I recently read Online Safety Regulation: The Duty of Care Framework and Implementation Blind Spots from All Tech Is Human, which, through the writing of Emma Hatheway gives us a balanced take on the state of online safety laws in the UK and the US. The article is way too well written for my humble prose to give it justice: go read it. I simply point out a few arguments that I found particularly enlightening.

First, it’s important to point out that these laws are well-intentioned: they are about protecting children, and lawmakers certainly did their best to write good policy. The sad fact is that the complexity of the situation is likely to make those policies ineffective, if not harmful. This is very well summarized by this quote:

Although well-intentioned, this approach has been implemented through vague obligations and a tendency to conflate safety with restriction.

Safety is indeed not the same as restriction - and not the same as surveillance. Restricting access to weapons will obviously lead to a reduction in armed violence - by the simple fact that you can’t commit armed violence without a weapon. But as the text points out as an example, restricting access to material related to suicide may or may not have the intended effect of reducing youth suicide. While there is some harmful material that will encourage teenagers to commit suicide, there is also a wealth of resources that is very valuable to prevent suicide. Mentioning suicide to someone with suicidal thoughts - if done from a place of care - actually reduces the risk by providing the person with a way to express their pain.

More generally, the duty of care that both American and British laws introduce is well-intentioned, but does not translate easily into action for companies. Quoting again:

In trust and safety, vagueness is not neutral, but rather opens up opportunities for different motivations and applications. With ambiguous obligations, or duty-of-care operating as a catch-all, platforms may default to the interpretation that mitigates risk.”

How does that happen? Because companies, big or small, usually see the law as a risk to be mitigated and don’t really care about the intention behind it or - in that case - the actual well-being of their customers. If the law specifies that platforms must protect young people from material that could encourage them to commit suicide, they are likely to go for the simple implementation: restrict access to all material mentioning suicide, taking away as collateral damage a wealth of very valuable resources that young people need. The net result might end up being the opposite of the desired goal. Similar things can happen with surveillance of children’s communication, with the intention of protecting them from abusers (see for example CRIN’s Privacy and Protection, chapter impact of encryption, scenario 8).

The article concludes that implementation realities are the thing to watch now. I would add this is something that lawmakers and government are notoriously bad at - you don’t get points for recognizing that the law you voted two years ago doesn’t work. Here lies the work of civil society and NGOs, to monitor the situation as it unfolds and put pressure on lawmakers to improve it as issues will inevitably arise.

Some of those issues are already predictable, particularly around age restrictions. This one can (and likely will) be mitigated by simply ignoring the law: concerned parents will work with their children to work around age gating, and young people will find ways on their own when needed. Whether governments will be wise enough to ignore these violations is to be seen. It would be sad if they didn’t, and even sadder if they didn’t adapt the laws in the future.

Some interesting reads, on related topics: