Best Of

Update: I was right about point 4 of my post.

There’s been a significant data breach involving discord, where users photo ID’s were stolen. It affected those who uploaded their photo ID's to discords customer service, which was being outsourced to a third party (as I predicted above would happen) to appeal their age estimation rulings from photo's taken. Around 70,000 discord users are believed to have been affected by this data breach and had their photo ID’s exposed [1][8].

And what makes this an extraordinarily serious data breach is that there is no fix for this type of leak. You can change a password if a password gets leaked, you can regain access to a user account that's been hacked, but you cannot change the fact that your photo ID is out there on the dark web once exposed. It is considered biometric data under GDPR, which is considered "special category", due to the seriousness of losing it, as it cannot be changed [2].

That info, once leaked, can then be used for identity theft, to bypass security measures on various accounts owned by victims, such as their bank accounts, government accounts, and personal accounts, and it can also be used to open new accounts in the victims name, at any stage, for life. Biometric data doesn't change. That is how serious it is. It's not a short term issue [2][3][4]. It's a lifetime on a fraud alert registers, constantly watching for fraud at any point. [4]

What makes it worse is that the only reason that the photo ID's were even being collected in the first place is because of the Online Safety Act. It forced platforms to collect this sort of data from users, when photo based age predictor systems didn't work, and photo ID was required to be used instead to verify. The OSA's supposed "safeguards" have just exposed users to the possibility of life long fraud risk [5][6][7].

I mentioned in the original post that digital ID systems have been proven to be vulnerable by ethical hackers at times. I once again reiterate, that this remains a serious risk and flaw of the OSA that doesn't seem to be getting any attention.

References

toffuna101 wrote: »

DonnerKebab wrote: »

toffuna101 wrote: »

i dont have a view on this but i like how you added references at the end to fully solidify your view on this.

@toffuna101 I appreciate that toffuna. My lecturer at uni used to say you could never have too many references.

yeah, we have to use references in college too but its not as structured as it is in uni.

@toffuna101 10% of the rubrics grading just went to referencing alone, for writing uni papers. You'd get marked on things like how many references the paper had, how old are the paper's your referencing, are they recent or not, are they academic papers/conference papers or are they just webpages (webpages got marked down), and did you directly cite them when you used data from them in text, or did you just add them to the references list and not bother with that. Things like that. I'm super glad i don't have to use the Harvard referencing style now.

You should be a lawyer. This is a fantastic write up, whether people agree or not.

I saw articles about the dramatic increase in the use of VPNs around the time the act came in. Almost every teenager I know knows at very least what a VPN is, if not how to use one. Before this, I had never really felt the need to use a VPN, but now I would consider it an option if I didn’t want to submit a selfie or worse, my actual ID.

I haven’t handed over my actual ID to these companies but I have used a selfie to verify my age, because my face is already on the internet, but my ID is not and I’d rather it stays that way.

I was interviewed by radio 4 on the implications of the OSA on accessibility, and while I suspect it’s not too relevant to this post, it’s another point worth raising. I have no references because this is only my personal experience, but it can put up barriers for adults with disabilities, or like you say, older people who don’t know what a VPN is.

A few days ago, the topic of the Online Safety Act came up in chat. I wanted to set out my stance clearly here with my sources so we can have a healthy, informed debate about it. I believe the online safety act is one of the most flawed laws ever written, it fails at genuine safeguarding, and why I believe it’s wrong to claim it provides effective protection. Please feel free to debate this or explain why you disagree, I'm really interested to hear your opinions on it and your unique perspectives. Also, I'll post next week as to why i think the governments intended Digital ID system is immensely flawed, and how it can be improved.


Why the Online Safety Act is a poor law (in my opinion)

The first issue is how weak the law is in practice. It can be bypassed with a VPN. That’s all it takes to digitally step outside UK jurisdiction and beyond the reach of the Act. All a user need do is simply set their digital location to another country and suddenly they're outside the online safety act's jurisdiction logically. Most young people already know this. They use VPNs to watch shows unavailable on UK Netflix or YouTube by changing their device's logical location. NordVPN adverts are practically everywhere on youtube showing this, so this isn’t some obscure trick. The people most affected are those who aren’t tech-savvy, which is older generations mostly, not younger generations who the act is supposed to be protecting. When the most recent phase of the Act came into effect, VPN usage in the UK actually spiked by over 1400%, with ProtonVPN alone reporting an 1800% increase in UK signups almost immediately [1][2]. Instead of safeguarding users, the government has unintentionally driven many of them into the arms of VPN providers and outside the protection of existing British safeguarding laws, to which even Ofcom have admitted this is known about, and they have failed to come up with any solution. This has wider consequences. UK ISPs are currently mandated to keep logs of all users’ internet traffic for one year. DNS lookups, IP addresses, metadata, and full browsing activity are all stored under the Investigatory Powers Act 2016 for a year, and act that I myself have always been in support of. By pushing people towards VPNs, these logs become practically useless. Once someone starts using a VPN, all the ISP sees only an encrypted tunnel, nothing else. [10][11][12][13]. So in other words, this accountability and safeguarding measure is rendered useless. So, in effect, the OSA, by pushing users toward VPN’s, undermines one of the few practical accountability tools the UK already has. Speaking technology wise, this law does not stand up.

