I personally know how this works in Europe & UK. Not only government, this applies to big companies such as large banks as well. They recruit two kinds of staff. One that works to progress some work and one who puts an many hurdles as possible and call it risk management, compliance, security, regulatory etc (RCSR). They hire approximately 3 times more people into these RCSR positions compared to the technical and real work related positions. These RCSR guys dump thousands of pages of guidelines, making it impossible for any meaningful work to progress. My technical team has been running around for 4 months for approvals for testing an upgrade of a database.
Top management can never go against the RCSR guys, who are like priests of the church in medieval ages. And the RCSR guys have no goals linked to the progress of the real work. The don't like any thing that moves. It's a risk.
Management thinks that RCSR helps with controls around the work. But what happens is, you put more people in building controls, they deliver fort walls around your garbage bins.
It's also interesting how much worse security gets with all this RCSR oversight.
Because the policy teams don't understand the technical details, they get hung up on things that don't matter so all your "security budget" (in terms of dev effort available for improvement) gets spent on useless things.
Because there is a CIS guideline recommending "do not put secrets in environment variables" in k8s, a team I work with recently spent two weeks modifying deployments of all their third party charts to mount all secrets as volumes, this included modifying / patching upstream helm charts. This will be a maintenance burden forever lol. Actual security benefit in context is approximately zero.
Meanwhile they COULD have spent that time implementing broadly effective things like NetworkPolicy or CSP for the front-end but now there is no dev time for that.
At the top levels of their process there are plenty of risk x impact matrices but there aren't corresponding effort / payoff assessments, so the things being done end up not being engineering.
Enterprise security is cargo cult to the max.
You can run 10 different dependency scanners, static analysers, AI analysers, it doesn’t prove shit. You can be SOC1, SOC2, SOC1337, whatever and still have the most moronic bugs. The same ones looked over by the pen test firms running some basic ass open source tooling and bike shedding over shit that makes no difference.
The same companies won’t run a security bounty
program because they think it’s a waste of money.
Security people just don’t get it, they don’t think like the bad guys.
(i - briefly - worked for place that did things this way. They didn't update the chart, but they _did_ use `sed` to update the image tag from time to time.)
I imagine it must feel like that. The reality is that engineers are blasé with data and have been since the personal computing revolution.
Legal frameworks are incredibly irritating and often defined by people who know nothing about what they're regulating. This can lead to very bad laws.
Given that we live in the real world and one can be sued for violating those laws, the stakes are quite high and low cost. Many states in the US allow individuals to bring suit based on these laws, meaning all that needs to happen is you make a mistake and some rando has time to hire a lawyer.
And that is, by the way, notwithstanding the reality that many of the annoying compliance requirements are actually not all that annoying in principle, they are annoying to implement because many software development practices involve the free flow of data.
Maybe that was fine when it was public blogs. But when it's someone's medical records or their financial data, or when it lands in the bucket of a Cambridge Analytica type, sorry, there's a higher burden.
It is frustrating, I know. But we as engineers need to take responsibility for the consequences and stakes of what we're building. It's lack of that awareness that caused many of the largest controversies in our industry.
America has a similar (if less severe) version of this problem where nobody can contradict any compliance-adjacent function. Because if you get sued, someone will ask you "why did you ignore the guidance of your compliance team??" and might even try to use that to justify piercing the corporate veil. Of course compliance types have no incentive to let business happen just like business types have a limited incentive to operate in a compliant fashion, but lawsuits favor compliance always taking precedent with a hyper-cautious approach.
These are at some level businesses that do well because they avoid regulatory regimes. That risk is built-in from day one and basically their raison d'etre. I happen to think that's fine and good, but it's still the case.
In other words, the guys who actually believe in a normal level of compliance are hamstrung, defection is rewarded, classic failure mode of this kind of thing.
IOW, America also has a stagnant, risk-averse business culture, except that superimposed on this culture there's a thin, fragile, layer of risk taking, one geography- and sector-constrained, but in which ~all US value creation and economic differentiation happens.
It's like how the growth of a tree trunk happens in a thin layer beneath the bark and the rest is inert wood.
You’re right IMHO, but now look at what it’s like to build a business in places like France or England or China or India and you’ll learn we are in a place with an order of magnitude less trouble building a business. Frightening.
> we are in a place with an order of magnitude less trouble building a business.
What is this claim based on?
Is there 10x as much stress among French business owners? Are entrepreneurs working 10x as hard in China? Are there 10x fewer businesses in England?
And, stepping back a bit: To the extent that running a business is easier in America, how much of that is because the US exploits and bullies the rest of the world?
How much is because it's a huge country with vast resources (that were stolen from its murdered inhabitants)?
How much is because the lack of regulations allows for rampant externalization of costs?
How much is because businesses are more 'free' to exploit their own workers?
How much is because most of the mechanisms for basic accountability are broken?
These aren't "gotcha" questions. They're fundamentally important to our future, because none of that is sustainable.
Airbnb has created a lot of value for its shareholders. I think it’s an open question whether it’s been a net negative or positive for the world at large when you consider all the externalities.
This is not limited to Europe. I worked for a company like this in the US. The problem of course is the incentive structure: The penalty for violating some minor regulation was that the company would cease to exist (or so management assumed) while there was effectively no penalty for not getting the mission accomplished.
Thus the only reasonable course of action was to do nothing.
Sounds like the rest of the world couldn't be bothered with learning code, but couldn't tolerate code being law, that they tried to dilute the code's stake by adding more laws, despite code still being the law.
> My technical team has been running around for 4 months for approvals for testing an upgrade of a database.
Jeez, and I was just grumbling how it takes up to 24 hours for a change I make to appear in prod,
compared to about 4 hours at my previous job.
It should be possible to develop automated systems and processes to keep most changes on the “happy path” where approvals are quick. These sorts of organization responses were a new layer of people who can say “no” grow whenever a problem happens or a regulation changes are suffocating.
> These RCSR guys dump thousands of pages of guidelines, making it impossible for any meaningful work to progress.
This always reminds me of Darwin’s discovery — survival of the fittest — especially in the ruthless and highly competitive world of commerce. Yet this truth is often misunderstood or even outright rejected by those with a so-called "woke" mindset.
In such a competitive world, the only inevitable outcome for a business that isn’t fit enough is failure and eventual disappearance. Always remember: no one can be forced to buy a product or service if they live in freedom. Deals won’t happen because of burdensome frameworks like "RCSR." Trade flows naturally toward what creates the greatest value for both parties — usually better products or services at lower costs. From a Darwinian perspective, this kind of trade helps make the parties involved more fit. So why wouldn’t they choose it?
Hope all come to recognize this natural/divine will with reverence — and try our best to align with it and stay fit (while helping to keep those we love fit as well). This can truly help foster a competitive market and benefits all.
This is a crude strawman argument at best. I don't disagree that compliance/regulation requirements can be overdone, but unfettered progress-at-any-cost has its own downside. History is overloaded with technological innovations followed by regulation efforts to mitigate the the unintended consequences.
Reality, as always, as much more nuanced than this hot take. It's a balancing act.
The act does seem poorly thought out practically & I really dislike the UK's overall mindset to online safety. The laws consistently feel like they were written by someone that prints out emails to read...
That said the thinking that smaller platform should equal exemptions seems a touch flawed too given topic. If you're setting out to protect a child from content that say is promoting suicide the size of the platform isn't a relevant metric. If anything the smaller less visible corners (like the various chan sites) of the internet may even be higher risk
Smaller entities are rarely looking for a full exception, they just want the regulations to be implementable without being a megacorp.
Take something like a plastic packaging tax, for example. A company like Amazon won't have too much trouble setting up a team to take care of this, and they can be taxed by the gram and by the material. But expecting the same from a mom-and-pop store is unreasonable - the fee isn't the problem, but the administrative overhead can be enough to kill them. Offering an alternative fixed-fee structure for companies below certain revenue thresholds would solve that problem, while still remaining true to the original intention.
I get the impossible bind this puts small companies in & having people resort to IP blocking the entire country is clearly a sign of a broken setup
But playing devils advocate a bit here if the risk profile to the kid is the same on big and small platforms then there isn't any ethical room a lighter regime. Never mind full exemption, any exemption. The whole line of reasoning that you can't afford it therefore more kids potentially getting hurt on your platform is more acceptable just doesn't play. And similarly if you do provide a lighter touch regime, then the big players will rightly say well if that is adequate to ensure safety then why exactly can't we do that too?
Platform size just isn't a relevant metric on some topics - child safety being one of them. Ethically whether a child is exposed to harm on a small or big website is the same thing.
Not that I think this act will do much of anything for child safety. Which is why I think this needs to go back to drawing board entirely. Cause if we're not effectively protecting children yet killing businesses (and freedoms) then wtf are we doing
The big players actually like this sort of thing, since it stifles any nascent competition. Sure, it hurts margins a bit, but also really entrenches their position.
"Platform size just isn't a relevant metric on some topics - child safety being one of them."
Agreed, but I guess it could be the case that the current regulation is too burdensome even for large corps, but they could afford to have the resources necessary to deal with the regulation?
The question is whether the laws are efficient. Imagine that as a protection from the occasional meteorite, all buildings are mandated to upgrade their roofs to be 1 meter of solid concrete. We cannot allow another random space rock kill another innocent inhabitant.
This, or course, would disproportionately burden smaller buildings, while some larger buildings would have little trouble to comply. Guess who would complain more often. But it, while outwardly insane, would clear small huts off the market, while the owners of large reinforced buildings would be able to reclaim the land, as if by an unintended consequence.
Driving the risk tolerance of a society lower and lower interestingly dovetails with the ease of regulatory capture by large incumbent players, as if by coincidence.
UK's final goal to anything online always seems to be spying. They never seem to have a clue what to do with the data after that, but they're always damn eager to implement laws to allow for spying
> I really dislike the UK's overall mindset to online safety. The laws consistently feel like they were written by someone that prints out emails to read
The UK is a leading example of what calls for regulation turn into in the real world.
I’ve noticed a lot of calls for regulation in Hacker News comments lately. In the past week I’ve read multiple threads here where people angrily called for regulations and consequence for anything LLM related they didn’t like: When LLMs produced mistakes, when they produce content too close to copyrighted works, and so on.
There’s an idea that regulation is a magical function that you apply and then the big companies suffer consequences, products improve to perfection to avoid the regulations, and nothing is lost for consumers.
Then you look at real-world heavy handed technology regulation and see what really happens: Companies just have to turn off access to countries with those regulations and continue on with their business. People who use the tools get VPNs and continue operating with a little extra hassle, cost, and lag. Businesses avoid those countries or shut down because it doesn’t make sense to try to comply.
There’s a constant moving of goalposts, too: Every time someone points out the downsides of these regulations it’s imagined that better regulation would have exempted the small companies or made it cheap to comply (without details, of course).
I think heavy handed technology regulation is yet another topic where the closer it gets to reality, the less people like it. When you point out real world examples, the response is always “No, not like that”
The unfortunate, but understandable, fallback suggestion from thehamsterforum of all moving over to Instagram shows why large corps _love_ laws like this. More laws just raises the barrier to entry until only those that have entire office blocks of lawyers can afford to participate.
You can afford to be so flippant because in the chance that Ofcom's enforcement will lead to prison or another punishment, it won't be you who's suffering it.
I have no idea what this service is, but clicking around on their site they mention it's 18+, that they don't allow "Child pornography, Sexualized depictions of minors, Heavy gore, Bestiality, Sexual violence".
