figured this might be interesting... I run just over 300 forums, for a monthly audience of 275k active users. most of this is on Linode instances and Hetzner instances, a couple of the larger fora go via Cloudflare, but the rest just hits the server.
and it's all being shut down.
the UK Online Safety Act creates a massive liability, and whilst at first glance the risk seems low the reality is that moderating people usually provokes ire from those people, if we had to moderate them because they were a threat to the community then they are usually the kind of people who get angry.
in 28 years of running forums, as a result of moderation I've had people try to get the domain revoked, fake copyright notices, death threats, stalkers (IRL and online)... as a forum moderator you are known, and you are a target, and the Online Safety Act creates a weapon that can be used against you. the risk is no longer hypothetical, so even if I got lawyers involved to be compliant I'd still have the liability and risk.
in over 28 years I've run close to 500 fora in total, and they've changed so many lives.
I created them to provide a way for those without families to build families, to catch the waifs and strays, and to try to hold back loneliness, depression, and the risk of isolation and suicide... and it worked, it still works.
but on 17th March 2025 it will become too much, no longer tenable, the personal liability and risks too significant.
I guess I'm just the first to name a date, and now we'll watch many small communities slowly shutter.
the Online Safety Act was supposed to hold big tech to account, but in fact they're the only ones who will be able to comply... it consolidates more on those platforms.
https://www.ofcom.org.uk/siteassets/resources/documents/onli...
It amounts to your basic terms of service. It means that you'll need to moderate your forums, and prove that you have a policy for moderation. (basically what all decent forums do anyway) The crucial thing is that you need to record that you've done it, and reassessed it. and prove "you understand the 17 priority areas"
Its similar for what a trustee of a small charity is supposed to do each year for its due diligence.
Argentina has had nearly 100 years of decline, Japan is onto its third lost decade. The only other party in the UK that has a chance of being elected (because of the voting system) is lead by someone who thinks sandwiches are not real [1]. It's entirely possible the UK doesn't become a serious country in our lifetimes.
[1] https://www.politico.eu/article/uk-tory-leader-sandwiches-no...
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A...
2. This Regulation does not apply to the processing of personal data: (c) by a natural person in the course of a purely personal or household activity;
They mention especially in their CSAM discussion that, in practice, a lot of that stuff ends up being distributed by smallish operators, by intention or by negligence—so if your policy goal is to deter it, you have to be able to spank those operators too. [0]
> In response to feedback, we have expanded the scope of our CSAM hash-matching measure to capture smaller file hosting and file storage services, which are at particularly high risk of being used to distribute CSAM.
Surely we can all think of web properties that have gone to seed (and spam) after they outlive their usefulness to their creators.
I wonder how much actual “turnover” something like 4chan turns over, and how they would respond to the threat of a 10% fine vs an £18mm one…
[0] https://www.ofcom.org.uk/online-safety/illegal-and-harmful-c...
Orgs are already fleeing LSEG for deeper capital markets in the US.
A cycling site with 275k MAU would be in the very lowest category where compliance is things like 'having a content moderation function to review and assess suspected illegal content'. So having a report button.
The US Supreme Court disagrees. https://www.dentons.com/en/insights/articles/2024/july/3/-/m...
> Read the regs and you can absolutely see how complying with them to allow for banana peeling could become prohibitively costly. But the debate of whether they are pro-fruit or anti-fruit misses the point. If daycares end up serving bags of chips instead of bananas, that’s the impact they’ve had. Maybe you could blame all sorts of folks for misinterpreting the regs, or applying them too strictly, or maybe you couldn’t. It doesn’t matter. This happens all the time in government, where policy makers and policy enforcers insist that the negative effects of the words they write don’t matter because that’s not how they intended them.
> I’m sorry, but they do matter. In fact, the impact – separate from the intent – is all that really matters.
[0] https://www.eatingpolicy.com/p/stop-telling-constituents-the...
I think most of the examples fit this, but a few don't.
