EFA’s Open Letter: Reconsider Industry Standards for RES and DIS Codes

The below open letter was written by EFA chair John Pane to Australia’s eSafety Commissioner about the proposed Online Industry Standards for Relevant Electronic Services (‘RES’) and Designated Internet Service (‘DIS’) Codes.

Background
The Board and membership of EFA are strongly concerned about elements of the proposed Industry Standards for RES and DIS Codes. In particular we are deeply worried by the potential for undermining the privacy, safety and security of encrypted communications and cloud file storage for internet users.

EFA acknowledges the severity of harm caused by the dissemination of child sexual abuse material (‘CSAM’), pro-terror material and other forms of illegal content. We support strong regulation to ensure platform accountability, the empowerment of users as well as the protection of digital privacy and other human rights, welfare, security and safety for all individuals.

EFA Response
EFA recognizes that it is essential for governments, with the support of industry, to take effective steps to regulate the spread of illegal content. It is also equally essential that such regulatory approaches do not disproportionately and unnecessarily lead to the creation and exacerbation of other serious societal and individual harms at the expense of our inherent human and digital rights. Such an outcome would create a surveillance state which treats all online users as ‘suspects first’ and not citizens with inherent human and digital rights. Further, it would make a trusted, safe and secure online environment untrustworthy, unsafe and vulnerable to both bad actors and further regulatory overreach.

The eSafety Commissioner has proposed two draft Industry Standards under the Online Safety Act (Cth) 2021. Taken together, these standards apply to a broad range of services that people use every day including email, text and instant messaging, video communications, online gaming, dating services, and online file storage.

Undermining of Privacy Enhancing Technology

In a context in which cybersecurity risks are continually increasing, our privacy laws remain inadequate and not fit for purpose by not keeping pace with technology.

The proposed Industry Standards are Orwellian both by design and in effect. The safety, rights and wellbeing of individuals, communities and their willingness to engage in digital services all depend on the security and privacy capabilities provided by online service providers, of which end-to-end encryption – a “Privacy Enhancing Technology” – is a key foundational capability.

Undermining this capability increases the risk of harm, diminishes trust in online service providers, disproportionately impacts vulnerable user groups and can be incredibly detrimental to the digital economy and peoples’ participation therein.

Both of the draft Industry Standards include a range of proactive detection obligations on digital service providers to scan content in order to detect, remove, disrupt and deter CSAM and ‘pro-terror’ content. There are no specific safeguards for end-to-end encrypted services that people rely on for security, privacy and safety, as content on such platforms cannot be accessed by any third party, including the service provider, at any stage of the communication/storage process. This degree of privacy, safety and security is fundamental to individuals trusting both the platform and service provider.

Client Side Scanning and Use of Artificial Intelligence

The draft Industry Standards specifically reference the use of artificial intelligence technologies to detect and remove objectionable or unlawful content. Such approaches, when deployed on a device, are commonly referred to as ‘client side scanning.’ These methods have been widely criticised by privacy and security researchers, digital rights advocacy organisations and human rights groups around the world. (See, for example, this open letter in response to the EU’s proposed Child Sexual Abuse Regulation, signed by over 450 scientists and researchers: 

Client side scanning technologies remain deeply flawed because they: have questionable effectiveness; contain a high risk of false positives; increase vulnerabilities to security threats and attack – thereby weakening online safety for all users – and enable the government or regulator of the day to expand use of such systems to scan other categories of content in the future.

Internet safety advocates and child rights groups have emphasised the importance of looking at other methods to enhance online safety for children and minimise the dissemination of CSAM, and how encryption works to protect the rights of children.

EFA is strongly supportive of this position.

Inconsistent Positioning on Client Side Scanning

The eSafety Commissioner has publicly stated that it supports privacy and security, and does not advocate building in weaknesses or back doors to undermine end-to-end encrypted services. 

But client-side scanning fundamentally undermines encryption’s promise and principle of private and secure communications and personal file storage. When considering the specific language concerning the obligation for client side scanning in the two Industry Standards, the position taken by the eSafety Commissioner seems both contradictory and a non sequitur.

EFA’s Request

EFA and its members strongly urge the eSafety Commissioner against creating standards that would force certain encrypted service providers to implement such scanning measures as they would create an unreasonable and disproportionate risk of harm to all individuals and communities who participate in these on-line services. It effectively treats all citizens as suspects and diminishes the integrity and trustworthiness of multiple digital ecosystems.

Australia is a leader in the field of online safety policy making, and this position comes with responsibility in shaping the norms and direction of international internet governance and regulation. Proceeding with the two Industry Standards as drafted would signal to other countries that online safety is somehow counterposed to privacy and security, when the opposite is true. Privacy and online safety are not zero sum propositions.

EFA’s Recommendations

EFA strongly supports global efforts to prevent and reduce the dissemination of CSAM and pro-terror material. However, the track record of this approach shows it has not had the success predicted and erodes the privacy, safety and security of the broader population and potentially also vulnerable sub-populations. 

EFA considers that other holistic approaches and methodologies outside of technology driven solutions must be pursued first. This includes:

  • More CSAM research
  • Acting on existing research that calls for easier reporting as a priority
  • Ensuring that any attempt to reduce dissemination of CSAM and pro-terror material must not minimise awareness of the circumstances in which the content is created and released online
  • Providing greater education to the public, especially for parents and children
  • Introducing well designed regulation for platforms operating in the digital adult entertainment industry which promote material termed as “teen”, “barely legal” or “young” or host similarly themed live streaming services.
  • Ensuring future regulatory obligations for online platforms include requirements to have sufficient resourcing and tooling to identify CSAM and pro-terror material and report it to relevant legal authorities.

To ensure the continued privacy, safety and security of the entire Australian online community and that online services remain trustworthy we strongly urge the eSafety Commissioner to amend the two proposed Industry Standards by removing any express or implied obligation to undertake client side scanning or circumvent end to end encryption in online services. We further urge the Australian Government to openly commit to world leading practices for the ongoing protection and strengthening of encryption, privacy and digital security for all Australian citizens.

Yours sincerely,

John Pane
Chair
Electronic Frontiers Australia

Support EFA’s call: Scrap client-side scanning, champion end-to-end encryption, and demand Australia leads in global privacy and security standards
