I'd like to believe that technical people at OFCOM actually know the impossibility of what they're being asked to implement but are just going through the motions, so their bosses/politicians can put out pointless press releases like this.
Trying to restrict access to content on the Internet by requiring "robust" age verification was never going to achieve the goals they stated, and has a number of predictable (and already seen) negative side-effects.
Unfortunately governments all over the place seem intent on continuing this type of regulation, I presume so they can be seen to be doing something. Good time to be in the VPN game, I'd guess.
Well, OFCOM lost all credibility with me and many on how they failed to fix the Vectone UK mess. Vectone UK was a virtual operator, however they owned the number range they allocated(Most MVNO's get a block from the provider they use for their network, Vectone behind the scene would shop around and by owning the number range, could made switching core network easier I presume). So even when you ported to another network, as they owned the number, they would set up routing to the new provider(This is how number porting works, of which I was unaware as I'm sure many are not). Issue is that if the provider goes bust, all those numbers go with them. So anyone who had a number that originated from them, even if they ported it to another network, suddenly lost not only their number, but any way shape or form of getting it back. The impact was devastating for many, including myself. All 2FA, or any account ties to that number you found yourself unable to control. Even if you had access to the account, to change the number would see them use best practice security to send a verification code to the old number. THis created a right nightmare as you can imagine with all the automated support we now have. So months of fun and games, with the odd gotcha popping up overlooked from time to time.
OFCOM failed to do anything, they could have forced them to sell the number range, taken over control of the umber range, or proactively thought out such situations due to the way they port numbers being that the new provider gets control of that number and not at the mercy of the previous provider, which in this case went bust.
But like many, I myself contacted OFCOM and found a chocolate teapot far more comforting and with better results.
What with the UK pushing digital ID, funny anecdote there - I did jury service recently and they do not accept a digital ID as proof of ID, nor do they accept a selfie either as proof of age or ID ( we all had a good laugh as was done in the best possible taste ).
Phone number, which means I have a SIM I ported, able to make calls, send text messages from what is a ghost number, that can't receive calls or texts and presents in all effect to the outside as a non-existent number. So ended up getting a new number with GiffGaff, which at least has credibility I trust.
That is one option, but then you get into the world of Corporate VPNs which are heavily in use and it would seriously cause problems if you banned.
Then you're into "what about all TLS connections" which can be used to send traffic, so you have to do TLS interception at scale, which is a very non-trivial problem to try and solve.
Then you're into non-TLS encrypted protocols, so your only option there is to block anything you can't intercept.....
At that point you've pretty much broken Internet access in your country, might as well just chop the cables :P
I wish I was as optimistic about the resilience of the open web as you, but I see what the Chinese government achieved and what the Russian government have been doing over the last few years, and I'm very concerned.
China has built their Great Firewall over many years gradually, and they have a lot of resources inside, so almost everything from the "western" Internet has a Chinese analog.
Russian government simply does not give a flying fuck about people and economy on either side of the border, so they can just pull the plug completely if they see it necessary from the political point of view.
So these countries are hardly reference points for what UK can achieve (although Russia is closer than China).
Oh I'm not saying they won't try and do it, just it'll either be ineffective or they'll effectively wreck the Internet.
For the UK I'm kind of doubting they'll put enough money into it to make it good, so we'll get the ineffective version and politicians will get stories like this one written about their efforts.
I saw an excellent video[1] a few weeks ago that outlined this issue perfectly in the context of Tor's anti-censorship methodologies by hiding its traffic as other kinds of traffic. The endgame is basically to cut the cables and have a countrywide intranet, or just accept that people will bypass it. Even the Great Firewall isn't perfect, and Chinese frequently VPN out of it all the time.
They're still going to try anyway though. Wisconsin is already putting up a hilariously bad anti-VPN bill[2], and I'm curious if they don't just end up trying to ban every server provider out there in the process of enforcing it.
The more practical law is to ban using VPNs to bypass local censorship/filters/etc, which is the law the UAE has for example. Companies can keep using them for security, so can individuals who aren't using them to pretend to be somewhere else to bypass local laws.
This also has the benefit (to the government) of criminalising individuals, making prosecution much easier and allowing it to be more selective according to the government's whims. It reminds me of the way the US dealt with piracy, you could go after a bunch of college kids to make a point etc.