So what do you do to entertain children? Use what you have. Dunk them on the internet via YouTube first and then let them free range because you’re tired and can’t give a fuck anymore.
^1 https://abcnews.go.com/amp/GMA/Family/mom-arrested-after-son... ^2 https://www.aol.com/news/2015-12-03-woman-gets-arrested-for-...
https://www.enforcementtracker.com/
They're only cataloging the (2500+) publicly known ones, most of which have a link to a news article. As an example: some guy in Croatia emailed a couple websites he thought might be interested in his marketing services, and provided a working opt-out link in his cold emails. One of them reported the email to the Italian Data Protection Authority who then put him through an international investigation and fined him 5000 euro.
"Assuming here that the reasons expressed in the aforementioned document have been fully recalled, [individual] was charged with violating articles 5, par. 1, letter a), 6, par. 1, letter a) of the Regulation and art. 130 of the Code, since the sending of promotional communications via e-mail was found to have been carried out without the consent of the interested parties. Therefore, it is believed that - based on the set of elements indicated above - the administrative sanction of payment of a sum of €5,000.00 (five thousand) equal to 0.025% of the maximum statutory sanction of €20 million should be applied."
I've heard it called "law of unintended consequences" and "cobra effect".
When intentional, this is Regulatory Capture. Per https://www.investopedia.com/terms/r/regulatory-capture.asp :
> Regulation inherently tends to raise the cost of entry into a regulated market because new entrants have to bear not just the costs of entering the market but also of complying with the regulations. Oftentimes regulations explicitly impose barriers to entry, such as licenses, permits, and certificates of need, without which one may not legally operate in a market or industry. Incumbent firms may even receive legacy consideration by regulators, meaning that only new entrants are subject to certain regulations.
A system with no regulation can be equally bad for consumers, though; there's a fine line between too little and too much regulation. The devil, as always, is in the details.
HOWEVER: I'm not sure how you would get access to the CSAM hash database if you're were starting a new online image hosting service.
The requirements to sign up for IWF (the defacto UK CSAM database) membership are:
- be legally registered organisations trading for more than 12 months;
- be publicly listed on their country registration database;
- have more than 2 full-time unrelated employees;
- and demonstrate they have appropriate data security systems and processes in place.
Cloudflare have a free[1] one but you have to be a Cloudflare customer.
Am I missing something, or does this make it very difficult to start up a public facing service from scratch?
From the linked document above: "You need to keep a record of each illegal content risk assessment you carry out", "service providers may fully review their risk assessment (for example, as a matter of course every year)"
And links to a guidance document on reviewing the risk assessment[1] which says: "As a minimum, we consider that service providers should undertake a compliance review once a year".
[1] https://www.ofcom.org.uk/siteassets/resources/documents/onli...
You have to keep accounts if a business even if not incorporated. A company has to keep accounts if it has any assets (e.g. a domain) or any financial transactions (e.g. paying for hosting)
You will also probably have to file a tax return. You have to keep a register of shareholders.
In fact if definitely not making a profit a standard ltd might be simpler (or maybe a company limited by guarantee) then a CIC as all a CIC does it add restrictions and extra regulation https://assets.publishing.service.gov.uk/media/5a7b800640f0b...
tl;dr: This is a myth.
There is no incentive to the consumer to purchase a vehicle with worse fuel economy.
There USED to be an incentive, 30-40 years ago.
It is not 1985 anymore.
The gas guzzler tax covers a range of fuel economies from 12.5 to 22.5 mpg.
It is practically impossible to design a car that gets less than 22.5 mpg.
The Dodge Challenger SRT Demon 170, with an 6.2 L 8 cylinder engine making ONE THOUSAND AND TWENTY FIVE horsepower is officially rated for 13 mpg but that's bullshit, it's Dodge juicing the numbers just so buyers can say "I paid fifty-four hundred bucks gas guzzler tax BAYBEE" and in real-world usage the Demon 170 is getting 25 mpg. Other examples of cars that cannot achieve 22.5 mpg are the BMW M2/M3/M4/M8, the Cadillac CT5, high-performance sports sedans for which the gas guzzler tax is a <5% price increase. ($5400 is 5% of the Demon 170 price, but 2-3% of what dealers are actually charging for it.)
