The announcement that Pornhub has reopened access to UK iPhone users following Apple’s iOS 26.4 update has been greeted in some quarters as a breakthrough moment for device-based age assurance. It is not. What has occurred is the emergence of a partial ecosystem-level child safety measure that some are now attempting to treat as equivalent to the highly effective age assurance (HEAA) required under the UK Online Safety Act. It is not clear that it meets that standard, and regulators should examine the arrangement carefully before treating it as a precedent.
Put simply: Pornhub is not checking the user itself, cannot know whether the adult who verified with Apple is the person actually using the device, and receives no secure or authenticated age-verification confirmation from Apple. Apple may know the age of the Apple account holder, but Pornhub does not.
Apple’s iOS 26.4 introduced an account-level age attestation for UK Apple ID holders. Users are prompted to confirm they are 18 or over, with verification carried out by Apple itself using factors such as account tenure, a registered payment card or a scan of a qualifying photo ID. Those who complete the process have certain default restrictions lifted on their device, including Safari’s web content filter, which had been blocking access to adult sites. Those who do not complete it are treated by the device as though they may be minors.
This is a meaningful child safety measure within Apple’s own ecosystem, and Ofcom has welcomed it in appropriately positive terms. Apple has clearly worked seriously to raise the baseline of protection across iOS devices in the UK. But this remains fundamentally an internal account governance mechanism operated by Apple, not an age verification service directly provided to third-party websites.
The Online Safety Act places the duty to implement HEAA squarely on the service provider, in this case Pornhub. To discharge that duty, the service must be able to demonstrate that its age assurance process satisfies Ofcom’s four criteria of technical accuracy, robustness, reliability and fairness.
The central difficulty is that Pornhub does not appear to receive any authenticated signal, signed token or cryptographically verifiable assertion from Apple confirming that a specific user has been age-verified. Apple’s Declared Age Range API, which can provide a method-of-verification signal to developers, is available only to native applications built against recent iOS SDKs, not to ordinary websites. Apple’s web-facing implementation of the W3C Digital Credentials API in Safari could, in principle, support cryptographically signed and user-consented age assertions to websites. However, Pornhub does not appear to have implemented this approach and, consistent with Apple’s wider privacy architecture, such assertions would require explicit user consent in any event.
If access is instead being granted principally on the basis of browser or device characteristics indicating an iOS 26.4 environment with Safari restrictions removed, serious questions arise regarding robustness and resistance to circumvention. Browser environment indicators and User-Agent strings are relatively easy to spoof. A browser-environment inference alone would not appear capable of satisfying Ofcom’s robustness requirement, particularly given Ofcom’s explicit rejection of simple self-declaration as a sufficient standalone mechanism.
More fundamentally, several of the core components normally associated with high-assurance age verification appear absent from the relying party’s perspective. There is:
- no proofing visible to the website itself: the service has no direct knowledge of how, or indeed whether, Apple verified the user.
- no binding connecting the verified Apple account to the individual presently using the browser session.
- no authentication step through which a credential, signed token, or cryptographically verifiable assertion is transmitted between Apple and the website.
The statutory duty rests with Pornhub, not with Apple. Apple’s internal attestation process, however well-designed for Apple’s own purposes, does not automatically discharge a third party’s legal obligations under the Online Safety Act.
Ofcom may ultimately conclude that ecosystem-level controls implemented by major platform operators can contribute materially to a broader assessment of age assurance effectiveness. That is a legitimate policy question. But even under such an approach, the relying service would still legally require a demonstrable, authenticated and reasonably resistant mechanism establishing that the individual accessing the content is genuinely associated with the verified adult status being relied upon.
None of this means that device-based or reusable age assurance is the wrong direction. Quite the contrary. The underlying vision – that a user should verify their age once to a trusted provider and then be able to assert that status securely and privately across multiple services – is precisely the direction in which the age verification industry is moving. Interoperable, tokenised and privacy-preserving age credential systems already demonstrate how this can be achieved properly: through cryptographic binding, selective disclosure, explicit user consent and signed assertions that relying parties can independently verify.
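To make the three missing components listed earlier (proofing, binding, authentication) and the "signed assertions that relying parties can independently verify" concrete, here is an added sketch of a relying-party check; it is not code from Apple, Pornhub or any age-assurance provider. The token layout, claim names, `site.example` audience and the `photo-id` method label are all assumptions made for illustration, and it assumes the issuer has authenticated the user and obtained consent before signing.

```javascript
// Added illustration only: not Apple's, Pornhub's or any provider's protocol.
const crypto = require('node:crypto');

// Constructed Ed25519 key pair standing in for a hypothetical age-assurance issuer.
const issuerKeys = crypto.generateKeyPairSync('ed25519');

// Issuer side: sign a minimal claim set. `method` gives the relying party
// visibility of the proofing; `aud` and `nonce` bind it to one site and session.
function issueAssertion(privateKey, { audience, nonce, method, now = Date.now(), ttl = 120 }) {
  const claims = { over18: true, method, aud: audience, nonce,
                   exp: Math.floor(now / 1000) + ttl };
  const payload = Buffer.from(JSON.stringify(claims));
  const sig = crypto.sign(null, payload, privateKey);
  return payload.toString('base64url') + '.' + sig.toString('base64url');
}

// Relying-party side: every check must pass before access is granted.
function verifyAssertion(token, publicKey, { audience, nonce, methods, now = Date.now() }) {
  const [p, s] = String(token).split('.');
  if (!p || !s) return { ok: false, reason: 'malformed' };
  const payload = Buffer.from(p, 'base64url');
  // Authentication: the signature must verify under the issuer's public key.
  if (!crypto.verify(null, payload, publicKey, Buffer.from(s, 'base64url')))
    return { ok: false, reason: 'bad-signature' };
  const c = JSON.parse(payload.toString('utf8'));
  if (c.over18 !== true) return { ok: false, reason: 'no-age-claim' };
  // Proofing: accept only methods this service has assessed.
  if (!methods.includes(c.method)) return { ok: false, reason: 'method-not-accepted' };
  // Binding: issued for this site, this session's nonce, and still fresh.
  if (c.aud !== audience) return { ok: false, reason: 'wrong-audience' };
  if (c.nonce !== nonce) return { ok: false, reason: 'nonce-mismatch' };
  if (c.exp * 1000 < now) return { ok: false, reason: 'expired' };
  return { ok: true, method: c.method };
}

// Constructed session: the site generates a nonce, the issuer signs over it.
function demo() {
  const nonce = crypto.randomBytes(16).toString('hex');
  const site = { audience: 'https://site.example', nonce, methods: ['photo-id'] };
  const token = issueAssertion(issuerKeys.privateKey, { ...site, method: 'photo-id' });
  return verifyAssertion(token, issuerKeys.publicKey, site);
}
```

A request that carries no such token gives the service nothing to verify, which is the gap the article describes: the decision then rests on values the client supplies about itself.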
Indeed, Apple’s own implementation of the W3C Digital Credentials framework points toward exactly this sort of future architecture. Properly deployed, and with agreed commercial terms and liability agreements, such systems could form part of a genuinely compliant HEAA ecosystem for websites. But that future architecture is not what is operating here today. Until authenticated and verifiable age assertions are actually being contractually transmitted to relying services in a manner resistant to spoofing and circumvention, Pornhub’s return to the UK should not be treated as evidence that the requirements of Parliament have been fully satisfied.