UK's Online Safety Act

[MarkMLl]

So what will the people in Uk do about their government threatening online places they go to?
I guess the easiest solution from the standpoint of website owners is to block all uk ip addresses and compell uk residents to use vpn services which will likely become next target... then what? I’m glad I’m not from the uk ..

What it means in practice is that there are a whole lot of smaller, specialist forums which will block access to the UK, and since the average user hasn't got a clue about VPNs zhe will rely increasing on Facebook etc. who employ enough mealy-mouthed lawyers that they're difficult to sue.

Anybody who does try to use encryption to an out-of-jurisdiction endpoint risks having the security services come round, with the immediate result that all computers- even if they contain company accounts- being confiscated for investigation.

And that, quite frankly, is as it should be.

We cannot collectively hide behind the "brave new World" of an internationally-connected Internet on the assumption that the global community will get things right. It has to be local legislators who decide what is acceptable, not oligarchs in some backward transatlantic enclave: and if the local legislators foul up then it's the electorate's responsibility to sort things out sooner rather than later.

MarkMLl

[marcov]

Anybody who does try to use encryption to an out-of-jurisdiction endpoint risks having the security services come round, with the immediate result that all computers- even if they contain company accounts- being confiscated for investigation.

So https is outlawed now?

[MarkMLl]

Anybody who does try to use encryption to an out-of-jurisdiction endpoint risks having the security services come round, with the immediate result that all computers- even if they contain company accounts- being confiscated for investigation.

So https is outlawed now?

Potentially, to an endpoint outside jurisdiction, yes.

I'm not saying that's likely to happen in the short term, but ultimately it's the only possible way it can go: if a messaging (or banking etc.) facility wants to do business in a particular country then they will need a legal presence in that country (or at least in one with reciprocal treaties) so that their compliance with the country's laws can be verified.

It works both ways: you might not remember the enormous row when a British facility owned by an American company passed the server used by some European quasi-journalists to the FBI without the request having gone through a British court.

We've already got the situation where somebody who refuses to surrender a password can be imprisoned: even if he doesn't know the password. We've already got the situation where a paroled prisoner can be sent back to prison for clearing his browser's cache. And I'm not saying that other countries are any better... in fact most are worse since at least in the UK a court is supposed to be involved.

MarkMLl

[johnmc]

I hope the UK government has better things to do than pursue such forums as this!

Ofcom would need to have a lot of complaints before it got off backside to do anything and I think there are many more bigger targets for it to go after.

It may even be exempt, but only a lawyer could confirm that.

[MarkMLl]

I hope the UK government has better things to do than pursue such forums as this!

Ofcom would need to have a lot of complaints before it got off backside to do anything and I think there are many more bigger targets for it to go after.

It may even be exempt, but only a lawyer could confirm that.

Broadly speaking I agree. However the risk is that /if/ somebody decided to take a look and found that the service had been offered without any moderatorial procedures documented that would immediately cause a lot of trouble.

I'm not a mod and I'm not a lawyer, but my interpretation of the situation is that at the very least it has to be treated like ISO 9000: a one-para note saying "Our policy is that our service is unlikely to be abused by forum members so we don't have to take any further action." would be nearer compliance with the law than would having nothing at all on the record.

MarkMLl

[marcov]

Broadly speaking I agree. However the risk is that /if/ somebody decided to take a look and found that the service had been offered without any moderatorial procedures documented that would immediately cause a lot of trouble.

Or throw the users under the bus:

"The usage of this forum is at the discretion of the users to obey the laws in their respective jurisdictions".

[MarkMLl]

Broadly speaking I agree. However the risk is that /if/ somebody decided to take a look and found that the service had been offered without any moderatorial procedures documented that would immediately cause a lot of trouble.

Or throw the users under the bus:

"The usage of this forum is at the discretion of the users to obey the laws in their respective jurisdictions".

Yup (usual caveat that I'm not a lawyer): I think you have to have /something/ in place by the required date, even if ill-advised. However I'm not sure whether it has to be written for presentation to users: the important thing is an on-the-record procedure for managers and moderators which you can produce if challenged.

It's a bit like BS 5750 (the precursor of ISO 9000): you could in principle be compliant by having a Quality Assurance Manual that said "our measuring equipment is uncalibrated, we perform no incoming materials checks, we comply with no recognised standards during production, and we apply no Quality Control before shipping our product". But $DEITY help you if you were later found to have somebody checking that stuff worked before sending it out...

