Hey folks,
The UK’s Online Safety Act is scheduled to take effect on March 16, 2025. Lobsters can’t comply with it and needs your help to avoid having to geoblock the UK.
The Online Safety Act regulates most sites where users can interact with each other. The law explicitly claims authority over all forums with visitors located in the UK, regardless of where they’re hosted or the nationality of their owners.
As a practical matter, Lobsters can’t comply. The OSA is written for commercial sites far bigger than this non-commercial, hobbyist forum. The regulator’s statements include many long, cross-referenced legalese documents (an incomplete sample, because I can’t find a directory): 1 2 3 4 5. Sites are required to produce lengthy documentation about their features, practices, and risks - both up-front and as they moderate. Attempting to understand which sections apply and how to comply would be a huge project. Doing so correctly would require legal advice we can’t afford. The cost in time and money to implement the bureaucratic processes it demands also outstrips a hobbyist forum.
There’s also an ideological matter, that Lobsters is not a UK entity or operated in its jurisdiction. The OSA isn’t written to directly regulate the UK’s occupants, it exerts authority over non-UK maintainers of sites that UK occupants read. Even if the OSA was proportionate and reasonable, complying would encourage every jurisdiction to write similarly broad laws.
The OSA’s civil penalties run up to $22 million USD, and it also includes criminal penalties. While poor and despotic countries have written laws to curtail freedom of speech internationally online (usually a broadly over-enforced “no criticizing the rulers”), as a practical matter those have been vanishingly unlikely to be enforced against Western citizens. Because the UK is wealthy, powerful, and threatening large penalties, I can’t ignore the risk that the UK attempts to enforce the law against Lobsters, perhaps to make a political point against American Big Tech as promised by the regulator.
So the current, bad plan is that Lobsters will geoblock the UK before the law takes effect on March 16. While the inaccuracy of IP databases and availability of VPNs mean that this can’t be perfectly accurate, unambiguously blocking UK occupants as effectively as we can is the only course I see to substantially reduce the risk the OSA is enforced against the site.
UK users, we need you to please help improve this situation. You have the local knowledge and political representation needed to address the OSA. I can see a couple courses of action that would sufficiently mitigate the risk:
I’m reaching out to people I know who also run sites that will be affected by the OSA, in and out of the UK, to ask how they’re handling this. I’m also reaching out to organizations that focus on online rights like the EFF and ORG. I’ll post updates in the comments below so this story will be the best single resource to watch for news.
There’s more background info and thoughts in the story on LFGSS shutting down, previous and today’s office hours streams, which include searchable transcripts.
There are a lot of distracting off-topic rabbit holes here like recent political events, international diplomacy, defining “free speech”, pretending to practice UK law, and many more - please do try to stay focused on the existential problem at hand.
Thanks for your help,
I’m now a bit unhappy that I did actually read the documents last time this came up, but didn’t write down my off-the-cuff assessment. For context, I’ve done some GDPR-Compliance related stuff before.
The first thing to look for in those documents is the thresholds and IIRC, lobste.rs is below all thresholds. Below those, a lot of things become relatively tame or already exist. E.g. you need to have a content policy (lobste.rs has one) and you need to present that you can remove illegal content on need. All of those exist.
It’s similar to the GDPR: a lot of the things look daunting until you figure out that you’re actually out of scope.
All that being said, no one is helped with 5 40 page PDFs for running an international service, so I would totally understand if you just blocked the UK.
I did a quick review as a refresher. This is the most important document for you: https://www.ofcom.org.uk/siteassets/resources/documents/online-safety/information-for-industry/illegal-harms/illegal-content-codes-of-practice-for-user-to-user-services.pdf?v=387711
Note that “recommended” does not mean all of them need to be implemented. However, at a quick glance, lobste.rs is neither a large service, nor a multi-risk service (none of the content deemed a risk is discussed here), so a lot of the heavy-hitters do not apply. We do have a content policy, and we do have a legally responsible person and a path to report illegal content. There’s no need for documenting all this at a higher level.
I thought so as well, having worked for a MEP. Well, I’ve started to read the actual law and OH MY GOD, what a mess! Are all UK laws written in this impenetrable style? With multiple levels of outlining and gotos that criss-cross the document?
GDPR can be read and grokked in a day. But this?
Like this for instance:
Why the hell do you include (1) if you scope (2) to (4) appropriately anyway? Was it an actual intention to make this into as long a read as possible? Was the author paid by the word?
Oh god, kill me now. Yes, captain obvious, that’s what legislation is supposed to do. I am holding my breath, I am literally reading the law here, the suspense is killing me, do tell, what are the duties of various kinds of search service providers?
