The Proton Blog

In rush for age checks, we’re putting kids’ security at risk

Edward Komenda — Fri, 10 Apr 2026 19:30:52 GMT

As governments across the world charge ahead with age-verification laws, a well-intentioned rush to protect children is actually putting them at risk.

The goal is to shield children from harmful materials, but these laws lack sufficient safeguards to protect privacy. All it takes is a single data breach, and a law intended to protect children could end up exposing their sensitive personal information to the world.

To be sure, children deserve an internet that they can navigate safely. But explicit content and predatory social media are not the only dangers online. Privacy violations, especially for the young, can also do serious harm. Especially since, as the old warning goes, “The internet is forever.”

We should not accept simply trading one risk for another.

How the risks could affect kids

To verify their ages online, users are often asked to submit government IDs, credit card numbers, selfies, or unique biometric information. When breaches happen — and they do, with depressing regularity — that sensitive data is exposed.

What’s more, many companies outsource their age-verification services to a handful of third-party vendors. Those suppliers, as storehouses of the data, become all-too-tempting targets for hackers and criminals. Without sufficient policies on data minimization, usage, storage, and privacy, user data remains deeply vulnerable.

In September, a cyberattack compromised a third-party vendor for Discord, a video game chat platform, granting the attacker access to at least 70,000 images of government-issued IDs, including passports and licenses.

Discord had been collecting photos of IDs in compliance with the UK’s age-verification law, which took effect in July.

Since the implementation of the law, the UK’s Office of Communications reported that “many records were not consistent” with record-keeping and review guidance. Many companies also failed to show how they were taking responsibility for online safety risks.

This breach highlights the real-life consequences of online attacks. As age-verification laws gain traction on a larger scale, an emphasis should be placed on privacy. Protecting sensitive personal information makes the internet a safer place for everyone, including children.

The need for balance

The rush to prioritize age checks for minors without prioritizing secure methods of verification create additional cybersecurity risks that can put children in harm’s way. As governments make premature decisions about these technologies, they are opening a Pandora’s box for hackers and cybercriminals to mine at their leisure.

Moving forward, governments and legislatures must be thoughtful about the technologies they employ and the risks they come with. Policymakers should prioritize decentralized solutions that protect minors against the real threat of cyberattacks, without compromising users’ anonymity and right to privacy.

What are the alternatives to age verification?

Edward Komenda — Fri, 10 Apr 2026 19:19:39 GMT

With age-check systems, there isn’t a one-size-fits-all solution.

Research suggests that no single method effectively protects children while also balancing concerns about privacy and access to information, but there is a way forward. Applying a broad array of common-sense measures, including parental controls and digital literacy education, can go a long way in helping guard children against potentially harmful content while remaining mindful of privacy rights and the nuanced ways young people use the internet.

Attribute-based verification

It’s not exactly an alternative to age verification, but proponents of attribute-based verification argue that it provides a more secure and private method of verifying a user’s age. That’s because it verifies only what’s necessary, such as requiring a self-declared age range rather than a government ID. But it has its limitations. Notably, any method that relies on self-declaration can be easily circumvented. It also fails to address the issue of personal data privacy, as it does not prevent websites from collecting additional information, such as users’ IP addresses.

Attribute-based age checks, however, store data on the user’s device. This limits the number of people with access to a user’s private data and reduces the cyberattack risks posed by other age-check methods.

Zero Knowledge Proofs

Like attribute-based verification, a zero knowledge proof (ZKP) provides a way for websites and apps to verify a user’s age without the user having to explicitly share personal data about their identity. But ZKP isn’t an alternative to age verification, rather, it’s a cryptographic tool that allows websites and apps to verify information about the user in question without gaining any additional information about the user.

In 2025, Google announced ZKP integration within Google Wallet to provide age verification across multiple apps. The tech company said it would continue to use ZKP with existing partners, like Bumble, to verify users’ ages without revealing their identities.

Age-Appropriate Design Code

The Electronic Privacy Information Center’s model bill for Age-Appropriate Design Code (AACD) was designed as an alternative to the rise in age verification legislation. The AACD gives children agency over their online experiences while requiring tech companies to evaluate their programs for features that put children at risk for compulsive use.

Additionally, the AACD would prohibit these companies from implementing programs with high-risk features, and would provide transparency into addictive design practices.

Unlike age verification legislation, the AACD places responsibility on the manufacturers of these technological platforms, rather than the users they exploit, circumventing issues around privacy and personal security.

Device- and OS-level parental controls

Parents and children can work together on a solution that best meets their needs. Device- and OS-level parental controls offer a more personalized approach to gatekeeping what kids see online.

Parents can set up their children’s devices to restrict or limit certain content. OS-level controls can be set up to limit daily screen time, require approval to install apps, and use web content filters, but the internet’s ever-changing nature means web filters can’t always keep up.

Used in conjunction with other protective measures, however, these restrictions can act as guardrails that reduce children’s exposure to harmful content without universal age verification.

Research suggests children who report less screen time are also the most likely to have parental controls on their devices. Yet parental controls are underutilized, according to the nonprofit Family Online Safety Institute.

Use of parental controls varies widely across device types, and they are hardly a perfect solution. Children may have access to more than one device, making time limits and content filters harder to enforce.

Education and digital literacy

Talking with kids about online safety can make parental controls more effective.

In households that reported six or more conversations about online safety annually, both parents and children were more likely to say that parental controls effectively keep children safe online, research found.

And those offline lessons can be valuable tools in protecting children when they are online.

Research from the World Health Organization suggests educational programs and cyberbullying prevention can work to reduce violence against children online. Programs that discuss online dangers and offline violence prevention, as well as healthy relationship skills, can help address children’s vulnerabilities to sexual abuse, harassment, and bullying, a WHO study found.

Parental guidance, support, and the ability to engage critically with online content all affect how a child might feel about what they see on the internet, research suggests.

The way forward

Protecting children doesn’t require turning the entire internet into an ID checkpoint. The widespread deployment of online age checks struggles to balance legitimate child protection concerns against users’ data privacy rights. Until that balance is struck, existing measures can help kids navigate the internet confidently without surrendering sensitive personal information at every turn.

What small businesses still get wrong about password managers

Risa Tang — Fri, 10 Apr 2026 10:57:18 GMT

The way small and medium businesses work has changed for good — but so has the way they get attacked. Teams are distributed, SaaS tools handle everything from payroll to project management, and contractors and vendors rotate in and out of systems regularly. With each new tool or employee with access, the number of potential entry points increases.

That expanding attack surface matters because credential-based attacks, including phishing, account takeovers, and password theft, have become one of the most common ways businesses get breached. They work precisely because access has sprawled, which makes it difficult to track. All an attacker has to do now is find one valid set of credentials to bypass your business’s defenses.

In this context, it should be encouraging that over half of small businesses now use a business password manager. But Proton’s SMB Cybersecurity Report 2026 — a global study of 3,000 SMB decision makers — found that one in four still experienced a breach last year.

All this points to a gap between how tools are adopted and how they’re actually used.

How SMBs use password managers today

Most password managers are designed to do one thing well: help you remember your password. In practice, that means creating complex and unique passwords and managing them in an encrypted vault. That’s meaningfully better than the norm of reusing the same credentials across accounts and platforms.

But with passwords being an attacker’s easiest point of entry, SMBs need password managers to do much more than just solve memory and convenience problems. They need it to secure access.

Access is a far broader question. Do the right people have the right credentials — and would you know what they unlock or if they fell into the wrong hands? And as teams grow, subscriptions stack up, and contractors cycle in and out, your organization’s considerations need to shift from merely strengthening passwords to accounting for real-world security threats.

That’s the change most businesses don’t make until something goes wrong.

Where password manager implementations go wrong

The key insight of our report was that businesses adopting password managers don’t consistently use them.

Unsafe credential sharing still persists at surprisingly high rates:

33% share them in shared documents or spreadsheets
30% share credentials via email
27% share them via messaging apps
25% write them down
24% share them verbally

That’s a picture of busy people taking the fastest route available at that moment. Instead of toggling over to the password manager app and sharing a new credential in its proper vault, they might paste it into Slack or an email.

Workarounds feel harmless in isolation. But over time, credentials end up scattered across inboxes, chat histories, and shared documents in ways that are hard to untangle. When an employee leaves, you can’t later revoke access. And updating passwords on a moment’s notice after a data breach becomes impossible unless it’s stored in a centralized secure location.

Training to enforce security policies can help, but our research revealed even that isn’t quite enough…

Why security awareness training isn’t enough

Our report found that 39% of SMBs have experienced a security incident caused by human error. That statistic is easy to misread; the natural response is to assume that more careful employees means fewer incidents.

But this framing misses something important: Security systems that depend on perfect behavior under everyday pressure will always be let down by reality. Mistakes happen not because people don’t care — they happen because the secure option often demands more effort and time than the typical SMB can afford. Even well-intentioned teams will find workarounds when they’re resource-stretched.

The lasting fix isn’t more training. It’s designing systems where the secure option is also the easy one.

