final logo red (RGB)

 

Communications and Digital Committee 

Corrected oral evidence: Online Safety Act: additional safety measures

Tuesday 9 September 2025

2.35 pm

 

Watch the meeting 

Members present: Baroness Keeley (The Chair); Viscount Colville of Culross; Baroness Fleet; Baroness Healy of Primrose Hill; Lord Holmes of Richmond; Lord Knight of Weymouth; Lord McNally.

Evidence Session No. 1              Heard in Public              Questions 1 - 37

 

Witnesses

I: Dr Beatriz Kira, Assistant Professor in Law, University of Sussex; Dr Bernard Keenan, Lecturer in Law, University College London; Dan Sexton, Chief Technology Officer, Internet Watch Foundation.

 

USE OF THE TRANSCRIPT

This is a corrected transcript of evidence taken in public and webcast on www.parliamentlive.tv.

 


19

 

 

Examination of witnesses

Dr Beatriz Kira, Dr Bernard Keenan and Dan Sexton.

Q1                  The Chair: Good afternoon and welcome to this meeting of the Communications and Digital Committee; it is our first public session following the summer break. My name is Baroness Barbara Keeley, and I chair the committee. I welcome our witnesses and thank them for joining us.

Today, we are focusing on the Online Safety Act, in particular the additional safety measures that Ofcom is consulting on, which would be incorporated into the existing codes of practice under the Act. Our session is being broadcast live and a transcript will be taken; our witnesses will have an opportunity to make corrections to that transcript if necessary. I start by asking our witnesses to introduce themselves, starting on my left.

Dr Bernard Keenan: I am a lecturer in law at University College London.

Dr Beatriz Kira: I am an assistant professor in law at the University of Sussex. I am very happy to be here; thank you for this invitation to provide comments on the important work that the committee is doing in scrutinising the implementation of the Online Safety Act.

Dan Sexton: I am the chief technology officer at the Internet Watch Foundation.

Q2                  The Chair: Thank you very much. As I mentioned earlier, thank you for battling the conditions to get here.

The first question is largely targeted at you, Dan. Ofcom’s consultation places significant emphasis on proactive technologies. Can you give us an overview of how those proactive technologies are currently being used and the risks and benefits of this type of content moderation?

Dan Sexton: Certainly. The IWF is one of the providers of the data of known child sexual abuse material, particularly in hash-based detection, which is the proactive detection of files based on digital fingerprints, and, more broadly, in proactive detection on content. This is running an algorithm against a file, which creates a number. You have a database of those numbers and they all relate to, in our case, images and videos of child sexual abuse. We provide that data to industry. This is what it does with that data: at the point when a file is uploaded or shared, it turns it into a number, compares it against the database and, if that number corresponds, it has found child sexual abuse and would be expected to take the appropriate actions.

This proactive technology includes at its minimum fingerprinting but it also includes perceptual fingerprinting, which is looking for near-duplicates of those images; descriptor-based tools, which are looking for similar shapes and colours and patterns in imagery; and AI classifiers, which are looking for new, unknown content that looks like child sexual abuse. At the end of that proactive workflow, there will normally be a human moderator aspect, so there is a full stack of moderation techniques that we would expect industry to use if it is a high-risk platform or a platform that enables the uploading and sharing of user-generated content.

Q3                  The Chair: Can you talk to us about hash matching? How is it used to detect terrorism and intimate image abuse content? Can you tell us anything about the barriers to implementation of hash matching?

Dan Sexton: The technology itself is agnostic to the harm type; so in terms of the technology of hash matching and how that mechanism works, it is irrelevant what the actual content is. The processes for creating those databases and assessing whether an image is of a harm type will vary based on the organisation, so I can talk about only the assessment criteria that we use where we decide whether an image is child sexual abuse.

Other organisations, such as the South West Grid for Learning and the Revenge Porn Helpline, have their own processes for ascertaining whether something is non-consensual intimate image abuse. Organisations such as Tech Against Terrorism will follow their own processes for terrorist and violent extremist content.

Regardless of those processes, once an image has been confirmed by experts as being criminal or harmful, it is then turned into this number and added to the relevant databases. From there, the mechanisms are identical regardless of the type of content that you are looking to detect.

Q4                  The Chair: There is a key question—it is always there—around what mechanisms there are to hold platforms to account for their use of proactive technologies.

Dan Sexton: At the IWF, we have more than 200 industry members that take data from us for use in the proactive detection of child sexual abuse content. However, we know that they are taking the data, but we do not know how and where they are using it, or if they are using it everywhere they should be. That tends to be within the organisations.

We have seen success in regulation regimes, such as the eSafety regulator in Australia, which publishes transparency reporting. That reporting has been incredibly useful in seeing not just what data larger platforms, in particular, are using but how they are using it, where they are using it and where they are not using it, so we have those assumptions.

Transparency reporting is an incredibly important area of going beyond They have access to the data”. Many of the larger platforms are running many different services. It is about whether they are using them across all of their services and all of the services that have a risk of harm. I would argue that regular transparency reporting is key, particularly for large platforms.

Q5                  Lord Knight of Weymouth: Can I follow up on that before moving on to the second question? I have a couple of questions for Dan. One is around where the classification of criteria are set. The thresholds for where these measures should apply are currently set at large user-to-user services, medium-risk services and user-to-user services with more than 700,000 monthly UK users. Do they have that right?

