
Comment by wizzwizz4

7 months ago

This is Ofcom, not the ICO; and stuff like "flood the site with child abuse material" (not in your risk assessment, why would it be? this is a public forum about cycling and nobody's ever done that before) and try to get you prosecuted for not having adequate protections in place.

Their examples of it being right to say you're low risk have a key part about it not happening before. Medium risk example had "has had warnings of CSAM being shared before from international organisations and has no way of spotting it happening again".

You don't have to stop everything happening to comply.

So is the scenario you're picturing that someone spams child porn, complains you don't stop it and makes you add a URL filter? Would you do something different if someone was spamming CSAM anyway?

  • Someone spams CSAM on the site. You report it to CEOP, as every forum mod knows to do (though most have never needed to do), and Ofcom let you off with a warning – but you're no longer low-risk, so there's a lot more paperwork.

    Now someone copy-pastes the doxx of members of the military from a leaked Pastebin – something you have no practical way of detecting – and it's not your first strike, and there's some public attention and someone decides they need an Example, so now you're getting scary letters about potential criminal charges.

    You don't hear anything about those charges, so you assume things are okay. But now someone's claiming to be the parent of one of your users, who hasn't been around for a while. They claim the user was 17, has tragically died, and you don't have a policy about giving parents access to information about this user's activity (but they claim it's a TTRPG forum, which is a children's game, so 35(1)(3)(b) says you should have had a children's access assessment), and they claim they can prove they're the user's parents (they have the password, even!) but haveibeenpwned says the associated email address was in a data breach. Do you provide the information, or not?

    Fortunately, you got in contact with the real parents of that child – they know nothing about this website you run, and the person contacting you is someone else. You let them know that photos of their identification documents have been stolen. (You later learn that the user isn't even dead: they tell you about a stalker ex, and you make a note to be extra careful about this user's data.)

    One of the domains in your webring has expired, and now redirects to a cryptospam site. That counts as §38 "fraudulent advertising". In response, Ofcom decide (very reasonably) to make webrings illegal.