The Australian government is currently considering draft online safety standards that threaten to undermine the use of end-to-end encryption, putting security and privacy of Internet users at greater risk.
The eSafety Commissioner has proposed two draft industry standards under the Online Safety Act. Both draft standards include a range of proactive detection obligations on digital services to scan content in order to detect, remove, disrupt and deter illegal content. However, as these standards have no specific safeguards for end-to-end encrypted services that people rely on for privacy and safety, end-to-end encrypted services will be forced to undermine the security and privacy of their services in order to comply. Contrary to the goals of the standards, this will leave everyone less safe online.
The Australian online safety codes must ensure the protection of privacy and security of Internet users, and the use of end-to-end encrypted services.
Join the Steering Global Encryption Coalition Steering Committee (The Center for Democracy & Technology, Global Partners Digital, the Internet Freedom Foundation, the Internet Society, and Mozilla), Access Now, and Digital Rights Watch in calling on the eSafety Commissioner to protect the privacy and safety of all users by protecting end-to-end encrypted services.
Dear Commissioner Inman Grant,
We the undersigned organisations and individuals urge you to protect the privacy and security of communications and cloud file storage for internet users.
We acknowledge the severity of harm caused by the dissemination of child sexual abuse material (CSAM) and other forms of illegal content, and we support strong regulation to ensure platform accountability, the empowerment of users as well as the protection of their rights and safety. It is essential that governments, with the support of industry, take effective steps to regulate the spread of illegal content. It is also essential that such approaches do not also disproportionately lead to the creation and exacerbation of other harms, and adopt best practices in international policy making.
The eSafety Commissioner has proposed two draft industry standards (1) under the Online Safety Act. Taken together, these standards apply to a broad range of services that people use every day including email, text and instant messaging, video communications, online gaming, dating services, and online file storage. In a context in which cybersecurity risks are rising, the safety, rights, and wellbeing of individuals and communities rely on the digital security and the privacy of these services.
Both draft standards include a range of proactive detection obligations on digital services to scan content in order to detect, remove, disrupt and deter CSAM and ‘pro-terror’ content. There are no specific safeguards for end-to-end encrypted services that people rely on for privacy and safety, as content on such platforms cannot be accessed by any third party, including the service provider, at any stage of the communication/storage process. Hashing and artificial intelligence technologies are specifically referenced to detect and remove objectionable content. Such approaches, when deployed on a device, are commonly referred to as ‘client side scanning.’ These methods have been widely criticised by privacy and security researchers, digital rights advocacy organisations and human rights groups around the world. (2) Internet safety advocates and child rights groups have emphasised the importance of looking at other methods to enhance online safety for children and minimise the dissemination of CSAM, and how encryption works to protect the rights of children. (3) Scanning technologies are deeply flawed because they: have questionable effectiveness; contain a high risk of false positives; increase vulnerabilities to security threats and attack – thereby weakening online safety for all users – and enable the ability to expand use of such systems to scan other categories of content in the future. (4)
The eSafety Commissioner has publicly stated that it supports privacy and security, and does not advocate building in weaknesses or back doors to undermine end-to-end encrypted services. (5) But client-side scanning fundamentally undermines encryption’s promise and principle of private and secure communications and personal file storage. We urge the Commissioner against creating standards that would force encrypted services to implement such scanning measures as they would create an unreasonable and disproportionate risk of harm to individuals and communities.
Australia is a leader in the field of online safety policy making, and this position comes with responsibility in shaping the norms and direction of international internet governance and regulation. Proceeding with the standards as drafted would signal to other countries that online safety is somehow counterposed to privacy and security, when the opposite is true.
We strongly urge the eSafety Commissioner to amend the proposed industry standards to ensure the protection of privacy and security, and urge the Australian Government to commit to the ongoing protection and strengthening of encryption, privacy and digital security.
1) See two draft industry standards: https://www.esafety.gov.au/industry/codes/standards-consultation
2) See, for example, this open letter in response to the EU’s proposed Child Sexual Abuse Regulation, signed by over 450 scientists and researchers: https://docs.google.com/document/d/13Aeex72MtFBjKhExRTooVMWN9TC-pbH-5LEaAbMF91Y/edit
3) See, for example, ‘Privacy and Protection: A children’s rights approach to encryption,’ Child Rights International Network, 19 January 2023, which concludes technologies including client-side scanning is akin to breaking encryption by compromising its aims, and points to other underutilised safety mechanisms such as user reporting, https://home.crin.org/readlistenwatch/stories/privacy-and-protection; and ‘Chat Control or Child Protection?’ Ross Anderson, Foundation for Information Policy Research, October 2022 which notes alternative methods to tech solutionism to enhance safety, https://www.cl.cam.ac.uk/~rja14/Papers/chatcontrol.pdf.
