Hacker News new | past | comments | ask | show | jobs | submit login
UK Online Safety Bill proposes age verification for all user-interactive sites (openrightsgroup.org)
52 points by HeckFeck 43 days ago | hide | past | favorite | 63 comments

I hate saying it because it makes me sound like a paranoid loony, but we're literally getting close to being a config file change away from being an inescapable totalitarian dictatorship, all the parts are slowly being put in place and then all it'll take is someone to go for it.

In the name of keeping us safe they're making us powerless and helpless before the powerful

The UK has always been authoritarian-monarchist with the minimum level of reform and public inclusion necessary to placate the middle class. In some ways this was better than comparable European countries; whenever there was a flashpoint there was always enough reform to avert armed revolution in the capital, so the UK had no 1789 moment. (Don't forget the armed rebellion in Northern Ireland for half the 20th century! Complete with kangaroo courts, political prisoners, troops shooting people in the street, and of course censorship. Anyone else remember Gerry Adams MP being banned from speaking on television and the "words read by an actor" compromise?)

However the country had no formal free speech guarantee until the Human Rights Act 1998. The public and press retain an authoritarian streak; the Tory press are generally quite happy to support Internet censorship because it won't affect them and in fact affects their competition.

The UK has a lot of aspects which are "authoritarian on paper, liberal in practice, don't worry about the lack of formal guarantees, we don't do that here because we're British". Until we do do that here and nobody is held accountable.

Everytime I see the news about our countries slowly moving in that direction, usually helped by the new wonders of technology now used to circumvent the protections europe put in place after world war 2, I'm reminded of this quote for the v for vendetta movie

> How did this happen? Who's to blame? Well certainly there are those more responsible than others, and they will be held accountable, but again truth be told, if you're looking for the guilty, you need only look into a mirror.

> I know why you did it. I know you were afraid. Who wouldn't be? War, terror, disease. There were a myriad of problems which conspired to corrupt your reason and rob you of your common sense. Fear got the best of you, and in your panic you turned to [the politicians asking for more power]. He promised you order, he promised you peace, and all he demanded in return was your silent, obedient consent.

The situation is always more complex, but still, had "child abuse" to that list and it fits almost too perfectly.

At the end of the day, we demand solutions, and when the leadership says "for that I need more power" we're all too eager to give it to them. Because we don't really care, we're complacent, we just don't want to be interrupted in our relatively pleasant little lives so we agree to give them whatever they say they need to stop it. Of course, it doesn't actually stop the bad things from happening, but little by little it erodes our control and freedom, and we are not getting them back.

The sad truth is: even had we the will to resist, we haven't the means.

I think they are actively “going for it” right now. Scary times

How are LibDems reacting to it? I expect them to be strongly opposed.

> inescapable totalitarian dictatorship

For context the government is also proposing:

- Voter ID for voter disenfranchisement (Elections Bill)

- To rig elections in favour of the Conservatives and stifle opposition (Elections Bill)

- All but banning protests (Police, Crime, Sentencing and Courts Bill)

There is multi-pronged attack underway which is in no way hyperbole.

Northern Ireland has had a free voter ID card for years. I can't recall hearing complaints about disenfranchisement.


The bigger issue is that the bill has a whole raft of other changes included alongside voter ID, and they're using arguments such as "other countries have voter ID" to effectively win public support for the entire bill.

I will not engage in a debate on voter id right now because of this (but thanks for attacking the weakest part of my post, using a throwaway :)

The Conservatives have been trying to criminalize all sorts of things since at least back to the 1994 criminal justice and public order act. Yet still people can glue themselves to motorways. Statutes and case law are only part of the picture.

I went and checked the proposed legislation and this is also included in the UK scheme; free electoral ID. https://publications.parliament.uk/pa/bills/cbill/58-02/0138... (page 63)

In the context of the UK, I've never heard a good argument against Voter ID.

How about not only there being a lack of evidence showing significant election fraud in the UK but there's also positive evidence there is no significant election fraud, and that there are hundreds of thousands of people in the UK who have the right to vote but cannot get ID and adding the extra hurdles and steps to allow these people to vote anyway will discourage at least some from voting?

And that this could potentially unfairly affect the results of elections, which is exactly the problem that voter ID is supposed to prevent

Well there was the well publicised case of Luther Rahman, the Tower Hamlets Mayor. See https://www.bbc.co.uk/news/uk-england-london-32428648

But I'm more inclined to suspect postal fraud. There was talk of students voting twice but whether that was a big thing is unknown. But clearly there has been some level of election fraud going on.

