Geoblocking the UK with BunnyCDN
I recently wrote about performing an Online Safety Act assessment for my Mastodon server.
In that post, I noted that Ofcom's vague statements meant that they could feasibly conclude that another of my sites might _potentially_ fall in scope of Part 5.
Since then, I've performed an assessment and ultimately concluded that it's impossible to say whether Ofcom would consider it as being in scope or not.
Given the potential for multi-million pound fines, the only **safe** way to proceed is to assume that they _would_ consider it in scope and so would have expectations around compliance.
The problem with that, is that it's impossible to comply with demands for "highly effective" age verification without significantly infringing the privacy of everyone who visits. It's not like a licensed premises where you check anyone who _looks_ sufficiently young, verifying that no online user is underage means that you have to track the age **of everyone**.
That's a disaster waiting to happen, and I'll not be a part of it.
Instead, I've taken the decision to move the site _definitively_ out of scope by geo-blocking UK users.
This post describes how to configure BunnyCDN to geoblock requests from specific countries. I'll describe both how to block and how to redirect them to a page explaining the reasons behind the block.
* * *
#### Blocking Rule
To create a rule which simply blocks the request:
* Browse to your CDN pull zone in Bunny's dashboard
* Choose Edge Rules
* Provide a meaningful name
* Set the action to Block
In the match rules section:
* Match All
* Country Code (2 Letters)
* GB
Once ready, click `Save Edge Rule`.
* * *
#### Redirect Rule
Simply blocking users is effective, but potentially comes with a support burden: if you're reachable via other means (say, social media), you may find that you start getting messages from confused visitors saying that your site is broken.
To avoid that, I created a page to explain the block and suggest that, if they want to bug anyone, visitors should talk to their MP.
Technically, it's possible to serve the blockpage from the same domain, but I didn't want to have to mess around with a complex ruleset, so decided to serve it off a different domain (`www.bentasker.co.uk`) instead.
To create a redirect:
* Browse to your CDN pull zone in Bunny's dashboard
* Choose Edge Rules
* Provide a meaningful name
* Set the action to `Redirect`
* Enter the URL to redirect to
* Set the status code to either `302` or `307`
Then, in the match rules section:
* Match All
* Country Code (2 Letters)
* GB
* * *
#### Adding Exceptions
The reason that we chose `Match all` rather than `Match any` is that it allows us to add additional rules to create exceptions.
For example, I'd _quite like_ for my home address to still be able to access the site (I don't count as a user under the OSA because I'm the provider).
Because the rulesets are set to `Match All`, we can achieve this by creating a condition which will not match for our excluded IPs:
* Click `Add condition`
* Set the match type to `Remote IP`
* Click `Match none`
* Add an IP that you'd like to exclude
You can add additional IPs by clicking `Add Property`:
Any IP included in this rule will **not** be redirected.
* * *
#### Bonus: Block Page Status
Having created my block page, I decided that I wanted to ensure that it was served with an appropriate status code.
HTTP/2 451
`HTTP 451: Unavailable For Legal Reasons` was mooted in RFC 7725 and seems the most appropriate here.
My site is _also_ served by BunnyCDN, so I decided to add the override there
* Browse to pull zone
* Edge Rules
Then
* Set the action to `Set Status Code`
* Set `Status Code` to `451`
Create a condition
* Request URL
* Set the URL to be the URL of your block page
* * *
#### Conclusion
It is, all things considered, a fairly ridiculous situation.
It's not as if I'm operating Pornhub, it's a small archive of photos from when I was more active as a photographer. It's not even _particularly_ focused on model photography: there's architecture, vehicles and even flowers mixed in.
Personally, I don't think that it would fall within Parliament's intended scope, because the act's wording relies on the creator's intent
> content of such a nature that it is reasonable to assume that it was produced solely or principally for the purpose of sexual arousal
Unfortunately, Ofcom have said that they believe it is, instead, driven by context
> Whether content has been produced either solely or principally for the purpose of sexual arousal is likely to be dependent on the nature of the content itself, having taken the relevant contextual factors into account, rather than the intent of the uploading user or any viewer of it.
As I noted in my previous post on the subject, this leaves a ton of unanswered questions
* Is explicit content OK in a non-sexual context? If not, at what point does content become inherently in-scope?
* Do viewer interactions alter the context? If users have left sexually suggestive comments, could that push something in scope?
Ofcom's stated position is, essentially, that it'll all get ironed out in court.
No-one sensible is going to want to be the test case for _that_ , so all we have in the meantime is chilling effects.