I don't agree with everything in the Online Safety Act, but if anything needed a risk assessment, it's surely this?
Agreed. I read the article and I was thinking "this sounds pretty bad", but after clicking through to the main site my experience was "there's no explanation of what this is, but it looks like it probably falls within the need for some form of regulation".
Are there services which offer a less... risky... service that are similarly affected here?
Lobste.rs is a tech-focused website quite similar to HN, and it's also affected (although they decided that the risks of legal action are low enough to avoid geoblocking UK users entirely).
From what I understand, it is just giving people access to AI models with minimal censorship - so illegal content [0] is still disallowed, but otherwise you can do what you want. And I’m sure a lot of that will be sexual material, but that’s more about the nature of the market demand for uncensored AI than anything inherent to the offering in itself
[0] “law” here isn’t just laws made by governments, but also regulations made by e.g. Visa and Mastercard
They're in scope because they provide a pornographic service, I don't see that is arguable. If you don't have the competence in house to follow the guidelines and need to hire expensive lawyers, then yes it's an "extreme cost", but that's not true of all businesses.
But that's the whole complaint, the overhead of compliance with the law (not necessarily the controls on protecting minors themselves but just the legal burden) is so high as to be untenable for anyone but big corps.
The way these laws and regs don't even consider the provider size is aggravating. Doubly so because they always use "big bad provider" and think of the kids as populist support gaining strategies, but in the end the same big providers benefit. They have the billions to spend on everything from lawyers to fiscal optimisation, and they rake in the entire market since they're the only ones left to serve that market.
That's happening with the AI act here as well. Almost no-one wants to even touch the EU shitshow and they're still going forward with it. Even Mistral was trying to petition them, but the latest news seem like it had no effect. Fuck us I guess, right? Both consumers and SMBs will lose if this passes as is.
They did consider the provider size, it is probably the main element of this law: the problem is that the consideration was to assume that you are always dealing with mega-large companies with teams of lawyers...because these companies have been lobbying regulators and civil servants (not Parliament so much, they don't matter anymore) for years. This is extremely common in the UK (very low corruption by historical methods but when decisions are actually made, there is corruption almost everywhere). The provider size was an active choice.
It isn't populist either, no-one supports this. The UK has media campaigns run by newspapers, no-one reads the papers but politicians so these campaigns start to influence politicians. Always the same: spontaneous media campaign across multiple newspapers (low impact on other kinds of media), child as a figurehead, and the law always has significant implications that are nothing to do with the publicly stated aim.
Democracy has very little to do with it. Elections happen in the UK but policies don't change, it is obvious why.
“if people find other methods to access the site, that is entirely on them - there are no legal consequences for users.”
For a site operator who seems really concerned about potential liability under this law, I sure wouldn’t have put this in writing. Feels like it really undermines the rest of the post and the compliance measures being taken.
It's basically impossible to prevent people from using VPNs without some serious governmental control over every telco - which of course may be the case in the UK, but I don't think a site operator can be held liable for that in any sane way.
China's great firewall is reported to take resources the UK just couldn't muster. The UK is still at the level of storing highly classified information in Excel and sending it by email.
Circumvention means you're following the law after all, i.e. you're circumventing, not breaking it.
Every other Youtuber these days is thanking NordVPN for sponsoring their channel then proceeds to walk through specifically how to use it to view geoblocked Netflix content, and they (and NordVPN!) are fine.
Yes, but the recommendation was for the platform, not the users ("For a site operator who seems really concerned about potential liability", emphasis added). Spelling out how anyone (including minors) can get to the site without any age check may not be an issue for users' own good but a liability for the platform
Not saying I agree or disagree, just clarifying what the text above meant
The law does require sites to not explicitly advocate a specific method for bypassing the checks (or to allow third parties to do so on it's platform, so it'll be interesting to see how that works for Reddit).
But I doubt this is specific enough to hit that bar - it is more of a factual note about what the law is for UK users rather than a specific call of "don't use our verification methods, use a VPN instead."
This is the kind of comment you get from someone who's never interacted with a Western legal system. Any kind of winking reference is immediately seen through.
I’d personally be interested in a risk analysis by a lawyer for that statement but it doesn’t seem particularly problematic. It does not seem to be actual encouragement to use a VPN, just acknowledgement that they exist.
I think you assume the fact that it's a winking reference means they have to use a winking reference. It seems like it would be legal for them to post a full guide for UK users on how to access their site using a VPN service.
There's literally "Best VPNs For Accessing Porn in the UK" articles, they'll be fine.
> It seems like it would be legal for them to post a full guide for UK users on how to access their site using a VPN service.
It isn't, the Ofcom OSA act codes explicitly say that the site cannot explicitly tell people how to get past it's verification methods.
> There's literally "Best VPNs For Accessing Porn in the UK" articles, they'll be fine.
They're on journalism sites that are explicitly exempted from the law, so they aren't advocating for getting around that specific site's methods.
It will be interesting to see how this works on any social platform though. To my reading of the guidance Ofcom require Reddit, BlueSky/Twitter etc to block any posts discussing using a VPN to get around it, or at least require age verification to access those posts too.
But I think that contradicts other parts of the legislation, and Ofcom have got themselves into quite a predictable mess.
Fwiw, he very explicitly states that the end goal is to go back on the UK market and thus be compliant. They just misjudged the scope of the regulation, forcing him to ban the UK - at least temporarily until a solution is found.
From what I'm reading, Amazon will have to implement age-checks over 8/10 of its book inventory, with the other 2/10 opening the company for liability about the very broad definition of "Age-appropriate experiences for children online." And yes, janitorai is correct that the act applies to them and the content they create, and a blanket ban to UK users seems the most appropriate course of action.
For what is worth, the act does not seem to apply to first-party websites, as long as visitors of that website are not allowed to interact with each other. So, say, a blog without a comment feed should be okay.
The statement from Ofcom is at the very end, and they're very clearly saying you need to only allow moderator-approved on-topic comments on such a blog site in order to fall under the exemption. Any off-topic comment will be subject to the act.
My reading is that as long as the comments are somewhat related, the provider is safe from being held accountable for them, but the exact level of connection isn't clearly defined.
So if you filter out known bad words and spam comments, that could very well cover things.
This kind of thing makes we wonder if the internet as a whole is heading for a Kessler Syndrome kind of situation.
Another example: here in the USA we have 50 states vying to each regulate AI; my understanding is that the plan was to have the OBBB put them off from doing this for at least 10 years, but that effort failed, leaving them free to each do their own thing.
Complying with all rules and regulations in all jurisdictions to which a website/service could be exposed (i.e. worldwide, by default) seems like it's becoming a well nigh impossible task these days.
Well, if we make it expensive enough to operate everywhere, then there will probably be one or two huge "global" sites and hundreds of small local, region-locked ones. Maybe that is the future.
Cyberspace is not, eventually, independent[1] if you plan to make money off it and use real world IDs.
Balkanization was always the inevitable end state of the Internet, because the alternative is ceding sovereignty over what is now critical infrastructure, and states simply do not do that.
It was fine when the Internet was a side hobby for a slice of the population, but now that it’s fundamental to all aspects of life, having it under the control of a foreign government (and the tech companies which act as de facto organs of that government) is no longer acceptable.
Ofcom submitted their advice – and the unerpinning research that had informed it – to the Secretary of State on 29 February 2024 and published it on 25 March. In summary, its advice is as follows:
Category 1
Condition 1:
Use a content recommender system; and
Have more than 34m UK users on the U2U part of the service
Condition 2:
Allow users to forward or reshare UGC; and
Use a content recommender system; and
Have more than 7m UK users on the U2U part of the service
Ofcom estimates that there are 9 services captured by condition 1 and 12-16 likely to be captured by condition 2. There is one small reference in the annex that the 7m+ monthly users threshold corresponds to the DSA (A6.15)
Category 2a (search)
Not a vertical search service; and
Have more then 7m UK users
Ofcom estimates that there are just 2 search services that currently sit (a long way) above this threshold but that it is justified to put it at this level to catch emerging services.
Category 2b (children)
Allow users to send direct messages; and
Have more than 3m UK users on the U2U part of the service
Ofcom estimates that there are “approximately 25-40 services” that may meet this threshold.
Everybody (who's not specifically exempted by Schedule 1, which has nothing to do with what you linked to) gets a "duty of care".Everybody has to do a crapton of specific stupid (and expensive) administrative stuff. Oh, and by the way you'd better pay a lawyer to make sure that any Schedule 1 (or other) exemption you're relying on actually applies to you. Which they may not even be able to say because of general vagueness and corner cases that the drafters didn't think of.
Also, it's not a "ruling". It's a law with some implementing regulations.
Ofcom’s “Does the Online Safety Act apply to your service?” questionnaire [1] doesn’t use those thresholds, and it makes it sound like the law would apply to any site with paying customers in the UK.
Just ran through the questionnaire, and it's crystal clear that anything that resembles a typical web forum will need to follow this law. No thresholds as you mention. Doesn't need paying customers as far as I could see, it's enough you have UK visitors.
I just basically struggle with the concept of "x people form our country chose to talk to your web server (hosted elsewhere, responds to anybody) so we now claim jurisdiction (with possible criminal penalties) over that server (hosted elsewhere) and you (who lives elsewhere)."
Realistically they can't, unless the service owner lives in a country with an extradition treaty with the UK, and that country has an equivalent law in place. But most service operators don't want to deal with that stress, so they will just IP block the UK and Brits who know how to use a VPN will just keep using the service.
I wouldn't be surprised if this ends up being a topic in trade negotiations with the US in the future though, since this is a trade barrier that imposes significant regulatory cost on US companies for content that is legal in the US. Eg. the proscribed categories of illegal content include knives and firearms, hate, etc.
That particular approach is actually pretty sensible if you (as a law maker) want to get any results.
Otherwise everyone from small sites to Facebook would just shop around jurisdictions and formally operate their websites from wherever fits them best.
And if a service is used by citizens of your country it makes sense to scale requirements by the impact it is having on them.
This particular law may not be great overall but I've got no issues with this method. As a site provider outside the UK it's trivially easy to avoid liability (by blocking people)
Except we're not dealing with one of the web servers running out of reg-shopped countries where you can host just about anything. We're dealing with stuff that's legal as-is in most developed countries, including America. Aside from the basic question of whether it's ethical to regulate in that way (you're correct it's practical, but there are plenty of things that get results but are morally wrong) it doesn't bear on this case.
I think this is a heavy handed law which entrenches big tech companies.
However I'd argue that from the UK perspective any of these developed countries would be considered reg-shoped.
They don't consider other countries' laws as sufficient to protect their citizens (which I probably wouldn't agree with).
I'm struggling to see a better approach to make sure any law applicable to online services is actually effective.
It seems like there are only a few options:
1. Only pass globally agreed upon laws (which is basically nothing and not realistic)
2. Only regulate domestic providers (which would severely disadvantage them and not resolve the underlying issues)
3. Block all foreign services (which is even more drastic).
In the end a states' power is tied to its territory and the people living within it. If not being active in that state at all releases you from it's laws I would consider this appropriate.
This is on the UK to fix (or not fix) for themselves.
A 250+ page law will have so many edge cases I doubt you would want to test it especially in a country with a government that has recently cracked down and arrested people for online "crimes". Sad the UK government has descended to this level of stupidity.
That's an incorrect understanding. It creates a range of requirements for essentially any service with users in the UK if there is UGC or messaging.
