• 12 Dec, 2025 *

Three unelected peers have tabled amendments to a children’s welfare bill that would require ‘tamper-proof’ surveillance software on every smartphone sold in the country

The proposal sounds straightforward enough: prohibit virtual private network services from being sold to anyone under eighteen in Britain. But buried within the language of the Children’s Wellbeing and Schools Bill, tabled on 9 December in the House of Lords, lies a profound misunderstanding of how the internet works—and a glimpse of something rather more troubling than legislative ignorance.

A VPN is not a product. It is a protocol, a mathematical arrangement that anyone with two internet-connected computers can implement for themselves. Attempting to regulate it is rather like attempting to ban algebra, or perhaps more precisely, like attempting to license the act of whispering. The technology exists independently of any commercial provider, embedded in the basic architecture of networked computing. A motivated teenager with a Raspberry Pi and a foreign server could establish one in an afternoon.

Yet Lord Nash, Baroness Cass, and Baroness Benjamin have proposed precisely such a ban, alongside two companion amendments that reveal the true scope of their ambitions. The second would require all smartphones and tablets sold in Britain to come pre-installed with "tamper-proof system software which is highly effective at preventing the recording, transmitting (by any means, including livestreaming) and viewing of CSAM"—child sexual abuse material. The third would mandate "highly-effective age assurance measures" to prevent anyone under sixteen from accessing social media platforms.

Taken together, these amendments would transform every internet-connected device in Britain into a surveillance terminal, monitored at the hardware level for content the state deems impermissible.

The coalition behind the amendments

The three sponsors make for an unusual alliance. Lord Nash is a Conservative life peer and venture capitalist who co-founded Sovereign Capital, a private equity firm. His political work centred on education reform during his tenure as Schools Minister under David Cameron, where he oversaw a dramatic expansion of the academies programme. He donated approximately £300,000 to the Conservative Party before receiving his peerage in 2013. His background is commercial, his instincts regulatory.

Baroness Cass occupies a different position entirely. A paediatrician by training, she served as president of the Royal College of Paediatrics and Child Health before conducting the Cass Review, a government-commissioned examination of gender identity services for young people. That review, published in 2024, led to the NHS suspending transgender procedures for minors. She was elevated to the House of Lords in the Dissolution Honours that same year. Her authority derives from medicine, her recent prominence from restricting access to a different kind of intervention for children.

Baroness Benjamin completes the trio. The former children’s television presenter—known to generations of British children from Play School and Play Away—has campaigned for over a decade on child online safety issues. She championed provisions in the Online Safety Act 2023 aimed at preventing children from accessing pornography. Her motivations appear genuinely protective rather than commercial or political, but her technical understanding of the systems she seeks to regulate seems limited.

Together they represent a coalition that crosses party lines: Conservative business interests, crossbench medical authority, and Liberal Democrat moral advocacy, united by the conviction that children require protection from the internet and that such protection can be legislated into existence.

The tamper-proof contradiction

The CSAM-scanning amendment deserves particular scrutiny, for it contains a contradiction that security professionals have identified for years in similar proposals. Software that users cannot modify is software that security researchers cannot examine for vulnerabilities. "Tamper-proof" code is, by definition, code that cannot be fixed when flaws are discovered.

The history of computer security offers no examples of permanently secure systems—only systems whose vulnerabilities have not yet been found, or have been found and patched. A device running mandatory, unmodifiable scanning software would present an irresistible target for malicious actors. The very backdoor installed to detect child abuse imagery could be exploited to extract banking credentials, private communications, or the intimate photographs the system was ostensibly designed to protect.

Apple discovered this when it briefly announced plans for client-side CSAM scanning in 2021. The proposal generated immediate criticism from cryptographers and security researchers who pointed out that any system capable of scanning user content before encryption could be repurposed—by hackers, by authoritarian governments, or eventually by the company itself under legal or commercial pressure. Apple quietly shelved the plan. The British House of Lords, it seems, did not notice.

The amendment also raises questions about scope. The bill initially covers smartphones and tablets, but explicitly empowers the Secretary of State to expand the definition of "relevant devices" to include "other categories of device which may be used to record, transmit or view" prohibited material. Laptops, desktop computers, gaming consoles, smart televisions—anything with a camera or internet connection could eventually fall within its reach.

The Australian precedent

The timing of these amendments is not coincidental. On 10 December 2025, Australia became the first country in the world to implement a ban on social media access for children under sixteen. The law covers Facebook, Instagram, TikTok, YouTube, X, Snapchat, Reddit, Twitch, and numerous other platforms, with fines of up to AU$49.5 million for serious or repeated breaches.

