Just for clarification. House of Lords amendments do not have to be accepted by the House of Commons and may not make it into law. If you do not agree with an amendment then write to your MP, write to the ministers concerned. If you do not tell them your concerns they will not know. You can ask for an appointment with your MP. You can ask for an appointment with ministers. Better still you can form an advocacy group and lobby.
I've written to my MP several times about this. Each response just repeats the same talking points about safety whilst completely missing the underlying technical issues and consequences.
I've been met with that kind of stone walling before too, you know what eventually worked to actually turn the position of a local councilwoman? Going to her office and demand to speak with her, then sitting down, listening and having a conversation with her. Turns out that most of the emails "she" wrote to me was written by an assistant "to save her time" and she weren't aware of the points I was trying to bring up. Granted, this was like one and half decade ago, but if I was met with something similar today I'd try the same thing.
People tend to be a lot more reasonable in person, and also if you listen to them first.
Yeah, also they could be male. Don't take it so literal, the point I'm making is about going and physically meeting people, not about what title/label those people have.
There are lots of replies stating that their MP gave them a cookie cutter response, so it is a waste of time.
I can tell you that isn't entirely true. When they get a lot of messages about the same thing, or better still you meet them in person, they may keep giving you the 'party line response', but they will also be feeding back that there is discontent to the whips.
This. It's not a waste of time. I know it's frustrating. You have to set your expectations. The best you can do is write as eloquently and succinctly as possible to get your point across and make it clear what you're advocating for. Better still, encourage others to write / email / call with that same clarity.
What you are telling me in effect is that all the exchanges I have are ultimately disingenuous with the MP. It also tells me that the MP represents the party and not me (as they are acting as nothing more than a glorified public relations officer).
This undermines the entire point of the process and only further degrades public trust.
Here on the other side of the pond, writing our so-called Representatives to complain, produces the same kind of result. If your rep has a (D) by his or her name, you'll get back one form-letter, and if your rep has a (R) by his or her name, you'll get back the other form-letter. There's no attempt to address the points you might bring up. You write--and they respond back with their pre-baked talking points.
A politician is like ROM: Once it's written, that's it, you have to swap it out with a different ROM if you want even one of its lines of programming changed.
What you describe is the representative democratic system. Misunderstanding is the source of any distrust. It is frustrating to write to an MP only to be given boilerplate in return. But setting your expectations and continuing to advocate for your point of views is the only way to participate. One letter won't change anything, and how could it? There are other people writing opposing points of view. It's taken in the aggregate.
Same, my MP is clueless. They won’t listen to the experts. This is what he said:
The UK has a strong tradition of safeguarding privacy while ensuring that appropriate action can be taken against criminals, such as child sexual abusers and terrorists. I firmly believe that privacy and security are not mutually exclusive—we can and must have both.
The Investigatory Powers Act governs how and when data can be requested by law enforcement and other relevant agencies. It includes robust safeguards and independent oversight to protect privacy, ensuring that data is accessed only in exceptional cases and only when necessary and proportionate.
The suggestion that cybersecurity and access to data by law enforcement are at odds is false. It is possible for online platforms to have strong cybersecurity measures whilst also ensuring that criminal activities can be detected.
The response is the same boilerplate responses I used to get when I used to write to my MP. This is why I just gave up emailing my MP. You are essentially pleading with someone to reverse their previous position when they have no incentive do to so.
All of which is arguably true, but misses the point that uploading your age verification documents to every social media site you might want to look at is very likely to result in them getting hacked and leaked.
Working with startups, I've signed up for 100s of sites. My password manager lists 550. Those signups are currently low-risk: just my email (already widely public) and a random password. But it would put a big chill on my work if I had to upload government age verification docs to each one.
Same. I have protested over email about the Online Safety Act (amongst other things). I get a generic reply after 6-8 weeks with the same talking points.
Legislation like this does not make children safer, it makes everyone else less safe.
No, but it does mean that MP's have to make a positive decision to reject it, the proponents of the amendments (who are well financed) will claim anyone who opposes the amendment is pro-pedophile (as happened with the online safety act) which makes it hard to reject.
To stop it now we need a majority of MPs who are willing to take a political risk to reject it.
> House of Lords amendments do not have to be accepted by the House of Commons and may not make it into law
Except the Lords can send back a law indefinitely until the Commons accepts it. There have been cases in which laws were sent back 60 times until what the Lords wanted was added. A house with hereditary posts with infinite veto power.
> If you do not agree with an amendment then write to your MP, write to the ministers concerned. If you do not tell them your concerns they will not know.
It is an utter waste of time. MPs already know about the concerns. They don't care. I wrote to my MP about many of these concerns in the past. You either get ignored, told you are enabling pedos, told there will be protections put in place (ignoring the whole point is that I don't trust the government), or you get a boilerplate reply.
Moreover The vast majority of people (unfortunately this includes people in my own family) have been propagandised to agree with all iffy censorship, monitoring and other spooky nonsense the UK state engages with.
I don't get why the device changes the blame logic.
If child-services knew a parent was constantly watching/leaving around adult-content near children, that'd be considered the parents fault. If a parent lets a kid watch anything they want on TV and the kid watches adult content, it's the parents fault. But if the parent gives the child a phone, and doesn't manage what apps they use or content they watch, now it's the companies fault?
If my younger self, went into a store to buy a bottle of Vodka, before I came of age at 18 here in Germany, it wasn't my parents fault. It was the shop that did not check my license that was liable.
If they sold me beer before I was 16, same situation. Analogous for cigarettes. Or me trying to enter an amusement arcade (with monetary gains possible, not just pinball like things.
So why should "online stores" / "arcades" / "non kid friendly/appropriate venues" be treated differently than brick and mortar ones?
The company should be responsible for providing options to block all or part of the content, and warn users of the content type, depending on their place in the pipeline.
For example, Apple and Google should provide tools for the parents to set up a device appropriately for a child, much like the shop should not sell alcohol to underage customers. Similarly, content producers should specifically need to label content targeted for children or specially 18+, like the producer of alcohol must warn customers on the label and inform the retailers.
Parents and caretakers need information to make an informed decisions before being able to consume the media themselves. They also need some granular tools on the device to avoid banning them entirely. The burden is shared between creator, distributor and consumer.
We already had laws for this and it makes sense for some type of access control to the open internet. The shocking part is the requirement for everyone to verify ID to multiple public and private institutions, more than once per.
An analogy for the UK now would be needing ID to enter the supermarket (access the internet), ID to look at anything aimed at adults and potentially harmful such as alcohol, chemicals, sugary food, medicine etc. (know "potentially harmful" subjects exist), ID to look at anything lawfully 18+ such as alcohol and cigarettes (view the content), then ID again to make the 18+ purchase from an account needing ID to open.
Back in the day, I was able to enter a video rental store without ID. But the erotic section was cordoned of to my younger self.
Today, my younger self would go to Reddit, click any of the myriads of subreddits catering to any kink and just click "yes", when being prompted to ensure he is old enough to view NSFW content. Or on p*nhub. Or anywhere. I actually do not care for tobacco or liquor advertising. I did not become an lsd eating circle for playing PacMan. Nor did I become an alcoholic for watching hundreds hours of alcohol advertising till coming of age in Germany.