Then there are additional requirements applied to 3 classes of services: Category 1, 2A, 2B. The latter have the thresholds as discussed above.
But, as usual, poorly written. eg a "Content Recommendation System" -- if you choose, via any method, to show content to users, you have built a recommendation system. See eg wikimedia's concern that showing a picture of the day on a homepage is a bonafide content recommendation system.
The definition
> (2)In paragraph (1), a “content recommender system” means a system, used by the provider of a regulated user-to-user service in respect of the user-to-user part of that service, that uses algorithms which by means of machine learning or other techniques determines, or otherwise affects, the way in which regulated user-generated content of a user, whether alone or with other content, may be encountered by other users of the service.
How can they even enforce this? What happens if you run a plattform in let's say Germany and just tell them to fuck off, UK Law is of no interest to me.
Generally, if they identify you and you decide to visit London as a tourist for a week you could be arrested at the airport. If they wanted to enforce this. So obviously, it's of interest if you ever want to take a trip to the UK.
I don’t agree with the legislation, but I assume the same way they can go after you for any crime they perceive as being committed in the UK: extradition. It’s obviously incredibly unlikely.
I used to think that, and that may be the case where you live (I'd be interested to read more if you have a link), but not in the Netherlands for example
Source: I was recently listening to a podcast about court cases and an extradition case came up. They mentioned that reasons to not be sent are mainly about human rights, like if you need medical treatment that the target country can't (or isn't likely) to give, or if you would have to sit out your punishment under inhumane conditions (oftentimes you can sit out your punishment in the country that extradited you after having stood trial in the other country's legal system), or if the country you're being sent to was involved in your torture (them handing you over to another party that you know does torture would count, even if their own hands are 'clean'; that was the crux in this case, whether the victim aka accused person was handed over by the united states to pakistani intelligence and the usa therefore had forfeited their claim to further try the person for the alleged crime)
Or you travel to a 3rd country that has the same law and an extradition treaty with the UK.
Or, you travel to the UK! It’s a pretty popular destination and Heathrow is a major European hub. It would be easy to get caught out.
The law may well be onerous and misguided. But looking at that site, it seems they reeeeally should do their due diligence. Not just to avoid the long arm of UK justice, but other territories too. It looks extremely dubious.
Their mitigation doesn’t make sense either. If they don’t shutdown UK accounts and those accounts use UK credit cards which continue to use the service via a VPN. It could be reasonably argued that they know they’re providing a service to a UK resident. So, they really need to do their homework.
What they’re actually complaining about is the cost of doing business. It sounds pretty amateurish.
The entire United Kingdom is amateur hour, and the UK will stay poor and irrelevant as long as they keep blaming businesses for being grumpy about nonsensical laws.
Only if you are not a German national. Germany notified UK after a certain period after Brexit that they will not extradite their own citizen, they will only do that to other EU countries.
Having said that, it can limit a lot ones travel possibilities.
To be clear - German nationals can be extradited to other EU countries under German law, but not third countries like the UK.
If the UK had remained in the EU, then extradition might be possible (depending on whether courts approve it) but right now it's pretty unambiguously impossible.
IANAL but there appears to be an agreement between the UK and Germany. Not sure if it’s just criminal cooperation, or whether extradition is part of that:
Not a lawyer, but that seems to be from the 60s and a quick Google search showed some court decisions that extraditions to the UK are not possible as staying silent can harm your defense, which contradicts German basic law where it states: "No German may be extradited to a foreign country. The law may provide otherwise for extraditions to a member state of the European Union or to an international court, provided that the rule of law is observed."
I’m sure they won’t, but it might be annoying to never be able to take a flight that connects in London for the rest of your life.
I have no idea if this is a likely or even possible consequence, but that’s one way lots of people have gotten ensnared by the long arm of the law, even when jurisdiction is otherwise normally lacking.
Not at all. Many people avoid Heathrow because it's a terrible airport and many more because they don't want to submit themselves to the UK justice system, which is as classist and corrupt as they come.
You also have no human rights in British Airports. The state can just randomly decide to question you. They'll force you to hand over passwords to all electronic devices and slap you with a terror offence if you don't comply. You won't even have the right to remain silent.
You'd be well advised to avoid a country this like.
the UK has been a swirling toilet bowl for free speech for years... unfortunately it seems to have accelerated.
I really dont understand why parents don't bare the responsibility of their kids internet access as opposed to the expectation the internet raises their kids...
Teachers are having to toilet train children as some come to school unable to use a toilet, more children are non-verbal, more children are unable to sit through lessons, the number of children with special needs has skyrocketed, in one council area there was a single taxi firm with a £20m contract to take children to school, not only are there free school meals but some schools are now running breakfast and dinner services because parents can't feed children...no, parents won't take responsibility.
And all this is because websites weren't doing age verification? Wow, I'm glad we could solve those problems once and for all with this excellent legislation that doesn't have any side effects whatsoever!
no, the problem is parents. all of these are happening at the same time which proves that the issue is that a significant minority of parents are incapable (there is also a reason why this has happened but saying it is verboten).
the question of whether the state should try to fix this stuff is irrelevant, it cannot
My GF works in schools helping children who have special needs. It's really sad some of the things she tells me. Many parents of these children will spend all of their child's DLA on giving their hair or nails done. Kids regularly turn up to school hungry and sometimes don't even get presents on their birthdays.
Many kids from these backgrounds are seen as little more than cashcows to help their parents get homes and income without having to work.
Yes...there is more I would like to say but that is the issue.
If you turn having children into a profit-seeking enterprise, you will get bad outcomes. The UK is in the bizarre position where people who should have kids aren't having kids but they are paying for the children of those who shouldn't have kids.
The statistics coming out about this are incredible. We are looking at 20-30% of this cohort likely being unable to work at any point in their lifetime.
That doesn't mean society should pass more laws so the state takes on more responsibility of raising children though. We're dumbing down people and allowing what you describe to happen even more... It's like manufacturing a cycle of increasing dependence on the state.
the solution to children stabbing each other was to attempt to ban knives
i believe they are also gearing up for a ban on cigars, cigarettes have a scale which will make them effectively illegal for children born today, more types of pornography are being banned
...this is the same country which has legalised heroin use regionally btw...you need a licence to watch porn but your neighbour can shoplift, shoot up heroin, and you pay his rent...
It's a common trope on this site that people wholeheartedly believe the legal systems of the world should and do conform to their personal beliefs, no matter how outlandish.
I can assure you that this is such a scenario, as a restaurant in the UK is absolutely responsible for providing safe toilets for their customers, especially if a risk has been brought to their attention.
Do you have kids? I don’t, so I don’t have any idea how realistic this is. How do you ensure your kids aren’t skirting any blocks you put in place, looking things up with their friends, getting access to a VPN, etc.?
I also don’t think this act is the way to address these issues, but I don’t think it’s as easy as just putting everything at the feet of the parents as I imagine it almost impossible to police at home, not to mention at school.
When I think of older technologies like television, we have rules and regulations about what can be shown when.
Again, this isn’t to say this approach is right, but wanting to regulate isn’t an attack on free speech. It seems there is regularly a tension on HN between free speech absolutists, usually from the US and those more happy to accept regulation, usually from the EU
> How do you ensure your kids aren’t skirting any blocks you put in place, looking things up with their friends, getting access to a VPN, etc.?
I don't, because I don't need to.
I had unrestricted access to internet when I was my kids age and I turned out just fine, just like the extreme majority of my generation.
I know that serious discussions about important topics are enough to make sure that even if my kids do access content that's not meant for children, they're not negatively affected by them, just like I wasn't.
The world is a very very different place technologically then when you grew up.
Again I don’t have kids, so I’m not in a position to judge, but I can only imagine the pressures on children are completely different nowadays. For example, we didn’t have computers in our pocket 24/7 with all of our peers on the other end influencing us indifferent ways.
Yes, it's now a hell of a lot easier to exist on the internet and not see gross shit. Shock content was a huge part of the internet while I was growing up, it's now a lot less acceptable. As far as the kind of thing the OSA is seemingly worried about, the internet is already miles safer than it was.
We cannot legislate away this problem. We will try, we will fail, and the costs in this case are absolutely massive.
Just as an aside, the UK has been doing this for decades. One of the most permanent causes of legislative failure in the UK has been making laws based on media pressure that have potentially huge costs in the future. And as these costs emerge, guess what the only solution is? More interventions.
I would suggest that a country which cannot control crime, cannot control borders, has a collapsing economy, cannot house people, etc. has bigger problems than trying to arrest people for saying things on Twitter or shut down end-to-end encryption.
Its a control thing. The online safety act connects every account to a government ID, leading to easier arrests if you say somehing the good ol' government dont like. Its an attack on free speech
i’m really curious if the policy of simply blocking ip addresses from random states or countries with laws you don’t like is legally sufficient and making someone assert where they are located or from is necessary.
I think they probably should not have implied its accessible via VPN, the UK might still go after their asses for having UK users even with the IP block
I doubt the government cares, especially since they drove many post office heads to suicide claiming they stole money when it was really software bugs despite all evidence showing this.
We have a free-to-use technical forum for our (data wrangling software) forum, powered by Discourse. I believe that might allow users to directly message each other. Does that count?
There was an election, both parties said this Act was going to happen.
It depends what you mean by government but elected officials in the UK are almost completely irrelevant in this (and in most other things, their job is to get in front of a TV camera say how appalled they are that it has happened, no-one could have foreseen this, don't look back in anger, and that they are going to select from the same policy options that the Civil Service presented the last government with...which results in the same conclusion: more civil servants, more regulation, more corruption).
Ofcom has been making a massive power grab, this bill and other recent regulations are granting them massive new powers, and the UK has a system in which ministers have no functional capacity to block this.
Oh give over. This is politician led. If you think this is some civil servant's unilateral wet dream you have a serious misunderstanding of how the UK government and the civil service work. You would do better reading up on these institutions than blaming all the countries ill's on some nebulous idea of "Civil Servants as Illuminati".
I would read more about the new powers that Ofcom has...the type of person who bloviates online about everyone else being stupid tends not to have actually checked what is going on.
Also, none of these laws are led by politicians. All the communications-related offences were led by security services. Do you know when Molly actually passed? 2017? And you are telling me that a law passed in 2025 is related? A law which largely contains things unrelated to her passing (i.e. significant expansion of Ofcom powers).
It is genuinely funny that people who have no idea about politics...as in first-hand knowledge which will just imagine that everything works the way they assume it must work. At the very least, you should exercise some common sense: we have seen multiple Home Office ministers pass through, ministers are gaining no new extra powers, Ofcom staffing has gone up by thousands, the amount of graft that has already gone on is staggering...but the one's to blame are, conveniently, the ones who are always blamed...but seem to be strangely unable to do anything...you cannot possibly be this credulous.
I’m afraid this is nonsense. Elected officials aren’t irrelevant. The majority of them support this legislation and that is why it got enough votes to become law. You don’t have to like it (I’m not a huge fan either), but it’s a perfectly straightforward case of a popular policy becoming law via the democratic process. A process that’s notoriously imperfect and not guaranteed to yield the best outcome in all cases.
Don’t fall into the trap of thinking that this law must have come about by sinister machinations just because you don’t think it’s a good law.
The reason I think this is because: 1. I know this first-hand and 2. You have to be completely blind to not see the same thing happen multiple times with multiple laws (this has been happening for decades).
