Fireside chat with Australian eSafety Commissioner Julie Inman Grant

Interviewed by Matt Nguyen, the Digital Governance and Rights Lead within the Technology and Public Policy team at the Tony Blair Institute.

Fireside chat from our Responsible Tech Summit: Improving Digital Spaces held at the Consulate General of Canada in New York on May 20th. Find the full event overview here.

Key Takeaways

  • Safety by design is key.

  • We are not going to regulate our way out of online harms.

  • Design and regulation must be thoughtful and willing to change and adapt.


Quotes

  • “This [safety by design] is putting the responsibility back. It’s having companies from the leadership, from the top down, prioritize safety, build it in at the frontend and now we have the basic online safety expectations.”

  • “I don’t think we’re going to regulate our way out of online harms, and so these protective services are bolstered by prevention on the front end.”

  • “We need to use a harms-based, risk-based and outcomes-based lens rather than thinking that we’re going to put a bunch of data scientists and engineers into all the companies and figure out how their algorithms are tweaking algorithms”

  • “Every law is going to have to fit its local context”

Matt Nguyen: Before I begin though I think something that Canada and Australia share is a long history of indigenous culture. Australia has the longest, continuous, surviving culture in the world and specifically around online safety, these issues impact those communities the most and so before I begin as traditional our country…I want to acknowledge traditional owners of lands that we work on back home [Australia] although I don’t work there anymore

Julie Iman Grant: And I come from the Land of the Gadigal people of the Eora Nation and I’d like to pay my respects to their elders, past, present, emerging.

Matt Nguyen: Yeah and likewise and so that should set the stage for a very interesting conversation.

Q & A

Matt Nguyen: There’s a lot of regulation coming to the fray now around online safety; particularly, in the UK and the EU. I know that across the Atlantic there’s also murmurs of the same thing happening. Australia’s done this for a really long time, so I’d love to hear a bit about your experience doing that and if there’s a specific angle or approach that Australia has that’s unique that could be lessons learned?


Julie Iman Grant: Spent 22 years in the technology industry working at Microsoft, Twitter, and Adobe. Often people call, refer to me as the poacher, turned gamekeeper because now, I regulate the companies. And you know, I was an abject failure in terms of being that safety antagonist inside the company and getting them to do the right thing, so I brought the concept of safety by design to Microsoft 10 years ago and I kind of got the, “oh now, Julie, you know we’re becoming an enterprise company. We’re not going to own a social media company (LinkedIn) and how does fixing personal harms really help the bottom line?” 

And I just thought, wow, we really need some cultural change here. I’ve had a great career here. I’m done, and then I went to Twitter and I don’t talk to you about what I saw every single day, but I will say that I joined Twitter and I think most of us joined the tech sector because we believed in the power of technology for doing good and that’s why we were there. And when you can see that it’s being weaponized and misused, or that your leadership isn’t taking safety seriously, it’s incredibly demoralizing and it’s very hard to defend.

And what I saw joining this company that was meant to help serve as a great leveler and a democratizer and speak truth to power is that you can promote voices, but if you don’t protect them, then you’re actually leading to the suppression of voices; particularly, vulnerable voices an so of course, we know that those who are indigenous or Torres Strait Islander who identify as LGBTQI  have disabilities are three times more likely to experience targeted online abuse rooted in misogyny, racism, homophobia, harassment, you name the list of horribles, we know they all manifest online. There’s the disinhibition effect and frankly, people have been able to do it with relative impunity. And I think until now, I think we’re really reaching a tipping point. 

So that was a long way of saying, I am Australia’s E-Safety Commissioner and we were set-up in 2015 as the Children’s E-Safety Commissioner. And the story is a little bit interesting. There was Australia's Next Top Model – a personality named Charlotte Dawson, who was very open about some of her mental health issues. She spent a lot of time on Twitter; she probably didn’t engage in the a way that was very self-protective and she had a nervous breakdown; she came back on Twitter and people were telling her to take her own life almost incitement to suicide and tragically she did. So while I was interviewing at Twitter to run their trust and safety, public policy, and philanthropy, and it was referred to as the “Twitter Suicide.”