So why ask for an ID when entering the internet (supermarket) instead of fining the respective companies into oblivion, if they allow minors in? Why burden the tax payer with an infrastructure? Make the companies making a shitload of money pay for ensuring they adhere to the law. Because actually allowing minors access to hardcore porn is - at least here - already illegal. But hey, we can't enforce it, because it is the internet.
Sorry, but I am just not a fan of setting up a society wide system, that tells the big advertisers: This is a real person. Or even: This is Joe Schimansky from so and so, age this and that. This is not any data the likes of Meta or Google should have.
Nor should the government have a system in place that enables them to track who gets verified for what content.
If private entities want to make money from content that is not fit for minors - they need to pay to ensure it isn't accessed. Or carry the consequences.
I know, I can get riled up. But quite a few of these initiatives to me either smell like regulatory capture and/or like a convenient way of monitoring society.
> If my younger self, went into a store to buy a bottle of Vodka, before I came of age at 18 here in Germany, it wasn't my parents fault. It was the shop that did not check my license that was liable.
Except this can only be fair if they carded everyone who buys liquor, not only people who appear young, otherwise it's subjective, and businesses shouldn't be liable if a tall, bearded teen buys vodka, because he looks older than 18.
Of course, in reality, liquor store cashiers are allowed to judge subjectively, but VPN providers won't be allowed to. And they'll probably be asked to share records of registered adults in the future, given the repeated efforts to backdoor encryption in the same UK. This is unlikely to be only about protecting the children.
I bought a product that requires ID verification in Massachusetts and the cashier couldn't complete the transaction without scanning my driver's license.
That's a really fair point. I suppose it's reasonable to point out that adults do have to provide ID quite often to buy things, but it's skipped so often because people can just look at us so we don't "feel" it. I think my problem comes from how I don't believe my cornershop records my ID when they see it, whilst I imagine these services would.
the problem is that devices are meant to be tools. They do not provide access to services, but you use them to access them. Limiting my devices' ability to do what i ask of them is more like geofencing my shoes, because you might use them to walk to the casino.
Sorry, if I was not clear enough. I explicitly did not want to limit devices - on the contrary. I am all for my device, my ability to use it how I like.
I meant that it is the responsibility of Facebook/Meta/Instagram to ensure that content is age appropriate - given the laws, rules and regulations of the country they are delivering the content to.
I mean, clearly it should be in the responsibility of p*nhub not only to ask "Are you over 18"? If I had this form of freely available porn, clearly I would have clicked it. Or respective subreddits.
Clearly and totally fine for consenting adults. Not so much for my 13 year old self a few decades back.
Does big tech help the parents? Can I set the age of the child in the phone user account and then the browser will report the age to the websites and the nice websites will aknowledge it and deny minors to watch adult content?
No big tech and browser makers did not put their hurds of developers to handle this and forced the governments to try more retarded solutions.
This big OSes should have a super easy activation procedure where a parent will enter the birthday of the account user and then the tech should do the magic,/
What are the current solutions for Android and iOS? To buy some apps and give them root permissions and they will filter out webpages or block entire domains ?
This makes the tech companies the decision makers over what is suitable content for children. But this has many problems. A big example is that some people are more open about sex than others. I'm reminded of a scene in an anime of a father in a bath with his daughters, normal in many cultures, deemed perverted by many (particularly christian US residents). Also here in the the Netherlands, a pretty open society when it comes to these things, we have parents complaining about books that show genitals to kids, even though they'll see them when they look down.
This is a hard problem, from about 0 to 18, kids go from being, well, kids, to being expected to be full adults and are expected to be able to deal with every liberty, every temptation that comes with it. There is no single best path to achieve this.
I want to educate my kids about sex, about alcohol, gambling, drugs, I want to teach them that the internet is a source of many good things, and many bad things. I'll make arrangements, determine the suitability of online materials, and will set boundaries together with my partner, thank you.
>This makes the tech companies the decision makers over what is suitable content for children.
No, the big tech just needs to
1 ensure that at the OS setup birthday is read, then if OS is queried about the user age range to answer
2 apps and websites will not decide anything, they will follow the local laws and on top of those they can addf their own moral or PR filters.
Then if you have a blog or big webiste and you care about the laws or users or the PR you then setup your server to ject say under 13 from your blog.
I am not a big tam of obscenely paid developers and managers so I bet they can improve on this idea or they can milk the ads until the government will pass retarded laws
You can block the entire internet and whitelist specific domains. There's multiple ways of doing this, from router parental controls, specific OS tools in iOS/Android, Windows, as well as apps specific to it, and all it takes is for a parent to care enough to make a simple Google or Youtube search and learn if they don't know, and don't even know to know that they should care in the first place.
The failure here is two-sided.
One and the most glaring are the parents who let devices raise their children, this hasn't changed since before home computers were a thing.
Secondly it's a failure of the state for not educating both adults and teenagers on best practices when using online platforms to be safe. If they're interested enough in policing people's web habits, they can spend time and resources on educating the masses. The best time to start doing it was 20 years ago, the second best is now and it could take a decade plus for it to have a meaningful impact.
Also this is important. The UK, like it or not, is a nanny state. They like to use child safety as an excuse to police adult habits, and more important their speech. There's quite a few times they've admitted to this plainly without any ambiguity.
"The Online Safety Act 2023 (the Act) is a new set of laws that protects children and adults online"
There's also examples of them being asked directly in interviews and they admit to wanting to police adults speech and content they consume online.
Australia is in a similar predicament and honestly most of the world is rolling towards this, just not as fast as the UK.
The UK unfortunately has incarcerated people for simply lifting cardboard signs saying Free Palestine. They've jailed people for innocuous social media posts on Facebook and other platforms.
I'm not proud of the USA for a lot of reasons, especially lately, but one thing that any and all Americans should be proud of is their Freedom of Speech protected by the First Amendment, it's the most American thing and one of the best aspects of America that other countries should aspire to, and I hope that the jabs Freedom of Speech has taken over the past decade doesn't make it crumble away.
In the UK all mobile phones default to no adult content on the mobile networks, if you want to access adult content you need to request it with the mobile network provider. They could have gone the same route with consumer internet access. Most ISP supplied routers support content blocking, it could have been turned on by default with a simple update pushed by the ISP.
Kids here in the UK get educated about online safety in school, schools have sessions for parents covering this stuff too. My own kids have had age appropriate internet access all their lives, its not been difficult to control it, we have had the tools and knowledge for years.
This stuff really isn't about child safety in my opinion.
Does router setting spply when the child is at school and using data? I do not think so. So you need to have the averager parent setup DNS records and probably pay some subscription to soem people doing the filtering?
It is not easy, if there was just a simple toggle and iOS/Android would ask the parent what kind of religious extremist or prude they are and then do the filtering then sure, but you want a parent to know what a router is, or DNS, or buy some subscriptions for some big tech app?
I agree that parents should do the filtering, but I think big tech should cooperate here, for example I could allow my young child on a PlayStation since Sony did ask the age of the account user and did apply filters in the store and chats.
But what is your objection? Is it really, REALY to much to ask for the Os to ask the birthday of the account user and then the browser to set the appropriate age range flag in the requests? Then the websites can deny the requests instead of the "Are you over 18" popup? Is that too expensive? too dificult? is it too communist?
