“Big Brother is Watching You.”
― George Orwell, 1984
Since 2022, when the UK’s Online Safety Bill (OSA) was first discussed, you’d have been forgiven for thinking, “That’ll never happen.” But happen it did. And, like something out of a dystopian novel, UK residents now face restricted access to various forms of online content and increased monitoring across numerous platforms.
As many have already noted, the Act pushed VPN searches and usage through the roof. Comparitech saw a 56% increase in impressions for blog posts related to the law and guides to using VPNs as a means of accessing restricted content. Our article which focuses specifically on legislation and the use of VPNs saw a 943% spike in clicks the day the legislation came into effect.

NordVPN noted a 1,000 percent increase in purchases following the implementation of the law. ProtonVPN, which has a free tier, said that its downloads increased by 1,800%.
These and other statistics have led the UK government to look “very closely” at how VPNs are being used.
But VPNs aren’t the only way people are trying to circumvent the OSA. It’s also pushed people to carry out other, perhaps more concerning, searches. These include searching for fake IDs, how to access the dark web, and torrenting services.



The Washington Post also found that more people were flocking to porn websites that hadn’t complied with the laws. In some cases, those that had disregarded the “show your face” requirement had seen double or triple the number of visitors, while those that had complied had seen a vast decrease in traffic.
The OSA was introduced as a way to help safeguard children (and adults) online, but it’s a slippery slope toward increased online censorship. As the above demonstrates, it pushes people to access content through means that are unsafe, unregulated, and in some cases illegal.
Below, we’ll explore what the OSA means in terms of censorship, including:
- Accessing porn and the implementation of age verification
- Forcing messaging apps to scan messages before they’re encrypted
- Monitoring social media platforms
And we’ll look at the dangers of increased interest in fake IDs.
How does the UK’s new age-verification requirement for porn compare to other countries?
As the map below demonstrates, the UK has become one of a handful of countries that require age verification through ID-based systems. Alongside the UK, Belgium, France, Germany, Ireland, and Italy all have similar systems in place.
Australia, Canada, Denmark, Greece, Poland, Spain, and the United States have all taken steps toward similar systems. For example, the US has age-verification requirements in some states, while Denmark, Greece, and Spain are among the EU member states that are testing age verification. Italy and France are also part of the EU campaign but already have their own age-verification requirements in place.
Those with “government restricted” labels include countries where some (but not all) websites are banned, countries where porn is technically illegal but online porn consumption is still high/uncensored/unmonitored, or images are pixelated (as is the case in Japan).
While the UK’s OSA isn’t enforcing the same amount of censorship as an outright ban, it has raised privacy concerns. These relate to users having to share personal data to view porn online as well as the safety of the age-verification systems used by porn websites.
For example, our team recently observed an unsecured database owned by a US-based micro-mobility company. In it, thousands of user ID pictures and face matches were exposed. Worryingly, this isn’t an isolated case, as we observe dozens of such misconfigured instances that contain Know Your Customer (KYC) documents. These kinds of leaks are goldmines for threat actors looking to bypass KYC systems. Increased use of these systems in the UK makes them a target for hackers.
How does the Online Safety Act undermine end-to-end encryption?
Popular messaging services such as WhatsApp and Signal use end-to-end encryption (E2EE) to prevent third parties from being able to “see” the content of the messages being sent and received by users. Messages protected by E2EE are encrypted on the sender’s device and can only be decrypted by the receiver’s device.
E2EE has been a cause of constant frustration for many governments and law enforcement as it prevents access to messages that could play a pivotal role in catching criminals. To make evidence gathering easier for police and state security services, governments around the world frequently call for access to E2EE.
Rather than overtly “breaking” E2EE, the OSA aims to prevent individuals from encountering Child Sexual Abuse Material (CSAM) by preventing it from being uploaded in the first place.
For users of E2EE services, this would involve having their devices scanned prior to encryption (client-side scanning) and the content of their messages being compared to a database of prohibited content. The Act requires that messaging services use unspecified “accredited technology” to achieve this, or come up with their own and have it green-lit by Ofcom.
At this moment in time, the UK government has said it won’t force messaging services to perform client-side scanning until it’s “technically feasible” to do so. But the fact that the law has this provision in place means it’s probably only a matter of time.
The UK & the majority of EU countries want client-side scanning
Fifteen out of the twenty-seven EU countries currently support a “Chat Control” proposal, which would make it mandatory for messaging service providers to scan private messages for CSAM. Only six countries have opposed the regulation.
At the time of writing, Germany’s position on the proposal is undecided, and its vote in October is critical to the overall outcome. Sweden’s position may also feasibly change as its opposition is subject to approval by parliament.
A recent report in the Journal of Cybersecurity, which looked at the risks of client-side scanning (CSS), said the following about the EU’s proposal:
“The proposal to preemptively scan all user devices for targeted content is far more insidious than earlier proposals for key escrow and exceptional access.” And suggested that the aim of such proposals was likely “bulk scanning of everyone’s private data, all the time, without warrant or suspicion.”
