Comment by tzs

I don't know anything about lobste.rs, but they mention lfgss and when that was discussed on HN a couple months ago the person that runs lfgss mentioned these as things they would have to do to comply:

> 1. Individual accountable for illegal content safety duties and reporting and complaints duties

> 2. Written statements of responsibilities

> 3. Internal monitoring and assurance

> 4. Tracking evidence of new and increasing illegal harm

> 5. Code of conduct regarding protection of users from illegal harm

> 6. Compliance training

> 7. Having a content moderation function to review and assess suspected illegal content

> 8. Having a content moderation function that allows for the swift take down of illegal content

> 9. Setting internal content policies

> 10. Provision of materials to volunteers

> 11. (Probably this because of file attachments) Using hash matching to detect and remove CSAM

> 12. (Probably this, but could implement Google Safe Browser) Detecting and removing content matching listed CSAM URLs

A lot of those sound scary to deal with but upon closer look don't actually seem like much of a burden. Here's what I concluded when I looked into this back then.

First, #2, #4, #5, #6, #9, and #10 only apply to sites that have more than 7 000 000 monthly active UK users or are "multi-risk". Multi-risk means being at medium to high risk in at least two different categories of illegal/harmful content. The categories of illegal/harmful content are terrorism, child sexual exploitation or abuse, child sex abuse images, child sex abuse URLs, grooming, encouraging or assisting suicide, and hate.

Most smaller forums that are targeting particular subjects or interests probably won't be multi-risk. But for the sake of argument let's assume a smaller forum that is multi-risk and consider what is required of them.

#1 means having someone who has to explain and justify to top management what the site is doing to comply.

#2 means written statements saying which senior managers are responsible for the various things needed for compliance.

#3 is not applicable. It only applies to services that are large (more than 7 000 000 active monthly UK users) and are multi-risk.

#4 means keeping track of evidence of new or increasing illegal content and informing top management. Evidence can come from your normal processing, like dealing with complaints, moderation, and referrals from law enforcement.

Basically, keep some logs and stats and look for trends, and if any are spotted bring it up with top management. This doesn't sound hard.

#5 You have to have something that sets the standards and expectations for the people who will dealing with all this. This shouldn't be difficult to produce.

#6 When you hire people to work on or run your service you need to train them to do it in accord with your approach to complying with the law. This does not apply to people who are volunteers.

#7 and #8 These cover what you should do when you become aware of suspected illegal content. For the most part I'd expect sites could handle it like the handle legal content that violates the site's rules (e.g., spam or off-topic posts).

#9 You need a policy that states what is allowed on the service and what is not. This does not seem to be a difficult requirement.

#10 You have to give volunteer moderators access to materials that let them actually do the job.

#11 This only applies to (1) services with more than 7 000 000 monthly active UK users that have at least a medium risk of image-based CSAM, or (2) services with a high risk of image-based CSAM that either have at least 700 000 monthly active UK users or are a "file-storage and file-sharing service".

A "file-storage and file-sharing service" is:

> A service whose primary functionalities involve enabling users to:

> a) store digital content, including images and videos, on the cloud or dedicated server(s); and

> b) share access to that content through the provision of links (such as unique URLs or hyperlinks) that lead directly to the content for the purpose of enabling other users to encounter or interact with the content.

#12 Similar to #11, but without the "file-storage and file-sharing service" part, so only applicable if you have at least 700 000 monthly active UK users and are at a high risk of CSAM URLs or have at least 7 000 000 monthly active UK users and at least a medium risk of CSAM URLs.