>The Uk could force the OS to have that toggle instead of censoring the internet
I know, and my point is if Big Tech would have added that toggle (or add it now before even more countries or USA states make more laws with different requierments ), made it easy to setup when you turn on a device for the first time to give it to your child then you could tell the politicians that the solution exists already. Now using the think of the children some governments will implement more invasive laws.
I never thought I'd say this, but I now fully approve of social media bans for children, screw under 16s, let's go further no children on the internet full stop. No mobile data plans for under 18s, arrest parents if they are found allowing their children to use a computer with an internet connection at home. Remove the internet from schools.
Then we can get rid of the online safety act, no need to dox adults if we just ban the children.
Then when the government refuses to repeal the OSA, we can then have an open and honest discussion about the real reasons that act exists.
> arrest parents if they are found allowing their children to use a computer with an internet connection at home. Remove the internet from schools.
Schools, yes 100%. Likewise mobile data plans.
Home internet? Could work, but I don't know how much time would be needed to transition any "do this on your computer" homework tasks. (Are there any?)
As one extra twist, the UK age-gates a lot of stuff at 16 rather than 18 in a way that is relevant here: back when I was at school myself, an era when writing letters to the editor of a newspaper was the closest most people had to a comments section, I noted the oddity that I was allowed to perform sexual acts at age 16 but wasn't allowed to photograph myself doing those things and couldn't buy videos of those things.
And between 16 and 18, the education choices in the UK are either A-levels, apprenticeships, or volunteering; I think mobile internet could reasonably be considered mandatory by that point in life.
It drives me nuts that local governments in the US continue to use Twitter/X to disseminate communications, despite having perfectly good web sites of their own.
Those websites aren't easy to update. I have a website of my own too, and even though I've set it up to be as painless as possible, it's always going to be easier for me to open a social media app and post.
Now imagine that the local government has a website that can only be changed by contacting a web developer, who takes 1-2 business days to reply. It might not be as bad as that, but I wouldn't be surprised if that's the ballpark.
Most content websites that are managed by a organisation such as a council/government or are usually driven by some CMS software. Updates are usually done by a content/social media team. These people are also posting the updates to twitter.
It isn't the late 90s/2000s anymore where people are uploading HTML files over FTP.
Every city and town has a website with information on services and paying taxes. They usually use a third party payment system in my experience, but the main site is theirs and they still use shitter and bookface.
If our governments can't update an HTML page same way they update a twitter status then we are all doomed and should just nuke ourselves to get it over with.
That's like saying parents would give meth to their kids. Make the crime equivalent and you'll find they won't, or if they do, they won't have their kids for long.
Parents are obviously far too stupid to do what's in their children's best interests re social media and smart phones. That plus the general indifference most parents have to this kind of thing mandates state interference. Banning social media for them specifically is a pain for everyone involved, just ban the phones - simple.
How is it more enforceable? It seems far more clear cut than 'little kimmy has an iphone 74++ pro but can't have snapchat' or whatever stupid app predators are using in year X. If little kimmy has an iphone 74++ pro it's getting confiscated and her parents fined at a minimum, that should make them strongly re-consider in future.
I think desktop computer use under some level of parental supervision is fine, but smartphones are not appropriate for kids at any level. I can't see any benefit whatsoever to under 18's possessing one.
> a ban on social media for users under 16, like Australia. Pretty dramatic change.
Meanwhile the government and official accounts continue to use X even as they're trying to ban it. Mixed messaging.
I think you'd find Govt. account users are over 16.
What I find particularly tragic about all of this legislation (the OSA and now this) is that there are obviously technical people in the room that would advise against this clusterfuck of a direction and they are being ignored by politicians who think the internet is something they can aggressively control.
This will continue to push people towards providers who operate outside UK jurisdiction or providers that care less about UK law and are less trustworthy.
I remain upset that they do this without building the necessary infra. They already assert identity when applying for a passport (and they do this very well). If they had extended this process by creating a OAuth compliant digital id provider first, then they could have avoided all the problems on the day the OSA dropped. Even better, they could have created a non-governmental agency to exchange tokens and urls to prevent the privacy issue of the government knowing which sites people are visiting. Instead we have this status quo of encouraging UK citizens to hand over their identity documents to dubious third-parties or shifting their traffic from the UK externally to avoid these checks.
> by politicians who think the internet is something they can aggressively control
You seem to believe they're wrong. Since they're the ones who come up with the laws of the land, I think it's important to realize that they can and do aggressively control access to the internet in their country. It sucks, but it's the reality.
> they can and do aggressively control access to the internet
yes but this is like watching someone deal with an ant infestation by stamping on them. They're not solving the issue and unlike the ant analogy, they're making the problem worse.
> If they had extended this process by creating a OAuth compliant digital id provider first, then they could have avoided all the problems on the day the OSA dropped.
Far less than all. See Australia, where age restriction is routinely evaded through adult collusion.
> Even better, they could have created a non-governmental agency to exchange tokens and urls to prevent the privacy issue of the government knowing which sites people are visiting.
The privacy issue would still exist. They can tie your online activity directly to these tokens.
not with a non-governmental agency doing the exchange. All they would see are tokens going out. You would need the non-governmental agency to share the urls with the government agency for the activity to be tied directly which would undermine the entire purpose of that architecture.
> You would need the non-governmental agency to share the urls with the government agency for the activity to be tied directly which would undermine the entire purpose of that architecture.
Which would absolutely would happen. The authorities will ask the non-gov agency for the details and they will be provided.
that's like stating that there's no value in creating a financial regulator to set interest rates because the government will just tell them to set them to whatever they demand.
Firstly, I didn't even mention what the value might be. I simply pointed out that the "independent organisation" would not really be independent. Which means it won't protect anyone's privacy. Which undermines the entire point of having it. Therefore it has no value.
Secondly, it is the central bank that sets the interest rate. In the UK that is the Bank of England. Secondly the government sets their mandate. They have a mandate of keeping the inflation at 2%. One of the mechanisms they to control inflation is the interest rate.
Moreover the "Chair of the Court of Directors" (the Chairman) of the Bank of England is appointed by the Crown (the King) at the advice of the Prime Minister and the Chancellor of the Exchequer.
The government both sets the mandate and effectively selects the Chairman. So while they don't directly set the interest rate, they do set the mandate and who runs the Central Bank.
BTW the Bank of England is failing to keep the inflation rate at 2% (and for some time) as it is currently 3.4%. So we can see how well that is going.
We've not had a black wednesday since this change. It has value because governments cannot be trusted to directly control interest rates. The indirection has value, politicians are forced to spend political capital in order to wrest control.
> So we can see how well that is going.
Still better than black wednesday and Norman Lamont.
I was actually directly addressing your comment about the your independent org for these identity tokens. There is no value because it cannot guarantee privacy. Therefore it has no value (at least not to me).
Secondly you seemed to not understand who set the interest rate but you are now confident in telling me about the perceived benefits of having a central bank set the interest rate. Which tells me that you just looked this all up about 10 minutes ago.
> It has value because governments cannot be trusted to directly control interest rates.
Neither can the central bank. As they are failing at their mandate of keeping inflation at 2%. The reported inflation rate is probably lower than the actual inflation rate due to CPI calculation wankery.
> The indirection has value, politicians are forced to spend political capital in order to wrest control.
