UK Online Safety Regulations and impact on Forums

As mentioned in the thread, I met with my local MP and discussed a range of issues and highlighted concerns.

They have heard back from OFCOM, via a letter from the Chief Exec.

A section is below, hopefully to help others, and to get further feedback from anyone interested in sharing it publicly or privately:

This bit has been mentioned before in other documentation, and it does sound reassuring, but it's hard to know whether to trust them with such vague things as "proportionate and appropriate" when they also cited costs for compliance for small sites would be "negligible to the small thousands". Their idea of a small fine might be a lot bigger than mine!

I can't see why any well-run site with good addons etc in place, would fall foul of the act - the issue might be if some disgruntled person decided to make a malicious report - eg say they had been bullied off the forum - or even something nastier. Because unfortunately in this world, angry people do do unpleasant things to cause trouble sometimes. Which could trigger an investigation. And that would be stressful. If they talked about numbers - eg - a small site complying in good faith that has not had a problem won't be fined or there would be a maximum of £100 - then that would be more reassuring!

"in most cases, give them an opportunity to remedy the situation before moving to any formal action. We will take a reasonable approach to enforcement with smaller services that present low risk to UK users, only taking action where it is proportionate and appropriate."


I'm remembering a car situation once when I was younger! Car had an MOT but clearly wasn't roadworthy as police found a bit hanging off the bottom (I wasn't aware of this - had just bought it). While I was driving it "in good faith" having recently bought it with an MOT - police came round and gave me two options - repair or scrap it. One option they would prosecute me, the other they wouldn't. But wouldn't say which course of action led to prosecution. So at a rough guess I said - ok I'll scrap it. Police said - good - so I won't be prosecuting you then.

I know it's not perhaps a good analogy, but if being investigated means leading to closing down or a big fine .............. Just how big would the fine be? If Ofcom receives a complaint, they are supposed to follow it up and give a response - as they do for other areas where people submit complaints. That's their job - to process complaints (as well as now enforcing breaches of the OSA).
 
Actually it is quite quick if you have your details to hand. You get a one use code at the end that you can share. The recipient needs the code and the last eight digits of your licence. They can then enter these on another Gov page and they get a summary of the licence. Noting that it does give the full name of the driver. Otherwise it's all stuff useful if you were renting a car, but no other personal information (like DoB or address). It'll obviously say if the licence is provisional or not. So if not you can further assume the driver is at least 17. Anyhow it's not really intended for this, but it was something I knew about so mentioned.

That's not quite how it seemed to work during my trial. You could combine methods, but then they were chained together. Certainly when I was trying estimation only - that's all I got offered. I'd clarify with them to be sure. I'd also check the costs - estimation was the cheaper, but ID scans were more expensive. So even if it does "fall back" to that you might find your costs increase.


Indeed. Fundamentally the issue with any age-verification system. There are some where the checker simply gets a yes/no to the 18+ question, those do protect the privacy of the user from the forum site, but obviously not to the company doing the checks. Things like the Yoti/EasyID digital ID can offer that, but you have to accept giving your soul to that (the checking) company.

Even whilst trialing the systems I instinctively did not want to use my own ID or face! :) Obviously Facebook fall under the same regulations, but they could tackle them via tools and moderators (and lawyers) instead. I think they do use Yoti however, but presumably not universally. The above example of the NI/Driving licence doesn't share those numbers with the end-website (ie the forum) it's only the Gov pages you input the data to (and they already know it!), but as mentioned the end-website would get a full name and 8 digits of your licence (along with knowing what you can drive, etc!).

From my testing it's a mix between the third party checking systems as to what data is retained and accessible. So Shufti for instance handled all the acquisition of the data - the forum wouldn't be anywhere near uploading scans of ID or anything like that, but in the backend for Shufti I can see a full picture of the ID, etc so I had more data than I needed. VerifyMyAge doesn't keep anything like that at least, but with the API I am using I need to submit name/address so the forum does have that information (via Paypal) it needs to eventually destroy (noting that a normal delete user does not clear the data out of the payment log). I get the impression the OIDC based flows (like OneID) probably don't retain any information. I do rather wish the UK gov had built in OIDC age checking ahead of this act into things like HMRC, DWP and DVLA, etc. That would have been rather sensible to offer free checking. Although even then do I want the UK gov to know which websites I am registering with?

As a slight aside I know we were speculating about the mobile phone age checking and how that worked and if it was vulnerable to adults just giving children phones that are in their name. The Ofcom documentation says:

So certainly potentially limited veracity to the UK if nothing more. I'm still not quite sure I totally like the solution, an adult might well want to prove they are an adult, but might still want the content filter on their phone! Anyhow I thought I'd mention it since I was speculating a bit upthread and I'd forgotten that.
Thanks @chillibear - it is really helpful that someone has looked into it all so much and even trialled some of them. I also think I wouldn't like the Face ID thing myself - but as long as it was clear it didn't keep any photo and was just scanning ..... it wouldn't bother me.

So are you saying that Shufti do actually store data from the Face Scans? Or rather your implementation stores data? So in addition to email addresses, a forum could be storing image and age data?
 
So are you saying that Shufti do actually store data from the Face Scans?
I think they do; their privacy policy says:
To provide our identity verification services, we may collect, process, and retain personal data, including biometric and identity document data. This includes using such data for:

  • Training algorithms to improve verification processes.
  • Fraud prevention and detection.
  • Enhancing the overall efficiency of identity verification services.

We may retain this data for reusable identity services like Fast ID for current and future verifications, provided the user has granted explicit consent for such purposes.
And you can see the selfies in the backend (you can delete the data there) so they evidently hang around a while (maybe there is a setting to clear them out automatically after a while?).

You have to consent to them processing your data to do any verification (little checkbox which says something like "I'm 16+ and agree to everything"). I was going to clarify with the sales rep to see what she said. Some of the documentation talks about checking selfies for duplication - which also suggests they keep either the image or possibly much more likely the biometric data extracted from the image (which would be vastly more efficient storage wise). Less keen on that to be honest. I wonder how it's all handled GDPR wise, I expect they have lawyers - but what happens if you request your data is removed. How do they identify your biometrics - unless you supply more biometrics - I guess? Anyhow OSA is enough of a bear without getting into GDPR again!

As mentioned in the thread, I met with my local MP and discussed a range of issues and highlighted concerns.
Robt, thank you so much for taking the time to do this. Much appreciated. At least the letter is from the CEO so that is somewhat reassuring. I still find it bizarre that the guidance still isn't ready along with the tools to support it. The three months from publication seems like such a short timeframe to implement things, which leaves everyone speculating somewhat. Anyhow good to read the response. Thanks again.
 
As mentioned in the thread, I met with my local MP and discussed a range of issues and highlighted concerns.

They have heard back from OFCOM, via a letter from the Chief Exec.

A section is below, hopefully to help others, and to get further feedback from anyone interested in sharing it publicly or privately:
So their Protection of Children Statement will be issued later this month with further guidance (I hope it's much clearer than the last lot!). But the child risk assessment tool won't be available until the Summer - which seems odd if you're supposed to have done a child risk assessment and be compliant by July .........................

And that is a lot of waiting around and uncertainty to know what to do meanwhile.
 
@chillibear do you know the costs for the phone check age assurance from Verifymy please? Seeing as that one seems less obtrusive. Although I don't remember having to take off a filter and prove my age on my phone contract?! Again some people might not want to reveal their phone number though. Which is why I thought the email checking was better (but only 84% success rate and too expensive).

 
On another note, maybe that is why google and Facebook push you hard to add a phone number to your account now. Perhaps they are using that to verify age ....
 
I think the mobile phone checking option is definitely out as far as I'm concerned. I logged into my phone account and I still have the age restricted content bar ON. Now maybe when I first got the contract, an option came up to turn it off and I didn't bother, but I don't remember. And as I have a sim only plan it carries on year after year without a change of contract.

I would think many adults would be classed as under 18.
 
do you know the costs for the phone check age assurance from Verifymy please?
I don't sorry, I'd expect there to be an onboarding fee if they were charging one for email. I suspect there isn't for the system I'm using because all the onboarding was automated. The OneID solution was global as far as phone checking went and their site seems to imply it might be 16p a check. Although I'd drop them a line to confirm that as it's really not clear.

What I really need to get my head around is the UK/Non-UK scope and if I can take advantage of that.
 
Thank you. I've ruled out the phone checking anyway, as mentioned above, because I think it would have multiple fails, registering adults as under 18s (seeing as my own phone contract doesn't have the adult filter turned off).

I've emailed One ID again to ask if their free solution stores any data. That was the one where people login to their banking app to verify their age. They had three solutions that all sounded similar. The second two were paid for and different price points. From what I can establish, the difference is how much user interaction is needed.

The free one they have to do a lot more themselves - ie press a button on the forum page, follow instructions, log in to a banking app and then agree for the bank to share their age. And it only verifies age. The other two verify a lot more identity which might be why they are paid for.

The second one they have two options - one is the phone check and the other is the bank check as above. It verifies name and address as well. 35p per check (based on less than 100 verifications a month).

The third paid for option, sounds the same as the first one, but I think bank checking goes on in the background seamlessly so more user friendly apparently, but they still have to log in to their bank account. But more expensive of course. Also provides name address and whether 18 plus, 21 plus or 25 plus. 78p per check.

The price per check goes down the more verifications you have per month.

Those three solutions are called

Age Check 18+ (the free one)
Age Verification (35p)
Age Assure (78p)

So the free one is the only one that just verifies someone is over 18 with no other identity info shared.

This is the free one here - it suggests data is secure. It could be fairly simple for anyone with a banking app on their phone - just like logging into various google sites asks you to open the youtube app to verify it's you by tapping on something. The downside would be if someone doesn't use a banking app or online banking at all.

For example I have a banking app. I just need to put a code in to sign into my banking app. What I can't work out is how one id sends a notification that shows up in your banking app unless they know your name and account number - that bit is a bit vague.


I've also emailed Yoti again to ask if they can consider different pricing points for non profit making sites - and also mentioned that there are potentially a lot of forums looking for age ID and if there was a group, would they consider a different price point also. But to be honest I think it's a no go as their pricing was so high to start with (£200 a month). I think that might be for 100 to 500 verifications a month though so I've also asked for the cost of 100 or less verifications a month.
 
Age verification can obviously work for registered members, but doesn’t the legislation apply to all users of a site, not just logged in members?

So age verification is useful when guests cannot view - or is it useful for members when they cannot use DMs?
 
I interpreted it (Not a Lawyer!) that when a user was logged out - for them the site was not user-to-user and the Act did not apply. At that point the site is just published conversations (which have hopefully been moderated), so no different from any "standard" website. I really don't see how any site could hope to know if a random IP address has a child or vulnerable person at the other end of it. That said I don't intend to have anything on the site that breaks the 17 core woes so hopefully all good either way.

Now having typed that it's given me an idea for an add-on... What about a system where replies and new threads and so forth could be read by members, but were hidden from guests for 'X' hours/minutes. That would certainly reduce the fallout of any rogue bad posting (spam or worse) to just your members initially and hopefully you'd clean it up before the public at large saw it. Would it matter much if someone who is just a reader is a few hours or even a day behind on posts? Quite possibly not unless your content is very much current affairs. Anyhow just a random thought for something that might help with reputation saving.
 
I think unless you are doing a site with lots of current event discussion your Google indexing is probably never that close to being realtime... say you had a lag of 12 hours - odds are if you were on your site daily then you'd have time to splat something dreadful before it went public-public, but without annoying members (even new ones - which I think generally puts off new members) by having all their stuff sat in approval queues. I can't imagine a lag like that would make any noticeable difference in Google, but then again I've never really been into my SEO optimisation!
 
I think unless you are doing a site with lots of current event discussion your Google indexing is probably never that close to being realtime... say you had a lag of 12 hours -
You may well be right, but I wouldn't like to second-guess Google. I have seen posts go up pretty quickly.
 
but were hidden from guests for 'X' hours/minutes
Actually thinking about it - you could just tweak the thread_view template to have a block in like:
PHP:
<xf:if is="($xf.time - $post.post_date) > (3600 * 12) || $xf.visitor.user_id">
  <xf:comment>Show to members or guests if the post is 12+ hours old</xf:comment>
<xf:else/>
  <xf:comment>Hide from guests if the post is less than 12 hours old</xf:comment>
</xf:if>
Granted nicer to do an add-on to make the time configurable. You'd probably also need to consider the thread list and what's new, etc to do a proper job. Anyhow I'm drifting off topic!
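
The same rule as a standalone Python model, added here as an illustration and not part of the original post or of XenForo: it applies the delay to the thread view and also to a thread-list summary, so the reply counts and last-post data shown to guests are built only from posts they can see. The data model, the function names, the sample posts and the convention that user_id 0 is a guest are assumptions.

```python
from dataclasses import dataclass

GUEST_ID = 0          # assumption: user_id 0 means a logged-out guest
DELAY = 12 * 3600     # same 12-hour window as the template check
NOW = 1_700_000_000   # constructed "current time" for the sample data


@dataclass(frozen=True)
class Post:
    post_id: int
    thread_id: int
    post_date: int    # Unix timestamp


def can_view(post, viewer_id, now=NOW, delay=DELAY):
    """Members see every post; guests only see posts older than the delay."""
    if viewer_id != GUEST_ID:
        return True
    return (now - post.post_date) > delay


def thread_view(posts, thread_id, viewer_id, now=NOW, delay=DELAY):
    """Posts of one thread, oldest first, filtered for this viewer."""
    own = sorted((p for p in posts if p.thread_id == thread_id),
                 key=lambda p: p.post_date)
    return [p for p in own if can_view(p, viewer_id, now, delay)]


def thread_list(posts, viewer_id, now=NOW, delay=DELAY):
    """Forum index rows computed from visible posts only.

    A thread whose first post is still inside the delay is omitted for
    guests, and reply_count / last_post_id never reflect hidden posts.
    """
    rows = []
    for thread_id in {p.thread_id for p in posts}:
        visible = thread_view(posts, thread_id, viewer_id, now, delay)
        if not visible:
            continue  # new thread, nothing public yet
        rows.append({
            "thread_id": thread_id,
            "reply_count": len(visible) - 1,
            "last_post_id": visible[-1].post_id,
            "last_post_date": visible[-1].post_date,
        })
    return sorted(rows, key=lambda r: r["last_post_date"], reverse=True)


# Constructed sample: thread 1 has an old post, a 13-hour-old reply and a
# 1-hour-old reply; thread 2 was started 2 hours ago.
POSTS = [
    Post(1, 1, NOW - 48 * 3600),
    Post(2, 1, NOW - 13 * 3600),
    Post(3, 1, NOW - 1 * 3600),
    Post(4, 2, NOW - 2 * 3600),
]
```

A guest listing built this way shows thread 1 with one reply and omits thread 2 until its first post is more than 12 hours old.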
 
Yes it's all about whether a child can view the site, not just registered members or users. I assumed it would need to be limited viewing for guests. Previously I had the addon that limited them to 2 or 3 guest views before being asked to register anyway. So I already had limited guest viewing. It depends on the site, but that worked well for mine as many people just wanted to read articles and go, but by registering it often led to them posting questions after reading the articles.

But I see your point - how would it not still need a child risk assessment even if you have age verification? The way I read it, that is a flaw in the guidance. Because if you have age verification for registering then you don't have to do a child risk assessment so guest viewing doesn't count. Which is silly and defeats the object.

It does state though - you need to do a child risk assessment unless you have age verification. So viewing as a guest doesn't seem to count. They are not interacting with the site.

Guests just set to viewing only presumably. I did have guest commenting on my home page articles, which always went for manual moderation anyway. But could turn that off.
 
My emails from them say 870 checks for £200.
Maybe they just say £200 a month across the board then?! If I initially asked how much for 100 to 500 a month. I've emailed them now asking for a price for under 100 a month. Maybe it'll be even higher lol.
 
Just had a great response from someone at One ID though, about the free solution. No min or max limit on registrations. They don't store any data at all. (Although our site might store data so it would be up to the site to deal with storing or deleting data). The two paid for versions are for people who want more information than just age - ie full identity info.

It sounds like it doesn't even matter if they do online banking or not. An option comes up to choose their bank, this opens an app. It sounds like the one id app links with all banks. I'm getting more keen on the idea. All people would be doing is giving their bank consent to reveal their age.
 
Actually I'm quite excited about it. He sent a video showing the user journey. User taps to agree to share data. (presumably you could have a message appear first saying - the only data shared will be your age). They then choose their bank from a list. A window opens showing their age or dob and they tap to agree to share it. And that's it. The age is then sent to the forum (somehow).

So presumably then the only cost would be paying someone to implement an API for the forum. And the API would need to be set up to say if it's this then accept registration (presumably).
 