The UK is gonna realize real quick they can't just ban their way out of the mess they have created. Most VPN providers are going to be outside their jurisdiction and players like Mullvad will have no way to actually comply because of the way their VPN's are setup.
The only step the UK can take is to force ISP's to block these VPN's which will kick off a cat and mouse game and for the reasonable technical, getting around any VPN ban will be as easy as spinning up an EC2 outside the UK.
>The only step the UK can take is to force ISP's to block these VPN's which will kick off a cat and mouse game and for the reasonable technical, getting around any VPN ban will be as easy as spinning up an EC2 outside the UK.
They can make it very difficult if they want, just look at China[1]. It's not impossible to get around, but it's not as easy as buying a random VPS, and following a tutorial for openvpn/wireguard.
Personally I don't think China is a good comparison in this case. Yes China has the great firewall but they also a highly top-down government whereas the UK us much more like the US.
Beyond straight government control, there's also the politics of all of it. China being a one party system doesn't really care if something is popular with the public but with the UK's parliamentary system, one wrong move and your party gets voted out of power.
>Beyond straight government control, there's also the politics of all of it. China being a one party system doesn't really care if something is popular with the public but with the UK's parliamentary system, one wrong move and your party gets voted out of power.
But apparently that wasn't enough to stop the online safety act from being implemented in the first place? If voters okay with sites requiring intrusive id/face scans to access 18+ sites, they're probably also fine with ISPs requiring 18+ verification to use VPNs.
However, even if politicians / clueless administrators acknowledged their actions aren't doing much I don't see those people / groups reaching for any other tool other than "let's ban / legislate more".
There's no going back for some folks who are so clueless.
It's not quite that hard. Hypothetically, you have a digital certificate, signed by the government, for your VPN provider with a list of VPN endpoints. Your client presents that certificate to the ISP, unblocking ports in that specific instance, to those endpoints. Otherwise, all common ports are blocked, and anything that smells VPN-y gets throttled.
Alternatively, the UK could have a self-service whitelisting system, when a legal entity signs a contract stating that traffic inside the tunnel is also filtered, at the endpoints listed.
Also: The UK government, believe me, does not expect 16 year olds to be capable of spinning up EC2. And if somehow they do, how are they paying for it?
As a dad of teenagers, I can confidently tell you every single school will quickly have at least one enterprising kid who will set up wireguard on an Oracle free tier box and charge other kids to use it. The government is essentially incentivising kids to dip their toes into criminality.
Heuristics again. 99% of your traffic is going to one endpoint... and it's hundreds of gigabytes, both up and down. Obvious red flag. Even an automated system could throttle it.
That step of the cat and mouse game is over a decade obsolete.
If I spent a week setting up a VPN provider, I’d start with this: 99% is spread across 100 endpoints, 55% are cloudflare, and 45% are amazon/azure/google.
A special client mode would check for non-blocked IPs in your country and have those bypass the VPN.
The government doesn't care... because no 16 year old is doing that or can afford that. And if one VPN provider did that, that specific VPN provider can have all their endpoints manually blocked by the government. In which case, the objection is irrelevant.
Also, heuristics again: 99%+ of your traffic is going to the same two or three companies only. The owners of the endpoints are not very diverse, which is statistically extremely unlikely. Throttle you to 0.5mbps, so you won't be watching anything, and call it a day.
Considering Gen Z is one of the least tech-savvy generations right now, even less tech-savvy than Boomers, and unable to use anything that isn't an app; yes, I don't think it's possible to underestimate them.
Those rules would only apply to VPN providers in the UK, so the whole mechanism would be pointless.
They could start whitelisting money / credit card transfers, I guess. However, reputable VPN providers already accept envelopes full of cash and crypto, so I guess the UK would need to start reading all international mail, and block crypto.
At that point, people could just use tor to bootstrap the VPN account + payments.
History says teenagers will figure this stuff out before adults (due to infinite free time and infinite bragging rights for knowing how to do it).
> Those rules would only apply to VPN providers in the UK, so the whole mechanism would be pointless.
Did you miss the part where every VPN port is blocked, and all other ports have heuristics in place to detect and throttle VPN-like patterns (e.g. 99%+ of traffic going to less endpoints than you can count on one hand), unless you're specifically whitelisted?
> Did you miss the part where every VPN port is blocked
Many protocols can use https ports and packet envelope. Also, there's special censorship resistant VPN protocols, which work even in China despite its nigh-infinity money to block it via DPI
I believe it. The numbers are likely different between boys and girls.