To who does it have value? It doesn't benefit me (or most regular people) to have a 2% inflation rate and relatively low interest rates. It eats away the value of my savings. I now buy Gold (it hit a record high price today) and the value of my Gold and Silver has more than doubled in 3 years.
> Still better than black wednesday and Norman Lamont.
Saying it is better than a total crash isn't saying much.
Instead we have a gradual devaluing of the currency, many consumer goods are of far poorer quality (I repair my own vehicle and it is often better to get a reconditioned part than a new one), there is also "shrinkflation".
If we had a crash I actually think it would at least provide a wake up call and spur some real meaningful change.
It appears that you have not yet learned the lesson that perfect is the enemy of good. Just because a system doesn't meet your high expectations, doesn't mean it doesn't have value.
I'm also having trouble squaring your keen interest in the economic woes of inflation combined with your desire to have a stock market crash. Perhaps you are unaware of your bias given your portfolio, wishing to enact misery upon millions for your own personal gain. The last big crash was a major contributer the second world war, so be careful for the "meaningful change" you wish for.
> Which tells me that you just looked this all up about 10 minutes ago.
you should learn the etiquette round here, cos that ain't it. Either treat fellow commenters and their perspectives with a modicum of respect or go back to facebook. BTW, that was a swing and a miss, I lived through that period.
Don't misunderstand when I don't reply or even read your next response. Its because I don't want to talk to you anymore, because you're not interesting.
> It appears that you have not yet learned the lesson that perfect is the enemy of good. Just because a system doesn't meet your high expectations, doesn't mean it doesn't have value.
That isn't what you are proposing. What you are proposing is something which has no value. I've told you why it is pointless. Saying it "has value" repeatedly doesn't change the fact that it is pointless.
> I'm also having trouble squaring your keen interest in the economic woes of inflation combined with your desire to have a stock market crash. Perhaps you are unaware of your bias given your portfolio, wishing to enact misery upon millions for your own personal gain. The last big crash was a major contributer the second world war, so be careful for the "meaningful change" you wish for.
I love it when people accuse me of wishing harm on others. I would prefer not to have to buy gold/silver and rather just put cash in my savings.
I told you why a big crash might be preferable (in the long term). Sometimes a bit of a reset and a big disaster will bring long term positive change as things will actually be fixed properly.
> you should learn the etiquette round here, cos that ain't it. Either treat fellow commenters and their perspectives with a modicum of respect or go back to facebook. BTW, that was a swing and a miss, I lived through that period.
You obviously didn't understand what you are talking about. It such a basic mistake. I pointed it out and then you pretended to understand how it worked. So it was obvious you looked up it up after my reply. Whether or not you lived through the period is irrelevant.
So complaining about my supposed lack of etiquette is simply a deflection. You could have just admitted you were wrong.
> Don't misunderstand when I don't reply or even read your next response. Its because I don't want to talk to you anymore, because you're not interesting.
So when you throw insults at people (calling me boring) it is okay, because you are doing it. Gotcha :D. I love double standards.
the UK already forces ISPs to hold a database of the hosts you have visited in the last three years. By implementing the laws in the way they currently are doing undermines their own legislation by pushing UK users into having a tangible reason to hide their their browsing patterns from UK networks by funneling their traffic through VPNs or other proxies to avoid age gates.
Tin foil aside, my issue is that they're not even good at what they're trying to do. Their policy is inconsistent with their aims and lacks technical strategy. You think they're worried about dissenters when in practice they're more worried about elections in 2029 and whatever pearl clutching users post on mumsnet.
> the UK already forces ISPs to hold a database of the hosts you have visited in the last three years. By implementing the laws in the way they currently are doing undermines their own legislation by pushing UK users into having a tangible reason to hide their their browsing patterns from UK networks by funneling their traffic through VPNs or other proxies to avoid age gates.
People had tangible reasons before having to avoid age-gates. You should not have people spying on your online activity.
> Tin foil aside, my issue is that they're not even good at what they're trying to do. Their policy is inconsistent with their aims and lacks technical strategy.
Good, I don't want them to be good at what they are doing.
> You think they're worried about dissenters when in practice they're more worried about elections in 2029 and whatever pearl clutching users post on mumsnet.
They can be be worried about both. They are capable of being concerned about two different things at the same time.
If VPNs require age verification, then people will shift to running a VPN on a cheap VPS. Probably via a popular single-click setup script.
Or people will just get drawn to more seedy providers that do no KYC or have ulterior motives. If I was Russia, I'd consider operating a free VPN or VPS service that MITMs the traffic.
I'm very interested to see how some VPN providers react to this. For a zero logs VPN provider, if such a thing can really exist, how big of a problem is this? Presumably many customers pay with a debit/credit card already so there's some PII on file? Usage remains the same? Surely savvy people can just use their existing VPN to buy a VPN from outside the UK.
Of course, we're sliding quite rapidly down that slippery slope here so I'm sure logging and easier government tracking would be next. The justifications will get weaker and even more lacking in supporting evidence for their implementation.
> Presumably many customers pay with a debit/credit card already so there's some PII on file?
Yes. But I think most of the zero logs providers will remove the identifiable payments details after a certain about of time. e.g. Mullvad have a specific policy relating to what is stored and retention time (I am not affiliated with Mullvad, I just use their service).
I believe a whole host of VPN providers have no real need to comply with this amendment if it passes the Commons.
The providers are structured in a way that makes forcing compliance difficult and have built their whole business model around this. NordVPN is registered in Panama for example and Mullvad lets you send cash in the mail and doesn't store any user details (even a hashed email).
It'll be interesting to see how & who reacts if it does pass.
> Now more than ever, trusting a US jurisdiction VPN provider ? No thanks !
The whole point of Obscura is you aren't trusting any single company. A Swedish company and an American company would need to collude to cause a problem. Unless you know something I don't?
> The whole point of Obscura is you aren't trusting any single company.
First, Mullvad's infrastructure has been independently audited.
Mullvad integrity has also tested as proven by a legal case where they were subject to a search warrant when someone was trying to claim copyright infringement.
As far as I can tell, Obscura has not had anywhere near the same scrutiny.
Second, obscura is the first hop is it not ?
Therefore it may well "only" relay the traffic to the exit node but it is still a relay and hence open to SIGINT analysis by the US.
I would have thought therefore using Mullvad's built-in multi-hop mode on their audited platform would be the wiser decision ?
Hence why Mullvad is being used as the exit point.
You have full e2ee between yourself and Mullvad but crucially Mullvad don't know who your IP. Five eyes are already doing SIGINT on behalf of both the US and the UK government before my connection even reaches Obscura so I lose nothing but potentially gain privacy.
How is it you think a single company (Mullvad) having access to my IP and what I am browsing is less secure than splitting it up amongst multiple providers one of which being Mullvad with that audited platform you talk about?
If I wanted Tor on top I'd layer it on top too but that would still be a single point of failure.
It's open source which means I can trust having the app installed if I build from source (or I can just use Wireguard directly). I then know I'm directly connected to a Mullvad Wireguard node by checking the public key here: https://mullvad.net/en/servers
Other than Wireguard protocol being broken there is no way for Obscura to snoop presuming I check the public key. I'm not saying I trust Obscura, I'm saying with their model I don't need to trust them which is vastly superior. Nor do I need to trust Mullvad.
