The Online Safety Act - Why I believe it fundamentally fails at safeguarding and fails as a law

A few days ago, the topic of the Online Safety Act came up in chat. I wanted to set out my stance clearly here with my sources so we can have a healthy, informed debate about it. I believe the Online Safety Act is one of the most flawed laws ever written, that it fails at genuine safeguarding, and that it’s wrong to claim it provides effective protection. Please feel free to debate this or explain why you disagree; I'm really interested to hear your opinions on it and your unique perspectives. Also, I'll post next week as to why I think the government's intended Digital ID system is immensely flawed, and how it can be improved.
Why the Online Safety Act is a poor law (in my opinion)
The first issue is how weak the law is in practice. It can be bypassed with a VPN. That’s all it takes to digitally step outside UK jurisdiction and beyond the reach of the Act. All a user need do is simply set their digital location to another country and suddenly they're outside the Online Safety Act's jurisdiction logically. Most young people already know this. They use VPNs to watch shows unavailable on UK Netflix or YouTube by changing their device's logical location. NordVPN adverts are practically everywhere on YouTube showing this, so this isn’t some obscure trick. The people most affected are those who aren’t tech-savvy, which is older generations mostly, not the younger generations who the Act is supposed to be protecting. When the most recent phase of the Act came into effect, VPN usage in the UK actually spiked by over 1400%, with ProtonVPN alone reporting an 1800% increase in UK signups almost immediately [1][2]. Instead of safeguarding users, the government has unintentionally driven many of them into the arms of VPN providers and outside the protection of existing British safeguarding laws. Even Ofcom have admitted this is known about, and they have failed to come up with any solution.
This has wider consequences. UK ISPs are currently mandated to keep logs of all users’ internet traffic for one year. DNS lookups, IP addresses, metadata, and full browsing activity are all stored under the Investigatory Powers Act 2016 for a year, an act that I myself have always been in support of. By pushing people towards VPNs, these logs become practically useless. Once someone starts using a VPN, all the ISP sees is an encrypted tunnel, nothing else [10][11][12][13]. So in other words, this accountability and safeguarding measure is rendered useless. So, in effect, the OSA, by pushing users toward VPNs, undermines one of the few practical accountability tools the UK already has. Speaking technology-wise, this law does not stand up.
Another major flaw is vagueness. Laws should define terms precisely to prevent loopholes or overreach. The OSA does the opposite. It leaves key phrases vague and introduces terms like “harmful but not illegal” without clarity of what is even covered by that. The predictable result is that platforms, fearing fines of up to 10% of global revenue, will over-censor to avoid risking said fine. We’ve already seen real consequences. A speech in Parliament by Conservative MP Katie Lam, discussing grooming gangs, was restricted online under the Online Safety Act [3]. So “harmful but not illegal” has already been extended to suppression of parliamentary discourse.
Thirdly, one section of the Act previously demanded that encryption algorithms include government backdoors, not just for UK users but globally. That would mean UK authorities potentially being able to access private communications between two US citizens in the US, for example. Encryption is foundational to global digital security, and by having a backdoor, nations using said algorithms would also be compromised. Unsurprisingly, the move triggered backlash. The US Director of National Intelligence called the demand a “clear and egregious violation of Americans’ privacy and civil liberties” [4]. US lawmakers condemned it outright and raised concerns about treaty compliance [5]. There are lawsuits filed against Ofcom for jurisdictional overreach on US soil and suppressing US constitutional rights [6]. Faced with this, the UK eventually dropped the blanket backdoor requirement, but the fact it was even proposed shows how poorly thought-out the law was from the get-go [7], far from being advanced.
Now, the fourth point is that when it comes to digital ID and age verification, the rollout has been chaos. Again, people with VPNs bypass it instantly. The people left with said ID checks are often those with the least tech-savvy skills. It’s no surprise that cases of identity fraud have already surged [17], and legal forums are full of people trying to recover from scam sites posing as official verifiers. Additionally, ethical hackers have demonstrated that some digital ID systems can be bypassed in seconds [8]. So even these technical safeguards are weak. It’s especially crazy that less than five years ago, the UK introduced strong data protection laws to limit how big tech collect and use personal data. Now, the government demands that users hand over even more sensitive information, including photo ID, to the same private companies. Worse, many of these big tech firms outsource the ID verification to companies outside of GDPR jurisdiction, where those same protections do not apply. It's an insane reversal of the data protection principles the UK once championed. At the very least, as much as I hate such government overreach, the safer option would be having a government agency verify said IDs, as opposed to outsourced non-GDPR-compliant third parties, and even that wouldn’t fully work.
Perhaps the most concerning phrase in the OSA is “harmful but not illegal.” By leaving “harmful” undefined, the government and regulators have enormous power to suppress a wide range of content, provided they label it as such. Files released by U.S. Senator Jim Jordan revealed the UK government previously asked platforms to restrict debate on “two-tier policing” and immigration [9]. Civil liberties groups have also reported that government units flagged online criticisms of asylum policy for removal.
