[Notice] Georestriction of the UK

I do agree with you here, but OFCOM have deliberately left it open to interpretation. However it would be up to the Haiku forum admins to argue their methodology should the need arise. It would be quite reasonable to look at only UK users active over the last 12 months, which would likely change the percentage. Without seeing actual numbers though, this argument is rather academic.

Private Eye contains political satire. The magazine itself is primarily an investigative journalism outlet, e.g. see its work on the Horizon IT system failures.

This was not in the satire pages.

A better question would be what our specific site has to do to comply with the act.

There’s a handy guide to the Risk Assessment online here:

But the basics are pretty straight forward and revolve around: how could your forum be used to post illegal content, how will you try to prevent it, how will you deal with it should it happen, and how can people disagree with you if you remove something they think is legal. Subscribe to the OFCOM update service, to be notified if any of the rules change, and do a quick checkup every 12 months. Keep the documents accessible. Perhaps for clarity, update the policy docs on here too.

One thing I noted another post mentioning was how GDPR was a not-dissimilar thing… and that implementing it was a well defined and easy process. In which case, why is this particular site (discuss.haiku-os.org) not fully compliant?

When signing up for an account the Privacy Policy states “last updated 2013”, which is five years before GDPR became law. Your Terms of Service was updated 2 years before GDPR. There is no mention of where user’s data is stored. There’s no mention of how to request a portable copy of a user’s data. Both these items are core components of GDPR compliance. Where’s your Cookie Compliance opt-in banner that should show before any cookies are created? Interestingly GDPR violators can be fined up to €20 million or up to 4% of annual worldwide turnover, but I guess that’s not happened for Haiku yet?

My point here is that blocking a whole country because of a local law, aimed at protecting minors, that requires a small amount of paperwork to be compliant seems an odd decision, when you haven’t also blocked the entire EU because you’re not compliant with their laws (and haven’t been for 6+ years). Why not just make this site USA only?

I’m not sure how to respond to that? There’s specific sections of the Highway Code for cyclists, motorists, equestrians and pedestrians, each with a separate subset of rules, along with a section that applies to all (the Highway Code isn’t law, it’s a guide on following the law).

The Online Safety Act does not differentiate corporations or individuals. It’s just as illegal for Facebook to break this specific law as it is for me to. What the law does state is that “reasonable steps” must be taken to comply. Reasonable steps for me, an individual vs “reasonable steps” for Google are two very different things. For me, my private non-profit forum might need a more prominent “report this post” button to be considered compliant, whereas Google has the technology and funds to use AI to proactively detect illegal content - and already does. Both perfectly reasonable steps.

I doubt that a bureaucrat in the UK would say the same thing, but if we had only 10 users, and one was from the UK, that would be a significant portion of our own user base, but an insignificant number altogether. I believe someone already said this, but it’s probably purposefully vague so that anyone in charge can decide what they feel like qualifies in order to meet their own goals.

If Haiku is worried about their officers in the UK getting into trouble, maybe just maintain the block, and not worry about policing potential workarounds because that’s none of our business. If it turns out that they have no jurisdiction to go after UK officers for something an American organization does, then maybe stop the geoblocking and let’s not worry anymore.

How many Haiku officers are in the UK, just curious?

I’m saying I find this law, clearly not meant for small not-for-profits and purposely defined vaguely, bizarre.

No, that’s not how it works. That’s what Ad Tech companies want you to think GDPR does, and then they can say “blame the stupid EU for how annoying and bloated the web has become”.

GDPR is only about tracking cookies, and there are exceptions for the cookies that just allow you to stay logged in to a forum. So, the whole two (2) cookies used by this forum, which are not shared with anyone else, do not require a banner. We decided to not have Google Analytics or similar tools long before GDPR was a thing.

Data exporting is easily done from your preferences page by clicking the “Export your data” button. That is easy to find, and does not need to be explained in the terms of service.

Your data is stored on Haiku servers and not shared with anyone else.

So, basically, the software itself is compliant with GDPR, and there is nothing special to write in the privacy policy.

