The most disturbing thing about this saga is that websites that have no physical/legal/business presence in the UK are proactively geoblocking UK-origin IPs.
Censorious governments have always been a thing since the beginning of the internet. Websites (especially non-corporate ones like 4chan or R34) preemptively surrendering to a foreign government that has no jurisdiction over them is what's new.
> surrendering to a foreign government that has no jurisdiction over them is what's new
Many countries, including the US, claim jurisdiction if you are providing services to their citizens. Some claim jurisdiction if someone in that country sees your web page (ie you've now "published" it there).
You've been blissfully unaware, perhaps, but this has been a thing for a long time.
You have probably seen sites having sections of their TOS tailored specifically for Californian users- this is not that different.
I think the UK legislation here is hamfisted and very harmful, but the jurisdiction argument is nothing new.
Harmful in which way? Porn addiction is as harmful as gambling, tobacco and alcohol addiction.
High school students with phones at school are showing porn to their friends, even younger kids. Some schools have banned phones, but teens aged 12–17 can still access porn sites freely when they get home.
In my opinion, gambling sites and porn sites should always verify age, same goes for shops selling tobacco and alcohol.
You don’t get to sidestep a country’s laws just because you happen to sit outside of the country. If you want to provide services to people within any country then you must obey their laws.
If you’re unwilling to accept this, then you must be extremely careful when you travel internationally or turn off access to that country altogether.
This is true for every country on Earth. This is the price of doing business internationally.
Unlike the UK Internet Safety Act, the GDPR is really easy to comply with for small independent websites. It was aimed at the big companies and companies unethically mining data, and it didn't do much outside of that scope.
There is absolutely zero risk as long as you stay out of the UK. Even if you do travel to the UK, there is no practical risk for the foreseeable future.
And yet we're seeing websites panicking and blocking all UK visitors... which is my point.
Also, thinking that there might be a risk if you travel to the UK because your random website on the other side of the world does not comply with a specific UK law is rather overestimating your importance and the British authorities.
Mainly because, I think, these services are doing the calculation of the risk vs the proportion of users they have from the UK (already small) and that cannot figure out how to use a VPN (even smaller)
The GDPR is designed to protect citizen's right to privacy and prevent websites from just plundering and selling people's private information. We need more places to implement GDPR style laws to ensure that companies don't think that they own people's data.
Are people still thinking a face image can be used to verify age? That's absurd. Former globally leading facial recognition developer here, and the article lightly mentions using a face image and age verification face analysis - that's not age accurate at all. Ask many ethnicities with experience, "age verification" image analysis is so unreliable it is fraud used in this context.
Conversely, people in the UK have mentioned that they looked old enough to purchase age-restricted items at physical stores under an "does they look over 25?" protocol and still asked for ID to purchase them.
Well, it's not really a verification method, it's the use of age estimation models in a computer vision sense. The problem with age estimation models is they are only better in statistically unreliable ways within controlled ethnic demographics. That word salad means that age recovery trained algorithms have a variance of accuracy that is difficult to reduce, and when successful is only successful on narrow classifications of ethnicity. Part of the issue is ethnicity carries meaningful changes in age representation. Asian, African and several other ethnicity show age later and significantly more subtle than others. Now add in the existence of large demographics of mixed ethnicity, and then add in the issue of the uncontrolled illumination age verification systems are expected to operate... and age verification computer vision is rendered kind of useless. Kind of a joke. Kind of leading one to think anyone trying to sell a solution here could be dumb or a fraud. Might be some new breakthrough, but could it?
I’m not sure - I think between the NIST tracks for age estimation and the work entities have done to gather large, diverse sample sets shows meaningful progress and perhaps real world usage.
Your points above are valid and real concerns, in addition to liveliness. There is work further to be done and improvements to be made. But it seems to me that they are solvable problems.
These datasets are getting granular, monolid vs non, 12+ different ethnicity sub groups and so forth.
Do you not think that with enough data it’s solvable?
Well, it all depends if the politicians actually care if this works.
You see, this bill was passed in 2023, under a Conservative government; then a Labour government was elected in 2024, before the bill came into force.
A nice little time bomb, set by the outgoing government - impractical and illiberal, but labelled all over with 'children' and 'cyber-bullying' and 'violent pornography'
So if the Labour government keeps the legislation, they look like heavy-handed censors silencing LGBT voices and local hobby/community forums, yet if they repeal the legislation you can criticise them for wanting children to have access to violent porn.
A Labour politician who thought this was shitty legislation, but who didn't think going on record as a pro-pornography voice would help his or her re-election prospects, might be entirely happy for age checks to be easy to bypass.
Labour, if anything, mainly had issue with the Online Safety Act not being strict enough, and Labour has already gotten itself massively unpopular with a range of LGBT groups and do not seem to care.
I really hope you are right. I'm not UK resident now, but I lived enough there, have family there and know enough about local politics to understand that when it's comes to privacy and freedoms there is very little difference between Conservative and Labour.
The last Labour government (1997-2010) passed the counter terrorism act and had multiple public arguments about how long suspects could be detained without being charged or released in their future legislative attempts - see "prolonged detention" in this: https://www.jrrt.org.uk/wp-content/uploads/2019/06/Rules_of_.... They similarly passed the Regulation of Investigatory Powers Act, which amongst other things includes compelled key disclosure (or compelled decrypt). They also had the national identity register planned as part of ID cards.
For fairness/balance, the tory government passed multiple acts. Online Safety Act was one, but the Investigatory Powers Act another - this did some relatively mundane things like call security service hacking "equipment interference" and say they were legally allowed to do it, but it was the act used on Apple to mandate technical capability to access iCloud e2e (act written by Tories, but TCN probably by Labour home office I would guess based on timing).
Banning in-store sales of VPN activation codes seems well within the ability of the British state to do, especially when they already banned bank/credit card payments.
They're already using the "online safety act" to silence people online.
They're super scared because a great many people have had enough. Crimes numbers, including rapes, are through the roof in the UK. And they want to silence anyone who wants to talk about criminality on the ultra rise.
