What we're here to catch

Products involving children carry the highest risk profile in any assessment. The gaps we find most often: features that let adults contact children without verification, missing age checks, no parental consent process, and AI-generated content with no child safety review.

What makes these gaps so dangerous is that they're usually invisible to the person who built the product. A platform for kids to share artwork, make friends, or access learning can become a place where harm happens, not through bad intentions, but through missing safeguards nobody thought to put in place.

Products built for or deployed in Aboriginal and Torres Strait Islander communities, or any Indigenous community, carry obligations that most technology governance frameworks haven't caught up with yet. Alt-TAB applies the CARE Principles for Indigenous Data Governance and the AIATSIS Code of Ethics to find what's missing.

The most common failures: collecting cultural data, voice recordings, or location information without community consent; AI-generated content that could surface sacred or restricted knowledge; and deployment decisions made without Free, Prior and Informed Consent from the communities involved.

Technology-facilitated abuse covers any product feature that can be turned into a tool for coercive control, stalking, harassment, or image-based abuse. These are usually features built with good intentions: location sharing, device monitoring, private messaging, AI-generated imagery. The harm comes from how they can be used, not how they were designed.

Alt-TAB applies the eSafety Commissioner's Safety by Design framework and the Technology-Facilitated Gender-Based Violence (TFGBV) Industry Guide to find these risks. The gap we see most often: products that assume their users are safe, when some of them aren't, and that haven't thought through what their features look like in a coercive relationship.

Data exploitation covers products that collect more than they need, use data in ways people wouldn't expect, share it with third parties without being upfront about it, or don't give people real control over their own information. In Australia, this triggers obligations under the Privacy Act 1988 and the Australian Privacy Principles.

The consent gaps we find most often: products relying on buried terms-of-service rather than genuine consent, products using third-party AI providers without checking what those providers do with the data, and products collecting sensitive information from vulnerable people without the safeguards those people deserve.

Exclusion by design is what happens when a product simply doesn't work for people with disability, people from culturally and linguistically diverse backgrounds, people with low digital literacy, or people in low-bandwidth environments. These failures are rarely deliberate. They happen when products are built and tested only by people who don't face these barriers.

Alt-TAB's ninth domain applies WCAG 2.2, the Australian Disability Discrimination Act, the CARE Principles, and the Design Justice Network Principles to find these gaps. The finding we see most: products that have never actually been tested with the communities they say they're built for.

Accountability failures happen when nobody is clearly responsible for safety outcomes, there's no plan for when things go wrong, affected people have no way to seek help, and whatever governance exists lives in a document nobody looks at. These failures make every other risk worse, because when something goes wrong, there's no one positioned to act.

The finding we see most often: a contact email is not an accountability structure, and good intentions are not a safety plan. Alt-TAB applies the UN Guiding Principles on Business and Human Rights, the NIST AI Risk Management Framework, and the OECD AI Principles to find where the gaps actually are.

Technology-facilitated gender-based violence (TFGBV) gets checked in every Alt-TAB assessment, regardless of how you answer the domain questions. That's because the risk is almost always invisible to the builder. A fitness app, a smart home controller, a budgeting tool, a messaging platform, any of these can become an instrument of coercive control without a single line of malicious code.

Any product that stores location data, enables communication, controls devices, tracks activity, manages finances, or handles health data is a potential technology-facilitated abuse vector. We apply the eSafety Commissioner's Safety by Design Technology-Facilitated Gender-Based Violence Industry Guide and ask the questions most founders never thought to ask themselves.

Any product that collects personal data gets checked against the ASD Essential Eight Maturity Level 1 as a cybersecurity baseline. Data breaches, weak access controls, unpatched vulnerabilities, and missing incident response plans aren't just technical problems. For products holding sensitive information about vulnerable people, they're harm events.

The gaps we find most: no penetration testing, no multi-factor authentication on backend systems, no data breach response plan, and no alignment with the Australian Signals Directorate's Essential Eight. Cybersecurity is an ethical obligation, not just a technical one.