When sharing access safely takes no more effort than dropping a password into a chat message, people will use it.

When the access problem gets out of control

The credential problem compounds as teams grow.

Eighty-six percent of SMBs now rely on cloud-based services for day-to-day operations. That typically means credentials sprawl across project management tools, finance platforms, marketing software, file storage, and customer systems, each with its own permissions and access history.

Access doesn’t just scatter across systems; it spreads across the organization, flowing between teams, external partners, contractors, and former employees who may still retain a way in.

This means that in reality, credentials accumulate, old access continues to linger, and the number of people who have — or have had — the keys to your most sensitive systems scales beyond easy tracking.

Having tools isn’t the same as being protected

The SMBs that experienced breaches last year weren’t cutting corners: 92% were actively investing in security tools. They had password managers, encrypted email, training programs, and written policies in place. In other words, their setups looked solid on paper.

What many lacked was consistent enforcement. Multi-factor authentication (MFA) was switched on but not required, password managers were deployed but not embedded into daily habits, and onboarding and offboarding processes were handled informally rather than systematically. We suspect, given the popularity of browser password managers, that many were not even using a centralized team platform at all — instead relying on a patchwork of less-safe options on an individual basis.

Each of these is a small gap that stays invisible right up until it isn’t.

The real measure of a security setup isn’t what tools are on the list, but whether those tools hold up under the everyday pressure of how people actually work.

Here are some practices to help bring this reality closer for your business:

Use a password manager built for teams. Browser password managers are not only less secure, they don’t have the admin tools managers need to maintain full control of your accounts. Unless you have an enterprise password manager that’s easy to use, it’s not going to cut it.
Audit who currently has access to what. Check the user lists on your most sensitive tools and if any names on there come as a surprise.
Replace shared logins with individual accounts. While it’s easy to share logins in a password manager, it’s not a best practice: Shared logins reduce visibility at the account level, making it harder to identify and react to a breach.
Make multi-factor authentication a requirement. MFA is one of the most effective protections available — but only when it’s enforced by default, not left as an optional setting.
Make offboarding systematic. Every departure, whether it’s an employee, contractor, or vendor, should trigger an access review immediately rather than as an afterthought.

Want to know what else you could learn from our survey of 3,000 business leaders across six key markets? Read more in our SMB Cybersecurity Report 2026. You’ll learn what causes breaches and what they actually cost, where human error shows up most often, how cloud and AI adoption are creating new blind spots. It also includes practical steps for beefing up protection that hold up in real-world conditions.

Get the full report

Proton Calendar now includes secure appointment scheduling

Anant Vijay Singh — Thu, 09 Apr 2026 11:53:31 GMT

In the 12 years since Proton began, millions of people have joined our mission to make the internet safer and more private, including over 100,000 businesses and nonprofits. They rely on Proton’s encrypted suite to protect their customers and teams, and we’ve continued to add more services and plans to support them — most recently with the launch of Proton Workspace.

Today we’re excited to announce the next addition to Proton Workspace with our secure appointment scheduling tool in Proton Calendar.

Whether you work with teams, run a side hustle, or take appointments from customers, you can now easily create public booking pages that show when you’re available, and your clients and colleagues can book an appointment in seconds. It automatically creates a new event on your calendar and generates a private Proton Meet link where you can have a secure video call. New events are zero-access encrypted, so all the details stay between you and your contact. Not even we have access.

For people dependent on platforms like Calendly, this means you no longer have to pay an extra subscription or give away calendar data to third-party services where it can be leaked or spied on. It’s a perfect tool if your business is based on appointments or if you want to save time finding an available slot to meet with colleagues or friends.

And it’s available in our new Proton Workspace plan, which combines all our business productivity tools into a single plan for complete data protection.

Try scheduling for teams

Explore plans for individuals

Part of a seamless encrypted workspace

The new appointment scheduling tool is fully integrated with Proton Calendar and Proton Meet to protect your business data end to end.

That’s important because your team calendar contains a trove of information about you and your business activities: your location, your priorities, and your contacts. It’s critical to keep that information protected from Big Tech platforms that could monetize or leak it, and from hackers who could use it against you for fraud or phishing attacks. Using a third-party booking platform spreads your information across the internet and increases your risk of a data breach, especially when those tools don’t use strong encryption.

Appointment scheduling bridges two fundamental business tools: Proton Calendar and the all-new Proton Meet for encrypted video calls. It’s not enough for a business to be able to plan and host a secure video conference — they also need to be able to schedule it. Our appointment scheduling tool fills this gap.

How appointment scheduling works

Appointment scheduling is simple to set up, and it’s available on all paid Proton Mail plans, Proton bundles, Meet Professional, and Proton Workspace. Teams with Workspace can create up to 25 booking pages to support multiple meeting purposes and durations.

In your Proton Calendar, just add a new booking page, give it a name, and specify the times you’re available. Your booking page will have a link that you can share publicly, such as on your website, email signature, or social media profile.

Whenever someone books a meeting with you, the event will instantly sync directly to your calendar (so it’s not possible to double book). And your contact will receive a confirmation email. If you’ve selected Proton Meet as the location for the meeting, the confirmation will include a secure meeting link.

The time, description, and participants on every event are zero-access encrypted, meaning it’s locked with your private encryption key and can’t be accessed by Proton or anyone else.

Learn more about how to use appointment scheduling

Power your growth with Proton Calendar

With appointment scheduling, Proton Calendar becomes more than just a way to track your schedule — it’s a way to grow your business or side project. If you’re a professional service provider, letting clients book meetings is a core part of your business model. But even if your business doesn’t run on external meetings, the appointment scheduling tool can help you save time or be more available to your team.

Appointment scheduling is perfect for:

Privacy-first providers like therapists, health clinics, law firms, and financial advisers
Managers or executives looking to save time when setting up meetings
Tutors scheduling time with students or professors hosting office hours
People who work for themselves, like content creators, indie hackers, or marketplace sellers
Anyone with a side project
And many more business professionals…

Securing your meetings isn’t just about protecting your own business, it’s also about protecting the people you do business with. When it comes to fields like healthcare, data protection is even an ethical and legal obligation. Appointment scheduling in Proton Calendar helps you meet those obligations while signaling to your customers that your business takes security seriously.

Explore Proton Workspace

Age checks and child safety: Online age verification systems fail to protect children

Edward Komenda — Wed, 08 Apr 2026 21:03:03 GMT

Online age checks are intended to keep violent, sexually explicit or other age-inappropriate content away from children. But do they?

Under-age social media users are often able to circumvent age restrictions, especially at the account-creation stage, research shows. In other cases, age checks have blocked children from accessing content that was later determined to pose no risk.

When faced with obvious harms, the desire to “do something” is understandable. But we need a higher standard. When it comes to children, we need to do something that works. And age verification as it is currently practiced often falls short of that basic goal.

Age checks are rooted in real concerns

Most parents of adolescents in the United States worry about social media’s effects on mental health, among other issues, according to the US surgeon general. At the same time, parents are concerned about the scope of age checks. In a study by the nonpartisan Center for Democracy & Technology, parents and teenagers voiced concerns about the checks’ effectiveness, data privacy, and user agency.

At their core, age-verification systems aim to prevent young people from accessing harmful or adult-geared content, but many critics have warned that even well-intentioned policies could create risks to free speech and data privacy for all internet users, not just children.

What’s considered harmful depends on whom you ask. Industry regulations, state laws, and national policies can all dictate which content is deemed harmful to young people, but some language is more vague than others.

The United Kingdom’s Online Safety Act, for example, lays out categories of content that children must be shielded from online. They include:

Pornography
Content that encourages, promotes, or provides instructions for:
- Self-harm,
- Eating disorders, or
- Suicide
Bullying
Abusive or hateful content
Content which depicts or encourages serious violence or injury
Content which encourages dangerous stunts and challenges
Content which encourages the ingestion, inhalation or exposure to harmful substances

In Australia, the move to ban social media accounts belonging to people younger than 16 more broadly cites concerns about screen time and mental health.

Whether these measures effectively shield young people from harm is debated.

Content restrictions don’t always get it right

Some researchers have warned that age checks could impede access to medically accurate sexual information and other educational content.

After the U.K. Online Safety Act took effect, the government noted “instances of over-moderation” in which children were blocked from viewing content that didn’t pose a risk.

Even with age-check systems in place, potentially harmful and age-inappropriate content remains accessible to kids. In some cases, childhood deaths have been linked to suicide- and self-harm-related content and risk-taking social media challenges, according to the surgeon general’s advisory.

The same advisory, however, noted that social media can be a source of positive community, connection, self-expression, and important information.

Age-gating access to those corners of the internet stands to disproportionately affect young people who rely on online communities for support and information.

Measures put in place to label content and guard children from age-inappropriate material have also been flawed.

In September, Disney agreed to pay $10 million to settle allegations by the Federal Trade Commission, which accused the company of failing to label its children’s videos on YouTube as “Made for Kids.”

Failing to correctly label the videos meant Disney collected children’s personal information when they watched the unlabeled content and autoplayed “Not Made for Kids” videos when they finished. Children also became targets of online advertisements geared toward older viewers.