The UK is on a very dark path. It's the country in the world with the most millionaires fleeing the country: mainstream media brainwash the people saying it's supposedly for tax reasons these millionaires are leaving.
But I live in a country where many millionaires and families have family offices and trusts and the tune is very different.
People are scared of what's going on. Both criminality and religious extremism are rising at a more than alarming rate. And not only is the government doing nothing about it, they're going after those denouncing the crimes.
People are now stabbed to death for their watch in London. A few days ago:
Leftists refuse to see it. They'll rationalize that that man was a capitalist oppressor for wearing a Rolex and that he provoked these people by wearing a $10 K watch. That he's the reason these killers were broke and forced to act evil. That they shouldn't get much jail time because now they'll surely be nice members of a high-trust society.
These people are precisely those who brought the Online Safety Act. But it's Orwellian and Orwellian talk: for what the Online Safety Act is really used for is to silence talk about crimes.
I'm in the EU: in a few years leftists shall probably have put a system in place where police shall come and knock on my door for my posts on HN.
Before anyone comments that the numbers are from 2020. I think the important point is the relative position of the UK to other countries (scroll down to the rankings table)
Crime is “generally down” in the past 10 years according to the ONS, so I wouldn’t expect the ranking to have changed much (in the subsequent 5 years).
This is far right fear-mongering rhetoric. It’s the standard hatred of ethnic minorities whipped up by bigots. The UK is not on a “dark path”, that’s absolute nonsense. Nor do people live in fear. I assume you don’t actually live in the UK. Because none of your description is the UK I live in.
> “People are scared of what's going on. Both criminality and religious extremism are rising at a more than alarming rate.”
Crime is down and has been going down for 10 years. For “religious extremism” I’ll just read “I don’t like brown people”, because extremism is only really growing due to white supremacy groups.
> “they're going after those denouncing the crimes.”
No, they are not, they are going after those fomenting violence (literal riots). In one case leading to white supremacists trying to burn down a hotel with refugees in it.
Crime happens. It doesn’t mean one crime is a symptom of a wider problem. And breaking news: crime is committed by white people too. RE: the Rolex watch crime — I walk through East London with a Patek Philippe on my arm and have zero concerns, I’m not scared, nor do I live in fear. Nobody I know in the UK is scared or living in fear — that’s just agenda driven rhetoric.
Maybe get off twitter and/or the far-right manosphere and try changing your news sources for something more balanced.
> RE: the Rolex watch crime — I walk through East London with a Patek Philippe on my arm and have zero concerns, I’m not scared, nor do I live in fear.
Which route do you take? Just asking for, er, a friend…
:D Dalston high-street mostly. It’s insured anyway, have it: I’d never argue/fight with a mugger! Which seems to be what happened to Rolex guy: no watch is worth fighting for, just hand it over.
> RE: the Rolex watch crime — I walk through East London with a Patek Philippe on my arm and have zero concerns, I’m not scared, nor do I live in fear.
If anything, having spent quite a bit of time walking through the only areas of East London recently that slightly unnerved me when I first moved to the UK in 2000, they're now mostly solidly gentrified...
I moved to London in 1996 and even Notting Hill wasn’t fully gentrified then! I used to walk home from nightclubs and have no issues (early morning, empty streets, dark alleys, etc). I actually did it recently (for old time’s sake), walked back from Fabric to Dalston. Again, no issues, no concerns, no hassle. If anything it seems safer now because of all the police cctv cameras.
In a city of 10 million people crime is bound to happen, but I’ve never felt unsafe in London. No more than any other major city I’ve been to. And the same with the UK as a whole.
I've never felt seriously unsafe either even back then, but there were parts that seemed creepier to me. I think in general people are really bad at assessing real risk, and which flawed risk indicators and stereotypes people build into their assessment will make it hard to convince them of what the risks actually are...
There’s a note: “Trends in police recorded violence with and without injury should be interpreted with caution, as improvements to recording practices have had a substantial impact on the recording of violent crime over the last 10 years. For further information, see Section 19: Data sources and quality”
So, if your stats are a mirror of the ONS then they’re not telling a complete story.
The ONS states: “Crime against individuals and households has generally decreased over the last 10 years with some notable exceptions, such as sexual assault”
But it also states: “Trends in police recorded sexual offences should be interpreted with caution as improvements in recording practices and increased reporting by victims have contributed to increases in recent years. For further information, see Section 19: Data sources and quality.”
There’s no way the OP’s original statement holds up: “Both criminality and religious extremism are rising at a more than alarming rate”
I notice he’s now edited to “criminality and rapes” — he has an agenda. It’s utterly tiresome hearing people outside the UK trying to tell us how scared we are, when it’s complete bullshit.
Fair enough, then this caveat should still apply: “Trends in police recorded violence with and without injury should be interpreted with caution, as improvements to recording practices have had a substantial impact on the recording of violent crime over the last 10 years. For further information, see Section 19: Data sources and quality”
The ONS states that crime is generally down. That’s all I claimed. The OP has been editing away to make his point seem less racist are more pertinent to these follow up replies, which is utterly tedious.
This whole forum seems to have had a lurch into extremism over the past year or so. Either that or these people have been lurking in threads I wasn’t looking at before. I find it crazy that people are downvoting my response which cited facts and pushed back against blatant misinformation and veiled racism. We live in a crazy world where people think this rhetoric is reasonable and ok.
We literally had riots in the UK last year due to white supremacists. It is writ large all over social media, especially because of Elon Musk, who I assume you lionise based on your handle. Its hateful rhetoric and actual violence is on show in the UK more than any other form of extremism.
What other forms of extremism do you believe is growing? Compared to, say, 2007? Where we had hate preachers at Finsbury Park mosque that led to 7/7 and the ‘shoe bomber’
You greatly overestimate our legislators. Of course, they may react in the way you described, but I sincerely doubt we're witnessing some great master plan.
UK is literally the only country except for China that pushed to disable Apple E2E encryption country-wide. It doesn't matter how secure Avanced Data Protection is and how trustworthy is Apple. Just think on it.
