Post · bonfire.cafe

@neil@mastodon.neilzone.co.uk · 2 days ago

A gentle reminder that, if you run a regulated user-to-user service within the scope of Part 3 of the UK's #OnlineSafetyAct, which falls within the requirement to put in place highly-effective age assurance (which does not apply to all services), you have just a few more days - until 25 July - to do so.

If you are not sure, start with a child access assessment, and then, if needed, a child risk assessment.

Most problematically, I have zero recommendations for a tried-and-tested, Free / open source, data protection compliant, age assurance system.

If you cannot implement age assurance, you might want to look at ways to lessen the risk, to escape the requirement.

Ret

@ret@furry.engineer · 2 days ago

@neil maybe worth mentioning blocking UK IP addresses, since that is one of the few approaches that Ofcom have said, with certainty, will satisfy them.

Richard Hughes

@hughsie@mastodon.social · 2 days ago

@neil in your humble opinion, does the LVFS at https://fwupd.org/ need to do anything? I can't imagine there are any children working at OEMs uploading firmware, although I guess kids could read the OEM-provided release notes of firmware updates provided to gnome-software.

Neil Brown

@neil@mastodon.neilzone.co.uk · 2 days ago

@hughsie

I'd need to understand some more about how the system works, who can upload what, what reviews take place etc., but, just based on what I know at the moment, my feeling is that any OSA-related risk is so incredibly low that doing anything about it at all would be disproportionate.

Neil Brown

@neil@mastodon.neilzone.co.uk · 2 days ago

@hughsie That said, if you want to chat it through with me at some point, then that is absolutely fine!

Richard Hughes

@hughsie@mastodon.social · 2 days ago

@neil I was erring on making two changes:
* Changing the usage agreement that each uploader agrees to "You are over 18 years of age"
* Put a section in the privacy policy basically talking about the OSA and that the risk has been considered to be almost zero.

ahnlak

@ahnlak@kavlak.uk · 2 days ago

@neil sadly, I suspect it's more a case of "you might *have* to look at ways to lessen the risk", rather than *wanting* to.

If you don't have the financial backing of Meta or Pornhub, hiring enough lawyers and techs to magic up this "highly effective" tool is pretty much impossible.

awoodland

@awoodland@fosstodon.org · 2 days ago

@neil have you looked at the legal basis that early adopters are relying upon in practice for the additional data processing yet? I'm struggling to work this out because there seems to be obvious flaws in pretty much anything I can come up with mentally. (Performance of contact seems like the least wrong one perhaps? But if I had a contract yesterday that you can't honour today that might start to stray into areas that would be "unfair")

Neil Brown

@neil@mastodon.neilzone.co.uk · 2 days ago

@awoodland

> the legal basis that early adopters are relying upon in practice for the additional data processing yet

Necessity to comply with a legal obligation, I should have thought?

awoodland

@awoodland@fosstodon.org · 2 days ago

@neil sorry yes, I always forget that one, it's normally only boring stuff like tax audits that it's relied on for.

Neil Brown

@neil@mastodon.neilzone.co.uk · 2 days ago

@awoodland It will depend on context, but it is used quite broadly in my experience. But that may just be down to the type of organisations with which I tend to work.

Luke Sheldrick // an0key 🤖

@an0key@chaos.social · 2 days ago

@neil self hosted fedi instance? Would they come under the scope?

Neil Brown

@neil@mastodon.neilzone.co.uk · 2 days ago

@an0key

There is an unresolved question whether a self-hosted, single-user, fedi instance falls within scope of Part 3 at all, in terms of the definition of "user".

The same issue would dictate whether there were any "child" users.

But, pragmatically, in terms of what I've seen from you and your own instance, I cannot see any credible argument that you would be required to implement age assurance.

Luke Sheldrick // an0key 🤖

@an0key@chaos.social · 2 days ago

@neil does a user need to be logged in?

If you had a single instance fedi instance full of spicy photos not fit for kids… they could still browse to it? Is how I was thinking of it.

Neil Brown

@neil@mastodon.neilzone.co.uk · 2 days ago

@an0key

If someone runs their own instance and posts their own pornographic content, I would - personally - work on the basis that Part 5 (the pornographic content specific rules) applies.

Neil Brown

@neil@mastodon.neilzone.co.uk · 2 days ago

If you run a porn site within the scope of Part 5, the requirement to have age assurance in already in place - this deadline is for Part 3 user-to-user services (which includes "tube" sites with user-generated/shared pornographic content.

mms :runbsd: :emacs: :c64:

@mms@mastodon.bsd.cafe · 2 days ago

@neil I wonder: how is porn defined there? Image/movies sure, but what about spicy fanfics?

Neil Brown

@neil@mastodon.neilzone.co.uk · 2 days ago

@mms If it is text only, then it is out of scope.

Jak2k 🇪🇺

@jak2k@mastodontech.de · 2 days ago

@neil @mms Let's encode the videos with base64… I mean, it's text!

mms :runbsd: :emacs: :c64:

@mms@mastodon.bsd.cafe · 2 days ago

@neil that’s kind of dumb, don’t you think? It’s not about exploitation of porn workforce, so what the difference?

Neil Brown

@neil@mastodon.neilzone.co.uk · 2 days ago

@mms

Text and images/video are already regulated differently, so continuing to treat them separately is no particular surprise.

e.g. one can readily buy "Fifty Shades of Gray" or similar offline, without any age verification, so requiring age verification online for the same content would be curious.

Daniel

@dan@axillae.telent.net · 2 days ago

@neil and yet, a major mindgeek property (the one with "hub" in its name) that I accidentally visited yesterday for research purposes merely has a popup that asks "are you 18?" . One law for them ...?

Terence Eden

@Edent@mastodon.social · 2 days ago

@dan @neil

Yes. https://www.telegraph.co.uk/business/2025/06/26/pornhub-strict-age-check/

NB, they haven't been MindGeek for a few years.

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate

bonfire.cafe: About · Code of conduct · Privacy · Users · Instances

Bonfire social · 1.0.0-rc.2.1 no JS en

Automatic federation enabled