Dan Sexton: On large platforms, if there is a possibility of uploading a user-generated image, there is a risk. I am more concerned about the 700,000 UK users and the measures there. The internet knows no boundaries in that respect. We find images and videos of child sexual abuse on websites all around the world. It would be really damaging to us to see a site trading and sharing images and videos of children being sexually abused but not having to do anything because it has only 600,000 UK users or something. These seem rather arbitrary measures. It is not, in our case, about how many UK children may be victims on these sites. I am not sure whether that is the right measure in terms of which ones should and should not be doing it.

Q6                  Lord Knight of Weymouth: If the harms are illegal or harmful to children, that applies to all sites. It is just about the greyer areas, I suppose.

Dan Sexton: This is the first legislation of this kind. I was encouraged to see it as an iterative approach, so maybe that measure or threshold is not right. As long as there is openness to test that, improve it and feed back on whether it should be higher or lower, I would much rather see it in and working to start to get evidence and see how things are. Lower is better as far as we are concerned, because you should never have a place that is a safe harbour where this harmful activity can occur, but I will give Ofcom the benefit of the doubt and hope that it iterates that.

Q7                  Viscount Colville of Culross: I want to pick up on what we are talking about: transparency. I understand that you generate this number, which goes to a number of organisations. What I do not quite get is the connection between those organisations, how that is transmitted to the platforms and how you make sure the platforms take it down. Do we need further transparency codes or something to ensure that that happens?

Dan Sexton: There are two methods. We maintain the database. We have more than 3 million unique numbers, which each relate to a unique image or video of a child being sexually abused. Larger companies will download that database. Every day, they will download the 3 million numbers and use them in their own solutions. They tend to work internally. They write their own code and run their own solutions.

There are many reasons why I do not want to give a database of 3 million child sexual abuse images to a new start-up with one person. In those cases, they will be provided with a checking service so that they can check against the database without sharing the whole thing. It tends to be them taking the data and doing their own thing. This is where the transparency is important because all we see is that they downloaded today. So they can check, but where and when they are checking is outside of us. We do not see that. With the service’s checking function, you can see them checking. You see the evidence there. If someone says that they are proactively checking for child sex abuse content, if they are using a hash check service but they have not checked anything, then they are not. The transparency there is a lot easier with the smaller platforms.

That is one of the things we must remember with regulation: obviously, there is a lot of focus on the large tech platforms, including the large American onesfor good reasonbut that is not the whole of the internet. The whole of the old-style internet, which many of us do not see, tends to be where we do most of our work and find most of the images and videos of child sexual abuse. Ofcom has done a reasonable job there in generating two methods, one of which relies on the large companies offering up that information, but it is very difficult to see what happens inside those companies.

Q8                  Viscount Colville of Culross: Might there be a need to follow up on them providing information if you are worried that they are not giving all the information?

Dan Sexton: Ofcom in particular is looking at this question—certainly in our interactions with it—but how do you prove a negative? How do you prove that someone is not doing something? It is possible to do that. That is a function of ensuring that the regulation works and is not about people saying, “Yes, Im definitely doing it”, then finding out two years later that they have not been doing it or it was not working. So that is a way of verifying whether they are doing it. It is difficult with child sexual abuse, non-consensual image abuse and terrorism. The content has to be handled very sensitively. You cannot test these functions but, certainly, one of the things is to validate whether they are doing what they say they are.

Q9                  Lord Knight of Weymouth: Finallyfor now, anyway—this is well established with CSAM, and there is a good amount of confidence that these systems work well. I am interested in how well the same systems are working, and can work, for intimate image abuse, as well as how well they could work for self-harm material. We have heard in the past day or so that the Government intend to ban the sharing of self-harm material. Is that technically feasible?

Dan Sexton: Technically, yes. It is agnostic in that case. Once you have decided that a file is criminal, whether it is child sexual abuse or terrorist content or whateveror even if it is not criminalthe file should not be shared. Once you turn it into a number, it goes into the database. The key bit there is the transparency on that side around the decisions that are made to say whether an image is or is not legal. It is important for the public to have confidence in these systems. They should not be black boxes where an organisation decides what should and should not be on the internet.

This is clear from our point of view. We are very transparent. There is a very rigorous process, with a certain number of votes and a certain number of humans. We measure every image. We do not just say whether it is illegal. We say how many children, what sexual act is happening, the skin tone, the genderthere is full detail. It is not just, “This is bad. This should be taken off the internet”. I have certainly seen for other harms that, as long as there is that level of integrity and transparency, there is no reason why, once it is fed into the system, the same measures cannot be equally effective.

Q10              Lord Knight of Weymouth: In theory, algorithms could be fed that flagging through metadata or whatever, which is at a granular level in terms of what the content contains, to say that for vulnerable adults, vulnerable children or whoever with these sorts of conditions, this is inappropriate and therefore the algorithm should suppress it. Is that technically feasible even if it is not what happens?

Dan Sexton: That is outside my area of expertise as far as changing the experience for the user. I would argue that children should have child-safe experiences online, but I cannot comment on how you go about doing that technically. Certainly, detecting and blocking the sharing of images and files is technically very simple.

Q11              Lord Knight of Weymouth: If we wanted to do age-appropriate design, currently, the regime is that you are either a child or you are not, but content could be flagged as being inappropriate for those below the age of 14 if the platform knew the age of the person.

