I'd like to believe that technical people at OFCOM actually know the impossibility of what they're being asked to implement but are just going through the motions, so their bosses/politicians can put out pointless press releases like this.
Trying to restrict access to content on the Internet by requiring "robust" age verification was never going to achieve the goals they stated, and has a number of predictable (and already seen) negative side-effects.
Unfortunately governments all over the place seem intent on continuing this type of regulation, I presume so they can be seen to be doing something. Good time to be in the VPN game, I'd guess.
Well, OFCOM lost all credibility with me and many on how they failed to fix the Vectone UK mess. Vectone UK was a virtual operator, however they owned the number range they allocated (most MVNOs get a block from the provider they use for their network, Vectone behind the scene would shop around and by owning the number range, could make switching core network easier I presume). So even when you ported to another network, as they owned the number, they would set up routing to the new provider (this is how number porting works, of which I was unaware as I'm sure many are not). Issue is that if the provider goes bust, all those numbers go with them. So anyone who had a number that originated from them, even if they ported it to another network, suddenly lost not only their number, but any way, shape or form of getting it back. The impact was devastating for many, including myself. All 2FA, or any account ties to that number you found yourself unable to control. Even if you had access to the account, to change the number would see them use best practice security to send a verification code to the old number. This created a right nightmare as you can imagine with all the automated support we now have. So months of fun and games, with the odd gotcha popping up overlooked from time to time.
OFCOM failed to do anything, they could have forced them to sell the number range, taken over control of the number range, or proactively thought out such situations due to the way they port numbers being that the new provider gets control of that number and not at the mercy of the previous provider, which in this case went bust.
But like many, I myself contacted OFCOM and found a chocolate teapot far more comforting and with better results.
What with the UK pushing digital ID, funny anecdote there - I did jury service recently and they do not accept a digital ID as proof of ID, nor do they accept a selfie either as proof of age or ID (we all had a good laugh as was done in the best possible taste).
Phone number, which means I have a SIM I ported, able to make calls, send text messages from what is a ghost number, that can't receive calls or texts and presents in all effect to the outside as a non-existent number. So ended up getting a new number with GiffGaff, which at least has credibility I trust.
That is one option, but then you get into the world of Corporate VPNs which are heavily in use and it would seriously cause problems if you banned.
Then you're into "what about all TLS connections" which can be used to send traffic, so you have to do TLS interception at scale, which is a very non-trivial problem to try and solve.
Then you're into non-TLS encrypted protocols, so your only option there is to block anything you can't intercept.....
At that point you've pretty much broken Internet access in your country, might as well just chop the cables :P
I wish I was as optimistic about the resilience of the open web as you, but I see what the Chinese government achieved and what the Russian government have been doing over the last few years, and I'm very concerned.
China has built their Great Firewall over many years gradually, and they have a lot of resources inside, so almost everything from the "western" Internet has a Chinese analog.
Russian government simply does not give a flying fuck about people and economy on either side of the border, so they can just pull the plug completely if they see it necessary from the political point of view.
So these countries are hardly reference points for what the UK can achieve (although Russia is closer than China).
Oh I'm not saying they won't try and do it, just it'll either be ineffective or they'll effectively wreck the Internet.
For the UK I'm kind of doubting they'll put enough money into it to make it good, so we'll get the ineffective version and politicians will get stories like this one written about their efforts.
I saw an excellent video[1] a few weeks ago that outlined this issue perfectly in the context of Tor's anti-censorship methodologies by hiding its traffic as other kinds of traffic. The endgame is basically to cut the cables and have a countrywide intranet, or just accept that people will bypass it. Even the Great Firewall isn't perfect, and Chinese frequently VPN out of it all the time.
They're still going to try anyway though. Wisconsin is already putting up a hilariously bad anti-VPN bill[2], and I'm curious if they don't just end up trying to ban every server provider out there in the process of enforcing it.
The more practical law is to ban using VPNs to bypass local censorship/filters/etc, which is the law the UAE has for example. Companies can keep using them for security, so can individuals who aren't using them to pretend to be somewhere else to bypass local laws.
This also has the benefit (to the government) of criminalising individuals, making prosecution much easier and allowing it to be more selective according to the government's whims. It reminds me of the way the US dealt with piracy, you could go after a bunch of college kids to make a point etc.
I'd guess the tricky part there is proving intent. If I sign up to a VPN so I can watch sports or other geo-restricted content while on holiday, does that count?
In a fully authoritarian state of course you likely don't have to worry too much about proof, but I'd suggest the UK has a ways to go for that.
On the piracy front, well we've seen how successful they were in stopping piracy.... not at all.
> That is one option, but then you get into the world of Corporate VPNs which are heavily in use and it would seriously cause problems if you banned.
This should not give you /any/ comfort that they won't attempt to ban VPNs. It's as easy as making it illegal to purchase/use a VPN/proxy service as a non-business entity with some loosely drafted legislation that would scare people.
It's child's play to draft legislation that would not affect businesses, plus some appropriate PR/propaganda campaigns.
What's a VPN though, just an encrypted tunnel between two nodes. For decently technical people, it'd always be possible to rent a VPS somewhere outside the country and route traffic to it.
If they're going down that route I'd expect the first service to be banned will be Tor, I'm actually mildly surprised they haven't tried that already.
It really is easy. You cannot outsmart lawmakers here, if they are determined enough.
It doesn't have to be 100% perfect, just 80% plus some messaging (edit: and harsh penalties). Do you not accept this?
As to wording of the law, eg:
"A Commercial VPN is defined as a service offered to the public for remuneration that routes internet traffic through servers to obscure the subscriber's IP address or apparent geographic location, where the primary purpose is to provide anonymity or circumvent geo-restrictions."
"A Business VPN is defined as a virtual private network operated by or on behalf of an organisation to enable employees, contractors, or authorised agents to securely access the organisation's internal network resources; connect geographically separate premises of the same organisation; or comply with data protection or security obligations."
That is, until you only allow approved vendors (Microsoft, Cloudflare, etc) to provide these types of services. It’s very easy to pass laws like that, and it seems like centralization is the direction everything is headed.
So if you could get Google/Apple/MS on board, then you could embed controls onto most people's endpoints, and actually that'd work more than trying to put the burden on websites/controlling the network. The trick is those are all US corporations who may or may not want to be responsible for that level of control.
While we still have alternate operating systems, that won't be a universal control of course. You'd have to stop people owning general purpose computing devices for that to be fully effective.
> You'd have to stop people owning general purpose computing devices for that to be fully effective.
That's been the corporate and probably governmental wet dream since the iPhone released. I think the only thing keeping the x86_64 scene from doing the same thing is legacy software support, and open alternatives existing. If Microsoft could've viably banned getting software from anywhere outside their store, they would have.
I would argue with all the computers they sold in "S mode" a few years ago, they earnestly tried it in the home market.