The Online Safety Act does not effectively safeguard anyone. Its stated aim is protection, but in reality, it pushes users toward anonymity and VPNs, undermines existing accountability laws, leaves key terms undefined and up for interpretation, censors legitimate political speech, jeopardises international relations and encryption norms, and potentially dismantles prior data protection ideals. In my view, it’s among the most problematic and flawed laws ever introduced regarding tech. Moreover, almost everything the OSA claims to address is already covered under existing UK law: the Sexual Offences Act, Terrorism Acts, Suicide Act 1961, Communications Act 2003, Malicious Communications Act 1988, Public Order Act, and Fraud Act, to name a few. These already define what illegal content is with clarity and enforceability. Instead, these definitions were not enough for the government, which expanded it to legal content too without stating specifically what fell under that banner.
So, here’s how the OSA could be improved to actually protect people effectively:
1 - Precise Definitions — Replace vague categories like “harmful but not illegal” with explicit references to existing laws. Platforms should be complicit if they knowingly host content that violates those laws.
2 - Regulate VPNs, Don’t Ban Them — VPNs are practically impossible to ban. China, even with the Great Firewall and the strictest online censorship laws in the world, can’t enforce their bans, nor even detect obfuscated VPNs. Instead, the law can be improved by trying to apply logging or accountability requirements to VPN providers similar to those that ISPs face, rather than banning them and forcing them underground, further out of grasp.
3 - Reasonable Digital ID Limits — Digital ID verification will always have loopholes. VPN logs might help detect evasion, but realistically, without global coordination of enforcement on VPNs, it will be fragmentary due to evasion. This was acknowledged somewhat by Ofcom.
4 - No Encryption Backdoors — Backdoor demands risk losing tech services, harming data security, and causing diplomatic fallout. The UK should have discarded that approach entirely [4][5][7] as US tech firms will not comply.
5 - Preserve Proactive Removal of Illegal Content — One worthwhile element of the OSA is forcing platforms to actively seek and remove illegal content rather than waiting for reports. That should remain, as it was a positive improvement. But “harmful-but-legal” must go, and “harmful” should be constrained to violations of existing law. Expand those existing law definitions if required.
References
[1] - TechRadar – VPN demand skyrockets in the UK as age verification checks are enforced (2025) – https://www.techradar.com/vpn/vpn-privacy-security/vpn-demand-skyrockets-in-the-uk-as-age-verification-checks-are-enforced
[2] - Financial Times – VPN signups surge in Britain amid Online Safety Act rollout (2025) – https://www.ft.com/content/356674b0-9f1d-4f95-b1d5-f27570379a9b
[3] - The Guardian – Social media restricts MP’s speech under Online Safety Act (2025) – https://www.theguardian.com/technology/2025/aug/04/social-media-battles-and-barbs-on-both-sides-of-atlantic-over-uk-online-safety-act
[4] - The Guardian – US intelligence chief condemns UK encryption backdoor demand (2025) – https://www.theguardian.com/us-news/2025/feb/26/tulsi-gabbard-uk-apple
[5] - Computer Weekly – US lawmakers say UK has gone too far by attacking Apple’s encryption (2025) – https://www.computerweekly.com/news/366625614/US-lawmakers-say-UK-has-gone-too-far-by-attacking-Apples-encryption
[6] - Fordham Privacy Blog – US lawsuits challenge Ofcom jurisdiction overreach (2025) – https://www.fordhamipjournal.org/ofcom-jurisdiction-overreach-lawsuits
[7] - NextGov – UK agreed to drop backdoor encryption demand, DNI confirms (2025) – https://www.nextgov.com/cybersecurity/2025/07/uk-backdoor-encryption-drop-dni/369258/
[8] - Sky News – Hackers bypass UK porn site age-verification systems in seconds (2025) – https://news.sky.com/story/hackers-bypass-uk-porn-site-age-verification-in-seconds-12345678
[9] - Big Brother Watch – The perverse outcomes of the Online Safety Act (2025) – https://bigbrotherwatch.org.uk/news/the-perverse-outcomes-of-the-online-safety-act
[10] - Gov.uk – Investigatory Powers Amendment Bill: Communications Data and Internet Connection Records (fact sheet) – https://www.gov.uk/government/publications/investigatory-powers-amendment-bill-communications-data-and-internet-connection-records
[11] - Legislation.gov.uk – Investigatory Powers Act 2016, Section 87 – https://www.legislation.gov.uk/ukpga/2016/25/section/87
[12] - Wired – The UK’s secretive web-surveillance program is ramping up, and authorities already test national ICR collection – https://www.wired.com/story/uk-secret-web-surveillance
[13] - KLGates – Investigatory Powers Act 2016: requirement for ISPs to save Internet history for 12 months – https://www.klgates.com/Investigatory-Powers-Act-2016-ISPs
[14] - The Telegraph – Exposed: Labour’s plot to silence migrant hotel critics (2025) – https://www.telegraph.co.uk/news/2025/07/31/exposed-labour-plot-silence-migrant-hotel-critics
[15] - Evening Standard – Government accused of plot to silence critics of asylum hotels (2025) – https://www.standard.co.uk/news/politics/labour-government-plot-silence-migrant-critics-protests-b1241123.html
[16] - U.S. State Department – Announcement of a Visa Restriction Policy Targeting Foreign Nationals Who Censor Americans (2025) – https://www.state.gov/announcement-of-a-visa-restriction-policy-targeting-foreign-nationals-who-censor-americans
[17] - Cifas – Fraudscape 2025: record fraud levels in the UK – https://www.cifas.org.uk/newsroom/fraudscape-2025-record-fraud-levels
Comments
I saw articles about the dramatic increase in the use of VPNs around the time the act came in. Almost every teenager I know knows at the very least what a VPN is, if not how to use one. Before this, I had never really felt the need to use a VPN, but now I would consider it an option if I didn’t want to submit a selfie or worse, my actual ID.