Dan Sexton: If the content is assessed in that manner, yes. The focus for us and the regulator at the moment is the content that is criminal or illegal, which should be blocked and removed. Potentially, you would be able to get to that point. The reason why the measures work with child sexual abuse is that you have 3 million unique images; that is a massive amount, but it is a tiny amount of the total number of files and images in the world. It is not desirable or necessary to have a database that has all of the images in the world in its categorisation; that is not proportionate to the harm. In this case, we do not need to know what everything else is. We just need to know the stuff we want to block; that is the important part.

Q12              Lord Knight of Weymouth: Thank you. I will move on to question 2, which is for Dr Keenan and Dr Kira. Do you think that the proposed changes to recommender systems will limit the spread of illegal content online?

Dr Beatriz Kira: That is a good question. We are reflecting here on Ofcom’s proposed additional measures, which have been made available for consultation, focusing on recommender systems. My short answer is that it is unlikely that they will address the core problem. They misdiagnosed the recommender systems and missed the mark for the solution.

Before explaining why, it may be helpful to take us back and acknowledge that I see that Ofcom is in a difficult position here in regulating recommender systems. That is because a lot of the concerns, worries and criticisms about the systems do not focus on the legality of content. Very often, people are worried about recommender systems because they recommend and amplify content that is awful but, often, lawful. As many of you know, that was removed from the scope of the Online Safety Act during its passing through Parliament, so Ofcom is left with an Act that allows it to act only within the limited scope of harmful to children or illegal content. That means it is not able to do a lot of what could be done in the systems approach to the recommender systems because it does not have that kind of leverage.

That said, there are issues that could be solved in strengthening the proposals that Ofcom currently has on the table for the recommender systems. In chapter 14 of the additional measures consultation proposals, there is a mismatch in what they are proposing and how recommender algorithms work. Briefly, Ofcom is proposing that platforms should ensure that content that is indicated as potentially being certain types of priority content is excluded from the recommendation feeds of users. That implies a two-step process where, in the first step, a platform makes a preliminary assessment of the legalityor notof a given piece of content. If it is probably illegal, it is put in some type of probational period of recommending. Then, in the second step, it assesses again the legality of the content; based on that second assessment, it decides whether it should be taken down or kept up. It is unlikely that this is how many platforms work, and I do not think it is a fair description of recommender systems.

The recommendation here from Ofcom is conflating the function of amplification with the tools of content moderation that platforms also have at their disposal. On the one hand, a recommender system is a kind of content-agnostic engagement engine. The goal of the system is to maximise engagement. It feeds you content that is more likely to engage you and keep you engaged because the business model is advertisement-based. This is the engine of amplification. Much of what these recommender systems amplify is very much legal contentcontent that many people may dislike or disagree with, but legal content.

What Ofcom is describing in the proposal is something else. Ofcom is focusing on the description of something which is demotion as a content moderation tool. The idea here is that demotion is the practice of reducing the visibilitylowering the volume and dissemination of content. This is very much content-sensitive. For demotion, you can target specific types of content. Platforms often do that. They have terms of service that tell users what type of content they reduce the volume of, what they do not recommend and what they demote. This is helpful, too, but I do not think that Ofcom is quite engaging with the problem of recommender systems here. It is very much focused on demotion.

I have some recommendations that I could share with you but I am going to pause here and give you the opportunity to ask more.

Q13              Lord Knight of Weymouth: Thank you. I am trying to follow what you are saying. On the internet, for some time, we have become used to search engine optimisation and people whose job it is to try to understand, algorithmically speaking, how things work and how to get their content up the rankings. Technically, the idea that companies play around with the algorithmto decide what content has prominence and what has less prominenceis not unfamiliar. In that respect, what Ofcom is trying to do feels logical. Certainly, when we were debating it, we were keen to see the systems work in such a way that you might have freedom of speech but you do not necessarily have the right to amplification.

Dr Beatriz Kira: I completely agree. That is exactly the goal of the measure: to reduce the spread of content that is not necessarily illegal but could be harmful. That is, unfortunately, not the focus of what Ofcom is currently proposing in the measures because the focus of the proposed measure is very much about having a preliminary assessment of whether the content is legal or not then making sure that it is legal at the second step. It is not looking at the other things.

Q14              Lord Knight of Weymouth: Is the reality of that that the technology that the tech companies would deploy would mean automation in assessing content? So it would not be humans assessing all of the huge amount of content that is being uploaded, but there might be an expectation or a requirement from Ofcom that they would have those machines programmed to flag some things so that the content might then be checked by a more sophisticated machine or, ultimately, by a human.

Dr Beatriz Kira: I completely agree. Companies have this. They are called content moderation tools. Often, they are triggered towards either taking down or keeping up content, but they could also be tweaked so that, if the machine is not 100% sure whether the content is illegal and there is a margin of error, it will precautionarily put it on probation and not recommend it. Machines do that. Algorithms can do that. Most of the larger social media platforms already have policies for that, but it does not address the core of recommender systems. They are a content moderation tool that lowers the volume of amplification, in a way.