Lutfur not Luther.

I was once encouraged by a canvasser to vote in my home town and where I was studying because 'they'll never know'.

> How about not only there being a lack of evidence

Isn't this a chicken and egg problem? Without voter ID we don't know whether fraud has taken place or not.

> there are hundreds of thousands of people in the UK who have the right to vote but cannot get ID

That is a wider problem that should be fixed. Agreed that in the current state it would cause friction for people to vote.

> Isn't this a chicken and egg problem? Without voter ID we don't know whether fraud has taken place or not.

No, they keep a track of who has turned up to vote, if you are putting extra votes in or voting in someone else's name then either the number of votes and number of voters wont tally or you'll start seeing a significant number of people who have voted twice, once from the genuine voter and once the person who was fraudulently voting in someone else's name.

I've yet to hear a good argument for them.

There's no national ID system to base it off?

The politics is odd; voters don't want mandatory ID cards, but they seem comfortable with legally requiring ID to rent or buy a house, have a job, have a bank account, and now voting.

What training do those working in polling stations have to decide if your Voter ID matches the presenter? What is your recourse when you're turned away?

These sound like manageable problems, do they not?


I mean, to be cynical, they managed to convince the population to support Brexit so why not go for gold while they can?

By "they" I assume you mean the government? The Tory government at the time was campaigning to remain, so not sure what you're talking about?

The press and the surviving Leave faction that comprises the current Tory government?

As opposed to socialist Corbyn who attacked EU for being globalist cabal from Brussels for decades?

It would be the will of the people.

This is a bad idea.

That said, it's interesting to consider what a good idea would look like, if we imagine a world where age verification does become an inevitable strict requirement.

Is it practical to do this cryptographically on the web, with something technically similar to today's client certificates? Age verification certificate authorities who verify your age, and then issue a private key & certificate pair that says just "the holder is 18+" (and nothing else) such that you then provide this seamlessly to websites as you browse? Without exposing a consistent certificate id that can be used to track you?

That would allow the minimum verification but no more, without leaking personal data or creating any other UX impact.

Such systems are still vulnerable to children actively stealing such certificates from verified adults of course, but so is every other manual verification scheme I've seen proposed, and at least it requires a fair degree of technical acumen to steal.

Again, the UK plan here is a bad idea, but perhaps if this is a likely direction of future legislation then it would be good to get ahead of it with some kind of privacy-preserving alternative, instead of falling into easy but terrible fixes later.

> Is it practical to do this cryptographically on the web, with something technically similar to today's client certificates?

That one is easy to imagine (and is already deployed for some other use-cases in Brazil). People will be required by the government to have a client certificate, in order to interact with government services.

You just slowly increase the scope of both which people are required and for what. If you increasing it slowly enough, most people won't even notice or status-quo-bias it into being "business as usual".

Client certificates? Oh no, those are on the way out. You'll get some form of third party signed attributes. You go to a site that needs age verification, and get redirected to one of the applicable trusted providers of attributes (attributes like 'I am 18+'). In practice, this means you get forwarded to a government portal to login with your government issued ID, and then you'll be asked if you're OK with providing site X with the 'I am 18+' attribute (which you only have when you are over 18). Site X then gets a time-limited token from your browser that allows it to verify those claims with the provider of it.

This is being worked on by various governments to my knowledge, and it will all be backed by ID-apps on your Google or Apple smartphone which won't be mandatory, but neither is there a clear answer to how people without (those) smartphones or no wish to install government apps are supposed to do certain things. The Dutch government is experimenting with one at the moment.

Link in Dutch, including cheerful dystopic animated video: https://www.rvig.nl/digitale-identiteit/digitaal-identiteits...

Thanks for sharing that video!

Such a system could (and perhaps should) be generalized to all boolean expressions involving personal details of users.

A website should be able to specify a list of access conditions, such as (is not from Iran, Syria, North Korea or Cuba) and ((comes from the US and is over 21) or (does not come from the US and is over 18)). Instead of requiring the user to give them enough personal data to verify those assertions, it could just ask their certificate authority and receive a true/false answer, without receiving a reason why this answer is true or false.

