Why UK Online Safety Act may not be safe for bloggers
- Reference: 1738830307
- News link: https://www.theregister.co.uk/2025/02/06/uk_online_safety_act_bloggers/
- Source link:
According to Neil Brown, director of British law firm decoded.legal, it's a possibility under the wording of the law, though clear direction has not been provided.
The Online Safety Act (OSA) was [1]passed in 2023 for the stated purpose of protecting children and adults online. It attempts to do so by [2]requiring that designated online service providers police content and activity related to [3]17 categories of harm [PDF], including terrorism, harassment/stalking, coercion, hate, intimate abuse images, and child sexual exploitation and abuse (CSEA), among others.
[4]
As Ofcom, the regulatory body charged with implementing the law, [5]explains , "The rules apply to organisations big and small, from large and well-resourced companies to very small 'micro-businesses.' They also apply to individuals who run an online service."
[6]
[7]
The rules cover a variety of "user-to-user" services that serve the UK market in a significant way, whether they're inside or outside the country. This includes social media sites, photo sharing sites, chat or instant messaging services, dating services, and gaming services. The rules also cover search services.
Ofcom has created an online [8]Regulation Checker to help those operating web services understand whether they're obligated to comply. That decision is consequential because the penalty for non-compliance can be severe – a fine of £18 million ($22 million) or 10 percent of their global revenue, whichever is greater. There's also the potential of criminal liability for senior managers who have ignored obligations or lied about compliance.
[9]
Affected web services are expected to conduct a [10]risk assessment and to put in place various mitigations (eg, more effective content filtering technology) to deal with identified risks. Even so, there's still some confusion about what's required of individuals operating websites.
"As with quite a lot of the Online Safety Act, even with Ofcom's tomes of guidance, the answer to some of these most basic questions, particularly in the context of services provided by individuals, is, at this point at least, 'sod knows,'" Brown told The Register via email.
Brown said he intends to put this question directly to Ofcom, though he doesn't expect a straight answer.
[11]
As we [12]reported last month, the Online Safety Act has a set of obligations that come into force on March 17, 2025, and large website operators are already concerned. [13]Several , like London Fixed Gear and Single Speed, have stated that they [14]will shut their online forums rather than attempt to comply. And outside the UK, online discussion site [15]Lobsters has [16]implemented a geoblock that will prevent UK visitors from accessing the site after March 16.
if a service allows someone to comment on anything else, the exemption no longer applies
The issue for operators of small websites is whether they are [17]exempt from the obligations imposed on what the law defines as a "regulated user-to-user service."
Because the wording of the law offers an exemption with regard to "posting comments or reviews relating to provider content" (eg, comments about bikes posted to a bike blog) and specifically says that user-generated content is not provider content, Brown believes individuals running websites could be held accountable for posts by third-parties that are unrelated (off-topic) to the content on that site (eg, an AI-generated explicit image posted to a bike blog).
"I think there's a reasonable interpretation of the words written by Parliament that, while a user-to-user service comprising posting comments relating to a blogpost is exempt, if a user-to-user service allows someone to comment on anything else, the exemption no longer applies, and the service is in scope of the Online Safety Act," Brown explained.
[18]UK government pledges law against sexually explicit deepfakes
[19]Investigatory Powers Bill to become law despite tech world opposition
[20]Brits must prove their age on adult sites by July, says watchdog
[21]DeepSeek rated too dodgy down under: Banned from Australian government devices
Brown makes that case in more detail via a [22]sample illegal content risk assessment for a hypothetical blog. His conclusion is that the exemption from liability applies only to the extent that third-party blog comments relate to the topic of the blog post. If off-topic posts appear, the exemption no longer applies, he suggests.
"There is an argument that [23]4(a) applies only to comments about Alice blog posts, and that, if a commenter comments on something else, the comment brings the whole services outside the scope of 4(a), and thus is no longer exempt," Brown's content assessment explains.
