UK Online Safety Regulations and impact on Forums

Well I'm closing my forums down. This is not geared for small forums. I don't understand half of it, I'm not a lawyer and I can't afford to pay for age verification, nor have the time to do the paperwork. Plus I wouldn't enjoy the forums any more.
 
But - what about guests and unregistered users? They can see the site without even signing up!
A guest viewing the site - assuming they can't post as a guest makes the site just like any other website. So since that isn't user to user it would appear to fall outside the act. Caveat emptor and all, I'm not a lawyer!

I'm beginning to see why the bike forum just threw in the towel!
In the end some of the members formed a CIC to run it - that's essentially a Ltd company but aimed as social enterprise.

That's the "record keeping" that needs updating each year. Does it also class as a risk assessment?
I believe the risk assessment is separate.

Where do I change the age number?
Options - User Registration (/admin.php?options/groups/usersAndRegistration/)

Well I'm closing my forums down. This is not geared for small forums. I don't understand half of it, I'm not a lawyer and I can't afford to pay for age verification, nor have the time to do the paperwork. Plus I wouldn't enjoy the forums any more.
That's a shame, but this is the fallout from legislation like this that might have noble (giving them the benefit of the doubt) intentions, but with no realistic solutions in place to easily comply. My advice would be to take a breather from the Ofcom stuff, maybe turn off new registrations on your forums for a bit (presumably your existing members have not been trouble so far) and then come back and assess everything when it's not so overwhelming.

I know what you mean you see £18M fine and think - it's not worth it - I did and I look after both personal and paid for forums. I think any lawyer (and I am not one!) will say the odds of Ofcom fining any small forum anything is close to zero. The most likely reason you'd ever come to their attention is from a troll reporting you to them. They are most likely to just say "please comply, here is some guidance you've probably already read". At that point you could always abandon the forums! Decent moderation mostly reduces the risk of each danger, there are a few areas where I think XenForo is particularly lacking and will have to be made up with add-ons or extra functionality, but for the most part your risk assessment puts "report feature" against most risks. Beyond that private messaging is the main risk as it enables non-public communications and potentially adult to child communications. If an age verification scheme isn't practical (and I've not had time to finish polishing up mine - and that's not even a plug and play XF add-on) the easiest thing is to turn it off for most users. You can do that with permissions and groups - then you can enable it for staff and maybe for members you know are 18+ for instance.

I honestly think (not a Lawyer) that doing a reasonable risk assessment (and there are two templates in this thread (which I know is long)) and formalising a few processes will be enough to keep the wolves from your door. Otherwise a huge number of us are going to have to shut up shop. I would imagine that would apply to this XF forum as much as anywhere. I mean EU GDPR came in in 2018 and the shipped XF privacy policy doesn't 100% comply with that and most sites are still afloat. The OSA is mainly targeted at the large social media sites, it's just they went for the dragnet approach to legislation without thinking (one hopes) about the practicalities of that.
 
Stripe has an identity product, but it gets expensive fast if you need to verify a large number of users at £1.25 / $1.50 a pop

A workaround would be to limit the X userbase; UK to a set of limited rules - no PM, images, attachments unless verified. But, to compensate for this, you could charge a small fee. Ideal if you have a VIP package. Judging by my recent checks, I don't think this law applies to me so much as long as I can limit the sign up age by 18 and we do not support pornographic content. Although, a plugin that would limit PM usage via IP would be ideal.

So;

IF X IP =

Limit: viewing of X Y Z
Limit: submission of conversation and open
Limit: registration per age

It's money waiting for the first who makes it.
 
A guest viewing the site - assuming they can't post as a guest makes the site just like any other website. So since that isn't user to user it would appear to fall outside the act. Caveat emptor and all, I'm not a lawyer!
I believe this would be fine, simple to do with permissions for registered user group to not have permissions to post in forums, DMs or profile.
 
Stripe has an identity product, but it gets expensive fast if you need to verify a large number of users at £1.25 / $1.50 a pop
Somehow I'd missed that one in my trawl of providers. Dang now I'm going to have to decide if I abstract my software to work with that as well - I very nearly did and then thought - nah what's the point - given all the providers I'd spoken to were charging hundreds a month.

To be fair I think you just have to pass the charge onto members - either everyone has to pay, or you restrict features you feel are a risk and those users who want those features pay. I'm taking the latter approach since that avoids dealing with retrospectively verifying users. As a one off payment it'll not break the bank of many members. I was looking to charge about £1.30 I think via PayPal for my verifications to cover the PayPal fees and the actual cost of lookup (~£0.80). So the Stripe pricing is on par with that.
It's money waiting for the first who makes it.
I'm still surprised either XF or one of the main add-on developers here has not released something. I was considering it. Lookups work out at about £0.25 for all the "big players". Generally the APIs are fairly simple to integrate with. Write a middleware layer XF can talk to. Release an add-on. Charge subscribers say £1-2 per verification and you've probably got a reasonable little business. Add plugins/add-ons for other popular systems (WordPress, etc) and job done. The only issue I can see is that I suspect a lot of user-to-user sites are not going to bother. I mean if you look at the number of people on this thread - that must be a tiny proportion of the number of XF licences that will fall under the OSA. Then there are millions of blogs with commenting enabled and all sorts. Will they all be breaking the law - well potentially. So it might be one of those "that seems like a good idea", but in reality there is little interest. We know the reality is Ofcom have not had some huge recruitment drive to staff this up, so "life goes on". This being a busy period for my company I've opted just to roll-my-own solution for now (although some extra Stripe rolling might be in order - at least as an experiment - although my provider's contract does stipulate I can't use other providers whilst using them...). Anyhow hopefully will get that finished up next week.