It finishes by stating that it: “is unclear whether CSS systems can be deployed in a secure manner such that invasions of privacy can be considered proportional.”
Ultimately, WhatsApp and Signal have threatened to leave the UK if compelled to implement client-side scanning (CSS).
Are you safe to use E2EE messaging services?
Because there is currently no workable solution that would make CSS possible, the OSA on its own doesn’t pose an immediate threat to your privacy when using E2EE services.
However, governments have found other ways to undermine E2EE in recent years. These include restricting or banning the use of E2EE-based apps, trying to force providers to incorporate some form of backdoor access, compelling providers and/or users to disclose decryption keys/access to devices, or using spyware.
As you can see from the above, the UK already has some of these privacy-encroaching practices in place. For example, through various laws–such as the Regulation of Investigatory Powers Act 2000 (RIPA), the Terrorism Act 2000, and the Investigatory Powers Act 2016 (IP Act)–authorities can request the decryption of data or require users to disclose their passwords.
CSS is an entirely different ballgame, though, as this has the potential to give law enforcement real-time access to messages that they’d currently only be able to access after jumping through numerous legal hoops.
Are VPN restrictions next on the UK government’s list?
The UK government insists that banning VPNs isn’t part of the plan but that it is monitoring their usage “very closely.”
What does this mean?
The government has already said that it will take enforcement action against VPN providers that “deliberately target UK children and promote VPN use” with the aim of bypassing safety protections.
Beyond this, experts suggest the government could implement further restrictions, e.g. age-verification systems on VPN platforms as well. This would ensure only users over 18 were able to access both VPNs and online porn. Another option involves detecting and blocking VPN traffic, which would require the sort of Deep-Packet Inspection tools currently used by China and Russia.
Trying to limit access to VPNs is controversial and would take considerable resources to enforce. Our research suggests that, out of 178 countries, only eight countries have fully banned VPNs. A further 34 currently impose VPN restrictions, or have done so in the past.
The dangers of buying fake IDs to circumvent the OSA
As the UK’s Online Safety Act came into force, our Head of Security Research, Mantas Sasnauskas, noted ripple effects across dark web forums and marketplaces with an increased interest in fake or leaked UK IDs.
On one prominent forum, a user posted the following message:
“Hello I’m very interested to buy big leaked UK (driving license, passport). I want to buy 5k-10k-50k-100k driving license.”
Mantas noted that this wasn’t a “casual” post but that the user was demonstrating clear intent to buy a large number of stolen documents. He said this was likely wholesale-level interest, possibly for resale or large-scale identity fraud.
He also found one advertisement for 510 UK passports on Breached forums. The post came from a high-level user, who was offering the 510 scanned UK passports at zero cost. Mantas said these were likely from a past data breach.
Mantas also investigated the price of forged documents on a darknet marketplace. These documents aren’t just scans of legitimate IDs from previous breaches but physical counterfeits that could bypass identity verification systems.
Fake ID risks: malware, scams, and legal exposure
Buying or interacting with these documents exposes users to:
- Scams: Many forums are rife with fake sellers or bait-and-switch schemes.
- Malware: Leaked documents often come with infostealers or other types of malware bundled in the ZIP/RAR files.
- Legal consequences: In most jurisdictions, knowingly acquiring or using fake IDs (even for research) is illegal.
Summary
While any attempt to reduce the dissemination of CSAM should be applauded, it’s clear that the UK’s Online Safety Act comes with a number of concerning and privacy-encroaching practices.
- Not only does the age-verification system for online porn encroach on users’ privacy, but it may also leave them open to identity theft and fraud in the future if their data is leaked.
- The client-side scanning provisions within the law create a worrying future loophole for widespread, real-time surveillance of citizens (whether they’re implicated in a crime or not).
- Any potential restrictions of VPN use would further impinge on citizens’ digital freedom.
- Forcing users to go through age-verification systems means those looking to circumvent the restrictions may find themselves exposed to unsafe alternatives, scams, and threats.
- And as more people look for alternatives to the age-verification systems, it’s often the sites that comply with the legislation that are punished.
Methodology & Sources
To see how the UK’s new Online Safety Act positions it against other countries, we built on our previous study on Internet Censorship – A Map of Internet Censorship and Restrictions.
When looking at porn restrictions, some countries may be scored as having banned online pornography, but residents may find ways to circumnavigate these bans, e.g. with VPNs or mirror sites. However, as the country enforces this ban by blocking websites or implementing laws, the country is scored as having banned it. On the other hand, if a country has brought in regulations to try and restrict or ban an area but users continue to be able to freely use these services/websites, the country is only scored as being “restricted” because the regulations/laws aren’t being enforced.
For a full list of sources, please request access (along with your name and requirements) here.
Researchers: Justin Schamotta, Mantas Sasnauskas, Danka Delić