Fuck the Online Safety Act 2023
Note: I am no web developer, so progress on the site is slow & it probably looks aweful. Hopefully it at least gets the point across
This site is designed to detail the purpose, goals and inherent problems with the online safety act, as well as detailing secure ways to safely browse the internet without needing to hand over your ID or other personal details to 3rd party companies.
Petition to repeal the act - Please sign this petition.
The online safety act 2023 is UK legislation that was first proposed in 2023 and went live July 25th 2025. You can find the official Government documentation about the act here.
Here’s the the summary from the page:
The Online Safety Act 2023 (the Act) protects children and adults online. It puts a range of new duties on social media companies and search services, giving them legal duties to protect their users from illegal content and content harmful to children. The Act gives providers new duties to implement systems and processes to reduce risks their services are used for illegal activity, and to take down illegal content when it does appear.
So the official stance from the government is that the act is designed to protect children from potentially harmful content found online by forcing social media companies to preventing anyone who does not provide proof of age from seeing said content.
What this means for users of the affected services, if the content you view is deemed to be ‘adult’ in some way then you must provide the company, or some 3rd party service the company uses, some proof of age. This might be in the form of a photo of your ID, or a photo of yourself which will be used for age estimation.
Here’s the official list of categories that are deemed as ‘adult’ content in the view of the OSA:
Another aspect of the act is the government wanting to outlaw end-to-end encryption on messaging apps like Signal and Whatsapp, meaning they want the ability to read private messages on these encrypted chats.
Before listing the issues with the act, here’s a list of articles also detailing the issues:
While the act on the surface seems to affect obvious things like porn sites and content encouraging suicide, many other things have the potential to be affected, and already have been. Not only this, to reduce the risk of the huge fines associated with the act, companies are much more likely to overcompensate and simply block too much content, or block access to the whole site in the UK.
An example of this is reddit, and the subreddits you can no longer access from the UK without providing ID:
There are many more, this reddit thread has a number listed in the comments.
While the act primarily targets social media sites and search engines, this inherently also affects pretty much any site. Since it’s through social media & search that other sites are commonly found. So here’s a hypothetical: Imagine a horrible event occurs, such as mass genocide. Plenty of news articles and the like would be made about such an event. Rightfully so. However, such content about the genocide might fall under the ‘terrorism’ category above, or even ‘racially or religiously aggravated public order offences’ in some cases. So now social media and search engines must hide said content or risk facing massive fines. If it’s the government deciding what should and shouldn’t be considered as ‘adult’ content, then by definition they can also hide anything they don’t want you to see as long as they can loosely relate it to one of the categories in the act. The government should never be able to control the news and media in this way.
In summary, I don’t think the government should have this level of control over what we do and don’t have access to, and allowing this level of control only leads to what we’ve seen happen in china with the ‘great firewall of china’ and eventually a dystopia.
The act might also affect wikipedia.
The internet has generally been a place of freedom and free speech, where anonymity can allow for safe. This act will have a massive impact on this freedom, both around the idea of being able to post what you won’t without threat of it being suppressed in some way, but also in being able to view the content you believe in.
On the internet, on most services you can use a pseudoname and not reveal personal info, giving you an inherent level of safety and protection. We saw similar concerns back when the Government tried to end net neutrality.
As mentioned in the previous point, any control the government has over what we say and what we see online only hurts this freedom of speech and the internet in general.
Some small businesses may be hit with costs far too high when trying to implementing compliance with the OSA. An example of this is a hamster forum being shut down due to the act.
There are several costs associated with the act which could shut down a small uk business as well as potentially prevent international companies from acting in the UK.
Potential Costs:
Preventing small businesses from operating in this way would affect competition and make it only feasible for large companies to comply.
When it comes to security concerns, and the risk of a data breach from a company, it’s always a matter of WHEN it will happen, and not IF.
Due to this, it’s incredibly risky to give companies such private info such as your ID. While not directly related to the OSA, the ‘tea app’ is a clear indication of the risk of this when 13,000 users photos, IDs and GPS coordinates were leaked.
Regardless of how much you might trust a company, or how well respected they are, some things are never worth the risk. As stated above, it’s WHEN the date will be leaked, not IF it will be. It will happen at some point, and the risks associated with your ID being made public is far too high.
The stated goal of the act is to make the internet is safe for children (though it’s debatable if this is the actual goal behind the scenes due to the points mentioend above). However I would argue that if anything it creates more risk for children if anything. Children are very smart and ingenuitive, they are likely to find ways around the laws themselves by using tools like VPNs. However in using these tools without the proper security knowledge, they could open themselves up to more risk that just accessing it the normal way before the act. One example might be using a free VPN, which is very risky as the vpn host is likely collecting data that passes through the VPN. This could potentially include things like passwords.
As mentioned above, the laws are easily circumvented by using tools like VPNs, which has already seen a spike in usage from the UK since the law went live. There’s more sophisticated methods like TOR, which if used incorrectly might create access to the dark web.
Another example of how this is bypassed is by sending photos of IDs found online.
Some services also use age estimation by using a photo of your face. One example of this is discord, which has been easily bypassed by using photos taken from the video game death stranding.
Given how easy it is to circumvent the laws, it’s possible that the government will try make amendments or implment other legislation which will make it harder, thus locking down the internet even further and putting us more under their control.
This may seem dramatic, and maybe it’ll never reach that point, but stopping it at this early stage is still important to make it impossible to do so.