You keep hand waving around that Obscura are somehow untrustworthy but you have steadfastly refused to address the fact that their model does not require trust. If you trust Mullvad (which you are claiming to) please show an attack that would work to breach this model. You can't.
Sadly if you look at how the law is drafted its setup to catch companies that have a significant UK base not just those that advertise here. It is highly likely for compliance reasons (as we saw with imgur and others) that they will simply block the UK themselves.
Yeah, if you're unable to read, I understand reaching such conclusion :) But no, this is about platforms/services:
> Amendment 92 (“Action to Prohibit the Provision of VPN Services to Children in the United Kingdom”) requires VPNs that are “offered or marketed to persons in the United Kingdom” or “provided to a significant number of persons” to implement age assurance for UK users.
it also said to have "different ages for different services" so the fact you have a debit/credit card to pay is more than enough to prove you at least 16.
this will be interesting to watch i just wish i weren't caught in the net.
That's never been true in the UK? You don't have to be 16 to get a debit card, and having one isn't proof of any age. (For example, Barclays gave me my first debit card when I was 13, many years ago.)
If those services are provided by a company that “offered or marketed to persons in the United Kingdom” or “provided to a significant number of persons”, then they need to implement those checks. Still outside of openvpn, and still outside of general servers, you can still spin up your own server and use that, without any age checks, as you're not offering any service.
The host who lets you spin up the server might also need to implement those age checks though. But still, not openvpn.
So effectively truly Private vpn providers have to have an exit from UK. I mean even if say proton says that its not meant for UK but "substantial" people use protonvpn because its private, then they would be forced for the same laws.
Another point is what prevents UK govt or UK bots to sign up for Proton Vpn say themselves and the difference between bots and humans is becoming thin especially for such Private Vpn's and then UK govt comes again knocking asking for age verification.
Honestly makes me feel like UK citizens are hostage in their own countries & we might see more UK IP's being blocked from accessing services because the idea of Virtual private network is still vague in my opinion. One can abstract a sort of VPN on top of xmpp or matrix servers too or even telegram as the intermediate. Would that mean that UK govt would come knocking onto these asking for who created the VPN (suppose I built a VPN which uses telegram to send messages/packets or uses telegram infra, so would they come to telegram asking what is the IP/detail info of my telegram user, would they go to signal or xmpp or matrix providers too? What if I use a provider who colo's on a datacenter and they go to the datacenter asking for access or the company behind datacenter
I am not saying that they would for something so niche but the fact of the matter is that nothing's stopping them from the laws from what I can gather.
They would only have to do it once to instill fear in the masses. I mean technically just this law has instilled fear and I am not even a UK citizen
Someone familiar with UK law please comment on my message but VPN is such a vague term imo. Like at this point you are just targeting private networks or people who meet online in private
VPNs LITERALLY means Virtual "PRIVATE NETWORKS"
What gives the govt right to intercept between two parties communicating in any way (enforcing a condition for one party to have Id of other for age verification etc.)
> It does not require either party to have the other's ID.
Sure but that's literally not my point.
It's still an interception because the govt is still decided who can communicate (essentially) or not.
You cannot communicate with a vps provider if they don't have your ID and this condition being forced as a requirement otherwise the UK govt.s gonna jail and sue into literal millions is much akin to an interception in basically everything.
It literally is your point "enforcing a condition for one party to have Id of other for age verification etc".
As for the provider, there is not prhibition on communicating with him, with or without ID. Just on him providing service to other than verifed adults.
> As for the provider, there is not prhibition on communicating with him, with or without ID. Just on him providing service to other than verifed adults.
Oh okay yea I don't mean that exactly but from my original comment what I meant was that the service of VPN is still essentially just a communication layer of sorts between two devices where a middle man can sit technically.
I was referring to this as still a communication creating a network between these two vis a vis VPN
And they are having restrictions on VPN's, my point of fear in this context is that suppose I host anything between two computers, technically its still a VPN (think a proxy or even a VPS or even cf tunnels alternative or heck even my self hosted tmate)
My point is that they are all still technically VPN's and this rule can still apply. I don't think that they can refer to VPN as wireguard or something as we imagine and this gives immense power to them
> I think unfortunately you are right. The prohibition is wide - to head off evasion.
No worries, I wish I was wrong too but sadly I am just following the logic-ish that I am feeling is gonna happen, but I am happy that our confusion atleast got solved and I was able to proper explain what I am thinking.
Wrote a little poem inspired by the famous germany wwII poem-ish that I read in my history book
First they came for our social media, I didn't say anything
Then they came for our vpn, I didn't say anything (we are here)
Then they came for our vps providers, I didn't say anything (By definition a connection with VPS can still be considered a virtual private network, I don't think that they have ruled it out in the law)
My biggest fear is that this will be replicated if it turns out to be good for the people in "power"
My worries is that a single mis use of this can/will put everyone in line that nobody's safe.
I am not even sure if this rule can somehow be exploited for non UK users as UK users seems the most impacted but non UK companies would be impacted too. I mean we already had global surveillance but this is putting things into global level. First time something like this is happening in a democracy fwiw imo (atleast for VPN)
It's scary developments and I am not prepared to live through this era of privacy dystopian nightmare fuel. I hope a resistance can emerge other than the doomerism I feel right now because my point is right now its the UK citizens who are fucked by their govt. but we can just very much be likely on the chopping block too.
I know internet resistance is meh but something's better than nothing and I hope UK creates protests about this as its still not written in law (but being honest I am doomerist about it that chances of it being signed are almost 100% given that someone created a petition and it got signed in UK and they were legally forced to discuss it but somehow they didn't like wtf about the Online Safety act?)
I mean, much support to my UK friends to prevent such 1984 dystopia. (I am tired of saying 1984 but literally 1984)
Looks like a Internet resistance should be established for freedom. We privacy conscious users should combine and try to discuss more about what are some things which can be done but I must admit that I don't know the solution but I hope that a solution can come out of discussion or a clear plan of action.
i don't think so, it is not provided as a service. if you provide vpn service people can connect to from their router then you need to do age verification before giving them a key/password to connect to the server
OpenSSH, Tinc, Wireguard and a myriad of other open source tools can also be used as a VPN. One only need a place to connect to and egress from. To me that means VPS/Server providers will also need to do age verification. Most VPS/Server providers also allow configuring reverse DNS. That leaves only CIDR blocks as a way to tell it is not residential. One could also egress from residential elsewhere assuming the friend has spare bandwidth that could be balanced and capped using sch_cake.
What societal "harm" is the UK actually trying to reduce with this age verification? It almost feels like the amount of effort they're putting into this is out of balance with the actual harm.
political dissent. Uncomfortable truths. Any speech that does not align with the official narrative.
A Labour MP foolish attended a GB News show and when pushed admitted that the Online Safety Act was also about identifying speech by adults [0].
Sorry about the quality of the link, but the video is there (higher quality is available on X) and its not like the paragon of truth that is the BBC reported on this.
It takes just a few seconds to see that it's a random backbencher who is not in the government. We have a whole range of MPs, and some of them sometimes talk about things they have no idea about. The website you're citing is little more than propaganda, since it explicitly makes it seem like the MP has any connection to the government.
Not made clear in this article - this bill will be passed back to the House of Commons to debate/amend before going back to the House of Lords. This was not the final say.
