The good advice | Libera Chat

25th October 2025

by She

First of all, a massive thank you to everyone who donated since
our last post. Our income on Liberapay has roughly
quadrupled from what it was before the post. We have also had people reach out
to us for large one-time monetary and hardware donations. Your support is
truly appreciated!

And now for a followup from our last post. TL;DR: the legal firm we’ve engaged
has sent us a memo indicating that in their opinion we can reasonably argue
we do not have sufficient links to the UK for the Online Safety Act to be
applicable to us. They also believe we would be at low risk of attempted
enforcement action even if Ofcom does
consider us to be in-scope for the OSA. We will continue to ensure that this
is the case by keeping internal estimates of our UK user base and by
continuing with our current efforts to keep Libera.Chat reasonably safe. We
have no plans to institute any ID requirements for the forseeable future.

If that’s all you wanted to know, then feel free to stop here.
However, we feel it’s in the best interest of online communities
like ours for us to summarise the advice we were given in hopes that it
will be useful to others. This is not legal advice from us to you.
This advice was provided to Libera Chat as an assessment of our specific
case. We accept no responsibility if you decide to apply advice given to us
to your own online service.

Why does this even matter?

You might be asking why we’ve even bothered to get legal advice on this
matter. Libera Chat (the non-profit that runs the Libera.Chat IRC network)
is based in Sweden. Our bank is Swedish, and we do not rely on any UK-based
payment providers. We have a few servers in the UK, but they can be migrated
on short notice. In other words, the British government has relatively little
authority over us. The most damaging action they can reasonably take is to
instruct internet service providers in the UK to deny access to us.

Relatedly, some online communities have decided that they want to minimise
the authority the British government has over them. In response to critical
analyses of the OSA pointing out its potential for regulatory overreach,
some online communities have taken the understandable precaution of entirely
blocking access from known UK IP addresses, thus cutting off any reasonable
argument that they somehow have links to the UK (more on that later).

The end result is the same: a denial of service to people in the UK solely
because of the country they live in. It’s not an insurmountable barrier to
access in either case, but it shouldn’t be necessary for individuals in the
UK to look into censorship-defeating proxies just to engage with
free software developers and peer-directed projects that choose to have a
community on our IRC network. It doesn’t serve our users, it doesn’t serve
our communities, and it doesn’t serve the UK open source movement.
Therefore, it’s in everyone’s best interest for us look into what’s necessary
to keep things from getting to the point where users in the UK cannot access
Libera.Chat, and that means getting guidance on the OSA.

Who does the OSA apply to?

As the OSA is fairly vague in its definitions, Ofcom has
significant latitude in deciding where the thresholds are for whether an
organisation meets certain criteria or not. Ofcom also hasn’t been forthcoming
with its opinions on where those thresholds are, so there are relatively few
hard guarantees about the applicability of the OSA. Still, there is a strong
argument that while we definitely meet one of the criteria for the OSA to
apply to us, we do not meet the other.

The OSA applies to online service providers that provide a regulated service
and have links to the UK. We unarguably provide a regulated service because
Libera.Chat is a so-called U2U service, i.e. it “allows
‘user-generated content’ to be encountered by another user of the service”.
This is an incredibly broad class of services. Some exceptions are made for
user content that is posted in relation to service content
(e.g. the comment section of a blog) and a few other service types,
but none of them reasonably apply to us. Every chat service, forum,
federated social media server, or code forge counts as a regulated service,
and therefore meets one of the criteria for the OSA to apply to them.

So be it. What about our links to the UK? To quote the memo:

An online service provider has “links to the UK” for the purposes of the OSA
if any one or more of the following apply:

• the service has a “significant number of UK users”
• UK users form a “target market” of the service; or
• the service is capable of being used by individuals in the UK,
  and there are reasonable grounds to believe that there is a material risk
  of significant harm to individuals in the UK presented by the content
  generated by the service.

