The Weekly Cybers #21
It’s another week of eSafety! The commissioner’s case against X is dumped, but there are new Basic Online Safety Expectations, and legislation to ban sexually explicit deepfakes. Plus a big FOI win against robodebt, and much more.
Welcome
For some reason it’s another week packed with eSafety news. The commissioner has dropped her legal action against X, but we have a new version of the Basic Online Safety Expectations, and new legislation to combat sexually explicit deepfakes.
Meanwhile there’s been a big win in the Federal Court in a long-running freedom of information case to obtain the original documents that justified the illegal robodebt.
Other keywords to entice you include Medibank being sued, MediSecure declaring insolvency, a robodebt investigation dumped, and drones — or rather no drones.
eSafety Commissioner drops case against X
The eSafety Commissioner, Julie Inman Grant, has dropped the federal court case against X over tweets containing video of April’s Wakeley church stabbing.
“Free speech has prevailed,” crowed Elon Musk.
According to the Guardian, “eSafety would focus on fighting the AAT [Administrative Appeals Tribunal] review launched by X over the merits of the removal request decision.”
In her full statement, Inman Grant reiterated her position.
Our sole goal and focus in issuing our removal notice was to prevent this extremely violent footage from going viral, potentially inciting further violence and inflicting more harm on the Australian community. I stand by my investigators and the decisions eSafety made.
One paragraph stands out for me:
Most Australians accept this kind of graphic material should not be on broadcast television, which begs an obvious question of why it should be allowed to be distributed freely and accessible online 24/7 to anyone, including children.
Which for me raises (not “begs”) another question: Why is the standard being pursued for social media the same as that for broadcast television?
The short answer is “Because that’s how the law is structured”. A slightly better answer might be to put that question on the table in the current review of the Online Safety Act 2021.
I’m not saying I know the answer, but I do suspect that the social and cultural place of social media in 2024 is not the same as broadcast television’s was when the Broadcasting Services Act 1992 was written.
New Basic Online Safety Expectations published
As foreshadowed and explained last week, new rules for online services have now been published as Online Safety (Basic Online Safety Expectations) Amendment Determination 2024, along with an explanatory memorandum — although currently it’s only available as a set of amendments rather than a consolidated document.
The first item is an additional expectation.
6(2A) The provider of the service will take reasonable steps to ensure that the best interests of the child are a primary consideration in the design and operation of any service that is likely to be accessed by children.
There are also major new sections relating to generative AI and “recommender systems”, more specific reporting requirements, and a requirement to implement “appropriate age assurance mechanisms” and “continually seeking to develop, support or source, and implement improved technologies and processes for preventing access by children to class 2 material”.
Those last two are interesting given that, as Information Age reminds us:
Australia is a long way from deciding which tools will be used to limit children’s access to adult material online, while the nation’s eSafety Commissioner said it’s unlikely that age bans for social media access will happen any time soon.
New law to ban sexually explicit deepfakes
Attorney-General Mark Dreyfus introduced the Criminal Code Amendment (Deepfake Sexual Material) Bill 2024 this week, which would create new criminal offences to ban the sharing of non-consensual deepfake sexually explicit material.
In his press release he says:
This Bill will strengthen existing Commonwealth Criminal Code offences, and introduce a new aggravated criminal offence to target those who use technologies to artificially generate or alter sexually explicit material (such as deepfakes) for the purposes of non-consensual sharing online.
The bill dumps the previous definition of “private sexual material” and instead bans “using a carriage service to transmit sexual material without consent”, whether it’s real or not.
There’s also a new definition of what counts as “sexual material” which I’ll leave you to read for yourself. See the new text for section 474.17A(1)(c).
I note, however, that it bans material which “depicts, or appears to depict” this activity, which could lead to some interesting discussions in the Federal Court.
The new penalties are up to six years imprisonment for transmitting such material without consent, or seven years for repeat offenders or for the creation or alteration of the material.
At this stage the bill has not yet been spun out for committee review.
Federal Court win for robodebt transparency
Transparency campaigner and friend of the newsletter Justin Warren scored a major victory in the Federal Court today in a battle over robodebt freedom of information that’s been running for seven and a half years.
The documents at the centre of the case include early business plans produced by the then Department of Human Services — now Services Australia — to justify the unlawful robodebt scheme.
In its judgment, the full bench of the court ruled that Warren had been denied procedural fairness by the Administrative Appeals Tribunal (AAT).
It also clarified the law on the use of the cabinet document exemption, which is often used to deny access to documents.
According to Jacinta Lewin, principal lawyer at Maurice Blackburn Lawyers:
This decision provides much needed clarity on Freedom of Information law and the use of the cabinet document exemption. It is also a case study in perseverance. Robodebt caused significant harm to people who were relentlessly pursued for these false debts. Justin Warren’s attempts to seek answers were relentlessly fought.
