Concerns mount around UK Online Safety Act

As we reported earlier this week, the UK’s new Online Safety Act has seen a surge in interest in the use of VPNs and an online petition for its repeal has been signed by over 400,000 people.

An article published yesterday by The Critic argues that the legislation is badly drafted. Industry figures too are raising doubts about the effectiveness of the act, its likely wider impact on cybersecurity and its potential for overreach.

Brian Higgins, security specialist at Comparitech, says:

One of the more alarming emerging trends is the almost immediate mission creep of this legislation. The VPN issue was always going to deflate the effectiveness of any age verification measures, in fact it’s rather worrying that those responsible seem quite so surprised by this development. But due to the wide-ranging wording of the content potentially covered by the Bill, legislative compliance is impacting platforms and users in far more draconian fashion than may be deemed reasonable. Spotify is one service which has dismayed users by requiring AV and a prominent UK actor recently found he could no longer access pictures of his own children when posted on Social Media by their mother.

Many more examples of the swingeing reach of this Bill will undoubtedly continue to arise so it’s no wonder people will look for work-arounds. Are Ofcom going to arrest everyone who uses a fake AI Drivers License to spoof their way on to Facebook or will they be too busy getting sued by the US State Department? Only time will tell.

Lucy Finlay, director, secure behavior and analytics at Redflags, worries that the collection of ID data will make websites a more attractive target for hackers. "The requirements for certain websites to verify age by uploading a live selfie or a copy of an ID opens a whole new avenue of attack for cyber criminals and privacy questions for policy makers. Firstly, it invites setting up malicious prompts for ID verification on compromised websites, funneling sensitive data away from unsuspecting users, who are being conditioned not to question giving away their ID. This is an example of ‘sludge’, where a nudge is being used as a friction or barrier to accessing what you want, so people are instinctively acquiescing to this request rather than question its legitimacy. Except it’s now not just pressing ‘accept all’ on annoying cookie pop-ups… it’s giving away your ID or facial data. Secondly, it creates data regulation and privacy headaches, as foreign companies are engaged to carry out the verification service for the websites. Lastly, these companies are likely to be subject to increased scrutiny from bad actors wishing to get their hands on a goldmine of IDs and kompromat-worthy material associated with the ‘sensitive’ material they are viewing. Do these risks outweigh the benefits gained, given these verification checks can currently be bypassed by a simple VPN?"

Mayur Upadhyaya, CEO at APIContext, argues that the government’s aim of protecting minors argues that relying on technical restrictions alone id not the solution. "It’s incredibly difficult to put the genie back in the bottle. These platforms have been accessible for so long that viewing them has become a deeply embedded habit for many young people. Going cold turkey overnight won’t work, especially if the only alternative is technical enforcement. We’re already seeing a surge in free VPN use, which carries serious risks like malware, trackers, and compromised data. More concerning is the cultural divide this creates. When kids feel they have to hide their online behavior, it shuts down the open dialogue parents need to have. The intent behind the Online Safety Act is well meaning, but real change requires education, safer alternatives, and trust, not just technical restrictions."

The government has said, “The Government has no plans to repeal the Online Safety Act, and is working closely with Ofcom to implement the act as quickly and effectively as possible to enable UK users to benefit from its protections.”

Meanwhile US politician Jim Jordan, chair of the House of Representatives Judiciary Committee, has described the act as a censorship law and said, "It allows the British government to dictate how social media companies must censor so-called 'disinformation' 'misinformation', and hate speech."

Do you think the act will lead to problems? Do you think politicians need a better understanding of the internet? Let us know in the comments.

Image credit: AndreyPopov/depositphotos.com