4) For further detail on the risks of client side scanning see: ‘Fact Sheet: Client-Side Scanning’, Internet Society 24 March 2020, https://www.internetsociety.org/resources/doc/2020/fact-sheet-client-side-scanning/; and ‘Bugs in our Pockets: The Risks of Client-Side Scanning,’ 14 October 2021, https://arxiv.org/abs/2110.07450.
5) See ‘Updated Position Statement: End-to-end encryption ,’ October 2023 https://www.esafety.gov.au/sites/default/files/2023-10/End-to-end-encryption-position-statement-oct2023.pdf; and ‘Australia releases new online safety standards to tackle terror and child sexual abuse content,’ The Guardian, 20 November 2023, https://www.theguardian.com/australia-news/2023/nov/20/australia-esafety-standards-new-2023-targets-child-content-terrorism-detection.
Sincerely,
The undersigned organizations and individuals
Organizations
Access Now
Africa Media and Information Technology Initiative (AfriMITI)
ARTICLE 19 Assembly Four
Associação Portuguesa para a Promoção da Segurança da Informação (AP2SI)
Betapersei SC
Blueprint for Free Speech
Center for Democracy and Technology
Centro Latinoamericano de Investigaciones Sobre Internet (CLISI)
Digital Rights Watch
eclectic.engineering P/L
Electronic Frontiers Australia
Fabiano Law Firm
Fight for the Future
Fusion Party Australia
Global Partners Digital
Hello Code Pty Ltd
Internet Association of Australia
Internet Australia (Internet Society of Australia)
Internet Freedom Foundation
Internet Society
Internet Society Ghana
Interpeer Project
IT-Pol Denmark
JCA-NET(Japan)
LGBT Technology Partnership
Mozilla
NAPWHA
Open Rights Group
OPTF
Privacy & Access Council of Canada
Proton
Seraf Inc.
Signal
Signal Labs
Superbloom (previously known as Simply Secure)
The Ruffle Technology Company
The Sizzle
The Tor Project Tuta
Individuals
Affiliations listed for identification purposes only
Romney Adams
Zafer Saeed A Ahmad
Michael Airey
Shane Alderton
Pat Allan
Jamie Allen
Toby Allen
Shereen Almagzoub
Robert Amos
Leroy Anderson
brian anderson
Thomas Anderson
Matt Andrews
Ambrose Andrews
Sherry Armstrong
Tommaso Armstrong
Reginald Ashman
Michael Astle
Daniel Axtens
Jade B
Ramon Baba
Katherine Back
nicola badran
Melanie Bakewell
Veronica Ball
Paora Balzer
Nic Barbaro
Marcus Barczak
Jason Barker
Chris Barry
Hamish Bassett
Lyn Barwick
Alana Becker
Stuart Begg
Bradley Bell
Toni Bentley
Michel Bergeron
Jordan Bertasso
Benjamin Beshara
Fares Bessrour
Stuart Biggs
Christopher Biggs
Michelle Black
Adam Blackhall
David Blackwell
Julie Blackwell
Cees Boekel
Oliver Boermans
Luke Boner
Matthew Boniface
Andrew Bonte
Pieter Bos
Sarah Botham
Constantine Bourlioufas
Jarah Bowman
Nicholas Boyle
Sean Boys
Marcie Breen
Philip Briggs
han broekman
Gregor Brown
John Brown
Alannah Brown
Vin Brown
Damion Brown
Sam Buckberry
Jon Burdach
Rollin Burford
Phil Burg
Donald Burgess
Richard Burke
Julianna Burke
Sam Burnett
Adrian Burns
Brodie Burns-williamson
Angela Cadwallen
Peter Caffin
Carlos Calero
Evan Cameron
John Cameron
Leigh Carey
Michael Carino
Madeline Carlier
Clancy Carr
Jayden Carslake
Georgina Carson
Graham Castles
Matthew Cengia
Travis Charlton
Paul Cheshire
Sishoon Chow
James Clark
Aidan Clarke, Principle DevOps Evangelist, Atlassian
Brady Clarke
Denise Clarke
Tim Cleaver
Jake Cleland
Daniel Clibborn
Phillip Cochrane
Garth Coghlan
Trevor Collins
Josephine Colson, Head of Marketing, Cremorne Digital Hub