So it is not amplifying; it is the regulation of amplification, which is very welcome. Ofcom really should acknowledge this, but this is even more useful when it comes to legal content, content that might be illegal and content that is almost illegal. Most of the content there is what I call in my research cumulatively harmful. Some types of content may not be harmful in lower doses but, when accumulated, could cause a lot of harm. We may come on to that later in our discussion. A lot of the circulated content leading up to the Southport riots falls within this category.

Q15              Lord Knight of Weymouth: I will come on to the Southport riots in a second. I want to hear from Dr Keenan. Without wanting to put words in your mouth, in direct answer to the question, “Would the proposed changes to recommender systems limit the spread of illegal content online?”, it sounds like you are saying, “They would for illegal content online, but there’s a whole bunch of questions around legal content, which is different and is of some concern. Is that a fair summary?

Dr Beatriz Kira: Exactly.

Q16              Lord Knight of Weymouth: Dr Keenan, what is your view?

Dr Bernard Keenan: First, thank you for inviting me. In principle, I completely agree with you. You put it succinctly: there is no right to be amplified on the internet, and we should not conflate that with the right to freedom of expression. The idea that you would have this kind of requirement where every platform covered by the Act would be required to have a pipeline, where something is flagged up as potentially illegal before it can be amplified, makes a lot of sense in principlethere is no general reason why I would be against itbut the issue is the grey areas. This is where we are in complete agreement, I think; everybody here will understand that issue.

In relation to chapter 9, the entire process obviously relies on automated triage. In that chapter, Ofcom sets out three broad principles that any such technology has to meet: it has to be accurate, effective and free of bias. We will have a period of experimentation, so all platforms covered by the requirement will have to test and assess this, if I read it correctly. However, those assessments will be limited to CSAM, grooming, fraud and suicide-related content and, for children, primary priority content. That is very sensible, but how this feeds through into a situation like Southport, which is completely connected, both in the committee’s questions and in Ofcom’s paper, becomes very problematic. What it indicates is that we do not yet know that those automated tools can handle political content.

Q17              Lord Knight of Weymouth: Let us move on to Southport, then. Ofcom did its own assessment. Obviously, it said that the posts around the Southport incident and subsequent events from high-profile accounts reached millions of users, demonstrating virality. I do not think that anyone would argue with that.

What Ofcom then argued is that, had the codes of practice coming into play now been in force at the time of the incident, they would have provided a firm basis for urgent engagement with services on the steps that they were taking to protect UK users from harm. I can see that that is a firm basis but, when the science committee in the other place looked at this, it concluded that, even if the Online Safety Act had been fully implemented, it would have made little difference to the spread of the misleading content that drove violence and hate in the summer of last year.

Do you agree with the science committee or do you think that, attached to what Ofcom said, there is a tone that suggests that it thinks that, if these codes of practice had been in place, it would have been all right?

Dr Bernard Keenan: The first caveat is that we are playing with questions of counter-factuals and causality. I do not think that anybody can really determine what difference it would have made.

From the perspective of civil liberties and human rights, I am pretty concerned by this thinking and the statement from Ofcom. I do not think that Ofcom is doing itself any favours by making this kind of claim. To answer your question directly, I agree with the committee in the other place on that. Riots happened before social media, and there are structural and political reasons why they erupt. The triggers are changing but saying that Ofcom could have been in a position to influence events more directly raises dangerous expectations around what this Act could do, how we might measure its success and how we might circle back to ratchet it up.

Lord Knight of Weymouth: It implies real-time interference.

Dr Bernard Keenan: Yes. It implies a form of political causality that Ofcom is in no position to assert. The potential consequence of creating that expectation is that we then ask, “Well, why is it not working? Lets clamp down further”. There is a risk here. Let me put it in another way: throughout the passage of the Act, and in all the communication we have had from Ofcom, this has rightly been described as being about systems and not about intervening on matters of content. Yet the first time there is a major political crisis in the countryor what appears to be a crisis in the country in terms of legitimacy of governmentthe first thing that happens is that Ofcom publicly comes out and says, “Were intervening”, or, “If only we could intervene, we would”. That is troubling.

Q18              Lord Knight of Weymouth: You do not think that it would lean on the crisis response protocols as being the reason why it would have been better?

Dr Bernard Keenan: There is a legitimate point in there. The capacity to require platforms to show that they have actively been assessing incitement and potential public order offencesand that they have been doing that as quickly as they can, with the help of automated toolsis fine, but I am a bit concerned about the political reading of that. We have to be very careful here because we are moving away from CSAM, grooming and fraud and into talking about politics.

Q19              Lord Knight of Weymouth: Dr Kira, do you agree with those concerns?

Dr Beatriz Kira: I agree with everything that Bernard said, but I would add that my understanding is closer to the reading of the other place. I say this not only in terms of causality and it being difficult to pinpoint specifically what led to the riots; if one was going to try to identify some of the factors, one of them could be the unfounded claims about the nationality and background of the assailant in that content. It was very inflammatory content that a lot of people shared, and its amplification could have contributed towards the riots. That is probably something with which most people would agree.

In my interpretation, a lot, if not all, of that content would not be illegal content and would not be within the Act’s definition in terms of the powers of Ofcom to act. The threshold for being considered a false communications offence under Section 179 of the Online Safety Act is that the offence requires a provider or a sender to send information that they know to be false and which intends to cause serious harm to a known audiencebut the sender has to know that the information is false. A lot of the people who shared the content were worried precisely because they thought that it was real. Their understanding of the information that they were sharing and resharing was real, not false, so they were not committing a false communications offence in that sense.

