UK govt pushes online safety regulations but commits major fumble on One Login

The online safety regulatory landscape in the UK is currently in the midst of a bizarre conflict, as the government leads with a sword of justice in one hand while brandishing a flimsy shield of digital ID in the other. Having announced its Gov.uk Wallet as a potential home for the digital ID and age assurance services it claimed to be fostering under the Digital Identity and Attributes Trust Framework (DIATF) – causing great consternation among providers with government certification, who fear they will be crushed between government and Big Tech – the government has lost its own certification for the One Login service proposed as the backbone of the wallet scheme.
Meanwhile, on the front lines, Ofcom is notching up its regulatory activity, targeting sites that promote self-harm and pornographic video sites that have failed to implement highly effective age assurance.
Ofcom investigates 2 adult content sites for potential OSA violations
UK regulator Ofcom is making good on its promise to enforce the Online Safety Act (OSA), with new investigations launched under the age assurance enforcement program into two entities that own and operate websites that host pornographic and exploitative content.
They follow Ofcom’s first enforcement action, an investigation into a suicide discussion forum.
In that case, Ofcom opted not to name the site or company in question, so as not to draw further attention to an entity that had already appeared in multiple coroner’s reports.
This time, however, Ofcom has named the defendants as Itai Tech Ltd., which has a registered UK office in Norwich and operates a “nudification” site, and Score Internet Group LLC, a Miami, Florida-based group that publishes a variety of adult magazines and runs at least eleven adult content websites.
A release from Ofcom says “in January, we wrote to online services that display or publish their own pornographic content to explain that the requirements for them to have highly effective age checks in place to protect children had come into force. We requested details of services’ plans for complying, along with an implementation timeline and a named point of contact.”
“Certain services failed to respond to our request and have not taken any steps to implement highly effective age assurance to protect children from pornography.”
It says both Itai Tech Ltd and Score Internet Group LLC run sites that “appear to have no highly effective age assurance in place and are potentially in breach of the Online Safety Act and their duties to protect children from pornography.”
Safety by design, innovative age assurance among DSIT priorities
The Department for Science, Innovation & Technology (DSIT) has published its Draft Statement of Strategic Priorities (SSP) for Online Safety.
The document, which was “developed with the input of those who have experienced the offline impacts of failures in online safety,” aims to set out the government’s focus areas for online safety.
“Tech companies benefitting from conducting their business in the UK must accept their responsibility to keep people safe on their platforms and foster a safer online world,” it says in the intro.
DSIT identifies five areas it will prioritize: implementing safety by design, increasing transparency and accountability of online platforms, maintaining regulatory agility to keep pace with changing tech, building an inclusive and resilient online society of well-informed users, and supporting continued innovation in safety technologies.
The first, safety by design, makes specific mention of protecting girls and women, and targeting content enabling or promoting child sexual exploitation and abuse, acts of serious violence, hate and self-harm. It also references the “Southport tragedy in July 2024,” in which the proliferation of hateful content online fuelled violence and civil unrest across the UK.
“When we discuss safety by design, we mean that regulated providers should look at all areas of their services and business models, including algorithms and functionalities, when considering how to protect all users online,” DSIT says. “The government believes the goal should be to prevent harm from occurring in the first place, wherever possible.”
It concedes that this is “ambitious” and “clearly a material challenge,” but notes the “significant powers at its disposal – including information gathering, audit, enforcement and penalty powers – to ensure providers comply with their statutory duties to protect users online.”
Moreover, subsection 1.2 addresses the commitment to “ensuring companies are effectively deploying age assurance technology to protect children from harm online and investing in technological developments.”
“Services should take advantage of the technologies that are already available to identify child users and ensure that they cannot access harmful content on their services – this includes both age estimation and age verification technology.”
“Ofcom’s regulatory approach should promote the development of age assurance technologies to improve child safety outcomes, particularly with regard to identifying children of different age groups to deliver age-appropriate online services, and create an environment where platforms deploy these technologies safely.”
It may raise some eyebrows among biometrics and digital identity providers working in the age assurance space to see that DSIT has included, among stated priorities under the technology and innovation umbrella, “supporting the development of more effective age assurance technologies.” In light of the government’s announcement on the Gov.uk Wallet and its potential for facilitating age assurance, many providers – and investors – have questions about the government’s commitment to fostering innovation that leads to a diverse ecosystem of age assurance providers in the long term.
Nonetheless, DSIT insists that “innovation is particularly important for age assurance technologies. While age assurance solutions exist, the government recognises the importance of continued innovation to maximise their effectiveness, as well as consistent standards for these technologies.”
Promising to support work on standards for age assurance technologies, and to enable Ofcom to continue developing its understanding of those technologies through shared knowledge, DSIT says it hopes for “continued ambition in age assurance technologies,” and swears it wants to “ensure that there is space in the regulatory landscape for the innovation of age assurance solutions.”
‘How is the government’s flagship digital identity system failing so badly?’
It may be the case that the government is recognizing the limits of its capability in competing with the market. A few days back, Richard Oliphant, legal counsel for several major tech firms, posed an interesting question on his social media feed: “Why is the government’s One Login scheme no longer in the official register of DIATF service providers?”
We now have the answer. According to Computer Weekly, the government’s Gov.uk One Login digital identity system has lost its certification against its own trust framework. CW reports that “a key technology supplier to One Login chose to allow its certification to lapse, and as a result, One Login has also been removed from the official accreditation scheme.”
The supplier in question is biometric IDV provider iProov, which failed to renew its DIATF compliance, causing the One Login certification to automatically expire.
Technology secretary Peter Kyle, who is meeting this week with representatives from the age assurance and digital identity sectors, had planned for One Login to be used for identity verification for the Gov.uk Wallet. That decision – already causing furor among those who don’t see why taxpayers should pay to compete with government-certified private firms – will surely be called into further question in light of the epic standards failure.
A spokesperson for iProov is quoted as saying that “iProov holds a number of certifications, both in the UK and internationally, which we regularly review against customer requirements. Following a standard review, our Trust Register certification was allowed to lapse. We will look to recertify in line with customer requirements.”
Regardless of iProov’s commitment to renewal, One Login may have a ways to go before it can be considered as a legitimate service worthy of government efforts and pounds sterling. Computer Weekly says the One Login team has yet to fully meet NCSC guidelines detailed in its Cyber Assessment Framework (CAF), and has not yet fully implemented the government’s Secure by Design practices.
It makes one wonder, to quote Liberal Democrat digital spokesman Tim Clement-Jones, “How is the government’s flagship digital identity system failing to meet standards so badly, given that it is expected to shortly form an essential part of our immigration controls?”