Such a system could also provide seamless CAPTCHAs and abuse prevention mechanisms. Let's say every website would receive a random (but cryptographically signed) string on each visit. The CA would log what user received what string. As long as the user behaved properly, they wouldn't be identifiable to the website owner. However, a court could force the CA to hand over the information of an abusive user for whom a certain string was generated. Website owners could also ask the CA to never let a user with a given string onto their website again, still without knowing a single thing about that user.

> Instead of requiring the user to give them enough personal data to verify those assertions, it could just ask their certificate authority and receive a true/false answer, without receiving a reason why this answer is true or false.

This doesn't preserve privacy though: now your verification authority necessarily hears about every website you visit that wants verification, and can trace your every move.

They could absolutely issue you with a wide selection of certificates you could use to independently verify yourself though, preserving privacy all round. A certificate for "comes from the US", a certificate for "is over 21". Come up with a big list of criteria, issue a true or false certificate for each, and then you can provide the combination required to satisfy whatever a website needs to confirm from you.

You need an expiry for some though. "You're over 18" is permanently true. "You're under 18" is clearly not, but it's easy enough to set an expiry date. Meanwhile "You're an American citizen" isn't necessarily permanent, but becomes invalid unpredictably. You could publish revocations or just require occasional revalidation though.

This exists, it's called attribute-based credentials. Is this a good idea? Only if you trust the inspector(s). Do you? Probably not.

MS is following Apple's iPhone "it's not your device" model with Windows 11 needing the TPM chip, so soon we'll have less control of our hardware. I wonder if China would introduce a law which would monitor users through the camera e.g. "to ensure children (and adults) are not spending too much time on the computer".

Afaik they already force the presence of monitoring software on phones of Ughyurs...

The web is pretty broken anyway - so this could be a driving force for an alternative web? I thinking something like IPFS:


Or broadcatching:


These are of course for generally downloading content, rather than interactive content.

I know it's a joke, but there's only 1 WWW. Would be good to have at least an alternative.

I am British and will be directly affected by this. What can I do to help stop this becoming law?

Message your local MP and sign a petition on the UK Parliament petitions website when one is made (which will be soon).

I would commend to the government the age based questions from Leisure Suit Larry, but they probably have something less sophisticated in mind.


It would be nice if governments would heed the maxim 'don't interfere in what you don't understand'.

But it's too easy to propose non solutions to non problems, or where there are problems blame the wrong people and do nothing to address the actual source of the problem.

Maybe. Just maybe, leaving your children dumped at computer screens is a bad idea. Also raising them without any social defences, yes, perhaps that's part of the problem?

Predators and morally harmful content exist everywhere, and there is plenty of both in the government might I add. So using force to ruin the Internet for everyone in the UK and introducing more time wasting paperwork will just make the world worse.

Meanwhile, the kids who were vulnerable to online exploitation will fall to predators elsewhere or languish in generally miserable lives anyway.

The government can't make up for your parental failings. We should stop letting it think it can.

In today's news that will make you go "Oh, fuck off!".

Reminds me of the time Zuckerberg appeared before Congress struggling to explain internet 101 to old politicians.

Is it worth it to sites like this to implement age verification? Initially it will be too a high burden so just ban the UK IP address ranges to indemnify your site. In the long run age verification sites will emerge that are cheap but they will still cost. Anything that is supported by ads is gonna struggle so the long run has a UK accessible web being void of independent voices. This doesn’t consider the security implications once the UK identity and verification database is used for identity theft.

I think a good hedge against the web becoming more and more bureaucratic is to invest in the internet giants like Google and Facebook.

It is such a tailwind for them.

Every piece of regulation you have to comply with gives them an edge over the competition.

Implementing cookie banners or an age verification system costs you the same if you have 1000 users or 1000 million users.

So on a per user basis, these annoyances are a million times cheaper to master for the giants than for a startup.

They failed to do this with porn sites and now they want to do it with every site in existence? Preposterous.

Incompetence is common in the public sector and it's really the only thing stopping this sort of thing from happening. Political support for this is mostly unanimous among the local parties and the larger European sphere.

Every party will complain for votes and then proceed to re-implement it with a different blame figure.

I imagine many, if not most of those services, will cut of the UK, rather than enforce this on everybody.

This can be fixed with a VPN.

bad idea. They are just talking about getting rid of annoying cookie banners to "deliver a Brexit dividend for individuals and businesses across the UK". I can easily imagine this law breaking almost all of the web.

There's fair amount of support behind it, famous footballers rallying it etc. Probably every politician in the uk would support it one way or another.

KYC for every single internet service. From Twitter to TikTok it doesn't matter, It was a long time coming folks and now it is going to be a reality. A very terrible idea.