Also UK had law for years that can land you in prison for not providing decryption keys for data that you supposedly encrypyted. It's not actively used, but it's there.
So nope, there plenty of UK politicians from both parties that will happily push something that will invade your privacy. And really no one who push against it.
> Also UK had law for years that can land you in prison for not providing decryption keys for data that you supposedly encrypted. It's not actively used, but it's there.
It is actively used, it's just most people fold and hand over the data [0][1][2].
Indeed, the simplest explanation is that they are hearing from voting constituents that porn and other objectionable content is too easy for kids to get online, and want to be seen as "doing something about it."
Most parents don't want their kids looking at porn. While there are steps they can take to prevent it, they require some technical knowledge and are generally easy to get around. The easy availability of this content is what has changed. You used to have to go to a seedy bookstore, "adult" movie theatre, or video rental business to get it, and they wouldn't let kids in. Also you had to pay for it, and most kids don't have any money.
I suspect it's more likely that there actually are a handful of politicians and influential people who do think and plan like that, who exploit the fact that most other politicians and influential people are quite ignorant and easy to lead around by their fear.
Is this hysteria about sex a new thing? I feel like I grew up in an age where it was pretty normal to see these things as soon as you were old enough to be interested in them.
It's just iteration N of a series of power grabs to expand the panopticon of mass surveillance on the internet under the guise of 'but think about the children!!!'.
Wouldn't age verification without revealing identity be solved with a service that acts as an identity authority?
1) Site that needs to verify age generates a globally unique id, creates requested data array ["is_over_18"], valid_until property and hmac signature of this message.
2) Client forwards just the id and requested data array to identity authority. Identity authority returns the id, map of data {"is_over_18": true}, public key information, and signature of returned message.
3) Client returns original message with message received from identity authority to the site. Site verifies that id's and requested data match in both messages, original message authenticity via HMAC and signature of message from identity authority using public key cryptography.
User hasn't revealed any PII data besides "is_over_18" value to the site and identity authority doesn't know which site user is accessing.
Requirements: User registers and verifies identity at identity authority. Site trusts identity authority.
Limitations: Site could, behind the scenes, send the generated ID to the identity authority, informing it which site was accessed using this ID.
EU is working on something like this[1] (got limited discussion here[2]).
I haven't looked into it very much, but at a glance it doesn't sound terrible. Here's the basic flow[3]:
- The User initiates an age verification process by enrolling with an Attestation Provider (AP), which collects the necessary evidence from authentic sources or trusted 3rd party private data sources.
- The AP generates a Proof of Age attestation and issues it to the Age Verification App Instance (AVI) of the User.
- The AVI presents the attestation to a Relying Party (RP) when attempting to access age-restricted services.
- The RP checks the validity of the attestation, referencing the trusted list to confirm the AP's authorisation.
So it uses an app on a mobile device as a proxy of sorts. They're also working on incorporating zero-knowledge proofs[4].
Yeah, something like that. I wonder, if their zero-knowledge proof version prevents leaking of identity, if any service is sharing data with the other.
You're making this far more complicated than it needs to be. It requires no cryptography more than a random number generator.
Create a service that generates a random token and then gives it to anyone who is over 18. Any service with any employee who is over 18 can get the token and then compare it to the one submitted by the client. Everyone uses the same token across every service and the token is only available to someone over 18.
The security isn't any worse than having user or service-specific tokens and the privacy is significantly better.
There's still privacy issues here: e.g. the service is generally still aware of what services the user is using that require verification. ZKP can eliminate this hole.
> e.g. the service is generally still aware of what services the user is using that require verification
How? The token isn't specific to any user or service. The only information the ID provider gets is that you requested the token and the only thing the service verifying your age gets is the same token shared by everyone over 18.
In the solution you described as 'far more complicated than it needs to be', this is significantly mitigated by the inclusion of a valid_until timestamp.
If someone shares their ID publicly, that person could be identified and blocked, so this would probably be limited to sharing of ID to the people in person's social circle.
If someone uploads shared token publicly, it's hard to identify who did it and anyone can use it until you rotate the token for everybody.
The first problem is easy: Write the token on the back of your ID when the government issues it to someone over 18.
The second problem is universally intractable. If you have the cooperation of someone over 18, the service will let you in and has no way of knowing that the person using it is a different person.
> The first problem is easy: Write the token on the back of your ID when the government issues it to someone over 18.
Now realise the UK doesn't have a government issued national ID. Not to mention if it did this would mean everyone re-requesting it on their 18th birthday...
I dunno, I was imagining much simpler ways before I clicked through. Or maybe easier ways. Having to buy something and then configure it is a real barrier.
Age limits on buying cigarettes are easily thwarted by finding a corner shop that needs the sale and will sell to kids. Height restrictions on fairground rides are easily thwarted by putting bits of wood in your shoes. None of this matters.
The point is that this kind of control will drastically reduce under 18s consuming content that they shouldn't. We don't need the all of society's controls to be flawless.
Without co-opting the loaded notion of what we mean by "shouldn't," I do agree that, at a certain point, manipulating controls to feather through the margins and outliers has diminishing positive returns and increasing negative ones.
Should or shouldn't is a matter of opinion that I disagree with because it has no evidential basis. Downloading a free VPN isn't just doable, it's completely trivial in the privacy of your home and doesn't require any confrontation or risk unlike trying to buy alcohol or cigarettes illegally.
And that is before you consider that what you're ultimately doing, even if your blocking strategies were successful, is steering kids towards the darker markets where illegal and actually harmful content isn't removed and that don't care about your ID laws.
A VPN is a hell of a lot easier to access then a corner shop that's willing to break the rules, and such rules on corner shops didn't exactly stop teenagers from finding porn before the internet
For a kid, finding porn before the internet was significantly more difficult.
If you were old enough to pass for 18 yeah a newstand might sell you a magazine. Most would not if you were clearly younger. And you needed to pay for it. Most kids (especially young kids) don't have any money.
And then you had one magazine. Still photos. And it didn't show anything but naked bodies. No real sex, the hardcore stuff was only in adult bookstores.
