The Weekly Cybers #20
eSafety dominates the news this week. There’s also a new National Robotics Strategy, news of recent hacks, and a glorious new government excuse for not doing things.
Welcome
For some reason eSafety is dominating the news again this week. This has riled me up, as you’ll soon see.
We’ve also got a new National Robotics Strategy, more on the MediSecure hack, a new hack at Ticketmaster, and a raft of relevant news.
We’ve even got a new government excuse for when things don’t get done. Glorious!
When too much eSafety is barely enough
Yes, that’s a callback to Roy and HG. Citing two blokes who are now in their 70s is perhaps a bit too retro. However the number of news stories relating to online safety this week amazes me, and I’m going to kick off with an opinion piece.
Basic Online Safety Expectations updated
Under Australia’s Online Safety Act 2021 there’s a thing called Basic Online Safety Expectations (BOSE), delegated legislation which provides more detail about what the online services are meant to be doing.
This week communications minister Michelle Rowland announced an update, the thrillingly titled Online Safety (Basic Online Safety Expectations) Amendment Determination 2024.
At the time of writing the full text has yet to be posted on that link. However most of the items listed in the press release seem innocuous enough: consider safety in the design and operation of generative AI, same for “recommender systems”, and requiring companies to be able to provide a breakdown of the number of users in Australia into adults and children.
But I find one of the new requirements curious:
Ensuring that the best interests of the child are a primary consideration in the design and operation of any service likely to be accessed by children [my emphasis].
On the surface this seems fair enough. Who wants to see children come to harm, right? But this isn’t a requirement for most other public spaces.
Take roads and footpaths. Children are certainly likely to access them. But we don’t wrap entire streets in protective mechanisms for children. Instead, we teach children how to take care of themselves, and we expect them to be accompanied by responsible adults where necessary. The primary consideration, however, is generally the smooth flow of motor traffic.
Nor do we line rivers and creeks with pool fencing, install padding at the bottom of staircases, or put strong language and adult concept filters around cafe tables.
The rhetoric of online safety often says that we should have the same laws and obligations online as we have offline. But far too often the internet is portrayed as an inherently dangerous place, somehow more dangerous than the physical world, and yet one where children should be free to roam unattended — and that the government should do the parenting.
[Update 4 June 2024: The document has now been published as Online Safety (Basic Online Safety Expectations) Amendment Determination 2024, along with an explanatory memorandum. I’ll go through it next week.]
In the other five eSafety stories...
- Things are getting ever more interesting in eSafety Commissioner vs X Corp in the Federal Court: Electronic Frontier Foundation (EFF) and the Foundation for Individual Rights and Expression (FIRE), both US-based organisations, have been granted the right to take part. Expect more tactical shenanigans in the lead-up to the main trial on 24–25 July.
- The Commissioner is still arguing that X should block access via VPN to the Wakeley church stabbing video.
- The government’s trial of online age assurance technologies will not involve the social media platforms. The communications department will just be having a bit of a play with the technology. Or, more likely, a contractor will.
- Meanwhile the eSafety Commissioner has accused Apple and Google of financial motives for not removing Reddit and X from their app stores for hosting pornography in violation of their own policies. How dare for-profit corporations have “financial motives”! More seriously, this seems as silly as accusing Bunnings of having financial motives for continuing to sell hammers which might be used in an assault or housebreaking. Or paint which government officials might huff.
- Apparently there’s a thing called the Global Online Safety Regulators Network. In a joint statement (PDF) last week, eight nations agreed to synchronise their content restriction, user surveillance, corporate disclosure, and other online oversight powers: Australia, Fiji, France, Ireland, Korea, Slovakia, South Africa, and the UK.
Australia versus The Socials in podcast form
In recent weeks the Australian government has opened multiple fronts in its war against the social media giants. So for my podcast The 9pm Edict I decided to speak with Justin Warren, “consultant, freedom of information tragic, hexagon enthusiast, and creator of the CyberRating™ labelling scheme”.
In The 9pm Dream Cheese of Digital Tyranny with Justin Warren — don’t think about the title too much — we discuss the MediSecure data breach, Australia’s new Digital ID laws, the pilot of online age assurance technology, calls to ban young people from using social media, eSafety Commissioner vs X Corp in the Federal Court, censorship more generally, and much more.
Just look for The 9pm Edict in your podcast app of choice.