You’re creating cookies before giving people chance to read about why you’re creating cookies (and therefore avoid having them be created in the first place). You’re not stating geographically where user data is being stored, and I shouldn’t have to go looking for information on how to download after I give you personal information, when you have a clear privacy policy and FAQ pages that are freely accessible before I give you any personal data. But again, this is just an example of how people interpret the rules in different ways. You may want to refresh your knowledge and have a read up on GDPR and the ePrivacy Directive: Cookies, the GDPR, and the ePrivacy Directive - GDPR.eu
They have a nice summary (take directly from that link):

To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:

• Receive users’ consent before you use any cookies except strictly necessary cookies.
• Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
• Document and store consent received from users.
• Allow users to access your service even if they refuse to allow the use of certain cookies
• Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.

(Session cookies aren’t strictly necessary until a user actually logs into a website).

So again, you may want to periodically review your compliance to the various global laws, GDPR, LGPD, etc.

Personally this doesn’t bother me, I’m just using it as an example of another daft law that also doesn’t quite understand how how the internet really works. Session cookies are very different to analytics, tracking cookies or cookies that store personal data, but sadly are treated with the same suspicion.

Ultimately you guys will do what you want to do though. I’m just sad this whole situation has arisen, and quite frankly embarrassed by it all. It’s like our government came up with a good idea (think of the children!) and just mumbled when figuring out the actual details.

The road to hell is paved with good intentions.

On the face it it, it seems like performing a risk assessment, writing down the results somewhere, and then having a reasonable process for moderation would be more than enough to keep the forum open to UK users.

I’m not a mod on here, so I can’t see how much spam etc. does get posted but I don’t imagine it’s a lot, and suspect current processes work well alrady? I’d be willing to put my hand up to review every sodding link and video that get posted if it means being able to keep access open (I’m UK based these days, so have a vested interest in it).

A lot of the spirit of the law is focusing on children and whether they’re a likely audience, and I think it’s pretty fair to say they’re not. Yes some children may access the forum, but it’s clearly not appealing to them directly. I do absolutely understand where Haiku, Inc. is coming from on this, but it seems to me like giving into well-intentioned by badly implemented laws like this will just see the net get even more degraded than it already is. If we can’t keep the small stuff alive Meta and Google will be all that’s left in a few years.

If the sum of the burden on us is a one-time risk assessment, I wouldn’t be worried about the OSA and would be 100% “leaving things alone as they are”

However, my biggest issue is the ongoing review / reporting aspect.

@mattlacey if you’re willing to step up as a UK resident and start performing these reports, it does indeed get us pretty far into OSA compliance (maybe to a degree the BOD would be happy with)

However, I think that comes with a sturdy “as soon as nobody is performing these reports in an official ongoing capacity, we’re going to have to georestrict the UK”.

I get the impression this thing has been decided - apparently in haste - and despite Haiku clearly being de-minimus.

I will however - as a UK user - have to consider my monthly donation to Haiku if I am blocked. It is only 5 bucks, so its loss won’t be the end of the world, but is the only way I can express my sense of disappointment at Haiku’s actions which I strongly feel remain excessive and made on unfounded fears.

This is pretty disingenuous to be honest.

• It was discussed for 10+ days with the whole BOD
• I raised the topic to the community to discuss after those 10 days, and asked for people to step up and help with ideas or their time.
• 112 replies later, one person in the UK actually stepped up (thanks @mattlacey)

I as a board member, can not ignore a potential threat to the donation dollars our global community of users have worked hard for, and generously donated to Haiku, Inc. People don’t donate funds to us so we can “fight UK law”, they donate to advance the development of the Haiku operating system… and I feel as though most of the responses here support that position.

With the above said, i’m going to go ahead and lock this thread. I’ll coordinate with @mattlacey to see if we can figure out a system to keep the forums available to the UK. If you’re in the UK and want to help Matt out, please reach out to the board (or Matt ;-)) directly.

Take this thread as “laws matter, laws your country passes matter”. If you’re not happy about the way this is going, complain to your representatives, not us. We’re doing the best we can with the volunteer help we got.