It was virtually impossible, pre-internet, for an average kid to find a way to spend hours and hours looking at an endless stream of hardcore porn.
According to the article, Ofcom are encouraging "parents to block or control VPN usage by their children to keep them from dodging the age checkers."
This might be stupidest advice I've ever heard. If parents aren't willing to block or control access to porn sites, there's even less chance of them blocking or controlling VPN usage. But if nothing else, it does show up this law for the nonsense that it is.
Controlling VPN seems much easier, no? Since you have to pay for a VPN service, and I imagine most kids don't have a credit card to make arbitrary purchases independently, so it would have to bubble up to a parent.
the most confusing thing about this is, do people think there's just one porn site on the internet? Nobody needs a vpn, they can literally type "porn" into any search engine and land on one of fifteen million sites sitting in Russia or some random island nation
if there's one thing the internet doesn't have a shortage of it's bootleg streaming sites
Kids aren't going to pay for a VPN, even if they had the option to. They're going to Google "Free VPN" and download the first option which will probably add their device into a "UK residential proxy" botnet. Everyone is getting something out of it, the state of UK cybersecurity is weakened further, and no money is changing hands, good luck stopping that.
It's the same thing that happens every time the government tries to ban something that customers actually want. You get a black market, criminals make more money than ever and use it to fund other crimes and the banned thing continues to be available but now the suppliers don't have to follow other laws because then the customers can't object when they're both doing something illegal.
I'm not sure most kids would jump through this many hoops. I don't know what will happen in the future, but I'm having trouble foreseeing a future where a sizeable majority of kids have cryptocurrency wallets. They'll probably just find a friend who has a VPN from parents who don't care or who don't know what it's being used for.
What stops anyone from just mining it? Cryptocurrency mining may or may not be profitable at any given time, but it doesn't matter that you're spending $7 to mine $5 worth of cryptocurrency if you're willing to pay the $7 to get the VPN.
Meh, perhaps now, but there is an easy pipeline of work (mostly menial, Turk type tasks) for crypto that runs right past KYC. Cash for crypto is also surprisingly easy to find, again bypassing most KYC.
I didn't have a debit card until I went to university :P I _think_ having a card at 11 is rare, but not sure. Also maybe gen z/etc are getting cards earlier? Also not sure if parents who do get their kids cards at a young age aren't also checking their statements. Not sure if there's any data on this.
In the UK, "GoHenry" is an app that is targeted at parents as a way to give your kids pocket money, and comes with a debit card option. Their target age range is 6-18.
Revolut also offers accounts from age 6.
Parents would get notifications, but I suspect most parents won't be technically inclined enough to have an issue with a well argued child pointing out they need that VPN to access a game server or region locked content that their parents don't object to.
That said, I'd suspect most kids looking to circumvent these blocks will just install a free VPN.
Wasn't particularly rare when I was in middle school and would've been odd not to in secondary. Bet it's only more common now.
There's also non-bank pre-pay cash cards such as Henry I think one's called, so parent loads it up with pocket money or whatever and I think gets more control/oversight than actual banks probably offer even on dedicated children's accounts.
The most disturbing thing about this saga is that websites that have no physical/legal/business presence in the UK are proactively geoblocking UK-origin IPs.
Censorious governments have always been a thing since the beginning of the internet. Websites (especially non-corporate ones like 4chan or R34) preemptively surrendering to a foreign government that has no jurisdiction over them is what's new.
> surrendering to a foreign government that has no jurisdiction over them is what's new
Many countries, including the US, claim jurisdiction if you are providing services to their citizens. Some claim jurisdiction if someone in that country sees your web page (ie you've now "published" it there).
You've been blissfully unaware, perhaps, but this has been a thing for a long time.
You have probably seen sites having sections of their TOS tailored specifically for Californian users- this is not that different.
I think the UK legislation here is hamfisted and very harmful, but the jurisdiction argument is nothing new.
Harmful in which way? Porn addiction is as harmful as gambling, tobacco and alcohol addiction.
High school students with phones at school are showing porn to their friends, even younger kids. Some schools have banned phones, but teens aged 12–17 can still access porn sites freely when they get home.
In my opinion, gambling sites and porn sites should always verify age, same goes for shops selling tobacco and alcohol.
Classic case of Wolfenstein 3d being banned in Germany in the 90s rings a bell.
You don’t get to sidestep a country’s laws just because you happen to sit outside of the country. If you want to provide services to people within any country then you must obey their laws.
If you’re unwilling to accept this, then you must be extremely careful when you travel internationally or turn off access to that country altogether.
This is true for every country on Earth. This is the price of doing business internationally.
There's the possibility that some of the users of these sites voted for these laws and want the verification in place.
Millions of worried parents, perhaps? Parents who are worried about the negative effects of gambling, tobacco, alcohol, and porn?
The world-wide-web is becoming more and more only-your-country-web.
This is because nowadays everything has to be zero-risk and "over-lawyered."
We have seen the same with the GDPR and now also with the UK Internet Safety Act.
Unlike the UK Internet Safety Act, the GDPR is really easy to comply with for small independent websites. It was aimed at the big companies and companies unethically mining data, and it didn't do much outside of that scope.
There is absolutely zero risk as long as you stay out of the UK. Even if you do travel to the UK, there is no practical risk for the foreseeable future.
And yet we're seeing websites panicking and blocking all UK visitors... which is my point.
Also, thinking that there might be a risk if you travel to the UK because your random website on the other side of the world does not comply with a specific UK law is rather overestimating your importance and the British authorities.
Mainly because, I think, these services are doing the calculation of the risk vs the proportion of users they have from the UK (already small) and that cannot figure out how to use a VPN (even smaller)
The GDPR is designed to protect citizen's right to privacy and prevent websites from just plundering and selling people's private information. We need more places to implement GDPR style laws to ensure that companies don't think that they own people's data.
Are people still thinking a face image can be used to verify age? That's absurd. Former globally leading facial recognition developer here, and the article lightly mentions using a face image and age verification face analysis - that's not age accurate at all. Ask many ethnicities with experience, "age verification" image analysis is so unreliable it is fraud used in this context.
