Australia’s privacy watchdog repeatedly warned that the government’s $6.5 million teen social media ban tech trial was overstating how the technology used was protecting people’s privacy, given it hadn’t been tested or assessed against Australian privacy law.
The people behind the trial ignored most of those warnings and continued to include the inflated language in the final report, including terms like “privacy-preserving” and “privacy by design”.
As scrutiny grows over how the teen social media ban is working in practice, these unaddressed concerns from an independent regulator cast doubt on the findings of the controversy-plagued trial used by the federal government to justify ploughing ahead with the social media minimum age policy.
Emails obtained by a freedom of information request show how the Office of the Australian Information Commissioner (OAIC) told the organisers of the Age Assurance Technology Trial (AATT) that their reports used inflated privacy language that couldn’t be supported by the trial’s own methodology.
The AATT was commissioned by the Department of Communications and run by the UK-based Age Check Certification Scheme to test the technologies that would be used to implement Australia’s teen social media ban. The government heralded the trial as proof that age assurance could work in Australia.
But from the earliest stages, the OAIC raised concerns about how the trial characterised its own findings.
In feedback sent to the trial organisers in late April last year about its preliminary findings released before the full report was published, the OAIC warned that terms like “privacy-preserving”, “appropriate data-handling practices” and “no evidence of exploitative data practices” were too broad and not calibrated to Australian privacy law.
“Our view is that technologies that involve the handling of personal information cannot be claimed as inherently ‘privacy-preserving’ or ‘appropriate’ in the Australian context without applying the APPs,” the OAIC wrote, referring to Australia’s Privacy Principles established in the Privacy Act.
‘Privacy by design’ misleading
The OAIC noted that a comprehensive privacy assessment against the Privacy Act had not been conducted as part of the trial, despite being proposed in the evaluation proposal, and asked the final report to explicitly state this.
It also requested the removal of “privacy by design”, a term used by the regulator in its legal guidance that the trial did not consider when testing the tech.
Further, it asked the organisers to stop claiming the trial had “embedded regulatory oversight” — inaccurate, the OAIC said, given its role was limited to providing feedback as an external stakeholder.
Then, in July, the OAIC was provided a copy of the draft final report for review. It responded with its most muscular feedback yet:
“Our overarching concerns remain regarding the conclusive references to privacy and language in the report that overstates the privacy evaluation that has taken place in the Australian context.”
The OAIC also separately briefed officials at the Department of Communications about its concerns with the trial’s privacy language, some of the emails obtained by Crikey suggest.
When the final report was published by the AATT, the trial’s organisers had incorporated a handful of changes recommended by the privacy regulator: adding a vague legal disclaimer buried in one section of the 1,000-page report, removing the OAIC from a list of bodies that it claimed had conducted “pre-publication checks and clearances”, and deleting a paragraph that claimed collaboration with the OAIC on ethics oversight.
The regulator’s core concerns, however, were unaddressed. The trial’s final report continued to use “privacy by design”, “privacy-preserving” and “privacy-respecting” throughout. The claim about “embedding regulatory oversight at the participant-facing level” — the exact sentence the OAIC asked to be deleted — stayed in.
Where the OAIC had asked the report to state plainly that a comprehensive privacy assessment or “technical testing for protection of privacy” had not been done, the final report included a single sentence saying that it did not provide “any kind of clearance” — framing the limitation around a legal accreditation rather than the complete absence of privacy testing in the trial other than asking companies about it.
Australian Privacy Commissioner, Carly Kind. Image: Private Media
Concerns ‘noted’
A spokesperson for the AATT said that the trial was supposed to test whether age-check technology worked: “Our scope did not include a full audit of compliance with the Australian Privacy Principles but where we had any concerns, these were noted in our reports,” they said.
The spokesperson added that the trial’s independent ethics panel had “advised the Trial Team to be transparent that privacy was only assessed through vendor interviews”.
The spokesperson did not answer questions about why it ignored the privacy regulator’s pleas not to use overstated language, why its plans to assess against Australian privacy standards were ditched, or why it did not work with the regulator through its trial.
The group selected by the government to run the trial, the Age Check Certification Scheme, is an organisation that provides documentation for age-assurance technology providers.
Its founder and CEO, Tony Allen, who served as the AATT’s project director, sits on the executive committee of the lobby group for companies that sell this tech, the Age Verification Providers Association (AVPA). The AVPA executive director Iain Corby also worked on the trial. The AVPA put out media releases during the trial “welcoming” its report and responding to its coverage in the media.
When asked in June last year, Allen rejected the notion that this entanglement with the companies that he was charged with testing was a conflict of interest, instead saying their involvement was a “deliberate strategy to engage the age verification industry”.
The OAIC declined to comment on the correspondence. The office instead pointed to new age-assurance guidance it published in March this year, which tells organisations they must conduct their own privacy impact assessments when deploying age-assurance services.
Liberal senator and Shadow Communications Minister Sarah Henderson told Crikey that it was “unacceptable that the Information Commissioner’s concerns fell on deaf ears.”
She accused Wells of misleading Australian parents over the social media ban that is “riddled with defects”, citing the trial’s own data of high error rates for one provider’s facial analysis tool.
“Revelations the government failed to address the tech trial’s inflated privacy claims further undermines confidence in the social media ban,” Henderson said.
‘Privacy washing’
John Pane, the chair of Electronic Frontiers Australia, who resigned from the AATT’s advisory board last August, told Crikey the FOI documents confirmed his earlier warnings.
“The AATT testing of privacy controls was extremely superficial and not fit for purpose, with the end result having all the attributes of textbook ‘privacy washing’,” Pane said.
The trial inferred privacy capabilities “simply by reading participants’ externally facing privacy policies” rather than conducting technical assessments, he said.
Privacy was not the only gap in the trial’s remit. The AATT excluded testing of how teenagers might circumvent age checks, a decision questioned repeatedly by its own advisory board.
The eSafety Commissioner’s first compliance report on the ban, published in March, found close to seven in 10 parents whose children were on major social media platforms said their kids were still on there after the ban.
Communications Minister Anika Wells’ office referred questions to the department.
A department spokesperson said the trial “found age assurance can be done in a private and secure manner” and pointed to the report’s disclosure about not doing a “conformity assessment with Australian law”.
The spokesperson said social media platforms and age-assurance providers “have a responsibility to ensure they are complying with Australian laws, including the Privacy Act”.
- This article first appeared on Crikey. You can read the original here
