Mephistopheles and the original sin

30 April 2025

Estimated reading time: 4 minutes
Category: UK policy
Tag:

Please appreciate the fact, dear readers, that after six years of shoveling coal into England’s dark satanic mills of regulatory hell, your faithful correspondent has sprouted an extra devil floating over her shoulder.

Because I am severely overeducated, said devil resembles Professor Woland in Bulgakov’s The Master and Margarita, the professor being the Soviet regeneration of Faust’s Mephistopheles, aka The Devil. (I told you I’m overeducated.)

The Professor occasionally ascends to hiss in my ear as follows:

are you really going to write another blog post about the Online Safety Act?

The Professor is correct: at this stage, this topic is a form of subjective and legal but harmful content, at least for everyone else trapped in the furnace with a shovel. The sun is shining! The birds are singing! And yet, here floats Mephisto, with a hot topic and a hot take, taunting me back into the furnace.

And so shovel in hand, here I go again. With another post. About the Online Safety Act.

As you will be painfully aware by now, Ofcom’s implementation of the UK’s Online Safety Act requires all services in scope – which, in their view, means 90% of the sites and apps in the world, as long as they can be accessed in the UK – to perform a risk assessment.

And as you are also aware by now, the OSA does two things. One, it treats all service providers on the planet as if they were Meta, meaning guilty of Meta-sized sins. Two, it punishes all service providers on the planet for Meta’s sins by slapping them with Meta-sized compliance obligations.

So the OSA requires service providers to evaluate the ability of their site or service to host each of these twenty-five forms of both illegal and legal content:

  1. Terrorism
  2. Child Sexual Exploitation and Abuse (CSEA)
  3. Grooming
  4. Child Sexual Abuse Material (CSAM)
  5. Hate
  6. Harassment, stalking, threats and abuse
  7. Controlling or coercive behaviour
  8. Intimate image abuse
  9. Extreme pornography
  10. Sexual exploitation of adults
  11. Human Trafficking
  12. Unlawful Immigration
  13. Fraud and financial services offences
  14. Proceeds of crime
  15. Drugs and psychoactive substances
  16. Firearms, knives and other weapons
  17. Encouraging or assisting suicide
  18. Foreign interference
  19. Animal cruelty
  20. Non-priority offence – Epilepsy trolling
  21. Non-priority offence – Cyberflashing
  22. Non-priority offence – Encouraging or assisting self-harm
  23. Non-priority offence – False communications
  24. Non-priority offence – Obscene content showing torture of humans and animals
  25. Non-priority offence – Threatening communications

To do this, service providers must analyse each of those twenty-five areas in the light of what Ofcom calls functionalities – in other words, the basic way the service works. The discussion of functionalities is not theoretical. As per their guidance – what, you didn’t read all 1200+ pages of that particular drop? – the presence of those functionalities automatically bumps a service up from low-risk to high-risk, and therefore, higher compliance obligations.

Their typical rhetoric, which is very much if A, then B, looks like this:

End-to-end encryption: Offenders often use end-to-end encrypted services to evade detection. For example, end-to-end encryption can enable perpetrators to circulate CSAM, engage in fraud, and spread terrorist content with a reduced risk of detection.

All par for the course these days, but now we get to the truly silly part. Ofcom’s  risk assessment process attempts to drag as many services possible into the highest levels of compliance obligations by defining, what in their view, is the original sin of the internet:

hyperlinks.

Their guidance cites hyperlinks – yes, that means links, like this – as a high risk factor for the most depraved crimes humanity has to offer. This means that for most of the twenty-five atrocities listed above, the presence of hyperlinks is seen as an exacerbating factor.

Even if the link is not a link.

URLs, both in the form of hyperlinks and plain text, can be used by perpetrators to share CSAM between other individuals or more widely.

Damn you, Tim Berners-Lee! *shakes fist*

But fear not, for common sense is on its way. Enter our friend the internet lawyer, Graham Smith, Britain’s second most exasperated OSA blogger. In his super excellent blog, he eyerolled:

Designation of general purpose functionality as a risk factor reaches a high point with hyperlinks. Since terrorists and other potential perpetrators can use hyperlinks to point people to illegal material, hyperlinks can be designated as a risk factor despite not being inherently harmful.

As he notes, “general purpose functionality” – meaning basic things like text and hyperlinks – is not a random phrase, nor does Ofcom get to define it based on the destination they wish to reach.

Because “general purpose functionality” has a case ruling from the European Court of Human Rights, grounded in Article 10 (freedom of expression) of the European Convention on Human Rights.

(You may pause now to rise and hum “Ode to Joy”. I’ll wait.)

This was the Magyar Jeti Zrt v Hungary ruling, which established that hyperlinks are, indeed, basic general purpose functionality.

The Court noted:

“Bearing in mind the role of the Internet in enhancing the public’s access to news and information, the very purpose of hyperlinks was, by directing to other pages and web resources, to allow Internet users to navigate to and from material in a network characterised by the availability of an immense amount of information. Hyperlinks contributed to the smooth operation of the Internet by making information accessible through linking it to each other. Hyperlinks, as a technique of reporting, were essentially different from traditional acts of publication in that, as a general rule, they merely directed users to content available elsewhere on the Internet. They did not present the linked statements to the audience or communicate its content, but only serve to call readers’ attention to the existence of material on another website.

 A further distinguishing feature of hyperlinks, compared to acts of dissemination of information, was that the person referring to information through a hyperlink did not exercise control over the content of the website to which a hyperlink enabled access, and which might be changed after the creation of the link – a natural exception being if the hyperlink pointed to contents controlled by the same person. Additionally, the content behind the hyperlink had already been made available by the initial publisher, providing unrestricted access to the public.”

General purpose functionality is central to the right to freedom of expression. And hyperlinks are central to the general purpose functionality of the internet.

That’s not my personal polemic. That’s a legal fact. And Ofcom < ECtHR. Every time.

Links are not the original sin, no matter what the Professor might say. They’re how this big, messy, wonderful internet works. Pick a better battle, Ofcom. Not this one.

The Author

I’m a UK tech policy wonk based in Glasgow. I work for an open web built around international standards of human rights, privacy, accessibility, and freedom of expression. The content and opinions on this site are mine alone and do not reflect the opinions of any current or previous team.

1 Comment

  1. tfb says

    I can see it now: ‘written text, both available on the internet or just written on paper, can be used by perpetrators to share CSAM between other individuals or more widely’.

    Yes, Ofcom, yes it can.

Comments are closed.