The introduction of the Online Safety Act’s child protection provisions last week has reignited serious concerns about the future of free expression online in the UK. Many companies must now introduce safety measures to protect children from harmful content, typically via age-checking procedures. This includes pornography sites, but also includes big social media platforms, who could be required to use “highly effective” age checks to identify under-18 users in order to comply with the Act. Not only will the provisions impact under-18s’ ability to access information online, they will – by default – limit anyone who refuses to verify their age on certain sites.
The Act risks overreach, creating a chilling effect on legitimate speech. In the lead-up to the Act’s passage in 2023, we were vocal about our concerns around certain aspects of it and were pleased to see the clause around “legal but harmful” removed. We remain concerned about end-to-end encryption, which is not sufficiently protected in the Act’s wording. Our concerns go beyond encryption though, as the child protection provisions reveal.
Overall, we fear the Act opens up too many avenues for increased surveillance and monitoring, all of which fosters an environment of self-censorship, stifles open dialogue and erodes the right to free expression and access to information. The fact that the age limitations specifically target young people is doubly concerning when you consider that the UK plans to lower the voting age. It has the potential to limit young people’s access to information and their ability to participate in democratic life.
Creating a safer internet for young people is a noble cause and we don’t criticise the intentions of those behind the Act. We do though take issue with the aforementioned and whether it indeed does make the internet any safer. And with that in mind please do read more about the negative implications of the age verification system introduced by the OSA, as argued by James Ball, political editor of the New European, in his piece on Substack earlier this week. We are re-publishing it here with his permission.
Okay, so age verification is pretty painless. It’s still not a good thing. At all.
Two years ago, British politicians passed the Online Safety Act, a wide-ranging law which – among many other measures – introduced widespread age verification for anyone wishing to access “adult” content online.
This sort of measure is always very popular, because it’s easy to make opposing it look bad: why do you want children to be able to access porn online? Many supporters of this kind of bill are all too eager to jump to that kind of argument, and do so shamelessly – it’s presented as obvious and agreeable. Decent people want to protect children online. This measure protects children online. So…who would oppose it?
Despite that, the minority of us who do oppose these kinds of measures tend to be quite vocal, sometimes to the point of exaggeration. At one point, the UK’s age verification was going to be for specialist adult sites only – meaning that verifying your age was essentially an admission you wanted to watch porn.
That could have created blackmail potential, even within a secure system – if someone could access which bank card had been used to verify age for a domain showing gay porn, just that information alone might be useful. But as it happens, it is being rolled out more broadly: Bluesky, for example, is requiring it for anyone to use the DM function. This means it affects far more people, but does mean the fact of being age verified can’t be used to shame anyone. That’s probably good.
Similarly, there are numerous posts going viral suggesting that the age verification law is resulting in Reddit search results being more anti-LGBT, and some are suggesting that was even the intent of the legislation (despite the law being passed by a different government than the one now in office). The basic factual claim here is false: Reddit search results haven’t been altered by the legislation.
This is just another version of the online chain letters that do the rounds now and then – like messages saying you need to copy/paste certain text to stop Facebook’s new privacy policy applying to you (never true), or the one that went around the other week about WeTransfer, which was also almost entirely false/misunderstood.
Anyway, let’s get into the realities of the new age verification regime.
The good: it’s quick, easy and pretty secure
So far, the only website that’s asked me to verify my age is Bluesky. It has, like almost every site affected by the law will, outsourced this to a third-party provider, who offers multiple quick ways to verify – which for most people means either a quick automated confirmation using a live image, or else a check with a bank card.
In my case, the technology took an insultingly short amount of time to confirm that the haggard 30-something in front of it was clearly an adult, and the process was completed in less than a minute. The verifier promises to delete all images and data used in the process, relaying only the successful result to the site.
This is a good system, but there is a long track record of services saying that they don’t store personally identifiable information, and then accidentally storing it anyway – which tends to only emerge later, after they’re hacked. But hopefully the companies involved in this one are aware of the heightened scrutiny on them with this legislation and have audited everything more carefully.
So…what’s not to like about this process? If you’re an adult trying to verify yourself, this is about the best version of things. It’s not difficult, it’s not intrinsically intrusive, and it’s fast. This was enough to have quite a few people – including some friends of mine – post their “I told you so” takes about why age verification was fine, actually. I’m not there yet.
