The "user verification duty": five questions as the government prepares to publish its revised Bill
The announcement from DCMS, on 25 Feb, that a revised Online Safety Bill will contain a “user verification duty”, was extremely welcome. It's to be expected at this stage, however, that we have some outstanding questions about the details. So far, we have identified five significant areas where more detail is needed, and where it is crucial that the detail is got right:
1. Will enough platforms be in scope? The announcement says the new duty will apply just to "Category 1" platforms. In the original OSB this was defined as the very largest services by number of users, with the precise threshold left to secondary legislation. The Antisemitism Policy Trust, amongst others, has raised the concern that this could leave smaller platforms, where anonymity is nonetheless misused to cause significant harm, outside the duty’s scope. The government has hinted that Category 1 might be revised so that it takes account of the level of risk as well as numbers of users. This could mitigate these concerns, but has not as yet been confirmed. Our starting point will be that this simple principle of giving users these additional choices around verification should apply to all platforms. 2. Will verification be sufficiently rigorous? The announcement suggests that Ofcom will be tasked with setting out “the verification options companies could use” through guidance, which would be produced once the legislation is passed. However, it offers some illustrative examples, which could raise concerns. For example, “two-factor authentication where a platform sends a prompt to a user’s mobile number” is mentioned, but this would not provide any verification of a user’s name and would not even guarantee “traceability” given the ease with which “burner” phone numbers can be acquired, or “phone verified” social media accounts bought in bulk online. The revised Bill will need to clearly task Ofcom with setting minimum standards for verification processes, and that should include minimum standards of efficacy (as well as minimum standards for privacy and security, ease of use, and accessibility for vulnerable users). Such minimum standards would need to be kept under review - to allow for regular updates for example if a form of verification proved to be too easily circumvented, or technological change meant new options emerged. Essentially, we will likely need a working group on verification, and civil society organisations need to be part of that. 3. What attributes of a user’s identity will they be given the option to verify, and to whom will this be visible? The announcement notes that “The vast majority of social networks used in the UK do not require people to share any personal details about themselves - they are able to identify themselves by a nickname, alias or other term not linked to a legal identity.” However the announcement is less specific about details of the new regime - including at a minimum what attributes (e.g. Real person? Real name? Real profile picture? Real location?) a user should be able to verify; what functionalities should be reserved for those with a “verified identity” under the new regime; and to whom their verified information should be visible (just the platform? All verified users? All users?). For the “user verification duty” to fulfil its potential, as a minimum all platforms within its scope should be required to offer their users an option to verify their real name, in a way which is visible to other users. This should be made clear in the primary legislation. We’d suggest that Ofcom should be required to insist that platforms also offer users other options, such as verifying that a user operating under a pseudonym is a “real person based in the UK”, but this is detail which could be left to Ofcom to set out in its guidance. 4. How will Ofcom ensure the new duty works for “vulnerable users”? The announcement includes welcome commitments to require Ofcom to consider accessibility for vulnerable users, and to consult with vulnerable users. However, the details will be very important here. We’d suggest that the primary legislation makes clear that Ofcom must use a definition of “vulnerable users” which includes all those with protected characteristics under the Equality Act, and that Ofcom be required to set out a minimum standard for accessibility of verification features which all platforms must meet 5. Will users be given a choice of how they verify, and of verification provider? There would be potential downsides to the companies that own the largest platforms (i.e Meta, Google, Twitter, Bytedance) developing their own, in-house verification processes and making them the only option for users wishing to verify on their platform. Some users may have reservations about sharing yet more personal data with these companies. Users of multiple social media platforms may find it inconvenient, or confusing, to be required to go through multiple, different, verification processes on different platforms in order to achieve the same outcome of confirming their real name. There is a risk of the largest platforms seeking to leverage their dominance of social media to capture the market for ID verification services, raising competition concerns. Frankly we see no alternative to Ofcom ensuring that platforms accept verification from third-party providers who meet minimum standards requirements. End-users of any given platform could have a choice of provider and verification method, then subsequently be able to use the same third party to verify on a range of platforms. The details of how Ofcom could promote third party provision and interoperability, would be for Ofcom to set in guidance, perhaps in collaboration with the Digital Markets Unit, but a top-level commitment to the principle of giving users a choice of verification provider may be better included in the primary legislation.
We hope that some of these questions may be at least partially answered when the revised Bill is published. Others may require further effort to beef up the primary legislation over the coming months. There certainly also needs to be ongoing engagement with Ofcom on the detail of the guidance. In any case, it is welcome progress for the conversation to have moved on from a debate about whether or not to address anonymity, to ensuring new measures in the Online Safety Bill are as finely-tuned as possible.