Internet Freedom Weekly: News Recap, April 20–24, 2026

This week’s news shows a clear direction of travel: governments and platforms are expanding age verification and data collection systems, often faster than they can secure or justify them. 

Alongside these developments, we also took a deeper look at the bigger patterns behind ongoing encryption debates and the growing role that network-level control plays in your access to the internet. This is what you need to know about internet freedom April 20–24, 2026.

The EU's Age Verification App Was Hacked in Two Minutes and Patched the Next Day

The European Commission’s newly released age-verification app, marketed as a privacy-preserving cornerstone of future digital identity infrastructure, was hacked in less than 2 minutes using nothing more than a file explorer. By editing a local configuration file, security consultant Paul Moore reset PIN access, disabled biometric checks, and removed rate limits, highlighting fundamental design flaws rather than niche, theoretical edge-case bugs.

Although the Commission responded with a rapid fix and re-framed the app as a demo version of what’s to come, a March 2026 analysis suggests the system can’t even verify whether passport checks actually happened on a device, making the entire trust chain unverifiable, as it moves toward integration with the new EU Digital Identity Wallet.

Read the full article here.

Agencies Failed Three Girls in Southport, and the UK Wants to Ban VPNs as an Answer

A UK inquiry into the 2024 Southport murders, where three children lost their lives while attending a Taylor Swift–themed yoga and dance workshop, found the attack was entirely preventable, with repeated failures across police, social care, and other agencies to act on clear warning signs. Oddly enough, political momentum has shifted toward restricting VPN access for minors, framed as a way to enforce the Online Safety Act. 

The proposal builds on earlier efforts to age-gate or ban VPNs, despite little evidence that it would address the systemic failures identified in the report, and instead expands internet controls in response to an institutional breakdown.

Read the full article here.

Italy's Postal Service Turned Banking Apps Into Spyware and Got Fined $15M for It

Italy’s data protection authority fined Poste Italiane and its subsidiary Postepay a combined €12.5 million for forcing users to accept invasive device monitoring as a condition of accessing banking services. The apps collected identifiers of all installed and running applications, data capable of revealing sensitive behavioral patterns, and retained them for up to 28 months.

Regulators found the practice disproportionate to the initial goal of fraud prevention, uncovered multiple GDPR violations, and ordered changes. At the same time, the company plans to appeal on procedural grounds rather than disagreeing on the underlying data collection.

Read the full article here.

Arkansas' Social Media Censorship Law Got Blocked in Court for the Third Time

A US federal court has once again blocked Arkansas’ attempt to impose age-verification and content restrictions on social media, ruling that Act 900 likely violates the First Amendment. 

The law would have required websites to track users and collect sensitive data to comply with vague standards, repeating the same structural flaws that led courts to strike down two earlier versions of the law. 

Despite courts explicitly telling Arkansas there are constitutional alternatives to protect children online, the state has continued to pass vague content restriction laws rather than pursue them.

Read the full article here.

PlayStation Rolls Out Age Verification in UK and Ireland With No Announcement

Sony quietly began rolling out mandatory age verification for PlayStation users in the UK and Ireland, notifying users via email and a support FAQ rather than a formal announcement. Starting June 2026, unverified adult accounts will lose access to communication features such as voice chat and messaging, with verification handled by the third-party provider Yoti. 

The rollout aligns with UK Online Safety Act requirements and is expected to expand globally, reflecting a broader shift toward embedding identity checks into everyday online services.

Read the full article here.

The Fight for Encryption We Keep Coming Back To

As debates over encrypted messaging continue across the EU, the UK, and the US, we took a broader look at why this issue never seems to go away. Despite changing language and justifications, the core question remains the same: whether private communication should remain inaccessible to anyone beyond its participants. In this piece, we explore how repeated attempts to weaken or bypass encryption shape both security and everyday online behavior.

Read the full article here.

How and Why Online Regulation Is Increasingly Being Written by Telecom Realities

As governments increasingly use internet throttling, connection blocking, and internet shutdowns to control online access, we also examined how online regulation is shifting beneath the platform level. Rather than targeting sensitive content directly, these drastic measures shape what users worldwide can access online in the first place.

Read the full article here.

Taken together, this week’s developments show how quickly technical systems like age verification are being deployed, even as their risks remain unresolved. The broader analysis points to where this is heading: more pressure on private communication and even more control embedded deeper into the infrastructure of the internet.