Adrian Cook
Greg Cooper
Steel Cooper
Erica Corr
Sean Corrigan
Lachlan Costigan
Tavishe Coulson
Neill Cox
Rob Craig
Andrew Crane
Petar Crnomarkovic
Brian Crowley
Owen Curteis
James Cutler
Adam D’Alessandro
Simon Daigle
Andreas Dalman
Maria Dancuk
Bruce Davie, co-founder and publisher, Systems Approach, LLC
Shaun deans
Stephen Dedman
Mark Delany
Quincy Denham
Marcus Denny
Andrew Dent
Nakul Deshmukh
Deon Deszcz
Mark Devenish
Marco Di Leo
Andy Do
Rebecca Dominguez
Mark Dorset
Kim Dowling
Iain Dowling
Andrew Downing
Nick Doyle
wojtek dr
Craig Drewer
Darcy Driscoll, Software Engineer, Professionals Australia
Gareth Dunstone
Peter Dutch
Odin Dutton
Tim Edwards
Megan Edwards
Alex Egan
Steve Evans
Elisa Ewer
Ryan Fearnall
zev feldman
Matt Fenn
Edoardo Ferrero
John Ferrero
Lucas Ficarra
Mathew Fidge
Ben Finney
Samantha Floreani
Tara Force
Linda Ford
joseph frawley
Chris Fredericks
Nick Freeland
Neville Fryar
Nancy Gabauer
Josh Gardner
Charles Gascoigne
Stephen Gentle
Darren Gibbs
Beau Gieskens, Software Engineer
Christopher Giffard
Kevin Gil
Evan Gilbert
wayne gipters dj
Chery Gladman
Callum Glennen
Matthew Godfrey
Hollie Goik
Daniel Gomes
Jason Goroncy
Jarrah Gosbell
Daniel Govier
Nathan Grant
Angus Gratton
Aaron Graves
Taylor Greig
Matthew Gretton
Michael Grey
Joao Grilo
Nick Grundy
Michał Grygierzec
Jon H
Robin Haeusler
David Geoffrey Hall
Mark Halliwell
Damian Halloran
Simon Handfield
Mark Hansen
Tracy Hawes
Brad Hayes
Ric Hayman
Paige Headington
Virginia Heal
James Hebden
Natalie Hendry
Nicholas Henry
Mark Henry
Menno Hess
adrian hewitt
Adam Hickey
Ben Hickleton
Brendan Hidetake
Allen Higginbottom
Andrew Hill
Christopher Hocking
Lindsay-Leigh Hocking
Joshua Hodkinson
Stephan Holle
Lindsay Holmwood
Michael Honey
O Hooper
Kevin Hsueh
Robert Hudson
Baden Hughes
Scott Humphries
Allan Hunt
Dirk Hunter
Michael Hurren
John Hussey
Mark Hutton
Patrik Hyytiäinen
Sam Ibrahim
Steven Impson
Jett Jackson
Alexandra James
Trevor Jenke
Joshua Jennings
Mark Johnson
Jerrie Johnston
Jacob Johnston
Martin Jones
Nivin Jose
Rowan K
Kaan Karaoglu
Tace Kelly
mark kerr
Dave Kerr
Monique Kerr
Alex Kesik
Alex Keynes
Garth Kidd
Marian Kiely
Stephen King
Brayden King
Nazar Kirama
Amy Kirwan
Mariusz Klochowicz
Matthew Kobayashi
Thea Koutsoukis
Luke Kowald
Nathan Kowald
Sebastian Krapf
Matthew Krins, Cyber Security Teacher, Box Hill Institute
Erin Kruck
Michael kruck
Neville Kruck
Rod Kruse
Myles Kunzli
Henry L
Bob Lacey
Angus Ladyman-Palmer
Basil Lambert
Kim Langer
Wendy Langer
Sean Lanigan
Robin Lao
Paul Latoszek
Chun Ming Lau
Mark Lauer
Jon Lawrence
Jamie Le
River Leah
Arron Lee
Ryan Lester
Ben Lever
Peter Lewis
Peter Lieverdink
Dylan Lindgren
Eric Lindsay
Kate Linton
Hugo Lisiecki
Grant Lockwood
John Logan
Chris Lovell
Alma Lucas
Robert Lugton
Simone Lymbery
Tamara Macadam
Sean Mackedie
Keelan Macpherson
Mary Macrae
Peter Maddox
Robert Madell
Darren Major
James Man
Diana Mangion
Trevor March
Tim Marriage
Debra Marriott
Kara Martin
Tom Marwick
Michelle Masterd
John Mautz
David Mazzei
Robert McAlavey
Laurie McAnulty
Joseph McCrossin
Caitlin McGrane
Jamie McGuire
Gregory McIntyre
Craig McIntyre
Courtney McKenzie
John McKinsey
Sam McLeod
greg mcleod
Amy McMurtrie
Dion Meade
Kim Meagher
Vincent Mellor
Mathias Ménard
Eli Mendez
Chris Menz
Dale Miller
Owen Miller
Joseph Miller
Eddie Miller
James Milne
Charles Mok
Dee Mooney-Pursell
Lily Moor
DAmien Moore
