The Weekly Cybers #22
A proposed social media ban for under-16s dominates the news this week. Also, a My Health Record audit, updates on eSafety and robodebt, and much more.
Welcome
I’m surprised, but also not surprised, that the idea of banning young people from using social media is still a live news story. Indeed, it’s now a bipartisan chest-beating exercise in Canberra.
The ban will therefore almost certainly happen, at least in some form.
Meanwhile the administration of My Health Record contacts has been hit with an audit, there’s a reminder that the Basic Online Safety Expectations apply to a lot more than the social media giants, and everything from a ChatGPT bot advising an organisation’s board to some robodebt governance action.
Bipartisan support for under-16 social media ban
The Australian marked it an “exclusive” but I thought we knew this already. Albo supports the proposed social media bans for young people.
Anthony Albanese says a total ban on under-16s from accessing social media is a “good way to go” in curbing the serious online harms impacting children, declaring that Peter Dutton was just playing “catch up” by promising to legislate such a ban within the first 100 days of the Coalition taking office.
Meanwhile opposition leader Peter Dutton said it was “inconceivable” for the giants to allow 13-year-olds on their platforms.
(“You keep using that word. I do not think it means what you think it means,” Mr Dutton.)
The article also quotes Alastair MacGibbon, Australia’s first eSafety Commissioner when it was specifically just for children, and now chief strategy officer at CyberCX.
“I applaud politicians for actually starting to talk about taking action on something that I think deep down most people in the public have wanted a stance on for a while,” he said.
But the technology doesn’t exist (yet?)
MacGibbon said that the technology “still has a long way to go”.
Indeed, this week The Conversation published Age verification for pornography access? Our research shows it fails on many levels, a well-referenced summary of a new paper at Big Data & Society. It’s worth reading.
Over at Crikey, Cameron Wilson used an AI selfie ageing tool to buy a knife. Josh Taylor has further analysis at the Guardian. And there’s even commentary over at Scimex, the Science Media Exchange.
So in summary, the social media ban now has bipartisan support. The communications department will run its pilot, which is about 18-year-olds and porn, not 13-year-olds and social media. It will produce ambiguous results, so a ban using age assurance technology will go ahead even though actual experts know it won’t work.
My Health Record procurement slammed in audit
Procurement processes at the Australian Digital Health Agency (ADHA), which oversees My Health Record (MHR), were rated as “largely fit for purpose” in only one of four areas investigated by the Australian National Audit Office (ANAO). The others, not so much.
In its audit report published in Wednesday, ANAO found that there had been “poor procurement planning and failure to observe core elements of the Commonwealth Procurement Rules”, that identification and assessment of commercial risk had been “limited”, and that the conduct of limited tender processes had been “deficient”.
ADHA had approved additional payments of $699 million to Accenture in its role as the MHR National Infrastructure Operator (NIO) through contract variations.
The NIO contract was first executed with Accenture Australia Holdings Pty Ltd (Accenture) on 27 June 2012 for a total value of $47 million to 30 June 2014. As at February 2024, arrangements with Accenture totalled $746 million for MHR NIO services between 2012 and 2025.
Still ADHA managed to claim back $1.04 million, so I guess it all balances out.
ANAO was also concerned about ADHA’s management of conflicts of interest.
There is a policy relevant to managing gifts and benefits which lacked specificity but has been improved. Chief Executive Officer (CEO) gifts and benefits declarations are not always timely.
ADHA agreed with all but one of ANAO’s recommendations. The recommendation to conduct an open tender for the NOI past 30 June 2025, when Accenture’s current contract expires, was merely “agreed in principle”.
ALSO FROM ANAO: A performance audit of the Digital Reform of the Agricultural Export Systems. One rating of “largely affective” and three ratings of “partly effective”.
Update: Basic Online Safety Expectations
We reported last week that the new Basic Online Safety Expectations (BOSE) had been published, although a new consolidated version has yet to appear.
A friend of the newsletter has reminded us that BOSE doesn’t just apply to social media services but also to any “relevant electronic service” as defined in section 13A of the Online Safety Act 2021.
To cut through the repetitive language of sub-section (1), that includes all services that allow communication via email, instant messaging, SMS, MMS, or chat; any service that allows users to play games with other users; and any service the minister cares to add in.
A definition in section 5 says that “service” includes a website. So yes, BOSE applies to a lot more than just the social media giants.
The only exemption, in section 13A(2), is “if none of the material on the service is accessible to, or delivered to, one or more end-users in Australia”.
As previously reported, a Statutory Review of the Online Safety Act 2021 is currently under way. Submissions close on 21 June, which is exactly one week away.
Update: Big win for robodebt transparency
We reported last week how transparency campaigner and friend of the newsletter Justin Warren scored a major victory in the Federal Court in his long-running FOI battle over the business case for what is now called robodebt.
Since then the Guardian published more details.
Justin posted his own lengthy commentary on the judgment on Mastodon. This paragraph stood out for me.
None of the documents were what I’d call a formal business case in the form I’ve ever been involved with in a variety of enterprise businesses. There were some spreadsheets and some prose, but calling them a “business case” makes them sound way more comprehensive and professional than they actually were.
This is also a good reminder that if you want to make your own FOI requests, the OpenAustralia Foundation’s Right to Know website helps you run the process.