Disney didn’t admit any wrongdoing as part of the settlement.

Are age verification systems effective? More research is needed

The effectiveness of age checks remains to be seen.

In the weeks after Australia’s policy took effect, social media companies revoked access to about 4.7 million accounts belonging to children.

Findings from a 2024 study suggest that the widespread global deployment of age verification has resulted in privacy-invasive or ineffective methods.

Research from the U.K.’s independent online safety regulator, the Office of Communications, pointed to some measurable changes in internet behavior, but it’s still too soon to evaluate effectiveness.

The number of visitors to pornography sites in the U.K. declined by one-third since the Online Safety Act took effect in July, the office noted in a December online safety report. The office is assessing how much the decline may have reduced children’s exposure to pornography.

“While it is too soon to assess the long-term impact of these changes, the widespread adoption of age checks means that children of all ages are now less likely to encounter pornography accidentally, which research has shown to be the way most children encounter porn,” the report said.

The office is expected to publish its initial data and analysis on children’s online experiences by May.

What happens after age-verification laws take effect: The chilling effect of online age and ID checks

Edward Komenda — Wed, 08 Apr 2026 16:42:31 GMT

Governments around the world are adopting laws intended to protect young people online. Age verification has emerged as a shared policy response, but in practice it produces very different internets shaped by unique legal, technical, and social conditions.

These case studies show what happens after age-verification laws take effect, focusing on three distinct models: decentralized legal experimentation, direct regulatory enforcement, and platform duty-of-care obligations. Together, they demonstrate how a single policy idea evolves when it moves into the real world.

United States

The U.S. exemplifies how age verification can spread without a national law. State legislation, court challenges, and platform responses have collectively reshaped online access, creating diverse outcomes across the country.

What was proposed

Federal lawmakers tried long ago to age-gate adult content on the internet. The Child Online Protection Act, passed by Congress in 1998, required commercial websites hosting material deemed harmful to minors to restrict access, often through age-verification mechanisms. Courts blocked the law repeatedly on First Amendment grounds, and it was ultimately struck down after years of litigation. The rulings reinforced protections for lawful online speech, including concerns about overbroad restrictions and the impact on anonymous access, shaping how later policymakers approached age-verification proposals.

Beginning in 2022, states began introducing legislation requiring adult-content sites to verify age, with early efforts in Louisiana and Utah helping establish a template that other jurisdictions soon followed. Lawmakers framed these measures as child-protection policies inspired by international proposals.

In lieu of a centralized system, these laws typically made platforms responsible for preventing underage access. Sites could face civil penalties—including fines, private lawsuits, or court-ordered restrictions—if minors accessed restricted content without “reasonable” safeguards in place.

What was implemented

States rolled out age-verification requirements aimed primarily at porn sites and other explicit content.

Texas quickly became the bellwether legal test case. Challenges to Texas HB 1181 moved through federal courts and ultimately reached the U.S. Supreme Court, where justices allowed the law to take effect in the midst of legal challenges. The decision signaled that state-level mandates could proceed without definitive resolution.

That opened the door for other states to advance similar laws alongside ongoing litigation. Because each state set different standards and timelines—and because legal language left a lot of room for interpretation—there was no uniform technical solution, leaving platforms to navigate a rapidly expanding patchwork of regulatory demands.

What changed

Rather than uniformly changing how age is treated and proven online, policy pressure changed the internet itself.

Compliance became a risk calculation for platforms, as they weighed verification costs, liability, and privacy issues. Some—ranging from adult-content sites to social media—chose to restrict or withdraw services in affected states. Access began to depend on geographic location, producing a fragmented online experience.

Proposals and laws have increasingly targeted app stores and other digital intermediaries, shifting responsibility from individual sites to infrastructure providers. This lets policymakers gauge whether age gating can work at the ecosystem level.

Public reaction

Americans are sharply divided. Supporters argue that state laws finally imposed accountability on large platforms after years of failed federal legislation, reflecting a growing view among policymakers that voluntary safeguards are not enough to protect minors online. Critics, including civil-liberties organizations and digital-rights advocates, warn that mandatory age verification chills lawful speech and weakens protections for anonymous expression.

Litigation is the central arena for resolving these tensions, and state attorneys general are the front-line enforcers. As challenges move through the courts, judges continue to grapple with whether mandates constitute permissible regulation or unconstitutional restriction.

As a result, America’s internet is an experiment moving further from legal clarity, even as age verification spreads.

Age verification in the U.S. – litigation model

States enact age-verification laws
Courts determine what survives legal challenge
Platforms adapt to evolving rulings

Focus: Legal viability
Outcome: Policy is shaped by litigation outcomes

United Kingdom

After decades of global debate over online safety for minors, the UK became the first country to enforce modern age assurance on a national scale.

What was proposed

Early UK media regulation, particularly the Communications Act 2003, established content protections for minors in broadcast and on-demand services, but it didn’t address open internet access to pornography.

Under the Digital Economy Act 2017, the original plan was to mandate age checks for access to adult content, requiring age-verification technology specifically. That plan was repeatedly delayed and finally abandoned in 2019 amid privacy concerns and the practical challenges of enforcing rules against services operating outside the UK.

Instead of prescribing how content is gated, the Online Safety Act 2023 regulates outcomes, requiring services to deploy “highly effective” age-assurance measures and demonstrate how effectively they protect minors.

This created a broader safety framework, enforcing platform responsibility through performance standards that extend beyond sites offering adult content.

What was implemented

Implementation fell to UK communications regulator Ofcom. It outlined expectations for platforms, requiring age-assurance systems capable of reliably distinguishing adults from minors, with enforcement backed by investigation and financial penalties.

Ofcom didn’t specify a method. Companies could use identity-document checks, biometric estimation, third-party verification vendors, or alternative approaches—provided they met Ofcom’s effectiveness thresholds. This flexibility led to a rapid, albeit uneven, rollout of age verification.

What changed

The UK’s internet transitioned from an open-access model moderated after the fact to one requiring proof of eligibility to enter certain spaces.

When enforcement timelines arrived in 2025, major platforms began modifying access flows, and users began encountering checkpoints where none had existed before. These age checks were embedded in account creation, browsing activity, and content discovery, and that affected anonymity, friction, and participation online.

For platforms, age assurance became a continuous compliance obligation subject to interpretation, audit, and penalty; and it proved hard to define. Ofcom opened investigations into dozens of porn sites and issued penalties against operators whose age-assurance measures didn’t meet the standard. In this way, acceptable gates evolved through strict enforcement actions.

Public reaction

Public response has been mixed as to whether the system represents overdue protection or risky overreach.

Among the concerns raised by privacy advocates are assertions that mandatory age-assurance normalizes identity checks for lawful activity, expands collection of sensitive data, and threatens anonymity for users who rely on it for freedom to explore and express themselves.

Spikes in VPN use have been reported, suggesting that some UK users prefer workarounds to participation in verification systems. Others question the effectiveness of age gates, including some young users who’ve argued that they limit access without resolving underlying harms. Still others say critics should give these protections time to prove out, framing the law as a necessary adaptation to a changed digital environment.

The UK’s experience shows how age-verification policy alters the internet through cumulative shifts in access, accountability, and user behavior—changes that remain contested.

Age verification in the UK – enforcement model

Parliament sets safety outcomes
Regulator enforces platform compliance
Age verification operates as an access gate

Focus: Access control
Outcome: Users must demonstrate eligibility to enter restricted spaces

Australia

Australia has drawn international attention for its online youth-safety agenda, where age checks emerge from platform duty-of-care obligations instead of a standalone age-verification law.

What was proposed

Australia’s Online Safety Act 2021 built on earlier regulatory frameworks (1992, 2015, and 2018) that relied largely on complaint-based takedowns of harmful content. Policymakers concluded that reactive removals were insufficient and shifted toward requiring large platforms to reduce risks up front.

The Act significantly expanded the authority of the e Safety Commissioner, turning the regulator from a complaint handler into a proactive supervisor of online safety. Rather than prescribing specific verification methods, the law made platforms responsible for preventing foreseeable harms to minors.

This shift laid the groundwork for age assurance by binding platform compliance to the ability to distinguish between adult and underage users.

What was implemented

Implementation centered on regulatory guidance and enforcement powers exercised by the eSafety Commissioner. Platforms were required to show how their services reduced risks to underage users, guided by regulator-approved safety standards and ongoing oversight.

In practice, this meant strengthening moderation systems, activating parental controls, restricting features for younger users and developing mechanisms capable of identifying them. So platforms deployed age-assurance measures such as age estimation, behavioral-detection systems, and layered verification approaches combining multiple signals to assess a user’s age, often trialed through government-supported technology testing programs. Age assurance therefore functioned less as a single checkpoint and more as an ongoing compliance capability embedded in everyday service operation.

In December 2025, Australia extended this duty-of-care strategy through a world-first social media ban for users under 16, explicitly conditioning access to major platforms on the ability to determine a user’s age.

