mark nottingham

How to Run an Australian Web Site in 2024

Monday, 27 November 2023


A while back, the eSafety Commissioner declined to register the proposed Industry Codes that I’ve previously written about. Now, they’ve announced a set of Industry Standards that, after a comment period, will likely be law.

If you run an online service that’s accessible to Australians, these Standards will apply to you. Of course, if you don’t live here, don’t do business here, and don’t want to come here, you can probably ignore them.

Assuming you do fall into one of those buckets, this post tries to walk through the implications, as a list of questions you’ll need to ask yourself.

I’m going to try to focus on the practical implications, rather than “showing my work” by deep-diving into the text of the standards and supporting legislation. This is based only upon my reading of the documents and a minuscule dollop of legal education; if there are things that I get wrong, corrections and suggestions are gladly taken. Note that this is not legal advice, and the Standards might change before they’re registered.

Does the Standard Apply to Your Service?

The first question to answer is whether your service is covered by the Online Safety (Designated Internet Services – Class 1A and Class 1B Material) Industry Standards 2024.

The short answer is “yes, even that one.”

A Designated Internet Service (DIS) is one that allows “end-users to access material using an Internet carriage service.” This is a very broad definition that explicitly applies to Web sites. For simplicity, the remainder of this article will assume your service is a Web site, even though other information services can be a DIS.

In a nutshell, if “none of the material on the service is accessible to, or delivered to, one or more end-users in Australia”, your site is exempt. Otherwise, it’s covered (unless one of the other Codes or Standards takes precedence; see below).

So whether you’re Elon Musk or you have a personal Web site with no traffic, this standard applies to you, so long as it’s available to one Australian person – even if none actually visit. Don’t be fooled by “Industry” in the title. That default page that your Web server comes up with when your new Linux box boots for the first time? Covered. Note that it doesn’t even need to be on the public Internet; things like corporate Intranet sites are covered, as are content-free static sites like those used to park domains.

Given how broadly the legislation and standard are written, combined with how prevalent HTTP and similar protocols are on today’s Internet, it’s also reasonable to say that APIs are covered; there are no inherent restrictions on formats or protocols in the eSafety standards – in fact, the definition of material in the Act includes “data”.

So, to be safe, any server available on the Internet is covered by the eSafety scheme, so long as it can be accessed by Australians.

Do You Need a Risk Assessment?

Assuming that your site is covered by the Standard, your next step is to figure out whether you need to perform a risk assessment.

Assuming that you’re not running a large commercial web site, a (ahem) “high impact” service (i.e., one that specialises in porn, violent content, and similar), or an AI-flavoured service, there are two interesting categories that might get you out of performing a risk assessment.

The first is a “pre-assessed general purpose DIS.” You can qualify for this if you don’t allow users in Australia to post any material (including comments), or if posting is “to review or provide information on products, services, or physical points of interest or locations made available on the service.” It’s also OK if they are “sharing […] with other end-users for a business, informational, or government service or support purpose.”[1]

Does it seem like your site qualifies? Not so fast; that only covers “pre-assessment.” A general purpose DIS is a

website or application that […] primarily provides information for business, commerce, charitable, professional, health, reporting news, scientific, educational, academic research, government, public service, emergency, or counselling and support service purposes.

Unless your site falls cleanly into one of those categories, you don’t have a general purpose DIS.[2]

The second is an “enterprise DIS.” This is a site where “the account holder […] is an organisation (and not an individual).” Basically, if your users are companies or other organisations and not individual people, you don’t have to do an assessment.

What Does Your Risk Assessment Contain?

Assuming you need a risk assessment (spoiler: you probably do, to be safe), you

 must formulate in writing a plan, and a methodology, for carrying out the assessment that ensure that the risks mentioned in subsection 8(1) in relation to the service are accurately assessed.

The risk referred to is that class 1A or class 1B material will be “generated or accessed by, or distributed by or to, end-users in Australia using the service.” Storage of such material is also included (even if it isn’t accessed).

To answer your next question, class 1A material is “child sexual exploitation material”, “pro-terror material”, or “extreme crime and violence material.” Class 1B material is “crime and violence material” and “drug-related material.” There are long definitions of each of these kinds of material in the standard; I won’t repeat them here.

