The Weekly Cybers #35
What a week! A burst of legislation from privacy to misinformation to hate speech, an anti-scam “plan”, Meta gets caught out, and much more.
Welcome, and what a huge week!
The government delivered a blast of legislation this week, none of which had been listed on the draft legislation program. Clearly some announceables were needed.
There’s the long-overdue Privacy Act reform, laws meant to address misinformation and disinformation and publishing hate speech, and even an exposure draft for an anti-scam plan.
And we also discovered what in some ways comes as no surprise, the fact that Facebook and Instagram posts became fodder for Meta’s AI program.
Finally, an updated Privacy Act
The long-awaited reform of Australia’s Privacy Act 1988, the first major set of changes since it was first passed in the second half of last century, finally made it to parliament this week.
Behold, the Privacy and Other Legislation Amendment Bill 2024.
There are some good bits. There’s finally a statutory tort for serious invasion of privacy, something that’s been in the pipeline for more than a decade, for example.
But as UNSW’s Katharine Kemp writes, “the new bill doesn’t touch most of the substantive principles in our privacy law”, leaving them stuck in what was largely a pre-internet age.
“It continues to leave Australians at the mercy of rampant tracking, targeting and profiling by data brokers, major retailers, rental platforms and data-matching firms. Catastrophic data breaches flow from poorly regulated data practices — and we’re still not protected.”
And while the government says this is the “first tranche” of reform, we won’t see an actual timetable until after the election some time next year. Maybe some more will happen before then, maybe not. I guess it depends on the focus groups.
InnovationAus has a similar analysis, writing that it won’t deliver on the most ambitious recommendations of the 2022 review. And at Guardian Australia, Paul Karp reckons Australia’s privacy laws are still lagging behind.
The missing recommended changes include “a new right for individuals to ask companies to delete their personal information, a removal of the current carve-out of privacy law for small businesses, and a shift away from using ‘implied consent’ to collect data”.
New privacy law to outlaw doxxing
The bill would also criminalise doxxing, the malicious release of personal information, with a maximum penalty of seven years' jail.
But as Kemp writes:
“The introduction of a doxxing offence will not broadly improve the way organisations treat our personal data. Most privacy harms are not caused by the publication of personal details that is ‘menacing or harassing’ under criminal law.”
Curiously, even the ad industry is disappointed, calling for a clear timeline so they can work towards whatever changes they’ll need to make to the way they collect data and use it for personalisation.
Finally, misinfo and disinfo legislation
When Elon Musk calls the Australian government “fascists” then you know they’re probably on the right track — at least partially.
Under new laws the Australian Communications and Media Authority (ACMA) would be given powers to pressure tech companies to crack down on misinformation and disinformation on social media platforms.
“[ACMA] would have additional information-gathering, record-keeping, code registration and standard-making powers that would allow them to ensure social media platforms are meeting their obligations. If the platforms do not comply, they could be slapped with a range of penalties, including a maximum fine of 5% of their global revenue.”
Those penalties are in line with the level of fines the EU hands out from time to time.
There are some good things about the bill, the Communications Legislation Amendment (Combatting Misinformation and Disinformation) Bill 2024.
Originally government and political campaigning material would be exempt, but no longer.
Also, the threshold for being problematic is “serious harm... that has significant and far-reaching consequences for the Australian community or a segment of the Australian community; or severe consequences for an individual in Australia”.
There are exemptions for parody or satire, “reasonable dissemination of content for any academic, artistic, scientific or religious purpose”, or “professional news content”.
That last one means, paraphrased roughly, any news content that’s already covered by a code of conduct, such as the rules of the Commercial Television Industry Code of Practice for commercial TV.
This does mean, however, yet another legal definition of journalism which is different from those in other laws — and which continues to be about who the person is rather than whether or not they were genuinely committing acts of journalism.
It’s also worth noting the weasel words of “pressuring” the tech companies to crack down.
The bill does not give ACMA the power to order individual content takedowns. Rather, it requires the platforms to have transparent content moderation processes, a risk assessment plan relating to misinformation and disinformation, and a “media literacy plan”, and keep a variety of records.
ACMA only becomes involved and starts handing out penalties if there’s a failure to follow all the process stuff.
Given the widespread perception that ACMA takes a wet-lettuce approach to regulating the broadcast media, for example, one might wonder whether they will be any more effective against the much larger and richer global internet giants.
Mainstream news can still push misinformation
According to Professor Daniel Angus from QUT’s Digital Media Research Centre, the bill ignores expert advice and doesn’t go nearly far enough.
For a start, there’s that exemption for “professional news content”.
“This is a problem because some mainstream media outlets such as Sky News are prominent contributors to the spread of misinformation. Notably this has included climate change denial, which is a widespread and pressing problem. The bill does not include climate misinformation in its scope.”
There’s also a distinction between misinformation, which is spread by accident, and disinformation, which is spread deliberately.
“This distinction isn’t helpful or necessary. That’s because intent is very hard to prove — especially as content gets reshared on digital platforms. Regardless of whether a piece of false, misleading, or deceptive content is spread deliberately or not, the result is usually the same.”
Meanwhile, soon-to-retire government minister Bill Shorten has responded to Musk.
“‘Elon Musk has more positions on our free speech than the Kama Sutra,’ he told the Today show on Friday. ‘When it’s in his commercial interests, he is the champion of free speech, when he doesn’t like it, he’s going to shut it all down.’”
Thanks for that image, Bill.
Finally, Meta admits to feeding your posts to AI
It took some digging by a parliamentary committee before they admitted it, but yes, Meta has used Australians’ public Facebook and Instagram posts to feed its AI model, both text and photos, with no option to opt out.
Also, people in other countries.
Except Europe. Meta was worried it’d be illegal there, so Europeans can opt out.