What changed

For platforms, safety obligations became continuous and adaptive. Meeting regulatory expectations increasingly required systems capable of reliably distinguishing minors from adults, turning age assurance from an optional safeguard into a prerequisite for enforcing youth-access restrictions.

For users, changes ranged from stricter defaults and safety features to large-scale deactivation of accounts identified as belonging to underage users.

The result was deeper regulatory influence without universal identity-based age verification, reflecting a research-driven model that evaluates safety outcomes and emerging age-assurance tools instead of defaulting to biometric or document-based checks.

Public reaction

Australia’s approach has generated praise and concern, both inside and outside the country.

Proponents argue that platform design shapes online risk more than individual behavior alone, and that regulating platforms offers governments a more practical point of intervention. Critics believe that expanding safety mandates fails to adequately protect children and offers a quick fix to complex social and political problems.

As debate intensifies over whether enforcement will ultimately require more invasive age checks, this case shows that when governments regulate platform responsibility first, age verification can be a practical consequence.

Age verification in Australia – governance model

Platforms continuously manage risks to minors
Regulator supervises platform safety systems
Age verification operates as one of many embedded compliance tools

Focus: System design and ongoing oversight
Outcome: Platforms must demonstrate their environments are safe for minors

What age verification actually means (and why the term is misleading)

Edward Komenda — Wed, 08 Apr 2026 16:05:22 GMT

The days of the checkbox honor system are ending as efforts to age-gate the internet spread worldwide. The goal of protecting children is widely embraced: Age should be checked for access to certain content or sometimes entire platforms, as young people are exposed to legitimate risks when left to explore and engage without guardrails.

But the methods of checking age—both the existing ways and those forming under intense regulatory pressure—vary significantly in effectiveness and intrusiveness. From one approach to the next, there are stark differences in how much data is collected and who controls it. Regardless of the method, the most consequential moment is the point where age is actually checked. The mechanics of that interaction, and how its outcomes are handled, drive real-world implications for privacy, security, and free expression.

Yet the distinctions are often blurred, stemming from the terminology around age checks. Age gating, age assurance, age estimation, and age verification can get collapsed into a single idea. Understanding why that matters starts with breaking down the language.

Standards versus methods

Age gating and age assurance are standards—policy goals that describe intent and confidence, not mechanism. Age gating tells you that an age-based restriction exists. Age assurance signals that some effort is being made to enforce that restriction. These terms don’t specify how, or how effectively, age is determined.

Age estimation and age verification are methods — technical categories for how age is checked. And the contrast is central to the debate over how age checks should happen online.

Age estimation versus age verification

As lawmakers, courts, tech companies, and advocacy groups address both the complexities and conflicts of age gating, the terms “age estimation” and “age verification” are sometimes treated as interchangeable. That shorthand obscures meaningful differences in accuracy, accountability, and data exposure.

Age estimation

Age estimation, also known as age assurance, is exactly what it sounds like—an inference, not a confirmation. These systems draw on data already available within a platform, such as profile photos, videos, audio, declared information (like a birth date), and account metadata (like how long an account has existed). Using biometric techniques like voice or facial analysis, combined with account history and behavioral patterns, the system generates a probability that someone falls within a given age range.

Because this doesn’t require identity documents, age estimation is often framed as “privacy-preserving.” But data exposure depends on the individual system: Is age estimated once or continually? What signals are used? How secure is the system itself? And if age is misread, what happens?

Inference-based systems are inexact and can be fooled, such that a user’s age may be misclassified in either direction, with access allowed or denied where it shouldn’t be. On the gaming platform Roblox, which rolled out mandatory age checks for access to certain features, young users tricked the system with fake mustaches and other disguises, underscoring the risk of relying on inference alone.

Other concerns have been raised about accuracy and bias, as results depend heavily on image quality, vary from algorithm to algorithm, and are affected by unique intersections of personal attributes, with disproportionate misreads on under-represented groups. Data from Australia’s age-assurance technology trial—tied to a nationwide ban on social media for teenagers—showed that age estimation produced higher error rates for people with darker skin tones and for some demographic groups, including those from Indigenous and Southeast Asian backgrounds.

If eligible users are denied, recourse is limited. They generally aren’t told why, and the default solution is to upload identity documents—the exact thing age estimation is meant to avoid.

Age verification

Age verification aims to confirm age as a fact, using proof from a trusted source. Today, that usually means a government-issued ID like a driver’s license or passport, either uploaded directly to a platform or filtered through a third-party service that verifies age and sends back a yes-or-no result.

The risk of document uploads is intuitive: Scans can be stolen or misused, particularly as age checks spread across more services. What’s easier to miss is that even when documents are deleted from a platform, the outcome of the age check often persists—stored alongside an account or session and linking back to an identifiable user.

Identity-linked systems versus anonymous or token-based claims

Age-verification systems fall into two categories: those that bind age checks to identity and those that try not to.

Identity-linked systems

Identity-linked systems are the dominant model today, employing the familiar ID upload flow. Platforms may not retain copies of documents, but the verification outcome is almost always stored, linking lawful content access to a real person who may not want that association recorded.

Adult-content sites illustrate the conflict. In states where age-verification laws have been enacted, compliance has largely meant identity-linked checks, requiring users to upload IDs through third-party vendors. As a result, industry giant Pornhub pulled out of 23 states, pointing to privacy risks. The company has said it supports age verification “when it is done right,” advocating for device-level age checks rather than site-based age checks.

Similar dynamics appear in app-store ecosystems, with age verification prompted at download, signup, or the account level. When the outcome of that check is tied to an account, it stops being a one-time gate and becomes an attribute, shaping how the platform understands and manages the user. That can include:

Reuse across time and contexts (future logins, enforcement actions, compliance audits)
A reusable verification result can be used long after the original check for enforcement, monitoring, or regulatory review, often without the user’s awareness or renewed consent.
Integration with other account data (access logs, platform activity, moderation records)
When age status is combined with behavioral or moderation data, it becomes part of a broader profile that can influence account treatment and content access in ways unrelated to age alone.

Users typically aren’t told how long their verification status persists, where it is stored, or how it may be reused, leaving them with little ability to contest errors, revoke consent, or gauge long-term implications.

Anonymous or token-based claims

Other age-verification systems attempt to avoid or reduce identity linkage. These approaches rely on credentialed or token-based claims, both of which perform an age check once and then reuse the result to grant access later.

Credentialed claims: Verifiable digital credentials (VDCs) rely on identity checks already performed by trusted institutions (think DMVs and banks), allowing users to confirm age online with a digitally signed cryptographic proof—aka the issuer vouching for the age claim. Most VDCs employ selective disclosure, revealing only what’s necessary to meet an age threshold (e.g., confirming that someone is “over 18”), though more advanced zero-knowledge proofs aim to verify eligibility without sharing any personal data at all.

Both reduce exposure at the point of access. But the privacy and security benefits depend on who issues the credential and how it’s stored, as well as which platforms accept it inside the emerging digital-ID model (which carries its own impacts to privacy and access).

Token-based claims: Tokens are like hand stamps at a concert; short-lived, site-specific proofs that allow repeat access without rechecking age every time.They are typically issued after an initial verification and used internally by a platform to streamline access.While that reduces repeated data exposure within a single service, tokens don’t eliminate identity linkage at the point of issuance and offer users scant visibility into how access is remembered or reused. Users typically can’t examine, limit, or revoke these claims, which turn a one-time access decision into an ongoing state. Tokens are a platform optimization, not a rights-protecting feature.

Whatever the verification pathway, the highest risk sits at the point where age is checked—and system design and implementation make all the difference.

Government-mandated versus platform-run systems

Laws define the obligation to keep young people safe online, but they are carried out by regulators, platforms, vendors, app stores, and OS providers that must interpret vague requirements under real operational pressure.

Whether a law calls for “effective age assurance” or “privacy-preserving age verification,” it rarely specifies exactly how the requirement should be met in terms of:

What data must (or must not) be collected
Whether a government-issued ID is required
Whether age can be inferred or must be verified
Whether identity must be linked to an account
Whether checks happen once or continually
Who stores the data and for how long
Whether third-party verification is allowed
What counts as “effective” or “privacy-preserving”
What recourse users have when systems fail

Such decisions are left to downstream authorities, which is why the same legal language can produce radically different outcomes. These authorities are simply optimizing for different things: Regulators are optimizing for governance, platforms for liability, vendors for marketability, and infrastructure providers for uniformity. Beyond these institutional priorities, the primary concern is not democratic legitimacy or proportionality, but defensibility to show that sufficient steps were taken to prevent underage access. In that environment, ambiguity is seen as risk, and risk is minimized through standardization and overcompliance—or through platforms pulling out of states where compliance raises both ideological and financial concerns.

Social network Bluesky chose to block access entirely in Mississippi rather than comply with a state law that would have forced it to verify age for all users and collect sensitive personal data. The platform said the requirements went beyond child safety goals and would “limit free speech and disproportionately harm smaller platforms.”

The most restrictive option becomes the baseline not because of public input or legislative intent, but because of operational risk management. The consequence is an abstraction of policy that narrows the practical scope of all users’ rights online.