Lord Knight of Weymouth: I will stop soon.

The Chair: Yes—we need to move on.

Q20              Lord Knight of Weymouth: If someone was posting content that was incitement to riot, that would be an offence.

Dr Beatriz Kira: That could be considered an offence.

Lord Knight of Weymouth: Yes, but the algorithms are surfacing that to other people, who then share it. Is the sharing of that content an offence? Is the algorithmic action an offence in the context of incitement to riot because it is contributing towards and amplifying that incitement?

Dr Beatriz Kira: That is an excellent question. It is very difficult to attribute criminality and criminal intent to an algorithm. We could have a debate about that. Perhaps there will come a point where this is not the case any more, but at the moment, in criminal law, it is not directly attributed to the algorithm. I will stop soon so that we can move on.

A lot of this chaos and the sentiment of revolt could be caused by illegal content, but I would say that a lot was caused by content that was very much legal. Ofcom could still do very little about it. That is why the crisis response protocol proposed in chapter 20 of the additional measures also falls short, because it describes a crisis as only a moment where specific types of illegal content are being shared or amplified.

I think that we are going to see very little change. As has been mentioned, why focus on being content-specific? Why not get the perspective of systems and approaches? Why not focus the crisis on the amplification of content, regardless of it being specific types of priority illegal content?

The Chair: Thank you; that is very helpful. I am going to move on to the next question now.

Q21              Lord Holmes of Richmond: Good afternoon. I would like to take us on to the issues around live streaming. Are the measures related to live streaming moderation and user sanction likely to have a meaningful impact on the spread of illegal content?

Dr Beatriz Kira: Live streaming is probably one of the most difficult challenges from the perspective of moderation. That is because the potential for harm is in real time; how fast the content could go viral, and the difficulty in intervening on time, it is very difficult.

One potential safety by design or safety first approach to live streaming could be to make this type of content ineligible for algorithm amplification while it is live. This would add a delay in a way that would not necessarily stop anyone watching the content but would stop it popping up in the feeds of people in this amplified way. It would give the content moderation algorithms time to catch up and decide. That could potentially be a solution, but I really think that live streaming is a very difficult question to deal with.

Dr Bernard Keenan: I make limited comment on this. The way in which Ofcom has proposed to deal with this follows logically from the instructions it has been given by Parliament. The measures to protect child users, which are not quite within your question, are broadly sensible.

One point to be aware of—this is a slightly second order pointis that what Ofcom is proposing is extremely expensive. From the point of view of platforms, there is going to be a market effect. We do not quite know what that will look like, but this is one of the consistent themes with the Act: in a sense, it locks in the structure of the market that it aims to regulate, because it makes it quite expensive for competitors to come into this space. Live streaming is not really something on which I am an expert, though.

Q22              Lord Holmes of Richmond: What about this one then for Dr Keenan? How realistic is Ofcom’s emphasis on human content moderators when there is certainly a move from platforms to potentially go in the other direction?

Dr Bernard Keenan: It has been mentioned already but transparency reporting is so important in knowing what happens because I think a lot of platforms might try to circumvent that requirement for cost reasons. I am afraid I am not an expert on the internal economics of doing this but just as a broad point, it seems—and Ofcom say this—that some smaller companies may have to exit the market as a result if this is properly enforced, and it thinks that is proportionate. That is a consequence of a number of the iterations of the Act but it is certainly relevant here.

Q23              Lord Holmes of Richmond: Dr Kira, human content moderators?

Dr Beatriz Kira: We are seeing a movement of the industry precisely because of the quantity and volume of content generated and shared by users every day, moving to more automated content moderation so moving away from human moderators and using more of the classifiers and the algorithms to flag and take downor as I argued demotecontent in some circumstances. As my colleague has mentioned, the cost is a significant concern here. It is very expensive to keep human moderators and there have also been concerns in the literature about the work conditions of the people who are employed to perform this function. There are people whose job is to look at thousands and thousands of pieces of awful, often illegal, content to decide whether they are legal or violate the policies of the platforms.

In a way there is an economic driver towards more automation but also there are concerns about what we want in moving towards more human moderation in a sense. I do not necessarily see that as the solution. Perhaps for some types of content and prioritising the types of content where this extra precaution should be provided or as members of the panel mentioned before, if you think about the pipeline of content moderation having some preliminary assessment by a machine and then having a filter by a human could be a way as well. As I mentioned, live streaming is an incredibly complex area precisely because of this live element.

Q24              Lord Holmes of Richmond: Finally, Mr Sexton, what are the limitations of user sanctions and how can they be effectively enforced?

Dan Sexton: I do not know the detail of the proposal on user sanctions but we certainly see in the larger tech platforms at the moment the benefits and limitations of what they would call signal sharing. This is the ability for users to jump from platform to platform. We would very much endorse that if you have good user sanctions, if people have broken the rules, if they have committed acts, if they have shared illegal content or broken terms and conditions otherwise, there should be sanctions against them. But one of the key things there is to ensure that that data are shared with other platforms so you do not have somebody being sanctioned on one platform and immediately jumping to another one and another one. Part of that industry sharing, which is not a solved problem, will impact how effective they are at stopping that bad behaviour and also the ability for users to recreate new accounts.

