Ofcom's Secret VPN Surveillance: When Britain Embraced the Authoritarian Playbook

I spent years working in UK government cybersecurity. I understand the rationale behind monitoring infrastructure, the genuine threats that keep security professionals awake at night, and the delicate balance between protection and privacy. That background makes me uniquely positioned to say this: what Ofcom is doing with VPN monitoring is indefensible.

TechRadar just broke an exclusive story that should terrify every small business owner in the UK. Ofcom, our communications regulator, has confirmed they're monitoring VPN usage across the country using an unnamed AI tool from an undisclosed third-party provider. When pressed for details about this surveillance system, Ofcom's response was essentially "trust us, it's all aggregated data, nothing to worry about."

If you've ever wondered what it looks like when a liberal democracy starts copying China's approach to internet regulation, this is your front-row seat.

The Transparency Black Hole

Here's what Ofcom told TechRadar about their monitoring tool: "We use a leading third-party provider, which is widely used in the industry, to gather information on VPN usage. The provider combines multiple data sources to train its models and generate usage estimates."

Notice what's missing? The name of the tool. The identity of the provider. What data sources are being combined. How the AI models are trained. What "usage estimates" actually means. Any independent verification of accuracy. Whether the data is truly anonymised or merely aggregated.

This isn't transparency. This is theatre.

I've worked with government surveillance systems. Legitimate monitoring programmes have oversight, documentation, published methodologies, and independent auditing. What Ofcom is running is a black box that somehow magically knows how many people are using VPNs, why they're using them, and whether this constitutes a regulatory concern.

Except it doesn't actually know any of those things. Because the technology cannot possibly know.

The 1.5 Million Phantom Users

Ofcom claims 1.5 million daily VPN users in the UK following the Online Safety Act's mandatory age verification requirements. That's an impressively specific number. Presumably derived from rigorous methodology, cross-referenced with multiple independent data sources, and published in official documentation for scrutiny.

Except it isn't.

I've checked Ofcom's website. Their guidance documents. Their statutory reports. There is no official Ofcom publication containing this figure. The 1.5 million number appears exclusively in media reports citing "Ofcom estimates" without any source document to verify.

This is a regulator making statistical claims about surveillance targets without showing their working. In my government days, this would have been sent straight back for methodology review before anyone dared cite it publicly.

But even if we accept the number at face value, it tells us precisely nothing useful. VPN detection technology can identify that encrypted traffic is using a VPN protocol. That's it. The technology is completely blind to intent, purpose, or legitimacy of use.

When your accounting manager connects to Xero through your company VPN, Ofcom's AI sees: VPN detected. When a journalist protects sources using encrypted communications, Ofcom's AI sees: VPN detected. When someone bypasses age verification on adult content, Ofcom's AI sees: VPN detected.

The surveillance system cannot distinguish between these scenarios. But that hasn't stopped Ofcom from deploying it and making confident claims about what it shows.
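To make the point concrete, here is a small added example (written for this post, not Ofcom's tool or any vendor's product) of what a passive network observer actually has to work with. It takes NetFlow-style records, flags flows on the registered or default ports of a few VPN protocols, and shows that the three scenarios above produce byte-for-byte identical verdicts, and that a crude "distinct source addresses" headcount both undercounts an office behind one NAT address and misses OpenVPN running over TCP/443. The flow records, the IP addresses (documentation ranges) and the port table are all constructed for the example; real deployments use other ports too.

```python
"""Added illustration: what a passive observer can and cannot infer from a
VPN flow.  Example code for this post, not Ofcom's tool or any vendor's
product.  All flow records are constructed; the port table is a deliberate
simplification listing only default/registered ports."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Default or IANA-registered ports for common VPN protocols (constructed
# lookup for this example; operators routinely move these).
VPN_PORTS = {
    ("udp", 1194): "OpenVPN",
    ("udp", 51820): "WireGuard",
    ("udp", 500): "IPsec/IKE",
    ("udp", 4500): "IPsec NAT-T",
    ("tcp", 1723): "PPTP",
}


@dataclass(frozen=True)
class Flow:
    """A NetFlow-style record: everything an observer outside the tunnel
    sees.  Note what is absent: no URL, no application, no purpose."""
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    bytes_out: int
    bytes_in: int


@dataclass(frozen=True)
class Verdict:
    vpn_detected: bool
    protocol: Optional[str]
    purpose: None = None  # always None: there is no field to fill it from


def classify(flow: Flow) -> Verdict:
    """Flag a flow as VPN when it uses a well-known VPN transport/port.
    TCP/443 is left unflagged on purpose: OpenVPN-over-TCP, SSTP and plain
    HTTPS are indistinguishable by port alone."""
    name = VPN_PORTS.get((flow.proto, flow.dst_port))
    return Verdict(vpn_detected=name is not None, protocol=name)


# The three scenarios from the post, as constructed WireGuard flows.
SCENARIOS = {
    "accountant reaching Xero via company VPN":
        Flow("203.0.113.10", "198.51.100.5", "udp", 51820, 8_400_000, 2_100_000),
    "journalist protecting a source":
        Flow("203.0.113.11", "198.51.100.7", "udp", 51820, 1_200_000, 900_000),
    "bypassing age verification":
        Flow("203.0.113.12", "198.51.100.9", "udp", 51820, 60_000_000, 3_000_000),
}


def verdicts_collapse(scenarios=SCENARIOS) -> bool:
    """True when every scenario yields the identical verdict, i.e. the
    detector has no basis for telling them apart."""
    return len({classify(f) for f in scenarios.values()}) == 1


# Constructed blind spots for a headcount: one office NAT address hiding
# 15 staff, one VPN hidden inside TCP/443, one ordinary HTTPS session.
MIXED = [
    Flow("203.0.113.20", "198.51.100.5", "udp", 1194, 5_000_000, 900_000),  # office NAT gateway
    Flow("203.0.113.21", "198.51.100.8", "tcp", 443, 2_000_000, 400_000),   # OpenVPN over TCP/443
    Flow("203.0.113.22", "198.51.100.9", "tcp", 443, 300_000, 50_000),      # plain HTTPS
]


def estimate_vpn_sources(flows: Iterable[Flow]) -> int:
    """Crude 'daily VPN users' figure: distinct source addresses with at
    least one flagged flow.  Counts the 15-person office as one and the
    TCP/443 tunnel as zero."""
    return len({f.src_ip for f in flows if classify(f).vpn_detected})


if __name__ == "__main__":
    for label, flow in SCENARIOS.items():
        print(f"{label:45s} -> {classify(flow)}")
    print("all three identical:", verdicts_collapse())
    print("estimated VPN sources in MIXED:", estimate_vpn_sources(MIXED))
```

Whatever a vendor's model layers on top (timing, packet sizes, destination reputation), it is built from records like `Flow`; the `purpose` field stays empty because nothing on the wire populates it, and every modelling choice about ports and address counting shifts the headline number one way or the other.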

The Small Business Surveillance Trap

Let's talk about what this means for the small businesses we actually serve. You've got 15 employees. Half work remotely. Your IT consultant set up a proper business VPN because that's basic security hygiene in 2025. Your remote workers use it to access company resources securely, protect against man-in-the-middle attacks on public Wi-Fi, and encrypt traffic containing customer data.

You're doing everything right from a cybersecurity perspective.

And now a government regulator is monitoring that VPN usage with an undisclosed tool using unknown data sources, ostensibly to catch people bypassing age verification on adult websites.

Can Ofcom's magical AI distinguish between your legitimate business security and circumvention? No. Does Ofcom know what data is being collected about your business operations? They won't say. Can you assess whether this monitoring creates additional GDPR risks for customer data flowing through your VPN? Not without knowing what's being monitored.

The opacity makes compliance verification impossible. You're responsible for protecting customer data under GDPR, but a government agency is monitoring your security infrastructure with secret methods. How exactly do you conduct a data protection impact assessment when the monitoring methodology is classified?

You can't. Which is rather convenient for Ofcom.

Section 121: The Sword of Damocles

The VPN monitoring is concerning enough. But it's just the visible tip of a much larger surveillance infrastructure being constructed under the guise of child safety.

Section 121 of the Online Safety Act gives Ofcom power to require platforms, including encrypted messaging services, to use "accredited technology" to scan for illegal content. That's regulatory speak for client-side scanning. That's technical speak for breaking end-to-end encryption.

The government promises they won't actually use these powers until the technology is "technically feasible." Which is reassuring until you realise that every cryptography expert on earth says it's impossible to scan encrypted content without fundamentally undermining the encryption itself.

Apple spent considerable time and resources developing client-side scanning technology in 2021. Then they shelved the entire project, explicitly stating it couldn't work without destroying user privacy. Signal and WhatsApp have both threatened to leave the UK market entirely if Section 121 is enforced.

But the powers remain in the Act. Sitting there. Waiting.

Here's what I learned from years in government security: once surveillance infrastructure exists, expanding it is trivially easy. The hard part is getting the initial framework approved. After that, scope creep is inevitable.

Today it's monitoring VPN usage for age verification. Tomorrow it's scanning encrypted messages for "harmful content." Next year it's pre-emptive threat detection based on browsing patterns. The infrastructure is being built right now.

The Authoritarian Comparison Nobody Wants to Acknowledge

James Baker from the Open Rights Group told TechRadar that VPN monitoring sets "a concerning precedent more often associated with repressive governments than liberal democracies." He's being diplomatic. Let me be direct.

Analytics platforms consistently show VPN usage is lower in countries with greater online freedom and higher in authoritarian states like China, Russia, and the UAE. Countries that monitor VPNs are typically countries we criticise for internet censorship and surveillance overreach.

Graeme Stewart from Check Point Software said the UK's VPN situation "puts the country in dubious company alongside China, Russia, and Iran."

When cybersecurity experts are drawing direct comparisons between UK regulatory approaches and Chinese internet control, that should trigger some serious national self-reflection. Instead, we got Peter Kyle, the UK Technology Secretary, saying critics of the Online Safety Act are "on the side of predators."

That's not policy debate. That's emotional blackmail designed to shut down legitimate concerns about civil liberties. It's also intellectually dishonest. You can oppose surveillance overreach and support child protection. These aren't mutually exclusive positions, despite government rhetoric suggesting otherwise.

The Scope Creep Has Already Started

The Online Safety Act came into full force on 25 July 2025. Within days, we saw exactly the kind of scope creep that privacy advocates predicted.

Parliamentary speeches about grooming gangs: blocked. News coverage of conflicts in Gaza and Ukraine: blocked. Mental health support forums: shut down due to compliance costs. A cycling forum discussing gear ratios and puncture repair: closed because they couldn't afford to meet Ofcom's requirements.

This isn't about protecting children anymore. This is about a regulatory framework so broad and vaguely defined that platforms are blocking anything remotely controversial to avoid potential liability. The chilling effect is immediate and profound.

Small platforms are shutting down entirely rather than face the compliance nightmare. Larger platforms are geoblocking UK users. We're building a censored internet using child safety as justification, then acting surprised when the same tools get applied to political speech and legitimate discussion.

This is the authoritarian playbook in action. Start with something everyone agrees is bad. Build the surveillance infrastructure. Then expand once the framework exists and opposition has been painted as supporting the bad thing.

What Small Business Owners Must Do Now

If you run a small business using VPNs for legitimate security purposes, here's your action plan:

Document everything. Create a written record of which employees use VPNs, why, and what business functions require encrypted connections. If Ofcom's monitoring ever becomes the basis for regulatory action, you need evidence of legitimate use.

Maintain your security protocols. Don't let surveillance theatre make you complacent about actual cybersecurity. Your data still needs protecting from ransomware gangs, phishing attacks, and credential stuffing. These threats are considerably more dangerous than Ofcom's monitoring.

Get legal advice if you operate any platform. If your business runs forums, hosts user-generated content, or operates any online community, speak with a solicitor immediately. The compliance burden is massive, the definitions are vague, and the penalties are severe. We're talking fines up to £18 million or 10 per cent of global revenue, with criminal liability for senior managers.

Stay informed about regulatory changes. This situation is evolving rapidly. Section 121's client-side scanning provisions could be activated whenever the government decides the technology is "feasible." The EU's Chat Control legislation could pass and affect your European operations. Twenty-five US states have passed similar age verification laws.

Engage politically. Over 550,000 people signed a petition to repeal the Online Safety Act. That triggered a mandatory parliamentary debate. Contact your MP. Make clear that surveillance of privacy tools is unacceptable in a democracy. The only reason governments get away with this is public apathy.

The International Surveillance Arms Race

The UK isn't alone in this authoritarian drift. We're part of an international movement towards internet surveillance dressed up as child protection.

The EU is debating Chat Control, which would mandate scanning of all encrypted messages. Australia is implementing sweeping age verification requirements potentially covering search engines. Twenty-five US states have passed their own age verification laws, each slightly different, creating a compliance nightmare for any platform operating internationally.

It's a legislative arms race. Each country watching the others, copying frameworks, expanding scope. All using the same justification that's politically bulletproof: protecting children.

The brilliance of this approach is its cynicism. Who can oppose protecting children without being painted as supporting predators? It's emotional blackmail elevated to regulatory policy.

Why This Matters Beyond Privacy Philosophy

I understand some readers thinking "I've got nothing to hide, why should I care about VPN monitoring?" That misses the fundamental point.

This isn't about whether you personally have something to hide. It's about whether we want to live in a society where government agencies monitor our security tools using secret systems with no transparency, oversight, or accountability.

It's about whether "protecting children" justifies building surveillance infrastructure that inevitably gets repurposed for political control.

It's about whether we're comfortable with regulators making statistical claims about millions of people without showing their methodology.

It's about whether we accept that once surveillance systems exist, limiting their scope requires political will that historically evaporates the moment a crisis makes expanded powers seem necessary.

I spent years in government cybersecurity. I've seen how mission creep works. I've watched well-intentioned programmes expand beyond their original scope. I've observed how "temporary" powers become permanent fixtures.

What Ofcom is doing should concern everyone, regardless of whether you use VPNs or care about abstract privacy principles. Because this isn't abstract. This is concrete surveillance infrastructure being deployed right now, with more extensive powers sitting dormant in legislation, waiting for the political moment when their activation becomes palatable.

The Bottom Line

Ofcom is monitoring VPN usage with an unnamed AI tool using undisclosed data sources. They claim this shows 1.5 million daily users, a figure that appears nowhere in official documentation. The monitoring technology cannot distinguish legitimate business use from circumvention, creating unknowable privacy risks for businesses operating legally.

Section 121 of the Online Safety Act grants powers to scan encrypted communications, powers that cryptography experts say are technically impossible to implement without destroying encryption itself. The government promises they won't use these powers yet. The powers remain in the Act.

Within days of enforcement, scope creep began blocking political speech, news coverage, and legitimate forums. Small businesses face massive compliance burdens with vague definitions and severe penalties. The UK's approach is being copied internationally while experts draw direct comparisons to authoritarian regimes.

George Orwell said "If you want a picture of the future, imagine a boot stamping on a human face forever." I'd update that for 2025: imagine a regulatory framework monitoring your privacy tools with secret AI while claiming it's protecting children.

That's not dystopian speculation. That's Tuesday in Britain.

We can push back now, or we can accept this as the new normal. But let's not pretend we weren't warned.

Mauven MacLeod is a former UK Government Cyber Analyst and co-host of The Small Business Cyber Security Guy Podcast. He now focuses on translating enterprise-level security thinking into practical solutions for small businesses.

[Comments? Questions? Disagree entirely? Find me on the podcast or drop a comment below.]
