Some argue that because VPNs exist, any age assurance system will fail. This leads to the mistaken belief that age-restricted sites are exempt from compliance if users connect through a VPN. As we have argued before, this is not true. Legislation we have reviewed globally, including the UK’s Online Safety Act (2023) and similar meaaures[sic] in Australia or US states, offers no such exemption.

This seems a bit disingenuous. This is conflating legal exemption (i.e. the law explicitly providing an out) with enforceability. Is anyone seriously arguing that because of the existence of VPNs that their use to circumvent the law therefore makes that act of circumvention legal?

The article goes on to explain technical mechanisms by which websites can determine whether someone is likely to be accessing the site from the UK despite using a VPN (all of which become statistical and not certain conclusions, as well as require gathering suspiciously identifying information the user has not consented to supplying), but that really sidesteps the crux of the conversation. Experts in cyber security have been railing against this law and others like it for a while, with solid evidence that they don’t have the effect proponents claim (that is, make the Internet safer for children), and in fact can make the Internet more dangerous for minors. So the question is then: is violating this law civically unethical?