The three most popular vehicles by sales volume in the United States are: 1. The Ford F-150, 2. The Chevy Silverado, and 3. The Dodge Ram 1500.
The most popular engine configuration for these vehicles is the ~3L V6. Not a V8. A V6.
Less than 1/4th of all pickup trucks are sold equipped with a V8.
According to fueleconomy.gov every single Ford, Chevrolet, and Ram full-size pickup with a V6 would pay no gas guzzler tax.
Most V8s would be close, perhaps an ECU flash away, to paying no gas guzzler tax. The only pickups that would qualify for a gas guzzler tax are the high-performance models-- single-digit percentages of the overall sales volume and at those prices the gas guzzler tax would not even factor into a buyer's decision.
People buy trucks, SUVs, and compact SUVs because they want them and can afford them.
Not because auto manufacturers phased out cars due to fuel economy standards. Not because consumers were "tricked" or "coerced". And certainly not because "the gubmint" messed things up.
They buy them because they WANT them.
The Toyota RAV4 is the 4th most popular car in the US. The Corolla is the 13th most popular. They are built on the same platform and dimensionally, the Corolla is actually very slightly larger except for height. They both come with the same general ballpark choices in engines. The gas guzzler tax only applies to the Corolla, but that doesn't matter because they both would be exempt. People don't freely choose the RAV4 over the Corolla because of fuel economy they buy it because the Corolla has 13 cubic feet of cargo capacity and the RAV4 has 70 cubic feet.
And before anyone says that the gas guzzler tax made passenger cars more expensive, passenger cars can be purchased for the same price adjusted for inflation they could be 50 years ago, but people don't want a Mitsubishi Mirage, which is the same price as a vintage VW Beetle (perennial cheapest new car from the 1960s) and better in every quantifiable metric, they want an SUV.
What may be true is that there is a national policy to keep fuel prices as low as possible, for a myriad of reasons, with one side effect of that policy being that it has enabled people to buy larger less fuel-efficient cars.
I do not believe it is auto manufacturers who are pushing for this policy. I believe it is the freight and logistic market. The auto market is valued at $4 billion, the freight and logistics market is $1,300 billion. GM and Ford are insignificant specks compared to the diesel and gasoline consumers of the freight and logistics firms (who have several powerful lobbies).
https://www.thetruthaboutcars.com/2017/08/v8-market-share-ju...
https://www.irs.gov/pub/irs-pdf/f6197.pdf (gas guzzler worksheet)
https://developers.cloudflare.com/cache/reference/csam-scann...
It seems that some people are convinced that the benefits of having strangers interact with each other are not worth the costs. I certainly disagree.
That wasn't the one I was thinking of, to be honest.
I'd have thought you would be mentioning the latest ball of WTF: "Online Safety Amendment (Social Media Minimum Age) Bill 2024".
According to the bill, HN needs to identify all Australian users to prevent under-16's from using it.
https://www.aph.gov.au/Parliamentary_Business/Bills_Legislat...
Sketchy large employers like G4S responded by setting up tens of thousands of "Mini umbrella companies" [1] with directors in the Philippines, each company employing only a handful of people - allowing G4S to benefit from the £4,000 discount tens of thousands of times.
Sadly, exempting small operations from regulation isn't a simple matter.
He was recently interviewed about that book on the New Books Network:
<https://newbooksnetwork.com/michael-g-vann-the-great-hanoi-r...>
Audio: <https://traffic.megaphone.fm/LIT1560680456.mp3> (mp3)
(Episode begins at 1:30.)
Among the interesting revelations: the rat problem was concentrated in the French Quarter of Hanoi, as that's where the sewerage system was developed. What drained away filth also provided an express subway for rats. Which had been brought to Vietnam by steamship-powered trade, for what it's worth.
