Tech firms must use a range of measures to protect their users from illegal content online – from child sexual abuse material and grooming to fraud – under detailed plans set out by the new online safety regulator.

Ofcom is exercising its new powers to release draft Codes of Practice that social media, gaming, pornography, search and sharing sites can follow to meet their duties under the Online Safety Act, which came into law in October 2023.

Ofcom’s role will be to force firms to tackle the causes of online harm by making their services fundamentally safer. Its powers will not involve it making decisions about individual videos, posts, messages or accounts, or responding to individual complaints.

Firms will be required to assess the risk of users being harmed by illegal content on their platform, and take appropriate steps to protect them from it. There is a particular focus on ‘priority offences’ set out in the legislation, such as child abuse, grooming and encouraging suicide; but it could be any illegal content.

“Regulation is here, and we’re wasting no time in setting out how we expect tech firms to protect people from illegal harm online, while upholding freedom of expression,” stated Dame Melanie Dawes, Ofcom’s Chief Executive. “Children have told us about the dangers they face, and we’re determined to create a safer life online for young people in particular.”

Combatting child sexual abuse and grooming

Protecting children will be Ofcom’s first priority as the online safety regulator. Scattergun friend requests are frequently used by adults looking to groom children for the purposes of sexual abuse. Ofcom’s new research sets out the scale and nature of children’s experiences of potentially unwanted and inappropriate contact online.

Three in five secondary-school-aged children (11-18 years) have been contacted online in a way that potentially made them feel uncomfortable. Some 30 per cent have received an unwanted friend or follow request. And around one in six secondary-schoolers (16 per cent) have either been sent naked or half-dressed photos, or been asked to share these themselves.

“Our figures show that most secondary-school children have been contacted online in a way that potentially makes them feel uncomfortable,” advised Dawes. “For many, it happens repeatedly. If these unwanted approaches occurred so often in the outside world, most parents would hardly want their children to leave the house. Yet somehow, in the online space, they have become almost routine. That cannot continue.”

Given the range and diversity of services in scope of the new laws, Ofcom is not taking a ‘one size fits all’ approach. Ofcom is proposing some measures for all services in scope, and other measures that depend on the risks the service has identified in its illegal content risk assessment and the size of the service.

Under Ofcoms draft codes, larger and higher-risk services should ensure that, by default:

• Children are not presented with lists of suggested friends;
• Children do not appear in other users’ lists of suggested friends;
• Children are not visible in other users’ connection lists;
• Children’s connection lists are not visible to other users;
• Accounts outside a child’s connection list cannot send them direct messages; and
• Children’s location information is not visible to any other users.

Ofcom is also proposing that larger and higher-risk services should:

• use a technology called ‘hash matching’ – which is a way of identifying illegal images of child sexual abuse by matching them to a database of illegal images, to help detect and remove child sexual abuse material (CSAM) circulating online; and
• use automated tools to detect URLs that have been identified as hosting CSAM.

All large general search services should provide crisis prevention information in response to search requests regarding suicide and queries seeking specific, practical or instructive information regarding suicide methods.

“Today marks a crucial first step in making the Online Safety Act a reality, cleaning up the wild west of social media and making the UK the safest place in the world to be online,” commented Michelle Donelan, Science, Innovation and Technology Secretary.

“Before the Bill became law, we worked with Ofcom to make sure they could act swiftly to tackle the most harmful illegal content first. By working with companies to set out how they can comply with these duties, the first of their kind anywhere in the world, the process of implementation starts today.”

Fighting fraud and terrorism

The draft codes also propose targeted steps to combat fraud and terrorism. Among the measures for large higher-risk services are:

• Automatic detection. Services should deploy keyword detection to find and remove posts linked to the sale of stolen credentials, such as credit card details. This should help prevent attempts to commit fraud. Certain services should have dedicated fraud reporting channels for trusted authorities, allowing it to be addressed faster.
• Verifying accounts. Services that offer to verify accounts should explain how they do this. This is aimed at reducing people’s exposure to fake accounts, to address the risk of fraud and foreign interference in UK processes such as elections.

All services should block accounts run by proscribed terrorist organisations.

More broadly, Ofcom is proposing a core list of measures that services can adopt to mitigate the risk of all types of illegal harm, including:

• Name an accountable person. All services will need to name a person accountable to their most senior governance body for compliance with their illegal content, reporting and complaints duties.
• Teams to tackle content. Making sure their content and search moderation teams are well resourced and trained; set performance targets and monitor their progress against them; and prepare and apply policies for how they prioritise their review of content.
• Easy reporting and blocking. Making sure users can easily report potentially harmful content, make complaints, block other users and disable comments. This can help women avoid harassment, abuse, cyberflashing, stalking, and coercive and controlling behaviour.
• Safety tests for recommender algorithms. When they update these features, which automatically recommend content to their users, services that carry out tests on them must also assess whether those changes risk disseminating illegal content.

Next steps

Over the last three years, Ofcom has been gearing up for its new role by assembling a what it describes as a “world-class” team, led by Gill Whitehead. Ofcom has also been carrying out an extensive programme of research, engaging with industry, collecting evidence to inform Ofcom’s Codes and guidance, building relationships with other regulators in the UK and overseas, and regulating video-sharing platforms.

Ofcom has additionally published a set of draft instruments which, once finalised, will form the basis of pioneering online safety regulation in the UK. As well as the Codes of Practice for online services, these include guidance and registers relating to risk, record keeping and enforcement.

Ofcom is now consulting on these detailed documents, hearing from industry and a range of experts as it develops long-term, final versions that it intends to publish in autumn 2024.

Services will then have three months to conduct their risk assessment, while Ofcom’s final Codes of Practice will be subject to Parliamentary approval. Ofcom expects this to conclude by the end of 2024, at which point the Codes will come into force and it can begin enforcing the regime. Companies who fall short will face enforcement action, including possible fines.

Fully implementing the new online safety laws will involve several phases, including:

• Later in 2023, Ofcom will propose guidance on how adult sites should comply with their duty to ensure children cannot access pornographic content.
• In spring 2024, Ofcom will publish a consultation on additional protections for children from harmful content promoting, among other things – suicide, self-harm, eating disorders and cyberbullying.

Other posts by Colin Mann:

1. Analysis: SVoDs drive $220bn content spend
2. A TikToking clock heading towards regeneration – or not?
3. European pay-radio: Getting ready

Categories: Articles, Business, Policy, Regulation, Standards

Tags: Dame Melanie Dawes, Michelle Donelan, Ofcom