Australia gets a National Robotics Strategy
The thing to remember about a modern government strategy document is that it usually isn’t an actual strategy — not in the conventional sense that it sets out a clearly-defined set of measurable goals, and a series of concrete steps to achieve those goals, perhaps with intermediate targets and a set of alternative actions to be taken should they not be met.
No, a modern government strategy document is generally a glossy brochure which highlights what is already happening, thereby giving the impression that the government knows what it’s doing, prefaced with a set of hand-waving statements about the importance of the subject at hand.
And so the 66-page National Robotics Strategy was released this week.
Vision: Australian industries are responsibly developing and using robotics and automation technologies to strengthen competitiveness, boost productivity and support local communities.
Translation: In the future there will be robots doing things, somehow.
There’s four goals.
- National capability: Australia has a strong, collaborative robotics and automation ecosystem that is recognised for its strengths, has a thriving domestic market and exports globally.
- Increasing adoption: Australian industries are supported to integrate robotics and automation technologies into their operations in ways that benefit Australian workers and communities.
- Trust, inclusion and responsible development and use: Robotics and automation technologies designed and adopted in Australia are safe to use alongside Australian workers, and are secure and inclusive by design.
- Skills and diversity: Australians from all backgrounds contribute to and benefit from the development and adoption of robotics and automation.
That’s a lot of feel-good words, but no concrete detail. And while we can drill down into the sub-headings — they’re really headings rather than goals — once more there’s nothing measurable. And there’s no timelines.
In the capability-building section, for example, there’s “indicators of success” such as “growth in the size of Australia’s robotics industry” and “growth in employment in Australia’s robotics industry”. But what are these growth targets? Dunno.
None of this matters, of course.
The important thing about a National Robotics Strategy is that you have one.
Growth in employment in Australia’s robotics industry is probably something that will happen no matter what the government does, simply because in the future there’s likely to be more robots. Same for most of the rest of it.
If the targets aren’t measurable, no one can say you didn’t meet them. You can “deliver on” such a strategy with mere activity, rather than results.
Support local communities, you say? Yeah, we had a program for that. We spent $24 million. Mission accomplished.
Even if the targets were measurable, will anyone ever go back and cross-check how things went? In what Crikey’s Bernard Keane once called the perpetual present of political journalism, the answer is no.
Well then. I’ve just written more words on the National Robotics Strategy than it deserves. Still, I recommend downloading the document to check out the gorgeous photos of some cool robots you might not have seen before.
“Whatever, mate, that was ages ago”
A delightful phrase has been appearing in dozens of newly published government responses to committee reports and inquiries from years ago:
“The Government notes this recommendation. However, given the passage of time since this report was tabled, a substantive Government response is no longer appropriate.”
As the Guardian explains, “Senate statistics show more than 300 reports from as far back as 2002 have never had a final response from the government of the day.”
The Albanese government has said it’ll try to do better, and is clearing the decks.
But it’s worth reading the Guardian piece to see which reports will presumably never be responded to, including those relating to “A Certain Maritime Incident” (the children overboard affair), and allegations of maltreatment at the Nauru and Manus concentration camps.
560M Ticketmaster customers’ data for sale
Hacker collective ShinyHunters reckons it has 1.3 terabytes of data from Ticketmaster and its parent company Live Nation, which it’s selling for US$500,000.
“560 million customers full details (name, address, email, phone),” ShinyHunters said in its post. “Ticket sales, event information, order details.”
Although Risky Biz News says maybe not.
ABC News says Home Affairs is on the case. I feel reassured.
As an aside, Live Nation/Ticketmaster is being hit with an anti-trust lawsuit by the US Justice Department.
Little new news on the MediSecure hack
An analysis by Cyberknow suggests that the data posted for sale is genuine, but it’s possibly being posted by a single threat actor without any infrastructure, rather than an established ransomware gang.
If they were operating within a ransomware system they would have negotiation support and a data leak site to post a threat to the victim. It appears from the limited information that this is not a traditional ransomware extortion shakedown and it begs to wonder [sic] if there was any negotiation or extorting attempt between the threat actor and MediSecure.
Home Affairs minister Clare O’Neil says MediSecure is taking an “unacceptably long time” to confirm how much data has been compromised. Clearly she’s desperate for an announceable when properly-done forensics takes time.
MediSecure’s request for government financial support has been denied.
Are you finding this newsletter useful?
Please do forward it to a friend or otherwise spread the word. Seeing the subscriber numbers steadily increasing is good for my self-esteem.