Conversely, people in the UK have mentioned that they looked old enough to purchase age-restricted items at physical stores under an "does they look over 25?" protocol and still asked for ID to purchase them.
Can you share more about this please? I work in the industry and would love to know more about your experience with this verification method.
Well, it's not really a verification method, it's the use of age estimation models in a computer vision sense. The problem with age estimation models is they are only better in statistically unreliable ways within controlled ethnic demographics. That word salad means that age recovery trained algorithms have a variance of accuracy that is difficult to reduce, and when successful is only successful on narrow classifications of ethnicity. Part of the issue is ethnicity carries meaningful changes in age representation. Asian, African and several other ethnicity show age later and significantly more subtle than others. Now add in the existence of large demographics of mixed ethnicity, and then add in the issue of the uncontrolled illumination age verification systems are expected to operate... and age verification computer vision is rendered kind of useless. Kind of a joke. Kind of leading one to think anyone trying to sell a solution here could be dumb or a fraud. Might be some new breakthrough, but could it?
I’m not sure - I think between the NIST tracks for age estimation and the work entities have done to gather large, diverse sample sets shows meaningful progress and perhaps real world usage.
Your points above are valid and real concerns, in addition to liveliness. There is work further to be done and improvements to be made. But it seems to me that they are solvable problems.
These datasets are getting granular, monolid vs non, 12+ different ethnicity sub groups and so forth.
Do you not think that with enough data it’s solvable?
I think it is convenient for the services and probably the regulators to pretend so.
As expected, bureaucrats completely out of touch with current technology producing regulations that are out of touch with current technology
They know what they doing exactly.
But they now have a reason to require age and ID checks to buy VPN. Then ban payments to VPNs that don't follow said regulation.
You'll see.
Well, it all depends if the politicians actually care if this works.
You see, this bill was passed in 2023, under a Conservative government; then a Labour government was elected in 2024, before the bill came into force.
A nice little time bomb, set by the outgoing government - impractical and illiberal, but labelled all over with 'children' and 'cyber-bullying' and 'violent pornography'
So if the Labour government keeps the legislation, they look like heavy-handed censors silencing LGBT voices and local hobby/community forums, yet if they repeal the legislation you can criticise them for wanting children to have access to violent porn.
A Labour politician who thought this was shitty legislation, but who didn't think going on record as a pro-pornography voice would help his or her re-election prospects, might be entirely happy for age checks to be easy to bypass.
Labour, if anything, mainly had issue with the Online Safety Act not being strict enough, and Labour has already gotten itself massively unpopular with a range of LGBT groups and do not seem to care.
I really hope you are right. I'm not UK resident now, but I lived enough there, have family there and know enough about local politics to understand that when it's comes to privacy and freedoms there is very little difference between Conservative and Labour.
I'd say more like none at all.
The last Labour government (1997-2010) passed the counter terrorism act and had multiple public arguments about how long suspects could be detained without being charged or released in their future legislative attempts - see "prolonged detention" in this: https://www.jrrt.org.uk/wp-content/uploads/2019/06/Rules_of_.... They similarly passed the Regulation of Investigatory Powers Act, which amongst other things includes compelled key disclosure (or compelled decrypt). They also had the national identity register planned as part of ID cards.
For fairness/balance, the tory government passed multiple acts. Online Safety Act was one, but the Investigatory Powers Act another - this did some relatively mundane things like call security service hacking "equipment interference" and say they were legally allowed to do it, but it was the act used on Apple to mandate technical capability to access iCloud e2e (act written by Tories, but TCN probably by Labour home office I would guess based on timing).
Mullvad is quite ahead as they sell activation codes on scratch cards.
Banning in-store sales of VPN activation codes seems well within the ability of the British state to do, especially when they already banned bank/credit card payments.
Mullvad also let's you buy by mailing them cash. Or bank wire, or crypto.
> They know what they doing exactly.
They're already using the "online safety act" to silence people online.
They're super scared because a great many people have had enough. Crimes numbers, including rapes, are through the roof in the UK. And they want to silence anyone who wants to talk about criminality on the ultra rise.
The UK is on a very dark path. It's the country in the world with the most millionaires fleeing the country: mainstream media brainwash the people saying it's supposedly for tax reasons these millionaires are leaving.
But I live in a country where many millionaires and families have family offices and trusts and the tune is very different.
People are scared of what's going on. Both criminality and religious extremism are rising at a more than alarming rate. And not only is the government doing nothing about it, they're going after those denouncing the crimes.
People are now stabbed to death for their watch in London. A few days ago:
https://www.lbc.co.uk/crime/three-arrested-man-stabbed-death...
Leftists refuse to see it. They'll rationalize that that man was a capitalist oppressor for wearing a Rolex and that he provoked these people by wearing a $10 K watch. That he's the reason these killers were broke and forced to act evil. That they shouldn't get much jail time because now they'll surely be nice members of a high-trust society.
These people are precisely those who brought the Online Safety Act. But it's Orwellian and Orwellian talk: for what the Online Safety Act is really used for is to silence talk about crimes.
I'm in the EU: in a few years leftists shall probably have put a system in place where police shall come and knock on my door for my posts on HN.
> Crimes numbers, including rapes, are through the roof in the UK
This is far-right propaganda.
https://www.macrotrends.net/global-metrics/countries/gbr/uni...
Your source is only for all crime satistics.
https://www.economist.com/content-assets/images/20250726_EPC...
Before anyone comments that the numbers are from 2020. I think the important point is the relative position of the UK to other countries (scroll down to the rankings table)
Crime is “generally down” in the past 10 years according to the ONS, so I wouldn’t expect the ranking to have changed much (in the subsequent 5 years).
This is far right fear-mongering rhetoric. It’s the standard hatred of ethnic minorities whipped up by bigots. The UK is not on a “dark path”, that’s absolute nonsense. Nor do people live in fear. I assume you don’t actually live in the UK. Because none of your description is the UK I live in.
> “People are scared of what's going on. Both criminality and religious extremism are rising at a more than alarming rate.”