(That's only a few minutes into the interview. The whole episode is great listening, and includes a few details on the Freakonomics experience.)
In particular, Merton notes:
Discovery of latent functions represents significant increments in sociological knowledge .... It is precisely the latent functions of a practice or belief which are not common knowledge, for these are unintended and generally unrecognized social and psychological consequences.
Robert K. Merton, "Manifest and Latent Functions", in Wesley Longhofer, Daniel Winchester (eds) Social Theory Re-Wired, Routledge (2016).
<https://www.worldcat.org/title/social-theory-re-wired-new-co...>
More on Merton:
<https://en.wikipedia.org/wiki/Robert_K._Merton#Unanticipated...>
Unintended consequences:
<https://en.wikipedia.org/wiki/Unintended_consequences#Robert...>
Manifest and latent functions:
<https://en.wikipedia.org/wiki/Manifest_and_latent_functions_...>
You need to do a risk assessment and keep a copy. Depending on how risky things are, you need to put more mitigations in place.
If you have a neighbourhood events thing that people can post to, and you haven't had complaints and generally keep an eye out for misuse, that's it.
If you run a large scale chat room for kids with suicidal thoughts where unvetted adults can talk to them in DMs you're going to have a higher set of mitigations and things in place.
Scale is important, but it's not the only determining factor. An example of low risk for suicide harm is
> A large vertical search service specialised in travel searches, including for flights and hotels. It has around 10 million monthly UK users. It uses recommender systems, including for suggesting destinations. It has a basic user reporting system. There has never been any evidence or suggestion of illegal suicide content appearing in search results, and the provider can see no way in which this could ever happen. Even though it is a large service, the provider concludes it has negligible or no risk for the encouraging or assisting suicide offence
An example for high risk of grooming is
> A social media site has over 10 million monthly UK users. It allows direct messaging and has network expansion prompts. The terms of service say the service is only for people aged 16 and over. As well as a content reporting system, the service allows users to report and block other users. While in theory only those aged 16 and over are allowed to use the service, it does not use highly effective age assurance and it is known to be used by younger children. While the service has received few reports from users of grooming, external expert organisations have highlighted that it is known to be used for grooming. It has been named in various police cases and in a prominent newspaper investigation about grooming. The provider concludes the service is high risk for grooming
Then you will see that a forum that allows user generated content, and isn't proactively moderated (approval prior to publishing, which would never work for even a small moderately busy forum of 50 people chatting)... will fall under "All Services" and "Multi-Risk Services".
This means I would be required to do all the following:
1. Individual accountable for illegal content safety duties and reporting and complaints duties
2. Written statements of responsibilities
3. Internal monitoring and assurance
4. Tracking evidence of new and increasing illegal harm
5. Code of conduct regarding protection of users from illegal harm
6. Compliance training
7. Having a content moderation function to review and assess suspected illegal content
8. Having a content moderation function that allows for the swift take down of illegal content
9. Setting internal content policies
10. Provision of materials to volunteers
11. (Probably this because of file attachments) Using hash matching to detect and remove CSAM
12. (Probably this, but could implement Google Safe Browser) Detecting and removing content matching listed CSAM URLs
...
the list goes on.
It is technical work, extra time, the inability to not constantly be on-call when I'm on vacation, the need for extra volunteers, training materials for volunteers, appeals processes for moderation (in addition to the flak one already receives for moderating), somehow removing accounts of proscribed organisations (who has this list, and how would I know if an account is affiliated?), etc, etc.
Bear in mind I am a sole volunteer, and that I have a challenging and very enjoyable day job that is actually my primary focus.
Running the forums is an extra-curricular volunteer thing, it's a thing that I do for the good it does... I don't do it for the "fun" of learning how to become a compliance officer, and to spend my evenings implementing what I know will be technically flawed efforts to scan for CSAM, and then involve time correcting those mistakes.