It’s also easy to underestimate the number of kids raised in strict and/or religious households. Working with college students I’m constantly a little surprised at how many of them arrive at college with semi-strict religious upbringings that they continue.
Bush Porn. Here in Scotland, way back when I was, oh, 7, 8, 9 years old, always stumbled across discarded porn magazines in the woods I used to play in. Moved area when I was 11, once again, always used to stumble across discarded porn. Bush porn was a thing.
I have a grandfather who shared Scottish ancestry. In the "woods" of suburban Los Angeles he found some porn in the alleyway, and then stashed it under the "davenport" couch. My grandmother found it while cleaning in anticipation of our departure. I'll never forget the look on his face as he tried to extricate himself from that mess.
"Bush Porn" is a funny term. If you invented it, nice work.
Similar. Just not one :-) From 11 years old, going on and on, with about same age girls(and their mothers!(at the same time!)), most slightly older though, or really grown up, extremely fit female joggers in the forest(exactly 13tienth bday), a bunch of NUNS, female teachers, a bunch of(bi-sexual)nurses(exactly 16tienth bday), ...
All without much exposure to porn, which I've found to be ugly, from the little I've seen. Because it isn't real, and staged.
Whereas I effortlessly gave them ultimate bliss, without hurting them in any way, enjoying the glory of their moments very much.
All things being equal, I find it easier to believe in people being dishonest on a survey, than somehow never seeing a single article of porn by age 18.
Is this not going too far? It's a pretty weak "let's save the kids argument" that only serves to improve mass-surveillance outside of the argument presented. Like, this is the advent of strong thought policing and thought monitoring over the wires—oh no, you can't use a VPN because it's bad for "the kids"!
I don't think anybody thinks this has anything to do with child safety. It's not a coincidence that the UK, US and the EU, all working on implementing similar surveillance and censorship regimes. The platforms will develop the infrastructure, similar to the GFoC just privatized. The legacy media lost all influence with younger generations, just look at what the vast majority of young people think of Israel now. If the media can't fulfill its role anymore they need a big stick.
In the UK, most of our elected MPs are idiots. I cannot imagine they're anywhere near intelligent enough to be part of some sophisticated conspiracy while on the face of it saying "save the children". So it can't be coming from the MPs. If this is all a cover for full government control, where is it coming from? Who is doing the push and how are they keeping it secret?
Oppression doesn't necessarily have to be deliberately planned by brilliant villains in secret smoky rooms, twirling their mustaches and conspiring against the public. It can easily emerge organically out of hundreds of tiny, stupid decisions made by stupid people.
You can be malicious and incompetent. The only reason we know about project mkultra was because parts of the project were misfiled in the wrong place and were stumbled upon by accident.
You don't have to invoke some sort of conspiracy, the western liberal world is deeply interconnected and its all in the open, you just never hear about any of it. Nothing is secret, they don't have to hide anything there is nobody that would tell anyone. You also shouldn't make the mistake to separate or governments from private interests, they are identical that's the whole problem to begin with.
In 2021 the WEF launched the Global Coalition for Digital "Safety" [1] it includes Google, Meta, Interpol, and any neoliberal goul you can imagine. The push for universal digital identity cards is much older ofc. like (eIDAS 2.0) in the EU [2]
Meta and TikTok already developed AI based age estimation tools into their platforms, then lobby to have have laws passed accordingly. See this from 2023 [3]
There are also companies that offer these sorts of services pushing legislation, how else are they gonna justify their hundreds of millions in valuation? (Like yoti [4] or Clearview ai [5])
Just in case anybody is under any false impressions: there is no grass roots movement pushing for this. this isnt "democracy run amok" or the Labour party pandering a little too much.
Labour arent interested in protecting children from pedophiles any more than they were interested in ensuring that Prince Andrew received justice for abusing a minor.
Deanonymizing internet users IS the point. The attack on civil liberties is the only point.
> Chris Sherwood, chief executive of children's charity the NSPCC, said Friday's new rules mean services "can no longer evade their duty for protecting children".
> For Prof Elena Martellozzo, professor of child sexual exploitation and abuse research at the University of Edinburgh, the rules send a message to the tech industry that "child safety and child protection are not optional".
> The Molly Rose Foundation, a charity founded by the family of Molly Russell - who took her own life at the age of 14 after seeing harmful content online - has said stronger legislation is needed to better protect children.