The case now goes back to the AAT, or more likely its soon-to-be successor, the Administrative Review Tribunal (ART).
Update 8 June 2024: The Guardian has published more details, and on Mastodon Justin Warren is posting his analysis of the judgment.
Are you finding this newsletter useful?
Please do forward it to a friend or otherwise spread the word. Seeing the subscriber numbers steadily increasing is good for my self-esteem.
You might also, should you wish, throw a few bucks into the tip jar. I’m not being paid for this, y’see.
Also in the news
- The Australian Information Commissioner is suing Medibank over the massive 2022 data breach which exposed the personal information of 9.7 million Australians. In theory the maximum potential fine is around $21 trillion, but obviously that won’t happen.
- Hacked prescription service provider MediSecure has declared insolvency in the wake of their 6.5 terabyte data breach. They had previously asked for government assistance to stay afloat, but that was denied.
QUESTION: I’ve chosen not to list all the data breaches that have been reported recently, such as Ticketek and a certain maker of meat pies, because they tend to get a bit repetitive. But would you like me to include a list each week?
- The National Anti-Corruption Commission (NACC) has dropped its investigation into robodebt players, or rather the six “public officials” referred to it by the robodebt royal commission. It’s worth reading the report at The Mandarin for the full nuances of the NACC’s reasoning, because some of today’s social media frothing about “They’re getting away with it!” misses the mark somewhat. There’s also some solid analysis at the Guardian.
- The government will fight a Federal Court ruling that shredding documents could be a crime. Governments have traditionally shredded paperwork when they lose office to keep them from their opponents and prevent FoI requests, and even when they just shuffle ministers. Justice Natalie Charlesworth ruled against the practice, and the politicians don’t like it. Stay tuned.
- Services Australia is moving its contact centre management from Telstra to Optus later this year.
- “An unnamed Western Australian council has been running its entire IT system from a single physical server, with no vendor agreement on how it could be replaced in a disaster,” reports iTnews.
- I’m always sceptical of “huge costs just to build a website” stories, but it appears that the price comparison site Medical Costs Finder launched in 2019 has spent $24 million but has listed just 20 doctors. At least $17 million of that was about promoting it to doctors, so not the website itself. Still, notch up another government computering failure.
- You know how last week it was reported that the Australian government was using drones to track immigration detainees once they’ve been released? No, it’s not a thing. Apparently they’re just using aerial imagery to check their visa conditions, such as not living near a school or whatever. So, like a map.
Inquiries of note
Once more there’s nothing new that’s relevant to the remit of this humble newsletter.
Elsewhere
- Butts, breasts, and genitals now explicitly allowed on Elon Musk’s X, reports Ars Technica. “It remains unclear if X can detect nonconsensual sex images at scale.” My retort to that is that it’s impossible to detect consent at scale, no matter what the imagery.
- A pro-Russian influence campaign has targeted Australian media outlets, including Australian Associated Press (AAP), The Daily Aus, The Conversation, and the ABC, according to Finnish company Check First.
- From WIRED comes a feature story about the FBI-led sting operation AN0M, the one that involved an encrypted communications app which was actually run by law enforcement. The Australian Federal Police were part of it, but as previously reported, maybe the evidence was gathered illegally.
- This fortnight’s Essential polling included some interesting questions about Australians’ attitudes to AI and social media. It turns out that even among those aged 18–34 some 54% would support raising the minimum age for social media use to 16.
PODCAST UPDATE: This week I spoke with Zoe Jay Hawkins, head of policy design at ANU’s Tech Policy Design Centre, about many of the issues listed here. That conversation will appear as an episode of my podcast The 9pm Edict tomorrow, Saturday 8 June. Watch out for it in your podcast app of choice.
From the archive
From the Overland archive, not mine, a pertinent reminder when MPs are calling for 100 points of ID to use social media.
- Online anonymity is really important, actually (13 October 2021) by Samantha Floreani.
My thanks to Anthony Agius and his daily newsletter The Sizzle for reminding me of this piece.
What’s next?
Parliament is now on a two-week break and will return on Monday 24 June.
Any questions or comments? Just reply to this email. Cheers.
The Weekly Cybers is a personal look at what the Australian government has been saying and doing in the digital and cyber realms, on various adjacent topics, and whatever else interests me, Stilgherrian, published every Friday afternoon (nearly).
If I’ve missed anything, or if there are any specific items you’d like me to follow, please let me know.
This is not specifically a cyber *security* newsletter. For that I recommend Risky Biz News and Cyber Daily, among others.