It also spurred a petition to the government, where people said, “enough is enough. Government needs to get involved”, but what the government of the time decided to do, and the ICT Minister at the time, was Malcolm Turnbull who was a technology entrepreneur and eventually, became our prime minister, was to start with the most vulnerable. We had a kernel, we had an online content scheme that dealt with child sexual abuse materials and pro-terrorist content. 

Because we have such laws and have had them in place for 20 years, 99.97 percent of the illegal and harmful content we’re dealing with is domiciled overseas, so we’re the hotline, like Netmec or IWF or the C3P for Australia. I’m one of the few that sit within a government agency with regulatory powers behind them, but we also, set up the world’s first and still, only youth cyber bullying scheme, and so the way that works is if a child is being seriously cyberbullied, which is defined as threatening, harassing, intimidating, or humiliating. We know of course that cyberbullying is insidious because it doesn’t stop at the school gate. It does tend to be peer-to-peer, but it follows the child into their home. It’s invasive and it's pervasive; it’s very visible to a child and they’re friends, but very hidden to adults.

And so the idea is if they report to the platform and that isn’t taken down because that is fundamentally their responsibility. It’s also the most expeditious way to get that harmful content taken down and we want that taken down quickly. If that doesn’t happen, they can come to us, or a parent or an educator, every time somebody reports to us at esafety.gov.eu, it triggers a regulatory investigation. We have a legislative threshold; we work cooperatively with the companies; we have 90 percent compliance rates in terms of getting serious cyberbullying content taken down; we also, have powers to find perpetrators or platforms or to issue removal notices and a range of remedial powers, so this is just a way of saying, we started small and narrow, and with the most vulnerable. And then, we added regulatory schemes, so then I was given…

I was asked to set up the revenge port scheme and I said no, I’m not going to call it revenge porn. That’s inherently victim blaming. Let’s call it what it is, image-based abuse. We set that up for all Austrailians and we have an 85 percent success rate in terms of getting intimate images and videos taken down from thousands of websites and platforms and image boards all over the world. With the Christchurch atrocity, we were given very potent powers around preventing the livestreaming of terrorist activities torture, murder, child chap, and even the ability to compel the ISPS to block websites in the event of a crisis event. We have never used those powers and I think that’s a really important thing. You need to use fairness, proportionality, discretion and how you use the powers. And while I have punitive powers, my primary consideration is providing harms alleviation services and we know that people, when they come to us, are distressed, so we try and get the content taken down and we’ll use what powers we have for the situation, but we’ll also, put them in touch with mental health services; we’ll adjudicate some conflicts and…

We’ve got seven years of rich data in terms of how platforms have been weaponized. We see the trends as they’re happening around…you would think it was Easter 2020. We saw a 600 percent increase in sexual extortion reports that came into our office, which came into IBA, and then identified four different sexual extortion scams that were happening at once, plus we were locked down and digital intimacy tools were being used and that went wrong.

So in any case we’ve got this data, so we know how the trends are happening; we also know what the systematic and process failures are, so we’ve been given a very board set of powers that have just come into place in January, where we’re taking a systems and process approach very much like the EU and UK are doing in terms of really targeting those systemic failures, whether it’s failing to identify the mass creation of fake imposter accounts; whether it’s lifting the hood and asking these companies, “what are they actually doing to detect signals when cross-platforms volumetric attacks are happening?” And you know, attacking an indigenous woman in particular, or how they’re preventing the recidivism of bad actors onto their platforms. We have to surface this stuff because we’re getting too much PR spin. We can name and shame, and then we’ve got some industry codes that are mandatory around proactive detection and removal of what we call, class one content. 

So we’re seeing a convergence with the approach that the UK and the EU is taking. The last thing I’ll say here is I don’t think we’re going to regulate our way out of online harms, and so these protective services are bolstered by prevention on the front end. We’ve done a tremendous amount of research into measuring behavioral change over time and we are seeing change with youth people, for instance. Engaging in; help seeking behaviors utilizing conversation controls and technologies, but then also, developing specialized programs, like for women who are experiencing domestic and family violence. 

