Suzanne O
Well-known member
It depends upon where the admin is living.
Uk law, it could be hosted by some company in the USA but run by Australians who went too far.
UK Online Safety Regulations and impact on Forums
- Thread starter lazy llama
- Start date
-
- Tags
- regulation
Uk law, it could be hosted by some company in the USA but run by Australians who went too far.
"Despite our best efforts ........." I assume they've seen the Child Risk Assessment stage!
They probably just couldn't comply at all, as this is what Wikipedia says about the site
"*****ute is an alt-tech video hosting service launched by Ray Vahey in January 2017. It describes itself as offering freedom of speech,while the service is known for hosting far-right individuals, conspiracy theorists, and hate speech.<Some creators who use *****ute have been banned from YouTube; some others crosspost content to both platforms or post more extreme content only to *****ute."
They probably just couldn't comply at all, as this is what Wikipedia says about the site
"*****ute is an alt-tech video hosting service launched by Ray Vahey in January 2017. It describes itself as offering freedom of speech,while the service is known for hosting far-right individuals, conspiracy theorists, and hate speech.<Some creators who use *****ute have been banned from YouTube; some others crosspost content to both platforms or post more extreme content only to *****ute."
https://en.wikipedia.org/wiki/*****ute
Suzanne O
Well-known member
Had to laugh at that site's name falling under the swear filter. LOL
But hey yeah that's fair enough.
It would be the same if it was another site that i won't name on here that could be very much the site that is being investigated.
It fits all the categories that have been listed on here that OfCom are wanting to investigate.
But hey yeah that's fair enough.
It would be the same if it was another site that i won't name on here that could be very much the site that is being investigated.
It fits all the categories that have been listed on here that OfCom are wanting to investigate.
Suzanne O
Well-known member
It's got a swearword in it's title that xenforo have filtered out.
As mentioned previously, I still currently have my home page online. Anyone putting the site address in is taken there. However I've noticed that if people click on links to posts etc on google, it takes them to the login page. Although there's a message saying "please click on the home button", that isn't easy to see on mobile (it's in the hamburger menu). Is there a way I can set things so all links clicked on just direct to the home page?
Further Age Verification info.
OneID got back to me following up my initial query. It seems they have a free solution called Age Check 18+. I've linked the details below. It verifies an age with confirmation from a customer's bank. I don't quite understand how that works and presumably there would still need to be API integration. It says it's all done digitially and the user uses some bank Auth app to confirm to the bank to share the info.
A free option is good. But I think it might put people off having to give consent to their bank sharing information. Also maybe not everyone uses an auth banking app. I still don't quite understand it but details below.
They have two more paid-for options which also use bank verification and I'm not sure what difference there is from their info.
OneID got back to me following up my initial query. It seems they have a free solution called Age Check 18+. I've linked the details below. It verifies an age with confirmation from a customer's bank. I don't quite understand how that works and presumably there would still need to be API integration. It says it's all done digitially and the user uses some bank Auth app to confirm to the bank to share the info.
A free option is good. But I think it might put people off having to give consent to their bank sharing information. Also maybe not everyone uses an auth banking app. I still don't quite understand it but details below.
They have two more paid-for options which also use bank verification and I'm not sure what difference there is from their info.
MentaL
Well-known member
If its free, they must be selling data.
Mr Lucky
Well-known member
I can see a lot of my users hating this, especially the US ones who aren’t going to get why we have to do this in the first place, and probably assuming their data is going to China…
Suzanne O
Well-known member
You could maybe make it that all adults need to show ID first in the registration process.
You then use a multiple check box of upto 4 different ID's
Similar to how meta have the ID for the verification badges.
All in partnership with the companies you've contacted. (Use their links)
You then use a multiple check box of upto 4 different ID's
Similar to how meta have the ID for the verification badges.
All in partnership with the companies you've contacted. (Use their links)
chillibear
Well-known member
I quite liked OneID when I had a meeting with them. The banking solution was quite a neat one as regards user journey. In essence IF you had a UK banking (and it was limited to UK banks) app installed on a phone/tablet device you can via Openbanking supply some information to another company (OneID) via this system. So OneID request some data (what depended on quite what you were doing) and the user authorised the transfer of the data from within their banking app. So it was nice in that assuming they had a banking app installed it didn't require faffing around with scanning IDs or your face or anything and was quite painless.