That said, Justin still doesn’t have the documents. This whole case now goes back to the AAT, or more likely its soon-to-be successor, the Administrative Review Tribunal (ART).
Are you finding this newsletter useful? Please do forward it to a friend or otherwise spread the word. Seeing the subscriber numbers steadily increasing is good for my self-esteem.
Also in the news
- The Inspector of the National Anti-Corruption Commission is going to inquire into NACC’s decision not to investigate referrals from the robodebt royal commission, after receiving “nearly 900 individual complaints” about that decision.
- “Defence is set to convert a secret advanced analytics project it has been researching into an actual operational capability.,” reports *iTnews.
- “The Cashless Debit Card was not a welfare policy but a government surveillance policy, according to scholar Shelley Bielefeld,” reports The Mandarin. I bet she cops grief for stating the bleeding obvious. And of course it’s yet another failed attempt to tackle a social problem with blunt technology.
- “The Australian government has announced a partnership with the Australian Financial Crimes Exchange (AFCX), with the National Anti-Scam Centre joining the AFCX’s intelligence loop,” reports Cyber Daily.
- In last week’s edition we noted that the Medical Costs Finder website launched in 2019 spent $24 million to list just 20 doctors. Health minister Mark Butler has of course blamed the previous government for the service “left gathering dust”. “I’ve asked my department for advice on how we can improve the current Medical Costs Finder and transparency,” he said, possibly ignoring the sunk cost fallacy.
- The eSafety Commissioner has called for stronger safeguards on generative AI following the arrest of a student at Bacchus Marsh Grammar School for creating and distributing deepfake images of about 50 female students.
Data breaches and hacks of note
Last week I asked whether people would find a list of the week’s data breaches handy, and two people said yes, so I’ll trial it for a month.
I’ll include breaches of Australian targets or global targets with a significant Australian impact. I won’t pretend it’s exhaustive. Feedback welcome.
- ”Doctors and pharmacists named in a sample of stolen MediSecure data up for sale on the dark web are still waiting to hear from the company,” reports ABC News.
- Panasonic Australia says no data has been stolen after ransomware group Akira claimed that they’d been hacked.
Inquiries of note
Once more there’s nothing new that’s relevant to the remit of this humble newsletter.
Elsewhere
- The Real Estate Institute of New South Wales (REINSW) has “appointed” a ChatGPT bot as a board advisor, supposedly to “enhance decision-making, risk management, and strategic planning. CEO Tim McKibbin keeps referring to the bot’s “memory bank”, perhaps illustrating the recency of his computer knowledge.
- From The Conversation, Satire can spread online as misinformation. Here’s why we still shouldn’t label it. For the avoidance of doubt, that REINSW story is not satire.
- Adobe has released an Australia and NZ edition of the Adobe Future of Trust Study 2024 (PDF). Most people are “optimistic” about generative AI technology, even though they regard misinformation as “one of the biggest threats facing society” and “misinformation and deepfakes will have a significant impact on upcoming elections”. Only 9% say they use GenAI regularly today, but 63% plan to use it more in the year ahead.
- Google reckons AI could add $290 billion in benefits to Australia by 2030 in economic, cyber, and environmental ways. The word “could” is working hard there. Remember to divide by at least seven (because it’s over at least seven years), and note that Australia’s entire GDP is only about $2.6 trillion a year. Still, I admire their creativity.
- X is threatening to take some former Australian employees to court to recover entitlements it claims were overpaid after it bungled the currency conversion from USD to AUD. Apparently in some cases it's up to $70,000.
Please check out my podcast The 9pm Edict
It’s a podcast about things in the news and whatever takes my fancy, and there’s often some fascinating guests.
Last week I spoke with Zoe Jay Hawkins, head of policy design at ANU’s Tech Policy Design Centre. In The 9pm Devilish Deepfakes of Democracy with Zoe Hawkins we talk about the way AI and deepfakes might influence this year’s many elections, the polarisation of the online safety debate, free speech, content classification, and much more.
Look for The 9pm Edict in your podcast app of choice.
And if you like it, please tell your friends and maybe even considering pledging your support to my current crowdfunding campaign, The 9pm Winter Series 2024.
From the archive
Last week we saw calls for all social media users to show ID. It’s a perennial idea that keeps needing to be stamped down.
- Calls to ID social media users is just another Morrison government rush job (11 October 2021). “The government has escalated its war of words against the social media giants, demanding ID for all users. But it’s a strategy that we already know won’t solve the problem.”
It’s yet another case of “We must do something. This is something. Therefore we must do it”.
What’s next?
Parliament is currently on a break and will return on Monday week, 24 June.
It’s only partially relevant to this newsletter, but the Senate inquiry into right-wing extremist movements in Australia is holding a public hearing in Melbourne this Monday 17 June.
Any questions or comments? Just reply to this email. Cheers.
The Weekly Cybers is a personal look at what the Australian government has been saying and doing in the digital and cyber realms, on various adjacent topics, and whatever else interests me, Stilgherrian, published every Friday afternoon (nearly).
If I’ve missed anything, or if there’s any specific items you’d like me to follow, please let me know.
If you find this newsletter useful, please consider throwing a tip into the tip jar.
This is not specifically a cyber *security* newsletter. For that that I recommend Risky Biz News and Cyber Daily, among others.