In those cases, technology facilitated abuse is almost ubiquitous, so microtransactions in child custody payments happening over banking services or multiple harassing messages; drones flying over safe houses and cars stalling when a woman leaves more than two miles beyond the perimeter of her home. So all these things are happening now; we’re trying to train frontline service workers to identify and be able to help women and their families and  then on the frontend we’re trying to do what I call proactive and systemic change. What does the threat surface look like for the future and how do we minimize it? We’ve to put the responsibility back on the platforms themselves and this is where safety by design comes in as a regulator. And we sat down with 180 different organizations, including most of the major companies to say, what are the key principles and the actions under it that are going to be meaningful, actionable, and achievable? 

Three pillars: 1) service provider responsibility, 2) user empowerment and autonomy, and then 3) transparency and accountability, but we’re all experiencing a bit of principles fatigue. I think there are lots of principles out there and principles are only useful if they’re implemented so we need to see tangible actions. We went a step further and we’ve built some free interactive risk assessment tools for companies to use. We've had both one for startups and one for enterprises. And they’ve been downloaded in 45 countries, but we’re still not seeing that tangible action. What we’re hoping is to lift the safety standard and help surface up in industry best practice and then, stay ahead of technology trends and we can talk about the metaverse and that defy world and how we probably need to learn the lessons of today to try and shape the future tomorrow. 



Matt Nguyen: Thanks for that. It was a very broad overview of the Australian regulatory scheme. I’m interested in asking, I guess two questions around…I know there’s maybe murmurings of a Canadian online safety thing coming out. UK is in second rating or something like that, I’m looking at the Ofcom guy, and so that’s about to come out and obviously, the DSA is a thing. If you had to pick something that the Australian online safety regulatory approach was better than the other geographies and that Canada might be able to learn from? And one thing that they have done that we haven’t that the Canadians could also learn from, what would that be?

Julie Iman Grant: Sure, well I feel like we’ve been riding in a bit of a Peloton and we’ve been going up Mount Fantu? [13:10] that the long hill, long steep climb, kind of on our own. Lots of drag, lots of resistance without people helping us draft. We’re excited the Irish will probably come on board next. It was interesting being up in Ottawa [Canada] this week because they are talking about building a digital safety commissioner and what I didn’t realize I often lament that the organization I’m at it started with 35 people and this kernel and we’ve grown it into about 200 people and something and that’s very different, but because we started slowly and built trust with the public a government over time, we’re not facing that same kind of onslaught that Canada is facing with this whole idea of if you have an online harms regulator it’s going to create freedom of speech issues and I said, well yeah there’s a difference between freedom of speech and free-for-all and the reason we have complains-based schemes and legislative thresholds is to make clear…I have to prove when somebody reports serious adult cyber abuse to me that there was intent to seriously harm and that is was menacing, harassing, and offensive in all cases.

That’s a really high bar, so really the content that we’re tackling is higher than most of the thresholds of most of the platforms and is really getting that content that veers in into the area of serious online abuse and like I said, you can’t have a free-for-all otherwise you’ll be suppressing speech, so I’d say that the individual complaint schemes are something I think are important because we bridge that inherent power balance that exists between the everyday person and the tech behemoth. So that’s valuable - the insights and intelligence that gives us is valuable. I know that some of the other countries are going to come up with a lot bigger penalties and so they’ll make a bigger impact potentially over time. We’re ramping those up, I think, a little bit more judiciously and slowly. But we’ll look forward to working with these companies because we’ll have powers and abilities that they won’t.

And you know I’m looking at Fred here because I think there’ll be some really important moves that we’ll be able to make and every law is going to have to fit its local context and I’m sure you still have a ways to go. There’s a lot in the UK bill, for example, except the kitchen sink, and so there’s going to be a lot of deliberation and the current legislation may not look like the final.



Matt Nguyen: I’m going to switch tracks for a little bit. I’m really interested in regulatory collaboration outside of the western sphere and I know that the Australian safety office does a bunch of collaborative work in the pacific. And so, I guess my question is over COVID we saw a bunch of content takedown laws being passed in less democratic states and so do you fear that…what’s your opinion on regulatory exports from western countries and how these kinds of laws could be co-opted by other countries and what is the responsibility that entails from a collaborative approach that the five eyes should do more in?

