UK Online Safety Regulations and impact on Forums

An available addon for an API would be very popular I think
Given I'm not hearing anyone clamouring about the Stripe one I suspect it's just not something many people are going to worry about. However if XF add-ons was "my thing" and the day-job it'd not be hard to do something as a small side project. I imagine a few larger XF boards may have built in house solutions - not everyone posts here after all!
Presumably it would even be possible to develop an addon to verify age as well
You could. It'd be a good chunk of work and there are various accreditation bodies you might want to join and so forth. I think given the general low interest interfacing with a handful of existing suppliers is probably the best bet.
 
I just know nothing about Stripe and I suspect my members wouldn't either. I'm more interested in implementing the age verification than working out how people pay for registration now, because I want to try and keep it simple or people won't join. So considering how much I can afford to invest longer term. One forum is staying closed and has gone elsewhere. Which might save some running costs for the other one - a bit anyway. Only one email package to fund. Server costs stay the same regardless.
 
Sorry maybe I wasn't quite clear - Stripe offer a verification service in addition to their payment processing you don't need to do payments via Stripe to use their verification service (you yourself need to register an account of course and pay for the verifications). They are quite a substantial payment provider so I expect some members will have come across them. At some point I'll get back to testing their system out, but it does work via webhooks so wont work with my existing approach.

So if you want a solution "tomorrow" the options presently are Stripe at £1.25 per check with integration into XF via the add-on (not personally tested), or VerifyMyAge at £1 per check via my Ruby Gem, or probably in a week or two Shufti at $0.20-0.70 per check (~$700 credit upfront) via my Ruby Gem (although I wont have test account by then so it will be untested).
 
Thanks. I didn't realise Stripe had an age verification service. But don't verifymy still have the £2000 upfront thing? I was quoted that plus 50p a verification. Or is there a different option they have?
 
So the Stripe option requires them to do a photo of id and a selfie is that right? And £1.25 a check. I just don't think people will want to show ID. It's an option though, with the addon. That would mean I'd have to charge members though. Too expensive otherwise. It's great you've programmed something that would work with Shufti though. So will that only work with a two layer registration? Ie join free and pay for upgrade? Or will it work with just registration and no payment needed as well?
 
But don't verifymy still have the £2000 upfront thing?
That's for their email only solution their Stores and Custom API has no up-front costs and it'll be about £1 per check at the volumes we're talking.

I just don't think people will want to show ID.
Well I think that's a fundamental issue full stop. I'm not sure many people will want to do an AI based facial age estimate either (especially with some companies retaining the images for further use). I'd have thought twice about registering an account here if I had to send the XF staff a copy of my ID, etc... even though we have a commercial relationship.
 
Which is why I preferred the email checking option :-) The verifymy one is reliable by the sound of it. It's just it's too expensive.

The Shufti one I could maybe do without charging people - but it still needs a selfie - face id - and I think that would put some cautious people off as well.
 
Just wondering if any company has an option using National Insurance No for age verification. That would at least prove someone is over 16. But only in the Uk .......... Although I guess a lot of people wouldn't know their NI No off the top of their heads without digging out paperwork. I memorised mine when I was 16 lol
 
Or. If google implemented age verification so all google accounts had to be over 18, you could just ask someone to sign in with gmail or a google account. But maybe they are leaving their age limit at 13.
 
using National Insurance No for age verification. That would at least prove someone is over 16
Well it would prove you have access to an NI number ... nothing more. If you wanted a 16+ "homebrew" UK option doing a Driving Licence check would be better. Since it's not crazy money to have a provisional licence just as ID licences are fairly common even with non-drivers. You can share driving licence information securely with a third party (so they could share it with you). Whilst no DoB is shared - That would in essence prove you were 16+ - Since you need a national insurance number 16+ and a provisional licence 15y9m+ in order to actually be able to share the information in the first place. It's a reasonably non-invasive method obviously not designed for this purpose, but interesting.

But maybe they are leaving their age limit at 13.
I can't imagine they would choose to reduce their user-base. The 13+ comes from the US Children's Online Privacy Protection Act (COPPA), which is probably why XF defaults to 13+.

The Shufti one I could maybe do without charging people
From the descriptions of your budget only if you do the Selfie AI age estimate only - that's the one that costs $0.20. ID checking is another $0.50. I was happy enough with their system so they seem like a decent bet.
 
Absolutely no barrier. Once the guidance is published I'll be doing one myself given I'm not going to age-gate actual registrations.

From the draft guidance (part of the consultancy) it does seem like it leans more towards preventing "harm" (ie never seeing the "bad" thing) rather than the adult guidance which is more about mitigating further harm (say quick removal of content). So there is the worry that it'll be very hard to satisfactorily implement solutions. So I can see why if you don't want children on "your" site then sticking in age-verification may reduce your workload considerably. The existing guidance document is a bit wooly in places - talking about how a post might be okay, but if someone else with a different "mindset" reposts it then it could be bad, things like that. So I can see why it'll be a bit off-putting.
 