However for now I'd put them on the back burner as a possibility because I'd assumed we'd need to potentially validate ages over the entire globe. The other offering they had that would do that was the mobile phone check, but as discussed up thread I don't have confidence that the data returned by that is reliable (I think far too many contracts will be in an adults name when the user is a child and the actual user of the phone wont be logged with an age -it'll just be the adult - note I have no evidence that is the case, but it's my gut feeling despite the claims).
So what about the freebie - well I'll ask my contact at OneID what they are getting out of it - maybe it's a loss leader?
Any use for us? Thinking out loud (sorry) I think that comes down to the scope of the OSA and what we are using age checking for. I guess we have four categories of people:
So realistically I can't see quite how you'd use it unless you tie it into a UK IP address database and require anyone with a UK IP (lets just forget for a second how easy that is to bypass) to do an age check. So you'd allow rest-of-the-world adults and children to do what they want (if indeed rest-of-the-world children are out of scope of the act), but if you have a UK IP then you force them to do an age check and then restrict/grant the account as appropriate. I guess if the scope of the act is limited that might work. The main reason for age restriction is to either wholesale avoid the children's risk assessment (ie site is adults only) or to help as a mitigation in risk assessment (eg children can't be contact by PM/DM or PM/DM people, etc.). If the act only requires you to mitigate risks for UK children then I could see it working - at least as far as the law went, although rather missing the "spirit" of the law of course. I think I'd need a lawyer to read the act and tell me if we're okay to go this direction.
Anyhow interesting I shall investigate a bit more.
As an aside I'm just coming to the end of a Shufti trial period. The actual system is easy enough to use once you get your head around the documentation. I can certainly add it into my existing solution (if I abstracted some more of that code - no bad thing). So I may do that as I feel I should tidy up my codebase anyway. I feel their privacy policy and what they use the data for is a bit more wooly than VerifyMyAge and I'm less clear about exact retention (eg they keep facial photos to weed out duplicate submissions - I guess as a mitigation against someone feeding in a youtube video of a face to a virtual camera for instance for an AI age estimate). And in the backend I can see the full scan of the user's ID, etc. So that makes me a little more twitchy - I'd rather not have that data floating around to be honest (I expect I can clear it however) - I generally prefer the approach to having as little data about someone as possible. Anyhow the system seems fine and there are a couple of ways you could integrate it with XF without too much trouble.
In essence you fire off a request to their API for a type of authentication (eg check ID, or selfie estimation, etc). You can customise this request so you could ask for both ID and a selfie and they have all sorts of interfaces for more business activities (so that might be of use to some). You then get back a URL you can give to your user to perform the verification. User fires that URL up and follows the steps (pic of ID, upload ID, etc). You can check the verification status either periodically or there is a webhook. It does look like it'd lend itself better to a "middleman" supplier model at least as the branding and templates are more customisable and generic.
Model is a "purchased credit" and I think you can spend the credits as you choose on their service (but need to confirm that). Selfie checks are about $0.20 and ID checks are $0.50 and you need to buy about $750 of credit to get going.
However for now I'd put them on the back burner as a possibility because I'd assumed we'd need to potentially validate ages over the entire globe. The other offering they had that would do that was the mobile phone check, but as discussed up thread I don't have confidence that the data returned by that is reliable (I think far too many contracts will be in an adults name when the user is a child and the actual user of the phone wont be logged with an age -it'll just be the adult - note I have no evidence that is the case, but it's my gut feeling despite the claims).
So what about the freebie - well I'll ask my contact at OneID what they are getting out of it - maybe it's a loss leader?
Any use for us? Thinking out loud (sorry) I think that comes down to the scope of the OSA and what we are using age checking for. I guess we have four categories of people:
- UK adults
- UK children
- Rest of world adults
- Rest of world children
- Anyone can register and Age verification "unlocks" access to some features
- Age verification to restrict to only adults/children from registering
So realistically I can't see quite how you'd use it unless you tie it into a UK IP address database and require anyone with a UK IP (lets just forget for a second how easy that is to bypass) to do an age check. So you'd allow rest-of-the-world adults and children to do what they want (if indeed rest-of-the-world children are out of scope of the act), but if you have a UK IP then you force them to do an age check and then restrict/grant the account as appropriate. I guess if the scope of the act is limited that might work. The main reason for age restriction is to either wholesale avoid the children's risk assessment (ie site is adults only) or to help as a mitigation in risk assessment (eg children can't be contact by PM/DM or PM/DM people, etc.). If the act only requires you to mitigate risks for UK children then I could see it working - at least as far as the law went, although rather missing the "spirit" of the law of course. I think I'd need a lawyer to read the act and tell me if we're okay to go this direction.
Anyhow interesting I shall investigate a bit more.
As an aside I'm just coming to the end of a Shufti trial period. The actual system is easy enough to use once you get your head around the documentation. I can certainly add it into my existing solution (if I abstracted some more of that code - no bad thing). So I may do that as I feel I should tidy up my codebase anyway. I feel their privacy policy and what they use the data for is a bit more wooly than VerifyMyAge and I'm less clear about exact retention (eg they keep facial photos to weed out duplicate submissions - I guess as a mitigation against someone feeding in a youtube video of a face to a virtual camera for instance for an AI age estimate). And in the backend I can see the full scan of the user's ID, etc. So that makes me a little more twitchy - I'd rather not have that data floating around to be honest (I expect I can clear it however) - I generally prefer the approach to having as little data about someone as possible. Anyhow the system seems fine and there are a couple of ways you could integrate it with XF without too much trouble.
In essence you fire off a request to their API for a type of authentication (eg check ID, or selfie estimation, etc). You can customise this request so you could ask for both ID and a selfie and they have all sorts of interfaces for more business activities (so that might be of use to some). You then get back a URL you can give to your user to perform the verification. User fires that URL up and follows the steps (pic of ID, upload ID, etc). You can check the verification status either periodically or there is a webhook. It does look like it'd lend itself better to a "middleman" supplier model at least as the branding and templates are more customisable and generic.
Model is a "purchased credit" and I think you can spend the credits as you choose on their service (but need to confirm that). Selfie checks are about $0.20 and ID checks are $0.50 and you need to buy about $750 of credit to get going.
Not always the case, in this scenario you would likely be the sole director and therefore could be 'done' under neglect/wilful ignorance etc ' - 'consent and connivance' is the phrase.
On a different point, has anyone got an age check system working with Xen? If so, are you willing to share how and what?
I think @chillibear has - see above. Yes with the OSA a Limited Company makes no difference - you're still liable.
Thank you for clarifying it's Uk checks only. "So you'd allow rest-of-the-world adults and children to do what they want (if indeed rest-of-the-world children are out of scope of the act), but if you have a UK IP then you force them to do an age check and then restrict/grant the account as appropriate." That is interesting - and maybe is the case - that you only have to age check people from the Uk. However, there is a kind of moral/good faith element there maybe. If by any chance Ofcom did investigate or ask to see paperwork and you say you only age verify Uk people and children may view your sight - then it might be seen as not in good faith.
I think it is indeed a "leader" product as the next level paid for option seems to do the same check. So maybe they hook you in with the free product and then after a certain number of verifications they say - you're doing x number a month - would you like to upgrade. I have emailed them back with a few questions ...
I also think a lot of my members wouldn't have use of a banking app .............
I also looked into One ID's email based one - but that was the one where you needed to use Shopify I think and the shopify costs were yet another cost (not cheap) and limited to certain countries.
But yes I agree, the Shufti one is better. Except for the costs for me. Even if I was to pay the upfront $700, unless I charged people who registered, I would be paying for all the subsequent verifications/registrations myself. And even at 20c a registration - well costs would add up. I prefer a one off annual fee (like for Xenforo) rather than ongoing monthly costs. Even so $700 would give 3,500 registrations (if I've done my maths right lol) so I might never need to pay for any further registrations! So that could be worth considering - Unless there is a time limit for that upfront £700 to run out! Need to ask them that. Face ID wouldn't be too intrusive - unless it fails and I don't think anyone is going to want to go through the hassle of uploading ID.
It would take me two or three years to get up to that many registrations probably. I had about 850 registered members. So if that $700 is not time limited - I would seriously consider that as an option........
From my point of view, the Verifymy one was best and least intrusive - but just unaffordable - far too expensive. And still intrusive if you need to charge.
On a separate point - surely any site that has advertising would need to do a child risk assessment or have Age ID?
Last edited:
chillibear
Well-known member
I do indeed. Not used in anger yet mind you, but I see no reason why it wont work. I am just pondering reworking the code to be a little more generic now I've looked at the Shufti solution - I figure it would be nice to have a couple of providers supported even if I am not using them. Right now it was rather coded towards VeryifyMyAge since I signed a contract with them in January for age verification and I wanted "something" available just in case. I'd rather assumed there would be some add-ons by now to be honest. There is a Stripe one ($30 if I remember correctly) that uses Stripe Identify (£1.25 per check I think?) that has been around a while. From the description I think it would work for this purpose, but I've not bought it to try yet. I do have a company Stripe account, but I've not had time to try out Stripe Identity with my own code yet (it wouldn't work with my current solution).
Anyhow since my PHP is rusty and I don't know the XF framework and I wanted to just have "something" I wrote my solution in Ruby. It therefore interfaces with XF both directly via the database and via the XF API. The only writing to the DB is to store some state and generally where possible I've used the API to retrieve data to ensure any XF "magic" happens. There is a post somewhere upthread that outlines the approach, but the essence is simple (all fairly configurable):
- User "buys" a user upgrade (with address required).
- My script is running periodically and looking for users who have bought the said upgrade and are not already in my verified group. If it finds one it uses the data from the payment log (name/address) to kick off a verification process.
- The periodic script in addition to looking for new users checks the current state of any we have already started the process for. There are a few potential states: verified (the name/address is matched on databases (eg electoral role)) or failed, or a "we need more info" - in the case of the latter you get a URL which can kick off the whole AI selfie estimate / ID check / Credit check process. So for users in that state I send them an alert via XF with the link. Actually right now they also get the VerifyMyAge email as well, but I am trying to disable that - since it's a stock template that doesn't match my use-case well.
Developing an add-on assuming you know what you are doing is probably a few days work. Basically unless you are tying it in elsewhere in XF (eg custom menu option or as part of registration) hooking it as I've done seems easiest. Then you need to either decide to take the "polling model" (which seemed okay given I'm not high traffic) or a webhook model (which didn't make sense for my script sitting outside XF, but for an add-on would work neatly).
That's my fear even if "technically" one might be right (and I don't know that) I kinda feel if I'm going to this effort it should probably be at least for the moral reason rather than just to "tick a box" even if I think overall it'll have a negligible impact on the "Internet ills" overall.
Their email solution seemed unaffordable with the onboarding fee, but their general "product sales" type one is okay at £1 a check (does decrease with larger volumes). The licence agreement is a little restrictive - in that they have to be your sole supplier and so far I've found support to be very slow. However other than Stripe it is the only other pay-as-you-go one I've found so for now it's (VerifyMyAge) what I am using for now. So no up-front costs.
I guess you would have to consider what advertising you were showing to users you knew were children - to be fair if you didn't have many it might just be easier to not show any adverts!
Shufti say the upfront credits could be "unlimited" if you don't think you'll use them all in the first year. It's sounding more appealing. So I'd pay £550 upfront and then nothing more until the credits run out. Which could be three years or even longer on my forum. Which would be the equivalent of about £183 a year. Still to find but ........... Then there's the API to develop as a one-off cost.
Sorry @chillibear - posted at the same time.
What I wouldn't want to do is get the forum going again and then have funding issues in a couple of years time. Currently the annual running costs are between £500 and £600 a year. Donations about £150. I pay the rest myself. Adding another £183 equivalent per year could stretch things a bit. And I can't really rely on donations - it's not a huge forum. Advertising brought in pennies and didn't want the forum plastered with ads to try and increase that - which is why I went to annual donations instead. What I would consider is asking for a "voluntary" donation of say £3 after someone registers. Some would, some wouldn't, but they could simply pay via the forum paypal account then. No implementing needed.
But then if someone paid a one-off voluntary donation to be a member, they're not going to want to do an annual donation as well!
Have to say Shufti are very helpful and reply quickly. Another consideration is - rising prices in future. What if they bump the costs up in future?
@chillibear - yes I am surprised someone hasn't developed an addon yet, if it's just two or three days work. Presumably it would even be possible to develop an addon to verify age as well - although that would be a lot more work I think.
But then if someone paid a one-off voluntary donation to be a member, they're not going to want to do an annual donation as well!
Have to say Shufti are very helpful and reply quickly. Another consideration is - rising prices in future. What if they bump the costs up in future?
@chillibear - yes I am surprised someone hasn't developed an addon yet, if it's just two or three days work. Presumably it would even be possible to develop an addon to verify age as well - although that would be a lot more work I think.
Last edited: