Online safety bill.

[Fango]

We're starting to veer off-topic into political territory. Please stay on topic or this thread will be closed:

Quote:

Our site is not a place to discuss or promote people's political or religious beliefs.

Fango

[anonjohn]

Now that this is the law, the next stage is for the regulator (OfCom) to start consultation with online porn providers on mechanisms eg for "highly effective age verification". Self certifying - "I swear that am over 18 - honest" will not be sufficient.

ofcom.org.uk/consultations-and-statements/category-1/guidance-service-providers-pornographic-content.

Summary from
theregister.com/2023/12/05/uk_age_verifcation_proposals/

However, service providers will likely be stuck between a rock and a hard place in implementing the guidance without also falling foul of privacy regulations. For example, Ofcom notes the following age checks as potentially "highly effective":

1. Open banking, where a bank confirms a user is over 18 without sharing any other personal information.
2. Mobile network operator (MNO) age check, where the responsibility is shunted onto an MNO content restriction filter that can only be removed if the device user can prove to the MNO that they are over 18.
3. Photo ID matching, where an image of the user is compared to an uploaded document used as proof of age to verify that they are the same person.
4. Credit card checks, where a credit card account is checked for validity – in the UK, credit card holders must be over 18.
5. Digital identity wallets and, our favorite, facial age estimation, where the features of a user's face are analyzed to estimate the user's age.

Deadline for this phase of the consultation is 5 March 2024.

Ofcom can't force non-UK providers to introduce age verification, but perhaps could potentially try to force UK ISPs to block non-compliant sites - I don't know, I havent read the Act.

[supersmoothy]

Quote:

Originally Posted by anonjohn

For example, Ofcom notes the following age checks as potentially "highly effective":

1. Open banking, where a bank confirms a user is over 18 without sharing any other personal information.
2. Mobile network operator (MNO) age check, where the responsibility is shunted onto an MNO content restriction filter that can only be removed if the device user can prove to the MNO that they are over 18.
3. Photo ID matching, where an image of the user is compared to an uploaded document used as proof of age to verify that they are the same person.
4. Credit card checks, where a credit card account is checked for validity – in the UK, credit card holders must be over 18.
5. Digital identity wallets and, our favorite, facial age estimation, where the features of a user's face are analyzed to estimate the user's age.

So, as we already thought, if they go down this road, it's going to be heaven for hacker groups, and I mean actual organized criminal gangs, not some nerd googling how to stream a football game. Well, let's see how they will react to the new forthcoming Ashley-Madison-like situation.
Oh, BTW, I think option 2 is totally unfeasible on its own, because it would automatically exclude any device that is not on a phone network.

Quote:

Originally Posted by anonjohn

Ofcom can't force non-UK providers to introduce age verification, but perhaps could potentially try to force UK ISPs to block non-compliant sites - I don't know, I havent read the Act.

Regardless of what is in the Act, I absolutely expect this, because it would make no sense otherwise. ISPs already routinely block a shitload of sites, so it would be a matter of just adding a few new ones to the list.

Also, I 100% expect criminalization of ISPs and blocking of ISP traffic to come next, in order to stop an easy circumvention of the laws.

[supersmoothy]

In fact, this article is from exactly 1 year ago, so they are indeed already considering Chinese-style ban/control on VPNs.

https:// www. independent. co. uk/news/uk/politics/vpns-online-safety-bill-labour-champion-b2239810.html

[anonjohn]

Quote:

Originally Posted by supersmoothy

In fact, this article is from exactly 1 year ago, so they are indeed already considering Chinese-style ban/control on VPNs.
https:// www. independent. co. uk/news/uk/politics/vpns-online-safety-bill-labour-champion-b2239810.html

No ban or control of VPNs was proposed according to the Commons debate (Hansard v724 Mon 5 Dec 2022)
hansard.parliament.uk/Commons/2022-12-05/debates/E155684B-DEB0-43B4-BC76-BF53FEE8086A/OnlineSafetyBill#contribution-B8A2D85B-22D9-4F22-97F6-216B8888AD4E
although some might detect an ominous hint

Quote:

New clause 54
(1) The Secretary of State must publish a report on the effect of the use of Virtual Private Networks on OFCOM’s ability to enforce requirements under section 112.
(2) The report must be laid before Parliament within six months of the passing of this Act.
...
Sarah Champion MP:
My new clause 54 would require the Secretary of State to publish, within six months of the Bill’s passage, a report on the effect of VPN use on Ofcom’s ability to enforce the requirements under clause 112. If VPNs cause significant issues, the Government must identify those issues and find solutions, rather than avoiding difficult problems.