I'd guess the tricky part there is proving intent. If I sign up to a VPN so I can watch sports or other geo-restricted content while on holiday, does that count?
In a fully authoritarian state of course you likely don't have to worry too much about proof, but I'd suggest the UK has a ways to go for that.
On the piracy front, well we've seen how successful they were in stopping piracy.... not at all.
That is, until you only allow approved vendors (Microsoft, Cloudflare, etc) to provide these types of services. It’s very easy to pass laws like that, and it seems like centralization is the direction everything is headed.
So if you could get Google/Apple/MS on board, then you could embed controls onto most people's endpoints, and actually that'd work more than trying to put the burden on websites/controlling the network. The trick is those are all US corporations who may or may not want to be responsible for that level of control.
While we still have alternate operating systems, that won't be a universal control of course. You'd have to stop people owning general purpose computing devices for that to be fully effective.
> You'd have to stop people owning general purpose computing devices for that to be fully effective.
That's been the corporate and probably governmental wet dream since the iPhone released. I think the only thing keeping the x86_64 scene from doing the same thing is legacy software support, and open alternatives existing. If Microsoft could've viably banned getting software from anywhere outside their store, they would have.
I would argue with all the computers they sold in "S mode" a few years ago, they earnestly tried it in the home market.
> That is one option, but then you get into the world of Corporate VPNs which are heavily in use and it would seriously cause problems if you banned.
This should not give you /any/ comfort that they won't attempt to ban VPNs. It's as easy as making it illegal to purchase/use a VPN/proxy service as a non-business entity with some loosely drafted legislation that would scare people.
It's child's play to draft legislation that would not affect businesses, plus some appropriate PR/propaganda campaigns
What's a VPN though, just an encrypted tunnel between two nodes. For decently technical people, it'd always be possible to rent a VPS somewhere outside the country and route traffic to it.
If they're going down that route I'd expect the first service to be banned will be Tor, I'm actually mildly surprised they haven't tried that already.
It really is easy. You can not outsmart lawmakers here, if they are determined enough.
It doesn't have to be 100% perfect, just 80% plus some messaging (edit: and harsh penalties). Do you not accept this?
As to wording of the law, eg:
"A Commercial VPN is defined as a service offered to the public for remuneration that routes internet traffic through servers to obscure the subscriber's IP address or apparent geographic location, where the primary purpose is to provide anonymity or circumvent geo-restrictions."
"A Business VPN is defined as a virtual private network operated by or on behalf of an organisation to enable employees, contractors, or authorised agents to securely access the organisation's internal network resources; connect geographically separate premises of the same organisation; or comply with data protection or security obligations."
They can fine all they want, if the company doesn't have any entity in said territory they can just ignore it. What Ofcom succeeded to achieve though is to deter more and more foreign IT companies to ever expand and create jobs in the UK.
> They can fine all they want, if the company doesn't have any entity in said territory they can just ignore it.
Try running an online poker site abroad and serve US players and find out how that'll work out for you.
Didn't work out well for Lithuanian/Canadian/Israeli Isai Scheinberg founder of Poker Stars, nor Calvin Ayre, the founder of the Bodog, who ended up on the FBI's top 10 list. United States reportedly sought* to seize around $3 billion worth of assets from 3 major online poker companies at the time.
This is the UK we’re talking about, not the US. Watch out, they might send you a strongly worded email, then they’ll follow it up with a D-notice to prevent the media from telling everyone how you embarrassed them.
Eh, maybe? Maybe not? What if years later someone from that company flies through the UK? And if you think you can avoid connecting flights there, what if a flight from NY to CDG has to do an emergency landing and chooses somewhere in the UK?
I mean, while this might be true, I'm not sure democracies being totally incapable of regulating the internet is a good place to be. I'm not sure a race to the bottom (if you attempt to regulate us in anyway we'll leave/go complain to the US president) is really a great outcome here. "Porn websites should check your age" is not some radical totalitarian demand I think?
I think it actually is a radical totalitarian demand, if the only accepted form of age verification is government ID scans or selfie face capture. People should have a right to serve content without having to deal with the SPII of their clients.
... but they specifically don't have to, right? You can just use a third party verification company. Or you can not, if you'd prefer not to. You just have to do something vaguely meaningful that isn't just "Pinky swear you're 18".