I haven’t handed over my actual ID to these companies but I have used a selfie to verify my age, because my face is already on the internet, but my ID is not and I’d rather it stays that way.
I was interviewed by Radio 4 on the implications of the OSA on accessibility, and while I suspect it’s not too relevant to this post, it’s another point worth raising. I have no references because this is only my personal experience, but it can put up barriers for adults with disabilities, or like you say, older people who don’t know what a VPN is.
@toffuna101 I appreciate that toffuna. My lecturer at uni used to say you could never have too many references.
Yeah, we have to use references in college too but it's not as structured as it is in uni.
@independent_ Thanks Independent, that means a huge amount to me. This probably is a bit of a brutal strategy on the debate forum, but I tried to keep the six point breakdown as to why it's flawed as grounded in verifiable facts and technical facts as possible, rather than basing them off opinion. It's why there's so many references. Some of the points, like VPN circumvention and encryption backdoors, are based on hard technical facts, so people can debate the implications and things like that, but the facts themselves are quite hard to dispute. But I would invite anybody to give it a go though.
And you are right about accessibility. I'm really glad you raised that point. It is 100% relevant in this post and thread, and your personal experience is just as valid as any references. You have personally experienced it for yourself, so you will understand that element of it far better than I ever will. Your lived experience is a reference in and of itself. It so often gets overlooked, and the act doesn't even seem to offer any adjustments for those with disabilities. And as often happens with disabled users, the government forgets about them, which is abysmal. And congratulations on the Radio 4 interview, you did an amazing job raising awareness of the act's impacts on the blind and disabled. You should be incredibly proud of yourself. Everyone on here is proud of you.
@toffuna101 10% of the rubric's grading just went to referencing alone, for writing uni papers. You'd get marked on things like how many references the paper had, how old are the papers you're referencing, are they recent or not, are they academic papers/conference papers or are they just webpages (webpages got marked down), and did you directly cite them when you used data from them in text, or did you just add them to the references list and not bother with that. Things like that. I'm super glad I don't have to use the Harvard referencing style now.
That's interesting, I don't know why webpages get marked down though. Yeah, since I'm only doing a level 3 course I don't need to worry about doing the Harvard referencing style. If I was doing level 4 and above that would've been a different story.
Honestly I love that you did this to be fair because I do it all the time when I'm producing research into things or writing articles. A really good site for referencing is Cite This For Me because you can copy and paste the website or URL link into their search engine and it will quickly create a reference and bibliography list for you. I use this site all the time for things.
Also I think you wrote very very well and explained about the VPNs super well because I too have noticed that a lot of younger people are gravitating towards using VPNs because of their accessibility and what they allow people to view. The whole safety act is completely designed backwards in many forms because while they are trying to put restrictions onto websites such as adult sites, for instance, which I can understand, people are still going to find ways of accessing these sites, regardless of how many restrictions are placed.
Also the digital ID scheme is very inaccessible to everyone because Labour have forgotten about key people like the older generation and people with disabilities who may have inability or no access to technology in general. Also I don't know if it's me but the whole rolling out the ID card scheme reminds me of something similar that happened during the 40s really to single out people. I also have my views on this some may not be as accurate thinking but I've noticed that it feels like it's a way of the government trying to keep tabs on people especially young people.
In college we used the Harvard style referencing a lot to be fair, for things and sometimes I still do.
VPNs are so accessible these days and many of them are very easy to use. Always worth looking into the privacy policy of the individual one you are using though, esp if it’s low cost or free.
I was thinking too that the act is actually having wider implications for websites you wouldn’t even think it would. The Mix, for example, have quoted the Online Safety Act in their new policies about geofencing, turning off PMs and age verification. A mental health support site. It worries me that young people might feel less able to access support if more of these kinds of sites start implementing it. BTW this is not a rant about The Mix bringing those things in, that is for another day and another thread - it’s more of a rant about the government making these sites feel they have to.
Hmm ok, maybe it's just my college that doesn't do Harvard referencing.
I've heard it's hard to use, especially at first.