I really do not think I am throwing the baby out with the bathwater, but I did stay awake last night dwelling on that very question, as the decision wasn't easily taken and I'm not at ease with it, it was a hard choice, but I believe it's the right one for what I can give to it... I've given over 28 years, there's a time to say that it's enough, the chilling effect of this legislation has changed the nature of what I was working on, and I don't accept these new conditions.
The vast majority of the risk can be realised by a single disgruntled user on a VPN from who knows where posting a lot of abuse material when I happen to not be paying attention (travelling for work and focusing on IRL things)... and then the consequences and liability comes. This isn't risk I'm in control of, that can be easily mitigated, the effort required is high, and everyone here knows you cannot solve social issues with technical solutions.
A forum that isn't proactively monitored (approval before publishing) is in the "Multi-Risk service" category (see page 77 of that link), and the "kinds of illegal harm" include things as obvious as "users encountering CSAM" and as nebulous as "users encountering Hate".
Does no-one recall Slashdot and the https://en.wikipedia.org/wiki/Gay_Nigger_Association_of_Amer... trolls? Such activity would make the site owner liable under this law.
You might glibly reply that we should moderate, take it down, etc... but we, is me... a single individual who likes to go hiking off-grid for a vacation and to look at stars at night. There are enough times when I could not respond in the timely way to moderate things.
This is what I mean by the Act providing a weapon to disgruntled users, trolls, those who have been moderated... a service providing user generated content in a user to user environment can trivially be weaponised, and it will be a very short amount of time before it happens.
Forum invasions by 4chan and others make this extremely obvious.
> What may be true is that there is a national policy to keep fuel prices as low as possible, for a myriad of reasons, with one side effect of that policy being that it has enabled people to buy larger less fuel-efficient cars.
Yes. Americans have always had cheap fuel and it's shaped the entire society around it.
But: https://www.inf.ed.ac.uk/teaching/courses/seoc2/1996_1997/ad...
Any bureaucracy evolves, ultimately, to serve and protect itself. So the populist boss snips at the easy, but actually useful parts: Social safety nets, environmental regulations, etc. Whereas the core bureaucracy, the one that should really be snipped, has gotten so good at protecting itself that it remains untouchable. So in the end the percentage of useless administratium is actually up, and the government, as a whole, still bloated but even less functional. Just another "unintended consequences" example.
We'll see if Argentina can do better than this.
Not true: Section 179 [0]. Luxury auto manufacturers are well-aware of this [1] and advertise it as a benefit. YouTube et al. are also littered with videos of people discussing how they're saving $X on some luxury vehicle.
> Not because consumers were "tricked" or "coerced". ... They buy them because they WANT them.
To be fair, they only want them because they've been made into extremely comfortable daily drivers. Anyone who's driven a truck from the 90s or earlier can attest that they were not designed with comfort in mind. They were utilitarian, with minimal passenger seating even with Crew Cab configurations. At some point – and I have no idea if this was driven by demand or not – trucks became, well, nice. I had a 2010 Honda Ridgeline until a few weeks ago, which is among the un-truck-iest of trucks, since it's unibody. That also means it's extremely comfortable, seats 5 with ease, and can still do what most people need a truck to do: carry bulky items home from Lowe's / Home Depot. Even in the 2010 model, it had niceties like heated seats. I just replaced it last week with a 2025 Ridgeline, and the new one is astonishingly nicer. Heated and ventilated seats, seat position memory, Android Auto / Apple CarPlay, adaptive cruise control, etc.
That's also not to say that modern trucks haven't progressed in their utility. A Ford F-350 from my youth could pull 20,000 lbs. on a gooseneck in the right configuration. The 2025 model can pull 40,000 lbs., and will do it in quiet luxury, getting better fuel economy.
[0]: https://www.irs.gov/publications/p946#idm140048254261728
https://www.ofcom.org.uk/online-safety/illegal-and-harmful-c...
So, I fully understand why someone would rather shut down their site rather than potentially deal with the legal fallout. Even if the end result is "just getting shut down", that will come after a significant amount of legal troubles, and likely money spent dealing with them.