Brown also observed in a Mastodon [24]post that the UK government has [25]exempted itself from liability for content posted by those visiting government websites.
Ofcom did not immediately respond to a request for comment. ®
Get our [26]Tech Resources
[1] https://www.theregister.com/2023/10/27/online_safety_act_charles/
[2] https://www.theregister.com/2024/11/21/online_safety_act/
[3] https://www.ofcom.org.uk/siteassets/resources/documents/online-safety/information-for-industry/illegal-harms/overview-of-illegal-harms.pdf?v=387538
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/legal&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z6SWVVPLBgOPLAjC-o4QkQAAAFU&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[5] https://www.ofcom.org.uk/online-safety/illegal-and-harmful-content/guide-for-services/
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/legal&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z6SWVVPLBgOPLAjC-o4QkQAAAFU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/legal&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z6SWVVPLBgOPLAjC-o4QkQAAAFU&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[8] https://ofcomlive.my.salesforce-sites.com/formentry/RegulationChecker
[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/legal&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z6SWVVPLBgOPLAjC-o4QkQAAAFU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[10] https://www.ofcom.org.uk/siteassets/resources/documents/consultations/category-1-10-weeks/270826-consultation-protecting-people-from-illegal-content-online/associated-documents/annex-5-draft-service-risk-assessment-guidance?v=330403
[11] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/legal&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z6SWVVPLBgOPLAjC-o4QkQAAAFU&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[12] https://www.theregister.com/2025/01/14/online_safety_act/
[13] https://onlinesafetyact.co.uk/in_memoriam/
[14] https://www.lfgss.com/conversations/401475/
[15] https://lobste.rs/
[16] https://github.com/lobsters/lobsters/commit/259b9117edb8dfff289b54a68a17af6461f8815b#diff-766c34fd6533171eaf54300c153f89d6002c35c02cfc9c5b219251f85180ad07R97-R102
[17] https://www.legislation.gov.uk/ukpga/2023/50/schedule/1/paragraph/4
[18] https://www.theregister.com/2025/01/09/uk_government_promises_law_against_deepfake_smut/
[19] https://www.theregister.com/2024/04/26/investigatory_powers_bill/
[20] https://www.theregister.com/2025/01/16/ofcom_age_verification/
[21] https://www.theregister.com/2025/02/05/australia_deepseek_ban/
[22] https://onlinesafetyact.co.uk/ra_blog_with_comments/
[23] https://www.legislation.gov.uk/ukpga/2023/50/schedule/1/paragraph/4
[24] https://mastodon.neilzone.co.uk/@neil/113951568023855807
[25] https://www.legislation.gov.uk/ukpga/2023/50/schedule/1/paragraph/9
[26] https://whitepapers.theregister.com/
Brown said he intends to put this question directly to Ofcom
I put the question.
I did not get an answer, straight or otherwise.
Nor did Ofcom provide answers to other questions I asked about some of the other exemptions in Schedule 1 which could be valuable to people running small hobbyist sites, including:
1) how Ofcom will interpret "email" for the purposes of Schedule 1, paragraph 1. Ofcom said that there is a "common definition", but despite prompting, it did not provide it.
2) how Ofcom will apply the "or other concern" wording in Schedule 1 paragraph 7, and whether closed groups, like a forum run solely for members of a cub pack, with no external access, could take advantage of it.
3) how Ofcom will apply s227(3), the effect of which is intended to be that the "provider" of a service cannot also be a "user" of it (a sensible position). But the opening words appear to limit it to "when acting in the course of the provider’s business", and so it may not be applicable in the context of hobbyists, and so understanding Ofcom's intent here would be valuable.
Re: Brown said he intends to put this question directly to Ofcom
Thank you for the time you've spent trying to make sense of this legislation and Ofcom's "guidance" from the point of view of small service providers, Neil.
It's all so vague, and reliant on the service provider's own personal assessment of risk. Risks that cannot ever be quantified.