Julie Inman Grant: I think it’s a really important question. It’s also a really tricky one and I don’t have Yu Ping’s [Yu Ping Chan] diplomatic skills, but you know there are a lot of countries out there that do call themselves democracies, but they'll take a much more blunt force approach and their political speech, or their free speeches, may involve political speech. I mean one thing I can say about our thresholds is that it doesn’t cover political speech and obviously, we’re seeing that happening in Texas [United States], so I don’t know if you consider that a foreign country or not. It’s certainly taking a different approach and we hope that doesn’t go viral. 

We do have to explain that we also have transparency mechanisms. I have the responsibility to report extensively on the types of investigations we’re taking on board. We’ve done about 80,000 regulatory investigations over the course of e-safety. If someone doesn’t like a  decision…I’ve never had a decision or of removing content challenged, but we have systems in place. We have an internal review process; we have a freedom of information act; we have a tribunal; we have an ombudsman, and somebody can take us to the federal court and I think that’s good. So I don’t think there needs to be scrutiny when people talk about taking down content. And having worked for Twitter and set-up…interestingly, when I started Twitter the largest…the fourth largest country in terms of users was Indonesia and we didn’t have a presence. So I spent almost a year engaging with… info and the Indonesian government to try and navigate what that was going to look like.

You know, they want to send us a blacklist of hundreds and hundreds of sites that they didn’t want shown and that’s not how Twitter does things, so it’s tricky and I’m also sympathetic to the companies because we don’t want a regulatory net of different regulatory requirements that’s going to be hard, so one of the thing that we’re talking to the UK and others about is how we build a regulatory network of online safety regulators very much like the DIGI and DPAS have with the global assembly. And right now, we’re also trying to do some capacity building with Fiji. In fact we’re going there next week to help…they’ve got an online safety commissioner; we signed an MOU with the Koreans around digital sex crimes, so we’re looking at where we can collaborate in ways that makes sense and have synergies.

Matt Nguyen: Awesome, I think last question from me to end on a bit  more of a future looking note is, what do you think the approach of a regulator should be around all the emerging tech stuff around AI generated content and around metaverse and more immersive realities?

Julie Inman Grant: Well, I am very focused on that because we know that technology will always outpace policy and the first day I walked into the e-safety office after 22 years in the tech sector, I walked in and I was like, “hi, I don’t do hierarchy”, which is of course, antithetical to most government folks and really I had stunned people. I’m like, “so you do you have a mission? Do you have a vision? Do you have a song? Is it the safety dance?” Anyway, I’m getting carried away, but culturally, it was a very different organization, so over time, I had to build one that was innovative and nimble. And one of the things that we do is we put out tech trends and challenges briefs. The first one we did was on deepfakes about two years ago. And I couldn’t get the mainstream media to even get interested in it and now you can pick up a tech rag and see something about deepfakes, so we’ve done one around end-to-end encryption. We try and make sure it’s balanced and nuanced. 

We’re talking about the benefits of the technology, but also, the risks and then helping mitigate those risks. We just did two last year: one immersive technologies, where we predicted sexual assault by default, Nina Jane Patel…but also, on decentralization and I think this is a great way to say if we’re not thinking and understanding how these technologies, in fact, these paradigm shifts are going to change and adapt our regulation accordingly and make sure that we’re nimble and really thinking thoughtfully, like do we really want to break the blackbox? No, I think if we’re going to look at future generations of regulating, say AI, we need to use a harms-based, risk-based and outcomes-based lens rather than thinking that we’re going to put a bunch of data scientists and engineers into all the companies and figure out how their algorithms are tweaking algorithms, but safety by design to me is key. This is putting the responsibility back. It’s having companies from the leadership, form the top down, prioritize safety, build it in at the frontend and now we have the basic online safety expectations, which basically lay out the duty of care and what we respect the interactive services to be doing as a right to or a license to operate our country. 

Matt Nguyan: Awesome, well thank you so much. Always good to have a perspective from down under.        

Previous
Previous

Responsible Tech Summer Reading List

Next
Next

Creating a tech pipeline aligned with the public interest