First of all, a massive thank you to everyone who donated since our last post. Our income on Liberapay has roughly quadrupled from what it was before the post. We have also had people reach out to us for large one-time monetary and hardware donations. Your support is truly appreciated!
And now for a followup from our last post. TL;DR: the legal firm we’ve engaged has sent us a memo indicating that in their opinion we can reasonably argue we do not have sufficient links to the UK for the Online Safety Act to be applicable to us. They also believe we would be at low risk of attempted enforcement action even if Ofcom does consider us to be in-scope for the OSA. We will continue to ensure that this is the case by keeping internal estimates of our UK user base and by continuing with our current efforts to keep Libera.Chat reasonably safe. We have no plans to institute any ID requirements for the forseeable future.
If that’s all you wanted to know, then feel free to stop here. However, we feel it’s in the best interest of online communities like ours for us to summarise the advice we were given in hopes that it will be useful to others. This is not legal advice from us to you. This advice was provided to Libera Chat as an assessment of our specific case. We accept no responsibility if you decide to apply advice given to us to your own online service.
Why does this even matter?
You might be asking why we’ve even bothered to get legal advice on this matter. Libera Chat (the non-profit that runs the Libera.Chat IRC network) is based in Sweden. Our bank is Swedish, and we do not rely on any UK-based payment providers. We have a few servers in the UK, but they can be migrated on short notice. In other words, the British government has relatively little authority over us. The most damaging action they can reasonably take is to instruct internet service providers in the UK to deny access to us.
Relatedly, some online communities have decided that they want to minimise the authority the British government has over them. In response to critical analyses of the OSA pointing out its potential for regulatory overreach, some online communities have taken the understandable precaution of entirely blocking access from known UK IP addresses, thus cutting off any reasonable argument that they somehow have links to the UK (more on that later).
The end result is the same: a denial of service to people in the UK solely because of the country they live in. It’s not an insurmountable barrier to access in either case, but it shouldn’t be necessary for individuals in the UK to look into censorship-defeating proxies just to engage with free software developers and peer-directed projects that choose to have a community on our IRC network. It doesn’t serve our users, it doesn’t serve our communities, and it doesn’t serve the UK open source movement. Therefore, it’s in everyone’s best interest for us look into what’s necessary to keep things from getting to the point where users in the UK cannot access Libera.Chat, and that means getting guidance on the OSA.
Who does the OSA apply to?
As the OSA is fairly vague in its definitions, Ofcom has significant latitude in deciding where the thresholds are for whether an organisation meets certain criteria or not. Ofcom also hasn’t been forthcoming with its opinions on where those thresholds are, so there are relatively few hard guarantees about the applicability of the OSA. Still, there is a strong argument that while we definitely meet one of the criteria for the OSA to apply to us, we do not meet the other.
The OSA applies to online service providers that provide a regulated service and have links to the UK. We unarguably provide a regulated service because Libera.Chat is a so-called U2U service, i.e. it “allows ‘user-generated content’ to be encountered by another user of the service”. This is an incredibly broad class of services. Some exceptions are made for user content that is posted in relation to service content (e.g. the comment section of a blog) and a few other service types, but none of them reasonably apply to us. Every chat service, forum, federated social media server, or code forge counts as a regulated service, and therefore meets one of the criteria for the OSA to apply to them.
So be it. What about our links to the UK? To quote the memo:
An online service provider has “links to the UK” for the purposes of the OSA if any one or more of the following apply:
- the service has a “significant number of UK users”
- UK users form a “target market” of the service; or
- the service is capable of being used by individuals in the UK, and there are reasonable grounds to believe that there is a material risk of significant harm to individuals in the UK presented by the content generated by the service.
One factor that does not automatically give us links to the UK is the fact that we have staff members in the UK. Curiously, employees of the service provider who do not engage with that service as users are actually excluded for the purposes of determining whether a service has a “significant number of UK users”. Our staffers are also users, but our UK staffers make up an insignificant portion of our user base.
Speaking of which, the memo implies that “significance” in this context is interpreted as being relative to the population of the UK, not relative to the user base of the service. We have seen risk assessments that take the other interpretation and consider their UK user base to be “significant” because it makes up a large portion of their overall user base, but the advice we received suggests we should not use this interpretation. The exact fraction of the UK’s online population that must use a given service to be considered “significant” is unknown, but based on our counsel’s observations of Ofcom’s previous regulatory actions, it appears to be much higher than our internal estimates of how large our UK user base is.
The “target market” criterion is meant to capture services with a low number of UK users that target the UK specifically. While our target market (people interested in using an IRC-based platform for discussing free software or other peer-directed projects) is inclusive of UK users, it isn’t specifically for them. Our network is predominantly English-speaking, but we do not promote, direct, or tailor our service to UK users in particular.
Finally, there is no atypical material risk of significant harm to individuals in the UK presented by the messages on Libera.Chat. We block spam and client exploits. We are proactive in ensuring that our network’s acceptable use policy is upheld. We do not tolerate incitement to violence, doxxing, or defamation. And finally, we do not provide file hosting that can be used to distribute pornographic or sexual abuse media, though when we sought legal advice from the firm, we acknowledged the existence of DCC as a commonly-supported mechanism for transferring files using an IRC network to establish a peer-to-peer connection.
In the coming weeks, we will be finalising a statement similar to this risk assessment that we can provide to Ofcom should we ever be contacted by them about the OSA.
What if the OSA does apply to us?
While it is our opinion that the OSA does not apply to us, Ofcom might disagree, and appealing that disagreement would likely involve further legal expenses. So, what is the risk that Ofcom would decide to try to impose fines or other regulatory penalties on us?
For the time being, services like ours do not appear to be Ofcom’s priority. Currently, according to our legal sources, the focus appears to be file and image hosts that are at high risk of being used to transmit sexually-explicit depictions of minors. IRC has been used as a way to facilitate piracy, but those days are generally in the past thanks to more attractive options. Even if they weren’t, using Libera.Chat for this purpose is risky. We prefer to exercise the minimum power necessary to keep the network clean, but that doesn’t mean we don’t have the tools necessary to proactively stop the network from being used for piracy or CSAM distribution.
We have also been reassured that Ofcom is very likely to contact us with concerns before attempting any sort of action against us. There are some classes of concerns that we would certainly be willing to hear out, and we do prefer a constructive approach to problem resolution where possible. We’re confident that there isn’t anything for them to be reasonably concerned about, but we are willing to engage with good-faith reports of potential abuse of our service.
Will Libera.Chat ever require my ID?
We have no plans to require users to provide us with proof of identity and will take every reasonable measure to avoid requiring it. The justification for us to compromise the privacy of our users given the content we forbid on Libera.Chat is not adequate, and the risk of material harm should an identity verification mechanism compromise our users’ privacy far outweighs the plausible harms caused by not having such a system. Such violations of privacy aren’t hypothetical; another chat platform recently was affected by a data breach that potentially exposed the legal identities of tens of thousands of its users.
That said, it’s conceivable that legislation will be created that could apply to us and could force us to identify or spy on our users. If that happens, we will evaluate our options once drafts of such legislation reach a point where they can conceivably pass. Until then, we hope that the general public will remain vocally opposed to such attempts at overreach. Popular opposition stalled Chat Control earlier this month. There will probably always be efforts to compromise the free internet, but their success is not inevitable.