UK Online Safety Act angers users, NGOs, billionaires alike

The UK’s rollout of the Online Safety Act has proven to be an uphill climb, as debates over age verification measures rage and the world closely watches what is proving to be a test case in digital safety legislation, with the attendant fumbles and lessons.

Ostensibly targeting pornographic content and other material that could prove harmful to children, such as child sexual abuse material, the OSA and its enforcer, Ofcom, are finding out that the law as applied has impacted users of sites and platforms far beyond the XXX world, who find themselves being asked submit photo ID for age verification or undergo biometric facial age estimation (FAE) procedures.

Two noteworthy examples are Reddit and Wikipedia – massive sites long considered to be among the vital organs of the internet.

Wikipedia not exempt from category 1 status, says High Court

The case of Wikipedia, in particular, seems on the verge of becoming a public conflagration. This week, the High Court ruled against the beloved collaborative knowledge resource in its challenge against the age assurance component of the OSA.

The non-profit Wikimedia Foundation, which runs Wikipedia, has asked the platform to be exempt from the law’s category 1 class, arguing its inclusion would force the age verification or age estimation process on contributors for whom it is important to remain anonymous. Privacy risks could deter Wikipedia contributors writing in politically repressive nations, for instance.

The foundation says that making age assurance mandatory for all users would turn articles into gibberish, as content from non-age-verified sources is filtered out. It has also floated the idea of putting a cap on monthly users from the UK, to bring it below the threshold for category 1 classification.

According to a report from Scotland’s The National, a judge determined that working within the law can be done “without causing undue damage to Wikipedia’s operations” – meaning Wikipedia must comply, and that consequences of one kind or another are likely.

Gaps appear in anticipated results; rights group says told you so

The story is a potent illustration of the difference between a law in theory and in practice. Losing access to Wikipedia was likely not on many UK legislators’ lists of likely outcomes. Yet it is now a real possibility that the law will reshape the UK’s access to one of the world’s largest and most popular resources.

Fears of overreach, and accusations that the government’s shovel was too broad for the job at hand, appear to be coming to fruition as the scope of the OSA becomes clear. And pushback from digital rights groups continues.

The Electronic Frontier Foundation (EFF) has published a statement detailing the ripple effects of age check laws on UK Reddit forums: “as soon as the policy took effect,” it says, “reports emerged from users that subreddits dedicated to LGBTQ+ identity and support, global journalism and conflict reporting, and even public health-related forums like r/periods, r/stopsmoking, and r/sexualassault were walled off to unverified users.”

The EFF says this is “exactly what digital rights advocates warned about.”

The group further points to a surge in VPN usage in the UK soared, and a petition that has been signed by nearly 500,000 people, seeking the repeal of the OSA. “Some shrewd users even discovered that video game face filters and meme images could fool Persona’s verification software,” it claims. (Persona provides age assurance services for Reddit.)

Marc Andreesen wants Peter Kyle chastised for sex offender comment

Rights groups dislike the OSA for how it can limit access to information. Silicon Valley billionaires claim to dislike it for the same reasons, although their objections must be weighed against the interest they have in retaining young users.

Regardless, they generally do not like being linked to sex offenders. This includes Marc Andreessen, the billionaire venture capitalist who co-founded Netscape and now sits on Meta’s board of directors.

Andressen has lodged a complaint with the UK government over the law, and asked Prime Minister Keir Starmer to reprimand Technology Secretary Peter Kyle over his comment that opponents of the legislation were “on the side of predators,” which also referenced serial sexual abuser and pedophile Jimmy Savile.

A report from the Financial Times suggests the rollout has caught Kyle unprepared, with ministers last week requesting data from Ofcom about how and when VPNs were being downloaded. He now says he is “not considering a ban on VPNs” but that “ministers are keen to understand how the tools are being used, particularly by children.”

Joining Andreesen in his disdain for UK law is the platform formerly known as Twitter, but rebranded by Elon Musk as X. The platform says the OSA “risks suppressing free speech due to its heavy-handed enforcement,” according to a report from Reuters.

“When lawmakers approved these measures, they made a conscientious decision to increase censorship in the name of ‘online safety’,” X says. “It is fair to ask if UK citizens were equally aware of the trade-off being made.”

Age assurance providers should be prepared for evil eye

Vilifying the technology, be it social apps or VPNs, is often an easy out when considering regulations. Age assurance vendors are likely to feel some of this ire aimed in their direction. Indeed, the Financial Times says “privacy campaigners argue the legislation has opened a space for unscrupulous companies purporting to provide age assurance services to gather and misuse reams of personal data.” Specters of data honeypots on which hackers can gorge continue to haunt the conversation.

The overarching call would seem to be for more clarity. The Times quotes a “senior government figure” who notes that “there are clear examples of companies doing things even though Ofcom’s guidance clearly does not require them to do so.” In the official’s view, the OSA has “become a bit of a political punchbag.”

The truth is buried somewhere in the mire. It is certainly easy for Andreesen to slam laws that could impose massive fines on him and his friends who run the largest social media platforms. It is also true that gaps in planning are leading to unintended consequences, suggesting that the law needs to be considered a work in progress. Likewise, while recognized age assurance providers, such as those accredited under the UK digital identity and attributes trust framework (DIATF), wish to collect as little data as possible, there is currently little to stop sites from hiring the Acme Age Verifaction Company™ to provide a shoddy, unproven system; the requirement for “highly effective age assurance” remains broad by design, and open to interpretation.

The EFF overdramatically says that “if we allow age verification, we welcome new levels of censorship and surveillance with it” – but is accurate in its statement that it could be a boon for “the slew of for-profit age verification vendors that have popped up to fill this market void” (or at least many providers hope so).

As the drama unfolds, a truth that comes into clear focus is the critical importance of globally recognized standards for age assurance technologies. Good faith operators in the age assurance sector understand (and will tell you) that their business model depends on a trust that they have to earn; they will invite standards that provide a common baseline upon which that foundational trust can be built. They know what getting it wrong could mean for the entire project – and how closely they are being observed.

FT quotes another official, who says missteps put the law at risk. “If there is a perception of over-reach, that can be quite damaging,” they said, noting that if there were “embarrassing cases of the law going wrong and the possibility of legal action, that’s where things can start to fall apart.”

Article Topics

age verification  |  biometric age estimation  |  biometrics  |  data privacy  |  legislation  |  Online Safety Act  |  Reddit  |  VPN (virtual private network)  |  Wikipedia