Thank you and I hear you but .... I ain't doing all that! It's tough but I won't enjoy it any more.
Quite understand that. If you're in the UK why not drop a line to your MP - no harm in letting them know another community resource is closing thanks to legislation. Likewise it's worth reaching out to the XF devs - outline what you feel the product might need to better (not saying it doesn't of course!) meet UK legislation.
 
Likewise it's worth reaching out to the XF devs - outline what you feel the product might need to better (not saying it doesn't of course!) meet UK legislation.

See here:
 
Not sure it's compliant with direct messaging and age verification software. But mainly, I just don't want to deal with all that.
 
It's a little bit of a nuanced thing. Take for example ICU D9 - If a complaint is an appeal, it should be determined promptly. So XF doesn't have a formal structure for handling complaints. You have a choice of tools however: You could have a complaints forum node, you could handle complaints via PMs, you could handle them via the Contact Us form or maybe via Reports. All of those could be valid solutions, none of them explicitly track time or provide "reminders" and so forth - so that layer (the promptly) you would have to add through manual process. So you can have manual processes using the existing tools and cover off your OSA requirements. Or look to develop solutions that make more use of software. I'd hoped that given the scope of the act that latter option might have magic'd itself into existence!

So for example fundamentally there is nothing wrong with private messaging. However it does present more risk than the public messaging since it is "out of sight" and I think the moderation toolset is very lacking. How you then manage that risk is down to you (alas!). I think a lot of us here would like to see some software solutions to assist in managing and reducing that risk beyond what is currently on offer. It's a less than ideal situation and for small fan forums I can quite understand why it drains the love out of running them. I still hope that was not the intent of the act, but just a side effect.

Personally I'm still wondering how I comply with ICU H1 - The provider must remove public content and accounts from proscribed terrorist organisations. Whilst the UK Gov does publish lists I suspect it's not something a user is going to advertise! How if DubiousDave12345 doesn't step out of line can I possibly know if he's a member of a terrorist organisation?! Similar with all the bullying stuff in the children's guidance that talks about knowing the state of mind of the poster. Still when Xon or someone releases their telepathy add-on I guess we'll be good!
 
I have just found the process impossible and made an official complaint to Ofcom based on the following, particularly the line I have emphasised:

record-keeping-and-review-guidance.pdf

Duty to provide risk assessments to Ofcom
3.5 As soon as reasonably practicable after making or revising a written record of an illegal content or a children’s risk assessment, Category 1 U2U service providers and Category 2A search service providers are required to provide this written record (in full) to Ofcom. The record should be sent to Ofcom in electronic format to the dedicated Ofcom email address, as published on Ofcom’s website at the time of submission.

  • I was unable to find the email address
  • I rang the OFCOM advice and complaint line: 0300 123 333
  • Originally I was told they cannot give advice and referred me to the website toolkit
  • I mentioned I had seen the toolkit and referenced the paragraph above and that I could not find the email address on the website
  • At that stage I was put on hold while the operative presumably went to find the email address.
  • He came back and told me that they are unable to provide any further information and that I should seek independent legal advice.
  • I took this to mean either (a) he could not find it either, or (b) that letting people know the email address they must send their records to in order to not be fined £18M is not a service they offer.
  • He then said I was welcome to log a complaint which I did.
I'm now off to find a solicitor and I imagine they will probably charge me £350 to tell me Ofcom's email address.
 
Sad to say that doesn't surprise me. I've had a few calls over the years with HMRC like that to clarify something where all they have been able to say is "that would be decided if we ever did an audit" which is hardly helpful in preventing a problem is it!

I do appreciate the effort of actually calling them, I tip my cap to you!
 
I do appreciate the effort of actually calling them, I tip my cap to you!
It wasn't that difficult or quite such the wait you get with HMRC

The trick was to ignore the recorded menu saying for advice go to the website, to report an infringement press 1. Pressing 1 got me to the human, Trevor.
 
Duty to provide risk assessments to Ofcom
3.5 As soon as reasonably practicable after making or revising a written record of an illegal content or a children’s risk assessment, Category 1 U2U service providers and Category 2A search service providers are required to provide this written record (in full) to Ofcom.
Category 1 U2U means 34 million UK users active each month, or 7 million UK users active if they can share “regulated user-generated content”, both with content recommender systems.

I would imagine that excludes most XenForo admins.
 
Category 1 U2U means 34 million UK users active each month, or 7 million UK users active if they can share “regulated user-generated content”, both with content recommender systems.

I would imagine that excludes most XenForo admins.
From what I recall, there's nothing to define what constitutes a 'user'. Does that include guests? Is the number of times a particular user visits within a month to be counted? What about bots? Or do they really mean page views and not users?

That's just one example of so many ambiguities present within OFCOM's torrent of word salad.
 
From what I recall, there's nothing to define what constitutes a 'user'. Does that include guests? Is the number of times a particular user visits within a month to be counted? What about bots? Or do they really mean page views and not users?

That's just one example of so many ambiguities present within OFCOM's torrent of word salad.
I assume it does, however unless you allow guest (anonymous) posting I think you can ignore them for the purposes of the act unless you have a porn site.

I'm still honing my risk assessment, but I'm using the fact that we log users' email address and IP as a sort of deterrent in that anyone posting anything illegal would be immediately notified to law enforcement. OK the clever ones would have that covered but I see it as just one more thing to put in the risk assessment that makes it look like you are doing something. It ticks a box and surely this thing is all about box ticking and is unlikely to do much good in regards to its intentions.

It'll close down a few hamster and cycling forums. Or even cycling hamster forums.
 