Govt’s online safety expectations target encryption

Denham Sadler
National Affairs Editor

Big Tech firms will be required to take “reasonable” steps to address unlawful or harmful content on their encrypted services under the federal government’s draft online safety expectations.

Following the passage of the Online Safety Act, which comes into effect from 23 January next year, the government will introduce the Basic Online Safety Expectations (BOSE) for large social media firms such as Facebook.

The BOSE comprises core and additional expectations for these companies related to cyber-bullying of children, cyber-abuse of adults and unlawful and harmful digital content, with new reporting requirements and fines for a lack of compliance.

Under the expectations, the eSafety Commissioner will be able to request reports from the tech firms on their compliance with the expectations, and can issue fines of up to $555,000 if they don’t respond. The Commissioner can also publicly name the Big Tech firms that don’t comply with the expectations.

Big Tech firms will be required to take action against emerging risks such as “volumetric attacks” involving “digital lynch mobs” that target individuals with abuse.

“We will always fight to protect all Australians, but especially children, from online harm and we expect big tech to step up and deliver on these expectations,” Communications Minister Paul Fletcher said.

Communications Minister Paul Fletcher with eSafety Commissioner Julie Inman Grant (right)

The BOSE include an expectation that the social media firms take reasonable steps in regards to encrypted services, including to take “reasonable steps to develop and implement processes to detect and address material or activity on the service that is or may be unlawful or harmful”.

The federal government has been targeting encrypted communications services for several years, with the passing of the highly controversial Assistance and Access Act in late 2018. The BOSE measure appears directly targeted at Facebook, with the company owning encrypted messaging app WhatsApp and having plans to make end-to-end encryption default across all of its messaging services by next year.

An additional expectation around anonymous accounts is also being considered in the BOSE, such as a requirement to prevent the same person repeatedly using anonymous accounts to target individuals, and even requiring verification of identity to create an account.

The BOSE include that social media firms have to take “reasonable steps to ensure users are able to use the service in a safe manner” by “proactively minimising the extent to which material or activity on the service is, or may be, unlawful or harmful”.

“Generally, service providers that can demonstrate they have the necessary capabilities, skills, processes, systems and scalable solutions to proactively detect and respond to online harms occurring on their service would likely meet these expectations,” the draft BOSE said.

Social media companies are also being asked to cooperate with each other on the safe use of their platforms, including working together to detect high-volume, cross-platform attacks and sharing information on unlawful or harmful content.

Along with taking reasonable steps to minimise the provision of material such as cyber-bullying of children, cyber-abuse of adults and non-consensual intimate images, the companies will also have to prevent access by children to class 2 material such as that rated as R18+.

This could be done through the use of technology to prevent the accessing of this content, or through age assurance mechanisms and child safety risk assessments.

Users should also be able to access clear and readily identifiable mechanisms to report and make complaints about material online, information about a platform’s terms of use and guidance on making a complaint to the eSafety Commissioner.

Big Tech firms will be required to keep information on reports and complaints received for at least five years under the new rules, and will be given 30 days to provide a report to the Commissioner once it is requested. A specific individual will also have to be designated by the tech firms to act as the contact person for actions under the Online Safety Act.

The eSafety Commission will be able to ask for information regarding compliance with the BOSE, periodic reports on decisions made under it and to issue civil penalties for a lack of compliance. The Commissioner will also have the power to make public statements about the performance of the big tech firms under the BOSE.

“It is intended that the expectations, reporting to the commissioner and public statements will provide much needed transparency about the level of harm occurring on services used by Australians and help to drive improvements in online safety practices by industry,” the expectations said.

The government is accepting submissions on the BOSE until 15 October.

Do you know more? Contact James Riley via Email.

Leave a Comment

Related stories