Monday, July 28, 2025

UK Online Safety Act

EFF:

The U.K. Parliament has passed the Online Safety Bill (OSB), which says it will make the U.K. “the safest place” in the world to be online. In reality, the OSB will lead to a much more censored, locked-down internet for British users. The bill could empower the government to undermine not just the privacy and security of U.K. residents, but internet users worldwide.

Trust and Safety Laboratory:

Both the European Union’s Digital Services Act (DSA) and the United Kingdom’s Online Safety Act (OSA) aim to strike a balance between fostering innovation and safeguarding the internet for generations to come.

Craig Grannell (Mastodon):

I just received an email confirming I’ve successfully verified I’m an adult. Exciting! Except no, because age verification is now going to be a regular thing for me. Why? Because the UK Online Safety Act went into effect on 25 July. And this isn’t just something affecting the land of tea, crumpets and queues. Governments worldwide are implementing similar measures to prevent minors from accessing high-risk and age-inappropriate content.

[…]

Bluesky became the canary in the age-verification coal mine, warning Brits they’d soon lose access to DMs and 18+ content. Brits went bonkers (well, they tutted, which for a Brit is tantamount to furious rage), unaware all sites must comply or risk massive fines.

[…]

Even though the UK’s implementation is barely a day old as I write this, we’re already seeing signs of overreach. Far more than porn is being locked behind verification walls, including LGBTQ+ subreddits and subjects deemed ‘inappropriate’ for ideological reasons, such as sex ed.

[…]

There are privacy and surveillance concerns. Forcing people to register for accounts begins the process of eliminating online anonymity – a genuine danger to some. It expands scope for wider surveillance. So we’ll have to trust companies won’t retain, misuse or monetise deeply personal data. Which, given historical precedent, makes me wonder how long it’ll take to get from “we’ll remove your personal age verification details within seven days” to a data breach revealing countless people’s selfies and most personal browsing histories.

Kirk McElhearn:

The UK government has set up a system where people must upload an ID or a selfie to American corporations. There is nothing preventing these companies from storing the data, and the data will eventually get hacked. There are better ways to do this.

He links to a petition to repeal the Act.

Nick Heer:

This article is headlined “Around 6,000 Porn Sites Start Checking Ages in U.K.”, yet in this — the first paragraph — the reporters acknowledge these are “sites allowing porn” not “porn sites”.

[…]

When we are talking about large platforms like Discord and Reddit, there is a meaningful difference between describing them as “porn sites” and “sites allowing porn”.

Apps for Bluesky, Discord, Grindr, Reddit, and X are all available on the App Store, where they all have “16+” ratings, and the Play Store, where they have a “Mature 17+” rating with the exception of Discord’s “Teen” rating. These platforms are in a position to provide privacy-protecting age gating and, I think, they ought to do so with APIs also available to third-party stores.

The age verification mandated by this British law, however, is worrisome, especially if it becomes a model for similar laws elsewhere. The process may be done by a third-party service and can require sensitive information. These services may be specialized, meaning they may have better security and privacy protections, but it still means handing over identification to some service a user probably does not recognize.

Proton VPN (Hacker News):

Just a few minutes after the Online Safety Act went into effect last night, Proton VPN signups originating in the UK surged by more than 1,400%.

Unlike previous surges, this one is sustained, and is significantly higher than when France lost access to adult content.

Jess Weatherbed (Hacker News):

Several of the age checkers I’ve seen offer similar options: users can either choose to confirm their age by uploading bank card information, an image of their government-issued ID, or a selfie used to estimate their age.

It’s unclear if those selfie options could be spoofed by simply getting an older-looking friend to complete the process.

[…]

If the spike in Brits searching for the term “VPN” on Google is any indication, word of the loophole is spreading fast.

Chris Middleton:

The Act pressures encrypted apps like WhatsApp and Signal to monitor user chats for illegal content, which experts say could require breaking end-to-end encryption.

[…]

The law covers any site that allows users to share or interact. That includes forums, messaging apps, cloud services, open-source platforms, even Wikipedia.

[…]

Criminals will use VPNs, encrypted tools, and the dark web. The Act does nothing to stop that.

Meanwhile, everyone else will be surveilled, censored, and blocked.

