November 29, 2024

The Weekly Cybers #46

A massive week for digital policy, including social media age bans for under-16s, new cybersecurity laws, a call for national AI regulation, and even — finally! — updates to the Privacy Act.

The Weekly Cybers #46 | 29 November 2024

Welcome

For a newsletter that’s “a personal look at what the Australian government has been saying and doing in the digital and cyber realms”, this week has been like crack to a baby.

The biggest rush was the new law to ban under-16s from social media, and yes it was definitely passed in a rush.

There’s also new cybersecurity laws, a whole bunch of changes to the Privacy Act which we’ve been waiting for for four years, a call for national AI regulations — but no longer a misinformation law.

Australia’s under-16 social media ban is now law

The biggest story, or at least the one that’s scored all the global attention, is of course the rushed passing of the Online Safety Amendment (Social Media Minimum Age) Bill — so rushed that parliamentary staffers have yet to compile and post the final consolidated text.

We had a lot about the ban for under-16s last week, and there’s plenty of commentary elsewhere. You may have noticed. So today I’ll mostly stick to what’s actually in the new laws as passed on Friday morning, rather than what the politicians are saying.

• The Online Safety Act now has a new concept, an age-restricted social media platform in section 63C, which is defined differently from the term social media service in section 13.

• Despite criteria being set out for what’s in and what’s out, the communications minister can simply declare something to be such a platform, or not be such a platform.

The criteria for an age-restricted social media platform are: (i) the sole purpose, or a significant purpose, of the service is to enable online social interaction between 2 or more end-users; (ii) the service allows end-users to link to, or interact with, some or all of the other end-users; (iii) the service allows end-users to post material on the service; (iv) such other conditions (if any) as are set out in the legislative rules.

• No matter what the minister or anyone else has been saying, the law does not specifically list any platforms or even any types of platforms. It’s entirely down to what the minister, or any future minister, might decide in their legislative rules.

• The key sentence is that a platform can be listed as age-restricted “if the Minister is satisfied that it is reasonably necessary to do so in order to minimise harm to age-restricted users”. They have to seek advice, but in the end it’s still down to their feelpinion.

• Even if a platform fits the criteria for being age-restricted the minister can decide it isn’t, based on the vibes of it.

• The eSafety Commissioner is empowered to “formulate, in writing, guidelines for the taking of reasonable steps to prevent age-restricted users having accounts with age-restricted social media platforms”.

• What constitutes “reasonable steps” is still to be determined, in part through the age assurance trials which haven’t even started yet, and which will report in about six months.

• Platforms can’t demand you use the government digital ID, myID, or any other government-issued identification material. However they can choose to offer that as a method, provided they also offer other methods which are “reasonable in the circumstances”.

• All under-16s are banned, even if their parents would like to allow them access.

• Every social media user will have to prove they’re not under 16, of course. This affects everyone.

• On the other hand, the law is about creating accounts. There’s nothing to stop you viewing whatever content is public.

• The law will come into force within 12 months of assent, a change from at least 12 months. After that date the laws must be reviewed within two years.

Meanwhile, independent MP Zoe Daniel introduced the Online Safety Amendment (Digital Duty of Care) Bill, which would implement a risk-based approach that was actually recommended by the Joint Select Committee on Social Media and Australian Society — whereas age bans were not.

Even more on the social media age ban

Some random highlights from the thousands of words that have been written this week.

• There’s some good summaries at the Guardian and ABC News, and doubtless at other places too but I don't have time to read everything.

• At the Guardian, Josh Taylor answers the question: “If so many experts oppose a social-media age ban, why is the government intent on rushing it through?”. Meanwhile Anthony Albanese denies the rush is about an early election.

• The Coalition says that enforcing the social media ban will be their “number one priority” if elected next year.

• There’s a vast amount of expert commentary at Scimex.

ALL THIS STUFF IN PODCAST FORM: Digital rights enthusiast Justin Warren will be joining me to talk about all the digital things that have been happening lately, plus whatever else comes to mind. Look for The 9pm Edict in your podcast app from Thursday 5 December.

Cybersecurity act sets IoT standards, mandates ransomware reporting

While everything else was going on, a bunch of new cybersecurity legislation was passed.

The new laws include: mandatory reporting of ransomware attacks; security standards for “connectable products”, by which they mean internet of things (IoT) devices; protection of information provided during cybersecurity investigations; and the creation of a Cyber Incident Review Board.

There’s a decent summary at InnovationAus.

Industry responds with mixed feelings.

For all the details you’ll need to check out the Cyber Security Bill and its friend the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill.