The bad, part one: it’s quick and easy to avoid, too
The stated aim of age verification is to protect children and teenagers from inappropriate content – this usually means sexual content, but can also be extended to include violent online imagery and video.
Broadly speaking, there are two separate groups we are trying to protect here – younger children and teens who might accidentally or unwittingly encounter inappropriate content, and older teens who are deliberately seeking it out. Age verification doesn’t work very well for either.
Evidence – including that collected by the regulator Ofcom itself – consistently shows that when younger children (typically age 10-14) encounter adult content they don’t wish to see, they overwhelmingly see it via messaging apps, typically from their peers. Most of these apps aren’t supposed to be used by under-13s, but sites barely enforce this requirement and many parents don’t supervise it.
The current age verification rules do almost nothing to help protect this group. There are some people calling for under-16s (or even under-18s) to be barred from messaging apps – or even all social media – entirely. That’s a legitimate position, but one I personally find ridiculous: life is lived online now.
If we try to keep young people away from it, they will be woefully underskilled, undersocialised, and unprepared for the world they’ll first encounter as 16-year-olds and 18-year-olds. A phased, parentally supervised introduction to the internet is clearly the only way through here. Too much of this debate feels like efforts to outsource parenting to social media companies.
So much for the younger children who might be accidentally exposed to adult content. What about older teenagers who are trying to find it, who might be stopped by age verification? The short answer is that teenagers are very good at avoiding anything that stands between them and porn – especially when they’re often more tech savvy than their parents.
The UK’s age verification requirement can be bypassed simply by downloading a VPN, which lets you spoof where your traffic is coming from – if you use a VPN and say you’re browsing from the USA, the age requirement prompts vanish immediately. At the time of writing, VPN apps are in the 1st, 2nd, 4th, 5th, 6th and 9th spots in Apple’s app store. Go figure.
Making VPNs illegal is the stuff of dictators (and would also be terrible for corporate remote workers and other legitimate business use purposes), so they are likely to hang around as an effortless way to avoid age verification. In the short term, the technology can also be fooled by various simple tricks.
At the moment, using photo mode in the game Death Stranding fools age verification – and since the service doesn’t save the photo, presumably if it works once there is no way to tell how many people falsely verified themselves in this way. This loophole will doubtless be closed, but new ones will be found just as quickly. Again, the government is trying to do through regulation and tech quick fixes what can only practically be achieved through parental supervision.
The bad, part two: it creates new problems
Using a paid VPN is good for your online security – it can help restrict tracking and protect you from sites trying to steal your card details. But teenagers downloading and using VPNs will inevitably be looking for free services, and these are a very different story.
At best, they’re monetising by selling browsing data, showing questionable ads, or some similar practice. But malicious software often poses as VPNs and is then used to harvest and steal credentials used while the VPN is running – which might include the bank or card details of parents using the same laptops, phones or networks.
Not every teen is going to be tech savvy or connected enough to set up a VPN, but others will try different ways to avoid age verification tech. That means a lot of them will look for small or niche adult sites, who haven’t bothered trying to comply with the law – unlike the relatively “respectable” mainstream adult companies. This does mean that one unintended consequence of age verification could be sending teens towards more extreme adult content than they would otherwise deliberately seek out.
This is going to do some serious damage, and there will be deliberate criminal enterprises working to target teenagers looking to circumvent age verification. While those people are responsible for their criminal acts, we shouldn’t forget that they’re a direct consequence of the legislation, either.
The bad, part three: it won’t stop at age verification
If you’ve read this far, you hopefully get the impression that I think the current system of age verification is mostly harmless, but also largely pointless – I don’t think it will do anything to make the internet safer.
But that in itself is part of the problem: the policy’s advocates won’t take failure as a sign that the approach is wrong. They will instead frame it as proof the policy doesn’t go far enough. Much of this is sincere campaigning on this issue, but it is also deliberately exploited by the UK’s intelligence agencies as part of their efforts to regain surveillance capabilities in the online era.
I recognise this makes me sound like someone who wears a tinfoil hat, so let me give one qualifier here: I don’t think intelligence agencies do this as part of a nefarious Deep State agenda. I think they are legitimately working to keep the UK safe, and their inability to access all messaging on the internet feels like an obstacle to that. I don’t assume any bad faith on their part.
