Food Safety vs Online Safety

Analogies are like soufflés - they all collapse eventually.

Food can be delicious, but certain foods can cause people physical pain or, in some cases, death.

In most parts of the civilised world, governments have food safety laws. They mandate how to properly prepare, store, label, and serve food.

In the UK, the laws are onerous for a large food manufacturers because we recognise that introducing pathogens into the supply-chain could cause mass harm.

But even small food shops are subject to food safety regulations. They have to show that their staff are trained to keep customers safe because, again, mislabelled food can kill.

What about if you're cooking for yourself - do you need to have a food hygiene certificate? No. You are trusted to look after yourself and your family.

How about if you invite friends round for dinner - are there any laws governing that? Again, no. It's probably sensible to ask about allergies, but there aren't any regulations about serving friends undercooked burgers.

Having a big BBQ? Here's some general guidance which is easy to follow if you want to keep people safe.

What about starting to get a little bigger? Want to do a lot of cooking for a charity event? You don't need to register as food business nor do you need a hygiene certificate, but you do need handle food safely.

Serving food to a vulnerable group? You need to take special care - especially around pathogens and common allergies.

And, as you start to professionalise and sell food, you'll need to register and consider food safety training.

That all sounds pretty sensible, doesn't it? Food can cause harm. You can do what you like domestically, but ought to take care. If you start interacting with the public, there's some basic guidance, when you get bigger there's more admin because there's more risk. Food Safety is important.

So let's talk about Online Safety.

Ofcom are now charged with regulating online safety in the UK and they've started to produce guidance about what that means.

Can online material cause harm? Yes. Anyone who has seen distressing images knows how frightening and upsetting they can be. Violent threats might be from someone with no intention of acting upon them, but the threat itself is terrifying and you have no way of knowing whether it will lead to physical harm. Some content is specifically designed to give people dangerous eating disorders. Society at large is harmed when young people are radicalised into violent ideologies. Some websites encourage suicide.

Online harms are real harms. It's easy to make jokes about the police arresting people for memes, but the reality is much grimmer than the headlines. So - for better or worse - the government are trying to reduce the harms present in online spaces.

If you accept that certain online activity can have a detrimental effect on people, what guidance and regulations would you create?

The official guidance is vast⁰ and seems daunting. Some people are freaking out. But the prosaic reality seems much less terrifying. And, in many ways, similar to food safety laws.

Running your own website just for yourself? Basically there doesn't seem to be a problem. You probably shouldn't do anything to harm yourself. If you're publishing other people's comments, you probably moderate them anyway to prevent spam and, hopefully, you're not publishing the ones with illegal images.

Starting to get a bit bigger, maybe running a forum? You need to think about what risks you face. Are people likely to upload dangerous content? What steps could you take to prevent that? It's probably a good idea to set an acceptable use policy and document how you'll respond if one of your users does something which might be harmful. These sorts of things are pretty standard, so hopefully not a big imposition.

Dealing with lots of user generated content? You're going to need a big "report abuse" button near it. But, again, if you've been running a service for any length of time, you've probably already done that. People post stupid stuff all the time and users are always reporting each other to a moderator.

Do you have user-to-user private communications on your site? What will you do if someone complains that they are being groomed, threatened, harassed, or otherwise made to feel unsafe? Sorry if I sound like a broken record on this but, again, this is the basic sort of community hygiene most sites should have already implemented.

Primarily targetting children? Again, I hope that you already have processes in place to ensure that they're not being exploited to unwittingly exposed to content that may harm them.

I'm not going to lie; there is a lot of documentation to review. Far too much for a small site to cope with¹. There's a basic checker to see if your service is in scope but not much else yet. Having started to grind through it, there's very little that seems unreasonable to a small website owner like me.

In many ways, I liken it to GDPR. When that came in to force, lots of sites said that they were simply unable to comply with the regulatory burden. I don't doubt some of them closed, but do you really want to interact with a site which won't protect your email address and other data? That's a bit like choosing to eat a kebab from a restaurant which doesn't keep its raw and cooked meat separately.

Small restaurants need to protect their customers from food-based harm.

Small organisations need to protect their users from data-privacy harm.

Small websites need to protect their users from online-related harm.

As a website owner, at what level do you think people need protecting from your actions?

---

But.

OK, that's the most positive spin I could put on it. How do I really feel?

Well, look. Most of this is a massively over-engineered piece of crap. You can see where every possible policy objective was crammed in with no thought about the holistic experience. The way this has been (mis)communicated has been terrible - and that isn't helped by the lack of concise guidance and available tooling.

Seriously, if your policy can only be expressed in dozens of PDF files then something has gone seriously wrong. When individuals have to take time to create a usable summaries, that indicates a massive failure in process.

There's a whole bunch of stuff around pornographic services which troubles me. Not because I produce any² but because porn has been a traditional "over-reach" subject. Sex education, especially in the QUILTBAG community, is often treated as pornographic rather than educational.

I'm quite annoyed at both age "verification" and CSAM scanning requiring site owners to pay large commercial companies to provide these services. If something is mandatory, there should be a publicly provided option.

While I don't think small sites should be completely exempt - it would be far too easy for a deliberately harmful site to use that as an excuse - there needs to be more recognition that the Web isn't just Facebook and TikTok. Most of this seems to be written for large organisations. Which means small organisations are scrambling to understand what it means for them - join the Promising Trouble community to find out more.

The Web isn't the "Wild West" - it has been an established platform for decades. All the "crying wolf" about government censorship makes our industry look ridiculous - but it is easy to see why it happens when policies are this badly communicated.

Frankly, it was irresponsible for Ofcom to launch all this guidance without providing the tooling to help users understand which parts of it are necessary to them³. And I'll bet they didn't do any user testing before publication.

So we're at a stage where everyone is losing their minds over what should be a simple codification of existing best practice.

The cumulative effect of legislation mandating data protection, accessibility, security, and protection from harms is probably a good thing. I don't want a web which leaks my information, hurts my disabled friends, causes a DDoS, and exposes people to content they don't want to see.

But, to return to my original analogy, this guidance is rather like telling every home-baker that they now need to comply with all the rules pertaining to an industrial slaughterhouse.