The Commons are even more hungry for pervasive online surveillance than the Lords - at least, while Labour and the Tories are in power.
Reform UK (the party currently leading in the polls by a large margin) is the only party that loudly opposed the draconian measures within the Online Safety Act and promise to repeal it
Makes me giggle as Russian citizen since very similar rhetoric was used when establishing internet censorship in RU - let's protect our citizens from evil foreign entities from the internet.
Hotels are not platforms. No network effects at play. The idea of ban is to push teen DAUs below the critical mass necessary for self sustaining retention and growth.
Sure teens will still figure out a way to access when they really want to, but they won’t be be the same level of peer pressure.
I feel like this is the strongest argument in favor of the bans. I am not sure it will be effective or is the most effective way to go about it. I am curious to see the data that comes out of Australia in a few years.
I really do not think European countries had "free speech" like it is understood in the US.
After WWII you mostly had state run and controlled TV and radio. And some more freedom in the written press but still most countries mandate Legal deposit [0] sometimes since the Middle Ages. Legal deposit is just the granddaddy of what we understand the Internet is in China.
You could really get in trouble easily.
Then mass media were liberalized and put under the control of big corporations in the 1970-80s what gave the illusion of more freedom.
But the WWW really brought the US free speech standards to the entire developed world in the 90-2000s. This is why people under 50 understand "free speech" according to this standard.
The "you get put in jail because of a meme on Facebook" is really a return to normal after a 20 year pause on the Internet. If you don't fight for it, it will never last.
Starmer, like most leaders in the EU, has an 18% approval rating. He really can't afford free speech for its subjects.
How is age verification and free speech in any case related?
You can solve the problem of age verification without limiting your free speech right. Those two get entangled all the time and it does not make sense.
Non-anonymous free speech is a bit of a red herring. If you say something publicly, especially in this era of mass data, you are perpetually liable to be punished for it at some point in the future. If not by the current government, potentially another. Virtually every country in the world has experienced authoritarianism at one point or another, and there is never a guarantee that it won't again. Saying something publicly tied to your identity is signing up to be imprisoned when an authoritarian who doesn't like what you said seizes power. We have many historical examples of dictators rounding up and executing wide classes of people, so we know this threat model is more than just a hypothetical but rather something that can and does realistically happen at various times and places.
Therefore, in practice, anonymity is the only way to safely express oneself in public. Privacy is the true bastion of the freedom of ideas. This is naturally lost when the means to communicate privately are stripped from us, when every word we've ever said is recorded and tied to our identity. Age verification could possibly theoretically be implemented in a way that does not immediately infringe upon privacy, but you surely know that there is no world in which it will ever be implemented in such a way.
Every government in the world right now wants to get their hands on the controls and put their thumb on the scales here. Modern social media has proven to be effectively remote control for their citizens, nothing like this kind of power has never existed before and is absolutely irresistible to politicians. Expect them all to be laser focused on this until they're able to seize complete control, no matter how long it takes or how roundabout the path to this is.
Yes and no - you need to check whether each individual politician, not just party, is taking money from said global corporates, because they have a lot of money and UK politicians are cheap.
Not to mention the opaque mess that's Reform UK financing.
Many of these governments are directly funded and directed by said corporate fascists. The opposition is hardly much better. There’s no good guys at the state level here.
The "coordinated corporate fascists" (your words not mine) are providing a platform where I can challenge the the state and be seen by potentially millions of people.
Amendment 92 of the bill, added by Lord Nash during it's passage through the Lords says:
> “consumer” means a person acting otherwise than in the course of a business;
> “relevant VPN service” means a service of providing, in the course of a business, to a consumer, a virtual private network for accessing the internet;
It's quite specific wording for a piece of legislation, just VPNs. It excludes businesses but, as written, it wouldn't include network proxies, or remote desktop protocols, or TOR, or web/mobile applications that fetch pages for you, any of which could be used to circumvent the bill. The slippery slope argument could be made that those things would have to be added for this bill to have any meaningful impact, and that would require the amendment to be written in a very non-specific way. I'm not hopeful that the Government would recognise that as overreach (ignoring that the amendment already is).
Is there yet a low friction way to verify age of UK users that doesn't rely on third party services with questionable privacy implications and exorbitant pricing?
I wonder if any of the law makers are investors in those companies.
The government isn't doing any favours for its image by simulatenously trying to ban X, and introducing all of these internet controls. It just fuels the narrative that the government is trying to shut people up and control the spread of certain ideas. Then when you add in that weird "education" game they paid for, Pathways[0], it feels like a very coordinated effort.
How do they define "VPN" in this? If I make a little wireguard mesh and use an aws vm in another country as the exit node for my traffic, would that go under VPN?
Does the house of lords really do anything, though? At best, they can delay decisions, but what power do they really have? Aren't they just a bunch of rich people funded with taxes doing basically nothing?
I mean it's still a Virtual Private network between you and the VPS (which is rented by VPS provider)
So technically if you are from UK, they might come at your VPS provider if they find that you use them as a VPN (law's kinda vague from what I can gather)
Your VPS provider wouldn't really protect your privacy for 4 $ so a snitch.
My point which fucking scares me if I were a UK citizen is that they just have to do it once to scare you to your guts.
Maybe I am paranoid but I couldn't see this shit happen 2-3 years ago & UK is atleast moving at a very dystopian rate and I am not sure if other countries might move in similar direction too if UK experiment turns out to be helpful to the people in power or helps in curbing out protests/real change in any capacity.
I know the law hasn't passed but chances are unless osmething very unlikley happens, its gonna get passed
What's up with democracies trying to imprison their own citizens in such sense, whether digitally or in person. Some countries feel like prisons rather than free land now.
These were the best benefits of democracies over authoritarianism.
I genuinely question with such points if democracy actually just becomes a dual party authoritarianism. Sure people vote but just scare them for real change just once. If a person speaks online, even if they use a VPN, just catch one extreme and scare the moderates from even ever saying something different than what govt says
It’s a lot more difficult to do this anonymously than it is to use a VPN. You almost certainly need to provide payment information and often also identity verification.
Probably about the same, there is a lot of VPS providers out there, and not a small
amount accepts basically an email + cryptocurrencies without any further verification than that. And that's just on the clearweb, going beyond that you start having even more options.
Yeah, although the smaller providers, the sketchier they are. I'd rather use a VPN in a pool of thousands/millions of users. As a data point, I can signup for Proton VPN by downloading it to my iPhone and providing any email address. Without any payment, I can connect to VPN servers and browse anonymously ("anonymously"). This is certainly easier than provisioning a new VPS, not least because I need to pay for it.
then you are not using any vpn service marketed or provided in the UK. if you were to sell access to your VPS to others then you would have to do age verifications on them maybe.
maybe it is still illegal, IDK, bu likely due to other laws (eg a generic "it is illegal to use workaround for X")
then you are not using any vpn service marketed or provided in the UK[0]. if you were to sell access to your VPS to others then you would have to do age verifications on them maybe.
[0] maybe it is still illegal, IDK, bu likely due to other laws (eg a generic "it is illegal to use workaround for X")
The definition section of the amendment defines a "relevant VPN service":
>“relevant VPN service” means a service of providing, in the course of a business, to a consumer, a virtual private network for accessing the internet;
I think it would be a significant stretch to say that a provider that provisions a VPS instance is a "business providing a virtual private network".
Just because you could run a VPN, it's not the VPS provider that is offering a VPN service.
I think it will successfully strech that far (especially after VPN provders move into VPS to avoid) not least because no-one but the provider could be held responsible.
I don't understand what "VPN providers move onto VPS to avoid" means? Can you clarify?
I can't see how they could apply it to VPS providers without meaning AWS, GCP, Digital Ocean, etc would all start having to do age verification checks. Can't imagine here would not be a massive push back against that.
By VPS, I mean a generic compute instance that can run whatever you want. Like a Linux instance. I'm not sure what you mean by "VPN providers offer VPS as a substitute" in that context.
Paying by card isn't enough to verify age. They'd have to specifically verify via passport or other ID.
They REALLY want people to become more tech-savvy and to learn how to create their own VPNs using cheap VMs instances from __INSERT_CLOUD_PROVIDER_HERE__, don't they?
Privacy has an age rating now ? Seems a little ironic forcing anyone under 18 away from being able to have extra layers of privacy and in some cases security online.
I think we need to accept that age verification makes the internet safer. What we cannot accept is age verification's use as a mechanism to pry too far into peoples lives. When we can separate age verification from who am I, most people will be happier. What's tricky is who validates age? Your ISP? Your government? Your OS? A thirty party? Who accredits third-parties, and can you trust them? I'm convinced there's a way to solve this do we can keep the internet safe and not intrude massively on peoples privacy.
I think the creeping invasion of privacy argument is backwards here. What we have today isn’t privacy, it’s abdication. Platforms are externalising risk onto parents and pretending the internet is exempt from the safeguards we accept everywhere else.
Either the tech industry solves this, or governments will. That’s not ideology, it’s capitalism. If we don’t build workable, privacy-preserving primitives, regulation will arrive in the most blunt form possible.
There’s a reasonable middle ground. Identity can be a first-class citizen without being leaked to every website. I don’t need to hand over my name, address, or documents to prove I’m over 18. I need a yes/no assertion.
Imagine the browser exposing a capability like:
> “This site requires age verification. Are you over 18?”
The browser checks via a trusted third party credential and returns a boolean. No DOB. No tracking. No persistent identifier. Just a capability check, much closer to how physical ID works than today’s data-harvesting mess.
As a parent, I already police my kids as best I can, and it’s imperfect. But the offline world has friction and gates: bars check ID, cinemas enforce ratings, shops refuse sales. Those mitigations don’t make parents redundant; they support them.
Online, we’ve chosen to pretend none of that is possible. That’s not a principled privacy stance.
If we don’t design these primitives ourselves, we will get crude, insecure age databases, mandatory uploads of passports, or blanket bans instead. This is the least bad option, not a slippery slope. Collectively we have solved far harder problems.
I don't think it's possible? You could imagine some sort of certificate scheme where the govt issues a thing that says to a 3rd party "we certify this person is 18 but in a way that doesn't reveal who they are". You could also implement that in a way where, even if the 3rd party reports the details of an authorisation to the govt, the govt can't say who was involved in that auth.
But in the latter case, the system is wildly open to abuse coz nobody can detect if every teenager in the country is using Auth Georg's cert. The only way for that to be possible is if the tokens let you psuedonymise Georg at which point it's no longer private.
The answer is to leave this shit to parents. It's not the government's job. It's not the government's business.
That's what got us in to the current public health emergency. It is a luxury we cannot afford if we are to stand a chance to get out. https://www.bmj.com/content/392/bmj.s125
If the parents don’t see it as an issue then the state should not be forcing its way in, especially considering the harm to privacy and free speech. This is an area where reasonable people can disagree as to what the correct parenting approach is, so the state should not enforce a particular approach. If anything they should focus on making it easier for parents to set their own limits at the device level.
...except when the harm spreads far beyond the family.
"We have reached an inflection point. We are facing nothing short of a societal catastrophe caused by the fact that so many of our children are addicted to social media." says the Lord proposing the UK ban.
When it was a luxury we couldn't afford because of "terrorism" I was doubtful. Now that it's a luxury we cannot afford because of the "public health" effects of teenagers using TikTok, I am starting to struggle to identify a good-faith argument.
Can we somehow get age verification without IDs? Age verification itself is OK as an idea. I’m happy to show ID to buy alcohol at the store… but the store clerk doesn’t take a photo of that ID and store it in logs somewhere forever.
Can we please get a law where kids won’t just take their parents’ IDs and upload them to random places?
You might like the Digital ID scheme. It uses Zero Knowledge Proofs, so that one of your 'IDs' could be a simple 'Is over 18' ZKP, without involving your name or anything other detail. These are not tracked by government or possible to associate with your wider identity. This is one of the examples listed in the framework docs.
> "Unlike with a physical document, when using a digital identity, you can limit the amount of information you share to only what is necessary. For example, if you are asked to prove you are over 18, you could provide a simple yes or no response and avoid sharing any other personal details." (from https://www.gov.uk/guidance/digital-identity )
There's a huge amount of disinformation circulating about the digital ID scheme, and the government's messaging over it has been catastrophically clumsy. Which is a pity, because the system has clearly been designed with civil liberties in mind (ie defensively) and for citizens it's a serious improvement over the current system.
While great on paper, zero-knowledge-proof based systems unfortunately have a fatal flaw. Due to the fully anonymous nature of verification tokens, implementations must have safeguards in place to prevent users from intercepting them and passing them onto someone else; in practice, this will likely be accomplished by making both the authenticator and the target service mobile apps that rely on device integrity APIs. This would ultimately result in the same accessibility issues that currently plague the banking industry, where it is no longer possible to own a bank account in most countries without an unmodified, up-to-date phone and an Apple or Google account that did not get banned for redeeming a gift card.
Furthermore, if implementers are going to be required to verify users per-session rather than only once during signup, such a measure would end up killing desktop Linux (if not desktop PCs as a whole) by making it impossible for any non-locked-down platform to access the vast majority of the web.
I'm unsure how applicable these risks are here. The proofs appear to be bound to the app, which in turn is bound to the user's face/fingerprint (required to unlock it).
It's an app, and data is submitted with a tap to approve. The data is just attribute / proof pairs (eg nationality:British / true), and the bundles assembled from these pairs will differ between use cases. Nightclub proof of age would just need the 'over 18' proof, while opening a bank account would need a photo, name, address, date of birth, nationality etc. In other words, there isn't a single Digital ID. The 'ID' is just a container for a specific use. They can be reused, but they will often be single purpose or generated from the attributes saved in your wallet the moment a service requests your data. The best way to think of this is that it gives you a way to pass on your citizen data with authority, and without having to overshare.
The major problem is that no one trusts government not to abuse it and use it to track everything people do. There will be some proportion of people who trust the current government, but will be paranoid that a future government will abuse it, and there will be a proportion of people that don't trust the current government to not abuse it.
You might be able to get more trust by the government assigning a third party to audit the systems to make sure they are working as advertised, and not being abused, but you would still get people being paranoid that either the third party could be corrupted to pretend that things are okay, or that a future government would just fire them and have the system changed to track everyone anyway.
