Expect more web regulation after Apple’s photo move

Opinion: When I started in tech journalism more than a decade ago in 2010, I revealed that the federal government was considering introducing metadata retention. The changes meant select data about Australians’ web histories would be stored and logged for two years.

The controversial laws were shelved by Labor when it was in power but eventually, after a change of government and a further push by law enforcement, a bill was passed in 2015. The wedge needed to push a hesitant Labor opposition into supporting them was the December 2014’s Lindt Cafe siege in Sydney’s CBD.

“Your chances that your data will be viewed by law enforcement is low,” AFP Assistant Commissioner Tim Morris said at the time. “Those with nothing to hide have nothing to fear.”

This was despite law enforcements agencies making more than 300,000 applications for our metadata each year, without a warrant.

Since then, we’ve seen Canberra, at the request of police, spy agencies and intellectual property rights holders, chip away at the lack of regulation of multiple internet technologies.

This has included requiring assistance to pry open encrypted smart devices or scrambled messages; blocking of websites to do with pirated movies or music; restricting access to Interpol’s “worst of the worst” list via a then relatively unused telecommunications law (sub-section 313 of the telco act), to a present debate on critical infrastructure and whether the government should be given the power to allow its spy agencies to take control of computer networks of companies it deems manage such infrastructure (in the event of a cyber intrusion or to defend against one).

A separate bill currently before Parliament would give more powers to federal police and the Australian Criminal Intelligence Commission to access computers and networks of those suspected of conducting criminal activity online. This has prompted concerns about innocent people who might get swept up in it and a perceived lack of proper judicial oversight.

As part of the new ‘Identify and Disrupt’ bill, new network activity warrants would allow authorities to hack into devices and networks of groups of individuals suspected of taking part in criminal activity online when their identities are not known. A new warrant would also allow the disruption of data through modification and deletion “to frustrate the commission of serious offences”, and new account takeover warrants would also be introduced.

Amid all this, we’ve also seen multiple cases of abuse of data by law enforcement. The check-in apps each state has been using during the COVID pandemic? Queensland thought it’d be a great idea to use that data to investigate a reported theft of an officer’s gun and Taser from a regional pub despite assurances it would only be used for contact tracing purposes.

Where there’s data, the temptation by third parties to access it will always be there.

The same state government also used metadata to access the private information of cadets to determine whether they were sleeping with one another or faking sick days.

Queensland – I’m not sure what it is about this state and privacy – was also among the first to start taking advantage of the data trail left behind by smart public transport travel cards, not just to find criminals, but to track down witnesses of crimes who may not necessarily wish to talk.

Back in 1997, former US president Bill Clinton said the internet “should be a place where government makes every effort … not to stand in the way, to do no harm”. But he hastened to add that “a hands-off approach to electronic commerce must not mean indifference when it comes to raising and protecting children.”

This brings me to Apple’s latest move – to identify photos uploaded to its online storage service iCloud that match against known child abuse imagery.

It has all the hallmarks of being a smartly designed technology and does seem to have been created with some privacy mechanisms in mind. For example, it uses a “hashing” algorithm of known abuse material to identify imagery on people’s accounts and will only then alert Apple reviewers when an undisclosed threshold of images is reached.

But it rightly has privacy advocates worried about what could come next. What starts off as a technology trained to search for a “worst of the worst” list of images could soon become used to search for other types of content stored on people’s phones. Another feature allows parents to have naked or sexually explicit imagery blurred on a child’s phones.

“All it would take to widen the narrow backdoor that Apple is building is an expansion of the machine learning parameters to look for additional types of content, or a tweak of the configuration flags to scan, not just children’s, but anyone’s accounts,” the Electronic Frontiers Foundation wrote. “That’s not a slippery slope; that’s a fully built system just waiting for external pressure to make the slightest change.”

Apple says it will reject government advances, but laws are laws.

Scope creep seems to be one of the main concerns often raised by privacy advocates, but one which is frequently ignored by politicians, rarely addressed properly in legislation and often relegated to explanatory memorandums that describe a bill and its “intention”.

One example of website blocking scope creep is Australia’s tertiary regulator, which is now seeking telcos to restrict access to a site allegedly used by students for cheating. Blocking now also extends to “illegal” online gambling sites. Since the ACMA made its first blocking request in November 2019, 263 illegal gambling websites have been blocked.

What I think all of this signals is that we’re entering a new age of the internet where further regulation will become commonplace, and corporations will be leaned on by governments to enact new policies rather than governments necessarily creating new laws to force change.

We have seen this already with YouTube, Twitter and Facebook enacting bans following the spread of misinformation and online conspiracies. Rather than following laws, the companies are attempting to meet community and government standards and expectations. It’s voluntary regulation without new laws.

Mostly, I think changes that encroach more on an individual’s privacy will become accepted, especially if convenience continues to be a priority over privacy.

But will users boycott Apple over its latest photo move? Probably not. Until trust is broken or there’s a further erosion of their privacy, they won’t. But by then it might be too late.

Do you know more? Contact James Riley via Email.

Leave a Comment

Related stories