One factor that does not automatically give us links to the UK is the fact
that we have staff members in the UK. Curiously, employees of the
service provider who do not engage with that service as users are actually
excluded for the purposes of determining whether a service has a
“significant number of UK users”. Our staffers are also users, but our
UK staffers make up an insignificant portion of our user base.

Speaking of which, the memo implies that “significance” in this context is
interpreted as being relative to the population of the UK, not relative to
the user base of the service. We have seen risk assessments that take the
other interpretation and consider their UK user base to be “significant”
because it makes up a large portion of their overall user base, but the advice
we received suggests we should not use this interpretation. The exact fraction
of the UK’s online population that must use a given service to be considered
“significant” is unknown, but based on our counsel’s observations of Ofcom’s
previous regulatory actions, it appears to be much higher than our internal
estimates of how large our UK user base is.

The “target market” criterion is meant to capture services with a low number
of UK users that target the UK specifically. While our target market
(people interested in using an IRC-based platform for discussing free
software or other peer-directed projects) is inclusive of UK users, it isn’t
specifically for them. Our network is predominantly English-speaking, but
we do not promote, direct, or tailor our service to UK users in particular.

Finally, there is no atypical material risk of significant harm to
individuals in the UK presented by the messages on Libera.Chat. We block spam
and client exploits. We are proactive in ensuring that our network’s
acceptable use policy is upheld. We do not tolerate incitement to
violence, doxxing, or defamation. And finally, we do not provide file hosting
that can be used to distribute pornographic or sexual abuse media, though when
we sought legal advice from the firm, we acknowledged the existence of DCC
as a commonly-supported mechanism for transferring files using an IRC network
to establish a peer-to-peer connection.

In the coming weeks, we will be finalising a statement
similar to this risk assessment that we can provide to
Ofcom should we ever be contacted by them about the OSA.

What if the OSA does apply to us?

While it is our opinion that the OSA does not apply to us, Ofcom might
disagree, and appealing that disagreement would likely involve further
legal expenses. So, what is the risk that Ofcom would decide to try to
impose fines or other regulatory penalties on us?

For the time being, services like ours do not appear to be Ofcom’s priority.
Currently, according to our legal sources, the focus appears to be file and
image hosts that are at high risk of being used to transmit sexually-explicit
depictions of minors. IRC has been used as a way to facilitate piracy, but
those days are generally in the past thanks to more attractive options. Even
if they weren’t, using Libera.Chat for this purpose is risky. We prefer to
exercise the minimum power necessary to keep the network clean, but that
doesn’t mean we don’t have the tools necessary to proactively stop the network
from being used for piracy or CSAM distribution.

We have also been reassured that Ofcom is very likely to contact us with
concerns before attempting any sort of action against us. There are some
classes of concerns that we would certainly be willing to hear out,
and we do prefer a constructive approach to problem resolution where possible.
We’re confident that there isn’t anything for them to be reasonably
concerned about, but we are willing to engage with good-faith reports of
potential abuse of our service.

Will Libera.Chat ever require my ID?

We have no plans to require users to provide us with proof of identity
and will take every reasonable measure to avoid requiring it.
The justification for us to compromise the privacy of our users
given the content we forbid on Libera.Chat is not adequate,
and the risk of material harm should an identity verification mechanism
compromise our users’ privacy far outweighs the plausible harms caused by
not having such a system. Such violations of privacy aren’t hypothetical;
another chat platform recently was affected by a data breach that potentially
exposed the legal identities of tens of thousands of its users.

That said, it’s conceivable that legislation will be created that could apply
to us and could force us to identify or spy on our users.
If that happens, we will evaluate our options once drafts of such legislation
reach a point where they can conceivably pass. Until then, we hope that the
general public will remain vocally opposed to such attempts at overreach.
Popular opposition
stalled Chat Control earlier this month.
There will probably always be efforts to compromise the free internet,
but their success is not inevitable.