InnovationAus

eSafety proposal faces pushback over encryption risk

Tech giants and privacy groups have rallied against a proposal to force companies to scan cloud and messaging services for illegal and harmful content in Australia, arguing for changes to protect encryption.

The calls are contained in some of the 50 submissions received by the Office of the eSafety Commissioner during its consultation on the binding standards for designated internet services (DIS) and relevant electronic services (RES).

The standards, which are being developed in the place of industry codes rejected last year, will require digital platforms to scan for child sexual abuse material (CSAM) on file and photo storage services, email services and some partially encrypted messaging services.

Apple has already warned the standards represent a “dangerous global precedent” that could undermine security as there is no explicit assurance that it will not be required to build backdoors into end-to-end encrypted services.

While eSafety has said it will not require systematic vulnerabilities or weaknesses, this assurance is not reflected in the draft standards, leading to concerns from other tech companies, industry associations and privacy groups in submissions released on Thursday.

The Digital Industry Group (DIGI) in its submission said the standards should include explicit safeguards for encryption that reflect industry codes and laws like the Assistance and Access Act, a recommendation also included in separate statements from its members Google and Meta.

DIGI and Google are also calling for amendments to allow providers to take “reasonable” steps, as in the industry codes and Basic Online Safety Expectations (BOSE), given issues with the concept of ‘technical feasibility’.

“A system, process or technology may be ‘technically feasible’, and may also be effective in ‘achieving the objective of the standard’, but for other legitimate reasons may not be reasonable or appropriate to implement for a particular service,” Google said in its submission.

Technical feasibility issues are also different for ephemeral and other emerging online experiences, according to a submission from Meta, which is concerned that the definition included in the standards “only refers to financial considerations”.

“We have concerns that the draft standards may impose obligations, and thus penalties, on service providers that are not technically feasible, including but not limited to encrypted services, new and emerging services and generative artificial intelligence,” Meta said.

Google also said that “unless the standards allow for greater flexibility in how a provider may design its systems, there is real concern that innovation would be stymied, and the ultimate design will not strike the best balance for the safety, security and privacy of its users”.

Similar concerns about the lack of safeguards for end-to-end encryption are also held by Electronic Frontiers Australia (EFA), which described the proposed standards as “Orwellian by design and effect”.

“The safety, rights and wellbeing of individuals and communities and their willingness to engage in digital services all depend on the security and privacy capabilities provided by online service providers, of which end to end encryption… is a key foundational capability,” the submission said.

“Undermining this capability increases the risk of harm, diminishes trust in on-line service providers, disproportionately impacts vulnerable user groups and can be incredibly detrimental to the digital economy and peoples’ participation therein.”

EFA said that even without building weaknesses or vulnerabilities, client-side scanning technologies – which by themselves are “deeply flawed” – “fundamentally undermines encryption’s promise and the principle of private and secure communications and personal file storage”.

Digital Rights Watch in a submission similarly said that as the standards currently read, companies will be incentivised to “minimise or undermine their application of encryption, or to implement technologies and processes that undermine the aim of encryption”.

The privacy group is also concerned that automated detection of CSAM and pro-terror material is “extremely difficult” on its own and would “require significant more invasive methods to determine context”.

Google separately said that while it is possible to detect with a “high degree of confidence known CSAM”, known pro-terror content is without a globally accepted definition and is therefore “context dependent”.

“Given existing limitations, we urge eSafety to limit the requirement to detect and remove ‘known pro-terror’ only in those services where content is hosted publicly or is widely distributed or shared,” it said.

Microsoft shared similar concerns in its submission, saying that there is a “risk of over-removal of certain content”, arguing that some material held in cloud storage could be for research or journalistic reasons, with no intent to cause harm.

In response to the submissions, eSafety said it is “closely considering this feedback and any potential amendments that could provide greater clarity to industry participants”, noting that the process was the result of the industry’s decision to “not provide appropriate community safeguards”.

“We recognise these standards will apply to broad industry categories covering a range of services and that they will require differing approaches to detecting and removing illegal content such as CSAM.”

“To that end, the draft standards proposed a technical feasibility exemption for certain obligations. Where exemptions are applied, the draft standards would require providers to take appropriate alternative action.”

A final version of the standards is expected to be tabled for consideration by Parliament later this year.