> 1. Individual accountable for illegal content safety duties and reporting and complaints duties
> 2. Written statements of responsibilities
> 3. Internal monitoring and assurance
> 4. Tracking evidence of new and increasing illegal harm
> 5. Code of conduct regarding protection of users from illegal harm
> 6. Compliance training
> 7. Having a content moderation function to review and assess suspected illegal content
> 8. Having a content moderation function that allows for the swift take down of illegal content
> 9. Setting internal content policies
> 10. Provision of materials to volunteers
> 11. (Probably this because of file attachments) Using hash matching to detect and remove CSAM
> 12. (Probably this, but could implement Google Safe Browser) Detecting and removing content matching listed CSAM URLs
> ...
> the list goes on.
https://projects.fivethirtyeight.com/polls/favorability/dona...
Apparently this isn't:
"Just seven electric-vehicle charging stations have begun operating with funding from a $5-billion US government program created in 2021, marking “pathetic” progress, a Democratic senator said on Wednesday."
https://nypost.com/2024/06/05/business/democratic-senator-bl...
First, #2, #4, #5, #6, #9, and #10 only apply to sites that have more than 7 000 000 monthly active UK users or are "multi-risk". Multi-risk means being at medium to high risk in at least two different categories of illegal/harmful content.
If the site has been operating a long time and has not had a problem with illegal/harmful content it is probably going to be low risk. There's a publication about risk levels here [1].
For the sake of argument though let's assume it is multi-risk.
#1 means having someone who has to explain and justify to top management what the site is doing to comply. It sounds like in the present case the person who would be handling compliance is also the person who is top management, so not really much to do here.
#2 means written statements saying which senior managers are responsible for the various things needed for compliance. For a site without a lot of different people working on it this means writing maybe a few sentences.
#3 is not applicable. It only applies to services that are large (more than 7 000 000 active monthly UK users) and are multi-risk.
#4 means keeping track of evidence of new or increasing illegal content and informing top management. Evidence can come from your normal processing, like dealing with complaints, moderation, and referrals from law enforcement.
Basically, keep some logs and stats and look for trends, and if any are spotted bring it up with top management. This doesn't sound hard.
#5 You have to have something that sets the standards and expectations for the people who will dealing with all this. This shouldn't be difficult to produce.
#6 When you hire people to work on or run your service you need to train them to do it in accord with your approach to complying with the law. This does not apply to people who are volunteers.
#7 and #8 These cover what you should do when you become aware of suspected illegal content. For the most part I'd expect sites could handle it like the handle legal content that violates the site's rules (e.g., spam or off-topic posts).
#9 You need a policy that states what is allowed on the service and what is not. This does not seem to be a difficult requirement.
#10 You have to give volunteer moderators access to materials that let them actually do the job.
#11 This only applies to (1) services with more than 7 000 000 monthly active UK users that have at least a medium risk of image-based CSAM, or (2) services with a high risk of image-based CSAM that either have at least 700 000 monthly active UK users or are a "file-storage and file-sharing service".
A "file-storage and file-sharing service" is:
> A service whose primary functionalities involve enabling users to:
> a) store digital content, including images and videos, on the cloud or dedicated server(s); and
> b) share access to that content through the provision of links (such as unique URLs or hyperlinks) that lead directly to the content for the purpose of enabling other users to encounter or interact with the content.
#12 Similar to #11, but without the "file-storage and file-sharing service" part, so only applicable if you have at least 700 000 monthly active UK users and are at a high risk of CSAM URLs or have at least 7 000 000 montly active UK users and at least a medium risk of SCAN URLs.
[1] https://www.ofcom.org.uk/siteassets/resources/documents/onli...
https://wiki.archiveteam.org/index.php/ArchiveBot https://wiki.archiveteam.org/index.php/Wikibot
Those that do whist not seeking financial gain are impacted the most.
