The Online Safety Act – implications for online service providers

How can providers of ‘user-to-user’ (‘U2U’) and search services better protect their users from the significant harms that illegal online content can cause? Ofcom published detailed proposals on this. OneID® believes these proposals are timely and welcomes them.

For too long, the internet has been a ‘wild west’ where criminals and harmful behaviour are allowed to flourish. Not knowing who you’re interacting with online is a key enabler of this ‘anything goes’ culture of the internet. With the new Online Safety Act (OSA), the UK has taken a major step towards taming the wild beast that is the internet into a platform we can use without worrying about what our kids are seeing online, who they are chatting to, and whether we are going to lose money on transactions. As an added bonus it will enable us to ‘turn off the trolls’ when we get bored of them. All of this whilst providing better control for internet users over their data and privacy and maintaining pseudonymity or anonymity where it is useful.

What is the Online Safety Act? 

The Online Safety Act makes companies that operate social media (‘user to user’, ‘U2U’) or search services legally responsible for reducing the amount of illegal content that people see. The aim is to keep people, especially children, safe online.

Last week, Ofcom published its first consultation on implementing the requirements of the Act, giving an overview of what some of this could look like in operation.

Services in scope of the Act will be required to carry out an annual risk assessment for how likely it is that their users will encounter illegal content. To mitigate these risks, providers will need to prevent illegal content from appearing in the first place, or at least remove it quickly when it gets posted. Service providers will also need to provide ways for users to verify themselves and their age. Some U2U services need to provide users with ‘enhanced user control’ that enables them to block unverified users. Services that have a risk of child grooming need to verify the user’s age and provide default privacy settings that prevent automatic ‘friend’ suggestions of unknown people.

Illegal content (as opposed to content that is just ‘offensive’ to someone) is categorised in the OSA, with links to existing legislation that covers offline ‘real world’ harm for ‘priority offences’:

Fifteen illegal harms are identified (caused by the illegal content), including terrorism, drugs, guns, child sexual abuse, revenge porn, fraud and election interference.

Promoting things that are already offences offline is now also illegal online in the UK, as it should be.

Who is in scope of the OSA, and needs to take action? 

Ofcom’s initial analysis suggests that several thousand online service companies could fall under the scope of some of the Act’s duties, which will be determined over the next few months. In particular, the Act will oblige some companies to “…offer all adult users of the service the option to verify their identity (if identity verification is not required for access to the service)”. It goes on to say that “The verification process may be of any kind (and in particular, it need not require documentation to be provided)”.

Providers of in-scope services will be subject to the measures in the Act according to size:

  • Those with over seven million users per month are ‘Large services’
  • Those with fewer are ‘Smaller services’

Services will self-assess whether they fall into ‘low’, ‘specific’ or ‘multi’ risk categories.

What do 'in scope' services need to do?

The OSA is all about reducing the risk of harm from things that people see online. Providers of in-scope services will need to carry out a risk assessment according to the Ofcom guidelines:

  • Understand the harms
  • Assess the risk of harm
  • Decide measures, implement and record
  • Report, review and update risk assessments

Ofcom will issue ‘Codes of Practice’ (U2U, Search) with recommended measures to mitigate risks. Though this will not be mandated, it will provide ‘safe harbour’ for compliance with OSA, so will probably be adopted to reduce the risk of significant fines (£18m or 10% of global revenue). Ofcom provides a useful table to see which risk-mitigation measures apply to which size/risk combinations.

Measures will include:

  • Content moderation teams with sufficient trained resource
  • User reporting processes
  • Allow users to block others or disable comments
  • Test that algorithm changes don’t increase risks
  • Clear T&Cs

And further specific measures on child safety, fraud and terrorism content.

How to spot illegal content

The ‘Illegal Content Judgements Guidance’ (Volume 5) provides a guide to how in-scope services can identify illegal content, to swiftly remove it as the Act requires them to.

Identity is the key

At OneID, we believe that digitally verifying your identity is key to securing the internet from harms, including fraud. Identity verification provides a strong defence against bad actors getting online in the first place – and protects children from accessing illegal content. As Ofcom have said in their early guidance: “Our role is to tackle the root cause of online content that is illegal and harmful for children, by improving the systems and processes that services use to address them. Seeking systemic improvement will reduce risk at scale …”.

What’s more, we think that digital identity verification can provide a durable defence against the exponential increase in illegal content that is being further accelerated by the rapid growth of generative AI. 

Digital identity verification

Online service providers can verify identity in a frictionless yet accurate way, without damaging user experience. Unlike many other forms of attribute verification, a bank-verified data solution can prove age while withholding other personal information such as name and address. So this approach can preserve a user’s anonymity, where appropriate, and minimise the personal data that needs to be shared or held, protecting the user’s privacy.

OneID® is a UK-based fintech which is the only provider of truly digital, real-time identity and age verification services that create absolute certainty between a business and a customer, in the fastest, cheapest and safest way. It is the only UK Identity Service with access to bank-verified data to ensure that every transaction is protected by the most advanced counter-fraud measures. 

The way online identity verification typically works today is that the individual is asked to upload a photo of their passport or driving licence. But these current solutions cause considerable friction in the account setup process. They can be error-prone and time-consuming and are increasingly considered outdated. Analogue processes like this, even those that have been partly digitised through techniques like scanning of physical documents, certainly won’t work for digital natives.

Bank-verified digital identity verification is ubiquitous in many countries, such as Sweden and Norway. It is used for all online interactions, as the data sets can be set according to the risk requirement of the transaction. Here, in the case of compliance with the Online Safety Act, the data to be shared with an internet firm can be limited to “the user is over 18”, or any other age gate required by the internet firm. The exact type of data to be shared is completely under the control of the individual, who sees and consents to the data being shared by their bank on every occasion.

And why data from the banks? Banks are heavily regulated and are required to apply rigorous KYC and AML checks to verify the identity of their customers and ensure they are not criminals, terrorists or money launderers. It is thanks to this comprehensive level of checking that banks are ideally placed to support a digital identity and/or age verification service. Banks are also under constant attack by cyber-criminals and must maintain a higher IT security spend than any other sector to protect against attack. A place that needs to safely secure your money is also a place to safely secure your personal data.

About OneID®

OneID® is the only provider of truly digital, real-time identity and age verification services that create absolute certainty between a business and a customer, in the fastest, cheapest and safest way.

It is certified as a Digital Identity Service Provider, authorised by HM Government’s Department for Science, Innovation & Technology (DSIT), under their UK Digital Identity & Attributes Framework (DIATF). OneID® was also the first Orchestration Service Provider to receive certification. This allows OneID to act as a hub to connect all of the UK’s high street banks with providers and any online journey that needs customers to identify themselves.  

OneID® is also the first Scheme Owner to be certified under the DIATF for any roles. It operates a multi-sector scheme that enables bank customers to consent to safely share their bank-verified identity information. OneID® ensures that all businesses in the scheme have been properly vetted and are given a OneID® Trustmark, so that you know that the business you are dealing with is legitimate.  

OneID® is also regulated by the Financial Conduct Authority (FCA) to act as an Account Information Service Provider (AISP) under the Payment Services Regulations, 2017. This means OneID® is authorised, with customer consent, to use Open Banking infrastructure to capture personal data from banks and share this with selected parties in real time.

OneID® is certified by the Age Check Certification Scheme (ACCS) at the highest level of Strict Accuracy (99.99%).

At OneID® we welcome the Online Safety Act and stand ready to support the regulators and social media platforms in rolling out a safe and cost-effective solution for verifying that users are over 18, not bots, and are verified people.

