UK Online Safety Regulations and impact on Forums

But wouldn’t that also cover guest posting? I think it’s probably important to make clear in your risk assessment whether you allow guest posting.

Yes it would, and that is a good point (in our case we don't allow guest posting)
 
Invision Community has just added mandatory CSAM scanning for their Cloud customers. While hash-based image identification is useful, it won't stop the spread of CSAM via text links to folders, which leaves every forum that allows personal messaging with a potential problem.

 
Cloudflare recently made it easier to deploy as well:


 
Invision Community has just added mandatory CSAM scanning for their Cloud customers. While hash-based image identification is useful, it won't stop the spread of CSAM via text links to folders, which leaves every forum that allows personal messaging with a potential problem.

I appreciate IPB for this improvement. XenForo management has not said they will take action, nor have they shown any sign that they will. I hope they introduce improvements that surpass those of IPB, making us feel ashamed for doubting them.
 
XenForo management has not said they will take action, nor have they shown any sign that they will.
It could be that they are being more realistic about what the OSA actually means. It isn't a case of install this software/addon/upgrade and you'll be compliant. You could scan as much (probably non-existent) CSAM material as you like and still not be compliant if you didn't do your risk assessment.
 
Cloudflare recently made it easier to deploy as well:


Enabled!
 
It could be that they are being more realistic about what the OSA actually means. It isn't a case of install this software/addon/upgrade and you'll be compliant. You could scan as much (probably non-existent) CSAM material as you like and still not be compliant if you didn't do your risk assessment.
As you know, risk analysis is only a tool to determine how to comply with the relevant requirements. After determining the clauses, we need to determine how we will comply with it. If we go from the example of IPB development, Child Sexual Abuse Material is a risk that we need to control, so how will we comply or control it? Here, as administrators, our actions come into play and XenForo's involvement is required at this stage. It is not a good solution to step aside and leave us completely alone with manual methods by saying that Administrators and Moderators should take action and control the content. Even if CSAM scanning is not a 100% solution, it is still a corporate response. For this reason, I appreciate IPB again.
 
Here, as administrators, our actions come into play and XenForo's involvement is required at this stage.
At this stage I'd suggest it's more about undertaking a risk assessment than implementing tools for compliance. It's worth keeping in mind that as far as OFCOM is concerned, the finer points of the Act are still a work in progress. In addition these forums are not exempt so I would imagine there will have to be some development time spent in order to satisfy the Act.
 
Out of interest has anyone contacted either of the two main parties that do CSAM scanning?
I would assume Cloudflare and IPB are using one of these systems under the hood, since holding the material in question would, well be questionable... and all the fuzzy hash matching is kept a moderately guarded secret. XF could I guess in theory offer something on their cloud hosting and might stand more of a chance of getting in the door than the owner of a small forum! Or possibly they could branch out the business and act as a middleman layer to one of those bodies (with their approval), but time and money I guess are factors there. I keep meaning to look at the MS offering (since the IWF fees are simply too high for me) in more detail since it claims to be free "for qualified customers", but doesn't obviously say what that means.
 
Out of interest has anyone contacted either of the two main parties that do CSAM scanning?
I would assume Cloudflare and IPB are using one of these systems under the hood, since holding the material in question would, well be questionable... and all the fuzzy hash matching is kept a moderately guarded secret. XF could I guess in theory offer something on their cloud hosting and might stand more of a chance of getting in the door than the owner of a small forum! Or possibly they could branch out the business and act as a middleman layer to one of those bodies (with their approval), but time and money I guess are factors there. I keep meaning to look at the MS offering (since the IWF fees are simply too high for me) in more detail since it claims to be free "for qualified customers", but doesn't obviously say what that means.

We fail at the first hurdle for IWF membership

Applicants must:

  • be legally registered organisations trading for more than 12 months;
  • be publicly listed on their country registration database;
  • have more than 2 full-time unrelated employees;
  • and demonstrate they have appropriate data security systems and processes in place.
If you do not meet this minimum threshold, we will be unable to respond or advance your application.

so according to their website they wouldn't even respond to us.