Initial reports from Australia suggest the ban is already proving porous. Some children have discovered that drawing on facial hair fools age-estimation technology. Others are simply using their parents’ credentials. The law places enforcement burdens on platforms rather than families—there are no penalties for children or parents who circumvent the restrictions—but the basic problem remains. Digital natives find workarounds faster than regulators can anticipate them.

Prime Minister Anthony Albanese welcomed the ban as "families taking back power from these big tech companies," but surveys suggest that while 77 per cent of Australians support the policy in principle, only 25 per cent believe it will actually work. The British amendments appear designed to address precisely this enforcement gap—by building surveillance directly into the hardware itself.

The pattern across democracies

What makes the British proposals particularly striking is their emergence within a broader pattern. Similar legislative efforts have surfaced in Canada, throughout the European Union, and in various American states. The coordination is not necessarily conspiratorial; policy ideas diffuse through international networks of legislators, consultants, and advocacy organisations. But the effect is a kind of mutual reinforcement, each nation’s proposals lending legitimacy to the others.

The "think of the children" framing has proved remarkably durable across political systems and ideological boundaries. It provides cover for surveillance measures that would face fierce opposition if proposed for adults. Once identity verification infrastructure exists for the stated purpose of age-gating, expanding its use becomes technically trivial and politically easier with each iteration.

Britain offers instructive precedent. The Regulation of Investigatory Powers Act 2000 was introduced to combat terrorism. Within years, local councils were using its provisions to investigate minor infractions—dog fouling, school catchment fraud, improper bin placement. Australia’s metadata retention laws, initially justified for serious crime investigations, have been accessed by bodies ranging from local councils to racing authorities. The surveillance ratchet turns in one direction only.

What the bill cannot achieve

The VPN amendment contains a telling phrase: providers must implement age assurance that is "highly effective at correctly determining whether or not that person is a child." But effectiveness is precisely what these measures cannot guarantee. The internet routes around restrictions by design. A British teenager determined to access a VPN could purchase a foreign eSIM, use credentials borrowed from an older relative, or simply set up their own encrypted tunnel using freely available open-source software.

The Tor Project—a nonprofit organisation dedicated to internet privacy and anonymity—would technically fall within the bill’s definition of a "Relevant VPN Service." Banning Tor in Britain would place the country in the company of China, Iran, and Russia, the other nations that have attempted such prohibitions. Tor continues to operate in all of them.

What the amendments can achieve is rather different from what their sponsors presumably intend. They can create legal uncertainty for legitimate privacy tools. They can establish precedent for mandatory device-level content scanning. They can normalise the idea that internet access requires identity verification. They can build the administrative and technical infrastructure for more comprehensive surveillance. Whether they can meaningfully reduce harm to children remains an open question that the bill’s sponsors have not adequately addressed.

The lords and the technology they do not understand

The House of Lords serves, in constitutional theory, as a chamber of expertise and reflection. Its members are supposed to bring specialised knowledge to the scrutiny of legislation. Yet none of the three sponsors of these amendments possesses technical credentials in computer science, network engineering, or information security. A venture capitalist, a paediatrician, and a children’s television presenter have proposed to restructure the basic architecture of consumer computing devices.

This is not unusual. Technology regulation throughout the democratic world has been characterised by a persistent gap between legislative ambition and technical comprehension. Elected officials demand backdoors in encryption without understanding that a backdoor is simply a vulnerability with a friendly name. They mandate content filtering without grasping that filters can be circumvented or repurposed. They propose age verification without considering that verification creates databases, and databases get breached.

The amendments will now proceed through the Lords before returning to the House of Commons for approval. Given the current political climate—an incoming government in the United States that has expressed sympathy for rolling back digital restrictions, and mounting evidence from Australia that such measures face practical limitations—the proposals may yet be amended or abandoned.

But they have already achieved something. They have demonstrated that in Britain, as elsewhere, the impulse to control information flows remains powerful, that child protection provides durable political cover for surveillance expansion, and that the gap between what legislators wish technology could do and what technology actually does shows no sign of closing.

The children these lords seek to protect will grow up in whatever digital environment their elders construct. If that environment is one of permanent surveillance, tamper-proof monitoring, and mandatory identity verification, they will learn its contours as thoroughly as any previous generation learned the constraints of their world. They will also, like previous generations, find ways around them. The question is what kind of infrastructure—and what kind of precedent—we will have built in the attempt to stop them.

#politics