Elected officials are irrelevant because, in this case, they are functionally unable to propose a reasonable alternative. Policy options were presented, all of the policy options offered in this case were to empower Ofcom (again, how old are you? are you unable to think of another situation like this: same thing happened with BoE/PRA in 2010, same thing happened with Border Force creation, same thing happened with illegal immigration where the only functional action presented was to increase Home Office staffing, I can go on and on) so what was the alternative?
You also may not understand what is going on here either: this legislation gave Ofcom new statutory powers but what you might not be aware of is that Ofcom has also been granted through non-statutory instruments significant new powers that interlock with this legislation...who voted on that? Again: media campaign by the powers that be, multiple Home Office ministers have been railroaded into this, Ofcom/security services have been granted new powers (the latter by the back door...again, tell me what that has to do with "social media abuse"? nothing).
Finally, elected officials are mostly pawns. The majority of "them" do not know what is in the legislation. They have been told the PM wants "Molly's Law" passed, so it is passed. Some of the scrutiny was laughable...do you understand that the law has a provision that requires tech companies to provide "end-to-end encryption" that the government can break? To their credit, this was questioned by legislators several times...it wasn't removed from the Bill, despite it obviously being unrelated to anything in the Act. Again, how are you this blind? Do you see why elected officials might be irrelevant if you are so blind?
Nah, just send them code 451 and ignore them. UK is still democracy adjacent, uk citicens voted for this nonesense, let them deal with the consequences.
Most of the UK didn't even vote for a Labour representative at the last general election. The Labour party's current control of our government is the result of one of the most disproportionate parliamentary majorities ever relative to its actual popular vote at the election. It's a consequence of our broken "first past the post" voting system.
There's a certain irony in our politics right now that FPTP has been maintained by two dominant political parties because it has served their purposes to have little real challenge from smaller parties despite those parties collectively having quite a lot of popular support. That same system has now all but ended one of those two dominant parties as a force in British politics and at the next election it might well do the same for the other. The scariest question is who we might then get instead if Labour don't force through a radical change to our voting system while they still have the (possibly last) chance.
But don't worry, Labour have already ruled that sort of thing out, they aren't interested. They think they can keep riding the FPTP thing indefinitely and changing would voluntarily hand power to smaller parties, which is unthinkable.
Towards the end of the last Labour government in the UK, in the lead up to the election that ended it, I heard a Labour MP on the radio being asked about bringing in PR and transferrable vote systems (like we have here in Aus). His attitude was that PR is for losers. FPTP puts the winner in place. Anyone disputing this, or trying to bring up ideas about systems which give power to candidates representing a wider slice of the electorate - they're just losers who couldn't get the votes they needed to win. It was sickening to listen to.
The problem, of course, is that any party that gets into power gets in via the existing system, and asking them to change it is like asking someone to train their replacement and fire themselves.
The problem, of course, is that any party that gets into power gets in via the existing system, and asking them to change it is like asking someone to train their replacement and fire themselves.
Indeed. But Labour might be facing an electoral wipe out next time anyway like the Tories last year. Even if they do a decent job they're starting from such a bad position that it will be tough to rebuild enough public support for another election victory. Unfortunately that becomes tougher if they actually try to fix some of our long-term problems by doing sensible things that won't pay off in time for the next election.
If they realise that their current strategy of giving the vote to 16 and 17 year olds isn't going to be enough to stay in power and Reform (populist right-wingers) look like they're going to win big instead then there will be a lot of soul searching going on at Labour HQ. Making a change that will at least see them avoiding the fate of the Tories last time might be a bit more palatable for them even if it would still be a bitter pill to swallow for the many Labour MPs who were going to lose their positions either way.
i opened the ofcom link and it has this really easy to follow guide with 17 illegal contents the users my encounter on your website like terrorism/pdf content etc like extremely bad stuff and all you have to do is asses how likely the user is to run into one of these on your site if its over 0% how do you plan on mitigating that.
Keep in mind UK terrorism legislation has been abused and is continuing to be, from prosecuting the failed Icesave bank to proscribing the non-violent Palestine Action activist group. If the Terrorism Act 2000 had been in effect in the 1980s, you could have risked 14 years in prison for advocating for the ANC against Apartheid (Thatcher's government's official policy was that Nelson Mandela was a terrorist who had been convicted in a fair trial).
The UK doesn't have a First Amendment or a Bill of Rights other than the European Convention on Human Rights, that leading parties campaign of abolishing (if a bill of rights can be abolished by the legislature, it's not worth the paper it's printed on). Heck it doesn't even have a proper written constitution, it doesn't have separation of powers or an independent judiciary (the previous Parliament considered passing a law saying "Rwanda is a safe country to deport inconvenient asylum seekers to" in response to a court ruling (correctly) saying it manifestly isn't.
The UK and Australia are in a race to the bottom to see which one is going to be the worst enemy of the Internet. The only check against these authoritarian powers is popular juries, and they are trying to get rid of these as well.
Damage to property is a form of violence. If someone broke into your home and destroyed medical equipment needed to care for your dying relative, I'm sure you would 100% call it an act of violence.
Also, the group has directly harmed people too:
> A police officer was taken to hospital after being hit with a sledgehammer while responding to reports of criminal damage.
It smells like a jumped up "assaulted a police officer" charge because you shield your face from their punches. Hitting someone with a sledge hammer is a suitably scary tabloid headline but physically unlikely and entirely out of character for the accused group.
Note that Avon Police have form as lying pieces of shit.
They attacked protestors and claimed 21 injured officers specifically: "officers got broken bones, had punctured lungs, were very seriously injured" in the national media.
Journalists contacted local hospitals and found no police were treated that night. They had to retract those claims and their list of the claimed injuries included staff who never attended the scene, a bee sting and a twisted ankle getting out of a car.
I expect similar will happen here but only after this claim has been used for years to demonise protestors.
Also there is a huge gulf between being hit with the business end of a sledgehammer and poked with the shaft. I would expect a serious assault with a sledgehammer to result in serious injury or death.
Yeah just interpret 3000+ pages of policy documents and if you screw it up, OFCOM can fine you 18 million pounds and hold you criminally liable. Their "simple guide" is 70 pages long and has numerous links to additional policy documents that have more details on how to interpret the law. Any sane company is going to hire UK legal counsel to deal with this, which is easily going to cost five or six figures. And that doesn't include the cost of adding additional technical mitigations to justify a lower risk assessment, or the ongoing compliance cost for services that aren't low-risk. So the rational move for any company that has minimal UK revenue is to just IP ban the country, like Iran or North Korea.
do people really blanket ban iranians? i run a large wiki platform for kpop and they're some of our best users-- i would much sooner ban ip addresses from the yookay.
people have literally been jailed for "hate speech" here because they clicked like on a tweet. labour is currently debating an official definition of "islamophobia" which would criminalize stating historical facts like "islam was spread by the sword" and "the grooming gangs are mostly pakistani". the govt put out a superinjunction forbidding anyone (including MPs) from mentioning they spent £7B bringing over afghans allegedly at risk from the taliban, and also criminalizing mention of the gag order itself, and so on recursively. nobody (other than judges and senior ministers) knows how many other such superinjunctions there are.
all this and more is covered by those 17 categories.
on top of this, britain claims global jurisdiction here. think a minute how absurd that is -- any website anywhere that any briton might access is in scope, according to ofcom. and they claim the power to prosecute foreigners for these "crimes" ...
> put out a superinjunction forbidding anyone (including MPs) from mentioning they spent £7B bringing over afghans allegedly at risk from the taliban
This has to be the most uncharitable reading of that situation I've ever seen. Have you been watching GBNews?
The Ministry of Defence messed up under the last government, a junior operative leaked a list of names of Afghan people who had helped the UK armed forces during the years of British and American presence. Not only that, but the list also contained the names of UK special forces and a few secret agents. This is bad and at that point they had a duty to protect the people they'd exposed.
So yeah, they got a "super injunction" to prevent reporting of the list to do further damage, and that does prevent prevent reporting of the injunction. I personally think such things are dodgy as fuck and shouldn't be available in law, but compared to using them to block discussion of (for example) a rich footballer or a journalist being caught having an affair, it seems like this was comparatively reasonable.
To paint this as purely an exercise hiding the spending of money on bringing afghans into the UK 'allegedly at risk' seems... well, uncharitable.
> on top of this, britain claims global jurisdiction here...
As do the EU (and UK) for the GDPR, and lots of other countries for lots of other things. If you're offering services to people in the UK you have to abide by UK laws.
We can talk about the laws being bad (and it seems this one is) but it's hard to see that principle as wrong, unless you're still in love with the old wild-west, no-rules-followed internet. I think those days are behind us.
>people have literally been jailed for "hate speech" here because they clicked like on a tweet
I am aware that someone was jailed for encouraging people via social media to burn down a hotel with refugees in ( https://www.bbc.co.uk/news/articles/cp3wkzgpjxvo ). But not because they clicked like on a Tweet.
Reference please.
I have also blocked yookayers from my site because I would rather spend my time on GTM for my more valuable markets or have free time than waste it on the tiny chunk of my users who are yookay based.
Also I don't know what sort of weight "guidance" from a reg agency vs statute carries there, how much of a defense it is, etc.
> i know that is terrible timing and im genuinely sorry about that.
This Twitter-style faux-casual way of writing is so common among AI people right now (see Sam Altman) and it’s extremely grating. I don’t know anything about this project, but if they really cared about their users, I would hope that they’d use capital letters and punctuation when addressing them in an official announcement.
Perhaps a bit of a personal conspiracy theory: I do wonder if this was "written" this way because having ChatGPT write it like this is the only somewhat guaranteed way to have it avoid putting em dashes everywhere.
what do you mean "twitter style"? People have written like that on the internet for years (like on IRC) for years before twitter existed. I don't know if that's where it started, but it certainly didn't start with twitter.
It reminds me of those affectations some kids back in high school picked up on purpose just to stand out. I knew a guy who went through a phase where he’d always talk about penguins and owned a bunch of penguin related paraphernalia because that was “his thing”.
That kind of posturing is forgivable when you’re a teen. When you do it as the CEO of one of the most influential companies today, it’s grating. When you do it because you’re another CEO in a similar market and you’re trying to signal that you’re part of the “in” crowd, it’s frankly embarrassing.
personally i find people who use the wrong apostrophe, don't know how punctuation works with quotes and tell pointless stories to be grating. c´est la vie.
> eg the past decade has seen us remove “that” as a qualifier, and the word literally has become interchangeable with figuratively
The latter didn’t happen just in the last decade, and the former hasn’t happened at all.
But no, I can pretty confidently say that the English language still has capitalization and punctuation in it, it’s mostly just on Twitter and in AI-related blog posts where people write like this.
I think the problem with this sort of regulation is two fold.
The first is that the cost of compliance is astronomical for small businesses and therefore it doesn't makes sense to supply your product/service to UK users if you don't really need them.
The second issue is the issue of data privacy. I don't think it is stretching the truth to say that the age verification is the Trojan horse of the upcoming digital ID requirements.
It is very clear that the UK/EU wants to move to a world were everything you do online is tied back to your digital ID somehow.
The problem with that is that we do not know how long and where this data will be stored, nor who will have access to it and what will happen when it starts being used to prosecute people in the future.
If the requirements were to simply prove you are above 18/21 and that was the end of it, then maybe it would be somewhat more palatable. But in reality, we know where this road leads.
