Privacy concerns with scanning apps for illicit content

Attempts to tackle child sexual abuse material and pro-terror content could do more harm than good, tech organisations and rights activists warn.

Australia's e-safety commissioner has outlined measures in a draft paper for online safety standards, including a requirement for digital services to scan for such material to remove, disrupt and deter it.

Internet browser developer Mozilla and the privacy-focused Tor Project are among more than 40 groups that co-signed a letter voicing concerns over the proposed measures.

Signatories of the letter released on Wednesday agree illegal content must be regulated, but say these "client-side" scanning approaches do not offer safeguards for end-to-end encrypted services that are specifically used for their privacy and safety benefits.

"Client-side scanning fundamentally undermines encryption's promise and principle of private and secure communications and personal file storage," the letter said.

Scanning could introduce surveillance of emails and texts, messages and video communications, gaming, dating services and online storage on apps like iMessage, WhatsApp, Signal, some parts of Skype and Telegram.

"Proceeding with the standards as drafted would signal to other countries that online safety is somehow counterposed to privacy and security."

Among the co-ordinators of the letter is Australian non-profit Digital Rights Watch, whose head of policy Samantha Floreani says these measures allow for the monitoring of material that might otherwise never leave a user's device.

"(This) pushes the reach of surveillance across the boundary between what is shared and what is private," she said.

"Because this would happen at a population level, it creates dangerous capability for mass monitoring and surveillance."

Client-side scanning has questionable effectiveness and poses a significant risk of false positives, the letter said, while weakening online safety by increasing vulnerability to security threats for all users.

"Scanning technologies are deeply flawed," the letter stated.

The eSafety Commissioner released a statement about these concerns on Tuesday, claiming it does not expect companies to break end-to-end encryption and there is no such requirement in the draft standards.

But Ms Floreani says these sentiments are not reflected in the paper.

"We are calling for that intention to be clearly stated in the legal instrument to better protect the privacy, security and ultimately the safety of all internet users," she said.

The eSafety Commissioner also said other practical methods could enable companies with encrypted services to reduce risk, like scanning non-encrypted elements such as names and pictures on profiles and group chats.