New livestreaming legislation fails to take into account how the internet actually works


File 20190404 131404 ctpebk.jpg?ixlib=rb 1.1
The new laws could mean internet service providers could end up being forced to surveil the activities of users.
from www.shutterstock.com

Andre Oboler, La Trobe University

In response to the live streamed terror attack in New Zealand last month, new laws have just been passed by the Australian Parliament.

These laws amend the Commonwealth Criminal Code, adding two substantive new criminal offences.

Both are aimed not at terrorists but at technology companies. And how that’s done is where some of the new measures fall down.




Read more:
Livestreaming terror is abhorrent – but is more rushed legislation the answer?


The legislation was rushed through with neither consultation nor sufficient discussion.

The laws focus on abhorrent violent material, capturing the terrorist incident in New Zealand, but also online content created by a person carrying out a murder, attempted murder, torture, rape or violent kidnapping.

The laws do not cover material captured by third parties who witness a crime, only content from an attacker, their accomplice, or someone who attempts to join the violence.

The aim is to prevent perpetrators of extreme violence from using the internet to glorify or publicise what they have done. This will reduce terrorists’ ability to spread panic and fear. It will reduce criminals’ ability to intimidate. This is about taking away the tools harmful actors use to damage society.

What the legislation aims to do

Section 474.33 of the Criminal Code makes it a criminal offence for any internet service provider, content service or hosting service to fail to notify the Australian Federal Police, within a reasonable time, once they become aware their service is being used to access abhorrent violent material that occurred or is occurring in Australia. Failing to comply can result in a fine of 800 penalty units (currently $128,952).

Section 474.34 makes it a criminal offence for a content service or hosting service, whether inside or outside Australia, to fail to expeditiously take down material made available through their service and accessible in Australia.

The criminal element of fault is not that the service provider deliberately makes the material available, but rather that they are reckless with regards to identifying such content or providing access to it. Reckless, however, has been given a rather special meaning.

What we’ve got right

There is a clear need for new laws.

Focusing on regulating technology services is the right approach. Back in 2010 when I first raised this idea it was considered radical; today even Mark Zuckerberg supports government regulation.




Read more:
Zuckerberg’s ‘new rules’ for the internet must move from words to actions


We’ve moved away from the idea of technology companies of all types being part of a safe harbour that keeps the internet unregulated. That’s to be welcomed.

Penalties for companies that behave recklessly – failing to build suitable mechanisms to find and remove abhorrent violent material – are also to be welcomed. Such systems should indeed be expanded to cover credible threats of violence and major interference in a country’s sovereignty, such as efforts to manipulate elections or cause mass panics through fake news.

Recklessness as it is ordinarily understood – that is, failing to take the steps a reasonable person in the same position would take – allows the standard to slowly rise as technology and systems for responding to such incidents improve.

Also to be welcomed is the new ability for the eSafety Commissioner to issue a notice to a company identifying an item of abhorrent violent material and to demand its removal. When the government is aware of such content, there must be a way to require rapid action. The law does this.

Where we’ve fallen down

One potential problem with the legislation is the requirement for internet service providers (ISPs) to notify the Australian Federal Police if they are aware their service can be used to access any particular abhorrent violent material.

As ISPs provide access for consumers to everything on the internet, this seeks to turn ISPs into a national surveillance network. It has the potential to move us from an already problematic meta-data retention scheme into an expectation for ISPs to apply deep packet inspection monitoring of everything that is said.




Read more:
Australians accept government surveillance, for now


Content services (including social media platforms such as Facebook, YouTube and Twitter, and regular websites) and hosting services (provided by companies such as Telsta, Microsoft and Amazon through to companies like Servers Australia and Synergy Wholesale) have a more serious problem.

