The eSafety Commissioner of Australia, Julie Inman Grant, has proposed draft industry standards under the Online Safety Act that read similarly to the UK Online Safety Bill and the EU Commission's Chat Control proposal. The aim of the proposed standards is to detect, remove, disrupt and deter known child sexual abuse material (CSAM) and pro-terror material "where technically feasible" - very similar wording has been used in the UK Online Safety Bill. This new regulation comes only years after the Australian surveillance bill of 2021, which already gives the authorities a lot of power to request data.
While eSafety regulator Inman Grant has stressed that the proposal "does not advocate building in weaknesses or back doors to undermine privacy and security on end-to-end encrypted services", the threat is imminent.
The Australian proposal does not include any specific safeguards for end-to-end encrypted services. It is highly likely that Australia will try to force encrypted services to undermine the security and privacy of their services in order to comply.
Contrary to the goals of the Australian eSafety standards, this will leave everyone less safe online.
That's why we, together with Mozilla, the Tor Project, Fight for the Future and many other companies, organizations and individuals, are going to send an open letter to the Australian eSafety Regulator demanding the protection of privacy and security of Internet users, which ultimately includes secure end-to-end encryption.
The letter is open for individuals as well: Sign on now!
There's also a public consultation on the eSafety proposal open until December 21st, so go ahead and make your voice heard!
Dear Commissioner Inman Grant,
We the undersigned organisations and individuals urge you to protect the privacy and security of communications and cloud file storage for internet users.
We acknowledge the severity of harm caused by the dissemination of child sexual abuse material (CSAM) and other forms of illegal content, and we support strong regulation to ensure platform accountability, the empowerment of users as well as the protection of their rights and safety. It is essential that governments, with the support of industry, take effective steps to regulate the spread of illegal content. It is also essential that such approaches do not also disproportionately lead to the creation and exacerbation of other harms, and adopt best practices in international policy making.
The eSafety Commissioner has proposed two draft industry standards under the Online Safety Act. Taken together, these standards apply to a broad range of services that people use every day including email, text and instant messaging, video communications, online gaming, dating services, and online file storage. In a context in which cybersecurity risks are rising, the safety, rights, and wellbeing of individuals and communities rely on the digital security and the privacy of these services.
Both draft standards include a range of proactive detection obligations on digital services to scan content in order to detect, remove, disrupt and deter CSAM and ‘pro-terror’ content. There are no specific safeguards for end-to-end encrypted services that people rely on for privacy and safety, as content on such platforms cannot be accessed by any third party, including the service provider, at any stage of the communication/storage process. Hashing and artificial intelligence technologies are specifically referenced to detect and remove objectionable content. Such approaches, when deployed on a device, are commonly referred to as ‘client side scanning.’ These methods have been widely criticised by privacy and security researchers, digital rights advocacy organisations and human rights groups around the world. Internet safety advocates and child rights groups have emphasised the importance of looking at other methods to enhance online safety for children and minimise the dissemination of CSAM, and how encryption works to protect the rights of children. Scanning technologies are deeply flawed because they: have questionable effectiveness; contain a high risk of false positives; increase vulnerabilities to security threats and attack – thereby weakening online safety for all users – and enable the ability to expand use of such systems to scan other categories of content in the future.
The eSafety Commissioner has publicly stated that it supports privacy and security, and does not advocate building in weaknesses or back doors to undermine end-to-end encrypted services. But client-side scanning fundamentally undermines encryption’s promise and principle of private and secure communications and personal file storage. We urge the Commissioner against creating standards that would force encrypted services to implement such scanning measures as they would create an unreasonable and disproportionate risk of harm to individuals and communities.
Australia is a leader in the field of online safety policy making, and this position comes with responsibility in shaping the norms and direction of international internet governance and regulation. Proceeding with the standards as drafted would signal to other countries that online safety is somehow counterposed to privacy and security, when the opposite is true.
We strongly urge the eSafety Commissioner to amend the proposed industry standards to ensure the protection of privacy and security, and urge the Australian Government to commit to the ongoing protection and strengthening of encryption, privacy and digital security.
Africa Media and Information Technology Initiative (AfriMITI)
Blueprint for Free Speech
Center for Democracy and Technology
Centro Latinoamericano de Investigaciones Sobre Internet (CLISI)
Digital Rights Watch
Fight for the Future
Hello Code Pty Ltd
Internet Freedom Foundation
Internet Society Ghana
The Ruffle Technology Company
The Tor Project
and over 350 individual signers