On the 5th July, the government introduced an amendment to the Online Safety Bill to strength Ofcom's powers in relation to Child Sexual Exploitation and Abuse (CSEA).
The amendment will grant Ofcom, the UK’s regulatory authority for telecommunications, additional powers to ensure technology companies take action to identify, remove and prevent users from encountering child sexual abuse and exploitation (CSEA) content.
How will this amendment strengthen the Bill exactly?
Under the current Bill, where necessary and proportionate, Ofcom can issue a Notice requiring individual companies to use accredited technology to identify and remove illegal CSEA content, including on private communications.
However, where existing technologies are not effective or compatible on a given platform, then it is critical that Ofcom should have the power to require companies to address the harm.
As a result of this amendment, it will not be sufficient for companies to state that they cannot deploy an accredited technology because it doesn’t work with the functionality of their platform. This amendment will now give Ofcom the explicit power to require companies to make proportionate changes to enable them to use accredited technology.
Where technology does not exist or a company is unable to use accredited technology, Ofcom will now have an additional power to require a company to use best endeavours to develop/source and deploy technology that works with their platform. This amendment therefore ensures that companies are taking the necessary steps to tackle the harms occurring on their platforms. It will also deliver a flexible approach allowing companies to innovate and to use the best-fit method of tackling CSEA.
If they fail to do so, Ofcom will be able to use enforcement measures, including imposing fines of up to £18 million or 10% of the company’s global annual turnover - depending on which is higher.
We are also amending the current wording in the Bill so that Notices can require a company to use tools to prevent individuals from encountering content, in addition to identifying and taking down content, as is appropriate.
What does ‘best endeavours’ to develop and/or source technology look like?
‘Best endeavours’ describes the steps the provider would be expected to take to comply with the Notice. The steps required to demonstrate ‘best endeavours’ must be proportionate; Ofcom will have examined the circumstances and requirement for a notification on a case-by-case basis before setting out steps the company should take in a notification.
Before issuing a Notice, Ofcom would be expected to enter into informal consultation with the company, and/or exercise information gathering skills to gather evidence to demonstrate whether a Notice is necessary and proportionate. This consultation period will assist in establishing what a Notice to develop tech may require and what the appropriate criteria would be for how the company will make best endeavours.
We are also amending the skilled persons report provisions, so that Ofcom can rely on third party experts to make an assessment about the risks and what technical mitigations would be suitable.
When Ofcom issue a Notice, it will set out what best endeavours looks like (i.e., the steps the provider would need to take). These steps should be proportionate and based on engagement between Ofcom and the company.
Ofcom will judge that the company has made best endeavours by assessing how the company has complied with the steps set out in the Notice.
Why are we making this amendment?
Online child sexual exploitation and abuse is an appalling crime that we are committed to stamping out. These changes will help ensure that there are no safe spaces for offenders online.
Platform design has a significant impact on a company’s ability to detect CSEA. It is critical that Ofcom should have the power to require companies to develop and/or source tools to address this harm. Through providing clarity on our high levels of expectation, this amendment will help ensure companies build/source and implement solutions to tackle CSEA which are effective and proportionate on any part of their service, including before the content has been fully uploaded, if necessary.
The Bill as it is currently, is silent on whether Ofcom could expect a company to make changes to ensure the deployment and integration of relevant accredited technologies. Our amendment provides clarity that Ofcom can require companies to do that.
If there are currently no tools available to detect CSEA on a given platform or a company is unable to use those tools, it is critical that Ofcom should have the power to require companies to develop tools to address this harm. Through providing clarity on our high levels of expectation, this amendment will help ensure companies build and implement solutions to tackle CSEA which are effective and proportionate.
Ofcom could expect a company to make alterations to ensure their service is compatible with the required accredited tools. There is no explicit requirement or incentive for companies to source or develop technologies to detect CSEA if they are unable to do so due to a certain design choice, such as end-to-end encryption (E2EE).
Will the amendment ban end-to-end encryption?
These powers are designed to be technology neutral. They do not represent a ban on any specific type of technology or design, including E2EE. They align with the UK Government’s view that online privacy and cyber security must be protected, but that technological changes should not be implemented in a way that diminishes public safety. It will ensure a flexible approach so that companies can use their expertise to develop or source the most effective solution for their service.
What is the government’s position on privacy and end-to-end encryption?
The government is pro-privacy and a supporter of strong encryption, including E2EE, when it is used responsibly. The responsible implementation of encryption is a vital part of our digital world.
However, the implementation of E2EE in a way that intentionally blinds companies will have a disastrous impact on child safety. E2EE, without adequate child safety measures in place, risks blinding companies to the abuse of children occurring on their platforms. And it will also prevent law enforcement from accessing the critical information that is required to ensure children are safeguarded from abuse, and those who seek to abuse them are brought to justice.
Our view is that it is possible to implement E2EE in a way that ensures our children remain safe online, whilst persevering the right the privacy. Last year the government launched the Safety Tech Challenge Fund to encourage innovation and support the development of new tools that could detect and address CSEA content without breaking or weakening E2EE. Companies can also choose to innovate by investing in the development of technical solutions that will tackle CSEA content appearing on their platform, or their service being used by offenders to commit these awful crimes.
Ofcom will not have the power to ask platforms to stop using E2EE or prevent them from using E2EE, either under existing powers in the Bill or as a result of the proposed amendment. The amendment will instead give companies the flexibility to use the best-fit method of tackling CSEA, which works on their platform.