What is the barrier to just completing the child risk assessment?
It's not so much a barrier to doing the child risk assessment (although it is extra paperwork), as the process of doing the assessment raises various things you need to show you have mitigated for and addressed. So it's the mitigations that can be the obstacle. Eg no youtube videos (or other links that lead to external sites that could potentially have content unsuitable for children), removing exif data from photos. Various automoderation of any links posted. But most other mitigations could be met provided there are plenty of moderators to give 24/7 coverage and take down something "swiftly" if anything inappropriate is posted. I think also the effect on a forum would be more restricting and heavier moderating than usual on stuff like disagreements. And no DM's.

In fact if doing a Child Risk Assessment and mitigations - it would almost be pointless to raise the age limit of the site to 18 as you have to mitigate regardless.
 
Well it would prove you have access to an NI number ... nothing more. If you wanted a 16+ "homebrew" UK option doing a Driving Licence check would be better. Since it's not crazy money to have a provisional licence just as ID licences are fairly common even with non-drivers. You can share driving licence information securely with a third party (so they could share it with you). Whilst no DoB is shared - That would in essence prove you were 16+ - Since you need a national insurance number 16+ and a provisional licence 15y9m+ in order to actually be able to share the information in the first place. It's a reasonably non-invasive method obviously not designed for this purpose, but interesting.


I can't imagine they would choose to reduce their user-base. The 13+ comes from the US Children's Online Privacy Protection Act (COPPA), which is probably why XF defaults to 13+.


From the descriptions of your budget only if you do the Selfie AI age estimate only - that's the one that costs $0.20. ID checking is another $0.50. I was happy enough with their system so they seem like a decent bet.
I like that idea! Driving licence sharing to prove age. But looking at the link you showed, it looks like they'd need to do a load of form filling online - not a quick process. So at registration it would be something like a message saying "To verify your age we need you to share driving licence information which can be done at this link - please use the contact us email address". But then every registration would need to be manually accepted.

I think that would put people off registering. Unless we ask them to do it after registering?

With a national insurance number - I think people might not want to share that anyway. And it would then need checking if it was a valid one.

Both of these options only verify the age of Uk users - but presumably that is all we need to do as per Ofcom requirements - protect Uk users. And use common sense over any other memberships if thinking they might be underage.

This is why it's all so nannyish for smaller or general sites - as if the site owner doesn't do sensible things in the first place.
 
Or two options maybe

"We need to verify your age, You can either do a selfie which will assess your age biometrically (the photo will not be saved or stored), or you can verify by means of proving you have a driving licence at this .gov link"

Although that would mean paying money for Shufti as well so not much point doing the driving licence then - sorry. They already get an option to scan id with Shufti anyway if the face estimation fails.

The ,gov link would be too arduous as they need their NI no as well.
 
Why would anyone share their driving licence or NI number to use a website forum when they can register for free with Facebook and use a plethora of groups, even start their own, without jumping through hoops?
Bearing in mind most people are scam wary and would refuse to do so in the first place.
 
Why would anyone share their driving licence or NI number to use a website forum when they can register for free with Facebook and use a plethora of groups, even start their own, without jumping through hoops?
Bearing in mind most people are scam wary and would refuse to do so in the first place.
To get verified you have to show your drivers licence
 
I like that idea! Driving licence sharing to prove age. But looking at the link you showed, it looks like they'd need to do a load of form filling online - not a quick process.
Actually it is quite quick if you have your details to hand. You get a one use code at the end that you can share. The recipient needs the code and the last eight digits of you licence. They can then enter these on another Gov page and they get a summary of the licence. Noting that it does give the full name of the driver. Otherwise it's all stuff useful if you were renting a car, but no other personal information (like DoB or address). It'll obviously say if the licence is provisional or not. So if not you can further assume the driver is at least 17. Anyhow it's not really intended for this, but it was something I knew about so mentioned.
Although that would mean paying money for Shufti as well so not much point doing the driving licence then - sorry. They already get an option to scan id with Shufti anyway if the face estimation fails.
That's not quite how it seemed to work during my trial. You could combine methods, but then they were chained together. Certainly when I was trying estimation only - that's all I got offered. I'd clarify with them to be sure. I'd also check the costs - estimation was the cheaper, but ID scans were more expensive. So even if it does "fall back" to that you might find your costs increase.

Why would anyone share their driving licence or NI number to use a website forum when they can register for free with Facebook and use a plethora of groups, even start their own, without jumping through hoops?
Bearing in mind most people are scam wary and would refuse to do so in the first place.
Indeed. Fundamentally the issue with any age-verification system. There are some where the checker simply gets a yes/no to the 18+ question, those do protect the privacy of the user from the forum site, but obviously not to the company doing the checks. Things like the Yoti/EasyID digital ID can offer that, but you have to accept giving your soul to that (the checking) company.