Crime is down and has been going down for 10 years. For “religious extremism” I’ll just read “I don’t like brown people”, because extremism is only really growing due to white supremacy groups.
> “they're going after those denouncing the crimes.”
No, they are not, they are going after those fomenting violence (literal riots). In one case leading to white supremacists trying to burn down a hotel with refugees in it.
Crime happens. It doesn’t mean one crime is a symptom of a wider problem. And breaking news: crime is committed by white people too. RE: the Rolex watch crime — I walk through East London with a Patek Philippe on my arm and have zero concerns, I’m not scared, nor do I live in fear. Nobody I know in the UK is scared or living in fear — that’s just agenda driven rhetoric.
Maybe get off twitter and/or the far-right manosphere and try changing your news sources for something more balanced.
> RE: the Rolex watch crime — I walk through East London with a Patek Philippe on my arm and have zero concerns, I’m not scared, nor do I live in fear.
Which route do you take? Just asking for, er, a friend…
:D Dalston high-street mostly. It’s insured anyway, have it: I’d never argue/fight with a mugger! Which seems to be what happened to Rolex guy: no watch is worth fighting for, just hand it over.
> RE: the Rolex watch crime — I walk through East London with a Patek Philippe on my arm and have zero concerns, I’m not scared, nor do I live in fear.
If anything, having spent quite a bit of time walking through the only areas of East London recently that slightly unnerved me when I first moved to the UK in 2000, they're now mostly solidly gentrified...
I moved to London in 1996 and even Notting Hill wasn’t fully gentrified then! I used to walk home from nightclubs and have no issues (early morning, empty streets, dark alleys, etc). I actually did it recently (for old time’s sake), walked back from Fabric to Dalston. Again, no issues, no concerns, no hassle. If anything it seems safer now because of all the police cctv cameras.
In a city of 10 million people crime is bound to happen, but I’ve never felt unsafe in London. No more than any other major city I’ve been to. And the same with the UK as a whole.
I've never felt seriously unsafe either even back then, but there were parts that seemed creepier to me. I think in general people are really bad at assessing real risk, and which flawed risk indicators and stereotypes people build into their assessment will make it hard to convince them of what the risks actually are...
Violent crime is way up
https://www.statista.com/statistics/288256/violent-crimes-in...
Not sure what statista.com is, but it’s not the Office for National Statistics, here’s violent crime:
https://www.ons.gov.uk/peoplepopulationandcommunity/crimeand...
There’s a note: “Trends in police recorded violence with and without injury should be interpreted with caution, as improvements to recording practices have had a substantial impact on the recording of violent crime over the last 10 years. For further information, see Section 19: Data sources and quality”
So, if your stats are a mirror of the ONS then they’re not telling a complete story.
The ONS states: “Crime against individuals and households has generally decreased over the last 10 years with some notable exceptions, such as sexual assault”
But it also states: “Trends in police recorded sexual offences should be interpreted with caution as improvements in recording practices and increased reporting by victims have contributed to increases in recent years. For further information, see Section 19: Data sources and quality.”
There’s no way the OP’s original statement holds up: “Both criminality and religious extremism are rising at a more than alarming rate”
I notice he’s now edited to “criminality and rapes” — he has an agenda. It’s utterly tiresome hearing people outside the UK trying to tell us how scared we are, when it’s complete bullshit.
The Statista graph is based on this ONS data, table A5a in the spreadsheet: https://www.ons.gov.uk/peoplepopulationandcommunity/crimeand...
Fair enough, then this caveat should still apply: “Trends in police recorded violence with and without injury should be interpreted with caution, as improvements to recording practices have had a substantial impact on the recording of violent crime over the last 10 years. For further information, see Section 19: Data sources and quality”
The ONS states that crime is generally down. That’s all I claimed. The OP has been editing away to make his point seem less racist are more pertinent to these follow up replies, which is utterly tedious.
This whole forum seems to have had a lurch into extremism over the past year or so. Either that or these people have been lurking in threads I wasn’t looking at before. I find it crazy that people are downvoting my response which cited facts and pushed back against blatant misinformation and veiled racism. We live in a crazy world where people think this rhetoric is reasonable and ok.
> extremism is only really growing due to white supremacy groups.
Nonsense.
We literally had riots in the UK last year due to white supremacists. It is writ large all over social media, especially because of Elon Musk, who I assume you lionise based on your handle. Its hateful rhetoric and actual violence is on show in the UK more than any other form of extremism.
What other forms of extremism do you believe is growing? Compared to, say, 2007? Where we had hate preachers at Finsbury Park mosque that led to 7/7 and the ‘shoe bomber’
[dead]
This isn’t the Daily Mail comments section.
You greatly overestimate our legislators. Of course, they may react in the way you described, but I sincerely doubt we're witnessing some great master plan.
UK is literally the only country except for China that pushed to disable Apple E2E encryption country-wide. It doesn't matter how secure Avanced Data Protection is and how trustworthy is Apple. Just think on it.
Also UK had law for years that can land you in prison for not providing decryption keys for data that you supposedly encrypyted. It's not actively used, but it's there.
So nope, there plenty of UK politicians from both parties that will happily push something that will invade your privacy. And really no one who push against it.
> Also UK had law for years that can land you in prison for not providing decryption keys for data that you supposedly encrypted. It's not actively used, but it's there.
It is actively used, it's just most people fold and hand over the data [0][1][2].
[0] https://www.bbc.co.uk/news/uk-england-11479831 [1] https://www.pinsentmasons.com/out-law/news/court-of-appeal-o... [2] https://news.sophos.com/en-us/2017/09/27/campaigner-who-refu...
Indeed, the simplest explanation is that they are hearing from voting constituents that porn and other objectionable content is too easy for kids to get online, and want to be seen as "doing something about it."
Most parents don't want their kids looking at porn. While there are steps they can take to prevent it, they require some technical knowledge and are generally easy to get around. The easy availability of this content is what has changed. You used to have to go to a seedy bookstore, "adult" movie theatre, or video rental business to get it, and they wouldn't let kids in. Also you had to pay for it, and most kids don't have any money.
