In the wake of the Australian eSafety Commissioner’s first evaluation of compliance with the country’s Social Media Minimum Age (SMMA) law, emphasis has been given to “safety by design.” This principle underpinned establishment not just of the regulations but also the scope, nature, and culture of the regulatory body itself.
For the eSafety Commissioner, Safety by Design (SbD) is a normative and policy framework whereby digital platforms are asked to anticipate, detect, and eliminate harms before they occur through ex ante product design, governance, and operational processes rather than relying on ex post retrofitting of safeguards after an issue has arisen. Its three fundamental principles are service provider responsibility, user empowerment and autonomy, and transparency and accountability.
According to the commissioner, service provider responsibility presumes that “the burden of safety should never fall solely on the user.” The potential risks of online interactions should be assessed up front and “active steps [taken] to engineer out potential misuse, reducing people’s exposure to harms.” User empowerment and autonomy presume that “the dignity of users is of central importance” and that design features and functionality should preserve fundamental consumer and human rights. To combat abuses of users’ dignity and rights, platforms and services “need to engage in meaningful consultation with diverse and at-risk groups, to ensure their features and functions are accessible to all.” Transparency and accountability are “hallmarks of a robust approach to safety,” not only providing assurances that platforms and services are “operating according to their published safety objectives, but also assist[ing] in educating and empowering users about steps they can take to address safety concerns.”
To contextualize SbD, the Commissioner has drawn on the analogy with playground safety regulations. Online environments are framed as “digital playgrounds,” and SbD is the equivalent of designing safe physical play spaces rather than relying only on warning signs or blaming children (or their parents) for injuries. If the equipment is designed with safety at the forefront, then harms will not occur.
SbD led to the SMMA being operationalized with the platforms themselves being responsible for identifying and communicating the steps necessary to prevent individuals under age 16 from having accounts. Under the law, the commissioner then determines whether the steps are reasonable. Relying only on a user’s self-declared age is insufficient; further steps to ascertain the user’s age are required, although the platforms determine what these will be. In its compliance report, the commissioner concludes that insufficient steps are being taken by at least five of the 10 named platforms, and the regulator is seeking further information and explanations of observed behaviors and outcomes.
While SbD objectives are laudable, the question is whether the approach is feasible for regulating users and uses that were not core features of the platforms concerned.
Social media platforms were not designed to be digital playgrounds for children. Platform creators did not initially include technical features preventing users under a certain age from holding accounts because such features impinge on the empowerment and autonomy of the majority of their users, impugning their dignity (and on their privacy) by requesting age verification before establishing an account.
This first begs the question of the extent to which platforms should be accountable for eliciting information about age and conducting the trade-offs between the needs, preferences, rights, and dignities of a vast array of different user groups in the design stage, when harm attends only to a subset of users. In the playground analogy, should the equipment be designed to be resilient to adult misuse simply because adult misuse can be anticipated, despite the presence of warnings that adults are not the intended users? If use of the platforms proves sufficiently harmful to one specific and identifiable user group, then surely explicit (and strictly policed) prohibitions should be imposed at that point (with some obligations also on users and their caregivers) rather than relying on design principles alone?
Second, the presumption that platform creators are sufficiently foresighted to know precisely what harms will be caused before taking the service to market overlooks the fact that for any novel creation, both the creator and users generally learn together what outcomes emerge. All effective regulations have come from learning by doing. Safety matting wasn’t engineered into the first playgrounds erected. And learning can equally reveal flaws in safety equipment design. Only after observing the harms incurred in real-world environments by overconfident children who learned to play in artificially safety-engineered playground environments have we come to recognize that too much safety can sometimes be as harmful as too little.
SbD is anchored in a world of engineering certainty that defies the complex realities of outcomes coproduced by platforms and their users. Just as with playgrounds, the burden of online safety regulation should never fall solely on the platform.