Ep16 - Chat Control Digital - Privacy Dies October 14th
What is going on? We are releasing this episode as an emergency, tackling a topic that cannot wait: it seems that governments all over the world have agreed to definitively destroy online privacy. We know, we talked about mass surveillance just a few months ago, but a new thing comes out every day. Unfortunately, these are not isolated cases, but a true and proper generalized authoritarian push common across that entire West that boasts so much about being democratic. And on top of all this, we have some recent moves by phone manufacturers that will make finding technical loopholes increasingly difficult.
But let's take things in order. On July 25th, the Online Safety Act came into force in England, a measure that requires various online platforms to verify the age of their users. As usual, the pretext is to protect minors, and in this case, they want to prevent them from accessing content unsuitable for their age. Okay, a noble intention, but as we have already explained in other analyses, there would be better ways to manage this kind of problem, like investing in education. Instead, they insist on control. Is there a hidden agenda?
The suspicion grows when we consider that the list of content considered dangerous for minors is quite vast. In fact, the ban does not only concern pornography, but also violent, discriminatory content, content that encourages eating disorders, depicts dangerous activities, and so on. All in all, everything seems legitimate enough, but the result is that various news reports, such as debates on immigration or updates on the situation in Gaza and Ukraine, have magically become inaccessible to anyone who refuses to be identified. You heard that right: in England, you must identify yourself with an identity document to read what is happening in Gaza or Ukraine.
And if you think that's insane, you'd be right, but hold on because it will be coming to you too. We’ll get to that in a moment, but to complete the picture, we should also mention that English law stipulates that all platforms used by more than 7 million people in England, and which include user-generated content, will have to enable an age verification system. This, of course, potentially includes all social media, but also other unsuspected sites like Spotify and Wikipedia. The problem – before anyone jumps up to say, "It doesn't concern me because I don't live in England" – is that when these things are technically implemented, it's just a matter of enabling them with a switch, State by State. And, as we will see shortly, the laws that the European Parliament is formulating are moving exactly in that direction for us too.
So, while Spotify immediately adapted to the implementation of an identity verification system, the Wikimedia Foundation filed a lawsuit against the English government, a case they later lost, although the final word has not yet been spoken. In fact, according to the ruling, the government must still commit to protecting Wikipedia, even if it is unclear how...
How Age Control Works and the Impact on Privacy
English law gives no technical suggestions and delegates everything to the service providers. Consequently, each platform has implemented its own verification system. Some ask to upload a copy of personal documents, some estimate age using AI and facial recognition, and some ask to enter credit card data. This is a disaster for privacy from many points of view. People are uploading an industrial quantity of sensitive data to multiple servers. Will they all be super secure? Obviously not. It is only a matter of time before one of them suffers a data breach, facilitating the work of all those who commit identity theft.
Furthermore, this habituates users to constantly provide their data just to access services of interest. Think of cookie banners. Most users already click "Accept" blindly just so they disappear as quickly as possible. Similarly, many people will get used to sharing their face, their ID card, and who knows what else on random sites just to access them. It is quite plausible, even logical, that phishing sites that use the pretext of identity verification to obtain sensitive information will multiply like mushrooms.
Naturally, the British did not like the measure at all and launched a petition on the official Parliament website that exceeded 500,000 signatures. They have also invented various stratagems to circumvent identity verification, some quite amusing. For example, in England, Discord and Reddit already require identity verification via camera. One user managed to pass the first step using the face of a well-known meme, but then the system asked him to open his mouth to prove he was a real person. So, he tried to use the video game Death Stranding, whose avatars can simulate various facial expressions, and the AI fell for it. One more reason why they will probably simply ask for our ID card.
Another protest initiative came from a developer who created the site usedid.com from which an AI can generate a fake document using the face of the parliamentarians who approved the law. Well, despite the writing "This is satire" that appears as an overlay, it seems that the site has been obscured by several providers, but probably the most visible reaction was the massive increase in the use of VPNs. Proton VPN released a graph showing that the number of logins increased by 1400% on the day the law came into force, and other services reported similar increases. This has worried the English bureaucrats who evidently have just discovered what VPNs are...