It’s worth making whatever kind of submission you can manage for this. The page even specifically notes: “Due to the short timeframe of this inquiry, the committee would appreciate submissions being limited to 1-2 pages.”
This bill will affect all users of social media in Australia, and may have a particularly negative effect on Fediverse platforms (like Lemmy and Mastodon) which are operated by individuals or small organisations that may not have the resources to implement age verification.
Here is my submission - please feel free to edit it and make your own based on it…
My rather long submission
For the reasons set out below, I believe that the bill, as it currently stands, would be a significant net negative for all Australians. In my submission, I will set out some more effective alternatives. I would strongly urge the committee to reject this bill in its present form.
Here are some problems with the bill:
Negative impact on children The bill would prevent children from being able to use many services that form a positive part of their life and education.
While the bill inserts ss63C (6)©, which provides for specific services to be exempted by regulation, there are two problems: 1. It requires individual services to be exempted, not entire classes of services. This means that it is not a scalable solution for new and emerging services; if anything, it would create an anti-competitive moat around larger services. 2. Without significant exemptions provided under regulations, the liberties of children will be significantly restricted, and so certain exemptions should be legislated rather than being left for regulation.
Examples of positive content that could be captured includes educational applications, educational games for children that include player interactions, and email applications.
This problem could be partly ameliorated by exempting the following classes of services in the bill: 1. Any service which has rules, enforced by moderators or content scanning technology, that all content posted must be appropriate for children. 2. Any service for which a purpose is education or the exchange of factual information.
Another problem is that the target of the bill is ‘having accounts’. There is no provision for the fact that there may be different features between accounts. For example, consider a digital newspaper service that allows for accounts for children, which can read the news, and accounts for adults, which can additionally comment socially on the news and read the comments of others (effectively, a modern continuation of the long-standing tradition of letters to the editor). This implementation would be no different for children than if the social features didn’t exist; however, the bill, as written, does not recognise that different accounts may have different access. Ambiguity will drive chilling effects The bill is very ambiguous in its effects. As a new bill, there would be no relevant case law. When coupled with a large civil penalty, the likely effect is that providers, especially smaller ones, will err on the side of caution, having a chilling effect on the Australian Internet industry. For example: The bill inserts section 63C(1)(a), which provides a series of sub-subclauses i-iv, separated by semicolons. After the last of these semicolon separated clauses, the word “or” appears. It is therefore ambiguous as to whether age-restricted social media platform means a service that meets either subclause 63C(1)(b), or ALL of subclauses 63©(1)(a)(i) to 63©(1)(a)(iv), or if it is an age-restricted social media platform if it meets any one of 63©(1)(a)(i), (ii), (iii), (iv) or 63©(1)(b). Another major source of ambiguity is the usage of the term “a significant purpose”. There is no guidance provided as to what criteria should be applied for assessing if a purpose is significant. In addition, the bill uses the language “reasonable steps to prevent” without defining what steps are, or are not reasonable. Negative privacy impact on all Internet users The bill would have a profound negative impact on privacy on the Internet for all users. Given the lack of clarity over what “reasonable steps” are, it is likely that providers could, out of an abundance of caution, interpret it to mean requiring users to upload a copy of an identity document, possibly coupled with facial recognition technologies. While the bill inserts section 63F and purports that this will protect privacy, this provision is unlikely to offer meaningful privacy protection. There is an exemption for when the information is disclosed “with the consent of the individual”. However, there is nothing preventing service providers from making that consent a condition of accessing their service. They would argue that consent is voluntary (users can just not use the service), informed, specific and unambiguous (they could explain this term) and current (they could allow revocation of consent, with revocation of access to the service as a consequence). The power imbalance between large services and users is heavily skewed in favour of the service; they are often gatekeepers to key aspects of people’s social and professional lives due to network effects. I am sure service providers would like nothing more than to be able to link people to their real identities, so as to track them across sites for more targeted advertising. The reason most (apart from Facebook) do not demand proof of identity now is because it would create friction and reduce conversions for them. However, if they are required to create this friction anyway, from their perspective they might as well use the information, and so would use their unequal bargaining power to get the consent they need. An additional problem is that this would normalise providing highly sensitive information such as identity documents to sites that do nothing more than provide minor social networking features. This would increase the credibility of malicious overseas sites asking for such documents, and allow them to then use those documents for fraud (hence undermining counter-terrorism financing and anti-money laundering protections). Furthermore, it would increase the risk of data breaches impacting Australians. Regulated industry participants, such as Medibank and Telstra, have been forced to collect sensitive identity information, and this has directly impacted the privacy of many Australians. Extending the need to collect sensitive information to a much wider group of Internet services would drastically increase the scope of this problem. If the committee does make the ill-advised decision to continue with this bill, one way to mitigate the effects would be as follows: 1. The federal government should adequately fund the creation of an online age verification service. 2. The service should allow members of the public to verify their identity, free of charge, and obtain a short-lived token (with no persistent unique person identifier attached) containing a cryptographically signed attestation that their age is higher than a set number (which must be 21 or lower). 3. The service should allow for age verification tokens to be either displayed on screen, or sent automatically on to a site (without a requirement that the site register, agree to terms or pay a fee) - so that the user is not obliged to reveal the sites they are using to the government, nor reveal their identity to the service. 4. The usage of the service (including the option to paste in a valid token) should be required for age-restricted services, so that they have no incentive to require the uploading of an identity document. Negative impact on new market players The bill, as written, would entrench a significant competitive advantage to larger players, harming competition. Providing proof of identity is an action that is high friction, and requires significant trust. The net effect of this is that it would create a barrier to entry to new players, who have not yet built up a base of trust. Users might be willing to, for example, play a game with social features, and create a pseudonymous account on it, but the stakes are so much higher if they have to upload a copy of their passport or drivers licence. This would have a substantial chilling effect on the creation of new services targeting Australian users. This impact would be even more profound for non-commercial services (for example, fediverse services, games created by hobbyists, and community information and social networking services), who typically do not have the budgets to invest in creating identify verification technologies, or paying a fee per verification. There is already far too much consolidation towards a few big players due to network effects, and this has a negative impact on society, and allows those players to implement algorithmic decisions that have an outsized impact on society; these businesses often optimise over what is best for their revenues, rather than what is best for society. Many of the problems of harm to children that this bill is attempting to solve are actually a consequence of consolidation, and this bill will make the problem worse. An alternative: Increase investment in education A much better alternative to the bill would be to increase investment in reaching and educating children and parents on safe online interaction. This could include educating parents not to allow children to have unsupervised device access, and education on critical thinking with regard to content on the Internet. An alternative: Require metadata on social media Another alternative approach, which would complement the above, would be to simply require that social media features be identifiable by machines through the inclusion of appropriate metadata (in accordance with a standard to be set by regulation). This would allow parents to install parent control applications which read the metadata and block access to sites at the client in accordance with policies set by parents or caregivers.
A well thought out and considered response. And thank you for sharing.
I eventually chopped down my response to:
🖕
Yo, kind sir/ma’am are doing gods work. Such an epic and well reasoned submission.