Canberra asks big tech to introduce detection capabilities in encrypted communication

The Australian government has prepared a set of draft rules that requires the likes of social media companies to adhere to if they want to provide a service down under.

While failure to comply with reporting requirements could see the provider slapped with a AU$555,000 fine, the draft rules also build in encryption-busting expectations.

Australia's eSafety Commissioner from January will have sweeping new powers afforded to her under the Online Safety Act 2020. Such powers include oversight of new set of Basic Online Safety Expectations (BOSE) that sets out a series of demands for big tech.

These expectations [PDF] will apply to service providers including social media; "relevant electronic service of any kind", such as messaging apps and games; and other designated internet services, such as websites.

Under the proposed Draft Online Safety (Basic Online Safety Expectations) Determination 2021, it is expected the provider would have to take reasonable steps to ensure safe use. This includes the "core" expectation that the provider of the service will take reasonable steps to ensure that end-users are able to use the service in a safe manner.

The provider is expected to minimise the availability of cyberbullying material targeted at an Australian child, cyber abuse material targeted at an Australian adult, a non-consensual intimate image of a person, class 1 material, material that promotes abhorrent violent conduct, material that incites abhorrent violent conduct, material that instructs in abhorrent violent conduct, and material that depicts abhorrent violent conduct.

The expectations also boast additional expectations, such as that the provider of the service will take reasonable steps to proactively minimise the extent to which material or activity on the service is or may be unlawful or harmful.

Reasonable steps that could be taken, the document said, could be through the development or implementation of processes to detect, moderate, report, and remove material or activity on the service that is or may be unlawful or harmful.

In the case of a service or a component of a service, such as an online app or game, that is used by children, the company must ensure the default privacy and safety settings are robust and set to the most restrictive level.

The draft BOSE also designate that those involved in providing the service, such as employees or contractors, are trained in, and are expected to implement and promote, online safety. The company must also continually improve safety in its tech and ensure that assessments of safety risks and impacts are undertaken, and safety review processes are implemented, throughout the design, development, deployment, and post-deployment stages for the service.

The rules, however, as currently drafted, mandate that if the service uses encryption, the provider of the service will take reasonable steps to develop and implement processes to detect and address material or activity on the service that is or may be unlawful or harmful.

See also: Apple child abuse material scanning in iOS 15 draws fire

The government also wants providers to prevent anonymous accounts from being used to deal with material, or for activity, that is or may be unlawful or harmful.

It proposes the service could have processes that prevent the same person from repeatedly using anonymous accounts to post material, or to engage in activity, that is unlawful or harmful, and introduce the requirements to verify identity or ownership of accounts.

Australia's eSafety Commissioner will have the power to order tech companies to report on how they are responding to these harms and issue fines of up to AU$555,000 for companies and AU$111,000 for individuals if they don't respond.

Also provided under the legislative instrument are expectations regarding reports and complaints.

The provider of the service will be required to have clear and readily identifiable mechanisms that enable end-users to report and make complaints about material provided on the service. The companies will be required to keep records of complaints or reports for five years.

eSafety will be backed to receive information requests from providers within 30 days around complaints it has received, removal notice compliance, and measures the provider takes to make their space safe.

The provider would also be required to appoint a designated contact for the purpose of the Act.

The Bill allows the responsible minister, currently Paul Fletcher, to determine the details of these expectations by legislative instrument. The minister may also determine that the expectations apply to specific services.

As such, the government has prepared a consultation paper [PDF] and is accepting submissions until 15 October 2021.

HERE'S MORE

Australia's eSafety and the uphill battle of regulating the ever-changing online realm

The eSafety Commissioner has defended the Online Safety Act, saying it's about protecting the vulnerable and holding the social media platforms accountable for offering a safe product, much the same way as car manufacturers and food producers are in the offline world.

eSafety says tweeting commissioner will not qualify as a formal Online Safety Act request

The Office of the eSafety Commissioner has said the Twitter dispute that the incumbent has found herself in this week is part of the advice the office provides and that tagging the commissioner will not qualify as a formal request under the new Online Safety Act.

Protecting women in the cloud: eSafety hopes the Online Safety Act will do just that

The commissioner said a lot of online abuse is rooted in misogyny and intended to silence women's voices. She hopes the new Online Safety Act will go some way to prevent such abuse.