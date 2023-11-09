Following the arduous multi-year passage of the Online Security Act through the UK lawmaking process, regulator Ofcom has published its first guidelines on how tech companies can comply with the vast legislation. Its proposal – part of a multiphase publication process – outlines how social media platforms, search engines, online and mobile games and pornography sites should deal with illegal content such as child sexual abuse material (CSAM), terrorism content and fraud.

Today’s guidelines are being released as proposals so that Ofcom can gather feedback before the UK Parliament approves them later next year. Still, the specifications will be voluntary. Tech companies can guarantee they are complying with the law by following the guidelines to the letter, but they can take their own approach as long as they demonstrate compliance with the Act’s broader rules (and, possibly, with Ofcom. Are ready to fight your case).

“This puts a duty of care on tech companies for the first time to protect the safety of their users,” explains Gil Whitehead, Ofcom’s head of online security. the verge in an interview. “When they discover that there is illegal content on their platforms, they need to remove it, and they also need to conduct risk assessments to understand the specific risks that those services pose.”

The idea is for sites to be proactive in preventing the spread of illegal content and not just play around after the fact. The aim is to encourage a switch from a reactive to a more proactive approach, says Claire Wiseman, a lawyer specializing in technology, media, telecoms and data.

Ofcom estimates that around 100,000 services could fall under the broader rules, although only the largest and highest-risk platforms will have to comply with the strict requirements. Ofcom advises these platforms to implement policies such as not allowing strangers to send direct messages to children, using hash matching to detect and remove CSAM, maintaining content and search moderation teams, and providing information to users. Providing ways to report harmful content.

Large tech platforms already follow many of these practices, but Ofcom hopes to see them enforced more consistently. “We think they represent the best practice of what’s out there, but it’s not necessarily implemented across the board,” Whitehead says. “Some companies are implementing it sporadically, but not necessarily systematically, and so we think there’s a big benefit to more wholesale, widespread adoption.”

There’s also a big aspect to this: the platform known as X (formerly Twitter). The UK’s efforts with the law long predated Twitter’s acquisition by Elon Musk, but it was passed as he fired large swaths of its trust and safety teams and presided over a loosening of moderation standards. , which could put X in trouble with regulators. For example, Ofcom’s guidelines specify that users should be able to easily block users – but Musk has publicly stated his intentions to remove X’s block feature. They have clashed with the EU over similar rules and have reportedly even considered pulling out of the European market to avoid them. Whitehead declined to comment when I asked whether X had been cooperative in talks with Ofcom, but said the regulator was generally “broadly encouraged” by the response from tech companies.

Ofcom’s rules also cover how sites should deal with other illegal harms, such as suicide or serious self-harm, harassment, revenge porn and other sexual exploitation, and content encouraging or assisting the supply of drugs and firearms. For example, search services must provide “crisis prevention information” when users enter suicide-related queries, and when companies update their recommendation algorithms, they must conduct risk assessments to check that they are not targeting illegal search engines. Not promoting the content. If users suspect a site is not complying with the rules, Whitehead says there will be a way to complain directly to Ofcom. If a firm is found in breach, Ofcom could impose fines of up to £18 million (about $22 million) or 10 percent of worldwide turnover – whichever is greater. Objectionable sites may also be blocked in the UK.

Today’s consultation covers some of the least controversial areas of the Online Safety Act, such as reducing the spread of content that was already illegal in the UK. As Ofcom releases future updates, it will need to focus on sensitive topics, such as content that is legal but harmful to children, underage access to pornography, and safety for women and girls. Perhaps most controversially, it would need to interpret a section that critics have claimed could fundamentally weaken end-to-end encryption in messaging apps.

The section in question allows Ofcom to require online platforms to use so-called “recognised technology” to detect CSAM. But WhatsApp, other encrypted messaging services and digital rights groups say this scanning would require breaking the apps’ encryption systems and invade user privacy. Whitehead says Ofcom plans to consult on it next year, making its full impact on encrypted messaging uncertain.

“We’re not regulating the technology, we’re regulating the context.”

There is another technology that was not emphasized in today’s consultation: artificial intelligence. But this does not mean that AI-generated content will not fall under the rules. Whitehead says the Online Safety Act seeks to address online harms in a “technology neutral” manner, regardless of how they arise. So AI-generated CSAM would be in scope by virtue of being CSAM, and deepfakes used to commit fraud would be in scope by virtue of being fraudulent. “We’re not regulating the technology, we’re regulating the context,” says Whitehead.

While Ofcom says it is trying to take a collaborative, proportionate approach to the Online Safety Act, its rules may still prove tough for sites that aren’t tech giants. The Wikimedia Foundation, the non-profit organization behind Wikipedia, explains the verge Complying with various regulatory regimes around the world is proving increasingly challenging, even if it supports the idea of ​​regulation in general. “We are already struggling with our ability to comply with [EU’s] Digital Services Act,” says Rebecca MacKinnon, the Wikimedia Foundation’s vice president for global advocacy, pointing out that the nonprofit has only a few lawyers dedicated to EU rules, while companies like Meta and Google have dedicated Can.

“We agree as a platform that we have responsibilities, but when you’re a nonprofit and every hour of work is zero-sum, it’s problematic,” MacKinnon says.

Ofcom’s Whitehead acknowledged that the Online Safety Act and the Digital Services Act are more “regulatory cousins” than “identical twins”, meaning extra work is required to comply with both. She says Ofcom is trying to simplify operations in different countries, pointing to the regulator’s work to set up a global online safety regulatory network.

Passing the Online Security Act was already difficult during a turbulent era in British politics. But as Ofcom begins to fill in its details, the real challenges may have just begun.

