A report built on evidence, not speculation
On July 14, 2026, Australia's eSafety Commissioner published its third Basic Online Safety Expectations (BOSE) transparency report, assessing how Apple, Meta, Google, Microsoft, Snap, Discord and WhatsApp detect and prevent child sexual exploitation and abuse. The headline finding is not that these companies do nothing — several have shipped proactive detection and grooming-identification tools since the last round. It is that the specific technique needed to catch the fastest-growing harm in this category, scripted sexual extortion, exists and sits largely unused.
Sextortion offenders work from recognisable scripts: the same coercive phrases, deployed at scale, across thousands of approaches to teenagers and young adults. eSafety says platforms could deploy language-analysis models to catch these patterns the way spam filters catch phishing templates, and mostly aren't. Commissioner Julie Inman Grant put it bluntly: "we have provided these platforms with evidence of how their services are being colonised by criminals to devastating impact, with clear guidance on how to stem the abuse... we haven't seen adequate responses, despite the technology being readily available," as reported by TheNextWeb.
The Apple asymmetry
Apple is the report's sharpest case study. Its Communication Safety feature already scans on-device for nudity sent to child accounts without breaking end-to-end encryption — a genuinely privacy-preserving piece of engineering. But per 9to5Mac's review of the findings, eSafety says Apple isn't extending that same on-device pattern-matching logic to the coercive scripts that precede extortion attempts on iMessage, and relies overwhelmingly on users reporting abuse after the fact rather than detecting it as it happens. The report also flags that iMessage, alongside WhatsApp, Discord and Google Messages, lacks a clear, dedicated reporting pathway for sexual extortion or child abuse — a UX failure that is cheaper to fix than any detection model.
The scale is real. eSafety received over 2,000 sextortion complaints in the six months from July to December 2025 alone, with young men aged 18–24 the most frequently affected group, and more than one in ten Australians aged 16–18 reporting they had experienced sextortion, over half of them before turning 16, according to Cyber Daily's coverage.
Steelmanning the mandate
The case for pushing platforms harder here is genuinely strong, and it deserves to be stated plainly before any pushback. Sextortion is not an ambiguous harm requiring difficult judgment calls about political speech or satire — it is criminal coercion with a recognisable linguistic fingerprint, and the companies eSafety is naming already run comparable pattern-detection for spam, scams and terrorist content. If Meta, Google, Snap, Discord and Microsoft can build grooming-detection tools, as the report acknowledges they partly have, the marginal cost of extending that infrastructure to extortion scripts is small relative to the harm prevented — measured here in real psychological and financial damage to teenagers. A regulator naming specific gaps at specific companies, backed by its own evidence of harm, is doing exactly what evidence-based regulation should look like: not banning a technology, but publishing a comparative scorecard and letting reputational and commercial pressure do the rest.
Why the mechanism, not just the mandate, matters
That is also the reason this report is a better model than most content-moderation regulation on offer globally. eSafety's transparency notices, issued under section 56(2) of the Online Safety Act 2021, compel platforms to answer honestly about their practices, with civil penalties attached to non-response — not to adopt a specific scanning architecture eSafety designs for them. That distinction matters enormously. The EU's long-running fight over a mandatory client-side scanning regime for CSAM has repeatedly run into the objection that indiscriminate message-scanning, even for a cause as unimpeachable as child protection, risks building permanent surveillance infrastructure into encrypted channels that governments will be tempted to repurpose. eSafety's approach sidesteps that trap: it names the gap, cites the harm, and leaves the engineering choice — including whether to mirror Apple's own privacy-preserving, on-device precedent — to the company.
That restraint should not be mistaken for toothlessness, but it does mean the pressure here is reputational rather than a compliance mandate with a deadline. Four reports were planned in this series; the fourth will be the real test of whether public naming moves Apple and its peers or whether eSafety escalates toward the civil-penalty powers Australia's Online Safety Act already gives it. For now, the right response from platforms is the obvious one: extend proven, narrowly-scoped detection to a well-defined criminal pattern, and give users an actual button to report it. Regulators pushing companies to use tools they already possess, against a harm with a clear behavioural signature, is proportionate regulation working as intended — a bar that broader content-scanning mandates elsewhere in the world have consistently failed to clear.