Two crises. One solution. Zero chance they'll use it.
The infrastructure exists. The political will won't.
Since July 2025 in Britain, if you want to look at “adult content” online - or, increasingly, just use Reddit like a normal human being - you’re expected to upload your passport to some verification outfit you’ve never heard of, or let an algorithm stare at your face and guess how old you are.
When this happened the Great British Public responded to it in a time-honoured fashion by downloading VPNs in such numbers that Proton’s sign-ups went up over 1,400% in a weekend and VPN apps filled half the App Store top ten. Half! The other half presumably being apps to tell you which VPN to download.
Meanwhile, over in Whitehall, the Government decided that what the nation is really crying out for is a shiny digital ID in a GOV.UK wallet. You may remember this idea from such previous hits as the National Identity Register, which got scrapped in 2010 after burning through hundreds of millions of pounds. Nearly three million people signed a petition against the new one. The Government’s response was to make it “optional” and carry on regardless, because of course it was.
Now, here’s the bit that really does my head in.
These are presented as two separate problems - kids accessing porn, and proving who you are online - requiring two separate expensive solutions, at least one of which will inevitably be delivered late by a consultancy charging £2,000 a day for a graduate who’s just discovered what an API is.
They are not two problems. They are one problem. And - brace yourselves - it’s already been solved. The solution is sitting in your pocket right now, between Candy Crush and those three parking apps you’ve got that never work.
It’s called your banking app.
A radical proposal: use the thing that exists
Think about what a bank actually is for a moment. It’s an institution that is legally required to know exactly who you are. KYC - Know Your Customer - means every single account holder in this country has already trooped down to a branch or jabbed at an app with their passport and proof of address, and a regulated institution facing eye-watering fines if it gets this wrong has verified them. About 98% of UK adults have a current account. Your bank knows your date of birth with more certainty than your own mother, who frankly has been a bit vague about it since the third child arrived anyway.
Better still, banks already have the plumbing to share verified facts about you, with your consent, through an API. It’s called Open Banking. It exists. It works. It handles billions of calls a month. The regulator that supervises it exists. The security standards exist. The consent screens exist. Somebody has already done the hard bit, which in government IT terms is roughly equivalent to discovering the project finished early and under budget.
So here’s the proposal, and I want you to notice how it does not involve a single new quango, database, or “transformation programme”:
You open your banking app. You tap “prove I’m over 18”. The app spits out a single-use cryptographic token - a code, a QR, whatever - that says precisely one thing: the holder of this is an adult. Not your name. Not your birthday. Not your account number. You show it to the website or other app. The website or other app checks the signature. In you go. Ten seconds, job done, and at no point did they have any idea who you are, or your bank learned what you’re into.
“But the bank would know!” No. It wouldn’t. That’s the point.
This is where it gets properly clever, and where every politician’s eyes will glaze over, so do try to keep up if you’re reading this in the Department for Science, Innovation and Acronyms.
There’s a class of cryptography called blind group signatures - invented by David Chaum in the 1980s, so it predates politician’s understanding of email by roughly forty years and counting. The bank signs the token without seeing where it’ll be used. Mathematically cannot see. There is no log entry at NatWest saying what you did at 11:47 on a Tuesday, because the information was never there to log. The website or app, for its part, checks the token against the banking sector’s published keys and learns only that some regulated UK bank vouches for you. Not which one. Not who you are.
Tokens are single-use, so nobody can track you across sites. And because the bank knows half of nothing and the app or website knows the other half of nothing, there is no database to breach, no logs to leak onto a USB stick left on a train (HMRC, 2007, 25 million records, never forget), and nothing for a future government with authoritarian itchy fingers to requisition. The privacy isn’t a promise in a white paper. It’s maths. Promises get amended in committee. Maths doesn’t.
This isn’t even untested. Sweden and Norway have run national identity off bank infrastructure for two decades. Belgium too. Australia’s at it. The only flaw in their versions is that the bank can see where you log in - which is exactly the flaw the blind group signature stuff removes. We’d be taking a proven model and bolting on better privacy. I know, I know - Britain, learning from somewhere that’s done it successfully. Steady on.
The objections, dealt with before some think tank charges £40k to raise them
“What about people without bank accounts?” About 1% of adults - and the Post Office, which already does in-person ID checks in every town in the land, issues them tokens over the counter. Next.
“Teenagers will just nick their dad’s phone!” Yes, and they can also nick their dad’s passport, credit card, and car keys. No system in history has stopped a determined teenager with a compliant older sibling. The question is friction, and a biometric-locked banking app generating tokens that expire in minutes offers rather more of it than the current system, which a 14-year-old defeats with a free VPN in the time it takes to say “highly effective age assurance”.
“Why would banks bother?” A fraction of a penny per verification, paid by the website/app, multiplied by millions of checks a day. Banks have done more for less. And if they drag their feet, the FCA already has the precedent: it frogmarched the big nine into Open Banking once, it can do it again.
So naturally, we’ll do the other thing
The consultation on digital ID closed in May. Ministers are now deciding, and every instinct of Whitehall will be screaming at them to bolt age checks onto the GOV.UK wallet, centralise the lot, and announce it at conference to a standing ovation from people who’ve never read a privacy impact assessment in their lives.
It would mean asking the public to trust the state with precisely the thing three million of them just signed a petition saying they don’t trust the state with. Whereas the alternative - distributed across dozens of competing regulated banks, no new database, no new enrolment, privacy guaranteed by mathematics rather than by Darren Jones’s solemn word - is sitting there, fully formed, waiting for someone in Government to notice.
The technology is forty years old. The banking rails are nine years old. The regulatory hammer already exists. Every single piece is on the board.
Which is precisely why I confidently predict we’ll spend at least £400 million building something worse. It’s what we do.
I've been using the Swedish BankID system for a decade now, and it works incredibly well. They are also now extending the same idea to Freja eID which is for people without a bank account, but with some other EU/EEA ID card. https://frejaeid.com/en/home/ - already in most places you can log in with BankID, Freja ID is accepted.