On May 14, 2026, the Electronic Frontier Foundation and 18 civil society organizations sent an open letter to UK policymakers with an unusually blunt message: stop trying to engineer safety into the protocol layer of the internet, and start addressing the social, economic, and educational conditions that produce online harm in the first place. The letter comes as Ofcom rolls out the most aggressive phase yet of enforcement under the Online Safety Act 2023 — including age-assurance mandates for services hosting adult content and codes of practice that civil society groups warn could be weaponized against end-to-end encryption.
The signatories' concern is not that online harm is unreal. It is that the UK's chosen instruments — content scanning, identity gating, and sprawling duties of care that apply equally to TikTok and to a hobbyist Mastodon server in Manchester — are disproportionate to the harms they target and corrosive to the open web that the UK's own innovation strategy depends on.
What the Online Safety Act actually requires
The Online Safety Act, which received royal assent in October 2023, creates a tiered regime of duties enforced by Ofcom. Category 1 services (the largest platforms) face the heaviest obligations, but the Act also imposes meaningful compliance duties on every "user-to-user" service accessible from the UK — a definition broad enough to capture forums, fediverse instances, modding communities, and hobby chat servers. Ofcom's Illegal Content Codes of Practice, which entered enforcement in March 2025, require risk assessments, complaints procedures, and, in some circumstances, proactive technology. Age-assurance duties under Part 5 went live in 2025 for services publishing pornographic content, with Part 3 checks for services that host (but do not publish) age-restricted material following on a staggered timeline.
The most controversial provision remains Section 121, which empowers Ofcom to require providers of regulated services to use "accredited technology" to identify CSAM and terrorism content in private communications. Successive ministers have insisted the power will be used "only when technically feasible," but the statutory text contains no such carve-out — and as the operators of Signal and Element have made clear, no jurisdiction-specific backdoor can be built into an end-to-end encrypted protocol without breaking it for everyone.
The case the 19 organizations are making
The May 14 letter does not ask Parliament to repeal the OSA outright. It asks for three things any pro-innovation regulator should welcome: that Ofcom and the Home Office acknowledge the Act's chilling effect on small and community-run services; that any client-side or message-scanning power be ruled out by statute, not just by ministerial assurance; and that the government redirect investment toward the offline drivers of online harm — under-resourced schools, gutted youth services, and a child-protection system that has been repeatedly described as overwhelmed.
This is a serious argument, and it lines up with what the available evidence shows. Ofcom's own media-literacy research has consistently found that the most reliable protective factor for young people online is the presence of trusted adults they can talk to about what they encounter. Building a national age-verification infrastructure does not change that; it just shifts the privacy cost onto every adult who wants to read a blog or join a forum.
The small-platform problem is now visible
The compliance burden has already produced visible casualties. The LFGSS cycling community, with a reported user base of around 75,000, announced its shutdown in late 2023 citing the OSA. Several smaller fediverse instances geo-blocked UK users in 2025 rather than risk Ofcom action. The Wikimedia Foundation has been in active litigation arguing that Wikipedia should not be designated a Category 1 service, on the straightforward ground that volunteer-edited reference works are not the algorithmic engagement machines Parliament said it was regulating.
A proportionate path forward
None of this means the UK should abandon online safety regulation. The Online Safety Act got real things right: transparency reporting, clearer takedown timelines for genuinely illegal content, and a single coherent regulator in Ofcom rather than the patchwork of overlapping authorities that complicates enforcement in many EU member states. But proportionality matters, and the current trajectory fails the test in three specific ways.
- Encryption. Section 121 should be amended to expressly exclude end-to-end encrypted services from any scanning mandate. The Home Office's own Safety Tech Challenge Fund work has not demonstrated client-side scanning at scale with acceptable error rates.
- Scale-based duties. Ofcom's codes should formally exempt non-commercial and small-community services below a clear user threshold, mirroring the DSA's distinction between VLOPs and everyone else.
- Age assurance. Where age checks are required, the regulator should mandate privacy-preserving zero-knowledge attestation rather than document upload, and prohibit retention of verification data beyond the session.
The EFF letter lands at a moment when the political consensus around the OSA is, for the first time, genuinely contestable. Probing parliamentary amendments on encryption have begun appearing across party lines, and the Starmer government — already navigating a contentious Digital ID consultation that EFF formally opposed in early May — has reason to want a less confrontational digital policy story to tell. Listening to 19 organizations that have spent decades doing exactly this work would be a good place to start.