Regulatory capture. https://en.wikipedia.org/wiki/Regulatory_capture
My dude, I’m sorry to tell you, but the problem usually is law enforcement. For so many things. You try barely training people who already like beating people up and then give them a monopoly on legal violence.
Btw, the reason the cops were invented in Britain was to put down riots by the populace bc they were so poor[1], and in America it was to divide poor whites and poor blacks and turn the poor whites into slave catchers.[2]
[1] https://novaramedia.com/2020/06/20/why-does-the-police-exist...
[2] https://www.npr.org/2020/06/13/876628302/the-history-of-poli...
There is no choice over number of users.`
Where exactly is this note on size?
Reading the document you gave there seems to be no saying that below a number of users there is no risk or even low risk. There is the paragraph "There are comprehensive systems and processes in place, or other factors which sufficiently reduce risks of this kind of illegal harm to users, and your evidence shows they are very effective. Even if taking all relevant measures in Ofcom’s Codes of Practice, this may not always be sufficient to mean your service is low risk"
Which implies that you must have comprehensive systems and processes in place - what exactly are these systems and their requirements? What happens if the site owner is ill for a week and isn't logged on?
https://russ.garrett.co.uk/2024/12/17/online-safety-act-guid... has a more comprehensive translation into more normal English.
You will need to assess the risk of people seeing something from one of those categories (for speciality forms, mostly low), think about algorithms showing it to users (again for forums thats pretty simple) Then have a mechanism to allow people to report offending content.
Taking proportionate steps to stop people posting stuff in the first place (pretty much the same as spam controls, and then banning offenders)
The perhaps harder part is allowing people to complain about take downs, but then adding a subforum for that is almost certainly proportionate[1].
[1] untested law, so not a guarantee
For comparison imagine there was a new law against SQL Injection. Competent forum operators are already guarding against SQL Injection because they don't want to be owned by hackers. But they likely are not writing down a document explaining how they guard against it. If they were required to make a document which writes down "all SQL data updates are handled by Django's ORM" they might then think "would OfCom think this was enough? Maybe we should add that we keep Django up to date ... actually we're running an 18 months old version, let's sign up to Django's release mailing list, decide to stay within 3-6 months of stable version, and add a git commit hook which greps for imports of SQL libraries so we can check that we don't update data any other way". They are already acting against SQL injection but this imaginary law requires them to make it a proper formal procedure not an ad-hoc thing.
> "What does good forum op record keeping look like?"
Good forum operators already don't want their forums to become crime cesspits because that will ruin the experience for the target users and will add work and risk for themselves. So they will already have guards against bot signups, guards against free open image hosting, guards against leaking user private and personal information. They will have guards against bad behaviour such as passive moderation where users can flag and report objectionable content, or active moderation where mods read along and intervene. If they want to guard against moderators power tripping, they will have logs of moderation activities such as editing post content, banning accounts. There will be web server logs, CMS / admin tool logs, which will show signups, views, edits. They will likely have activity graphs and alerts if something suddenly becomes highly popular or spikes bandwidth use so they can look what's going on. If they contact the authorities there may be email or call logs of that contact, there will be mod messages records from users, likely not all in one place. If a forum is for people dealing with debt and bankruptcy they might have guards against financial scams targetting users of their service such as a sticky post warning users, a banned words list for common scam terms - second hand sales site https://www.gumtree.com has a box of 'safety tips' prominently on the right warning about common scams.
Larger competent forums with multiple paid (or volunteer) employees would likely already have some of this formalised and centralised just to make it possible to work with as a team, and for employment purposes (training, firing, guarding against rogue employees, complying with existing privacy and safety regulations).
Yes I think the new law will require forum operators to do more. I don't think it's unreasonable to require forum operators once a year to consider "is your forum at particular risk of people grooming children, inciting terrorism, scamming users, etc? If your site is a risk, what are you doing to lower the chance of it happening, and increase the chance of it being detected? And can you show OfCom that you actually are considering these things and putting relevant guards in place?".
(Whether the potiential fines and the vagueness/clarity are appropriate is a separate thing).