Another GOTO? Are you kidding me?
I give up, just block UK.
Writing laws like this is a post-Brexit cottage industry, and ensures the perpetual employment of both civil servants and lawyers.
Ah, because they are not spending their time harmonizing, they must do something. I understand. Sigh.
Speaking of the GDPR, there’s surprisingly little online furor over the OSA compared to the frankly almost hysterical coverage of the GDPR back in the day.
For instance, if lobste.rs is in scope, then HN is, and I don’t think they’re gonna take any action blocking UK users. But I might be wrong.
The fediverse also seems to be shrugging off the OSA, even if many instances probably are in scope.
TBH, I’m a fan of the GDPR. Having run affected web services for years, GDPR was mainly a slap on the wrist e.g. to providers that (already illegally) didn’t practice double-opt-in for mailing list. GDPR was a massive “we’ve had it, there’s fines now, and we note down the best practice here”. Like, a lot of the stuff the GDPR bans were already illegal, but all the large services ignored it, because the laws were toothless.
So people who were already quite conscious around privacy, which most self-hosters are, were pretty fine. Also, there are clear indicators in the GDPR that it should be easy to comply with for small services and the first reaction is a stern warning.
The OSA documents are hard to track and even finding the definitions of what a large service is always takes me 5 minutes, because it’s hidden somewhere.
To be honest I think a lot of the furor was from online marketers who saw a credible dent appearing in their cash flow and who tried to astroturf some opposition in the US. Even now the maliciously compliant “accept all cookie” banners are being blamed on the EU, not on the advertisers who implement them.
I rather think those banners are maliciously noncompliant.
“Do not obey in advance”. It’s highly unlikely that you’ll ever hear anything about it, but even if you did, it would be something like a cease and desist letter. You can decide then what to do about it.
The general consensus in my professional network, even reaching up to EU SMEs (!), is to just geoblock the UK given the costs to reach compliance are usually much higher than any business brought in by possible UK customers. This is also in light of other impending UK legislation.
I would also do the same here in this case, if I were you @pushcx. This is a community of tech-literate people who know how to get a VPN. At the same time, the (slight) inconvenience is a constant reminder of this overbearing legislation for all UK visitors, and it might have a stronger effect on the situation than we could imagine.
It shocks me time and time again how much of a postmodern cyberpunk surveillance- and police-state the UK has become. The UK’s people seem to be content with this development given they voted for it, so who am I to judge? Fortunately I don’t have to live there.
Realistically, is this going to affect us? Lobste.rs and most other small web forums are small and unlikely to be on the radar of regulators. If you’re doing best-effort moderation already to avoid illegal content (i.e. what you’re doing now), I think it’s unlikely you would get on said radar. In the event you somehow do piss them off, I suspect organizations like the EFF would be rallying around you and willing to help then.
Sure, but if it were me running the site, “unlikely” and “we suspect” wouldn’t be enough certainty to put my future on the line for a hobby.
Pretty much this. The UK is threatening enormous fines and jail time because it wants the law to be taken seriously. This is what taking the OSA seriously looks like absent the resources of one of the huge businesses it was written for.
I agree, while a lot of people - software engineers specifically - I know don’t even know about lobsters, you’re still exposed.
On topic - I’m curious why you include “commitment by American government that they’ll offer protection”?
I thought both American and UK governments (among others, of course) have been acting crazily enough lately that I didn’t think this would be applicable. As a few examples, I thought your govt wants to leave the WHO and has been on-again-off-again about the Paris climate agreement - they don’t seem like either willing to deal with international affairs that much, or are not stable in that dealing.
I understand having a commitment from ACLU or EFF to defend you, but other than an explicit law that protects you, it doesn’t seem like any “commitment” would be reliable. Maybe I’m just misunderstanding the context in which this would work.
Edit: to clarify, I’m asking what that commitment needs to look like.
But the UK has zero jurisdiction. What are they gonna do? Send you a fine and beg you to pay it? Straight to the shredder.
Even if there’s no legal recourse, it’s understandable that pushcx, and the other maintainers, are not willing to scratch off UK as a place they can ever visit.
IANAL, but it does look like the UK and US have at least some extradition treaties in place.
Send it to your bank, which needs to be able to route orders in GBP through London, and get it applied anyway.
There’s been a mailing list set up to gather information and try to get set up to lobby Ofcom: https://buttondown.com/indie-and-community-web-compliance-
I’d be sad but very much understand if you just decided it was all too much and went through with the geo-block :( Ludicrously badly implemented legislation :(
I love this site and I’ll be sad to only be able to access it over VPN, but I can fully understand your need to avoid this (amongst many) post-Brexit idiot UK laws.