But it looks like that amendment didn't get through to the final Act. I did a search for VPN and virtual but could not find any mention of VPNs in the entire text of the Online Safety Act 2023 on one page here: legislation.gov.uk/ukpga/2023/50/enacted

Almost every company and organization that allows remote working (including banks, NHS, government depts and also the Labour Party!) require their staff to use a VPN. Protecting private data is a legal requirement of the GDPR (General Data Protection Regulations). Having the government being able to snoop on that highly encrypted traffic would be totally unacceptable to almost every organization and institution.

Which is stronger?

stopping children seeing porn by banning or controlling VPNs.
vs
VPNs needed to protect secure business communication + comply with GDPR privacy law

[supersmoothy]

Quote:

Originally Posted by anonjohn

Almost every company and organization that allows remote working (including banks, NHS, government depts and also the Labour Party!) require their staff to use a VPN. Protecting private data is a legal requirement of the GDPR (General Data Protection Regulations). Having the government being able to snoop on that highly encrypted traffic would be totally unacceptable to almost every organization and institution.

Easy solution: Only block non-corporate VPN connections, at ISP level. No need to snoop. China does it (even though I think they also snoop).

[anonjohn]

Quote:

Originally Posted by supersmoothy

Easy solution: Only block non-corporate VPN connections, at ISP level. No need to snoop. China does it (even though I think they also snoop).

I suppose this might be possible if every ISP had a list of every approved IP address for almost every medium and large business which used VPN. But what about the huge number of small businesses and organizations and the self-employed who use commercial VPNs like NordVPN or Proton VPN to connect to base - or rolled their own VPN using eg OpenVPN?

My main point is not to argue over what governments and individual politicians might or might not be planning - time will tell. But to show that it is practically impossible for a government to enforce "highly effective" age verification online while also preserving privacy and preventing blackmail.

VPNs are an obvious way of evading one country's blocks. But trying to block some or all VPNs brings another shedload of practical difficulties for businesses and organizations. The well-meaning attempts at protecting children in this way, is probably impossible in practice.

[lonmol]

Quote:

Originally Posted by anonjohn

I suppose this might be possible if every ISP had a list of every approved IP address for almost every medium and large business which used VPN. But what about the huge number of small businesses and organizations and the self-employed who use commercial VPNs like NordVPN or Proton VPN to connect to base - or rolled their own VPN using eg OpenVPN?

My main point is not to argue over what governments and individual politicians might or might not be planning - time will tell. But to show that it is practically impossible for a government to enforce "highly effective" age verification online while also preserving privacy and preventing blackmail.

VPNs are an obvious way of evading one country's blocks. But trying to block some or all VPNs brings another shedload of practical difficulties for businesses and organizations. The well-meaning attempts at protecting children in this way, is probably impossible in practice.

They've already begun implementing the US version of these laws. I rather doubt that they're a well meaning attempt to protect children. More likely they're an information (and cash) grab. Whenever politicians say they're doing something for the children, you know they're full of it. If they really cared about protecting children, they'd do something about the mass shootings in our schools.

[supersmoothy]

Quote:

Originally Posted by anonjohn

I suppose this might be possible if every ISP had a list of every approved IP address for almost every medium and large business which used VPN. But what about the huge number of small businesses and organizations and the self-employed who use commercial VPNs like NordVPN or Proton VPN to connect to base - or rolled their own VPN using eg OpenVPN?

In practice, one does quite the opposite. ISPs don't whitelist sites, they blacklist them. So, for VPNs, businesses that use their own VPN for their employees would be automatically fine, as would be those who use Cisco's Anyconnect (the majority of those I know of in the UK), or other similar services, whose first step of the connection, incidentally, is on a server of the organization (so, a UK domain). The rest can be blocked.

Quote:

Originally Posted by anonjohn

My main point is not to argue over what governments and individual politicians might or might not be planning - time will tell. But to show that it is practically impossible for a government to enforce "highly effective" age verification online while also preserving privacy and preventing blackmail.

VPNs are an obvious way of evading one country's blocks. But trying to block some or all VPNs brings another shedload of practical difficulties for businesses and organizations. The well-meaning attempts at protecting children in this way, is probably impossible in practice.

On this, we certainly agree, except on the small detail that I don't think that blocking VPNs will bring difficulties for businesses (see above).