The introduction of the UK’s Online Safety Act has sparked a lot of conversation and confusion. Both users and businesses are still trying to make sense of what it really means and how to navigate it. Professor George Loukas, Professor of Cyber Security (Human-centric and Cyber-physical Security) at the University of Greenwich, is here to discuss some of the challenges and to explore how we might approach the Act more thoughtfully moving forward.
Since the Act took effect, we’ve seen strong public reactions and a spike in VPN usage. Beyond these obvious responses, what does this say about public engagement, and what real-world impacts are we seeing so far?
Yes, that’s true, the reaction has been huge, but it’s something we’ve been expecting for a while. This isn’t a new conversation. The bill has been in the works for a long time, with plenty of consultations, and those will keep happening. The central issue here is the classic privacy versus safety debate, and that’s not going away anytime soon, especially because it ties into technological advances that haven’t happened yet.
For example, the bill assumes to some extent that we can scan messages without breaching privacy, but that’s not technically possible. It also expects that there will be age verification, which isn’t fully achievable yet. So in many ways, parts of the bill feel more like aspirations. Overall, though, it shows the public really does care about online safety. We just want it done the right way.
The gaming industry still isn’t tightly regulated. Are there other areas or technical challenges in implementation you think are being overlooked?
I’d say the gaming industry is the most obvious one. That’s mainly because it’s not used to the kind of regulation we see in other sectors. For example, the adult industry was impacted right away, but that was expected. The gaming industry doesn’t have that experience, so there’s more of a ‘wait and see’ approach.
Other than that, I wouldn’t say there’s a specific industry that’s completely different, but companies without strong tech resources or expertise seem just as surprised and unprepared as the gaming industry.
With age verification and ID checks, especially for younger users, there are concerns about surveillance and data handling. Do you see a risk of misuse, and how should businesses approach data responsibility?
Companies with experience in handling data will just see this as another area where they need to act responsibly. But for those who haven’t had to do it before, as in the gaming industry, it’s going to be harder. They often lack the technical know-how or experience to follow the rules and handle data ethically.
The risk is real and has always been there. And until there’s a proven, risk-free way to do things like age verification or message scanning, it’s going to remain. At the end of the day, they are still human beings behind every company decision, so mistakes will keep happening.
With AI-generated content on the rise, including age-restricted material, do we have effective ways to spot and moderate it? Could AI also help enforce the Online Safety Act more accurately?
That’s a huge point. AI is transforming everything. Including how illegal content is made, how protections are bypassed, and how we try to detect it. Since the very beginning, the instinctive reaction of all scientists to detect deepfakes has been to use another AI to spot them.
I can’t imagine a world where AI isn’t part of large-scale detection, at least for now, it’s the only way. But it can’t work alone. It needs to be part of a solution. There’s no way that AI will ethically and accurately do this on its own, humans still have to be involved. However, the only way for it to happen is through education.
If people affected by AI aren’t educated and can’t recognise the signs of AI manipulation, that’s a problem. It’s not enough to assume someone else will handle it. In the past, that might have been a company, and now it might be AI. But relying on others to do it for them isn’t the right approach.
What do you think the next phase of online safety regulation will look like? If you could advise policymakers, what would be your top recommendation?
The main thing I notice in all discussions about the Online Safety Act and in the Act itself is technology. It’s quite aspirational, as mentioned earlier, meaning it expects tech to be developed, without outlining the steps needed to achieve that. But for it to happen, it can’t just be a recommendation or general advice from lawmakers. It actually needs to happen. But companies don’t always have the interest to invest, and in some cases, the tech is impossible to develop. In my view, this hasn’t been taken into account sufficiently so far.
If we take age verification as an example, which is my primary interest, I think we need to accept that age verification solutions won’t be perfect at first. They’ll start with lower accuracy and improve over time. Right now, the expectation is near-100% accuracy from day one, which leaves people with document checks as the only real option.
The problem is, document checks kill almost every industry. No one will play a game if they have to do a document check in the beginning, and if you only check once, it defeats the whole purpose of online security; anyone could use that account later. For age verification to work, we need to allow lower accuracy at first so that innovation can grow from R&D and scientific communities. Otherwise, we stick with high-friction methods that push people to find workarounds. We’ve already seen the huge spike in VPN use from people avoiding document checks. Lawmakers should carefully consider this trade-off between reducing friction and potentially lower accuracy.
Any final thoughts you’d like to share?
Overall, I think we should stay positive about the bill because it does serve a real purpose. In science, there’s often this obsession with optimality, but this isn’t optimal, and it will make mistakes. In fact, there are already some technical errors. Still, we have to remember the goal is to make the internet safer, which is direly needed at the moment.
Watch the full interview here: YouTube
Dilki Rathnayake is a cybersecurity content writer and the Managing Editor at Information Security Buzz, with a BSc in Cybersecurity and Digital Forensics. She is skilled in computer network security and Linux system administration. Dilki has also led awareness programs and volunteered for communities promoting best practices for online safety.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.