Skip links

King Charles III signs off on UK Online Safety Act, with unenforceable spying clause

With the assent of King Charles, the United Kingdom’s Online Safety Act has become law, one that the British government says will “make the UK the safest place in the world to be online.”

The Online Safety Act, which began in April 2019 as the Online Harms White Paper when Theresa May served as Prime Minister (before Boris, Liz and now Rishi has the job) and was passed by Parliament in September, aims to tame the internet.

The law requires tech companies to prevent illegal content from being distributed on their platforms and to remove it when identified. It also seeks to prevent children from being exposed to harmful material, a goal that demands effective online age verification. And it allows for fines of up to £18 million ($21.82 million) or 10 percent of their global turnover, whichever is greater. It even includes the possibility of imprisoning executives whose companies fail to comply.

“This landmark law sends a clear message to criminals – whether it’s on our streets, behind closed doors or in far flung corners of the internet, there will be no hiding place for their vile crimes,” said Home Secretary Suella Braverman in a statement.

Concern remains that one particular passage, section 122 [PDF], allows Ofcom to demand that online service providers scan online communications, which would effectively disallow encryption.

That appears to be more politically aspirational than practical: Lord Parkinson, a Digital, Culture, Media and Sport minister, acknowledged that any encryption bypass would have to be technically feasible – something that has been tried for decades now with no progress because math doesn’t bend to political whims.

While there was a statement last month by Lord Parkinson of Whitley Bay that “There is no intention by the Government to weaken the encryption technology used by platforms…”, the Act’s language could still be interpreted in a way that precludes private communication.

A spokesperson for Signal told The Register that the company’s position, as articulated by CEO Meredith Whittaker last month, remains unchanged.

“Signal will never undermine our privacy promises & the encryption they rely on,” said Whittaker. “Our position remains firm: we will continue to do whatever we can to ensure people in the UK can use Signal. But if the choice came down to being forced to build a backdoor, or leaving, we’d leave.”

Off with the fairies

As with Disneyland’s claim to be “the happiest place on Earth,” the UK’s status as the ultimate internet safe haven should not be accepted without evidence, though measurements may commence once the rules take full effect at the end of 2026 – barring delays.

That’s unlikely to happen in full before the end of 2026.

Ofcom, the UK telecom watchdog, says it will begin consultation on illegal harms (e.g. terrorist content, child sexual abuse material, and fraud), the first of three codes of practice, on 9 November. Once that process concludes, Parliament must approve the illegal harms codes, an event expected to occur about a year from now.

In December, consultation will commence for a second set of codes covering child safety, pornography, and protecting women and girls. Final guidance for that set of rules isn’t due until early 2025, with Parliamentary approval and enforcement scheduled for Q3 2025, by which time the UK is almost certain to have a new government – given that the current one is about as popular as a rattlesnake in a piñata.

Finally, a third consultation will begin in Q2 2024 that address the duties of covered services, which will include the publication of transparency reports and the deployment of user controls, and eventually fraudulent advertising and transparency notices. That set of rules isn’t expected to come into effect until 2026.

X, the social media service formerly known as Twitter, recently cut content moderation staff, as did Alphabet, Amazon, and Meta. Compliance obligations for the Online Safety Act may reverse that trend. ®