32 comments

[ 2.7 ms ] story [ 47.9 ms ] thread
So will openvpn now get a new command line argument '--passport-number-for-age-verification 8371652299'?

And presumably also a '--webcam-to-use-for-identity'

Not made clear in this article - this bill will be passed back to the House of Commons to debate/amend before going back to the House of Lords. This was not the final say.
Just for clarification. House of Lords amendments do not have to be accepted by the House of Commons and may not make it into law. If you do not agree with an amendment then write to your MP, write to the ministers concerned. If you do not tell them your concerns they will not know. You can ask for an appointment with your MP. You can ask for an appointment with ministers. Better still you can form an advocacy group and lobby.
What if I rent a cheap VPS overseas and wireguard my traffic to that?
This is very bad news because I have been in contact with low cost providers (lowendtalk) and the community & even they usually end up renting etc. from datacenters and they usually would have name as well

So theoretically, suppose I have a vpn company on A) either such lowend niche providers who might support let's say my mission or we are aligned or B) the hyperscalers or large companies.

Now I am 99% sure that large companies would actually restrict VPN creation usage (something remarkably rare right now but still it's a gone deal now)

And I feel like even with niche lowendbox providers, suppose I am paying 4 euros or something to a provider to get an IP, they are either using hyperscaler themselves (like OVH) or part of a datacenter itself

If a server they own in some capacity runs a vps, can it be considered that they are running a vps and they can get sued by the Safety Act too? If not, then what if this happens one layer above at datacenter and now datacenters might have to comply with them

I haven't read the article but wtf.

Suppose I run a tmate instance (basically allows you to connect one ssh server to another both inside nat), theoretically this is a vpn as well.

I was calling out that they might ban vpn's when online safety act came and I realized that theoretically nothing's stopping them technologically to do so. It's a cat and mouse game but they didn't have a legal reason to do it so much. Now... You have it.

Is the end of total privacy for UK here?

I feel like even privacy oriented VPN's will move out of UK and non privacy oriented (ie. who will accept your id's) will probably have to manage it or use some third party and I am pretty sure that this basically gives govt. even more, they might now look at which IP said something, contact the now compliant VPN and block other truly private, for which user Id used a particular IP at particular time and seek their ID. I don't know how Dystopian UK's gotten but what's stopping a "reasonable cause" or some UK fbi equivalent contacting.

I feel like even one or two such extreme case of VPN providers would be enough to scare the whole country into check where if you are UK citizen and you talk against UK online, you will be screwed.

Atleast that's the direction I am seeing it heading.

Depending on the instance & how many more such dystopian laws UK adds. It's democracy gets really questionable... and I am not sure what it will be replaced by.

Both parties are kind of aligned in this from what I can tell. Just raise what "reasonable" suspicion to contact means and abuse any laws or create new dystopian laws but online safety act wasn't okay but VPN's provided a way around it.

Now that VPN's themselves are affected. It's kind of gonna wreak havoc imo of any individual privacy.

I am worried what this might mean on tor. Since tor can be considered a vpn, so will UK company sue me if I run a tor instance now?

The crazy thing is that you don’t need to show an ID to stay at hotel in the uk, but you will need one to use the internet.
I'm very interested to see how some VPN providers react to this. For a zero logs VPN provider, if such a thing can really exist, how big of a problem is this? Presumably many customers pay with a debit/credit card already so there's some PII on file? Usage remains the same? Surely savvy people can just use their existing VPN to buy a VPN from outside the UK.

Of course, we're sliding quite rapidly down that slippery slope here so I'm sure logging and easier government tracking would be next. The justifications will get weaker and even more lacking in supporting evidence for their implementation.

What societal "harm" is the UK actually trying to reduce with this age verification? It almost feels like the amount of effort they're putting into this is out of balance with the actual harm.
The UK is clearly moving towards pervasive digital monitoring. I’m curious how Mullvad would even comply given their accountless authentication model.
What I find particularly tragic about all of this legislation (the OSA and now this) is that there are obviously technical people in the room that would advise against this clusterfuck of a direction and they are being ignored by politicians who think the internet is something they can aggressively control. This will continue to push people towards providers who operate outside UK jurisdiction or providers that care less about UK law and are less trustworthy.