Jason Moore
Jake Moore
Wesley Moore
Tahnee Moore
Bradley Morgan
Patrick Morgan
Alice Morgan
Jeremie Moroney
David Morrell
James Morris
Nicolas Mulder
Kieran Murphy
James Murty
Thomas Nash
Chris Naunton
Noely Neate
Anais Nedermeijer
Lavender Neesham
Chris Neilson
Mark Newton
Ronald Ng
Daniel Nicholls
Toby Nieboer
Earanee Niedzwiecki
Chris Nilsson
Igor Nikitin
Adrian Noblett
Jacqueline Norris-Burnett
Peter Nunn
Nicola Nye
Dylan O’Brien
Marni O’Connell
Daniel O’Connor
Daniel O’Connor
Nicholas O’Dwyer
Naomi O’Sullivan
Fiona O’Connor
Tim O’Keefe
Eric O’Nyme
Alphonce Odhiambo
Martin Oliver
Rebecca Oyomopito
Vasilisa Paderina
Luci Pangrazio
Colin Panisset
Brad Parker
James Parker
James Parkinson
keira Paterson
Tina Patterson
Natalie Pawlus
Tess Peer
Susan Pegg
Jodie Pepper
Scott Percival
Philippe Petit
Riana Pfefferkorn, Research Scholar, Stanford Internet Observatory
Christopher Phillips
Rachel Pickford
Angie Pisani
Anthony Pitt
A R Polack
Ryan Polk, Director, Internet Policy, Internet Society
John Posar
Robert Postill
Charlotte Price
Andrew Price
Leigh Price
David Price
Ed Prism
Shaun Procter
Glen Purkiss
Jackie Radisich
Sumit Rajs
Khen Ramos
Ashlea Randle
Tiago Rangel
Tim Raphael
Eric Rasmussen
Brett Raymond
Brendan Read
Olivier Rehani
J Reiman
Matt Relouw
Dove Rengger-Thorpe
Moshe Reuveni
Ben Reynolds
Michelle Richards
Elaine Richardson
Owen Richardson
Joshua Ridgway
Eamon Rist
Tina Rizza
Davide Rizzo
Ben Robbins
Matthew Roberts
David Robinson
Tom Robson
R Rohde
andrew rossiter
Igor Rozenberg
Sophie Rudolph
Stanley Ruffo
Michael Ruigrok
Simon Rumble
Greg Rush
Chris Russell
Stuart Rutherford
Andrew Sadler
Vignesh Sankaran
Fushia Saulwick
Jurgen Schaub
David Schinazi, Board Member, Internet Architecture Board
Paul Schnackenburg
Vicki Scholes
Sam Schuur
Ben Schwarz
Christopher Scopa
Julia Scott-Stevenson
Hazel Seen
Anker Segal
Alexis Shaw
Chris Shaw
Shane Short
Maddison Sideris
Lachlan Simpson
Ben Sinclair
Mike Sinclair
Tim Singleton Norton
Rob Sison
Geoffrey Skerratt
Josephine Smart
Phillip Smith
James Smith
Michael Smith
Tim Smith
Adam Smith-Platts
Simon Sonter
Eliza Sorensen
Leon Spencer
Ben Staggard
Zahra Stardust
David Stastny
Shimmy Stauber
Janet Stephan
Josh Stephens
Richard Stevenson
Jim Stewart
Brody Stockel
Michael Strasser
Michael Strasser
Iain Stubbs
Ales Sura
Luke Sutton
Katy Swain
Olek Swierczynski
Krishna Tammireddy
William Taylor
Rob Taylor
justine teernstra
Michael Terrington
Maria Terzi
Andre Thomas
Hamish Thorp
James Thurgood
Jon Tjhia
Jon Tjhia
Matt Toohey
Luke Toop
ted tottenham
Matt Trappett
Alexandre Trotel
Martha Tsakalos
Lance Turner
Nicholas Tzimos
Michael Usher
Nicky V
Thomas Van Deun
Gala Vanting
Christian Varga
Michael Velsigne
Loganaden Velvindron, Founding Member, Cyberstorm.mu
Joshua Vermeulen
Karl von Muller
Tim Walker
Kieran Wallace
Kenneth Wallace
maize wallin
Aaron Walters
Paul Warren
Justin Warren
Connor Waterbanks
Declan Watson
Chris Watt
Victoria Watts
Jason Weathered
Craig Weavers
Kayleen White
Simon Whitehead
Phil Whitehouse
Ben Whitmore
Andreas Wilhelm
Lachlan Williams
Dean Williams
Luke Williamson
James Williamson
Joshua Wilson
Ty Wilson-Brown
Joshua Withers
Withheld Withheld
Grant Withington
Greg Wodetzki
Jonathan Wood
Andrew Woodforth
Ron Woods
Sharyn Woods
Vicki Woodward
Simon Wooldridge
Trent Yarwood
Erin Young
Cédric Zeegers-Jourdain
Jackson Zhang
Lorna Zhulan
Justin Zobel