What is ultimately at stake

Advocacy groups warn that age gating threatens a free and open internet. They argue that adults misclassified as minors can be blocked from lawful information. That users unwilling or unable to submit identity documents can be excluded entirely. That communities relying on anonymity for reasons of safety, stigma, or self-exploration may find that essential information and connection now come with conditions they can’t meet. And that exclusion of children from the internet that isn’t “necessary and proportionate” violates their fundamental rights.

While the spirit of these laws is child safety, industry analysts worry that the legal language could be applied to any site offering content with “adult themes,” whether that means information about sexual health, creative image boards, or social forums.

These concerns have crystallized into ongoing legal opposition to age gating at both state and federal levels, despite widespread agreement that the internet should be safer for young users.

Understanding what “age verification” actually means helps clarify the challenges of finding that balance.

From vulnerability to resilience: an incident response framework for SMBs

Ben Wolford — Thu, 02 Apr 2026 16:31:48 GMT

Cybersecurity incidents are a huge risk to SMBs, with 1 in 4 small businesses hacked despite cybersecurity measures, according to Proton’s 2026 SMB Security Report. Damages of a security breach are not limited to data and financial losses: legal and IT costs, impact on customer trust, operational disruption, and time spent on recovery are some concerns of SMBs hit by cyberattacks. A single incident can affect all areas of a business and disrupt its continuity.

In such a delicate and risky scenario, every small business needs to implement concrete measures to avoid weak spots and exposure to cybercriminals, as well as a concrete incident response framework, aligned with the business’s reality.

This guide will help small and medium-sized businesses to identify exposure to cyberthreats and elaborate a comprehensive response plan in case a cyberattack occurs.

What does vulnerability mean in SMB environments?

What are SMBs’ most frequent vulnerabilities?

How to build an incident response framework as an SMB

The importance of role clarity: who owns what?

Which common mistakes can increase risk?

What are the characteristics of a low-vulnerability SMB?

Checklist: The actions to take during an incident

How to reduce weaknesses before the next incident

What can you do today to improve your security?

Frequently asked questions

What does vulnerability mean in SMB environments?

According to our 2026 SMB Cybersecurity Report, 39% of SMBs say that they’ve faced a cyber incident due to human error at some point, highlighting that behavioral issues drive vulnerability. Security tools and technology are still at the center of business security, but behavior also matters.

Lack of preparation, everyday habits, and small oversights, like insecure sharing of credentials or skipping operational routines, are all potential triggers to a hacking or other cybersecurity incident.

A solid data breach prevention strategy requires banning common high-risk practices such as:

Team members using the same login for multiple sites.
Accounts staying active even after someone leaves (for more details, see our offboarding checklists).
Sharing sensitive information in spreadsheets, chats, plain text documents, and other insecure channels.
Employees following outdated security instructions.

Weakness in security isn’t just about hackers bypassing firewalls. More often, it’s about being unprepared, communicating ineffectively, or reacting too slowly when the unexpected strikes.

What are SMBs’ most frequent vulnerabilities?

There are several types of weak point that can be observed in businesses across all industries:

Weak credential security practices

Repeated use of easy-to-guess passwords, sharing them over chat, or writing them on insecure notes or spreadsheets are bad habits that create a massive risk. Passwords are often the first (and last) defense for critical accounts, but poor practices leave doors wide open for intruders.

Lack of least-privilege and role-based access

Many SMBs struggle when it comes to establishing a strong and role-based access policy with a least-privilege approach to ensure unnecessary permissions are avoided. Access and credentials must be limited to current employees and granted according to the requirements of their roles.

No incident response plan

Many teams assume that they’ll handle an incident if and when one occurs. But when a crisis hits, confusion reigns, with nobody knowing who’s responsible for what. A simple contact sheet and incident response plan can make the difference between a quick recovery and days of interruption.

Poor staff security awareness

Attackers know the most common weak link isn’t technology; it’s people. Phishing, fake invoices, and “urgent” messages from management all prey on distracted or untrained staff. It’s essential to conduct regular security training for all team members, not just a one-time onboarding event.

Shadow IT and unsanctioned cloud tools

With so many new SaaS platforms, it’s easy for employees to sign up for tools without approval. Since these shadow IT systems aren’t managed or monitored, critical data often ends up scattered in vulnerable locations outside the central business network. When these weak spots overlap, the impact multiplies.

The formula is simple: one password leak + poor communication + no plan = trouble that spreads quickly.

The Proton guide to security for growing businesses expands on these important themes with hands-on checklists and further reading.

How to build an incident response framework as an SMB

A clear plan, showing who does what, in what order, with which resources, is key for addressing a cybersecurity incident. Here are the steps you need to build a comprehensive and precise framework.

1. Preparation and security readiness

Initially, SMBs need a minimum level of structure in place in order to prevent incidents and be prepared in case a response plan is needed.

Start with the basics:

Maintain an up-to-date inventory of systems, devices, and SaaS tools.
Define who owns each system and who has administrative access.
Ensure backups are automated, tested, and stored securely.
Enable logging on critical systems (logins, file access, admin actions).
Centralize credentials using a business password manager.
Document an incident response checklist and key contacts.

Preparation also includes running simple “what if” scenarios with your team. Even informal tabletop exercises help identify confusion before a real crisis.

2. Early detection and reporting

You can’t respond to what you don’t see. Then, encourage a culture where employees report anything unusual without hesitation.

Common signals of cyber vulnerabilities include:

Unusual login attempts (unknown locations or devices).
Sudden password reset requests.
Unexpected system slowdowns or shutdowns.
Alerts from security tools or cloud platforms.
Employees reporting suspicious emails or messages.

Automated detection and strong employee awareness are key to spotting a possible cyber security breach early.

3. Initial containment and damage control

Once a threat has been detected, you need to act immediately.

Your first goal is to stop the spread:

Isolate affected devices from the network.
Disable or freeze compromised accounts.
Revoke active sessions in cloud tools.
Block suspicious IP addresses if possible.

If ransomware or active data exfiltration is suspected, shutting down affected systems may prevent further spread. Delays at this stage can turn a small issue into a business-wide incident.

4. Internal communication and assigning roles

Confusion destroys confidence during a crisis. Clear communication ensures coordinated and effective action.

Quickly inform inform everyone who needs to know about the incident:

IT administrators (internal or outsourced).
Team leaders and managers.
Senior decision-makers.

Assign clear roles:

Who will update staff and leadership on progress?
Who handles external communication (customers, vendors, regulators)?
Who documents every step taken?

Make sure nobody is left in the dark. Roles overlap in many SMBs, but clarity helps everyone move in the same direction towards the same goal.

5. Lock down credentials and system access

Compromised credentials are one of the most common entry points for attackers, and securing access is critical to regaining control.

For a better chance of preserving credentials and system access:

Change all passwords and credentials related to the affected systems and enforce two-factor authentication (2FA).
Remove or suspend any suspicious accounts and check for active accounts belonging to ex-employees.
If you use a business password manager, revoke and reset all shared credentials centrally.

6. Investigation and root cause analysis

Investigation is key for adequate incident reporting and building a stronger cybersecurity culture.

Key actions include:

Build a timeline of the incident (what happened and when).
Review system logs, login history, and access reports.
Identify the initial entry point (phishing, stolen credentials, vulnerable software, unauthorized file access, malware activity, use of dormant or legacy accounts).
Conduct interviews with affected employees if necessary.

7. Recovery and resuming operations

Once the threat is contained and you’ve gained some insight as to how it started, the focus shifts to re-establishing normal operations:

Restore systems and data from clean backups.
Re-enable services gradually, prioritizing critical operations.
Monitor systems closely for any recurring suspicious activity.

Communication and transparency help rebuild trust and reduce uncertainty. Then:

Inform employees about safe system usage post-incident.
Notify customers or partners according to your local data regulatory body’s requirements.
Comply with any legal or regulatory reporting obligations.

8. Post-incident review and continuous improvement

To prevent the same error from happening again after recovery, your next steps are to:

Identify what worked and what failed.
Update your incident response plan accordingly.
Fix gaps in tools, processes, or training.
Schedule follow-up security awareness sessions.

This analysis helps transform reactive firefighting into long-term resilience.

9. Classifying and keeping record of incidents

Every incident is a learning opportunity, so keeping a running list of observations about any and all incidents makes planning for the future easier.

To keep complete records, include the following information:

Date and type of incident.
Systems affected.
Root cause.
Actions taken.
Impact level.

Classifying the attempt according to its severity is also a key factor to prioritize response and resource allocation.

A clear classification, in a simple language, will make it. For example:

Critical: Could stop operations or expose sensitive information quickly.
High: May allow outside access to important data or systems.
Medium: Could be used as a “stepping stone” or cause confusion.
Low: Unlikely to have a serious impact alone, but worth fixing.

You can also use ready-to-use scoring systems, such as the NIST’s vulnerability severity frameworks (NIST CVSS), as a reference.

The importance of role clarity: who owns what?

SMBs rarely have a dedicated security team. But that doesn’t mean nobody owns these tasks, and assigning roles is essential to boost confidence and speed up response.