Your risk assessment must “undertake a forward-looking analysis” of what’s likely to change both inside and outside of your service, along with the impact of those changes. It’s also required to “specify the principal matters to be taken into account”, including eleven factors such as “the ages of end-users and likely end-users”, “safety by design guidance”, AI risks, terms of use, and so forth.

Your risk assessment has to be written down in detail. You must also “ensure that [it] is carried out by persons with the relevant skills, experience, and expertise” – although it’s not yet clear what that means in practice or how it will be enforced.[3]

What’s Your Risk Profile?

Once you’ve done a risk assessment, you’ll have a risk profile – one of Tier 1, Tier 2, or Tier 3.

Let’s assume your site has no user-generated content, and you only upload very… normal… content – like this site.[4] You’re likely to be Tier 3.

If so, congratulations! Your work is just about done. Sections 34, 40, and 41 of the Standard apply to you – basically, the eSafety Commissioner can demand that you provide them with your risk assessment and how you arrived at it. You also have to investigate complaints, and keep records.

If you’re not Tier 3 – for example, you blog about drugs or crime, or you allow user uploads or comments – there are a whole slew of requirements you’ll need to conform to, which are well out of scope for this blog entry (since I’m mostly interested in the impact of regulation on small, non-commercial sites). Tip: get some professional help, quickly.

What Other Standards Will Apply?

Keep in mind that we’ve gone through just one of the proposed Standards above. The other one is about e-mail and chat services, so if you run a mail server (of any flavour – maybe even on your infrastructure?), a chat server (e.g., Prosody, jabberd), or a Mastodon server, buckle up.

There is also another set of Industry Codes that cover things like hosting services, app stores, social media, search engines, and operating systems, if you happen to provide one of those.

Keep in mind that if you change anything on your site that impacts risk (e.g., adding a comment form), you’ll need to re-assess your risk (and likely conform to new requirements for reporting, etc.).

What Does Enforcement Look Like?

There are a lot of small Internet services out there – there are a lot of IP addresses and ports, after all. I suspect many people running them will ignore these requirements – either because they don’t know about them, they think they’re too small, they think that the eSafety Commissioner won’t care about their site, or they’re willing to run the risk.

What is the risk, though?

Section 146 of the Online Safety Act 2021 sets the penalty for not complying with an Industry Standard at 500 penalty units – currently, AU$156,500 (a bit more than US$100,000).

In practice, the eSafety Commissioner is unlikely to come after any site if its content isn’t problematic in their eyes. Whether you want to rely upon that is up to you. Because the legislation and standard don’t have any exemptions for small services – even with limited audiences – you are relying upon their discretion if you don’t have a risk assessment ready for them.

What Do You Really Think?

Improving online safety is an important task that needs more focus from society, and I’m proud that Australia is trying to improve things in this area. I’m critical of the eSafety Industry Codes and now Standards not because of their objective, but because of their unintended side effects.

Both the enabling instrument and this delegated legislation are written without consideration for the chilling effects and regulatory burden they create on parties that are arguably not their target. Requiring professional risk assessment raises costs for everyone, and creates incentives to just use big tech commercial services, rather than self host – leaning us further into things being run by a few, big companies.

Moreover, if a small personal site is distributing child porn or inciting terrorism, they’re not going to be caught because it doesn’t have a properly considered risk assessment ready to produce on demand – the eSafety Commissioner already has a range of other powers they can use in that case. They don’t have the resources to go after the countless small services out there for compliance issues, so all that will remain is the lingering chilling effects of these pointless requirements.

I get that most people will ignore these requirements, and the eSafety Commissioner is presumably relying upon that to give them the leeway to go after the people they need to target. I just think that creating laws that can be applied with so much discretion – where technically everyone is in violation, and the regulator can pick who they prosecute – is a shitty way to run a democracy.

  1. Is it just me, or is “informational” a hole big enough to drive a truck through here? 

  2. Notably, the site you’re reading this on doesn’t clearly qualify for any of them, and so when these codes are registered, I’ll likely be doing a risk assessment (and posting it), even though it doesn’t allow comments any more (because, spam). 

  3. This seems to foretell the establishment of a new industry. 

  4. Although it’s always tempting to write a blog entry that depicts, expresses or otherwise deals with matters of drug misuse or addiction in such a way that the material offends against the standards of morality, decency and propriety generally accepted by reasonable adults to the extent that the material should be classified RC.