Notice

This is not legal advice. Take whatever is written in this article with a grain of salt. This article contains my personal opinion about the act and its consequences. You are accountable for your own actions!

Throughout this Article, I may refer to the Online Safety Act 2023 as OSB or OSA.

NOTE: I may make changes to this article over time, information is subject to change.

What is the Online Safety Act (2023)?

The Online Safety Act is a new UK law to make the internet safer, especially for children. It requires platforms to:

• Remove illegal content quickly, such as terrorism, child s*xual abuse, and fraud.
• Protect children from harmful material, such as p*rnography, self-harm content, and eating disorders.
• Verify users’ ages for risky content, using age-check systems.
• Give Ofcom new powers to monitor, investigate, fine, or block services that don’t comply.
  
  It applies to nearly all services with user-generated content that are accessible from the UK, even if they’re not based there.

Why is the Online Safety Act so controversial?

The Online Safety Act sounds reasonable on paper but in practice it is somewhat alarming:

1. Threat to End-to-End Encryption

One of the most controversial parts of OSA is Section 122, which allows Ofcom to issue "technology notices". ^[1]

What does that mean?
Platforms may be required to identify and remove content, even in private/encrypted communication.

This would force services like WhatsApp or Signal to implement client-side scanning, where messages are scanned before they're encrypted.

According to the Electronic Frontier Foundation (EFF), this would be a direct attack on end-to-end encryption. In their article, they warn:

"The OSB is a dangerous attempt to remake the internet. Instead of privacy, we will have age verification. Instead of security, we will have backdoors in end-to-end encryption. And instead of free speech, we will have scanning and filtering of all content, all the time." ^[2]

What is the EFF?
"The Electronic Frontier Foundation is a nonprofit organization defending digital rights. Founded in 1990, EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development." ^[3]

2. Propaganda

The Online Safety Act has been marketed as a tool to protect children, something no reasonable person would be against:

• Government messaging, press releases, and even the name of the Act itself focus on safety, not the broader surveillance that comes along with it.
• Public statements frame OSA as necessary to "make the UK the safest place in the world to be online"
• Platforms are told they must "do more” to stop harm, with little mention of how.

But therein lies the issue, this framing is very selective: it creates the illusion of a protective law, without mentioning the broad censorship, forced age verification, and mass content monitoring that affects everyone, not just children.

Similar to the Patriot Act after 2001 (looking at you, USA), the Online Safety Act uses a moral panic to justify permanent structural changes to internet freedoms:

• "Think of the children” is a powerful emotional appeal that shields OSA from criticism, even when legitimate concerns are raised about privacy.
• Critics of OSA are often portrayed as being indifferent to child safety rather than concerned about civil/digital rights.

3. Information handling

The most overlooked aspect of the Online Safety Act is who actually handles your data, especially your verification process.

In practice, the verification process is often handled by private third-party companies, such as Persona, Yoti or Onfido. These companies require:

• Full face scans
• Government-issued ID documents
• Biometric data

That is a massive amount of senstive, and very personal data often handed over to for-profit companies.

These firms typically operate across borders and may store data on cloud servers outside the UK, exposing it to risks like:

• Data breaches
• State surveillance (domestic or foreign)
• Commercial misuse or resale

Even if a company claims not to store data permanently, you have no technical way to verify that. Once data is collected, you have lost any control over it.

A real-world example: Persona, the Online identity verification software retains the data indefinitely for audit and compliance purposes unless and until you, as the controller, tell them to delete the data. ^[4]

Another real-world example: the Tea app breach exposed massive amounts of private user information even though they promised not to store any. ^[5] Similar risks apply here, only at a larger scale.

4. Over-regulations

The OSA doesn't just target illegal content, it pressures platforms to over-regulate anything that might be harmful, just to avoid fines. To stay compliant, platforms are likely to play it safe and remove or restrict more content than necessary.

Examples of these over-regulations include but are not limited to:

• Spotify now requires users to verify their age before accessing songs with explicit lyrics. This can also affect podcasts that discuss sensitive topics, even in an educational way. There have been reports of users getting banned for failing age verification. ^[6]
• Wikipedia, one of the greatest free knowledge projects ever created, has warned it may restrict or block pages with sensitive or explicit content, and has even threatened to block access to the site in the UK entirely. ^[7]

This fear-driven approach leads platforms to block first, ask questions later, putting free speech and open access to knowledge at serious risk.

How to "bypass" the Online Safety Act?

NOTE: This section should not be considered legal advice.
It is strictly your own choice to follow any of these steps. You are accountable for your own actions.

1. Use a VPN or Tor

A VPN obscures your IP address. This is not illegal on its own, but:

• A VPN doesn't spare you from legal obligations.
• A VPN won’t protect you if the platform still enforces age checks on a global level.

I personally recommend Mullvad VPN, a privacy-first VPN that proved in court to not hold any identifiable data. ^[8] It comes at a cost of €5/month. However, if you do not want to pay for a VPN, ProtonVPN is a free option (that also offers paid plans).

Tor Browser is a browser that routes your traffic through multiple relays to anonymise your identity and make tracking very difficult. It is however significantly slower than a VPN but does offer a higher level of anonymity.

2. Be Creative!

In the past, people have bypassed AI biometric verification tools by coming up with creative solutions.

It was discovered that users could bypass AI-based face verification on Discord using images from the game Death Stranding. ^[9]

• Discord required users to show their face to verify age or identity.
• Death Stranding’s hyper-realistic graphics fooled the AI; users passed the check using screenshots of characters in-game.

This is obviously a proof-of-concept or loophole and probably won't work as a long-term method, but it does show how these systems can be easily fooled and are unfit for high-stakes verification.

NOTE: This technique may now be patched or blocked. It illustrates how poorly designed some of this tech actually is.

3. Choose open-source and privacy-respecting platforms

These platforms are more transparent by design: their code can be edited and viewed by anyone, reducing the risk of backdoors or extreme data collection.

However, no platform is completely immune to breaches. Even open-source services suffer hacks or get pressured into handing over data.
Nonetheless, open-source and privacy-respecting platforms tend to offer better protections and user control than closed-source ones.

Be cautious about services that require invasive ID verification or collect large amounts of personal data. Private companies handling sensitive info are often the targets for leaks. The ultimate goal is to look for solutions that minimise surveillance while maximising transparency.

4. Use your voice!

Your voice holds power!

• Sign the petition to demand a review of the Act.
• Educate others: this law affects everyone who uses the internet in the UK.

Moral questions and solutions

In this section, I want to make clear that I do support the sort of moral idea behind this Online Safety Act. Protecting users and especially children is of utmost importance. However, how it does that, matters just as much as why.

This Act pushes for:

• A surveillance-based internet
• Mandatory ID checks and scanning
• Censorship of legitimate speech
• Reliance on unaccountable private companies

We should not have to sacrifice privacy to feel safe, or give up encryption to protect the vulnerable. There are better, more respectful ways to build a safer internet, ones that empower users instead of controlling them.

The future should be open, transparent, community-driven forms of technology that:

• Respect encryption and privacy (by design)
• Allow users to control their own data
• Are open-source and decentralised
• Do not have invasive surveillance or censorship

By supporting open platforms and holding lawmakers accountable, we can work towards an internet that’s both safe and free.

Sharecode: https://myrdin.cx/articles/uk-osa