I have enabled Cloudflare scanning, but that is the best we can realistically do for now. I do consider us very low risk anyway, but we have seen with the likes of mumsnet that malicious people can always cause problems.
 
If there was a plugin or API service that offered to block

1. CSAM
2. Any nudity
I wish I knew how to differentiate between nudity and porn. I mean in terms of laws or regulations - I know how I personally can tell the difference. And Youtube allows that scene from Colin from Accounts.
 
I wish I knew how to differentiate between nudity and porn. I mean in terms of laws or regulations - I know how I personally can tell the difference. And Youtube allows that scene from Colin from Accounts.
Easy if somebody is posting nude pics up of themselves it's nudity and porn. You do something about it.
If it's a nude statue ignore it.
 
Whilst I've not tested my setup in anger I hope it will do the job (certainly should for my UK users). By no means super pretty or elegant as the provider I'm using is rather geared up for product sales rather than vanilla age verification and their templates reflect this "you've recently bought an age restricted product..." etc. but they do at least offer a pay per lookup model - which suits me as I don't need to do many and others seem to be monthly fees. Whilst my company hosts several forums none are crazy big and the one I personally look after is teeny so a few hundred a month for verification services was far too much!

I didn't do an extensive search for providers however and I'm waiting to hear back from one at the moment. So I'll live with a bit of on-site documentation explaining what users should expect from the process. I really was just looking for a backstop solution in case I needed it.

It still needs a bit of spit and polish but it's getting there (as and when I work on it). Also, since I've not done more than the odd little dabble of PHP for the last 20 years and I write most of my software in Ruby, it's written in Ruby and ties into XF via both the API and also directly to the DB. Sorry, written primarily for myself and clients so UI wasn't a requirement and I've a bit much on to go and re-learn PHP and the XF add-on structure.

I also realise others might want checks during registration and the like - this is just hooked into the standard account upgrade purchase mechanism and currently just PayPal (since that's what our forum clients are using). So my "model" is going to be to restrict private messaging and maybe the odd other thing to just those verified as being 18+. Otherwise we'll just go for the normal T&C approach to age. If someone wants to use those features then they cough up for the verification - which was going to be something like £1.30 I think to cover fees and whatnot - run through the process (which if they are on the (I assume) electoral roll in the UK should be automatic, if not then it's the standard triad of: age estimation via webcam, upload ID, credit card check). Is it foolproof? Nope, but it would appear to be compliant from the Ofcom requirements which is enough for me. To be fair I'll also be grandfathering in a good number of users since many of us know each other IRL anyway. Actually we've a decent number of grandfathers now I think of it! So I don't know how much use it will actually see!

Having done this tool however it would be pretty trivial to do a shiny proper add-on that did the same but was more slick. The APIs for the providers I looked at are not overly complicated. The main decision would be to decide if you were just doing periodic polling or accepting webhooks back from the provider. The latter is obviously more slick, but I ended up deciding to just periodically poll since my numbers are small. Some of the larger providers also offer digital ID solutions (eg Yoti/EasyID) - which are more private (kinda) for the end user - essentially you the forum provider ask the ID provider if 'user A' is 18+ and they say yes/no. You never see any personal data. Because the provider I am using is geared up for sales of age restricted products it assumes I (the forum provider) has things like the name and address I am sending the "goods" to etc.

The main blocker generally would seem to be the fees. If you were running as a middleman layer with an XF Add-on for sale then I suspect there is a decent sum to potentially be made and a couple of hundred a month wouldn't matter. Whilst I did wonder about this, I have enough work on right now to occupy myself. I'll leave that to XF core team or one of the Add-on devs here to spin up, they'd have a better idea than me if it'd be profitable.

I'll write up my solution here I expect once I'm using it and have tested edge cases and whatnot.
 
Does anyone have an absolutely minimal template for a small XF forum, that they would like to share?

I found @eva2000's template on Github but it seemed a bit long ...!

I'm hoping to spend as little time and effort as Ofcom has apparently spent on it.
 