The alternative to the OSA is not "being totally incapable of regulating the internet". There's a wide, wide gap between complete lack of regulation and what the UK has done.
Do you really believe Ofcom and the UK establishment in general really care about the children or terrorists when they are pushing for mandatory digital ID and age-verification in every aspect of our digital lives or are you playing naive?
Controversially, I think most people I know in politics really are actual humans, who got into politics to stop bad things happening, and think that children having ready access to pornography is A Bad Thing.
Search Molly Russell in the Uk.... that case sums up online child safety, parents letting emotion take the lead over intellect. That girl was suicidal, you cant blame a fuckin search engine if she was the one looking for suicide content. But whos going to tell those parents theyre wrong? Instead, now a laws been passed and every website now has to be a part time parent/teacher to all children in the uk.
What you or your politician friends may not understand is that “good people stopping bad things” is a very easily manipulated group, because it often is emotion based and reactionary. It is how America has been dismembered, little by little over the decades, good people doing good to stop the bad.
A maybe as clear as possible example of this is the Patriot Act, even though it’s now 24 years old. It was so easy to manipulate people being emotional and thinking they were doing good and stopping bad, when in reality they were doing the opposite.
I won’t even bother listing several other examples because people are still very deeply invested in those manipulations, because no one wants to believe a) they were so easily fooled and b) what they were raised to believe was just manipulative lies and actually bad, while being told it was good and supporting it made them good. It’s far easier thinking of oneself as good…which is the easily manipulated part.
It’s all very standard psychological manipulation stuff, it just takes on whole other self-fulfilling characteristics when it ascends to a complete majority scale, because things can’t be bad if everyone believes… was trained on it all their lives… right?
If you take as a given that consenting adults should have access to sexually explicit material generated by other consenting adults; the potential for harm to adults is huge with the current implementations.
Can't wait for the headlines when the entire watch history of some famous person is released after someone recognises them in their "age verification scan".
It's about the only good thing which could come out of digital ID. Being able to proved proof of age in a double blind way.
This law demands a surveillance architecture, not just porn regulation. Once the norm and mechanism to de-anonymize content use exists, it can be expanded to any content, including political dissent, and for both accessing AND contributing to content (like, for example, on HN). The line should be drawn here.
The vague potential harm of sex doesn't justify the concrete harm of abolishing digital privacy. Further, it's just sex. Equating imagery of legal, natural activity with physical danger is an error.
It is blatantly dangerous to justify stripping citizens of their anonymity. The lawmakers who proposed this are oppressors. They are the danger to our children.
Everyone disagreeing with this poster, are you okay with living in a society where anything goes? Do we give up trying to minimise harms because it is hard to do? The effort to regulate this sort of access has to start in some shape or form and then improved.
Come up with a better solution, provide a proof of concept and yes regulatory agencies / governments will take notice. People like us work in these agencies. Let's propose better ways of achieving the same goal of reducing porn exposure to minors - not keep bashing the initiative taken.
I don't know if you are a parent, but this is a ridiculous question. The unrestricted Internet is a cesspool. For the same reason you wouldn't allow a child to go play in an open sewer, you cannot allow them access to the unrestricted Internet.
How old are you? Most millennials grew up with unfettered access to the internet, including porn, because our non-digital-native parents were easily outsmarted. We were fine. This seems like the same helicopter parenting fallacy that has already destroyed kids' in-person lives.
My kids are millenials. They are fine too, but that is only because my wife and I worked really hard to regulate their access. We caught our 7 year old son searching for some offensive stuff on the internet and when asked, his answer was "my friends are looking for it".
In his teen years, we started hearing some stuff you'd typically associate with the toxic manosphere. A number of discussions later it turned out he was picking this off the internet.
Parents who talk about the difficulty of dealing with all this are labelled as hysterical, emotional, helicopter parents...the list goes on. My only response to that is what I tell most people - don't judge parents too harshly until you've had the opportunity to be one.
> For the same reason you wouldn't allow a child to go play in an open sewer, you cannot allow them access to the unrestricted Internet.
fair enough, but legislate this? why cant you just stop your own kid going on the internet? Id argue youre overblowing it but you cant ever remove the emotional/hysterical aspect when dealing with a parent
> why cant you just stop your own kid going on the internet?