I suspect it's more likely that there actually are a handful of politicians and influential people who do think and plan like that, who exploit the fact that most other politicians and influential people are quite ignorant and easy to lead around by their fear.
Is this hysteria about sex a new thing? I feel like I grew up in an age where it was pretty normal to see these things as soon as you were old enough to be interested in them.
It's just iteration N of a series of power grabs to expand the panopticon of mass surveillance on the internet under the guise of 'but think about the children!!!'.
Every since they stopped showing 16 year old girls topless in the UK daily newspapers (2004) things have been trending that way.
Can't solve poverty, drug use, grooming gangs or knife crime.
What saddens me about the UK geoblock notices is not a single one of them refers to the UK as Airstrip One.
IIRC the regime in 1984 produced porn for the proles. They had more sense than these middle class pricks from Somerset.
Wouldn't age verification without revealing identity be solved with a service that acts as an identity authority?
1) Site that needs to verify age generates a globally unique id, creates requested data array ["is_over_18"], valid_until property and hmac signature of this message.
2) Client forwards just the id and requested data array to identity authority. Identity authority returns the id, map of data {"is_over_18": true}, public key information, and signature of returned message.
3) Client returns original message with message received from identity authority to the site. Site verifies that id's and requested data match in both messages, original message authenticity via HMAC and signature of message from identity authority using public key cryptography.
User hasn't revealed any PII data besides "is_over_18" value to the site and identity authority doesn't know which site user is accessing.
Requirements: User registers and verifies identity at identity authority. Site trusts identity authority.
Limitations: Site could, behind the scenes, send the generated ID to the identity authority, informing it which site was accessed using this ID.
EU is working on something like this[1] (got limited discussion here[2]).
I haven't looked into it very much, but at a glance it doesn't sound terrible. Here's the basic flow[3]:
- The User initiates an age verification process by enrolling with an Attestation Provider (AP), which collects the necessary evidence from authentic sources or trusted 3rd party private data sources.
- The AP generates a Proof of Age attestation and issues it to the Age Verification App Instance (AVI) of the User.
- The AVI presents the attestation to a Relying Party (RP) when attempting to access age-restricted services.
- The RP checks the validity of the attestation, referencing the trusted list to confirm the AP's authorisation.
So it uses an app on a mobile device as a proxy of sorts. They're also working on incorporating zero-knowledge proofs[4].
[1]: https://digital-strategy.ec.europa.eu/en/news/commission-mak...
[2]: https://news.ycombinator.com/item?id=44561797
[3]: https://ageverification.dev/Technical%20Specification/archit...
[4]: https://ageverification.dev/Technical%20Specification/archit...
Yeah, something like that. I wonder, if their zero-knowledge proof version prevents leaking of identity, if any service is sharing data with the other.
You're making this far more complicated than it needs to be. It requires no cryptography more than a random number generator.
Create a service that generates a random token and then gives it to anyone who is over 18. Any service with any employee who is over 18 can get the token and then compare it to the one submitted by the client. Everyone uses the same token across every service and the token is only available to someone over 18.
The security isn't any worse than having user or service-specific tokens and the privacy is significantly better.
There's still privacy issues here: e.g. the service is generally still aware of what services the user is using that require verification. ZKP can eliminate this hole.
> e.g. the service is generally still aware of what services the user is using that require verification
How? The token isn't specific to any user or service. The only information the ID provider gets is that you requested the token and the only thing the service verifying your age gets is the same token shared by everyone over 18.
Ahh, I see what you mean. Yeah, that works if you're gonna completely give up on the whole 'making it hard for someone to share the codes' thing
Same token for multiple people would improve anonymity for sure.
But someone could share this token publicly and then everyone could have it.
> But someone could share this token publicly and then everyone could have it.
How is this any different than using any other way of doing it? It's always the case that someone can provide their ID and let someone else use it.
In the solution you described as 'far more complicated than it needs to be', this is significantly mitigated by the inclusion of a valid_until timestamp.
If someone shares their ID publicly, that person could be identified and blocked, so this would probably be limited to sharing of ID to the people in person's social circle.
If someone uploads shared token publicly, it's hard to identify who did it and anyone can use it until you rotate the token for everybody.
Now make sure that only someone over 18 can generate token, and that token cannot be given to 3rd party for reuse.
The first problem is easy: Write the token on the back of your ID when the government issues it to someone over 18.
The second problem is universally intractable. If you have the cooperation of someone over 18, the service will let you in and has no way of knowing that the person using it is a different person.
> The first problem is easy: Write the token on the back of your ID when the government issues it to someone over 18.
Now realise the UK doesn't have a government issued national ID. Not to mention if it did this would mean everyone re-requesting it on their 18th birthday...
That limitation is enough to kill such proposal.
Also authority could also do it. Nothing stops them from that.
Yes, if site shares data with identity authority then a malicious identity authority can also share full identity data with the site.
I dunno, I was imagining much simpler ways before I clicked through. Or maybe easier ways. Having to buy something and then configure it is a real barrier.
There is a sudden surge in face scanning of video game characters.
Age limits on buying cigarettes are easily thwarted by finding a corner shop that needs the sale and will sell to kids. Height restrictions on fairground rides are easily thwarted by putting bits of wood in your shoes. None of this matters.
The point is that this kind of control will drastically reduce under 18s consuming content that they shouldn't. We don't need the all of society's controls to be flawless.
Oh, if these rules would teach the under 18s to not be 'content consumers' as you seem to consider yourself, that would be great.
But I'm afraid they're only there to satisfy the puritans. The average shitty content that you 'consume' will still be fine.
Without co-opting the loaded notion of what we mean by "shouldn't," I do agree that, at a certain point, manipulating controls to feather through the margins and outliers has diminishing positive returns and increasing negative ones.
Should or shouldn't is a matter of opinion that I disagree with because it has no evidential basis. Downloading a free VPN isn't just doable, it's completely trivial in the privacy of your home and doesn't require any confrontation or risk unlike trying to buy alcohol or cigarettes illegally.
And that is before you consider that what you're ultimately doing, even if your blocking strategies were successful, is steering kids towards the darker markets where illegal and actually harmful content isn't removed and that don't care about your ID laws.
> Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.
- Benjamin Franklin
A VPN is a hell of a lot easier to access then a corner shop that's willing to break the rules, and such rules on corner shops didn't exactly stop teenagers from finding porn before the internet
For a kid, finding porn before the internet was significantly more difficult.
If you were old enough to pass for 18 yeah a newstand might sell you a magazine. Most would not if you were clearly younger. And you needed to pay for it. Most kids (especially young kids) don't have any money.
And then you had one magazine. Still photos. And it didn't show anything but naked bodies. No real sex, the hardcore stuff was only in adult bookstores.
It was virtually impossible, pre-internet, for an average kid to find a way to spend hours and hours looking at an endless stream of hardcore porn.
If you think VPN is going to stop kids from accessing porn, I have a bridge to sell you.
Porn is a service problem?
A technical advisory blunder, or overreach?
We can debate all day, but I feel very sad to be in the technology sector in the UK right now.
>I feel very sad to be in the technology sector in the UK right now
Why? I feel more sad for the citizens the government is trying to surveil upon 1984 style.
When I was a teen, all the porn was behind paywalls. But it didn't stop us from accessing it via torrent sites and other file sharing tools.
According to the article, Ofcom are encouraging "parents to block or control VPN usage by their children to keep them from dodging the age checkers."
This might be stupidest advice I've ever heard. If parents aren't willing to block or control access to porn sites, there's even less chance of them blocking or controlling VPN usage. But if nothing else, it does show up this law for the nonsense that it is.
Controlling VPN seems much easier, no? Since you have to pay for a VPN service, and I imagine most kids don't have a credit card to make arbitrary purchases independently, so it would have to bubble up to a parent.
The fact that you think you need to pay for a VPN service is a good illustration of the problem with this.
There's a plethora of free VPN services operating outside the reach of UK authorities.
My sons friend circle all figured out how to use free VPN's at around 8-9 to bypass bans on gaming servers.
That's assuming the child is smart enough to only use a paid-for VPN. I can foresee a lot of children being suckered into using a dodgy VPN.
Uptick in TOR usage?
Obligatory comment: https://petition.parliament.uk/petitions/722903
the most confusing thing about this is, do people think there's just one porn site on the internet? Nobody needs a vpn, they can literally type "porn" into any search engine and land on one of fifteen million sites sitting in Russia or some random island nation
if there's one thing the internet doesn't have a shortage of it's bootleg streaming sites
Except paying the vpn requires a credit card that does the same verification check so it’s not thwarting the rule at all.
Vivaldi has the ProtonVPN extension built in. All you need is a free Proton account.
Plenty of VPNs accept crypto or cash-in-envelope, and you don't need to be an adult to have a debit card in the UK.
Kids aren't going to pay for a VPN, even if they had the option to. They're going to Google "Free VPN" and download the first option which will probably add their device into a "UK residential proxy" botnet. Everyone is getting something out of it, the state of UK cybersecurity is weakened further, and no money is changing hands, good luck stopping that.
It's the same thing that happens every time the government tries to ban something that customers actually want. You get a black market, criminals make more money than ever and use it to fund other crimes and the banned thing continues to be available but now the suppliers don't have to follow other laws because then the customers can't object when they're both doing something illegal.
Governments never seem to learn.
Opera has a built-in VPN. No payment required.
Many, eg Mullvad, allow for crypto payments
I'm not sure most kids would jump through this many hoops. I don't know what will happen in the future, but I'm having trouble foreseeing a future where a sizeable majority of kids have cryptocurrency wallets. They'll probably just find a friend who has a VPN from parents who don't care or who don't know what it's being used for.
It's surprisingly hard to get cryptocurrency without a KYC check in the UK - bitcoin ATMs and suchlike are banned.
Far simpler, if you're a teen that wants to get around the block, to just have an older looking friend do the video selfie.
What stops anyone from just mining it? Cryptocurrency mining may or may not be profitable at any given time, but it doesn't matter that you're spending $7 to mine $5 worth of cryptocurrency if you're willing to pay the $7 to get the VPN.
Meh, perhaps now, but there is an easy pipeline of work (mostly menial, Turk type tasks) for crypto that runs right past KYC. Cash for crypto is also surprisingly easy to find, again bypassing most KYC.
I am not sure what will be easier.
Mullvad even let you send cash in an envelope in the post.
I had a debit card when I was 11 years old.
I didn't have a debit card until I went to university :P I _think_ having a card at 11 is rare, but not sure. Also maybe gen z/etc are getting cards earlier? Also not sure if parents who do get their kids cards at a young age aren't also checking their statements. Not sure if there's any data on this.
In the UK, "GoHenry" is an app that is targeted at parents as a way to give your kids pocket money, and comes with a debit card option. Their target age range is 6-18.
Revolut also offers accounts from age 6.
Parents would get notifications, but I suspect most parents won't be technically inclined enough to have an issue with a well argued child pointing out they need that VPN to access a game server or region locked content that their parents don't object to.
That said, I'd suspect most kids looking to circumvent these blocks will just install a free VPN.
Wasn't particularly rare when I was in middle school and would've been odd not to in secondary. Bet it's only more common now.
There's also non-bank pre-pay cash cards such as Henry I think one's called, so parent loads it up with pocket money or whatever and I think gets more control/oversight than actual banks probably offer even on dedicated children's accounts.
Debit cards for kids are a god send. It was extremely annoying to have to keep cash just to give the daughter pocket money when she was going out.
Got her a debit card as soon as they were available for minors.
No don't worry, there are plenty of extremely shady free "VPN" services that this law will provide with a nice stream of victims
I wonder when the UK will become another one of those countries to ban VPNs. So liberal!
The Labour party want to criminalize VPNs, so it won't surprise me if they do.
It's no coincidence that the man who wrote “1984” was a Brit.
I suspect that a porn websites will see a large number of customers looking like Norman Reedus: https://www.thegamer.com/death-strandings-sam-porter-bridges...
It's another "we got rid of families and nations so we need administrative policy to fix the problems" episode.