GCHQ had a programme called “Mastering The Internet”, which we revealed during Edward Snowden’s revelations. It was more-or-less what it sounded like: GCHQ wanted to be able to access everything on the internet so that it would be able to find the bad stuff it needed to keep people safe.
In reality, this approach has consistently failed: when asked to evidence what US plots had been foiled thanks to mass surveillance programmes specifically, the American agencies could only come up with a single $8,000 donation to a proscribed terror group, a terrible return on a multi-billion dollar investment. Targeted surveillance works. Mass surveillance is a concerted effort by agencies trying to find a needle in a haystack to make that haystack bigger.
You may or may not agree with me on mass surveillance, but it is the case that since end-to-end encryption has become the default online, intelligence agencies are very keen to find ways to circumvent it – and to make the internet possible to monitor again.
The Home Office and intelligence agencies have consciously and deliberately put child protection at the forefront of these broader efforts, because it’s the easiest argument to win. When they push for measures that would help all of their surveillance goals, they frame it in terms of protecting children or tracking down people who view child sex abuse material online. The Home Office’s efforts to do this have occasionally bordered on the ridiculous, as I’ve reported before.
Trying to require us to use our real-life verified identity whenever we browse online would be a difficult political ask to do in one go. That’s why the efforts are incremental – first you introduce age verification, which is quick, painless and ineffective. When it doesn’t work, you go one step further, asking them to tie an identity token to that verification and allow it to be used for serious crime. In small and measured increments, you can end online anonymity – at least so far as the government is concerned.
So what? I don’t need online anonymity anyway
Perhaps you don’t! But we do generally have anonymity offline and most of us like it that way. In the UK, we aren’t required to carry ID with us, and even in countries where people do, it’s not out on display – when we’re out in the real world, people who know us can identify us and to everyone else we’re just a stranger.
It’s this that lets us talk and relax freely in public places: we can have a private conversation in a café or pub without worrying too much about being overheard, because even if the person at the next table is listening in, they don’t know who we are. Offline interactions are fleeting, without a permanent record.
The internet is different. There is no shortage of people who’ve faced “cancellation” or consequences for casual online conversations on social media from ten or fifteen years’ previous. What is said there is forever, and that comes with social consequence even for speech that’s perfectly legal.
I do a job in which I’m paid to have opinions in public, and part of what goes along with that is putting up with the consequences of it. Some people will disagree with your opinions, sometimes aggressively so. Some of those will decide as a consequence that they hate you as a person. Sometimes that even spills over into the real world.
I’m largely fine about that, because it’s part of the career I chose. But most of us choose not to have opinions in public – and that’s before we start thinking about whether it could affect our employment, or other aspects of our life.
That doesn’t mean we don’t have opinions that we share with friends or families. Most of us want to be able to have relaxed conversations off-guard – and some degree of online anonymity or pseudonymity is essential for that.
Publicly connecting our online presence with our real identity is essentially condemning ourselves to a future of relentless scrutiny and self-censorship. This should not be a future any of us want.
The idea of tying our online identity to real-world ID only the government can see is much more compelling to people, but it honestly amazes me this is so. In 2013 as we reported on documents released by Edward Snowden, we would constantly hear American liberals shrug off what we found – saying, essentially, that they trusted the government needed those powers, and accusing us of scaremongering when we invited them to imagine those powers in the wrong hands. Less than four years later, Donald Trump was elected. I won’t labour that point.
People aren’t scaremongering when they say that the UK criminalises speech too much in the online world, even if certain elements of the British right exaggerate the problem.
More than 1,000 people are arrested every month over something they say online on social media, and that’s more than doubled in a decade. Most of those arrests lead to no further action, and the overwhelming majority of the rest result in nothing more than cautions – but this isn’t a small number and isn’t a zero risk.
People just trying to comment on politics, tv, or something else might fear a knock at the door and censor themselves. People deserve the same speech rights online as they have offline, both in the letter of the law and in terms of how freely they feel able to express themselves in practice.
Tackling criminally abusive speech online is important, but so is allowing free speech – a fundamental human right – in a democracy. When I look at the first few days of age verification, I don’t look at it and think “problem solved”, I see the thin end of the wedge – on its own it’s not particularly harmful, and largely useless. But as the shape of things to come, it’s a step in a bad direction.
This raised an eyebrow as I have a blue tick on there, suggesting Bluesky believes it has verified my identity as a Proper Person according to whatever mysterious criteria qualify you for a tick. But they simultaneously thought I might be a child?