May I ask if you are a parent? Because every parent knows that kids will try to cross any boundary set (which is how they learn, not a problem). If there is additional friction at each step before they access something which is harmful for them, chances are they would have matured well enough to prepare them before they are exposed to harmful content.
Yes they are, but human beings live in a society and we look out for each other. Sayings such as "it takes a village to raise a child" isn't just a pithy quote. Any parent will tell you from their lived experience that it is true.
Most parents do a reasonably good job of regulating the physical environment their child exists in. At the same time, a lot of parents are out of their depth keeping up with all the threats that exist on the Internet.
Like with security of systems, there has to be defense in depth against these threats to children. Regulation is one of them. Parental efforts are another.
It takes less than 3 minutes to set up the free, built-in parental control software in all major operating systems.
This isn't a situation where a parent is so overloaded that they need a village to help raise a child. This is just parents who have decided not to do anything.
But if we're going to go the village route, how about we send someone from say, a child welfare organization to visit every house with a child to walk parents/guardians through setting up the software on their devices - maybe with regular follow-ups to ensure the child's well-being in neglectful households that did not already have such software set up.
I think the one problem about this train of thoughts is that it makes people overly willing to accept any kind of solution, as fast as possible, because what could be more important than protecting our children.
It makes people completely ignore or dismiss the potential problems this will create down the line, especially because we tend to be good at ignoring things that do not affect us yet. This whole thing feels both rushed and extremely short sighted.
Sorry but I'm going to keep bashing the initiative because:
1. It doesn't stop kids from accessing porn because kids know about or can learn about free VPNs.
2. I think it exposes lots of adults to identity theft on non-porn websites by normalising compulsory ID checks. e.g. on Spotify, Bluesky, Reddit, etc. I think it's a matter of time before phishing sites start making use of this.
I think the implementors of this law either knew about these issues or are hopelessly naive.
Given that and the push for digital IDs at the same time I think they are bad actors and I question their motivation.
> I think the implementors of this law either knew about these issues or are hopelessly naive.
Or they decided that, on balance, there is still a net benefit to this starting point.
Doing nothing is not an option - the unregulated Internet is a cesspool. We've allowed children unregulated access to this for a couple of decades now. The argument that we cannot regulate this to protect kids, so we should just accept the damage it is doing is not acceptable any more.
Yes, effective regulation takes time to formulate. But you have to start somewhere and improve the situation.
Your comment has two separate messages that, despite not technically contradicting one another, don't really relate to each other in any way.
1. The current status quo has been the default that's been in place for 20-30 years now
2. Despite this, the situation is so dire right now (did something new happen recently? Worldwide?) that we must do something about it now now now - even if that oversteps and takes away rights, even if it sells off your most private data to random third parties, even if it establishes a framework for broader censorship, doing something NOW is so important that it must trample all other concerns
My whole generation grew up on unrestricted internet, and while I agree that it's not the ideal situation, the experience I and everyone else I know had over these decades suggests that it's not the apocalyptic catastrophe that everyone pretends it to be. Something should be done, but it must be done carefully and in moderation as to avoid censoring and limiting adults in an attempt to make the entire internet child-first.
Instead, what we're seeing is half of the first world suddenly remembering about this after 20 years and steamrolling ahead in complete lockstep. Does this not worry you in any way? And look at what each one is proposing. Why are there no middle-ground privacy-first proposals anywhere? For some reason, those are confined to research papers and HN posts, not policy. Even without thinking of complicated cryptography and tokens and whatnot, think of this: what if ISPs were legally mandated to ship their routers in "child-censored mode" to everyone but businesses and households with no children? They would filter out all the websites that Ofcom or whatever other agency decides are inappropriate for children, but the router owner/operator could go in the settings and authorize individual devices for full internet access.
But that would place the burden of filtering appropriate content on the government, rather than every website in the world - and it wouldn't allow them to extract money via lawsuits and fines. More importantly, it also doesn't allow them to do favors and subcontract benevolent third-party businesses to store and process every user's identity in association with what they visit. I'm betting it's because of those reasons that any privacy-friendly approaches are a complete non-starter.
I think the "surveilance capitalism" and centralization of companies like Meta, Google etc has made many of us very sensitive to any systems that will leave traces of us against our will, be it porn, flock cameras or anything else that is similar.