> Derek Ray-Hill, interim head of the Internet Watch Foundation, meanwhile welcomed the new rules for sites allowing porn but said "there is still more to be done".
I think there absolutely is pressure on the government for things like this. Certainly not mass pressure in all segments of the population but neither is the government acting alone.
I know somebody who was interviewed for an agenda pushing article like this for the BBC.
He said a lot of very sensible stuff which they didnt quote and then plucked a phrase that implied he agreed with the agenda (something similar to "stronger legislation to protect children is needed" where he would have meant some OTHER legislation).
I wouldnt be surprised if half of the people quoted here had the same thing done to them.
Also many might not be as grassroots as they imply as you said. I am sure that the NSPCC's opinions on matters like these are more about what the board thinks than, say, the average mother of an abused child.
Anyway, it's enough to confuse the average (perhaps dim) person into thinking there is a grass roots movement when it's the government doing all the pushing.
On the converse, I think any accusation that charities (like the NSPCC in particular!) are fronts for some nefarious group looking to crush civil liberty needs even the slightest bit of evidence before it can be taken credibly.
When the OSA’s supporters accuse their critics of supporting serial rapists without evidence, accusing them of pretty much anything else without evidence seems like fair game.
> Just in case anybody is under any false impressions: there is no grass roots movement pushing for this.
I’ve actually been surprised at how many Hacker News comments have been in support of the UK’s regulations. There were a lot of “What’s the big deal? We already check IDs for liquor. Why can’t we do it for porn?” comments on all of the previous threads.
The slippery slope was brought up a lot but dismissed. I think a lot of people believed there was an easy solution that wouldn’t inconvenience them or creep into other areas of their lives.
> any more than they were interested in ensuring that Prince Andrew received justice for abusing a minor
Prince Andrew didn't break any laws in the UK, though, did he? Virginia Giuffre was 17 (over the age of consent) when she was photographed here with Andrew.
The USA didn't charge him and seek extradition so what was the UK to do?
We've been stealing from Peter to pay Paul since the 1970s, or rather the UK was in a mess in the 70s, so we raised money by selling off state-owned assets such as British Telecom, British Gas, the water board, and so on, to build the economy whilst dropping taxes (though the Laffer curve helped immensely), then we deregulated further to allow foreign ownership and investment in companies which resulted in things like the closure and hollowing out of British Steel, arguably a national security industry, and brands like Rowntrees, to pick one, now owned by Nestle and manufactured abroad. All we're left with is service industries and call centres. Perhaps that's harsh.
And now we're here in 2025, and the UK is running to stay still.
How, exactly, can the UK be accused of dismantling the EU in slow motion? All right, they dismantled themselves out of the EU; you could view that as a single step of dismantling. Beyond that, first, what further dismantling has happened or is going to happen, and second, how is that the UK's fault when they aren't in the EU anymore?
Through history, the people and the government have been close to parity. A sufficient amount of planning by everyday people with everyday equipment could topple a government.
If that parity, that use of force, that forceful evolution of government is to remain a possibility, we must sacrifice some security in order to maintain privacy from government and we must be able to possess tools for communication and offense and surveillance (drones).
Any government that can perfectly quash a rebellion is too dangerous to exist.
Some VPN providers let you mail them cash. Bitcoin or other crypto currencies are also pretty common payment methods. Honestly VPNs are cheap enough that there are a lot of options that don't require a debit/credit card.
If you are outside of UK's jurisdiction (i.e. EU), why would you even care if somebody from UK is paying by a debit card? What is UK going to do? Send bobbies on you?
EU/Asia-Pacific/US firms obey UK jurisdiction if they sell to a significant number of UK customers, believe it or not. Collecting and remitting UK VAT is normal, for example, so is recognising UK consumer rights, distance selling regulations etc.
Obeying the laws of the jurisdictions where your customers are is actually pretty central to successful international trade. Surprised to find anyone on this site who thinks otherwise.
Yeah, no. Otherwise DMCA from USA would be enforceable in EU and Asia, which they are not.
And if you believe they are, tell me when USA last time successfully DMCAed Chinese company in China.
Alcohol in Nordic countries is extremely taxed, so Nordic youth often times goes to central Europe for drinking parties. Should pub owners in central Europe be arrested by Nordic police for selling improperly taxed alcohol? Good luck with that.
Or you have draconic UK anti-hate speech laws. How are you going to enforce them in i.e. France?