In fact, clearly assigning responsibilities is one of the fastest ways to improve response time and reduce confusion during an incident. There are six key roles you need to define in an incident response plan.

Incident coordinator

As the main contact, the incident coordinator is responsible for keeping the response organized and on track.

Typical tasks include:

Declaring when an incident is officially being handled.
Activating the response plan and notifying key stakeholders.
Prioritizing actions and ensuring deadlines are met.
Acting as the bridge between technical and non-technical teams.

Technical responder

This team member will be responsible for investigating and containing the incident from a systems perspective.

Their main tasks are:

Isolating affected devices or accounts.
Resetting passwords and enforcing access controls.
Reviewing logs and identifying the source of the issue.
Coordinating with external IT providers or security vendors if needed.

Communications lead

This role involves managing how information is shared internally and externally.

The communications lead is in charge of:

Informing employees about what happened and what actions to take.
Preparing messages for customers, partners, or vendors.
Handling sensitive communication to avoid panic or misinformation.
Supporting compliance with notification requirements when applicable.

Documentation lead

The documentation lead ensures that every step of the incident is properly recorded.

Their key tasks are:

Keeping a timeline of events and actions taken.
Collecting evidence such as logs, screenshots, or email traces.
Documenting decisions and their rationale.
Preparing reports for internal review, legal, or insurance purposes.

Clearly defined roles reduce overlap and hesitation. They also discourage finger-pointing in stressful situations.

Which common mistakes can increase risk?

Some errors, such as waiting too long or underestimating the severity of a threat, are likely to increase the damage of a security incident.

So, make sure to keep away from the following common mistakes:

Delaying containment: doubting yourself after the first red flag wastes precious response time.
Failing to rotate credentials promptly: attackers often sit inside breached accounts, waiting for the chance to return.
Ignoring communications: staff left in the dark will make independent decisions, multiplying the risk.
Not writing down actions: lack of documentation disrupts insurance claims, regulatory notifications, and learning from incidents.
Underestimating the power of reputation: even small breaches, if poorly handled, erode customer confidence

When dealing with a cybersecurity incident, speed, transparency, and humility are key factors that can make a huge difference in outcomes.

What are the characteristics of a low-vulnerability SMB?

Having strong security doesn’t require a large team or a dedicated IT department. Successful companies treat weak spots like any other business process, with regular attention and honest conversation:

A clear owner for security, even if it’s not their full-time job.
Step-by-step response playbooks, reviewed regularly.
Well-defined access rights, updated every time roles change
Security woven into business planning, not just IT.
Regular audits to keep the response plan sharp.
Transparency about mistakes, driving long-term trust.

Above all, low-exposure companies nurture a culture where no one is punished for reporting mistakes or questioning habits. Psychological safety is just as important as technical security in these environments.

Checklist: The actions to take during an incident

Here’s a list of tasks that you can adapt to build a checklist for your own organization:

Confirm the incident: write down what triggered your suspicion.
Isolate infected or breached devices/accounts.
Change all relevant passwords immediately.
Inform key staff and assign documentation responsibility.
Identify breached systems and shut down or disconnect as needed.
Begin an internal communication loop to update about concluded actions and next steps.
Contact legal, IT, or external advisors as required.
Collect error logs, email traces, and other evidence.
Begin restoring lost or encrypted data only after systems are clean.
Notify customers or authorities only after understanding what happened.
Debrief, update your plan, and schedule new awareness training.

Assign these tasks in your security documentation, and revisit after every incident or test to improve your resilience and ensure business continuity.

How to reduce weaknesses before the next incident

Fortunately, you don’t need a giant budget or a formal security office to prepare for disaster. Most of the best defenses are common sense, documentation, and regular follow-up.

Let’s examine the most important principles that will prevent incidents within any business.

Strong credential policies

Your organization should require unique, hard-to-guess passwords, and 2FA for every account. Use a business password manager to avoid sticky notes or email-based sharing.

Least-privilege and role-based access

Regularly review permissions for every team member in your organization. Does everyone who can access billing, client lists, or cloud dashboards actually need daily access? Limit rights to just what’s required to get the job done.

Regular staff training

This doesn’t need to take hours. Even a 20-minute quarterly session on how to recognize suspicious emails, avoid odd pop-ups, or handle password resets can cut incidents dramatically.

Periodic risk reviews

On a regular basis, step back and scan your business as if you were looking for exposures, just like an attacker would. Review lost laptops, cloud accounts, old employees, and forgotten SaaS platforms. Honestly acknowledging gaps is the best investment you can make in your own resilience.

Incident response checklist

This checklist doesn’t have to be extensive immediately. Start with a one-page summary, including who to call, what to do first, and where records will be kept. Refine it every six months, or after an incident.

What can you do today to improve your security?

It can be difficult to know where to start with your own cybersecurity measures. Here are practical, immediate actions you can take this week:

Print or bookmark your own incident response checklist and cybersecurity incident report template.
Review who holds admin credentials and update them using a centralized password manager like Proton Pass for Business.
Schedule a team meeting to clarify roles during a digital crisis.
Send out a short “how to recognize phishing” guide to your entire team.
Update your access list and close out dormant user accounts or SaaS tools.
Read the latest research from the enterprise tools category for tips on useful security add-ons.
Commit to reviewing your policy and process after every event, large or small.

For those seeking hands-on templates, learning resources, or technology that truly empowers teams instead of trapping them in complexity, we recommend using Proton’s Practical Guide to Security for Growing Businesses. The guide matches many best practices discussed here and arms you with complete information, checklists, and important steps.

Frequently asked questions about cybersecurity vulnerabilities

What is a vulnerability in cybersecurity?

A vulnerability in cybersecurity is any flaw, gap, or oversight that allows attackers to gain unauthorized access to systems, data, or infrastructure. These gaps can exist in technology (like unpatched software), processes (like granting excessive permissions), or human behavior (like falling for phishing emails). For SMBs, weaknesses often overlap across all three categories, so reviewing and updating exposure points is ongoing work.

How can SMBs detect vulnerabilities?

SMBs can spot weaknesses by conducting regular cybersecurity assessments, reviewing permissions, scanning for outdated software, and checking for unused accounts or unsanctioned tools. Monitoring alerts from firewalls or login services, encouraging staff to report odd activity, and running phishing simulations are other practical steps. Periodic “tabletop tests,” where the team walks through a mock breach, often expose where processes need improvement. References like NIST CVSS and guidelines from Proton’s Security Guide for Growing Businesses help review ideas following a structured path.

What steps help reduce cybersecurity vulnerabilities?

The main steps are to use a password manager, enforce unique logins, review and minimize permissions, create an incident response checklist, and train staff regularly on security basics. Do not overlook simple fixes like keeping software updated, logging off unused devices, and deleting any dormant cloud or SaaS accounts. Make security a recurring agenda item in leadership meetings, and record lessons learned from any incidents as part of ongoing improvement.

Why is incident response planning important?

Incident response planning provides structure, clarity, and speed during a crisis, reducing confusion and business disruption. With an agreed plan, everyone knows their role, main contacts, and recovery steps. Even basic planning helps minimize the impact of any breach on customers, finances, and company reputation. The National Cybersecurity Alliance and the US Small Business Administration (SBA) both request small businesses to develop, document, and rehearse their own response frameworks.

How to build a resilient security framework?

A resilient security framework is built by assigning clear roles, documenting every process, enforcing strict business password management, and making security training regular for every team member. Test your response plan in “fire drills,” and refine it every time something changes in your business. Integrate your incident response with overall business continuity to keep everyone on the same page.

How a password manager supports GDPR compliance for businesses

Kate Menzies — Thu, 02 Apr 2026 15:53:50 GMT

Organizations handling personal data in countries where the General Data Protection Regulation (GDPR) applies must maintain strict security controls in order to comply. Whether you’re a technology company, financial services provider, healthcare organization, or SaaS platform, access to personal data within your business network needs to be governed by authentication systems. This means that weak credential practices are one of the most common sources of regulatory risk.

Regulators increasingly expect companies to demonstrate that they’ve implemented appropriate technical and organizational safeguards to protect personal data. In practice, many incidents that lead to investigations or breach notifications originate from a simple but critical vulnerability: compromised credentials.

Password management has become an important component of enterprise data protection strategies. When implemented correctly, a business password manager such as Proton Pass for Business can support several key GDPR principles, including secure processing, controlled access to personal data, and accountability.

Although a business password manager alone does not guarantee GDPR compliance, structured credential management significantly reduces exposure to some of the most common operational risks that lead to data breaches and regulatory scrutiny.

GDPR authentication, access control, and data protection requirements

The role of authentication and authorization in GDPR compliance

How credential mismanagement increases data breach and GDPR compliance risk

How password management supports GDPR obligations

How can password management support GDPR compliance?

GDPR compliance goes beyond password managers

Structuring your approach: Step-by-step guidance for businesses

Real-world tips for better access control and password security

How Proton Pass for Business supports secure access governance

Frequently asked questions about GDPR and password management

At their core, GDPR compliance requirements are designed to make sure that personal data is handled responsibly and protected from unauthorized access, loss, or misuse. While the regulation covers many aspects of data governance, security and access control play a central role.