After questioning by Labor senator Tony Sheldon and Greens senator David Shoebridge this week, Meta’s global privacy director Melinda Claybaugh finally fessed up.
Ms Claybaugh added that accounts of people under 18 were not scraped, but when asked by Senator Sheldon whether public photos of his own children on his account would be scraped, Ms Claybaugh acknowledged they would.
What about data from previous years of users who were now adults, but were under 18 when they created their accounts? She didn’t know.
BONUS LINK: I spoke about those last two stories on ABC Radio’s RN Drive on Thursday: New disinformation laws, Meta taking your data for AI. Note that I got something wrong. The misinformation exception for political material has been dropped, not continued.
Albo says the kids social media ban will happen
It’s rolling out quickly, which means it’ll definitely happen with care and professionalism and be totally based on evidence.
On Sunday, South Australia announced that it’s moving ahead with its own war on social media. New laws would make the platforms themselves responsible for any under-14s found there, and under-16s would need parental consent.
Their justification is a massive report (PDF) by former High Court chief justice Robert French which even includes a draft bill.
Then on Monday, prime minister Anthony Albanese vowed to introduce a bill to create a national ban on children on social media this year. He didn’t specify a minimum age, but he wouldn’t object to it being 16.
Tender issued for age assurance technology trial
The specifics of the proposed ban will come once the communications department has finished its trial of age assurance technology — or rather its contractor has.
A tender has been issued which confirms that the government will be looking at age assurance technologies including age estimation based on face biometrics — which is to say, guessing — as well as age verification through the use of some sort of credential.
The tender documents specify two goals: determining whether someone is 18 years or older; and, for the 13 to 16 age range, determining the user’s age.
The first is about porn. The second is about social media.
As BiometricUpdate.com wrote:
“Technologies considered for the latter age group will include biometric age estimation, along with email verification and device-level mechanisms. For content restricted to those 18 and older, the government wants to trial double-blind tokenised attribute sharing, as well as credit cards.”
Trials elsewhere have shown the problems.
Albo yearns for an imaginary childhood
On Wednesday, Albanese pushed his social media bans in Murdoch tabloid the Herald Sun in a curiously titled piece, We want children to have their childhood.
“I want young Australians to grow up playing outside with their friends, on the footy field, in the swimming pool, trying every sport that grabs their interest, discovering music and art, being confident and happy in the classroom and at home. Gaining and growing from real experiences, with real people. We want children to have their childhood. We want parents to have peace of mind.”
Because nothing bad ever happens outside, right?
In that article Albanese mentions the child protection charity Alannah & Madeline Foundation, but they reckon an age ban is irrelevant.
“‘It might actually create more harm,’ [chief executive Sarah Davies] said. ‘It’s not that raising the age is a bad thing; it’s just it’s completely irrelevant to the drivers and causes of the risks and the harms that children and young people face online.’”
As that Guardian Australia piece just linked to notes, the Australian Association of Psychologists says all this is “a distraction from the real issues at hand”, which are about making social media safer.
“The chief executive of Headspace, Jason Trethowan, said banning access to social media was ‘a blunt instrument that may have unintended consequences.’”
And as QUT’s Professor Axel Bruns and I discussed in our recent podcast, Albanese may well be pushing all this because both News Corp and Essential’s polling says the majority of Australians support a social media age ban, even though there seems to be little other evidence in favour.
Scimex has a lot more expert reaction.
Also in the news
- The Criminal Code Amendment (Hate Crimes) Bill 2024 was finally introduced, although it’s missing a more general ban on such things as inciting hatred, serious contempt, revulsion, or severe ridicule.
- Assistant treasurer Stephen Jones says that banks and social media platforms who fail to meet anti-scam obligations will be forced to pay compensation to victims and face fines of up to $50 million.
- The Australian Public Service Commission has released the report on its Centralised Code of Conduct Inquiry into the robodebt affair. In a statement by the commissioner it has been confirmed that no public servants have been or will be sacked despite 97 breaches of the code of conduct.
- SBS has commissioned a docudrama about robodebt to air in 2025.
- In a typically wry lede from Julian Bajkowski at The Mandarin, “The Australian Signals Directorate has been brought in to sniff test an Australian National Audit Office examination of Defence’s IT security.”
Elsewhere
- From Publicis Sapient, The future of digital identity in Australia and their annual Digital Citizen Report, the latter being behind a regwall. As The Mandarin reports, “A third of lower-income Australian households need help finding or using online government services”.
- Adelaide company Fivecast is using an AI web crawler to help Five Eyes nations monitor the web to detect insider threats.
- Kids in families with too much screen time struggle with language skills. Add in a low income and parental stress and you’ve got childhood behaviour problems.
Inquiries of note
- That scam prevention proposal mentioned above? Treasury has released some exposure draft legislation for this Scams Prevention Framework. Submissions close 4 October.
- The Joint Committee of Public Accounts and Audit has launched an inquiry into the use and governance of AI systems by public sector entities. Submissions close 25 October.
What’s next?
Parliament continues this Monday 16 September, but only the Senate.
According to the Senate’s draft legislation program there’s nothing of interest for us, but then this week’s program didn’t mention all this new legislation either.
And on Thursday 19 September the Senate Select Committee on Adopting AI will be tabling its report.
The Weekly Cybers is a personal look at what the Australian government has been saying and doing in the digital and cyber realms, on various adjacent topics, and whatever else interests me, Stilgherrian, published every Friday afternoon (nearly).
If I’ve missed anything, or if there are any specific items you’d like me to follow, please let me know.
If you find this newsletter useful, please consider throwing a tip into the tip jar.
This is not specifically a cyber *security* newsletter. For that I recommend Risky Biz News and Cyber Daily, among others.