Even whilst trialing the systems I instinctively did not want to use my own ID or face! :) Obviously Facebook fall under the same regulations, but they could tackle them via tools and moderators (and lawyers) instead. I think they do use Yoti however, but presumably not universally. The above example of the NI/Driving licence doesn't share those numbers with the end-website (ie the forum) it's only the Gov pages you input the data to (and they already know it!), but as mentioned the end-website would get a full name and 8 digits of your licence (along with knowing what you can drive, etc!).

From my testing it's a mix between the third party checking systems as to what data is retained and accessible. So Shufti for instance handled all the acquisition of the data - the forum wouldn't be anywhere near uploading scans of ID or anything like that, but in the backend for Shufti I can see a full picture of the ID, etc so I had more data than I needed. VerifyMyAge doesn't keep anything like that at least, but with the API I am using I need to submit name/address so the forum does have that information (via Paypal) it needs to eventually destroy (noting that a normal delete user does not clear the data out of the payment log). I get the impression the OIDC based flows (like OneID) probably don't retain any information. I do rather wish the UK gov had built in OIDC age checking ahead of this act into things like HMRC, DWP and DVLA, etc. That would have been rather sensible to offer free checking. Although even then do I want the UK gov to know which websites I am registering with?

As a slight aside I know we were speculating about the mobile phone age checking and how that worked and if it was vulnerable to adults just giving children phones that are in their name. The Ofcom documentation says:
Each of the UK’s MNOs have agreed to a code of practice whereby they automatically apply a content restriction filter (CRF), which prevents children from accessing age-restricted websites over mobile internet on pay-as-you-go and contract SIMs. Users can remove the CRF by proving they are an adult. MNO age checks rely on checking whether the CRF on a user’s mobile phone has been removed. If the CRF has been removed, this indicates that the recorded user of the device is over 18. Confirmation of whether or not the recorded user is over 18, based on the status of the CRF, is shared with the relying party.
So certainly potentially limited veracity to the UK if nothing more. I'm still not quite sure I totally like the solution, an adult might well want to prove they are an adult, but might still want the content filter on their phone! Anyhow I thought I'd mention it since I was speculating a bit upthread and I'd forgotten that.
 
As mentioned in the thread, I met with my local MP and discussed a range of issues and highlighted concerns.

They have heard back from OFCOM, via a letter from the Chief Exec.

A section is below, hopefully to help others, and to get further feedback from anyone interested in sharing it publically or privately:

We will shortly be publishing our Protection of Children Statement which will confirm what steps

providers, including low-risk ones, need to take to comply with their duties to keep children safe.

We have developed a range of tools and resources to help service providers understand and comply

with their responsibilities, particularly recognising the difficulties for smaller organisations. Your

constituent may find our Digital Support Service tool useful in navigating the rules and determining

the measures they are expected to implement to comply with their illegal content safety duties. We

will be launching a version of the tool that covers the children’s safety duties in summer.

We do not expect services to necessarily need to shut down their private messaging functionality to

comply with their online safety duties. While private messaging carries potential risks of harm that

should be considered in a service’s risk assessment, the expectation for all services is that users must
be able to report illegal content if they encounter it within these messages. Additionally, if a service

becomes aware of illegal content, it must act swiftly to remove it.

You note that your constituent is closing all new registrations due to age assurance requirements. As

I set out above, under the Online Safety Act, all regulated services need to carry out a child access

assessment to understand whether their service is likely to be accessed by children. If the service is

likely to be accessed by children, they will need to also undertake a children's risk assessment and

implement safety measures to protect children online.

Services are required to use strong age checks to prevent children from accessing harmful content,

such as pornography. Our Protection of Children Statement, which we will publish later this month,

will set out the circumstances in which services will need to put in place age assurance. I would

encourage your constituent to refer to this when considering whether any action needs to be taken

on his service, or whether his service can meet its child safety duties without needing to implement

highly effective age assurance. As mentioned above, there will be a new version of our web tool

specifically aiming to support smaller companies through the Children’s Codes, and this will be

available in the summer.

In our approach to enforcement, we will focus on those cases where the risk and impact of harm is

highest, including where conduct we are concerned about is ongoing, repeated, flagrant or if the

service has a history of non-compliance. We are not setting out to penalise small, low risk services

trying to comply in good faith.

If compliance concerns arise about a particular service, we will engage with the provider to explain

our concerns and, in most cases, give them an opportunity to remedy the situation before moving to

any formal action. We will take a reasonable approach to enforcement with smaller services that

present low risk to UK users, only taking action where it is proportionate and appropriate.

We will continue to support businesses and individuals providing online services to navigate the

regulations so they can deliver value to their users, while ensuring a safer online environment in the

UK.
 
@robt thank you. That is really helpful. Although noting we can't check the child risk assessment tool until the summer! It would be nice to have access to that now, in my case.

"Additionally, if a service becomes aware of illegal content, it must act swiftly to remove it."

That makes it sound a bit different to "remove swiftly" and adds "if a service becomes aware of illegal content". Which makes the swiftly bit slightly less swift possibly?

@chillibear - will respond properly later when I have time.
 
Back
Top Bottom