Several provisions of the regulation directly relate to authentication and access governance:

Article 5 — Principles of processing: Requires integrity and confidentiality safeguards when processing personal data.
Article 25 — Data protection by design and by default: Organizations must implement systems that limit access to personal data to only those who require it.
Article 32 — Security of processing: Requires technical and organizational measures such as encryption, resilience of systems, and mechanisms ensuring ongoing confidentiality and integrity.

From an operational perspective, organizations are expected to implement measures such as:

Strong access controls for internal systems and databases.
Unique user accounts that provide traceability for actions taken within systems.
Secure credential storage practices.
Periodic reviews of who has access to personal data.
Technical safeguards that prevent unauthorized access or credential compromise.

Regulators also increasingly expect companies to demonstrate evidence of these measures, particularly when responding to data subject complaints, regulatory inquiries, or breach investigations. Strong credential governance is a security concern as well as a documentation and accountability issue.

The role of authentication and authorization in GDPR compliance

Authentication and authorization are foundational mechanisms for enforcing GDPR security principles.

Authentication verifies the identity of a user accessing a system, while authorization determines the scope of data and systems that user is permitted to access. When these controls fail, personal data can be exposed to unauthorized parties, creating both security risks and compliance liabilities.

Standard safeguards expected in modern business environments include:

Unique user identities tied to individual employees.
Strong password requirements and password reuse restrictions.
Secure credential storage and transmission practices.
Two-factor authentication (2FA) for core systems.
Logging and monitoring of authentication events.
Automated session expiration and inactivity controls.

Despite these established best practices, many organizations still struggle to enforce consistent credential policies across dozens or even hundreds of internal applications and third-party services.

In distributed work environments where employees rely heavily on cloud tools and SaaS platforms, centralized credential management becomes essential for maintaining consistent security controls.

How credential mismanagement increases data breach and GDPR compliance risk

Credential compromise remains one of the most common causes of data breaches. According to the Verizon 2025 Data Breach Investigations Report, the primary hacking variety for both SMBs and large organizations is the use of stolen credentials, at 32% in large organizations and 33% in SMBs. Leveraging stolen credentials has been one of the common ways into an organization for the last several years.

Human behavior plays a major role in this risk. Employees frequently reuse passwords across multiple systems, share credentials informally with colleagues, or store sensitive login details in unsecured documents.

Typical examples include:

Passwords stored in spreadsheets or internal documents
Sharing credentials for shared platforms insecurely, with no oversight or control
Password reuse across corporate and personal accounts
Orphaned accounts that remain active after employee departures

These practices significantly increase the attack surface for organizations. If a single credential is compromised through phishing, credential stuffing, or malware, attackers may gain access to systems containing personal data.

As outlined in our analysis of the biggest cybersecurity threats businesses face today, phishing attacks and credential theft remain among the most effective methods used by attackers to gain unauthorized access to corporate systems.

For organizations subject to GDPR, these types of breaches can trigger regulatory reporting obligations, financial penalties, and reputational damage.

The link between access control and data minimization

One of the core principles of GDPR is data minimization, which requires organizations to limit both the amount of personal data collected and the number of individuals who can access it.

In practice, this principle requires companies to implement strict access governance policies that ensure personal data is only accessible to personnel whose job responsibilities require it.

Poor credential management undermines this objective. When access credentials are widely shared or poorly tracked, organizations lose visibility into who actually has access to sensitive systems.

This creates several compliance risks:

Employees may retain access to systems long after their roles change.
Contractors or vendors may continue to access systems after projects end.
Sharing credentials (without using a password manager with activity logs enabled), which makes it impossible to attribute actions to specific users.

Effective password management improves visibility into credential ownership and simplifies the process of granting, reviewing, and revoking access rights.

Password managers have evolved from simple credential storage tools into comprehensive access management platforms. For organizations managing large volumes of accounts across cloud services, internal systems, and third-party applications, they can serve as an important layer of security and access governance.

Modern business password managers such as Proton Pass for Business combine secure credential storage with features like end-to-end encryption, centralized access control, and secure credential sharing, helping organizations manage authentication risks more effectively.

When implemented as part of a broader security strategy, these capabilities can directly support several GDPR obligations related to secure processing, controlled access to personal data, and operational accountability.

Security of processing

Article 32 requires organizations to implement appropriate technical measures to ensure the security of personal data.

Password managers strengthen authentication security by automatically generating strong, unique passwords for each service or system. This eliminates password reuse and reduces the risk of brute-force attacks or credential stuffing.

Business password managers such as Proton Pass for Business also apply end-to-end encryption to stored credentials and metadata, ensuring that login information remains protected even if infrastructure is compromised.

Access control

Password managers help organizations enforce structured access control and apply the principle of least privilege across their systems. Rather than relying on informal sharing or static credentials, access to sensitive accounts can be managed centrally and adjusted as business needs change.

Administrators can:

Grant access to credentials on an as-needed basis.
Share credentials securely without exposing the underlying password.
Revoke access instantly when employees leave or responsibilities change.
Update or rotate credentials to maintain security over time.

These capabilities make it easier to maintain accurate access records, reduce unauthorized exposure, and ensure that personal data is only accessible to authorized personnel.

Auditability and accountability

GDPR places significant emphasis on accountability. Organizations must be able to demonstrate that appropriate safeguards are in place and that access to personal data is monitored.

Password managers provide detailed activity logs that record when credentials are accessed, modified, or shared. These logs can help security teams investigate incidents, demonstrate compliance during audits, and respond to regulatory inquiries.

Breach risk reduction

Credential reuse and weak passwords are major contributors to data breaches. Password managers address these risks through automated password generation, breach detection alerts, and secure credential sharing mechanisms. They will also perform password health checks, notifying the user of weak or reused passwords with the option to change them instantly for optimal security.

Reducing the likelihood of credential compromise directly supports GDPR’s objective of minimizing both the likelihood and impact of personal data breaches.

Structured credential management plays a central role in this approach. By standardizing how passwords are generated, stored, and shared, organizations can enforce best practices consistently rather than relying on individual user behavior. With Proton Pass for Business, teams can enforce strong password requirements, support two-factor authentication (2FA), and establish secure data sharing practices that reduce the risk of exposure.

Password managers can support GDPR compliance in several operational scenarios:

Employee offboarding: When an employee leaves the organization, administrators can immediately revoke access to shared credentials and internal systems, reducing the risk of unauthorized access.
Secure credential sharing: Teams that rely on shared SaaS tools can grant access to credentials without exposing the underlying password, ensuring access remains traceable and controlled.
Incident response: If a credential is compromised during a security incident, administrators can quickly identify affected systems, rotate passwords, and document mitigation measures for regulatory reporting.

These operational efficiencies are particularly valuable for organizations managing hundreds or thousands of digital services across distributed teams and cloud platforms. The Proton guide to building a cybersecurity culture in small businesses highlights how organizations can combine security tools with employee training and clear policies to reinforce secure practices across teams.

GDPR compliance goes beyond password managers

Although password managers strengthen security controls, they’re only one component of a comprehensive GDPR compliance program.

They don’t replace:

Data mapping and processing activity records.
Legal assessments of lawful data processing.
Data minimization policies and retention frameworks.
Employee training and internal governance policies.
Incident detection and regulatory notification processes.

GDPR compliance requires both technical safeguards and organizational governance. Password managers contribute to the technical side of this framework but must be integrated with broader data protection practices.

Integrating password management in a wider compliance strategy

Organizations seeking to strengthen GDPR compliance should treat credential management as part of a wider data protection architecture.

Effective strategies typically combine:

Centralized credential management
Role-based access governance
Employee security awareness training
Documented data protection policies
Continuous monitoring of authentication activity

When combined with robust policies and security awareness programs, password management becomes an important operational control that supports both security and regulatory accountability.

Structuring your approach: Step-by-step guidance for businesses

Implementing effective access governance requires both technical controls and structured processes. Organizations beginning their GDPR security journey can follow the practical sequence below to strengthen authentication practices.

Inventory all systems and services that process or store personal data. This includes internal platforms, SaaS applications, and third-party integrations.
Assign individual user accounts to employees. When shared accounts are unavoidable, access should be managed through secure, auditable methods that maintain traceability and allow administrators to control, monitor, and revoke access as needed.
Deploy a business password manager, such as Proton Pass for Business, and assign administrative roles to security or IT teams.
Store all business credentials within the password manager and enforce strong password generation policies across systems.
Implement structured onboarding and offboarding procedures, ensuring credentials are granted and revoked in line with employee roles.
Conduct periodic access reviews, verifying that users only retain access to systems required for their current responsibilities.
Provide employee training on password security risks, including phishing, credential reuse, and safe credential sharing practices.
Maintain activity logs and document reviews to demonstrate compliance during security audits.

By following these steps, organizations can significantly reduce their attack surface while also creating repeatable workflows that support ongoing regulatory compliance.