No matter what you do, you will never convince a subset of people that a system that can potentially be used to track everyone won't be abused in that way. Unfortunately, those people are most likely correct. This is why we can't have nice things :(
For the record, I thing it would be great to be able to have a trusted government issued digital ID for some purposes. I especially think it would be great to have an officially issued digital ID that could be used to sign electronic documents. My partner and I moved home recently, and it was not easy signing and exchanging legal documents electronically.
> You might be able to get more trust by the government assigning a third party to audit the systems to make sure they are working as advertised, and not being abused, but you would still get people being paranoid that either the third party could be corrupted to pretend that things are okay, or that a future government would just fire them and have the system changed to track everyone anyway.
The scheme is one step ahead of you, Auditors are required [1]. Government's role in the scheme is limited to operating the API in front of its departments which are read only and scattered (eg no central database), funding the auditors and trust registry (a Digital Verification Service public key store), and legislating. The verification work will all be done by private sector digital verification services - whichever is associated with the wallet app you've chosen. There were 227 of them last year already working for various services - we all benefit from the sector being brought under a formal regulatory framework.
The tracking you fear doesn't seem to be possible beyond what is already tracked when you open a bank account etc, but this is entirely outside the scope of the wallet's operation. It's been designed specifically to make the kind of abuse you fear impossible, at least in its current format, where government is out of the loop except as a passive reference, and the DV services are legally prevented from retaining any data without your consent. Of course that could alter in future, but as it stands the framework doesn't allow for what everyone fears it does.
This is very bad news because I have been in contact with low cost providers (lowendtalk) and the community & even they usually end up renting etc. from datacenters and they usually would have name as well
So theoretically, suppose I have a vpn company on A) either such lowend niche providers who might support let's say my mission or we are aligned or B) the hyperscalers or large companies.
Now I am 99% sure that large companies would actually restrict VPN creation usage (something remarkably rare right now but still it's a gone deal now)
And I feel like even with niche lowendbox providers, suppose I am paying 4 euros or something to a provider to get an IP, they are either using hyperscaler themselves (like OVH) or part of a datacenter itself
If a server they own in some capacity runs a vps, can it be considered that they are running a vps and they can get sued by the Safety Act too? If not, then what if this happens one layer above at datacenter and now datacenters might have to comply with them
I haven't read the article but wtf.
Suppose I run a tmate instance (basically allows you to connect one ssh server to another both inside nat), theoretically this is a vpn as well.
I was calling out that they might ban vpn's when online safety act came and I realized that theoretically nothing's stopping them technologically to do so. It's a cat and mouse game but they didn't have a legal reason to do it so much. Now... You have it.
Is the end of total privacy for UK here?
I feel like even privacy oriented VPN's will move out of UK and non privacy oriented (ie. who will accept your id's) will probably have to manage it or use some third party and I am pretty sure that this basically gives govt. even more, they might now look at which IP said something, contact the now compliant VPN and block other truly private, for which user Id used a particular IP at particular time and seek their ID. I don't know how Dystopian UK's gotten but what's stopping a "reasonable cause" or some UK fbi equivalent contacting.
I feel like even one or two such extreme case of VPN providers would be enough to scare the whole country into check where if you are UK citizen and you talk against UK online, you will be screwed.
Atleast that's the direction I am seeing it heading.
Depending on the instance & how many more such dystopian laws UK adds. It's democracy gets really questionable... and I am not sure what it will be replaced by.
Both parties are kind of aligned in this from what I can tell. Just raise what "reasonable" suspicion to contact means and abuse any laws or create new dystopian laws but online safety act wasn't okay but VPN's provided a way around it.
Now that VPN's themselves are affected. It's kind of gonna wreak havoc imo of any individual privacy.
I am worried what this might mean on tor. Since tor can be considered a vpn, so will UK company sue me if I run a tor instance now?
You are over thinking. This is to enforce age restrictions online which parents are overwhelmingly in favour of.
Make the friction high enough for evading age restrictions and it will stop most kids. Not all but most. Same as most shops stop under age kids buying alcohol and most cinemas enforce age ratings.
If you want to roll your own VPN go ahead.
As far as the "dystopian" state of the UK goes. Even if the UK was a "distopia" the internet won't save you, even though people of a certain age like to think they can stop an authoritarian government from their keyboard. Take the US as a recent example, the bastion of free speech, but US citizens are being murdered by a government organisation. Posting memes from your VPN won't help.
> As far as the "dystopian" state of the UK goes. Even if the UK was a "distopia" the internet won't save you, even though people of a certain age like to think they can stop an authoritarian government from their keyboard. Take the US as a recent example, the bastion of free speech, but US citizens are being murdered by a government organisation. Posting memes from your VPN won't help.
I understand what you mean but still, one has to realize that all the grievances happening in US (esp with Greenland) feels like something trying to distract from the Epstein files (Me and my cousin literally talked about this yesterday and these were almost his words not mine)
Epstein files pressure got dialed up to 11 because of internet, was it not.
If however the internet keyboard warriors weren't there or just the people who were aware from the internet (I mean I can't attest for you but I was reaware of epstein files from internet)
Also yeah, Take the example of Nepal whose almost authoritarian esque govt. was literally toppled by internet protestors to get an anti corrupt person in power.
Internet & anonymity still has power and to just give it up to a govt. would still have massive massive consequences man.
If this law passes, anonymity & privacy is fundamentally ended in UK.
> If you want to roll your own VPN go ahead.
If my VPN would have an IP be arranged via a VPS they will just come knocking to my VPS
Russians actually use a Russia VPS to connect to VPN but they are getting locked down. (Source: I saw some russian person in a forum doing exactly this)
if we are comparing UK to Russia on a reasonable amount, then that would speak mountains too and we can move our conversation from there.
Edit: perhaps I feel like I was also overthinking it a year back when I was worried about VPN's block (I have written it in Hackernews you can go read) and I figured that with something like UK, the tech wouldn't be enough to be uncensorable and we are still off to govt laws and I was worried about exactly this happening.
I didn't want to be right then and I don't want to be right now but I am just telling what I have a reasonable enough suspicion of something happening in future.
UK citizens already lost legislative war, now government has a valid enforcing reason for IP blocks, DPI, etc.
Just a recap how it happened in Russia:
1. First, year ~2015 legal framework was created under disguise of banning pirated media(specifically torrents.ru)(legislative push). State-wide DNS ban introduced. Very easy to circumvent via quering 8.8.8.8
2. Then, having legal basis, govt included extra stuff in banned list(casinos, terrorist orgs, etc)(executive push). IP bans introduced, applied very carefully.
3. Legal expanded allowing govt to ban specific media on very vague criterias(legislative push). IP blocks tried on some large websites. DPI hardware mandated to be installed by ISPs to filter by HTTPS SNI(executive push).
4. At ~2019 Roskomnadzor(RKN) created, special govt entity which enforces bans without court orders(legislative push).
5. ~2021 sites become banned if they are not filtering content by Russian laws by request of RKN(executive push). VPN services were obligated to also DPI-filter traffic(legislative push).
6. ~2023 Crackdown on VPN started(executive push). Popular commercial services were IP-banned, OpenVPN and IPSec connections selectively degraded by DPI.
7. ~2025 Heavy VPN filtering(vless, wireguard, etc) introduced(executive push). Performance of certain sites were degraded(youtube, twitter, etc).
reply