Something seems odd to me. Usually to use a reputable VPN you need to pay. The free ones, which I think kids would use, have more issues to worry about than porn :) In order for a kid to pay, I think some adult will see the charge some where on one of their statements. So the adult could take action.
From what I found in UK banks will let 16 year olds to open an account independently.
You could also mail cash (Mullvad), buy a VPN gift card in a physical store or online or get something like a prepaid Visa/Mastercard or a paysafecard.
Even if that is not an option, it's not like age restrictions have prevented everyone underage from alcohol or smoking, people will find a some shady VPN provider or a friend to buy them one.
And also, the transaction can have a very useless business name.
I don't see how that could be done at either a technical or political level. From the technical, there's no difference in the traffic to detect. From the political, foreign VPNs would be unencumbered and given that it's free there's no lever to pull at banks to stop payments.
Some VPN providers will take payment in cash that you mail in. There's probably also convoluted ways to get access without a credit card. Roblox money -> Bitcoin -> VPN, or maybe just those crappy phone apps that have you do surveys and stuff that allow you to redeem a VPN coupon.
This whole online safety act thing gives me goosebumps.
I’d lived most of my live in Russia until migrating in 2022 and I’m pretty familiar with what it means when the gov starts messing with digital censorship.
If you’re not aware, it’s getting systematically harder and harder to browse the free web in Russia despite 50%+ of population using “some” VPN app.
And I’m not even talking extremist / anti-russian resources that the government turned against originally, but most of the independent websites that use CloudFlare free tier, for example.
Because cloudflare enables proxying and a couple other IP-masquerading techniques by default, to effectively block a single website you have to block the entire cloudflare IP range and DNS - which is >20% of the web.
As for the VPNs, most of the common protocols and frameworks (eg OpenVPN) are already banned + detected via DPI, and people have to get into more and more sophisticated setups like VLESS+Reality (= most of the non-technical people can’t set it up by themselves or even buy a subscription to such thing).
“Simple” shadowsocks, originally popularized in China to fight the great firewall are already almost rendered completely useless.
And it will get worse. The gov service which is responsible for blocking has a very high budget + some pretty neat tech to help them cut off more and more ways to bypass the censorship.
This is the future of any state that gets into this game.
The future where you might have to become very proficient in networking and use some “shady” stuff like Tor to just read a blog post about Linux.
It doesn’t matter what it starts with - fighting anti-gov propaganda or, for god’s sake, porn (the least harmful thing for the kids in this horrible ai-post-capitalism world that we live in) — once the regulators get the feeling of power over the free web, every lobbyist, organization and party will come for a part of the web that you personally might enjoy, or even earn living from.
It is literally just search and install 'vpn app' on phone app store of choice.
They're not spinning up servers and configuring OpenVPN or whatever, copying certificates to their client device. (Even that is pretty easy with Wireguard though.)
Concretely, if the high school has 1000 kids, you need to block the 99.9th percentile teenager. That kid’ll be a local legend if they’re the only one to figure out the bypass, and they’ll share it with friends.
(It’s actually harder than that, since kids in different high schools communicate with each other.)
We could just sequester every teen into a sound proof cell, hand them a bible for all of their educational needs, and finally dump them out into the real world the day they turn 18.
Yea doing it "right" and "yourself" by setting up your own server(s) is some work, but not a lot.
Downloading an app to your phone is easy. And it's crazy cheap for most of these services. If not free and they mine what you're visiting or use you as a node in their scraping system.
I second ProtonVPN. I assume being Android it would mean side-loading and lots of faff, but you just download it from Play and you're away. You don't even need to create a login.
A recurring thought is that the modern day really, really suffers from politicians having no clue how tech works. And if you are someone who knows how tech works, why would you go work for the government when you could earn far more working in tech itself?
I'm not really sure what the answer is. The government is always going to be susceptible to "won't someone think of the children" logic and there's no-one trusted to push back.
It won't. It will simply allow the government to further track people and attribute "anonymous" online activity to individual citizens. It's absolutely an Orwellian program and has nothing to do with the well-being of children.
The problem is, they're going to find other uses for this beyond just "thinking of the children". They'll use it for squashing dissent and blackmail.
If His Majesty's government was so concerned about protecting children they would have told Randy Andy to go talk to American police under caution during the Biden administration.
The only step the UK can take is to force ISP's to block these VPN's which will kick off a cat and mouse game and for the reasonable technical, getting around any VPN ban will be as easy as spinning up an EC2 outside the UK.