I think we would have a lot less of a pushback against such policing efforts if governments had done a better job at reigning in tracking on the internet from the start. "Porn websites should check your age" is not that radical, but in a world where it doesn't feel unrealistic that much of the information about you is correlated and processed in ways that are not in your personal best interest, then it becomes another loop in the proverbial noose that can be used to hang us all.
The alternative is that people have a venue to speak that is outside of government intervention.
While we can all see potential abuse (yelling FIRE in a crowded theater), surely the IRL abuse by governments is equally clear, with possibly a higher potential for damage.
That’s what’s so pernicious about this manipulative tactic; you’re protecting the children, after all, right?
The real motivation behind this effort is not protecting children (the signal for that is all over the place), it’s about interrupting and conditioning society for a total surveillance state that controls or suppresses speech and thought. As always, the “think of the children” is just a typically cynical, narcissistic manipulation of people’s natural instincts to protect children.
Of course the underlying motivation is totalitarian. What, do you think they’re just going to come out and say “ok, peasants, we are not going to implement totalitarianism now”? No, they always sneak it in little by little, just as they always have, to the point that people still don’t understand what is going on in spite of things being as bad as they already are.
This is basically grooming, and no, the van does not have candy in it, kid.
If they actually cared about kids, they would have not banned and controlled adults from engaging in legal things freely, or they would have banned pornography as a clear societal ill. They could have also barred children from the open internet in general by allowing children only on a white/allow list; which is exponentially easier to implement, there is government justification, they are not full legal persons, and it can be enforced and penalized with existing child endangerment laws… you give access to a child, you are punished, just like if you, e.g., give children access to alcohol or any number of things.
What they choose to implement instead was that adults have to reveal their identity, essentially digital “show me your papers!”
The ruling class even constantly, openly talk about how they want everyone to have to provide their real identity on the internet to speak. They’re narcissists; all you have to do is listen to what they do and say to the audience they seek admiration from to see through the manipulation and lies directed towards you.
The dots are right next to each other and are labeled A and B. I am always a bit confused why so many people cannot, maybe don’t want to connect obvious dots; maybe because of what it means, not wanting to face reality because it causes discomfort in what they believe about things and themselves?
“I supported them and voted for them/this system. How could they be totalitarian? I would never vote for totalitarian control over myself, because I am smart and good. Therefore their intentions and motivations must be pure”. It’s a common abuse trap. It is also the underlying psychological manipulation mechanics of other cults and con artists, not just contemporary politicians.
Yeah, they didn't really think through the fact they're publishing big lists of sites without effective age verification in all the investigation notices on their website..
I'd like to think somewhere in the newsroom somebody read off the list of websites, nobody admitted to visiting, so they had to conclude none of them had name recognition.
Heavy tangent: I finally tested the age verification thing in France: it's fine. I heavily dislike the biometric verification, it feels it can be gamed easily and in my opinion is dangerous, but the e-Id/bank verification seems solid.
Weirdly, it might makes 'local' porn site like Dorcel who used to ask for credit cards for age verification (because of prior regulation not followed by mindgeek) more popular in the long run.
Except by ogling your ID, the attendant isn't making a copy and linking it to your purchase in a database that will get breached, or shared with the wrong future government.
This isn't the same due to the sensitive nature of pornography consumption but in the US this is exactly what happens when you buy certain cold medicines (pseudoephedrine specifically)
erm, I think they're now called "sex workers" but self-employed or digital prostitutes is more correct now, given the inability to tell if you're dealing with a person or AI hologram!
why I specified, prostitute, as the restrictions with online sexiness, will push unrequited demand, back into real life, where nobody is concerned with bieng all nicy nice about the "titles" involved, it's kinks for sale, maddness, life on the edge, or cartoon's, so for those too chicken to buy a piece of tail, then they can buy a blow up doll, or something else in brown paper, or soon enough, personal AI...assistants, rather then the variety you can see getting lunch at noon, on the corner of young and bloor, which AI will never be able to simulate, ha!, anybody who can make it past a receptionist like those, still able to conduct serios negotiations, is made from stern and focused material indeed.
Trying to restrict access to content on the Internet by requiring "robust" age verification was never going to achieve the goals they stated, and has a number of predictable (and already seen) negative side-effects.
Unfortunately governments all over the place seem intent on continuing this type of regulation, I presume so they can be seen to be doing something. Good time to be in the VPN game, I'd guess.
reply