Real-world tips for better access control and password security

Strong credential hygiene practices are most effective when they combine technical safeguards with practical operational policies. If you’re a security leader responsible for protecting personal data, you should consider implementing the following practices:

Enforce unique passwords for every business service. Password reuse significantly increases the risk of credential compromise through credential stuffing attacks.
Rotate credentials for sensitive systems periodically, particularly following employee departures or role changes.
Avoid transmitting credentials through email or messaging platforms. Use secure password sharing tools within password managers instead.
Disable unused accounts promptly. Dormant accounts frequently become entry points for attackers.
Provide regular security awareness training. Short, frequent reminders about phishing and password hygiene are often more effective than annual training sessions.
Use credential health monitoring tools to identify weak, reused or breached passwords early.
Encourage employee feedback on authentication workflows so security policies remain both effective and practical.

These operational practices complement technical safeguards and help organizations maintain a resilient authentication environment.

How Proton Pass for Business supports secure access governance

For organizations operating under GDPR or other data protection frameworks, access governance must extend beyond basic password storage. Modern enterprises rely on dozens, often hundreds, of SaaS applications, internal systems, and cloud services, each requiring secure authentication and controlled access.

According to research from Okta’s Businesses at Work report, large organizations now use an average of over 100 SaaS applications, creating significant complexity in managing credentials and permissions across teams.

Proton Pass for Business is designed to address this operational challenge by combining secure credential management with enterprise-grade access governance. Built on Proton’s privacy-first infrastructure, the platform applies end-to-end encryption to stored credentials and metadata, ensuring that sensitive authentication data remains protected at all times, even from the service provider.

The Proton Pass architecture also aligns closely with the transparency and accountability principles embedded in GDPR. Proton Pass is open source and independently audited, allowing organizations to verify security claims and evaluate how data is handled. This level of transparency is increasingly important as enterprises face growing scrutiny around vendor security practices and supply chain risk.

Key capabilities that support GDPR-related security and governance include:

Centralized administrative controls: Security teams can allocate, modify, and revoke credential access across employees or teams in seconds, ensuring access privileges remain aligned with organizational roles.
Open-source transparency: Publicly available code enables independent security review and reduces the risk of undisclosed data flows.
End-to-end encryption: All stored credentials and sensitive metadata are encrypted on the user’s device, ensuring only authorized users can access login data.
Swiss privacy jurisdiction: Proton operates under Switzerland’s strong privacy laws, providing clear legal protections and predictable jurisdictional oversight for data handling.
Independent security audits: Regular third-party audits reinforce accountability and validate security claims.
Streamlined deployment: Quick implementation and intuitive interfaces help organizations adopt strong authentication practices without disrupting workflows.
Seamless workflow integration: Proton Pass integrates with browser environments and existing productivity tools, supporting rapid onboarding for employees and contractors.

Together, these capabilities transform Proton Pass from a simple password manager into a centralized access governance tool. For security leaders responsible for protecting sensitive data and maintaining compliance, the ability to manage credentials, enforce strong authentication practices, and maintain visibility over access activity is essential.

As organizations expand their digital infrastructure, fragmented credential management and inconsistent authentication policies become significant risk factors. A unified business password manager helps reduce this complexity while strengthening operational security controls.

Frequently asked questions about GDPR and password management

What role does password management play in GDPR security requirements?

Password management supports GDPR security requirements by strengthening authentication and access control across systems that process personal data. Under Article 32, organizations must implement appropriate technical and organizational measures to protect data. Password managers help enforce strong credentials, secure storage, and controlled access to accounts, reducing the likelihood of unauthorized access and credential-based attacks.

Does GDPR require strong password policies for businesses?

GDPR does not prescribe specific password rules, but it requires organizations to implement appropriate security measures to protect personal data. In practice, this means enforcing strong password policies, preventing password reuse, and implementing secure authentication systems. Many organizations use password managers to automate these practices and ensure consistent enforcement across cloud services and internal applications.

How do password managers reduce the risk of data breaches?

Password managers reduce breach risk by generating strong, unique passwords for each account and securely storing them in encrypted vaults. This prevents common vulnerabilities such as password reuse, weak credentials, and insecure credential storage.

They also strengthen defenses by supporting two-factor or multi-factor authentication (2FA/MFA), alerting users to compromised or reused credentials, and enabling secure credential sharing without exposing sensitive information.

By addressing both technical weaknesses and human error, password managers help organizations protect systems from phishing attacks, credential stuffing, and other forms of unauthorized access.

How do password managers support access governance in organizations?

Password managers improve access governance by centralizing credential management and enabling administrators to control who can access specific systems or accounts. Organizations can track credential usage through audit logs and revoke access quickly when employees leave or change roles, which helps enforce the principle of least privilege and strengthen accountability across teams.

What features should a password manager have for GDPR compliance?

When evaluating password managers for GDPR-aligned security practices, organizations should look for features such as end-to-end encryption, strong administrative controls, secure credential sharing, detailed activity logging, and independent security audits. Transparency, open-source architecture, and clear data protection policies can also help organizations verify that the solution aligns with privacy and compliance expectations.

Can password managers help during a GDPR audit or compliance review?

Yes. Password managers can provide valuable documentation during audits or compliance reviews by demonstrating how authentication and access control policies are enforced. Activity logs, centralized management, and credential access records can show auditors that the organization maintains oversight of who can access sensitive systems and how those permissions are managed over time.

Congress is about to renew warrantless surveillance. And VPN users are caught in the middle.

Edward Komenda — Wed, 01 Apr 2026 19:06:39 GMT

As Congress moves toward renewing Section 702 of the Foreign Intelligence Surveillance Act (FISA), the debate is starting to encroach upon something far more familiar: the tools people use to protect themselves online.

VPNs, used by millions to keep their internet activity private, route traffic through servers around the world. But that basic function raises a question lawmakers are only beginning to confront: What happens when protecting your privacy makes your activity look foreign?

A surveillance law that was never meant for you

Section 702 allows US intelligence agencies to collect communications from foreigners abroad without a warrant. In practice, that boundary has never held.

The system routinely pulls in Americans’ emails, messages, and calls when they interact with foreign targets or pass through global infrastructure.

Civil liberties groups, lawmakers, and even courts have raised concerns for years about how often that data is searched without a warrant. Now the law is up for renewal again, with an April deadline fast approaching. And despite repeated evidence of overreach, there is a push in Washington to extend these powers with minimal changes.

Support for surveillance is bipartisan, but so is the backlash. Jim Himes, the top Democrat on the House Intelligence Committee, recently faced protesters at a town hall raising concerns about Section 702.

The VPN problem no one accounted for

A new letter from senators including Ron Wyden raises a different risk — one that didn’t exist when Section 702 was written.

VPNs obscure a user’s location by routing traffic through servers around the world. But under current surveillance rules, that same behavior can make an American look like a foreigner.

Lawmakers are asking whether intelligence agencies treat VPN traffic as “foreign” by default — a classification that could strip users of constitutional protections and place them inside the Section 702 surveillance pipeline.

A renewal without reform expands the risk

There are proposals on the table to fix this. Mark Warner, who chairs the Senate Intelligence Committee, has said lawmakers will address concerns around the expanded definition of “electronic communication service providers” (ECSPs).

That expansion widened who can be forced to assist in surveillance. It no longer stops at telecoms or email providers. It can include anyone with access to the systems your data passes through, from cloud services to public WiFi networks. Surveillance moves closer to the infrastructure of the internet, increasing the number of places where data can be collected under Section 702.

The bipartisan Government Surveillance Reform Act would go further. Backed by lawmakers including Ron Wyden and Mike Lee, the bill would require a warrant before agencies can search Americans’ data collected under Section 702 and close a loophole that allows the government to buy personal data from brokers instead of going to court.

That loophole matters because information that would normally require a warrant, like location data or browsing history, can be purchased on the open market with no judicial oversight.

The bill would also roll back some of the most controversial recent changes, including how broadly the government can force companies or infrastructure providers to assist with surveillance.

These changes target a known issue: surveillance systems built for foreign intelligence have been turned inward through technical loopholes and broad interpretations. As Ron Wyden has warned, Americans would be “stunned” to learn how these authorities are actually being used.

Without reform, those gaps stay open. And as VPN use becomes more common, more ordinary behavior risks being swept into foreign intelligence collection.

Where Proton stands

At Proton, we build tools that give people control over their data without exposing them to hidden tradeoffs. Privacy should not depend on how your traffic is classified by a surveillance system. It should be the default.

Using a VPN still protects you. It encrypts your internet traffic and prevents your provider, network operator, or anyone on the same connection from seeing what you do online. That protection matters, and it works. But encryption alone does not fix how surveillance laws are written. If your activity falls outside that protection, or is collected elsewhere, it can still be swept into systems like Section 702.

This also raises a broader issue. Privacy should not stop at national borders. People should not be subject to surveillance simply because they are not American. Legal protections may vary. The principle does not.

As lawmakers debate the future of Section 702, the stakes extend beyond intelligence policy. They shape what protection actually means in practice, and who receives it.