Wikimedia Foundation (Evolve Politics):

The Wikimedia Foundation, the non-profit that operates Wikipedia and other Wikimedia projects, announced its legal challenge earlier this year, arguing that the regulations endanger Wikipedia and the global community of volunteer contributors who create the information on the site.

Previously:

Update (2025-07-29): Dan Milmo and Robert Booth:

Reddit started checking ages last week for its forums and threads which include mature content. It is using technology made by a company called Persona, which verifies age through an uploaded selfie or a photo of government ID. Reddit does not have access to the photos but stores the verification status to avoid users having to repeat the process too often.

The UK government has more information about which content will be regulated:

The kinds of illegal content and activity that platforms need to protect users from are set out in the Act, and this includes content relating to:

  • child sexual abuse
  • controlling or coercive behaviour
  • extreme sexual violence
  • extreme pornography
  • fraud
  • racially or religiously aggravated public order offences
  • inciting violence
  • illegal immigration and people smuggling
  • promoting or facilitating suicide
  • intimate image abuse
  • selling illegal drugs or weapons
  • sexual exploitation
  • terrorism

Since these fall under the Illegal category, it sounds like they will be blocked entirely, rather than being subject to age verification. Presumably there will be a combination of algorithms, AI, and human reporting/review, but I have not seen the details.

Also:

Companies must also assess whether their service is likely to be accessed by children and, if so, deliver additional protections for them. This includes protections against in-scope mis- and disinformation.

“Scope” seems to mean the scope of the Act itself, which is very broad. I guess Ofcom gets to decide what the truth is.

Emanuel Maiberg:

Several Reddit communities dedicated to sharing news and media from conflicts around the world now require users in the UK to submit a photo ID or selfie in order to prove they are old enough to view “mature” content.

Via Nick Heer:

Contrary to the beliefs of one moderator of one of these subreddits, this does not seem to be motivated by burying evidence of the atrocities of war. This is the predictable overreach of Reddit choosing to require age verification to view any “not safe for work” subreddit, because of course Reddit is not going to be sensitive to context. It is not right; it is what is least expensive because it requires little additional moderation or underlying technical changes. Reddit could implement different types of NSFW labelling, but that also increases its risk of legal liability if something is improperly labelled.

See also: Xbox and YouTube.

Dare Obasanjo:

The scary thing about the data breach of the Tea app where people’s government IDs were leaked is that multiple governments are passing laws requiring people to provide their ID to random apps and websites to prove they’re 18.

See also: John Gruber.



Indeed, the criminals will continue to use VPNs and encryption and their own computer services rather than public ones.

The real point of this legislation is to ensure that doing those things MAKES you a criminal. Or certainly makes you act more like one.

Because guess what the next direct targets will be.


Insanity.


Bart, isn't the UK just protecting its borders? Why are you complaining about lawful enforcement of legal requirements? /s


@Plume, good point. May I try an answer? It's spelled t-r-u-s-t.

For starters, the UK doesn't *own* the internet. (Neither does China, but that's a different question.) They absolutely *should* protect their borders. But let's narrow down what a border really is.... are you a parent of someone underaged? Living in a house you own, or maybe paying mortgage on? Isn't your household a border too?

Next, are you saying that you - assuming you are "of age" - wish to log in to a social network of your choosing. Does that mean you are willing to upload some kind of photo ID to a tech company run by a billionaire whose only reason for asking for this kind of ID is to obey the local (in this case national) government? Does this willingness extend to trusting that this government, hopefully properly elected, won't abuse the data said billion $$ company is collecting?

Again, yes, UK is just protecting its borders. In my country, so is ICE.


This is obviously going to be abused. At this point there's no reason for us to believe that any data collected by any organization, government or corporation, will remain private, and this will certainly be tracked, sold, and leaked despite any assurances we're being given now.

The only way I could go along with a scheme like this is if it was mathematically demonstrable that the verification method was anonymous, something akin to using privacy pass. Being that such a system is possible and I see nothing to indicate that it was ever seriously considered or suggested, that just means to me that the point is not to protect children from porn, but to de-anonymize the internet.

I'm calling it now: if this doesn't get major pushback and becomes normalized in the west then we'll see pretty much every major internet service require government ID, complete with people being punished and banned from the normal economy for wrongthink and bad behavior.