Certainly if you are invested in a platform and you have spent 10 years building up your business, a user sanction is incredibly powerful and massively disruptive for that person, but for the dedicated bad actors that will create new accounts everywhere, the user sanctions will probably have a much lesser effect. It is a very important part of it but just in the context of the entire thing it needs to be put alongside the other measures of who it is targeting and how it is made to be effective.

The Chair: Over to you, Charles. You had a question which you did not get to ask earlier if you want to work that in or put it at the end.

Q25              Viscount Colville of Culross: Yes. I cannot remember what it was. I think I will just go on with the questions I was going to ask you because I cannot remember what my question was. Looking at the way that Ofcom is implementing the regulations, we have had a number of regulations now put forward but it is part of an iterative approach. If we start off with the illegal harms code and the gaps that there are, I think Dr Kira has written about her concern about the gap between the potential scale of harm and the measures the providers are expected to take to address them and that the safe harbour provision in the Act exacerbates that gap. Could you explain that for us and what could be done to try to improve that situation?

Dr Beatriz Kira: Thank you for the question. There is an understanding from Ofcom’s guidance that a platform is required—let us focus on the illegal code—to conduct a risk assessment to assess the risk that platforms are going to exacerbate or make available certain types of illegal content and then they must provide risk mitigation measures. The law itself does not require the platforms to follow one or the other measures, but Ofcom’s codes serve as, in Ofcom’s own words, a safe harbour, meaning that platforms will not be in breach of the legislation if they follow all the steps, all the measures that Ofcom is proposing in its illegal content codes. It does not mean that platforms cannot do something else. They can but from a legal risk perspective they will be much more inclined to do the measures that Ofcom propose them to do because they know they will be safe in a way if they do that.

My concern with that is that Ofcom, by doing this, crystallises a state of affairs in the measures, which is what we currently know and what currently a lot of the bigger platforms, the most powerful ones, already do. I heard Dr Keenan’s comment before that there are market forces there. These are the biggest players who already have a lot of resources and deep pockets for investing into these content moderation teams and measures and they are the ones who probably will not have to move much further away from what they are already doing because Ofcom is telling them, “If you do that and adhere to the codes of conduct you are fine, you are safe, you are compliant with the Act”.

The concern that I was expressing there is that it does not really raise the floor for what could be done, what could more proactively be done to identify new risks and new measures that could counter them, again from the systemic perspective. What incentives are platforms, especially the larger ones, going to have to really raise the floor? It is as if the measures in the code of conduct are providing a ceiling. That is why they are a safe harbour so they do not need to go beyond that, they do not need to more proactively act in what they do because Ofcom is already providing a recipe. This recipe is very much mirroring the state of affairs, which we know most of the large platforms are already doing.

Q26              Viscount Colville of Culross: Okay. I thought the whole point of the Act was that there were different categories of platforms anyway with different burdens depending on which category you were going to be, so there is inevitably a gap in the burden depending on what category you are. There is that gap built into the Act, is there not?

Dr Beatriz Kira: Yes, when the categorisation comes into force certainly there will be, but the categories are still not in force. The additional measures for category 1, 2A and 2B are not yet in force but most of the provisions of the Act apply to all regulated services. Additional provisions, for example, some of the transparency requirements and the user empowerment tools apply to category 1, which are the largest user-to-user services. In this sense the UK approach is different to the one in Europe, for example, with the Digital Services Act, where most of the more burdensome provisions fall within the very large online search engines or very large online platforms, so it is the top of the pyramid, whereas the other services are largely unregulated. They have many fewer obligations. The Online Safety Act is the opposite, so most of the duties in the Act apply to all regulated services, so all user-to-user or all search engines within the scope of the Actif you provide services to the UK or if you have a relevant UK user basewhereas a small share of the additional duties are the ones that fall to category 1 and categories 2A and 2B.

Q27              Viscount Colville of Culross: Dr Keenan, do you have anything to add to that about what could be done to improve the illegal harms code that was brought out?

Dr Bernard Keenan: I do not have anything specific. Building on what Beatriz has said, this is a quite unique piece of legislation and it does not have any legal analogue or model. With the iterative approach that Ofcom is taking, it is critically important that Parliament be involved in trying to understand at all stages what are the effects of this and not only in what the platforms are doing but how the public responds. The reason I say that is the way I understand it is that the Act requires every service to effectively interpret these codes for itself on the basis of its own self-assessed unique risk profile. What that means effectively is that we should end up, if this works as intended, with a wide range of different kinds of platforms that have a different level of tolerance for lawful speech that might approach something that looks like it could be illegal.

The idea that these codes exist as your baseline—and Beatriz wrote a very helpful paper about this invoking the idea of a bypass strategy—almost invites platforms to get away from these complex questions of inferences about the criminal law and just draw the line a little bit more narrowly, so exclude quite happily a lot of lawful speech to be compliant with the Act. That might be fine if we regard these platforms as consumer-facing products that are potentially harmful, which is the approach you have taken that these are technologies that people use, and people should expect to be safe when they use these technologies, but when you look at them as the primary forum for public debate these days it becomes a bit concerning.

I do not have a better solution in answer to your question but I think that the iterative approach and the risks of suppressing lawful speech need to be constantly assessed.

Q28              Viscount Colville of Culross: Are we seeing that lawful speech is being suppressed because platforms are erring on the side of caution?

