BB// Burghr Bytes
← The Feed · Software · TUE, MAY 12, 2026 ☕ Buy me a coffee
Software Byte

The UK Just Voted to Hand a Cabinet Minister the Off Switch

An amendment to the Children's Wellbeing and Schools Bill gives a single minister the power to block sites, ban VPNs, and ID-check the entire UK adult internet. It cannot stand.

Filed TUE, MAY 12, 2026

On March 10 a quiet amendment to the Children’s Wellbeing and Schools Bill passed the Commons, and almost nobody outside the policy mailing lists noticed. The amendment does not ban a website. It does not name a platform. It gives whoever happens to hold the Secretary of State title the standing power to block sites, restrict apps, impose curfews on named services, and clamp down on VPN use, without coming back to Parliament and without having to prove a specific harm.

That is the off switch. One person, no debate. The framing is child safety. The mechanism is general-purpose internet control.

The Online Safety Act already did the heavy lifting on age verification. Since July 2025, services Ofcom decides expose under-18s to harmful content have had to gate access behind “highly effective” age assurance: photo ID, facial age estimation, Open Banking, a digital ID wallet. Six fines have already landed, including an £800,000 hit against Kick in February. You can argue with how that law was drafted, but it at least went through Parliament with its scope written down. This new amendment is different. It is not a rulebook. It is a delegation.

Read it next to the existing “reasonable anti-circumvention measures” obligation and the shape becomes clear. If a minister blocks a site for under-18s, services have to make that block stick. The only way to make a block stick on the open web is to identity-check every adult who wants in, because the network does not know who is twelve and who is forty until someone proves it. Universal age verification is not a side effect of this regime. It is the regime.

I am not handwaving the underlying problem. Kids should not be wandering into adult sites, algorithmic self-harm rabbit holes are real, and the worst corners of the internet are worse than they have ever been. The honest debate is not whether to act. It is whether you act on the platforms and the recommendation systems that aim this stuff at children, or whether you act on the pipe and ID-check the whole country to get there. This amendment picks the pipe. It is the lazy answer dressed up as the brave one.

What 19 of the major players on the internet have to say

On May 5, the Open Rights Group, Mozilla, the Tor Project, the EFF, Proton, Mullvad, ExpressVPN, IPVanish, Tuta, and ten others published a joint letter telling the UK government that the path it is on will break the web for everyone, not just minors. Their argument: the proposed measures would apply effectively to all users, lean on age assurance tech that is “inaccurate, privacy-invasive, or both,” and fragment the internet into a set of restricted jurisdictions instead of treating it as a global public resource.

These are not the usual suspects shouting “censorship” into the void. Mozilla ships the only major browser engine not controlled by Google or Apple. Tor is the project journalists, dissidents, and abuse survivors actually depend on. Proton runs end-to-end encrypted mail and a VPN with millions of paying users. When the organizations whose engineering keeps the open web open are in lockstep against this, the responsible move is to listen.

Their counter is also not “do nothing.” Focus on the systemic drivers: pervasive data collection, targeted advertising aimed at minors, recommendation systems tuned for engagement at any cost. Those are the things actually hurting kids. They are also inconvenient to attack because the businesses behind them are large and lobby hard. ID-checking the user is easier, and useless, because the harm is not a thirteen-year-old seeing a front page. It is a recommendation engine feeding them a curated drip of content optimized to keep them watching.

The technical reality the amendment ignores

You cannot block a site for under-18s on the open internet without identifying every adult who visits it. There is no middle option. The model has every UK adult, every time they access a regulated service, handing biometric data or a government ID to a private third party whose breach disclosures will be a recurring news story for the next decade.

VPN restrictions make it worse. VPNs are how remote workers connect to corporate networks, how people on public Wi-Fi avoid being intercepted, how anyone in an abusive household keeps a private connection to the outside world. The same week the amendment passed, VPN apps spiked to the top of the UK App Store. You do not deter a determined fourteen-year-old by banning Mullvad. You inconvenience the journalist, the activist, and the IT contractor.

“Anti-circumvention measures” is doing a lot of work in that bill text. Once a minister names a target, it deputizes every UK ISP and platform to actively prevent users from getting around the block. That is the part where DNS over HTTPS gets pressured and the next round of “encryption is helping the bad guys” arguments gets its statutory hook.

Why this matters outside the UK

Strip the amendment. Not soften it. Not add a sunset clause and call it a win. Remove it. A general delegation of “the Secretary of State may block, restrict, curfew, or ID-gate any service they choose” is not a children’s safeguarding measure. It is a constitutional change to how a G7 country relates to the open internet, smuggled into a schools bill.

If the government is serious about protecting kids, the levers are sitting right there. Make targeted advertising to under-18s illegal, the way several other jurisdictions already have. Require platforms to publish their recommendation system documentation and submit to independent audit. Fund the schools and mental health services that catch a kid before the algorithm does. None of that requires a national identity wall around the web.

I am writing this from the US, and the temptation is to treat it as someone else’s problem. It is not. The UK is the test case. Australia tried age verification first and other countries watched to see what stuck. If this amendment goes through unopposed, the same delegated minister-with-an-off-switch model shows up in the next round of “online safety” bills in Washington, Ottawa, Canberra, and Brussels, with the UK cited as the precedent. The web is a single network. You do not get to keep your half of it open while the other half is on a leash.

So push back wherever you are. Boost the joint letter. Donate to the orgs that signed it. If you build for the UK, say in public what compliance will actually cost your users. The off switch only works if the people who could refuse to flip it stay quiet.

Keep reading
Software
No. 01 · JUN 11, 26

The macOS Tools I Love

Five Mac utilities that make my life easier when Apple doesn't: a clipboard manager I pay for, and four tools I wrote because nothing else fit the need.

Read byte
Software
No. 02 · MAY 07, 26

How Tailscale Helped Me Ditch My iCloud Storage Subscription

A mesh VPN built on WireGuard that takes ten minutes to set up and turns every device you own into one private network. Why I use it for my home lab, and how to get started.

Read byte
AI
No. 03 · JUN 11, 26

I Built a ServiceNow AI Assistant Instead of Licensing One

Enterprise platforms sell you an AI assistant by the seat. I built one that lives inside the platform, runs on token-billed LLM calls, and lets me decide what it can do.

Read byte
Read the rest of the feed →