A few days ago, the topic of the Online Safety Act came up in chat. I wanted to set out my stance clearly here, with my sources, so we can have a healthy, informed debate about it. I believe the Online Safety Act is one of the most flawed laws ever written and that it fails at genuine safeguarding, and I’ll explain why I believe it’s wrong to claim it provides effective protection. Please feel free to debate this or explain why you disagree; I’m really interested to hear your opinions on it and your unique perspectives. Also, I’ll post next week on why I think the government’s intended Digital ID system is immensely flawed, and how it can be improved.
Why the Online Safety Act is a poor law (in my opinion)
The first issue is how weak the law is in practice. It can be bypassed with a VPN. That’s all it takes to digitally step outside UK jurisdiction and beyond the reach of the Act. All a user needs to do is set their apparent location to another country, and logically they are suddenly outside the Online Safety Act’s jurisdiction. Most young people already know this. They use VPNs to watch shows unavailable on UK Netflix or YouTube by changing their device’s logical location. NordVPN adverts showing exactly this are practically everywhere on YouTube, so this isn’t some obscure trick. The people most affected are those who aren’t tech-savvy, which is mostly older generations, not the younger generations the Act is supposed to be protecting. When the most recent phase of the Act came into effect, VPN usage in the UK actually spiked by over 1400%, with ProtonVPN alone reporting an 1800% increase in UK signups almost immediately [1][2]. Instead of safeguarding users, the government has unintentionally driven many of them into the arms of VPN providers and outside the protection of existing British safeguarding laws. Even Ofcom has admitted that this is a known problem, and it has failed to come up with any solution.

This has wider consequences. UK ISPs are currently mandated to keep logs of all users’ internet traffic for one year. DNS lookups, IP addresses, metadata, and full browsing activity are all stored for a year under the Investigatory Powers Act 2016, an Act that I myself have always supported. By pushing people towards VPNs, these logs become practically useless. Once someone starts using a VPN, all the ISP sees is an encrypted tunnel, nothing else [10][11][12][13]. In other words, this accountability and safeguarding measure is rendered useless: by pushing users toward VPNs, the OSA undermines one of the few practical accountability tools the UK already has. From a technical standpoint, this law does not stand up.
Another major flaw is vagueness. Laws should define terms precisely to prevent loopholes or overreach. The OSA does the opposite: it leaves key phrases vague and introduces terms like “harmful but not illegal” without any clarity about what is even covered by that. The predictable result is that platforms, fearing fines of up to 10% of global revenue, will over-censor to avoid risking that fine. We’ve already seen real consequences. A speech in Parliament by Conservative MP Katie Lam, discussing grooming gangs, was restricted online under the Online Safety Act [3]. So “harmful but not illegal” has already been extended to the suppression of parliamentary discourse.
Thirdly, one section of the Act previously demanded that encryption algorithms include government backdoors, not just for UK users but globally. That would mean UK authorities potentially being able to access private communications between two US citizens in the US, for example. Encryption is foundational to global digital security, and a backdoor would also compromise every other nation using those algorithms. Unsurprisingly, the move triggered backlash. The US Director of National Intelligence called the demand a “clear and egregious violation of Americans’ privacy and civil liberties” [4]. US lawmakers condemned it outright and raised concerns about treaty compliance [5]. Lawsuits have been filed against Ofcom for jurisdictional overreach on US soil and for suppressing US constitutional rights [6]. Faced with this, the UK eventually dropped the blanket backdoor requirement, but the fact it was even proposed shows how poorly thought out the law was from the get-go [7], far from being advanced.
Now, the fourth point is that when it comes to digital ID and age verification, the rollout has been chaos. Again, people with VPNs bypass it instantly. The people left facing these ID checks are often those with the least technical skill. It’s no surprise that cases of identity fraud have already surged [17], and legal forums are full of people trying to recover from scam sites posing as official verifiers. Additionally, ethical hackers have demonstrated that some digital ID systems can be bypassed in seconds [8]. So even these technical safeguards are weak. It’s especially crazy that less than five years ago, the UK introduced strong data protection laws to limit how big tech collects and uses personal data. Now, the government demands that users hand over even more sensitive information, including photo ID, to the same private companies. Worse, many of these big tech firms outsource the ID verification to companies outside of GDPR jurisdiction, where those same protections do not apply. It’s an insane reversal of the data protection principles the UK once championed. At the very least, as much as I hate such government overreach, the safer option would be having a government agency verify those IDs, as opposed to outsourced, non-GDPR-compliant third parties, and even that wouldn’t fully work.
Perhaps the most concerning phrase in the OSA is “harmful but not illegal.” By leaving “harmful” undefined, the government and regulators have enormous power to suppress a wide range of content, provided they label it as such. Files released by U.S. Senator Jim Jordan revealed the UK government previously asked platforms to restrict debate on “two-tier policing” and immigration [9]. Civil liberties groups have also reported that government units flagged online criticisms of asylum policy for removal.
The Online Safety Act does not effectively safeguard anyone. Its stated aim is protection, but in reality it pushes users toward anonymity and VPNs, undermines existing accountability laws, leaves key terms undefined and open to interpretation, censors legitimate political speech, jeopardises international relations and encryption norms, and potentially dismantles prior data protection ideals. In my view, it’s among the most problematic and flawed tech laws ever introduced. Moreover, almost everything the OSA claims to address is already covered under existing UK law: the Sexual Offences Act, the Terrorism Acts, the Suicide Act 1961, the Communications Act 2003, the Malicious Communications Act 1988, the Public Order Act, and the Fraud Act, to name a few. These already define illegal content with clarity and enforceability. Instead, those definitions were not enough for the government, which expanded the Act to cover legal content too, without stating specifically what falls under that banner.
So, here’s how the OSA could be improved to actually protect people effectively:
1 - Precise Definitions — Replace vague categories like “harmful but not illegal” with explicit references to existing laws. Platforms should be held liable if they knowingly host content that violates those laws.
2 - Regulate VPNs, Don’t Ban Them — VPNs are practically impossible to ban. China, even with the Great Firewall and the strictest online censorship laws in the world, can’t enforce its bans, nor even detect obfuscated VPNs. Instead, the law could be improved by applying to VPN providers logging or accountability requirements similar to those ISPs face, rather than banning them and forcing them underground, further out of reach.
3 - Reasonable Digital ID Limits — Digital ID verification will always have loopholes. VPN logs might help detect evasion, but realistically, without globally coordinated enforcement on VPNs, it will be fragmentary because of evasion. This was acknowledged somewhat by Ofcom.
4 - No Encryption Backdoors — Backdoor demands risk losing tech services, harming data security, and causing diplomatic fallout. The UK should have discarded that approach entirely [4][5][7], as US tech firms will not comply.
5 - Preserve Proactive Removal of Illegal Content — One worthwhile element of the OSA is forcing platforms to actively seek out and remove illegal content rather than waiting for reports. That should remain, as it was a positive improvement. But “harmful-but-legal” must go, and “harmful” should be constrained to violations of existing law. Expand those existing legal definitions if required.
References