Dr Bernard Keenan: It depends upon what you think is your starting point.

Viscount Colville of Culross: Well, the starting point surely is the set of illegal crimes that were set out in the Online Safety Act.

Dr Bernard Keenan: But it is also the case that a lot of lawful content will be suppressed unless you verify your age, so that is something that we have not really talked about today. We basically have an age-gated internet now for the UK public and some people would say that is not acceptable and I think that is a legitimate argument. That is what I mean by that.

Q29              Viscount Colville of Culross: Dan Sexton, we have been talking about the iterative approach that Ofcom is doing but there has been concern by the Molly Rose Foundation that it is very slow and that it might well be that we have had these regulations brought out, we have had the response to the regulations but nothing new is going to happen for up to 18 months sometimes. However, having just listened to Dr Keenan, he has said that you need to know what the response is going to be to the way that the regulations are being worked out and how the different platforms are responding to them and how users are responding to them before you then go further. What is your view about this iterative approach?

Dan Sexton: I agree on both counts. Certainly on child safety you look at these measures, how long it takes and at some of the victims and by the time they come out they are not children any more, it has bypassed them. There is the urgency to protect children now while harms are happening, so that precautionary principle, “We think this is bad. We should probably make sure it does not hurt people” rather than, “Let us wait until we have done enough studies and then we are sure”. How do you go back to those victims and say, “Yes, it was harmful. I am really sorry we did not do anything”?

That being said, on regulating the internet, the fact that it has taken so long emphasises the importance of getting it right, because if you get it wrong and that says, “You cannot do it” we do not want to lose another 10 years in that case. Getting it in and getting it right and getting it iterative is important, not making the wrong decisions, not ending up in a position where we end up doing all of the horrible things that people are concerned about happening.

From our point of view, what will get lost in all of that discussion is that there are still children being abused out there. That part of how you make the internet safer is comparatively easy. It is black and white. I do not want to end up where people are not stopping the sharing of child sexual abuse because of an incorrect algorithm that suppresses speech somewhere else. Bundling it all together, if there was something we would like to see, is just get the stuff that is very clear and works out and working first. I do not want to lose that part of it and those children be suppressed because of the other, greyer, more difficult areas. As much as I would like to do everything for everyone, I think the iterative approach is correct.

We are nearly 30 years old now, so we are older than Google. We have been doing this for a long time and now we are starting to see regulation come in. It is not a new problem. It is getting worse. I would like to be able to say that the regulations that have come in have made things better but we are at that point where we need to have that evidence to show that and the evidence will build confidence. It will build confidence not just in the UK but in Europe, America. Everyone is looking at us and asking if it is going to work. If we get it wrong it could set back regulation for years, so we do not want to wait and say, “Let us have another go in a decade”.

Q30              Viscount Colville of Culross: This is a totally separate question but it is something that I am concerned about because it has arisen as a result of the age verification regulations. We have been told that hundreds of thousands of children are getting around the age verification by doing things such as going on VPNs. Is there anything that we can do to try to stop children going on to VPNs or would the censure of VPNs have an enormously adverse effect across the whole of the internet?

Dan Sexton: I am not sure where the evidence is that children are using VPNs. In this case if adult men in the UK are using VPNs to access pornography that is fine, because that is not the people that the age verification is designed to stop. If children are using VPNs to bypass, that is bad because that has not worked and they are accessing pornography, but if it stops half the children, that is half the children who were viewing pornography that are now not, and that is good. VPNs are not the reason to throw out age verification. All a VPN does, and the VPN is not really the point, is to allow you to appear as if you come from a different country. In this case it is the failure of other countries to not protect children. It is not okay in France or Hungary or America for those children to be able to view pornography. The damage to them is no different to the damage in the UK. We have done it first and it seems a problem but if other countries also prevented pornography being viewed by children the VPN would not help.

Q31              Viscount Colville of Culross: This is a technology question. Would it be possible to stop children going on to VPNs pretending their location is in Italy?

Dan Sexton: Technically, yes. It is exactly the same approach you have taken to a platform that has to verify the age before you are allowed in. The VPN providers could also ask to verify the age before they are allowed in and then VPNs are only being used by adults and therefore children cannot use them. Technically you would simply apply the same mechanisms. None of these things are perfectpeople get round thingsbut the difference between a 17 year-old getting round age verification and a nine year-old stumbling on pornography is vastly different. It is not to put them all in the same bucket there.

Q32              Viscount Colville of Culross: I imagine that most of the VPNs are located abroad, so would it be possible to impose those age verification requirements?

Dan Sexton: If you looked at where they are getting access. If you went by the question of if we believe that children are using VPNs to access pornography online specifically and understanding which VPN they are using, how they are getting access to them—are they via an app store, are they a browser plug-in—you could look at how you introduce friction to reduce the chance of that happening without potentially breaking legitimate uses of it. I think just as the right age verification makes it harder for children, you could also make it harder for children to access VPNs. On an app store, if that tackles 70% of the cases, you are already making it smaller and smaller. Just like children might use fake IDs for 17 year-olds to enter bars and things, they are not the ones you are trying to protect. Really it is the child on the bus to school at age 11 who is being protected.

There is a lot of amplification and a lot of discussion but what is the evidence here? Who is being targeted? Then it is having the right intervention there and not just throwing the whole thing out because lots of people downloaded a VPN in one week.