MarkMLl

[marcov]

Yup (usual caveat that I'm not a lawyer): I think you have to have /something/ in place by the required date, even if ill-advised. However I'm not sure whether it has to be written for presentation to users: the important thing is an on-the-record procedure for managers and moderators which you can produce if challenged.

It's a bit like BS 5750 (the precursor of ISO 9000): you could in principle be compliant by having a Quality Assurance Manual that said "our measuring equipment is uncalibrated, we perform no incoming materials checks, we comply with no recognised standards during production, and we apply no Quality Control before shipping our product". But $DEITY help you if you were later found to have somebody checking that stuff worked before sending it out...

In practice I think a jurisdiction defence (no representation in Brittain, nor do we explicitly target British users) would also be enough. The onus on the $UKGOV to prove otherwise is so big....

[MarkMLl]

In practice I think a jurisdiction defence (no representation in Brittain, nor do we explicitly target British users) would also be enough. The onus on the $UKGOV to prove otherwise is so big....

No: if the forum is /accessible/ from the UK, then you have to comply. The onus is on (collectively) /you/ to demonstrate that even a single para of procedures is in place by March: if HMG challenges you and you can't say "this is what we did before the required date", then you lose by default.

Look, I've been through some of this crap over the last couple of years: discovery (i.e. both parties digging out all relevant correspondence) is taken seriously, since if there is an agreed list of documents (which explicitly includes "social media postings", which is probably how discussion between forum moderators would be characterised) then the judge can read them in the comparative comfort of her chambers during the first day or so of the hearing.

If you can't produce some sort of policy document then you'll lose, you'll be fined, and (worse) you'll have to pay HMG's expenses.

If you can produce even a very vague policy document, then unless somebody's been induced to do something very illegal or (self-) abusive by discussion in the forum then you might get your knuckles wrapped but- with luck- no expenses order will be made.

MarkMLl

[marcov]

In practice I think a jurisdiction defence (no representation in Brittain, nor do we explicitly target British users) would also be enough. The onus on the $UKGOV to prove otherwise is so big....

No: if the forum is /accessible/ from the UK, then you have to comply. The onus is on (collectively) /you/ to demonstrate that even a single para of procedures is in place by March: if HMG challenges you and you can't say "this is what we did before the required date", then you lose by default.

If you are an UK citizen, sure. Because as a citizen you are supposed to be reasonably aware of the law.

But that is the point, we aren't in any way affiliated with the UK, so the HMG has no rights what so ever and can't compel us to do anything.

Now, it might be that there is some reciprocal arrangement that gives them jurisdiction in the EU or via interpol somehow, but to trigger anything, they would have to make quite some serious charges believable. And in such case, hollow phrases won't protect you either.

[Joanna from IRC]

It’s rather presumptuous of the uk government to make laws telling people located in other countries what to do with their websites {unless the british empire never ended....}

There are other options whereby they could simply not allow ordinary citizens to access foreign websites. Or they could block access to foreign websites. That would be a lot of work preventing access on a case by case basis. Better to go with the North Korean style isolationist option 

[MarkMLl]

I'm /so/ sorry Joanna, I forgot: only America can do that.

And only America can extract civilians in a hurry after they've killed somebody by driving on the wrong side of the road.

"American Exceptionalism" at its finest.

MarkMLl

[MarkMLl]

If you are an UK citizen, sure. Because as a citizen you are supposed to be reasonably aware of the law.

But that is the point, we aren't in any way affiliated with the UK, so the HMG has no rights what so ever and can't compel us to do anything.

Now, it might be that there is some reciprocal arrangement that gives them jurisdiction in the EU or via interpol somehow, but to trigger anything, they would have to make quite some serious charges believable. And in such case, hollow phrases won't protect you either.

Suit yourself, but I think you're being unwise.

MarkMLl

[Khrys]

In practice I think a jurisdiction defence (no representation in Brittain, nor do we explicitly target British users) would also be enough. The onus on the $UKGOV to prove otherwise is so big....

No: if the forum is /accessible/ from the UK, then you have to comply.

This is such nonsense legislation. They should stay in their territory when enforcing their rules. What would stop a site owner from shifting the blame to British ISPs, which actually are under HMG's jurisdiction and could very well simply block access to non-compliant sites?

[marcov]

From https://www.nortonrosefulbright.com/en-nl/knowledge/publications/0b658a5a/online-safety-act:

Geographically, the OSA applies to U2U and search services having links with the UK (whether provided from the UK or not). This generally means that the service has a significant number of UK users, or UK users form one of the target markets for the service (or the only target market). The OSA does not set out how many UK users is considered “significant”

If, in the OfCom checker you answer the first question "link with the UK" false, then checker immediately stops.