Online Safety Act: A well-intentioned disaster?

by Mark Rowe

In July, the UK government announced the enforcement of the long-awaited Online Safety Act, which is intended to protect online users, particularly children, from accessing harmful and illegal content online, writes Nathan Webb, principal consultant at Acumen Cyber.

Online platforms now have a legal duty to protect children and have a mandatory obligation to adopt age-assurance measures, designed to prevent under-18s from accessing adult material or content that promotes self-harm, bullying, hate and the encouragement of dangerous stunts.

While the Act’s intentions are undoubtedly well-meaning, its arrival has been met with significant criticism of its impact and effectiveness from across the globe. Debates in parliament have centred on accusations of excessive government control over internet use and increased online surveillance, with some going as far as to call it censorship. Meanwhile, social media firms have faced backlash for over-blocking, where they have restricted legitimate websites in a bid to avoid massive fines, which can reach up to ten per cent of global revenue or £18m.

The security industry has also voiced concerns. Since the Act, VPN searches and downloads have surged to the top of app store charts, potentially giving threat actors a new opening to exploit by posing as legitimate VPN applications.

Experts have also warned of children using AI and video games to bypass authentication checks, a potential spike in spoofed “age-assurance” websites designed to steal personal data, plus ongoing worries over the security and jurisdiction of where that data is stored.

VPN sales surge

One of the most visible consequences of the Act has been the sharp rise in VPN usage and purchases on app stores. While VPNs are a legitimate privacy tool, the sudden rush, driven by the Act, has resulted in many users hastily downloading free solutions that may not put the user’s privacy first.

Researchers continue to identify cyber criminals who have been quick to exploit this demand, pushing malicious or insecure VPNs that can harvest data or install malware, with many questionable apps exceeding 50 million downloads. In trying to sidestep the Act’s guardrails, some users could therefore be placing themselves in danger of being attacked by cyber criminals and having their confidential data stolen.

Bypassing authentication

Despite the Act’s call for “robust” age assurance, advances in generative AI services have made these defences far from impenetrable. Internet users have been actively promoting their bypasses online. From deepfaked identity documents to AI-generated face swaps, depicting anyone from the Prime Minister to popular video game characters, there have been stories circulating online about internet users bypassing age verification providers in creative and flagrant ways.

Amongst this, there has also been a wave of newly established service providers set up specifically to help youths bypass the verification standards. Some of these specialise in creating ID of MPs, citing the Act as a security and privacy nightmare that will inevitably see confidential information caught up in a data breach.

Spoofed age-assurance domains

Every new verification process presents cyber criminals with a fresh opportunity for exploitation and it’s likely we will soon see a new wave of attacks specifically in response to the Act. As internet users become desensitised to handing over their confidential information to websites, we could see attackers spoofing age verification domains in a bid to steal confidential information, such as passport details or driving licences.

These phishing attacks are especially dangerous because they appear entirely plausible in the context of the Act. Once stolen, many types of identification data are impossible to reset, unlike a compromised password, leaving victims vulnerable to long-term identity fraud.

Data storage and sovereignty

One of the biggest issues with the Act is around data storage. There is no one centrally hosted verification system. Many of the popular age verification providers are based outside the UK, meaning highly confidential citizen data is now being held in different countries, which may not adopt the same privacy and security measures as the UK.

This could leave these citizens more exposed to breaches. Furthermore, with users actively bypassing the authentication measures of these service providers, this raises the question of what other measures can be bypassed.

There have also been concerns that some online sites have gone for the cheapest providers out of defiance against the Act. This could also call into question how good their security is and whether it meets the UK’s more stringent requirements. If not, sooner or later, we could see highly confidential data on millions of Brits being breached and exploited by criminals, which will cause huge and completely unmanageable identity theft attacks.

Protecting yourself

Although the Online Safety Act was designed to improve safety online, it has also created new risks that all internet users must navigate.

When it comes to mitigating these, users are advised to:

  • Choose trusted VPNs: Regardless of the purpose of the VPN, it’s always advised to go for products with good reviews, and clear and transparent privacy policies, rather than free or unfamiliar apps. It’s also wise to check beyond app stores alone for reviews.
  • Stay alert to phishing attempts: Treat all requests for identification and personal information with caution, even if they appear legitimate. Always check the domain address and verify requests directly with the platform.
  • Limit personal data sharing: Provide only the minimum information necessary for verification and ensure the provider is UK GDPR-compliant. Consider the likelihood that a site will contain themes of adult content before blindly supplying verification information.
  • Educate younger users: Not only discuss the dangers of harmful content, but also encourage conversations about online safety when bypassing online safeguards, and about what to do if they see concerning online material.

The Online Safety Act may have been introduced with the best of intentions, but its implementation creates fresh opportunities for cyber criminals, which brings its overall effectiveness into question.

These concerns must be addressed. Otherwise, it won’t be long before the Act becomes yet another unwitting disaster in digital governance that shatters privacy and does little to meet its intended goals.