Goodbye to the misinformation bill

The government has dumped its misinformation bill. It had been rejected by the Coalition, the Greens, and some crossbench senators, meaning there was no way it was going to pass.

The Communications Legislation Amendment (Combatting Misinformation and Disinformation) Bill had also been opposed by legal experts, human rights and civil liberties organisations, and of course media companies.

The final report of the Senate committee looking at the legislation includes a lengthy lament.

“Some of the views put forward to the committee were deeply polarising, and some were highly offensive. Some expressed concerns at the claims they had heard about the bill rather than the actual content of the bill... On this occasion, while there is widespread agreement on the issue, we have not found agreement on the solution. While many members of this Parliament have worked constructively on this issue, others have placed their political positioning ahead of compromise and community safety.”

So far there’s no indication of what might happen next.

Senate report recommends national AI regulation

In a week when too much digital policies barely enough, the Senate Select Committee on Adopting Artificial Intelligence has called for “whole-of-economy, dedicated legislation to regulate high-risk uses of AI”.

There’s a dozen more recommendations, which I haven’t had time to think about.

The Guardian chose to highlight that Amazon, Google, and Meta are “pillaging culture, data and creativity” to train AI.

You might like to check out the full report for yourself.

IF YOU FIND THIS NEWSLETTER HELPFUL, PLEASE SUPPORT IT: The Weekly Cybers is currently unfunded, and this week it look quite some time. It’d be lovely if you threw a few dollars into the tip jar at stilgherrian.com/tip. Or just forward this email to others who might like it.

Also in the news, yet more new laws

Well, there’s three more which are relevant to this humble newsletter.

• Parliament passed a major review of Australia’s privacy laws, the Privacy and Other Legislation Amendment Bill, which has been four years in the making. There’s a lot there, so I may return to it next week.

• The Surveillance Legislation (Confirmation of Application) Bill passed. As we explained last week, this legitimises the evidence gathered during Operation Ironside against the AN0M encrypted network. There’s further commentary at Seriously Risky Business.

• The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill passed, it being part of the cybersecurity legislation package mentioned above.

Also in the news, some other things

• Hardware megalith Bunnings wants to keep scanning your face (archive) even though they were told it breaches privacy laws.

• The Privacy Commissioner has found that Master Wealth Control Pty Ltd (DG Institute) and Property Lovers Pty Ltd were scraping data to target vulnerable people for their make-money-fast investment schemes, something she said was “unlawful and interfered with the privacy of individuals”. “Both companies have been linked to Ms Dominique Grubisa and provided similar training courses to members of the public with a focus on property investment.”

• From Cyber Daily, news that mortgage broker Finsure has confirmed a “cyber incident” affecting almost 300,000 customers and brokers.

• Also, data on 47,000 Telstra employees is up for sale on a popular hacking forum.

• Australia Connect, a consortium of Google Cloud, NEXTDC, SUBCO, Vocus, and state and local governments, is building two new subsea cables to Christmas Island and thence to Singapore and the US.

• The independent national security legislation monitor, Jake Blight, has said he’ll open an inquiry next year into the official definition of terrorism, which is unchanged since the 9/11 attacks.

Elsewhere

• “Australian and Philippine authorities have conducted a major raid at a scam centre in Manila, arresting hundreds of people allegedly linked to a transnational romance scam racket,” reports Information Age.

• UNESCO says six in ten online influencers don’t check their facts, and calls for “urgent” fact-checking training.

Inquiries of note

• Treasury is looking for feedback on the Consumer Data Right rules, specifically the scope for bank lending and banking data. Submissions close 24 December. Happy Christmas.

• There’s a Senate inquiry into the Scams Prevention Framework Bill 2024. Submissions close 9 January 2025.

• There’s also an inquiry into the Health Legislation Amendment (Modernising My Health Record—Sharing by Default) Bill 2024. Submissions close 10 January 2025.

• Plus there’s all those we listed last week.

What’s next?

Parliament is now on its long summer break until Tuesday 4 February 2025. Committee work continues, but there’s nothing directly relevant to this newsletter in the coming week.

DOES SOMETHING IN THE EMAIL LOOK WRONG? If there’s ever a factual error, editing mistake, or confusing typo, it’ll be corrected in the web archives.

---

The Weekly Cybers is a personal look at what the Australian government has been saying and doing in the digital and cyber realms, on various adjacent topics, and whatever else interests me, Stilgherrian, published every Friday afternoon (nearly).

If I’ve missed anything, or if there’s any specific items you’d like me to follow, please let me know.

If you find this newsletter useful, please consider throwing a tip into the tip jar.

This is not specifically a cyber *security* newsletter. For that that I recommend Risky Biz News and Cyber Daily, among others.