UK regulator moves to compel tech firms to combat AI-generated deepfakes and abuse

May 26, 2026

Introduction: A new line in the sand for online safety

The United Kingdom's communications regulator, Ofcom, has announced it will legally require major technology companies to actively combat the spread of AI-generated deepfakes and non-consensual intimate images (NCII). This directive, issued under the new powers of the landmark Online Safety Act, marks a significant shift from voluntary platform policies to legally enforceable duties. Citing an “urgent need to better protect women and girls online,” Ofcom is placing the onus squarely on the largest social media, search, and video-sharing platforms to build systems that prevent and rapidly remove this malicious content.

This move comes in response to a surge in accessible AI tools that can create convincing synthetic media, often for abusive purposes. High-profile incidents, such as the flood of explicit deepfake images of Taylor Swift on social media platform X earlier this year, have underscored the inadequacy of existing content moderation systems and amplified calls for regulatory intervention. With the Online Safety Act now law, Ofcom is beginning to wield its authority to hold platforms accountable for the harms facilitated on their services.

The technical arms race: Creation vs. detection

The challenge facing tech firms is fundamentally a technological one, pitting rapidly evolving generative AI against defensive detection mechanisms. Understanding the technologies involved is key to appreciating the difficulty of Ofcom's mandate.

The malicious content in question is primarily created using two types of AI models: Generative Adversarial Networks (GANs) and, more recently, diffusion models. A GAN pairs two neural networks, a generator and a discriminator, that compete against each other so that the generator produces increasingly realistic fakes. Diffusion models are trained by adding noise to images and learning to reverse the process, which lets them generate new, high-fidelity images from text prompts. These are the engines behind popular AI image generators and so-called “nudification AI” apps, which digitally remove clothing from images of individuals without their consent.

Once relegated to specialized communities, these tools are now widely available through user-friendly apps, websites, and even automated bots on messaging platforms like Telegram. This democratization of deepfake technology means that creating convincing and harmful synthetic media no longer requires specialized skill, dramatically increasing the volume of abusive content.

In response, Ofcom will expect platforms designated as “Category 1” services—the largest and highest-risk platforms—to deploy a multi-layered defense strategy:

  • AI-powered content moderation: Platforms must use their own machine learning algorithms to proactively scan for and flag synthetic media and nudity. These systems analyze pixels for tell-tale signs of AI generation, such as unnatural lighting, inconsistent shadows, or subtle anatomical distortions.
  • Hashing databases: A critical tool in this fight is the use of perceptual hashing. Technologies like StopNCII.org, supported by major tech firms, allow a victim to create a secure digital fingerprint (a hash) of an intimate image. Platforms can then use this hash to detect and block any future attempts to upload the same image, without ever seeing the image itself.
  • Enhanced reporting and human review: Automated systems are imperfect and can be circumvented. Ofcom will require platforms to have clear, accessible user reporting tools for deepfakes and NCII, backed by dedicated human moderation teams who can provide context and make nuanced judgments.
  • Digital provenance: While not yet a widespread standard, the industry is exploring solutions for content authenticity. This could involve embedding cryptographic watermarks or signatures into media at the point of creation, allowing for a verifiable chain of custody to distinguish genuine content from manipulated fakes.
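
To make the hashing-database item concrete, here is an added example (not code from Ofcom, StopNCII.org or any platform) of how a perceptual hash lets a service match a re-upload while holding only fingerprints. It uses a simple difference hash as a stand-in for production algorithms; the 6-bit threshold, the function names and the pixel grids are assumptions constructed for the illustration.

```python
import hashlib

MAX_DISTANCE = 6  # assumed match threshold in bits; real systems tune this value


def dhash(pixels):
    """64-bit difference hash of an 8x9 grayscale grid: one bit per adjacent pair."""
    bits = 0
    for row in pixels:
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | (left > right)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def exact_digest(pixels):
    """SHA-256 over the raw pixels, for comparison: any edit changes it completely."""
    return hashlib.sha256(bytes(v for row in pixels for v in row)).hexdigest()


def is_blocked(pixels, blocklist, max_distance=MAX_DISTANCE):
    """True if the upload's hash is within max_distance bits of a listed hash."""
    h = dhash(pixels)
    return any(hamming(h, listed) <= max_distance for listed in blocklist)


# Constructed sample data: 8 rows x 9 columns of grayscale values, standing in
# for images already downscaled by the hashing step.
ORIGINAL = [[(r * 29 + c * 53) % 200 for c in range(9)] for r in range(8)]
ALTERED = [[v + 20 for v in row] for row in ORIGINAL]   # brightened copy...
ALTERED[0][0], ALTERED[3][4] = 255, 0                   # ...with two pixels damaged
UNRELATED = [[(r * 71 + c * 147) % 200 for c in range(9)] for r in range(8)]

# The platform stores only the fingerprint submitted for the original image.
BLOCKLIST = {dhash(ORIGINAL)}

if __name__ == "__main__":
    print("exact digests equal:", exact_digest(ORIGINAL) == exact_digest(ALTERED))
    print("bit distance to altered copy:", hamming(dhash(ORIGINAL), dhash(ALTERED)))
    print("altered copy blocked:", is_blocked(ALTERED, BLOCKLIST))
    print("unrelated image blocked:", is_blocked(UNRELATED, BLOCKLIST))
```

The threshold is the trade-off the article's later section on over-removal points to: raising it catches more edited copies but also increases the chance of flagging an unrelated image.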

Impact assessment: A ripple effect across the internet

Ofcom's new rules will have far-reaching consequences for tech companies, internet users, and the global regulatory environment.

For “Category 1” platforms like Meta, Google, TikTok, and X, the mandate represents a substantial operational and financial challenge. They will be required to invest heavily in research, development, and the scaling of sophisticated detection systems. Failure to comply could result in staggering fines of up to £18 million or 10% of their global annual turnover, whichever is greater—a penalty designed to command the attention of even the largest multinational corporations. This moves the issue of user safety from a public relations concern to a core compliance and business risk.

The primary beneficiaries are the victims of online abuse, overwhelmingly women and girls. For years, they have faced an uphill battle, often waiting days or weeks for platforms to act on reports of NCII. A legally mandated duty of care promises faster takedowns, better preventative measures, and a clearer path for holding platforms accountable when they fail. For general users, the result should be a safer online environment with less exposure to harmful content.

However, digital rights advocates have raised valid concerns. The push for more aggressive, automated content moderation risks creating a dragnet that catches legitimate content, potentially stifling free expression and artistic creation. The immense pressure to avoid fines could lead platforms to err on the side of over-removal. Furthermore, the necessary scanning of user content, even if automated, raises ongoing questions about user privacy protection.

Globally, the UK's Online Safety Act is setting a powerful precedent. Alongside the EU's AI Act, it signals a move by Western democracies to impose stricter governance on the digital world. This could influence regulations in other countries and accelerate the fragmentation of the internet, where platforms must tailor their services and moderation policies to comply with differing regional laws.

How to protect yourself

While regulators and tech companies have a duty to act, individuals can also take steps to mitigate their risk and respond to abuse.

  • Manage your digital footprint: Be mindful of the images you share publicly. The more high-quality photos of you that are available online, the easier it is for a malicious actor to create a convincing deepfake. Consider making social media profiles private and reviewing your privacy settings regularly.
  • Use platform tools: Familiarize yourself with the reporting and blocking features on the social media platforms you use. When you encounter abusive content, report it immediately to the platform. The more users who report an item, the more likely it is to be reviewed quickly.
  • Recognize the signs of a fake: While deepfakes are becoming more sophisticated, you can sometimes spot them by looking for inconsistencies. Check for unnatural eye movements or lack of blinking, strange blurring around the edges of a person, misplaced shadows, and skin that appears unnaturally smooth or blotchy.
  • Enhance your online privacy: Using tools like a VPN service can help mask your IP address and encrypt your internet traffic, adding a layer of security and anonymity to your online activities.
  • If you are targeted: If you become a victim of NCII, do not panic. Do not engage with the abuser. Document everything with screenshots. In the UK, contact the Revenge Porn Helpline for support and guidance. Globally, use the StopNCII.org tool to create hashes of the images and prevent their spread across participating platforms. Report the incident to local law enforcement.

Ofcom's directive is not a silver bullet, but it is a critical step forward. It formally acknowledges that the harms caused by deepfakes and NCII are not an unfortunate byproduct of the internet, but a direct consequence of how platforms are designed and operated. The coming months will test the technical feasibility of these requirements and the willingness of tech giants to comply, but the direction of travel is clear: the era of self-regulation is decisively over.


// FAQ

What is the UK Online Safety Act?

The Online Safety Act 2023 is a UK law that establishes a new regulatory framework to improve online safety. It imposes a 'duty of care' on online services, requiring them to protect users from illegal and harmful content, with significant fines for non-compliance. Ofcom is the regulator responsible for enforcing the Act.

What are 'Category 1' services under the Act?

'Category 1' services are the largest and highest-risk online platforms, such as major social media networks, search engines, and video-sharing sites. They face the most stringent requirements under the Online Safety Act due to their wide reach and potential for harm.

How can I tell if an image or video is a deepfake?

It's becoming harder, but look for subtle clues: unnatural blinking patterns (or no blinking at all), poor lip-syncing, strange lighting or shadows, blurry or distorted areas where the fake meets the original content, and skin that looks overly smooth or has an unusual texture.

What should I do if I find a non-consensual deepfake of myself online?

First, do not engage with the person who posted it. Document the evidence by taking screenshots. Report the content immediately to the platform where you found it. Use the StopNCII.org tool to create a secure hash and prevent it from being re-uploaded. In the UK, contact the Revenge Porn Helpline for expert advice. You should also report the incident to your local law enforcement agency.
