The founder of encrypted email service Proton has said the company would fight the Australian online safety regulator in court if forced to weaken encryption under proposed standards.
The eSafety commissioner, Julie Inman Grant, has proposed cloud and messaging service providers should detect and remove known child abuse material and pro-terror material “where technically feasible” – as well as disrupt and deter new material of that nature.
The eSafety regulator has stressed in an associated discussion paper it “does not advocate building in weaknesses or back doors to undermine privacy and security on end-to-end encrypted services”.
But privacy and security groups argue the draft standards, as written, could allow the eSafety commissioner to force companies to compromise encryption to comply.
Switzerland-based Proton is one of 350 signatories – including Mozilla and Tor Project – to an open letter to Inman Grant raising concerns about the proposal and urging “against creating standards that would force encrypted services to implement such scanning measures as they would create an unreasonable and disproportionate risk of harm to individuals and communities”.
Andy Yen, the founder and chief executive of Proton, told Guardian Australia the proposed standards “would force online services, no matter whether they are end-to-end encrypted or not, to access, collect, and read their users’ private conversations”.
“These proposals could not only force companies to bypass their own encryption, but could put businesses and citizens at risk while doing little to protect people from the online harms they are intended to address,” he said.
He said having the standards apply only “where technically feasible” wouldn’t provide legal safeguards for encryption. Yen said if the draft standards weren’t changed before being introduced, Proton would fight them.
“We didn’t change our product or break encryption in Iran, or in Russia, and we won’t in Australia either,” he said. “However we have no intention of leaving Australia. Should we receive an enforcement notice to break end-to-end encryption we would be prepared to fight it in the courts.”
A spokesperson for the eSafety commissioner said Inman Grant welcomed feedback on the draft standards – including on the technical feasibility exception.
“This feedback will assist eSafety to consider whether refinements are required before the standards are finalised,” the spokesperson said.
They pointed to the associated discussion paper which “clearly states that the standards do not require service providers to design systematic vulnerabilities or weaknesses into encrypted services”.
Five other industry safety codes come into effect on Saturday covering social media, internet service providers, equipment providers, hosting services and apps.
“Having mandatory and enforceable codes in place, which put the onus back on industry to take meaningful action against the worst-of-the-worst content appearing on their products and services, is a tremendously important online safety milestone,” Inman Grant said.
Feedback on the draft standards is open until 21 December.