The Chair: Veronica, you still had a point.

Q33              Baroness Fleet: Thank you, Dr Keenan, for what you were saying about raising the age verification because that is a huge issue. Are you satisfied that the measures in place at the moment are working? Put aside VPNs because in a way that is very important but slightly different. Do you think for those children who are not trying to use VPNs that the age verification is working or do you think it is very difficult to keep pace with changes that might be coming down the line before any further action can be taken by Ofcom?

Dr Bernard Keenan: It is a great question but I have no insight into that because there is no evidence at this point. It is something I am definitely interested in tracking. I look forward to the transparency reports that might give us some insights into this. I will not raise another point.

Baroness Fleet: No, go on, because I think it is on the mind of a lot of people who are not involved in the industry but are very aware of it.

Dr Bernard Keenan: Yes. I think that it is a potentially larger set of questions but one of the things about this Act is that age verification has been legislated for according to a very abstract set of principles with very little sense of who is going to provide it and under what conditions. It is not surprising to me that the public has very little trust in the verification mechanisms that they are suddenly being presented with and I think that is a procedural failing, in a sense. This is something that is a major cultural shift and by introducing it so suddenly we have ended up with a cultural response which is, “I am going to get around this” rather than, “Okay, I may have to verify my age to use the internet the way I did yesterday but I know that I can do that in a way that protects my privacy and will not associate me with the things that I am then browsing”, which is the whole point of encrypting your signal.

Q34              Baroness Fleet: Dr Kira, do you have any insight into this or is your answer similar, and likewise Dan?

Dr Beatriz Kira: My answer is very similar. I would double down on the point about transparency, the transparency report and how Ofcom uses the transparency notice powers under section 77 of the Act. I think it is incredibly important to gather the evidence that is necessary to understand who is circumventing, what type of technologies are working, if it is targeting the right people, if it is at the end of the day achieving the goal of protecting people, children on the one hand, whereas still protecting fundamental rights such as privacy and freedom of expression, which are also part of the Act.

Q35              Baroness Fleet: But who is going to provide that evidence? Is Ofcom going to do the research? Where is that evidence going to come from, because it is not going to come from the tech companies, is it?

Dr Beatriz Kira: There is a good piece of recent news, which is the approval of the Data (Use and Access) Act that received Royal Assent in June, I think. There is now a new provision in the Online Safety Act when it comes into force, section 154A, which requires a platform to give access to researchers for the data, so in that way it will be easier to scrutinise them. It will still be a lot of effort. We, as researchers and the academic community, need more funding and more time to do all the work that is necessary to review the evidence and platforms need to be forthcoming in sharing it, but I do not think Ofcom needs to do that by themselves. Ofcom is an important player here in requiring this information through the transparency reports but providing access to data to a wider set of researchers will open the possibility for more people to engage with the data and create evidence that would help to answer some of these questions, which I think are important and we should be looking at them.

Q36              Baroness Fleet: Is there anything you want to add?

Dan Sexton: I probably agree with my colleagues here. It is early days. I do not think it is sudden. Age verification for pornography providers was supposed to happen before the OSA started, so it has been delayed and delayed. I agree that it is a culture shift because people are used to being able to do anything they want online and there is a weird parallel that things you would never be able to do in the real world are okay to do online. Seeing those worlds come together is a culture shock because it has been 30 years of an internet with very little control there. I am not surprised. I am hoping some of this will die down and we will get to sift through a lot of the reports and understand what the real impact is and iterate it as well and make sure they are positive impacts and as much as we can mitigate the negative ones.

The Chair: Thank you. We are right on our time I think but Jim still had a little question.

Q37              Lord Knight of Weymouth: It is a very quick one, and it is probably for Dan, again on the VPN issue. Some VPN providers reported an 1,800% spike in downloads when the age verification came in. The Children’s Commissioner clearly thinks that there is a problem for children. I am a VPN user to protect my data and phone when I am using public wifi. When I am abroad if I want to watch sport, it knows I am using a VPN. Do you think Ofcom should work harder with regulator platforms around using the same technology that sports broadcasters use to prevent VPNs being used to circumnavigate age verification processes?

Dan Sexton: You are correct and I believe Ofcom are aware of this and have said that it is robust age verification, so if you allow or encourage—and there are some sites that have actively encouraged, “Please use a VPN to access our services”. You are right, the sites know that. Where you place the intervention and the friction is a case of, as I said, if it is adults in the UK using VPNs there is nothing wrong with that. There is nothing wrong with those adults accessing pornography. It is legal and it is absolutely fine to do it.

I think we must go back to the core purpose of why we are doing it and ensure that is successful and try to reduce any collateral damage as much as possible everywhere else. That might be, to go back to the VPN providers, the app stores themselves not providing their services to children, but you can also look at how, particularly those services, they know if people are using VPNs or not. There are mechanisms in place for the streaming services and others. There are known workarounds to get better pricing or access content and they fix those problems because there is a market incentive for them to do so. You could potentially argue with some of the other services that the marketing incentive is the other way round.

The Chair: Thank you. We are a couple of minutes over, but thank you very much for your time today and being with us. It has really helped us on examining those additional safety measures and Ofcom’s approach. We move on next week to look at further protections for children with civil society organisations. Thank you very much for your time today.