You might also, should you wish, throw a few bucks into the tip jar. I’m not being paid for this, y’see.
Also in the news
- The National Archives and the Office of the Australian Information Commissioner (OAIC) have called for more open government.
- The Australian government is using drones to track immigration detainees once they’ve been released, somehow.
- The legislation to replace the Administrative Appeals Tribunal (AAT) with a new Administrative Review Tribunal (ART) was passed. As The Mandarin explains, the ART will have a “merit-based hiring process” for tribunal members, “with the intention of restoring public faith in the institution”. As attorney-general Mark Dreyfus said, “as many as 85 former Liberal MPs, failed Liberal candidates, former Liberal staffers and other close Liberal associates” had been appointed to the AAT without any merit-based selection process.
- “The Department of Home Affairs is seven years old (formed in late 2017) but across five core capability measures its maturity rating is still ‘developing’,” reports The Mandarin. It’s all in the Capability Review (PDF). As iTnews highlighted, more than 40% of its business systems have already reached end-of-life, and there’s around 480 of them. The most recent technology strategy to be endorsed by the department is four years old.
- Privacy Commissioner Carly Kind has admitted that the OAIC’s investigation into TikTok, which said there was “no clear and obvious breach of Australian privacy law”, relied on information provided by TikTok itself rather than on technical tests of its own.
- A union survey has found that government tech workers are bullied, underpaid, and looking for a new job. Indeed, as The Mandarin has previously reported, for IT developers there’s a pay gap of around $100,000 a year between the public and private sectors.
- The $17 million to help small businesses adopt AI announced by Ed Husic on Tuesday was already announced in December, reports SmartCompany. “It also echoed similar plans from the Morrison government, but with a third of the budget.”
- I forgot to mention this last time: Australia has signed the Seoul Declaration on Artificial Intelligence.
- “The federal government’s ambassador for gender equity in STEM is being wound up, with existing functions to be slotted into other programs,” reports InnovationAus.
- Australia’s National Cyber Security Coordinator, Lt Gen Michelle McGuinness, says Australia needs a cybersecurity “slip, slop, slap” moment. Remember Sid the Seagull? Before you mock this anti-skin-cancer campaign, it was so successful that now more than one in three Australians has a vitamin D deficiency.
- And also at InnovationAus, this week’s most amusing headline: Labor and Coalition are two cheeks of the same arse on IT.
Inquiries of note
I thought we might see some new inquiries announced this week, but no.
Elsewhere
- Optus has lost its appeal to keep secret the Deloitte forensic report into its massive 2022 data breach. Optus had claimed it was protected by legal privilege. Justice Jonathan Beach said yeah nah. And as Risky Biz News noted, there’s now similar precedents in Canada and the US that cybersecurity incident response and forensic reports are not protected legal documents.
- “Australia is getting a new digital mental health service. Will it help? Here’s what the evidence says.”
- “Research commissioned by Australia Post shows nearly three-quarters (73%) of people have received scam messages about fake delivery tracking and postal services, and another 27% say they have been scam victims suffering financial loss or identity theft,” reports The Mandarin.
- “What does AI mean for Australian democracy? And what can we do about it?” Zoe Jay Hawkins from ANU’s Tech Policy Design Centre has some recommendations, including a coordinated national approach to “the relationship between AI and democracy”.
- “Alphabet Inc’s Google is building out the first undersea fiber [sic] optic cable that will directly connect Africa with Australia, helping to shore up internet access in one of the least-connected parts of the world,” reports Bloomberg.
From the archive
Maybe there’s already too much about eSafety this week, and maybe too much opinion from me, but I can’t help but link to something I wrote in 2021.
- Why Australia's Online Safety Act is an abdication of responsibility. “It's the government's actual job to protect our rights and freedoms, but when it comes to online it simply can't be bothered.”
One might be tempted to add: not just online.
What’s next?
The House of Representatives continues Monday to Thursday this week. It’s also another week of Senate Estimates hearings, and here’s the program.
Any questions or comments? Just reply to this email. Cheers.
The Weekly Cybers is a personal look at what the Australian government has been saying and doing in the digital and cyber realms, on various adjacent topics, and whatever else interests me, Stilgherrian, published every Friday afternoon (nearly).
If I’ve missed anything, or if there’s any specific items you’d like me to follow, please let me know.
If you find this newsletter useful, please consider throwing a tip into the tip jar.
This is not specifically a cyber *security* newsletter. For that I recommend Risky Biz News and Cyber Daily, among others.