TheNew UK Law – A Gateway to Totalitarian Control

In July 2024, under the banner of child protection and online safety, the UK Parliament passed legislation requiring biometric age verification for all users accessing pornography and dating websites or apps. At first glance, this appears to be a well-intentioned attempt to shield minorsfrom adult content. But beneath the surface lies a digital Trojan horse onethat threatens civil liberties, data sovereignty, and personal privacy on ascale not seen before in UK digital policy.

The law mandates that users must submit biometric datasuch as facial scans or official ID documents through third-party companies toaccess legal adult content. Despite the government's framing, critics warn thatthis is less about protecting children and more about constructing theinfrastructure for a centralised surveillance regime.

Unlike earlier efforts such as the 2019 Conservative-led ageverification attempt, which was scrapped after public outcry this versionslipped through Parliament under a Labour government, largely unnoticed.The lack of public consultation, limited parliamentary debate, and absence oftechnical scrutiny have raised alarm bells about the true intent behindthe legislation.

A Flawed System Built on False Premises

Even if one accepts the premise of child protection, the lawfails on its own terms. Any tech-savvy teenager can easily bypassbiometric checks using a VPN to appear as though they’re browsing fromoutside the UK. Alternatively, they can access adult content through encryptedapps, lesser-known websites hosted overseas, or peer-to-peer sharing. Theseworkarounds are widely available and well understood meaning the law willprimarily impact law-abiding adults rather than those it purports to protect.

This means that far from shielding children, the policyinstead becomes a blunt surveillance instrument. It punishes everydaycitizens while doing nothing to address the actual problem. In fact, byforcing users to seek content through VPNs or underground sources, it may evenmake minors more vulnerable to unregulated and unsafe content.

In essence, the system is ineffective, invasive, and ripefor mission creep.

No Central Authority Just Outsourced Surveillance

Crucially, the UK government has not established a centralpublic verification service. Instead, each website or app must choose itsown provider. This decentralised model fragments responsibility whileoutsourcing user data to private companies many of which are based overseas andoperate beyond the UK’s legal jurisdiction.

Take Aylo FREESITES LTD, the parent company ofPornhub. It uses a platform called AllPassTrust to handle ageverification. Aylo is incorporated in Cyprus, but operates digitalinfrastructure that likely falls under US jurisdiction via the CLOUDAct (Clarifying Lawful Overseas Use of Data Act). This means biometric data submitted by UK users could be accessed by US authorities—and, through international intelligence-sharing agreements, potentially shared back with the UK.

The Five Eyes Loophole

The UK is a founding member of the Five Eyes alliance secretive intelligence-sharing network that includes the US, Canada,Australia, and New Zealand. This alliance allows governments to circumventdomestic privacy laws by accessing data collected legally by partnernations. For example, data hosted on a US server and obtained under US law canbe lawfully shared with the UK government even if the same data would beillegal to collect domestically under UK law.

This creates a legal backdoor: the UK outsourcessurveillance by allowing foreign allies to collect UK citizen data, thenretrieves it via intelligence-sharing agreements. In this light, biometricverification isn’t just an age check it’s a gateway to totalitarian datacontrol, where international surveillance bypasses both GDPR protectionsand democratic oversight.

Investigatory Powers Act: The Final Nail

Pair this law with the Investigatory Powers Act 2016 alsoknown as the Snoopers’ Charter and the implications become chilling. The IPA already grants sweeping surveillance powers to UK intelligence agencies, including the retention of web browsing history, phone records, and metadata.When combined with biometric verification logs, every adult login to a datingor pornographic website could become a state-trackable event, linkingpersonal identity to private behaviour.

In such a system, anonymity online becomes a relic of thepast.

A Dangerous Precedent

If left unchallenged, this infrastructure could easily beexpanded. Today, it’s pornography and dating. Tomorrow, it could be forums,social media, or political websites. Age verification could become universaldigital ID by stealth a system with no opt-out, no transparency, and noguarantee that the data collected won’t be used against citizens in the future.

This is not about protecting children. It’s about normalisingbiometric control, establishing precedents that can be expanded silently.The danger is not only the system itself but the ease with which it can be repurposed,politicised, or abused.

Section 2: Who Owns Your Identity? The Role ofThird-Party Providers and Foreign Control

With no national infrastructure in place, websites and apps have turned to private verification companies some UK-based, many not. Firms like Yoti, FaceTec, and AllPassTrust have emerged asleading players in age and identity verification. While these companies offerconvenience, they also raise serious concerns about accountability,jurisdiction, and data exploitation.

AllPassTrust A Closed System with Hidden Roots

Pornhub’s verification system is run by AllPassTrust, a domain registered via EuroDNS with obscured ownership behindLuxembourg-based Whois Privacy services. The platform’s infrastructure islinked to Aylo FREESITES LTD, which is also registered in Cyprus. Thisobfuscation makes it difficult for ordinary users or regulators to fully tracewho holds their data, where it's stored, and under which laws it can beaccessed.

More concerningly, the domain’s backend is hosted on DigiCertDNS and UltraDNS, with servers in the United States. This immediately exposesthe data to US government access under the CLOUD Act, which compelsAmerican service providers to comply with federal data requests even if thedata pertains to non-US citizens located abroad.

FaceTec and Yoti – Biometric Gatekeepers

FaceTec, an American company, provides facialrecognition software for identity verification. Its clients include financialinstitutions, crypto exchanges, and governments. It also powers biometricage-gating for a number of dating and adult sites. With registration hiddenbehind Domains By Proxy (GoDaddy) in Arizona, FaceTec operates under USlaw, making any data it handles vulnerable to American subpoenas.

Yoti, in contrast, is a UK-based company that marketsitself as a privacy-forward identity platform. However, even UK-based firmsmust comply with UK surveillance laws particularly the Investigatory PowersAct. And given the Five Eyes partnership, even “domestic” data mayultimately be shared abroad.

No Regulation, No Recourse

There is no single regulatory body tasked withoverseeing the standards, transparency, or cybersecurity practices of thesecompanies. Each firm sets its own policies, decides how long to store data, anddetermines what to do with user information if law enforcement or intelligenceagencies come knocking.

This patchwork system of outsourced surveillance,governed by opaque corporate contracts, creates an environment where youridentity becomes an asset to be handled, leveraged, and potentially abused.There is no universal guarantee of deletion, no requirement to notify users ofgovernment access, and no way to opt out once data has been collected.

In other words: your identity is no longer yours.

Section 3: Coming Soon Data Sovereignty in an IndependentScotland

The situation in the UK raises urgent questions for Scotlandespecially for those who support independence. If biometric data is collected,processed, or stored by foreign corporations outside of Scotland’s legal reach,then Scottish citizens’ rights are effectively outsourced. In an independentScotland, digital sovereignty must become a foundational principle.

This would mean:

• Enshrining     the right to data privacy and anonymity into a written Scottish     constitution.
• Establishing     a national digital infrastructure with servers located on Scottish     soil, under Scottish jurisdiction.
• Prohibiting     biometric storage by foreign companies or governments.
• Guaranteeing     that all identity verification systems are publicly owned, open-source,     and transparent.
• Requiring     parliamentary approval for any intelligence-sharing or surveillance     agreements.

An independent Scotland has a rare opportunity to reverse the trajectory toward biometric authoritarianism. By rejecting the current UK model, Scotland could build a future where privacy, security, and sovereigntycoexist and where digital rights are not traded for false promises ofprotection.

‍