Your compliance obligations under the UK’s Online Safety Bill; or, welcome to hell

Macrobius

Megaphoron
tl;dr -- lol. Fuck the Red Coats. Sorry, Canada, but you can't fix broken.



Last month I wrote a post about the UK’s “world-leading” vision for age-gating the open web. It got a bit of attention. That post, sadly, encompassed only one aspect of your compliance obligations under the Online Safety Bill. In this post, I’m going to tell you about the rest.

I apologise in advance.


Preamble from the room where it happens


“This is fine”
This post was tricky enough to write, but on top of that, last week I found myself in the Palace of Westminster, representing my employer at a roundtable of small tech businesses and startups who stand to be collateral damage in the UK’s determination to regulate the internet around Facebook, via this Bill. That meeting gave me a chance to work through some of these concerns and to sharpen others.

Or it would have, if the nine MPs across three parties who were scheduled to attend actually showed up.

Only one did.

And he’s a good ‘un who “gets it”, but who also has skin in the game about being on the receiving end of the most horrific online abuse and wants us to help him and people like him.

That is the kind of person we should be working with, and doing business with, to help him and people like him without throwing everyone and everything else under a bus. Me, I will sit down and work with representatives like him any time.

Where was everyone else? Well, you could assume that they were off playing real-life Game of Thrones; Boris Johnson’s time was up, you see, so they were all elsewhere drawing up factions and sharpening knives.

Or you could be cynical and say that a meeting about small businesses like yours held no interest for them; there’s no headline, no PR, no wild west hero sheriff fantasy, no “big tech crusader” mantle to claim for anyone sitting in a room with the likes of me and, by representative extension, the likes of you.

So the roundtable was a real-life version of the “this is fine” meme, as everyone who was in attendance sipped their coffee and nibbled their patisserie and chatted amiably while the room was on fire.

Still, being on one side of the building while the government was literally collapsing on the other side of the building, and then heading up the street to have a giggle fit at the party in front of No 10 (link NSFW), made it a meeting I’ll never forget. I mean, what are the chances that I walk into Parliament for the first time in two and a half years and the government implodes?

Whoopsie.

Now let’s amble.

I want to help you understand what the UK’s draft Online Safety Bill will mean for you and your work on the open web. This post is my attempt to explain the compliance obligations, as they’ve been drafted, and how they will hit you.

By “you”, I mean anyone working in a company or a project which will fall in scope of the Bill, whether that’s your paid work, your software community, or your personal hobby.

And by “you”, I mean a company which is Not Big Tech, or as I’ll call it for the purposes of this post, NBT. They have their compliance departments, legal teams, and policy specialists. You don’t.

“You” also means an NBT whose product or service does not engage in legal and consensual adult content or conduct. That means porn. And that means porn either as your main business model or as some of the content on it; because if you are, you’ve got specialist compliance experts for that too.

As with the previous post, this is tremendously long: 4100 words. There’s really no way to make it shorter. You’re going to need something slightly stronger than coffee. Please drink as responsibly as a Conservative MP with poor impulse control at the Commons bar in the middle of the day.

It goes without saying that this is not legal compliance advice. It also goes without saying that this is a draft Bill, not quite “the law” yet, so anything I write here is subject to change.

Additionally, I present this post for information only: so don’t shoot the messenger. Not all of these ideas are necessary, proportionate, or even feasible. I’m presenting them to give you the facts you need to work with.

How to read this post

This post reflects the second draft version of the Online Safety Bill, plus amendments, as published on 28 June 2022. Unfortunately, it is only available in PDF (that link opens up the document, which is 230 pages).

When you see a numbering system following an excerpt from the Bill, that’s my shorthand for the Part, Chapter, Clause, and Paragraph it came from within the draft Bill text. So for example, 3/2/8/(5) refers to Part 3, Chapter 2, Clause 8, Paragraph 5. I wouldn’t have to do this if legislators published legislation in open text formats rather than PDFs. Pfft.

As you read this post, you should also hold everything in it in the light of these two questions.

The first is:

How will my having to do this address online harms and make the web a better place?

And the second is:

Why is this government throwing me, and my team, and my project, under a bus, with these compliance requirements and obligations, in order to get back at “big tech”?

If you can’t come up with an answer to either of these questions, that itself is the answer.

I have divided this guide into six areas:

  1. Is your work in scope?
  2. Compliance assessment obligations
  3. Administrative obligations
  4. General monitoring obligations
  5. Compliance costs
  6. What can you do?

Is your work in scope of the UK’s Online Safety Bill?

Is it possible for your site, service, or app, which allows content to be shared and/or people to communicate with each other, to be accessed by any adult or any child within the UK?

Then you’re in scope.

NB “accessed” doesn’t necessarily mean that a user can set up an active account on your service. If a British adult can merely download your app on the app store, the app is in scope. If a British child could merely type your URL into a browser, the site is in scope.

This Bill has been aggressively promoted as being about “big tech” “social media” “tech giants”, but it is not, and it never was. The ongoing line that it’s here to “rein in the tech giants” is, and always has been, bullshit. In fact, I’m going to start being really hardline about this by saying that anyone – be it politicians, media, or civil society – who still discusses it as being about “big tech” and “social media” and “tech giants” is spreading disinformation.

And you folks need to stop that.

So the bottom line is that it’s easier and safer to assume that you and your work are in scope, than to assume that you are not.

And don’t forget that this regulatory regime is expected to be extraterritorial. If you are not in the UK but your site, service, or app can be accessed by anyone in the UK, you’re fair game.

Compliance assessment obligations

First let’s talk about the paperwork. As you’ll recall from the previous post, the government’s digital regulation strategy is to scrap EU bureaucracy and paperwork and red tape in order to, erm, make way for UK bureaucracy and paperwork and red tape. Bumf, but British bumf!

First and foremost of these are the risk assessment obligations you will be required to devise and produce to keep Ofcom, as the online harms regulator, happy. This is a result of the Bill’s attempt to transfer the offline “health and safety” model to the open web, in the belief that online harms are a series of trip hazards which can be nailed down with proper risk assessments.

I’ve had a good few years to reflect on this model of internet regulation, and it finally dawned on me that the “trip hazard model” was a Freudian slip that gives the game away. The intention is not to prevent companies from laying “trip hazards”. The intention is to use the legislation to lay trip hazards in front of companies, in the form of these impossible risk assessment compliance processes, which exist solely to create the paperwork needed to set you up to fail.

It’s these assessments that are the trip hazards, on purpose.

Sometimes risk assessments can be good. However much everyone rats on GDPR, the privacy impact assessment is a priceless opportunity to ask open-ended questions, and follow where they lead, to prevent problems from ever happening down the road and mitigate the ones already in play. Those questions, of course, are based in international standards and human rights principles. What’s on the table here, by contrast, doesn’t seem to be open-ended questions or the upholding of international principles. This is table-pounding which demands: prove yourself, or else.

So what are these assessments? Your NBT will have to go through these, at the very minimum. Their specific shape, size, and requirements are yet to be determined – that’s for Ofcom down the road, as with so much else of this legislation – but what is about to be hammered down in law are the following:

  1. An illegal content risk assessment
  2. Your duties towards that illegal content
  3. Your duties towards the reporting of content
  4. Your duties towards establishing complaints procedures
  5. Your duties about freedom of expression and privacy (this is all the Tory culture war BS landing on your doorstep)
  6. Your duties about record-keeping and review of your content moderation and takedown policies
  7. Your child access assessment (the age gating)
  8. A child risk assessment
  9. Your duties about children’s safety
  10. Transparency reports

Let’s zero in on just two of those: the illegal content risk assessment and the child safety risk assessment.

[In Yul Brynner King Voice] et cetera et cetera et cetera

- 30 -

Older, on the same topic

 

Macrobius

Megaphoron
tl;dr - If this passes in its current form, we'll have to hide our UK members in the wall, like Anne Frank.

To be clear... (from a previous blog from the OP, a month ago):

As it has been drafted, the Online Safety Bill will require all services plying their trade online – no matter what they do, no matter where they’re located, no matter how small they are, no matter what they’re trying to put right in the world – to know the ages of all their visitors or users, in order to determine which of the users are children, in order to determine whether or not the service must be made “child-safe” per the Bill’s other requirements.

That's right -- UK children are going to be used as body shields for Big Tech and Big Government grifting. You read it here first.

Citation: https://webdevlaw.uk/2022/06/17/data-reform-bill-cookie-popups/
 

Macrobius

Megaphoron
Another choice quote

Have a cookie [biscuit? hard tack?] and a glass of scotch whisky. This is going to take a bit to stumble through:

So how’s this going to work? The simplest way to explain this is that it’s going to be like cookie popups, mandated onto every site and service, at the point of page load, regardless of any subsequent interaction with the service. Except that instead of asking you to confirm your choices, it’s going to be asking you to confirm your identity.

No passport? No driving license? No credit card? No internet for you. Digital exclusion a go-go.

(Mind, the Bill’s drafters haven’t thought that far down the road yet. Unless, given this government, they have thought that far down the road yet, and know exactly what they’re doing by requiring identity verification in exchange for internet access.)

But they do have an alternative in mind for how users can verify their ages if they don’t have an official form of ID at hand.

You see, service providers – meaning you – will also be encouraged to use what is called “age assurance”, which is a means of estimating or determining your age without the use of some form of official government- or bank-issued documentation. At the moment, the leading idea in the field is the use of the webcam to measure the head of the person sitting in front of the screen. AI then does the job of determining whether those measurements correspond with those of a child. You may recognise this practice from what the Victorians called it: phrenology.

Never mind of course that AI tech for 'face recognition' has a blind spot when it comes to blaqs. But who cares about niglets and gollywogs doing that rolly-eye thing, eh? Certainly not the Tories.
 

Macrobius

Megaphoron


Am I the only one wondering today if the new British programme to measure children's craniums using video could also measure AOC's arse size?

'hey it's round enough and has the proper diameter to be an adult'

She can probably use it like a dinosaur hip-brain sort of thing.[1]

*Internet Pass granted for AOC*

[1]:



No, I haven't verified the quote and I don't care. True dat.
 