Encryption

These safety standards lack safeguards: Australia must protect encryption

To protect the privacy and security of people in Australia, the eSafety Commissioner must amend the new draft industry standards. Through an open letter, Access Now, Digital Rights Watch, and the GEC Steering Committee, along with over 600 signatories, are urging the Commissioner to introduce safeguards for end-to-end encrypted services in the recently published Online Safety Codes.

Access Now strongly cautions against the proposed mandate for proactive detection and removal of content, commonly called “client-side scanning,” on messaging and cloud services in the recently released drafts for Relevant Electronic Services Standard and Designated Internet Services Standard under the Online Safety Act. These measures would result in indiscriminate surveillance and render encrypted platforms incapable of fulfilling their promise of privacy and security.

Encryption is the most powerful defence people have against rising surveillance, cyberattacks, and data breaches. Undermining encryption in Australia violates people’s rights and leads to more harm than good. The text in Australia’s online draft industry standards that allow proactive detection or ‘client-side scanning’ dangerously enables generalised surveillance. It will effectively erode encryption, a crucial tool for privacy, safety, and free expression, on which people in Australia and around the globe rely. Namrata Maheshwari, Asia Pacific Policy Counsel at Access Now

Client-side scanning technologies are deeply-flawed, violate individual privacy and security, and have been criticised internationally by researchers. By undermining encryption, such measures, which have questionable effectiveness, also cause harm, including for those that the standards seek to protect

Obligations to proactively scan private content on personal devices and cloud also contravene the pro-privacy goals reflected in the ongoing review of Australia’s Privacy Act 1988 and Australian government’s response to the Attorney General’s Department (AGD) Privacy Act Review Report.

Australia’s draft standards on online safety slam the door on the government’s attempt at demonstrating global privacy leadership and reforming surveillance laws. Australian authorities cannot claim to protect the rights of people while also proposing an instrument that actively undermines cybersecurity by threatening encryption. Raman Jit Singh Chima, Asia-Pacific Policy Director at Access Now

The eSafety Commissioner’s office must honour their statement to safeguard privacy and digital safety by incorporating categorical protections for end-to-end encrypted services. The Online Safety Act must not enforce a one-size-fits-all approach without consideration for the security offered by encrypted services and what it means for people in Australia, and beyond.