It is not inconceivable that in 10 years from now once the full digital ID requirements are in place that you, a random citizen will find yourself in hot water because you accessed some part of Reddit and left a comment on a post where someone was advocating to go protest on the streets without the required permits to do so.
Make no mistake, this is where this leads. Full on surveillance state. And they say China is bad? Seems to me that China has become and example to follow instead of cautionary tale.
Question: What if you don't comply but are outside of the UK and have no business operating there making money, filing taxes etc. What is the consequence, criminal charges in absentia and an attempt at extradition?
Also, at $1.50/user, what if users pay for accounts? Perhaps this will be the Band-Aid ripping moment that ushers in sane communities that are no longer under attack by endless bad actors with infinite free accounts?
Once again, it seems like the regulations were likely written by the very people being regulated perfectly tailored to kill off any potential competition. An absolute classic.
Indeed. I usually expect that sites linked from HN will be reasonably safe and reputable so followed the link assuming it would be some sort of AI startup but not expecting anything like this. A warning would have been appreciated. @dang, maybe change the title to include some kind of NSFW tag?
Timely reminder to all UK people - your system is 100% set up to allow you to easily and legally change your government without bloodshed. This is the benefit of a constitutional monarchy.
By "changing your government" I don't mean "shuffle people in and out of parliament" or even "elect your 6th Prime Minister in 10 years".
They're using this as a nice marketing opportunity. "We don't understand the law...but here are our strong opinions on it...in lowercase".
Just because it's become really easy to spin-up a business doesn't mean your business should be allowed to ignore laws - regardless of your opinion on them. This should apply even more strictly to businesses selling/providing age restricted items. A small tobacconist is subject to the same laws around selling tobacco as a large supermarket. Why should this be different online?
I can understand basic disagreements with the general usefulness of the new law, but "I'm just a little guy" is a poor argument. Designing the law so you can only get your creepy AI porn from small businesses defeats the purpose of it.
Have you looked at the law though? Like actually? Elsewhere on the thread somebody posted a link where an owner of a forum for people who own hamsters as pets has to close down because they can't afford to comply with the law.
Um this website offers LLM-powered chat bots that can simulate pretty much any situation the user wants, and most of the content appears to be sexual in nature.
I’m no prude, but I think this is a not-great thing to expose kids to, and the UK government is maybe not-terrible to want some sort of way to gate kids’ access.
I think the point of the blog is still valid as the law applies to any content publisher/social media platform of any size. Even Hackernews could be a target if I understood correctly.
it places a huge compliance burden on the 99.5% of small sites out there which are completely innocent
"janitor.ai" is not one of those sites...
an effective OSA should be targeted at sites like that
and saying "UK users, we can identify your accounts and have deliberately left them open cough VPN cough" isn't going to help them in the slightest (see Section 19)
So they're whining that the UK has laws with teeth which makes it hard for them to offer AI sex bots without investing in adequate protections for minors?
It may be so, but as somebody else mentioned every site that lets people register an account and share stuff is affected because having legal age verification on site requires you to pay a third party provider and writing paperwork for the gov is too much for your site about pet hamsters.
I get both sides. Kids need some sort of protection online. But the UK law is maybe too harsh for small companies. Also hinting at VPN use to bypass the law isn't smart legally.
Protection for the kids should fall on the parents or schools, not the companies. It's not the companies fault if the kid is given full access to the internet, especially at a young age. It's bad parenting. If it's such an important issue, make the parents liable in some way.
This keeps getting parroted but it's flawed/overly idealistic/frankly naive. An awful of children are, unfortunately, poorly parented. This is not a new phenomenon, nor something we seem to be improving. OTOH, exposure to extreme material for young children is increasing, and has consequences beyond that child. Exposure to extreme pornography leads to a warped view of sex which affects everyone this child might have sexual encounters with. Exposure to extreme violent material leads to the murder of other innocent children.
I don't know where I stand on this legislation - my gut is that it's too heavy handed and will miss the mark. But I think we need to stop saying this falls solely on parents. The internet is far too big, and parenting is far too varied for this to work. I wish it would, but it won't. There simply aren't enough parents that care enough.
Damned if you do, damned if you don't. I think it's a terrible thing, but in this case, I think doing nothing is better than doing something. The unintended consequences far outweighs the benefits. The kids that want to find extreme stuff will find it anyway, regardless of regulation.
"But the unintended consequences" has been the standard response of tech startups to any kind of regulation, since they were started being regulated. At some point, it stops being believable.
Yes, and my response is compare the tech companies and sizes between the US, Europe, and else where. Over regulation. The same thing is happening with AI in Europe. I am taking an economic stance here.
Not really fair to put it on the parents. The internet has totally changed the availability. When I was a kid, to get porn you had to go to someplace that sold Penthouse or Hustler or similar magazines, those had nudes but didn't depict full-on sex. A lot of convenience stores and gas stations sold them but they wouldn't sell them to a kid. To get hardcore stuff you had to go to an "adult bookstore" or maybe the back room at a video rental place. Again they would not let a kid in those places.
Maybe you got to peek at something that a friend's older brother had, or a friend knew where his dad's stash was.
But bottom line it wasn't easily available and took some effort and risk to get it, and that's even if your parents weren't doing anything to prevent it.
On the internet it's just there. Maybe you click "Yes I'm 18" but that's hardly a roadblock.
What these laws do is try to get back to the 1990s and earlier when access was much more limited. Parents want this, they vote for this. In that sense, they are doing something about it.
You're optimizing for "fairness". The UK government, however misguided, is optimizing for good outcomes for the next generation. The thing that solves this may well be parents taking accountability, but, putting these expectations on online platforms in place doesn't hurt and can only help.
This is the same tired excuse that is given every time. Requiring parents to police their kids' Internet usage 24/7 is about as practical or desirable as controlling their location 24/7. At the latest if those kids have their own phones - or simply visit friends, it's not possible anymore.
Oh, so you want the government to police people's kids' internet usage 24/7, inadvertently screwing everyone else over in the process? I'm sure this will end well for the UK, especially the economy.
No one. Nothing should be done. If parents aren't going to do anything, what's stopping the kid from getting the parents ID when they're not looking? Or better yet, the same parent which verifies the site for the kid just to get them to shut up? It's the same parental group.
Good. Tech companies have acted far too long like the law is something like they can get to next week.
This firm doesn’t care a whit about the impact on users - they are just too cheap to follow the rules.
If your business can’t operate without regulation it shouldn’t operate at all because it clearly relies too heavily on exploiting labour and or consumers
Do you have more of your writing available anywhere? I’m fine-tuning a model to act as someone with uncritical deference to authority, a paternal view of government, and no apparent awareness of what it takes to comply with regulation or operate a real business. Your material could be the perfect training data!
Not just LOL, but I nearly fainted from laughter. Best takedown of illiberal authoritarian bootlickers on the internet today. People must be crazy or broken if they are so brainwashed or misinformed to believe even for a second that illiberalism or government oppression will somehow make their or everyone lives better.
> This firm doesn’t care a whit about the impact on users - they are just too cheap to follow the rules.
I'm old enough to remember when one of great things about the web was the low barrier to entry.
Not every site has a large company with deep pockets behind it. Some of the websites I've run, I've run at a loss because I was interested in the subject and thought it provided real value for other people. Probably the income from these sites was in the hundreds of dollars a year range, the cost in time and effort waaay beyond that.
I don't know the actual compliance costs here - I know the cost of a UK lawyer just to review obligations and liabilities is probably going to be a few hundred quid, if not substantially more. I don't know of many non-professional, or FOSS sites that could afford that.
Your curt dismissal of this huge chunk of the internet saying they shouldn't be operating at all is mind boggling
To be clear, I think a huge chunk of the tech giants also should not be operating! They need to be regulated heavily with algorithic feeds banned, anyone under 18 banned and better compensation for content creators.
The wild west of the internet was largely a mistake and created massive social disruption for the benefit of a tiny few and was caused by regulators being asleep at the switch. It is good they are finally catching up.
I have no idea why we need to require site operators to verify users ages? Just force the mobile phone companies do it. It would be pretty trivial for apple, with a front facing camera, face detection, and then just read everything on the screen. If something bad or offensive is shown, the phone is disabled and a notification is sent to the parents and the police.
The western internet as we knew it is dead. Privacy is dead, we already live in a post-Snowden panopticon. With multiple always-on microphones in every public room and often in private rooms too. HD cameras are everywhere. If you live in any major city, hundreds to thousands of hours of footage, which might contain you, is being uploaded for public view and AI training daily.
There have been other open source deathblow laws passed in the EU like the Cyber Resilience Act and the Product Liability Directive which have been repeatedly dismissed by other commenters on hn. Earlier stuff like the GDPR was dismissed too as only affecting big companies. The arguments in support of these laws have basically been you are small so you don't need to follow them. That seems like lot of disrespect for the EU's legal system but maybe it's well deserved.
It's only a matter of time until ID verification will be mandated even to make a post like this one on sites like hn. Western companies assisted authoritarian prison states in monitoring, censoring and controlling their citizens, when they should have been doing the exact opposite. Now it's really hard to argue that it isn't possible here.
Yes and also their business sounds risky as hell to impressionable children. I'm sure the creators of the Online Safety Act had websites like this in mind. They're doing the UK a favor by blocking, no-one needs these porn AI bots or whatever it is they're pushing.
It's run by a startup incubator, and a pretty large chunk of the user population has the notion that they will eventually end up part of the rarefied population of company founders that hit the jackpot and make their fortune.
Of course that affects attitudes here, even if most people on here will never actually be a founder, let alone a highly successful one.
Top management can never go against the RCSR guys, who are like priests of the church in medieval ages. And the RCSR guys have no goals linked to the progress of the real work. The don't like any thing that moves. It's a risk.
Management thinks that RCSR helps with controls around the work. But what happens is, you put more people in building controls, they deliver fort walls around your garbage bins.
Because the policy teams don't understand the technical details, they get hung up on things that don't matter so all your "security budget" (in terms of dev effort available for improvement) gets spent on useless things.
Because there is a CIS guideline recommending "do not put secrets in environment variables" in k8s, a team I work with recently spent two weeks modifying deployments of all their third party charts to mount all secrets as volumes, this included modifying / patching upstream helm charts. This will be a maintenance burden forever lol. Actual security benefit in context is approximately zero.
Meanwhile they COULD have spent that time implementing broadly effective things like NetworkPolicy or CSP for the front-end but now there is no dev time for that.
At the top levels of their process there are plenty of risk x impact matrices but there aren't corresponding effort / payoff assessments, so the things being done end up not being engineering.
The same companies won’t run a security bounty program because they think it’s a waste of money.
Security people just don’t get it, they don’t think like the bad guys.
Not if they never ever ship an update.
(i - briefly - worked for place that did things this way. They didn't update the chart, but they _did_ use `sed` to update the image tag from time to time.)
Legal frameworks are incredibly irritating and often defined by people who know nothing about what they're regulating. This can lead to very bad laws.
Given that we live in the real world and one can be sued for violating those laws, the stakes are quite high and low cost. Many states in the US allow individuals to bring suit based on these laws, meaning all that needs to happen is you make a mistake and some rando has time to hire a lawyer.
And that is, by the way, notwithstanding the reality that many of the annoying compliance requirements are actually not all that annoying in principle, they are annoying to implement because many software development practices involve the free flow of data.
Maybe that was fine when it was public blogs. But when it's someone's medical records or their financial data, or when it lands in the bucket of a Cambridge Analytica type, sorry, there's a higher burden.
It is frustrating, I know. But we as engineers need to take responsibility for the consequences and stakes of what we're building. It's lack of that awareness that caused many of the largest controversies in our industry.
In other words, the guys who actually believe in a normal level of compliance are hamstrung, defection is rewarded, classic failure mode of this kind of thing.
It's like how the growth of a tree trunk happens in a thin layer beneath the bark and the rest is inert wood.
What is this claim based on?
Is there 10x as much stress among French business owners? Are entrepreneurs working 10x as hard in China? Are there 10x fewer businesses in England?
And, stepping back a bit: To the extent that running a business is easier in America, how much of that is because the US exploits and bullies the rest of the world?
How much is because it's a huge country with vast resources (that were stolen from its murdered inhabitants)?
How much is because the lack of regulations allows for rampant externalization of costs?
How much is because businesses are more 'free' to exploit their own workers?
How much is because most of the mechanisms for basic accountability are broken?
These aren't "gotcha" questions. They're fundamentally important to our future, because none of that is sustainable.
But if the regulation is indeed oppressive or byzantine, everybody hurts and only the biggest survive.
*Social contagion effects on risk perception can be a confounding factor here, though.
Thus the only reasonable course of action was to do nothing.
Jeez, and I was just grumbling how it takes up to 24 hours for a change I make to appear in prod, compared to about 4 hours at my previous job.
It should be possible to develop automated systems and processes to keep most changes on the “happy path” where approvals are quick. These sorts of organization responses were a new layer of people who can say “no” grow whenever a problem happens or a regulation changes are suffocating.
This always reminds me of Darwin’s discovery — survival of the fittest — especially in the ruthless and highly competitive world of commerce. Yet this truth is often misunderstood or even outright rejected by those with a so-called "woke" mindset.
In such a competitive world, the only inevitable outcome for a business that isn’t fit enough is failure and eventual disappearance. Always remember: no one can be forced to buy a product or service if they live in freedom. Deals won’t happen because of burdensome frameworks like "RCSR." Trade flows naturally toward what creates the greatest value for both parties — usually better products or services at lower costs. From a Darwinian perspective, this kind of trade helps make the parties involved more fit. So why wouldn’t they choose it?
Hope all come to recognize this natural/divine will with reverence — and try our best to align with it and stay fit (while helping to keep those we love fit as well). This can truly help foster a competitive market and benefits all.
Reality, as always, as much more nuanced than this hot take. It's a balancing act.
That said the thinking that smaller platform should equal exemptions seems a touch flawed too given topic. If you're setting out to protect a child from content that say is promoting suicide the size of the platform isn't a relevant metric. If anything the smaller less visible corners (like the various chan sites) of the internet may even be higher risk
Take something like a plastic packaging tax, for example. A company like Amazon won't have too much trouble setting up a team to take care of this, and they can be taxed by the gram and by the material. But expecting the same from a mom-and-pop store is unreasonable - the fee isn't the problem, but the administrative overhead can be enough to kill them. Offering an alternative fixed-fee structure for companies below certain revenue thresholds would solve that problem, while still remaining true to the original intention.
But playing devils advocate a bit here if the risk profile to the kid is the same on big and small platforms then there isn't any ethical room a lighter regime. Never mind full exemption, any exemption. The whole line of reasoning that you can't afford it therefore more kids potentially getting hurt on your platform is more acceptable just doesn't play. And similarly if you do provide a lighter touch regime, then the big players will rightly say well if that is adequate to ensure safety then why exactly can't we do that too?
Platform size just isn't a relevant metric on some topics - child safety being one of them. Ethically whether a child is exposed to harm on a small or big website is the same thing.
Not that I think this act will do much of anything for child safety. Which is why I think this needs to go back to drawing board entirely. Cause if we're not effectively protecting children yet killing businesses (and freedoms) then wtf are we doing
Agreed, but I guess it could be the case that the current regulation is too burdensome even for large corps, but they could afford to have the resources necessary to deal with the regulation?
This, or course, would disproportionately burden smaller buildings, while some larger buildings would have little trouble to comply. Guess who would complain more often. But it, while outwardly insane, would clear small huts off the market, while the owners of large reinforced buildings would be able to reclaim the land, as if by an unintended consequence.
Driving the risk tolerance of a society lower and lower interestingly dovetails with the ease of regulatory capture by large incumbent players, as if by coincidence.
The UK is a leading example of what calls for regulation turn into in the real world.
I’ve noticed a lot of calls for regulation in Hacker News comments lately. In the past week I’ve read multiple threads here where people angrily called for regulations and consequence for anything LLM related they didn’t like: When LLMs produced mistakes, when they produce content too close to copyrighted works, and so on.
There’s an idea that regulation is a magical function that you apply and then the big companies suffer consequences, products improve to perfection to avoid the regulations, and nothing is lost for consumers.
Then you look at real-world heavy handed technology regulation and see what really happens: Companies just have to turn off access to countries with those regulations and continue on with their business. People who use the tools get VPNs and continue operating with a little extra hassle, cost, and lag. Businesses avoid those countries or shut down because it doesn’t make sense to try to comply.
There’s a constant moving of goalposts, too: Every time someone points out the downsides of these regulations it’s imagined that better regulation would have exempted the small companies or made it cheap to comply (without details, of course).
I think heavy handed technology regulation is yet another topic where the closer it gets to reality, the less people like it. When you point out real world examples, the response is always “No, not like that”
https://www.thehamsterforum.com/threads/big-sad-forum-news-o...
(Yes, the UK has effectively made it illegal to run a forum for people with pet hamsters.)
They deal with compliance in their terms and apparently did a reboot and apparently introduced new modding tools.
Did they reach the conclusion that they are not pose significant risks and that their tools are sufficient?
I'm very curious
I don't agree with everything in the Online Safety Act, but if anything needed a risk assessment, it's surely this?
Are there services which offer a less... risky... service that are similarly affected here?
You can read their community discussion at https://lobste.rs/s/ukosa1/uk_users_lobsters_needs_your_help...
[0] “law” here isn’t just laws made by governments, but also regulations made by e.g. Visa and Mastercard
That's happening with the AI act here as well. Almost no-one wants to even touch the EU shitshow and they're still going forward with it. Even Mistral was trying to petition them, but the latest news seem like it had no effect. Fuck us I guess, right? Both consumers and SMBs will lose if this passes as is.
It isn't populist either, no-one supports this. The UK has media campaigns run by newspapers, no-one reads the papers but politicians so these campaigns start to influence politicians. Always the same: spontaneous media campaign across multiple newspapers (low impact on other kinds of media), child as a figurehead, and the law always has significant implications that are nothing to do with the publicly stated aim.
Democracy has very little to do with it. Elections happen in the UK but policies don't change, it is obvious why.
For a site operator who seems really concerned about potential liability under this law, I sure wouldn’t have put this in writing. Feels like it really undermines the rest of the post and the compliance measures being taken.
Every other Youtuber these days is thanking NordVPN for sponsoring their channel then proceeds to walk through specifically how to use it to view geoblocked Netflix content, and they (and NordVPN!) are fine.
Yes, but the recommendation was for the platform, not the users ("For a site operator who seems really concerned about potential liability", emphasis added). Spelling out how anyone (including minors) can get to the site without any age check may not be an issue for users' own good but a liability for the platform
Not saying I agree or disagree, just clarifying what the text above meant
But I doubt this is specific enough to hit that bar - it is more of a factual note about what the law is for UK users rather than a specific call of "don't use our verification methods, use a VPN instead."
There's literally "Best VPNs For Accessing Porn in the UK" articles, they'll be fine.
It isn't, the Ofcom OSA act codes explicitly say that the site cannot explicitly tell people how to get past it's verification methods.
> There's literally "Best VPNs For Accessing Porn in the UK" articles, they'll be fine.
They're on journalism sites that are explicitly exempted from the law, so they aren't advocating for getting around that specific site's methods.
It will be interesting to see how this works on any social platform though. To my reading of the guidance Ofcom require Reddit, BlueSky/Twitter etc to block any posts discussing using a VPN to get around it, or at least require age verification to access those posts too.
But I think that contradicts other parts of the legislation, and Ofcom have got themselves into quite a predictable mess.
People aren’t prevented from using VPNs in the UK, in case anyone is unclear on this.
https://www.gov.uk/government/publications/online-safety-act... .
From what I'm reading, Amazon will have to implement age-checks over 8/10 of its book inventory, with the other 2/10 opening the company for liability about the very broad definition of "Age-appropriate experiences for children online." And yes, janitorai is correct that the act applies to them and the content they create, and a blanket ban to UK users seems the most appropriate course of action.
For what is worth, the act does not seem to apply to first-party websites, as long as visitors of that website are not allowed to interact with each other. So, say, a blog without a comment feed should be okay.
So if you filter out known bad words and spam comments, that could very well cover things.
https://onlinesafetyact.co.uk/ra_blog_with_comments/
Another example: here in the USA we have 50 states vying to each regulate AI; my understanding is that the plan was to have the OBBB put them off from doing this for at least 10 years, but that effort failed, leaving them free to each do their own thing.
Complying with all rules and regulations in all jurisdictions to which a website/service could be exposed (i.e. worldwide, by default) seems like it's becoming a well nigh impossible task these days.
Cyberspace is not, eventually, independent[1] if you plan to make money off it and use real world IDs.
[1]: https://www.eff.org/cyberspace-independence
It was fine when the Internet was a side hobby for a slice of the population, but now that it’s fundamental to all aspects of life, having it under the control of a foreign government (and the tech companies which act as de facto organs of that government) is no longer acceptable.
I'm broadly in favor, I think. This species can have instant global communications once it's shown itself equal to the responsibility that implies.
Is that the case here (and it just happens that I have no clue what this particular site is about) ?
Or am I grossly misunderstanding the act (very likely I guess since IANAL) ?
[1] https://www.onlinesafetyact.net/analysis/categorisation-of-s...
-------------------------------------------
Ofcom’s advice to the Secretary of State
Ofcom submitted their advice – and the unerpinning research that had informed it – to the Secretary of State on 29 February 2024 and published it on 25 March. In summary, its advice is as follows: Category 1
Condition 1:
Condition 2: Ofcom estimates that there are 9 services captured by condition 1 and 12-16 likely to be captured by condition 2. There is one small reference in the annex that the 7m+ monthly users threshold corresponds to the DSA (A6.15) Category 2a (search) Ofcom estimates that there are just 2 search services that currently sit (a long way) above this threshold but that it is justified to put it at this level to catch emerging services. Category 2b (children) Ofcom estimates that there are “approximately 25-40 services” that may meet this threshold.-------------------------------------------
https://www.ofcom.org.uk/siteassets/resources/documents/cons...
Everybody (who's not specifically exempted by Schedule 1, which has nothing to do with what you linked to) gets a "duty of care".Everybody has to do a crapton of specific stupid (and expensive) administrative stuff. Oh, and by the way you'd better pay a lawyer to make sure that any Schedule 1 (or other) exemption you're relying on actually applies to you. Which they may not even be able to say because of general vagueness and corner cases that the drafters didn't think of.
Also, it's not a "ruling". It's a law with some implementing regulations.
[1]: https://ofcomlive.my.salesforce-sites.com/formentry/Regulati...
I wouldn't be surprised if this ends up being a topic in trade negotiations with the US in the future though, since this is a trade barrier that imposes significant regulatory cost on US companies for content that is legal in the US. Eg. the proscribed categories of illegal content include knives and firearms, hate, etc.
Otherwise everyone from small sites to Facebook would just shop around jurisdictions and formally operate their websites from wherever fits them best.
And if a service is used by citizens of your country it makes sense to scale requirements by the impact it is having on them.
This particular law may not be great overall but I've got no issues with this method. As a site provider outside the UK it's trivially easy to avoid liability (by blocking people)
However I'd argue that from the UK perspective any of these developed countries would be considered reg-shoped.
They don't consider other countries' laws as sufficient to protect their citizens (which I probably wouldn't agree with).
I'm struggling to see a better approach to make sure any law applicable to online services is actually effective.
It seems like there are only a few options:
1. Only pass globally agreed upon laws (which is basically nothing and not realistic)
2. Only regulate domestic providers (which would severely disadvantage them and not resolve the underlying issues)
3. Block all foreign services (which is even more drastic).
In the end a states' power is tied to its territory and the people living within it. If not being active in that state at all releases you from it's laws I would consider this appropriate.
This is on the UK to fix (or not fix) for themselves.
what ruling are you referring to? This is about the Online Safety Act, an act of parliament.
Then there are additional requirements applied to 3 classes of services: Category 1, 2A, 2B. The latter have the thresholds as discussed above.
But, as usual, poorly written. eg a "Content Recommendation System" -- if you choose, via any method, to show content to users, you have built a recommendation system. See eg wikimedia's concern that showing a picture of the day on a homepage is a bonafide content recommendation system.
The definition
> (2)In paragraph (1), a “content recommender system” means a system, used by the provider of a regulated user-to-user service in respect of the user-to-user part of that service, that uses algorithms which by means of machine learning or other techniques determines, or otherwise affects, the way in which regulated user-generated content of a user, whether alone or with other content, may be encountered by other users of the service.
https://www.legislation.gov.uk/uksi/2025/226/regulation/3/ma...
If you in any way display UGC, it's essentially impossible not to do that. Because you pick which UGC to display somehow.
Source: I was recently listening to a podcast about court cases and an extradition case came up. They mentioned that reasons to not be sent are mainly about human rights, like if you need medical treatment that the target country can't (or isn't likely) to give, or if you would have to sit out your punishment under inhumane conditions (oftentimes you can sit out your punishment in the country that extradited you after having stood trial in the other country's legal system), or if the country you're being sent to was involved in your torture (them handing you over to another party that you know does torture would count, even if their own hands are 'clean'; that was the crux in this case, whether the victim aka accused person was handed over by the united states to pakistani intelligence and the usa therefore had forfeited their claim to further try the person for the alleged crime)
Or, you travel to the UK! It’s a pretty popular destination and Heathrow is a major European hub. It would be easy to get caught out.
The law may well be onerous and misguided. But looking at that site, it seems they reeeeally should do their due diligence. Not just to avoid the long arm of UK justice, but other territories too. It looks extremely dubious.
Their mitigation doesn’t make sense either. If they don’t shutdown UK accounts and those accounts use UK credit cards which continue to use the service via a VPN. It could be reasonably argued that they know they’re providing a service to a UK resident. So, they really need to do their homework.
What they’re actually complaining about is the cost of doing business. It sounds pretty amateurish.
When did this happen?
For an extreme case, ask Julian Assange what might happen if a country doesn't like what you put on the internet.
It's also possible for the owners or employees of the company to be held liable if they ever visit the UK.
Having said that, it can limit a lot ones travel possibilities.
If the UK had remained in the EU, then extradition might be possible (depending on whether courts approve it) but right now it's pretty unambiguously impossible.
https://www.gov.uk/government/publications/international-mut...
Apparently Germany is also (at least as of 2023) not extraditing non-citizens to the UK due to the condition of British jails as well so: https://www.theguardian.com/society/2023/sep/05/germany-refu...
I have no idea if this is a likely or even possible consequence, but that’s one way lots of people have gotten ensnared by the long arm of the law, even when jurisdiction is otherwise normally lacking.
You'd be well advised to avoid a country this like.
https://status.marginalia.nu
I really dont understand why parents don't bare the responsibility of their kids internet access as opposed to the expectation the internet raises their kids...
the question of whether the state should try to fix this stuff is irrelevant, it cannot
Many kids from these backgrounds are seen as little more than cashcows to help their parents get homes and income without having to work.
If you turn having children into a profit-seeking enterprise, you will get bad outcomes. The UK is in the bizarre position where people who should have kids aren't having kids but they are paying for the children of those who shouldn't have kids.
The statistics coming out about this are incredible. We are looking at 20-30% of this cohort likely being unable to work at any point in their lifetime.
the solution to children stabbing each other was to attempt to ban knives
i believe they are also gearing up for a ban on cigars, cigarettes have a scale which will make them effectively illegal for children born today, more types of pornography are being banned
...this is the same country which has legalised heroin use regionally btw...you need a licence to watch porn but your neighbour can shoplift, shoot up heroin, and you pay his rent...
however bad you think it is, it is much worse
??
What on earth are you talking about?
Platforms are also responsible for not allowing their services to be used to abuse children, which is also true offline.
As a wise man once said:
> The British legal system is and always has been a litany of injustices dressed up in formal attire. To be avoided at all costs.
I can assure you that this is such a scenario, as a restaurant in the UK is absolutely responsible for providing safe toilets for their customers, especially if a risk has been brought to their attention.
I also don’t think this act is the way to address these issues, but I don’t think it’s as easy as just putting everything at the feet of the parents as I imagine it almost impossible to police at home, not to mention at school.
When I think of older technologies like television, we have rules and regulations about what can be shown when.
Again, this isn’t to say this approach is right, but wanting to regulate isn’t an attack on free speech. It seems there is regularly a tension on HN between free speech absolutists, usually from the US and those more happy to accept regulation, usually from the EU
I don't, because I don't need to.
I had unrestricted access to internet when I was my kids age and I turned out just fine, just like the extreme majority of my generation.
I know that serious discussions about important topics are enough to make sure that even if my kids do access content that's not meant for children, they're not negatively affected by them, just like I wasn't.
Again I don’t have kids, so I’m not in a position to judge, but I can only imagine the pressures on children are completely different nowadays. For example, we didn’t have computers in our pocket 24/7 with all of our peers on the other end influencing us indifferent ways.
Just as an aside, the UK has been doing this for decades. One of the most permanent causes of legislative failure in the UK has been making laws based on media pressure that have potentially huge costs in the future. And as these costs emerge, guess what the only solution is? More interventions.
I would suggest that a country which cannot control crime, cannot control borders, has a collapsing economy, cannot house people, etc. has bigger problems than trying to arrest people for saying things on Twitter or shut down end-to-end encryption.
Hmm no it's really not. By the time I was a teenager, porn was easily accessible on the web, social media were in their peak use, etc.
> Your online service has links with the UK if:
> UK users are a target market for your service; or
> It has a significant number of UK users
What is "significant"? Is it a percentage or a raw number?
I'll click "no" - maybe 5% of my users are from the UK. Great, wizard complete! I don't need to worry...except:
> Please note that this result is indicative only
We have a free-to-use technical forum for our (data wrangling software) forum, powered by Discourse. I believe that might allow users to directly message each other. Does that count?
Only escape hatch they give you later is if all communication between users is delegated to other medium, eg. email or phone or sms.
I'm not sure what I need to do to comply. Anyone with a web-based forum had to deal with this? What changes did you make?
It depends what you mean by government but elected officials in the UK are almost completely irrelevant in this (and in most other things, their job is to get in front of a TV camera say how appalled they are that it has happened, no-one could have foreseen this, don't look back in anger, and that they are going to select from the same policy options that the Civil Service presented the last government with...which results in the same conclusion: more civil servants, more regulation, more corruption).
Ofcom has been making a massive power grab, this bill and other recent regulations are granting them massive new powers, and the UK has a system in which ministers have no functional capacity to block this.
Also, none of these laws are led by politicians. All the communications-related offences were led by security services. Do you know when Molly actually passed? 2017? And you are telling me that a law passed in 2025 is related? A law which largely contains things unrelated to her passing (i.e. significant expansion of Ofcom powers).
It is genuinely funny that people who have no idea about politics...as in first-hand knowledge which will just imagine that everything works the way they assume it must work. At the very least, you should exercise some common sense: we have seen multiple Home Office ministers pass through, ministers are gaining no new extra powers, Ofcom staffing has gone up by thousands, the amount of graft that has already gone on is staggering...but the one's to blame are, conveniently, the ones who are always blamed...but seem to be strangely unable to do anything...you cannot possibly be this credulous.
We are not technically a two party system and more than a handful voted for parties other than Labour and the Conservatives
Don’t fall into the trap of thinking that this law must have come about by sinister machinations just because you don’t think it’s a good law.
Elected officials are irrelevant because, in this case, they are functionally unable to propose a reasonable alternative. Policy options were presented, all of the policy options offered in this case were to empower Ofcom (again, how old are you? are you unable to think of another situation like this: same thing happened with BoE/PRA in 2010, same thing happened with Border Force creation, same thing happened with illegal immigration where the only functional action presented was to increase Home Office staffing, I can go on and on) so what was the alternative?
You also may not understand what is going on here either: this legislation gave Ofcom new statutory powers but what you might not be aware of is that Ofcom has also been granted through non-statutory instruments significant new powers that interlock with this legislation...who voted on that? Again: media campaign by the powers that be, multiple Home Office ministers have been railroaded into this, Ofcom/security services have been granted new powers (the latter by the back door...again, tell me what that has to do with "social media abuse"? nothing).
Finally, elected officials are mostly pawns. The majority of "them" do not know what is in the legislation. They have been told the PM wants "Molly's Law" passed, so it is passed. Some of the scrutiny was laughable...do you understand that the law has a provision that requires tech companies to provide "end-to-end encryption" that the government can break? To their credit, this was questioned by legislators several times...it wasn't removed from the Bill, despite it obviously being unrelated to anything in the Act. Again, how are you this blind? Do you see why elected officials might be irrelevant if you are so blind?
There was a lot of "vote splitting" and spoiler effect going on due to FPTP.
Labour have a very weak mandate.
There's a certain irony in our politics right now that FPTP has been maintained by two dominant political parties because it has served their purposes to have little real challenge from smaller parties despite those parties collectively having quite a lot of popular support. That same system has now all but ended one of those two dominant parties as a force in British politics and at the next election it might well do the same for the other. The scariest question is who we might then get instead if Labour don't force through a radical change to our voting system while they still have the (possibly last) chance.
Towards the end of the last Labour government in the UK, in the lead up to the election that ended it, I heard a Labour MP on the radio being asked about bringing in PR and transferrable vote systems (like we have here in Aus). His attitude was that PR is for losers. FPTP puts the winner in place. Anyone disputing this, or trying to bring up ideas about systems which give power to candidates representing a wider slice of the electorate - they're just losers who couldn't get the votes they needed to win. It was sickening to listen to.
The problem, of course, is that any party that gets into power gets in via the existing system, and asking them to change it is like asking someone to train their replacement and fire themselves.
Indeed. But Labour might be facing an electoral wipe out next time anyway like the Tories last year. Even if they do a decent job they're starting from such a bad position that it will be tough to rebuild enough public support for another election victory. Unfortunately that becomes tougher if they actually try to fix some of our long-term problems by doing sensible things that won't pay off in time for the next election.