Another major flaw is vagueness. Laws should define terms precisely to prevent loopholes or overreach. The OSA does the opposite. it leaves key phrases vague and introduces terms like “harmful but not illegal” without clarity of what is even covered by that. The predictable result is that platforms, fearing fines of up to 10 % of global revenue, will over censor to avoid risking said fine. We’ve already seen real consequences. A speech in Parliament by Conservative MP Katie Lam, discussing grooming gangs, was restricted online under the online safety act [3]. So already, “harmful but not illegal” has already been extended to suppression of parliamentary discourse.

Thirdly, one section of the act previously demanded that encryption algorithms include government backdoors, not just for UK users but globally. That would mean UK authorities potentially being able to access private communications between two US citizens in the US, for example. Encryption is foundational to global digital security and by having a backdoor, nations using said algorithms would also be compromised. Unsurprisingly, the move triggered backlash. The US Director of National Intelligence called the demand a “clear and egregious violation of Americans’ privacy and civil liberties” [4]. US lawmakers condemned it outright and raised concerns about treaty compliance [5]. There are lawsuits filed against Ofcom for jurisdictional overreach on US soil and suppressing US constitutional rights [6]. Faced with this, the UK eventually dropped the blanket backdoor requirement, but the fact it was even proposed shows how poorly thought-out the law was from the get go [7], far from being advanced.

Now, the fourth point is that when it comes to digital ID and age verification, the rollout has been chaos. Again, people with VPNs bypass it instantly. The people left with said ID checks are often those with the least tech savvy skills. It’s no surprise that cases of identity fraud have already surged [17], and legal forums are full of people trying to recover from scam sites posing as official verifiers. Additionally, ethical hackers have demonstrated that some digital ID systems can be bypassed in seconds [8]. So even these technical safeguards are weak. It’s especially crazy that less than five years ago, the UK introduced strong data protection laws to limit how big tech collect and use personal data. Now, the government demands that users hand over even more sensitive information, including photo ID to the same private companies. Worse, many of these big tech firms outsource the ID verification to companies outside of GDPR jurisdiction, where those same protections do not apply. It's an insane reversal of the data protection principles the UK once championed. At the very least, as much as i hate such government overreach, the safer option would be having a government agency verify said ID’s, as opposed to outsourced non GDPR compliant third parties, and even that wouldn’t fully work.

Perhaps the most concerning phrase in the OSA is “harmful but not illegal.” By leaving “harmful” undefined, the government and regulators have enormous power to suppress a wide range of content, provided they label it as such. Files released by U.S. Senator Jim Jordan revealed the UK government previously asked platforms to restrict debate on “two-tier policing” and immigration [9]. Civil liberties groups have also reported that government units flagged online criticisms of asylum policy for removal.

The online safety act does not effectively safeguard anyone. Its stated aim is protection, but in reality, it pushes users toward anonymity and VPNs, undermines existing accountability laws, leaves key terms undefined and up for interpretation, censors legitimate political speech, jeopardises international relations and encryption norms, and potentially dismantles prior data protection ideals. In my view, it’s among the most problematic and flawed laws ever introduced regarding tech. Moreover, almost everything the OSA claims to address is already covered under existing UK law. The Sexual Offences Act, Terrorism Acts, Suicide Act 1961, Communications Act 2003, Malicious Communications Act 1988, Public Order Act, and Fraud Act to name a few. These already define what illegal content is with clarity and enforceability. Instead, these definitions are not enough for the government and expanded it to legal content too without stating specifically what fell under that banner.


So, here’s how the OSA could be improved to actually protect people effectively:

1 - Precise Definitions — Replace vague categories like “harmful but not illegal” with explicit references to existing laws. Platforms should be complicit if they knowingly host content that violates those laws.
2 - Regulate VPNs, Don’t Ban Them — VPNs are practically impossible to ban. China, even with the great firewall and the strictest online censorship laws in the world can’t enforce their bans, nor even detect obfuscated VPN’s. Instead, the law can be improved by trying to apply similar logging or accountability requirements to VPN providers that ISP’s face, rather than banning and forcing them underground further out of grasp.
3 - Reasonable Digital ID Limits — Digital ID verification will always have loopholes. VPN logs might help detect evasion, but realistically without global coordination enforcement on VPN’s it will be fragmentary due to evasion. This was acknowledged somewhat by Ofcom.
4 - No Encryption Backdoors — Backdoor demands risk losing tech services, harming data security, and causing diplomatic fallout. The UK should have discarded that approach entirely [4][5][7] as US tech firms will not comply.
5 - Preserve Proactive Removal of Illegal Content — One worthwhile element of the OSA is forcing platforms to actively seek and remove illegal content rather than waiting for reports. That should remain as it was a positive improvement. But “harmful-but-legal” must go, and “harmful” should be constrained to violations of existing law. Expand those existing law definitions if required.


References