I remain upset that they do this without building the necessary infra. They already assert identity when applying for a passport (and they do this very well). If they had extended this process by creating a OAuth compliant digital id provider first, then they could have avoided all the problems on the day the OSA dropped. Even better, they could have created a non-governmental agency to exchange tokens and urls to prevent the privacy issue of the government knowing which sites people are visiting. Instead we have this status quo of encouraging UK citizens to hand over their identity documents to dubious third-parties or shifting their traffic from the UK externally to avoid these checks.

How do they define "VPN" in this? If I make a little wireguard mesh and use an aws vm in another country as the exit node for my traffic, would that go under VPN?
Where does this end? Turtles all the way down.

If VPNs require age verification, then people will shift to running a VPN on a cheap VPS. Probably via a popular single-click setup script.

Or people will just get drawn to more seedy providers that do no KYC or have ulterior motives. If I was Russia, I'd consider operating a free VPN or VPS service that MITMs the traffic.

(comment deleted)
Can we somehow get age verification without IDs? Age verification itself is OK as an idea. I’m happy to show ID to buy alcohol at the store… but the store clerk doesn’t take a photo of that ID and store it in logs somewhere forever.

Can we please get a law where kids won’t just take their parents’ IDs and upload them to random places?

Every government in the world right now wants to get their hands on the controls and put their thumb on the scales here. Modern social media has proven to be effectively remote control for their citizens, nothing like this kind of power has never existed before and is absolutely irresistible to politicians. Expect them all to be laser focused on this until they're able to seize complete control, no matter how long it takes or how roundabout the path to this is.
I think we need to accept that age verification makes the internet safer. What we cannot accept is age verification's use as a mechanism to pry too far into peoples lives. When we can separate age verification from who am I, most people will be happier. What's tricky is who validates age? Your ISP? Your government? Your OS? A thirty party? Who accredits third-parties, and can you trust them? I'm convinced there's a way to solve this do we can keep the internet safe and not intrude massively on peoples privacy.
Privacy has an age rating now ? Seems a little ironic forcing anyone under 18 away from being able to have extra layers of privacy and in some cases security online.
Are there any remaining western countries with strong free speech protections?

UK and Germany weren't ever good in this department but now worst than ever.

US supposedly good but I wouldn't risk it in practice.

Australia I hear is also quite bad.

Canada and NZ I don't know.

I expect Denmark and Sweden to have somewhat weak free speech laws too.

Norway and Finland I expect to be good.

France I expect to be just slightly better than Germany.

Netherlands and Switzerland, I have no idea.

Czech Republic I think has strong protections.

Italy and Spain and Ireland, I heard mixed reports about.

Poland, Greece, Slovenia, Portugal and other unnamed countries I don't know at all.

I don't get why the device changes the blame logic.

If child-services knew a parent was constantly watching/leaving around adult-content near children, that'd be considered the parents fault. If a parent lets a kid watch anything they want on TV and the kid watches adult content, it's the parents fault. But if the parent gives the child a phone, and doesn't manage what apps they use or content they watch, now it's the companies fault?

Because this is push to identify and track internet users, noone genuinly cares about kids.
(comment deleted)
Has anyone told them teens would create accounts with foreign VPN services?
They REALLY want people to become more tech-savvy and to learn how to create their own VPNs using cheap VMs instances from __INSERT_CLOUD_PROVIDER_HERE__, don't they?
Amendment 92 of the bill, added by Lord Nash during it's passage through the Lords says: > “consumer” means a person acting otherwise than in the course of a business; > “relevant VPN service” means a service of providing, in the course of a business, to a consumer, a virtual private network for accessing the internet;

It's quite specific wording for a piece of legislation, just VPNs. It excludes businesses but, as written, it wouldn't include network proxies, or remote desktop protocols, or TOR, or web/mobile applications that fetch pages for you, any of which could be used to circumvent the bill. The slippery slope argument could be made that those things would have to be added for this bill to have any meaningful impact, and that would require the amendment to be written in a very non-specific way. I'm not hopeful that the Government would recognise that as overreach (ignoring that the amendment already is).