UK Online Safety Act
The Online Safety Act 2023 is a set of UK laws that protects children and adults online. It puts a range of new duties on social media companies and search services, making them more responsible for their users’ safety on their platforms.
The Act will give providers new duties to implement systems and processes to reduce the risk that their services are used for illegal activity, and to take down illegal content when it does appear.
Introduction
Our understanding is that the OSA does not currently apply to app stores.
Our view is that the LVFS service is a form of app store for device firmware, comprising a two-sided system, allowing registered hardware vendors to upload firmware on the one side, and users to download that firmware on the other. As such, our interpretation is that the LVFS service is currently out of scope of the Online Safety Act 2023.
In any case, for the reasons set out below, we consider that the LVFS service is of incredibly low risk, and fundamentally not the type of service, or the degree of risk, which the OSA was enacted to tackle.
Even if app stores were within the OSA’s scope, our view is that the LVFS service is not a “regulated user-to-user service” anyway, and so falls outside Part 3 OSA too.
Links with the UK
In our view, the LVFS service does not have “links with the United Kingdom”.
There are three tests underpinning this, and the LVFS service does not meet any of them.
We have assessed if the LVFS service has a significant number of UK users. We are mindful that there is no statutory definition of “significant number”, nor any clear regulatory guidance. A “user” - although, again, the definition is not 100% clear - is someone who interacts with the service. We understand that someone who merely reads/consumes a service is not a “user” for the purposes of the OSA. As such, people who download firmware via the LVFS service are not “users”. In terms of people who upload firmware to the LVFS service, there are not a significant number of uploads from the United Kingdom.
The UK is not a “target market” for the LVFS service. The service comprises a tool which can be used by anyone, anywhere in the world, to download firmware updates provided by registered uploaders of the LVFS service. It has no target market.
The LVFS service can be accessed by people in the UK but there are no reasonable grounds to believe that there is a material risk of significant harm to individuals in the United Kingdom presented by user-generated content present on the service.
Because none of the three tests are met, our view is that, even if app stores were in scope, the LVFS service would be out of scope by virtue of its lack of links to the United Kingdom.
Device Vendors
These are users who can upload firmware, with various different roles/permissions. Device vendors could be considered “users” for the purposes of the Online Safety Act. A child (employed by the hardware vendor) could upload firmware, but the likelihood that significant numbers of children in the UK do this, or would experience any harm associated with LVFS, is incredibly low.
Device Owners
These are users who can download and install firmware using fwupd. Device owners have a less clear position from an OSA point of view. The view of the LVFS developer team is that these are merely consumers, and not “users” in the sense meant by the OSA, and so are out of scope.
A child could download and deploy firmware, but the likelihood that significant numbers of children in the UK do this, or would experience any harm associated with LVFS, is incredibly low.
Conclusion
Even if we are wrong in our understanding that the OSA does not apply to app stores, or our assessment that the LVFS service is an app store for this purpose, we consider that the LVFS service does not meet the definition of “regulated user-to-user service”, for the reasons above.
In any case, the assessed risk is negligible for all of the users in the scope of the OSA, given the nature and functionality of the service.