If they realise that their current strategy of giving the vote to 16 and 17 year olds isn't going to be enough to stay in power and Reform (populist right-wingers) look like they're going to win big instead then there will be a lot of soul searching going on at Labour HQ. Making a change that will at least see them avoiding the fate of the Tories last time might be a bit more palatable for them even if it would still be a bitter pill to swallow for the many Labour MPs who were going to lose their positions either way.
Can but hope I suppose, perhaps when they're staring down the barrel of a Farage government... but I'm not seeing it.
thats literally all there is to it.
The UK doesn't have a First Amendment or a Bill of Rights other than the European Convention on Human Rights, that leading parties campaign of abolishing (if a bill of rights can be abolished by the legislature, it's not worth the paper it's printed on). Heck it doesn't even have a proper written constitution, it doesn't have separation of powers or an independent judiciary (the previous Parliament considered passing a law saying "Rwanda is a safe country to deport inconvenient asylum seekers to" in response to a court ruling (correctly) saying it manifestly isn't.
The UK and Australia are in a race to the bottom to see which one is going to be the worst enemy of the Internet. The only check against these authoritarian powers is popular juries, and they are trying to get rid of these as well.
https://hansard.parliament.uk/commons/2025-06-23/debates/250...
"with its members demonstrating a willingness to use violence"
As far as I am aware, have only damaged property. Have they actually committed any acts of violence or advocated violence?
It is embarassing for the UK military that they were able to get into a base and spray paint military planes.
Also, the group has directly harmed people too:
> A police officer was taken to hospital after being hit with a sledgehammer while responding to reports of criminal damage.
https://www.bbc.co.uk/news/articles/c0mnnje4wlro
It smells like a jumped up "assaulted a police officer" charge because you shield your face from their punches. Hitting someone with a sledge hammer is a suitably scary tabloid headline but physically unlikely and entirely out of character for the accused group.
Note that Avon Police have form as lying pieces of shit.
They attacked protestors and claimed 21 injured officers specifically: "officers got broken bones, had punctured lungs, were very seriously injured" in the national media.
Journalists contacted local hospitals and found no police were treated that night. They had to retract those claims and their list of the claimed injuries included staff who never attended the scene, a bee sting and a twisted ankle getting out of a car.
I expect similar will happen here but only after this claim has been used for years to demonise protestors.
That seems a stretch.
>A police officer was taken to hospital after being hit with a sledgehammer
I wasn't aware of that incident.
https://www.aljazeera.com/economy/2019/10/2/locked-out-why-i...
people have literally been jailed for "hate speech" here because they clicked like on a tweet. labour is currently debating an official definition of "islamophobia" which would criminalize stating historical facts like "islam was spread by the sword" and "the grooming gangs are mostly pakistani". the govt put out a superinjunction forbidding anyone (including MPs) from mentioning they spent £7B bringing over afghans allegedly at risk from the taliban, and also criminalizing mention of the gag order itself, and so on recursively. nobody (other than judges and senior ministers) knows how many other such superinjunctions there are.
all this and more is covered by those 17 categories.
on top of this, britain claims global jurisdiction here. think a minute how absurd that is -- any website anywhere that any briton might access is in scope, according to ofcom. and they claim the power to prosecute foreigners for these "crimes" ...
This has to be the most uncharitable reading of that situation I've ever seen. Have you been watching GBNews?
The Ministry of Defence messed up under the last government, a junior operative leaked a list of names of Afghan people who had helped the UK armed forces during the years of British and American presence. Not only that, but the list also contained the names of UK special forces and a few secret agents. This is bad and at that point they had a duty to protect the people they'd exposed.
So yeah, they got a "super injunction" to prevent reporting of the list to do further damage, and that does prevent prevent reporting of the injunction. I personally think such things are dodgy as fuck and shouldn't be available in law, but compared to using them to block discussion of (for example) a rich footballer or a journalist being caught having an affair, it seems like this was comparatively reasonable.
To paint this as purely an exercise hiding the spending of money on bringing afghans into the UK 'allegedly at risk' seems... well, uncharitable.
> on top of this, britain claims global jurisdiction here...
As do the EU (and UK) for the GDPR, and lots of other countries for lots of other things. If you're offering services to people in the UK you have to abide by UK laws.
We can talk about the laws being bad (and it seems this one is) but it's hard to see that principle as wrong, unless you're still in love with the old wild-west, no-rules-followed internet. I think those days are behind us.
I am aware that someone was jailed for encouraging people via social media to burn down a hotel with refugees in ( https://www.bbc.co.uk/news/articles/cp3wkzgpjxvo ). But not because they clicked like on a Tweet. Reference please.
Also I don't know what sort of weight "guidance" from a reg agency vs statute carries there, how much of a defense it is, etc.
This Twitter-style faux-casual way of writing is so common among AI people right now (see Sam Altman) and it’s extremely grating. I don’t know anything about this project, but if they really cared about their users, I would hope that they’d use capital letters and punctuation when addressing them in an official announcement.
Also:
> "and honestly? i..."
> "this is not just content moderation - it is a..."
These are two huge shibboleths of gpt-ese. He had to specifically tell the bot to write in that style.
That kind of posturing is forgivable when you’re a teen. When you do it as the CEO of one of the most influential companies today, it’s grating. When you do it because you’re another CEO in a similar market and you’re trying to signal that you’re part of the “in” crowd, it’s frankly embarrassing.
eg the past decade has seen us remove “that” as a qualifier, and the word literally has become interchangeable with figuratively.
its worth considering whether you’re just losing touch…
The latter didn’t happen just in the last decade, and the former hasn’t happened at all.
But no, I can pretty confidently say that the English language still has capitalization and punctuation in it, it’s mostly just on Twitter and in AI-related blog posts where people write like this.
The first is that the cost of compliance is astronomical for small businesses and therefore it doesn't makes sense to supply your product/service to UK users if you don't really need them.
The second issue is the issue of data privacy. I don't think it is stretching the truth to say that the age verification is the Trojan horse of the upcoming digital ID requirements.
It is very clear that the UK/EU wants to move to a world were everything you do online is tied back to your digital ID somehow.
The problem with that is that we do not know how long and where this data will be stored, nor who will have access to it and what will happen when it starts being used to prosecute people in the future.
If the requirements were to simply prove you are above 18/21 and that was the end of it, then maybe it would be somewhat more palatable. But in reality, we know where this road leads.
It is not inconceivable that in 10 years from now once the full digital ID requirements are in place that you, a random citizen will find yourself in hot water because you accessed some part of Reddit and left a comment on a post where someone was advocating to go protest on the streets without the required permits to do so.
Make no mistake, this is where this leads. Full on surveillance state. And they say China is bad? Seems to me that China has become and example to follow instead of cautionary tale.
There are normally two shift keys on your keyboard, try either one.
Also, at $1.50/user, what if users pay for accounts? Perhaps this will be the Band-Aid ripping moment that ushers in sane communities that are no longer under attack by endless bad actors with infinite free accounts?
Having to verify your identity (without it being exposed to other users) sounds like it could reduce endless botting.
On the other hand such a system is basically begging to be abused by bad actors (state and non state)
By "changing your government" I don't mean "shuffle people in and out of parliament" or even "elect your 6th Prime Minister in 10 years".
I mean change your government.
Just because it's become really easy to spin-up a business doesn't mean your business should be allowed to ignore laws - regardless of your opinion on them. This should apply even more strictly to businesses selling/providing age restricted items. A small tobacconist is subject to the same laws around selling tobacco as a large supermarket. Why should this be different online?
I can understand basic disagreements with the general usefulness of the new law, but "I'm just a little guy" is a poor argument. Designing the law so you can only get your creepy AI porn from small businesses defeats the purpose of it.
It is actually a really bad law.
I’m no prude, but I think this is a not-great thing to expose kids to, and the UK government is maybe not-terrible to want some sort of way to gate kids’ access.
it places a huge compliance burden on the 99.5% of small sites out there which are completely innocent
"janitor.ai" is not one of those sites...
an effective OSA should be targeted at sites like that
and saying "UK users, we can identify your accounts and have deliberately left them open cough VPN cough" isn't going to help them in the slightest (see Section 19)
it's an extremely trivial thing to do and the ofcom guidance is very easy to follow.
Problem solved.
Strawmanning their position isn't helpful to anyone.
I don't know where I stand on this legislation - my gut is that it's too heavy handed and will miss the mark. But I think we need to stop saying this falls solely on parents. The internet is far too big, and parenting is far too varied for this to work. I wish it would, but it won't. There simply aren't enough parents that care enough.
Should society just be about the accumulation of wealth and no other human needs considered? Or, have I misunderstood your comment?
Maybe you got to peek at something that a friend's older brother had, or a friend knew where his dad's stash was.
But bottom line it wasn't easily available and took some effort and risk to get it, and that's even if your parents weren't doing anything to prevent it.
On the internet it's just there. Maybe you click "Yes I'm 18" but that's hardly a roadblock.
What these laws do is try to get back to the 1990s and earlier when access was much more limited. Parents want this, they vote for this. In that sense, they are doing something about it.
By "good outcomes" you mean "addicted to the government"... which is not entirely surprising.
Are you sure?
Yeah. It’s called “parenting”.
Beyond the obvious response about parenting: do they?
There was absolutely no restriction on the web when millenials were growing up, and we didn't become a generation of degenerates.
I'd like to see actual proof that there is a need for mass online protection for children.
Their business is creating virtual AI friends, often with sexually suggestive themes.
You can browse through the characters here: https://janitorai.com/
Would you want to let a lonely kid who might already have self confidence issues and problems making real-life friends loose on that site?
This firm doesn’t care a whit about the impact on users - they are just too cheap to follow the rules.
If your business can’t operate without regulation it shouldn’t operate at all because it clearly relies too heavily on exploiting labour and or consumers
I'm old enough to remember when one of great things about the web was the low barrier to entry.
Not every site has a large company with deep pockets behind it. Some of the websites I've run, I've run at a loss because I was interested in the subject and thought it provided real value for other people. Probably the income from these sites was in the hundreds of dollars a year range, the cost in time and effort waaay beyond that.
I don't know the actual compliance costs here - I know the cost of a UK lawyer just to review obligations and liabilities is probably going to be a few hundred quid, if not substantially more. I don't know of many non-professional, or FOSS sites that could afford that.
Your curt dismissal of this huge chunk of the internet saying they shouldn't be operating at all is mind boggling
The wild west of the internet was largely a mistake and created massive social disruption for the benefit of a tiny few and was caused by regulators being asleep at the switch. It is good they are finally catching up.
The western internet as we knew it is dead. Privacy is dead, we already live in a post-Snowden panopticon. With multiple always-on microphones in every public room and often in private rooms too. HD cameras are everywhere. If you live in any major city, hundreds to thousands of hours of footage, which might contain you, is being uploaded for public view and AI training daily.
There have been other open source deathblow laws passed in the EU like the Cyber Resilience Act and the Product Liability Directive which have been repeatedly dismissed by other commenters on hn. Earlier stuff like the GDPR was dismissed too as only affecting big companies. The arguments in support of these laws have basically been you are small so you don't need to follow them. That seems like lot of disrespect for the EU's legal system but maybe it's well deserved.
It's only a matter of time until ID verification will be mandated even to make a post like this one on sites like hn. Western companies assisted authoritarian prison states in monitoring, censoring and controlling their citizens, when they should have been doing the exact opposite. Now it's really hard to argue that it isn't possible here.
Of course that affects attitudes here, even if most people on here will never actually be a founder, let alone a highly successful one.