Welcome to the new internet.

One should let their local MP know about this.

> People who don't deserve to be paid propose things no one wants.

Reminder that Boris Johnson was, for a time, paid more as a "journalist" writing one column a week than as a minister. He was eventually made to give that up. But, for those willing to sell out, the pay from being in an elected position of power is only partly from the public purse.

Although the government is remarkably cheap to buy by SV standards: https://www.independent.co.uk/news/uk/politics/boris-johnson...

The temptation of power is always stronger than pay.

Reminds me of cookie banners.

Most sites that display banners don't need them to operate. Neither the banners need to take half of screen and remind how useful would be when you are' properly tracked.

This should go a step further and require ID.

In reality ("IRL") everything we do is tied to who we are. Our very faces identify us instantly to everyone we interact with.

There is no privacy of the kind people associate with the internet IRL. It's nothing more than an unhealthy vice that leads to people living unauthentic split lives with multiple incongruent personas. Those who exist solely on the internet and that which lives solely IRL.

By making the internet an extension of reality with the same social dynamics instead of treating it as an alternate reality/fantasy world we'll start to integrate our online behaviour/activities with our offline selves.

The end result being that many of the problems we associate with the internet cease to exist. No more anonymous trolls, less disinformation/fewer manipulative botnets shaping public discourse, less aggressive behaviour in online games...

Above all else: accountability.

It strikes me that the same people who want transparency of organisational behaviour (government, corp) seem to be the same people who themselves want their own behaviour to be kept secret.

>No more anonymous trolls, less disinformation/fewer manipulative botnets shaping public discourse, less aggressive behaviour in online games.

This assumption was tested extensively by several platforms, and it failed miserably all the way. You can still witness it yourself, on Facebook, where almost everybody posts under their own name and photo - and yet trolling, brigading, mass reporting, flamewars, and all other continue in force. Even worse, you'll find plenty of bot accounts on places like Twitter, with perfectly fine name and picture, while insightful and dissenting content is delivered by anonymous, or ironically branded, accounts.

The correct solution is to stop trying to shoehorn our preconceived notions from offline life to online activities - and to reminding individual users that power is in their hands. The solution to Eternal September is to teach and integrate newcomers - and sometimes to also gatekeep - rather than trying to become a campus police of sorts. The much different nature - the vastly larger scale - of the internet makes it entirely unsuitable to govern by offline intuition.

Counter proposal: We should do the exact opposite of everything in this post. The internet is good exactly in the ways it is not limited by RL. Using IRL ID is at best playing into advertisers hands, and at worst the aberration which is damaging the positive aspects of the internet.

>It's nothing more than an unhealthy vice

Poster's morality is subjective and geographically constrained. Definitely doesn't scale in relevance to a global network.

>people living unauthentic split lives with multiple incongruent personas

This is already the state of a person living in a consumer society. Adopting personas plucked from lifestyle marketing, just long enough to consume products (socially/publicly), before discarding said personas. Social media personas in their very congruence are synthetic and inauthentic, because they're built as audience pleasing product. People’s pre-social media compartmentalized internet personas are the closest humanity has come to authenticity.

>extension of reality with the same social dynamics

All social dynamics are historically contingent, so why is it axiomatic that they should apply to the internet, rather than have its own new and organic social dynamics or netiquette.

>The end result being that many of the problems we associate with the internet cease to exist.

Those problems almost immediately became magnitudes worse in the facebook/twitter age of RL ID.


Who are these platforms to hold anyone accountable? What a colossal double standard. The users may be held accountable, but the platforms make their own rules. The platform which has the power to authenticate you has power over you. We’re better off with our own weak IDs.

It's cute that you think this is in any way achievable when the UK has left the EU. Your fantasy would require global cooperation. More chance of disarming nuclear weapons.

You need to prove who you are to take part. No verification means no internet to you. It's a barrier to entry to get in the system in the first place. Immigrants won't be able to use the internet for months upon first arrival in the UK. Your identity is stolen so you can't report it because you're locked out of the system. How do you prove you are 'you'? I don't believe you are you.

Lack of anonymity breeds fear and intimidation if you step out of line. It causes self-censorship for fear of reprisals if you don't adhere to acceptable policy.

You see such intimidation and self-censoring from the people of Communist China who don't speak up due to actors overseas who will intimidate them.

This whole thing is the death of the UK internet access freedoms.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact