Update 2023-01-17: note that this relates to last week’s amendment. We are expecting a new, government, amendment, this week. My comment does not relate to that, if only because I have yet to see it!
I was asked to comment this morning about the UK’s Online Safety Bill, and the proposed criminal offence (see “NC2”), and its impact on individuals, volunteers, community groups and the like.
I’ve written before about the Online Safety Bill in the context of Free / open source software development, but this is slightly different.
Here’s what I sent back, in full - if anything gets published, I’d expect it to be but a snippet:
Of the 15 duties the bill would seek to impose on providers - including individuals, community groups, and small businesses - of regulated user-to-user services, eight apply to all providers, including the duty subject to the proposed criminal offence.
Fewer than half of the duties apply solely to providers of “Category 1 services”.
The bill, and the amendment, would impose pages of duties on someone who, for fun, runs an ActivityPub server (Pleroma, PeerTube, Mastodon etc.) for their family or local hackspace, or an interactive gaming server, hanging the threat of criminal liability over their heads if even their own children might use the services.
Simply saying “you are right, but the CPS just won’t prosecute them” is of limited comfort.
This appears to be by design, as the bill has a schedule of exceptions.
For example, “internal business services” are out of scope, but someone running identical services for their friends and family, or a local community group, is in scope.
Email and SMS are out, but someone running a chat system (Matrix, XMPP, irc) for their friends or their Free / open source software project, or a forum (e.g. Discourse) for their local gardening club to share planting tips and photos, is in.
Limiting the scope of the bill to the major commercial operators with multi-million pound turnover would not be a panacea - the bill’s cracks run deeper than this one issue - but it would remove the burden and threat to hobbyists and volunteers.
I went on to say:
… [T]he approach taken by the Online Safety Bill to individuals sits inconsistently with existing law.
For example, the UK’s data protection framework, which already excludes completely the processing of personal data by an individual in the course of a purely personal or household activity , and the obligations in the UK’s eCommerce regulations apply only to online services with an economic context.
I was asked if I could explain the criminalisation amendment a bit and simplify some of the references, so I offered two tweaked paragraphs:
Of the 15 duties the bill would seek to impose on providers - including individuals, community groups, and small businesses - of regulated user-to-user services, eight apply to all providers, including the duty subject to the proposed criminal offence which has at least 10 detailed obligations relating to child protection.
The bill, and the amendment, would impose pages of duties on someone who, for fun, runs
an ActivityPub server (Pleroma, PeerTube, Mastodon etc.)their own social media or photo/video sharing server for their family or local hackspace, or hosts a multi-player game which lets players chat or see each other’s content or creations, hanging the threat of criminal liability over their heads if even their own children might use the services.
I received a follow-up question:
Is there any reason to think that the amendment just applies to Category 1 services?
And my response:
Not as currently drafted, no.
Subsection 1 of the amendment says “The provider of a service to whom a relevant duty applies commits an offence if the provider fails to comply with the duty.”
Subsection 4 of the amendment says “In this section, “relevant duty” means a duty provided for by section 11 of this Act.”
Clause 6(4) of the bill (not the amendment) says: “All providers of regulated user-to-user services that are likely to be accessed by children must comply with the following duties in relation to each such service which they provide … (b) the duties to protect children’s online safety set out in section 11.
So quite clear to my mind that, as currently drafted, the criminal offence is broad in scope, and not limited to Category 1 services.