Under the new laws, if content is online at the time a notice is issued by the eSafety Commissioner, the legal presumption will be that the company was behaving recklessly at that time. The notice is not a demand to respond, but rather a finding that the response is already too slow. The relevant section (s 474.35(5)) states (emphasis added) that if a notice has been correctly issued:

…then, in that prosecution, it must be presumed that the person was reckless as to whether the content service could be used to access the specified material at the time the notice was issued

While the presumption can be rebutted, this is still quite different from what the Attorney General’s press release (dated 4 April 2019) claimed:

… the e-Safety Commissioner will have the power to issue notices that bring this type of material to the attention of social media companies. As soon as they receive a notice, they will be deemed to be aware of the material, meaning the clock starts ticking for the platform to remove the material or face extremely serious criminal penalties.

As the law is written, the notice is more of a notification that the clock has already run out of time. It’s like arguing that the occurrence of a terrorist act means “it must be presumed” the government was reckless with regards to prevention. That’s not a fair standard. The idea of the notice starting the clock would in fact be much fairer.

Under this law, a content service provider can be found to have been reckless and to have failed to expeditiously remove content even if no notice was ever issued. In some cases that may be a good thing, but what was passed as law, and what they say they intended, don’t appear to match.




Read more:
Why we need to fix encryption laws the tech sector says threaten Australian jobs


Hosting services have the worse of it. They provide the space on servers that allows content to appear on the internet. It’s a little like the arrangement between a landlord and a tenant. With hosting plans starting from around $50 a year, there’s no margin to cover monitoring and complaints management.

The new laws suggest hosting services will be acting recklessly if they don’t monitor their clients so they can take action before the eSafety Commissioner issues a notice. They just aren’t in a position to do that.

A lot still needs to be done

As it stands, only the expeditious removal of content or suspension of a client’s account can avoid the new offence. The legislation does not define what expeditious removal means. There is nothing to suggest the clock would start only after the service provider becomes aware of the content, and the notice from the eSafety Commissioner doesn’t start a clock but says a response is already over due.

This law is designed to apply pressure on companies so they improve their response times and take preemptive action.

What’s missing too is a target with safe harbour protections, that is, a clear standard and a rule that says if companies can meet that standard they can enjoy an immunity from prosecution under this law. That would give companies both a goal and an incentive to reach it.




Read more:
Technology and regulation must work in concert to combat hate speech online


Also missing is a way to measure response times. If we can’t measure it, we can’t push for it to be continually improved.

Rapid removal should be required after a notice from the eSafety Commissioner, perhaps removal within an hour. Fast removal, for example within 24 hours, should be required when reports come from the public.

The exact time lines that are possible should be the subject of consultation with both industry and civil society. They need to be achievable, not merely aspirational.

Working together, government, industry and civil society can create systems to monitor and continually improve efforts to tackle online hate and extremism.

That includes the most serious content such as abhorrent violence and incitement to violent extremism.

Trust, consultation and goodwill are needed to keep people safe.The Conversation

Andre Oboler, Senior Lecturer, Master of Cyber-Security Program (Law), La Trobe University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Livestreaming terror is abhorrent – but is more rushed legislation the answer?



File 20190401 177178 1cjkc2w.jpg?ixlib=rb 1.1
The perpetrator of the Christchurch attacks livestreamed his killings on Facebook.
Shutterstock

Robert Merkel, Monash University

In the wake of the Christchurch attack, the Australian government has announced its intention to create new criminal offences relating to the livestreaming of violence on social media platforms.

The Criminal Code Amendment (Sharing of Abhorrent Violent Material) Bill will create two new crimes:

It will be a criminal offence for social media platforms not to remove abhorrent violent material expeditiously. This will be punishable by 3 years’ imprisonment or fines that can reach up to 10% of the platform’s annual turnover.

Platforms anywhere in the world must notify the Australian Federal Police if they become aware their service is streaming abhorrent violent conduct that is happening in Australia. A failure to do this will be punishable by fines of up to A$168,000 for an individual or A$840,000 for a corporation.

The government is reportedly seeking to pass the legislation in the current sitting week of Parliament. This could be the last of the current parliament before an election is called. Labor, or some group of crossbenchers, will need to vote with the government if the legislation is to pass. But the draft bill was only made available to the Labor Party last night.

This is not the first time that legislation relating to the intersection of technology and law enforcement has been raced through parliament to the consternation of parts of the technology industry, and other groups. Ongoing concerns around the Access and Assistance bill demonstrate the risks of such rushed legislation.




Read more:
China bans streaming video as it struggles to keep up with live content


Major social networks already moderate violence

The government has defined “abhorrent violent material” as:

[…] material produced by a perpetrator, and which plays or livestreams the very worst types of offences. It will capture the playing or streaming of terrorism, murder, attempted murder, torture, rape and kidnapping on social media.

The major social media platforms already devote considerable resources to content moderation. They are often criticised for their moderation policies, and the inconsistent application of those policies. But content fitting the government’s definition is already clearly prohibited by Twitter, Facebook, and Snapchat.

Social media companies rely on a combination of technology, and thousands of people employed as content moderators to remove graphic content. Moderators (usually contractors, often on low wages) are routinely called on to remove a torrent of abhorrent material, including footage of murders and other violent crimes.




Read more:
We need to talk about the mental health of content moderators


Technology is helpful, but not a solution

Technologies developed to assist with content moderation are less advanced than one might hope – particularly for videos. Facebook’s own moderation tools are mostly proprietary. But we can get an idea of the state of the commercial art from Microsoft’s Content Moderator API.

The Content Moderator API is an online service designed to be integrated by programmers into consumer-facing communication systems. Microsoft’s tools can automatically recognise “racy or adult content”. They can also identify images similar to ones in a list. This kind of technology is used by Facebook, in cooperation with the office of the eSafety Comissioner, to help track and block image-based abuse – commonly but erroneously described as “revenge porn”.

The Content Moderator API cannot automatically classify an image, let alone a video, as “abhorrent violent content”. Nor can it automatically identify videos similar to another video.

Technology that could match videos is under development. For example, Microsoft is currently trialling a matching system specifically for video-based child exploitation material.

As well as developing new technologies themselves, the tech giants are enthusiastic adopters of methods and ideas devised by academic researchers. But they are some distance from being able to automatically identify re-uploads of videos that violate their terms of service, particularly when uploaders modify the video to evade moderators. The ability to automatically flag these videos as they are uploaded or streamed is even more challenging.

Important questions, few answers so far

Evaluating the government’s proposed legislative amendments is difficult given that details are scant. I’m a technologist, not a legal academic, but the scope and application of the legislation is currently unclear. Before any legislation is passed, a number of questions need to be addressed – too many to list here, but for instance:

Does the requirement to remove “abhorrent violent material” apply only to material created or uploaded by Australians? Does it only apply to events occurring within Australia? Or could foreign social media companies be liable for massive fines if videos created in a foreign country, and uploaded by a foreigner, were viewed within Australia?

Would attempts to render such material inaccessible from within Australia suffice (even though workarounds are easy)? Or would removal from access anywhere in the world be required? Would Australians be comfortable with a foreign law that required Australian websites to delete content displayed to Australians based on the decisions of a foreign government?




Read more:
Anxieties over livestreams can help us design better Facebook and YouTube content moderation


Complex legislation needs time

The proposed legislation does nothing to address the broader issues surrounding promotion of the violent white supremacist ideology that apparently motivated the Christchurch attacker. While that does not necessarily mean it’s a bad idea, it would seem very far from a full governmental response to the monstrous crime an Australian citizen allegedly committed.

It may well be that the scope and definitional issues are dealt with appropriately in the text of the legislation. But considering the government seems set on passing the bill in the next few days, it’s unlikely lawmakers will have the time to carefully consider the complexities involved.

While the desire to prevent further circulation of perpetrator-generated footage of terrorist attacks is noble, taking effective action is not straightforward. Yet again, the federal government’s inclination seems to be to legislate first and discuss later.The Conversation

Robert Merkel, Lecturer in Software Engineering, Monash University

This article is republished from The Conversation under a Creative Commons license. Read the original article.