UK Online Safety Act: Encrypted Privacy Under Threat

The UK's Online Safety Act 2023 has entered its enforcement phase, and the implications for encrypted communications and general internet freedom are far more severe than most people realise. Here's what's actually happening.

The Encryption Problem

Section 122 of the Online Safety Act gives Ofcom the power to issue "technology notices" requiring platforms to use "accredited technology" to scan content — even in end-to-end encrypted messages. This is functionally a backdoor mandate.

The government's position is that this doesn't "break" encryption because the scanning happens client-side (on your device) before the message is encrypted. Privacy advocates and cryptographers call this a distinction without a difference: if your device is scanning your messages before sending them, your privacy is compromised regardless of what happens to the data in transit.

🔐 What the Experts Say

"Client-side scanning is surveillance. It doesn't matter whether you scan before or after encryption — the result is the same: a system designed to report on the content of private communications."
— Open Rights Group, January 2026

Age Verification: The Identity Layer

Ofcom's age verification codes of practice require sites hosting "pornographic content" (broadly defined) to verify users are over 18. The approved methods include:

  • Government ID upload (passport, driving licence)
  • Credit card verification
  • Facial age estimation via AI
  • Third-party digital identity services

Every one of these methods creates a link between your real identity and your browsing activity. The age verification database itself becomes a high-value target for hackers — a single breach would expose the browsing habits of millions of verified users.

Scope Creep Is Already Happening

The Act defines "harmful content" categories that go well beyond its original child safety mandate:

  • Priority offences: Terrorism, CSAM (rightfully targeted)
  • Priority harms: "Content harmful to adults" - an intentionally vague category
  • "Legal but harmful": Initially removed after backlash, but Ofcom's codes of practice effectively reintroduce this concept through "duty of care" obligations

Sites that fail to comply face fines of up to 10% of global turnover or £18 million (whichever is higher), and Ofcom can order ISPs to block non-compliant sites entirely.

How This Affects You

If you're in the UK, the practical effects are already visible:

  • Several smaller messaging apps have withdrawn from the UK market rather than implement client-side scanning
  • VPN usage in the UK surged by over 1,000% in the week the enforcement codes took effect, with providers like NordVPN and ProtonVPN reporting record sign-ups
  • Multiple legitimate educational and health information sites are being blocked or geo-fenced

What Can You Do?

Privacy doesn't defend itself. If you think client-side scanning and mandatory age verification go too far, here's how to make noise:

  • Write to your MP. Tell them you oppose backdoors to encryption and mass age verification. Find yours at members.parliament.uk — even a one-line email counts.
  • Support the groups fighting back. Open Rights Group, Big Brother Watch, and Privacy International are all actively challenging the Online Safety Act.
  • Share this article. Most people have no idea what Section 122 actually means for their private messages. Spread the word.

In the Meantime, Protect Your Browsing

While the legal battles play out, FDat! keeps your browsing private. Smart Routing redirects only affected sites; BBC, NHS, your bank, etc. all stay direct. No identity verification, no logs, no machine IDs.