Specifically says that user-generated content is not provider content
> "posting comments or reviews relating to provider content" (eg, comments about bikes posted to a bike blog)
So if a comment section veers off-topic from its TFA, in particular starts discussing other comments, it stops being related to provider content and then *does* become the responsibility of the website?
This gets a bit silly and meta, but especially if comments are plucked from the web page and presented out of context...
The root cause of the issue is that the UK* doesn't have freedom of speech
Probably best to do all your Internet communication through a VPN server in the US and give them an American phone number if needed - that way authoritarian governments will by default assume you're enjoying your First Amendment rights even if you don't actually have them.
* (nor any other European country)
Re: First amendment ?
Er, is this in a country that is busy passing laws that you can't criticise DOGE ? And where several state legislatures are debating banning criticising the president ?
With a Supine court that takes a very narrow view of the constitution.
Bet
I bet when this happens on a big corporation's website, there will be dinners, meetings, perhaps champagne, some "sweeteners" and matter will go away.
When it happens on a small site, there will be penalties, hounding, harassment, bankruptcy and site closure.
Just appears to be systematic lawfare from many angles to finish off small businesses and working class initiatives.
Re: Bet
The quickest response will be when OT comments start being posted to MPs' particularly Labour MPs' blogs, ministers' personal blogs or government sites.
VPN to connect the family "intranet"[1]
Cursory reading followed by a run through the online checklist, really hoping I missed a paragraph...
But what constitutes an "online" service or website? Is it explicitly defined somewhere as something on an IP address that is exposed to the Internet and can be accessed (at least to a login page) by anyone with a just web browser?
What if the service is only accessible via a VPN - and that has been set up already such that the various households see no functional difference between it and, say, The Register? That is, they just put in the URL and off they go, as it ought to work. Second cousin Timmy (who I don't actually know other from his posts) is letting his school chum Doug post from Timmy's room as Doug has the photos of their garage band[2]
Note that there are exclusions if the site is only providing access to your businesses Intranet-type stuff (CRM etc) but there is nothing about if you are not a business! And that still leaves a Doug as a problem.
[1] sorry for using that word
[2] trying to come up with a reasonable scenario that includes a wider group of people
Re: VPN to connect the family "intranet"[1]
Yes, the "business intranet" exemption should really be extended to "services limited to a small specific group of people" or something like that. My family NextCloud instance is technically covered by the Online Safety Act, it's a file sharing and messaging user-to-user service and not internal to a business.
For now I think the best thing is to carry on as before, the chances of Ofcom even discovering small user-to-user services (within the entire internet!) is minuscule. And they promise to "work with" services and to "be constructive". Fines and criminal sanctions only follow if they think you're obstructing their aims. They do like saying "£18 million maximum fine!" though - I think it makes them feel they have some power that doesn't exist in the real world.
Re: VPN to connect the family "intranet"[1]
How do you define small and specific?
Re: VPN to connect the family "intranet"[1]
Other examples mentioned at the Ofcom presentations were things like local WI group discussion boards, forums for members of a club or interest group.
Even if you hide everything behind a member login system, and restrict who can sign up, it's covered by the OSA unless a "business" runs it for its own internal use.
Exactly as we all predicted
A government apparently overrun by legal advisors and lawfare opportunists puts in place legislation that opens the door to legal advisors and lawfare opportunists.. what a surprise. Particularly ironic as we watch America self-immolate through misuse of their overly enthusiastic legal system.
Dear Rachel Reeves - you want to know why we're not all magically growing the economy for you? It's stuff like this.
Re: Exactly as we all predicted
I think it's more a case of Politician's Syllogism: Something must be done; this is something therefore it must be done.
I am the ghost of Demon past
So a UK company has to fend off shoals of hungry landsharks, but post the same content on a US web site and it is effectively unactionable (unless some vested interest such as a publisher is offended)?