On a meta note, might be a good time for people to share articles about VPNs and their care and hosting.
FWIW, while https://russ.garrett.co.uk/2024/12/17/online-safety-act-guide/ is not legal advice or written by a lawyer, the author has spent enough time navigating legal bullshit that I trust what they’ve said there. It sounds like the requirements for a small site boil down to doing a risk assessment and writing some policy boilerplate. While I’m sure the average legal department would have a different opinion, generally non-lawyers are able to write these documents, and making a good-faith effort to comply is almost certainly sufficient in the first instance. I know of some fairly consequential projects (in the sense that real money was at stake) with non-trivial UK compliance requirements that have succeeded on the back of nothing more than documentation written by reasonably competent lay people. Can I suggest writing the requisite pseudo-legal stuff, possibly having them nitpicked by an actual lawyer, and seeing if that’s enough?
I will write to my MP about this, but I personally don’t think any of your bullet points is particularly likely to happen. I would be happy to contribute a bit of money to pay a lawyer to review some documentation and say they think you’re in compliance, though, which seems much more achievable if somewhat weaker.
Condolences and heartfelt thanks to the crustaceans involved in wrestling with this. It’s never easy, either logistically or emotionally.
New Scientist wrote a short article a few weeks ago https://www.newscientist.com/article/2461213-hundreds-of-small-websites-may-shut-down-due-to-uks-online-safety-act/ the key takeaway for me is this quote from Russ Garrett:
In a previous article from 2023: UK’s Online Safety Bill to become law, but can it be enforced? the most damning paragraph for me is:
The act requires that websites have policies in place to protect people from “harmful” or illegal content while being entirely vague as to what that means, what counts as “harmful” appears to have been kept intentionally vague so as to become anything the prosecutor wants it to be.
It genuinely feels as though this is the Thought Police Act.
Are you going to comply with rules of Islamic state or a communist regime somewhere on the planet? Compliance with laws of every state is impossible because they contain mutually exclusive requirements. If some state wants to „protect“ its citizens, this state should block a website (and not that the website will block a state).
However, if you are really afraid that they will attack you, just block UK – instead of this website, show them a warning that they are living in a wicked regime and that they should change it. People will use VPN/proxy/Tor/etc. or maybe try to fix the regime.
I can’t read that commit, it’s simply serving a 404 page from GH.
Anyway, rather than geoblock the whole site, would it not simply be sufficient to geoblock logins from UK users?
That way folks in the UK (or similarly other restrictive regimes (possibly all of EU if Chat Control V2 passes)) would simply be able to read the site like any other generic web page. i.e. read it, read the discussions by others, but not interact with folks directly on or via the site.
It would be nice if sites like Lobsters could advertise at a protocol level that they don’t comply with XYZ legislation, and have the onus be on UK ISPs to block sites that don’t comply. That way the ball would be back in the court of large industry players (the ISPs) who have an incentive to not block large swaths of the internet. And/or the UK gov would look ridiculous for blocking the majority of the internet.
There are also small ISPs whose executives won’t want to be on the receiving end of a 20 million fine or personal criminal liability.
That indeed sucks, but in general it’s untenable for anyone running a website to be liable to the laws of every country in the world simultaneously. If you start to try to comply with some, then at what point do you stop digging into each country’s legislation to check if you’re going to be liable for something?
This might also apply to anybody using IRC for service status/support: our ISP (Andrews & Arnold, AAISP) does this.
Surely somebody’s boilerplated something for this? Try reaching out to an established platform like CIX or A&A asking for fraternal assistance: at the very least it might be possible to split the admin/legal load.
I hang out vaguely in the right spaces, and as far as I can tell nobody yet considers that Ofcom have given anywhere near enough information about how they intend to interpret the law to allow much actual action :( There’s a vague sense Ofcom might produce some more detail before the go live date, but they don’t exactly have a great efficiency track record :(
Sorry to hear this. I will write to my MP.
I have absolutely no idea how much this is, because the UK does not operate with USD.
This is about £17.5 million GBP. Upon googling it appears the maximum fine is £18 million.
Remember: You can write to your MP to oppose laws, this is a rather effective method I have found (well, at least my MP is effective at reading my emails and talking about it in parliament) https://www.parliament.uk/get-involved/contact-an-mp-or-lord/contact-your-mp/
This is classic rehashed New Labour technically-illiterate authoritarianism. It’ll get watered down repeatedly as it goes through parliament, and when it finally gets to implementation, they’ll realise it’s mostly unenforceable and abandon it. Bet you 50p ;)