Part of the act aims to outlaw the use of end-to-end encryption on messaging apps like whatsapp and signal. This encryption allows users to privately message each other knowing that no-one can intercept the messages. It’s likely needless to say just how bad of an idea this is. The government should never have unrestricted access to all messages, we are entitled to a level of privacy which this act will revoke. WhatsApp and Signal have teamed up against the bill
“The bill provides no explicit protection for encryption,” they say, “and if implemented as written, could empower Ofcom to try to force the proactive scanning of private messages on end-to-end encrypted communication services, nullifying the purpose of end-to-end encryption as a result and compromising the privacy of all users. “In short, the bill poses an unprecedented threat to the privacy, safety and security of every UK citizen and the people with whom they communicate around the world, while emboldening hostile governments who may seek to draft copycat laws.”
From the above, it’s probably very clear I’m against the act, and refuse to give my ID to any random company. As such, until the act is repealed, I will keep this website up with information on how to use VPNs and TOR as seen below. Please sign the petition to repeal the act if you haven’t already.
Here’s an AI summary of what a VPN is: A VPN, or Virtual Private Network, is a service that creates a secure, encrypted connection between your device and a remote server, effectively masking your IP address and encrypting your internet traffic. This allows you to browse the internet more privately, access geo-restricted content, and connect to private networks remotely.
In summary, it lets you appear to be from another location, such as another country. If appearing to be from another country, this will allow you to bypass the act.
In terms of selecting a country, my initial reccomendation is Iceland, as they are reported to have the most freedom on their internet (strong data protection laws, minimal governmnet surveillance). However if you don’t get good speeds on this, you’ll want to select something geographically closer to home, so somewhere in Europe like France.
If you want to use a VPN, make sure you use a paid for service. Do not use a free VPN and those are very sketchy to say the least, and could potentially be collecting all sorts of information about you, even passwords.
When selecting a VPN, you need to consider your use-case and what platforms you need it to support. This is a good list of VPNs: Google Doc - VPNs Make sure to try pick one with a good ‘No Logs Policy’, since you dont’ want them storing any information about you as you browse, that would defeat the point of the VPN if it’s still tracking you. Make sure to also check it supports your needs in terms of devices, browsers etc.
Currently I’m using NordVPN, which has an android app I use, as well as a windows Desktop app and Firefox extension.
Some easy recommendations are:
I’m not going to provide full install instructions here as it changes depending on your operating system, device, vpn provider and browser, so I can never cover all scenarios. Once you’ve selected your VPN provider, check their documentation for how to configure it.
If you only want to VPN traffic from your web browser (on desktop/laptop), so only for websites you use, then make sure your VPN provider has a browser extension for your particular browser. For example, NordVPN has an extension for both chrome and firefox at least.
In this instance, you’ll want to go to your browsers extension ‘store’ and download the extensionh. Once installed, log into the extension and enable it. Make sure to select another country. I’d also recommend setting it so it always runs on the browser, not just when you enable it.
With NordVPN, if you have a homelab or some domain you don’t want going over the VPN, you can enable split tunneling and add your domain to it.
Make sure you VPN provider supports mobile, making sure they have an iphone or android app. This will generally VPN all traffic from the phone for all apps, rather than just the browser and web traffic, though you might be able to tweak which apps are VPN’d via the VPN app settings.
You might need to proxy all desktop apps, in which case you will need to check if the VPN provider has a desktop app for your paticular operating system.
One example of when you might need this is discord. If you are in servers with any ‘adult’ content, it is likely that you’ll need to provide a photo of your face for age verification. As mentioned above there might be other ways to circumvent this, however if that doesn’t work or is blocked in some way then you’ll probably need to use the desktop VPN app to allow discord traffic to go over the VPN. Alternatively you could use the web based version of the discord app and the web browser extension, but this won’t be an option for all apps. In the discord example specifically, I’d actually suggest self-hosting a separate service like teamspeak, as this will be very difficult for the government to track and block, but convincing friends to migrate over will be difficult, and it also requires some technical knowledge.
This method requires quite a bit of technical skill, but it allows you to send all traffic from all devices on your network over a VPN, so everything appears to be in another country. Note that for mobile devices it will only work when they are connected to your network (wifi/ethernet), for protection over cellular connection you’ll need a VPN provider that has a mobile app.
In this scenario, You will need some sort of edge router or firewall on your network which supports sending all WAN traffic over a VPN. I’d suggest a setup like this:
Internet > ISP Router > Firewall > Your devices Or ditch the ISP Router if you know how and if that’s supported by your ISP and internet connection type.
For the firewall, I would suggest a custom device running OpenWRT, OPNSense or PFSense. These all support VPNs clients and let you send all your traffic to a remote VPN somewhere, as long as your VPN provider gives you endpoints for this use case. NordVPN does for example. With one of these custom routers you also have the option of setting up a VPN server on your home network, so mobile devices over cellular can run a VPN client which connects back to your home firewall, which then sends the traffic out to the VPN server in another country.
The final option for VPN would be some sort of self-hosted VPN. This is the very technical approach and is not an option for everyone, but maybe you can ask someone technical that you trust to set one up. They likely already know about the act and maybe have something setup already, who knows.
If you want to do this yourself, you’ll need to find some Vritual Private Server (VPS) provider. This is basically someone hosting a VM for you on which you can run whatever you want. Oracle cloud has an ‘always free’ tier which allows you to spin up 2 low-spec servers for free, which are more than enough for the VPN. Just make sure to set the VPS location to somewhere outside of the UK. Once you have a VPS, you’ll need some sort of VPN application to run both the server of on the VPS, as well as the apps for on your machine. The 2 I know and have used previously and recommend are WireGuard (Fast) and OpenVPN (Easier to setup). Setup the VPN server on the VPS, then install the apps on your machines and link them up. The tools provide good documenation on how to do this.
I can’t provide much insight into this as I do not have children myself, but here’s some general guidelines and some websites detailing more:
Here’s an AI summary: