The Weekly Cybers #76
Australia’s social media age restrictions are in the news again, the Qantas data breach wasn’t so “sophisticated” after all, and much more.
11 July 2025
Welcome
It’s not often that digital policy is in the headlines for weeks at a time, but that’s exactly what’s happening with the Australian government’s ongoing battle with the social media giants.
There’s further news that the age assurance tech trials might not be all they’re cracked up to be — although we’re still being told to wait for the final report later this month.
The eSafety Commissioner has released more data supporting her claims.
And that Qantas data breach turns out to have hinged on a single phone call. “Sophisticated attack” indeed!
Mixed message from age assurance tech trial
News expands to fill a vacuum, so of course the government’s battle for social media age restrictions is in the headlines again this week.
To recap, we were assured three weeks ago that “Age assurance can be done in Australia and can be private, robust and effective,” or so said the organisation running the tech trials, the Age Check Certification Scheme (ACCS).
But some observers, including some of the project’s own stakeholder advisory board, had their doubts. Wait until you see the final report, said ACCS.
Well, Crikey has now seen a draft of that report, and the experts have even greater concerns.
“They worry that its broad declarations are not backed up by evidence, that the results are based on surprisingly limited testing, and that the evidence provided suggests that age-check technologies may not be as ready as suggested,” reports Crikey.
When asked about various figures in the report, the trial director Tony Allen said he “did not recognise the numbers that you are quoting” and that any reporting with those figures “will be false if these are the numbers you are quoting”.
Watch this space.
eSafety Commissioner releases contested YouTube research
The eSafety Commissioner has released the report Digital use and risk: Online platform engagement among children aged 10 to 15.
Among the headlines figures are that 71% had encountered content associated with harm, 52% had been cyberbullied, 24% had experienced online sexual harassment, and 14% had experienced online grooming-type behaviour.
YouTube was the most commonly used platform — although the government has said repeatedly that it may not be included in the age restrictions — but is far from being the most hazardous to kids.
Meanwhile, YouTubers have pushed back, particularly since the platform told them the age restrictions could “impact you, your channel, your audience and the broader creator community”.
eSafety’s next report, Connected, curious, cautious: Children’s engagement in the digital world, is due for release in August.
The age restrictions net spreads to search engines
It kinda sneaked through, but at the end of June the eSafety Commissioner introduced rules forcing age checks for search engines.
As ABC News reported, from 27 December Google and Microsoft will have to use some form of age-assurance technology on users when they sign in, or face fines of almost $50 million per breach.
The rules are part of three of the nine codes submitted to eSafety by the online industry, “creating safeguards to protect children from exposure to pornography, violent content, and themes of suicide, self-harm and disordered eating”, according to the commissioner’s media release.
“The three include a code relating to search engine services, as well as codes covering enterprise hosting services and internet carriage services such as telcos,” said eSafety Commissioner Julie Inman Grant.
She has asked the industry to make further changes across some of the codes, including to strengthen protections around AI companions and chat bots to ensure these provide “vital and robust protections”.
“We are already receiving anecdotal reports from school nurses, that kids as young as 10 are spending up to five hours a day with AI chatbots, at times engaging in sexualised conversations and being directed by the chatbots to engage in harmful sexual acts or behaviours,” she said.
Meanwhile, social media service Bluesky is rolling out age verification in the UK. The UK’s Online Safety Act requires platforms with adult content to implement age verification by 25 July.
“Sophisticated” Qantas attack just a phone call?
So you know that data breach from a Qantas call centre we mentioned last week? It was a “sophisticated” attack, right? I mean, they always are.
Well, is making a single phone call “sophisticated”? Sure, the attackers did their research so the call sounded convincing, but at the core of it they still just phoned in, asked for access, and were given it — and 5.7 million customers’ data was stolen.
Qantas has been contacting affected customers, who’ve had different data stolen depending on who they are.
For many, the data was their name, Qantas Frequent Flyer number, and their membership tier. But for others it included everything from their date of birth and physical addresses to their Chairman’s Lounge membership data ($), should they be so lucky, and even their meal preferences.
Qantas says they’ve been contacted by a potential threat actor, which seems a little late in the process. The data has already bolted.
IF YOU’VE FOUND THIS NEWSLETTER HELPFUL, PLEASE SUPPORT IT: The Weekly Cybers is currently unfunded. It’d be lovely if you threw a few dollars into the tip jar at stilgherrian.com/tip.
Also in the news
- The government’s expert adviser on antisemitism, Jillian Segal, has released her plan to combat antisemitism, which would include monitoring media organisations old and new “to avoid accepting false or distorted narratives”. This story is more adjacent to the business of the newsletter rather than a core item, but it certainly has the potential to make an impact.
- Well spotted, Karen Middleton. The recent machinery of government changes which moved the Australian Federal Police and ASIO out of the Attorney-General’s Department and back to Home Affairs highlight a long delay in federal electronic surveillance reforms. I won’t try to summarise it here. You should read it for yourself. The background is all in the review, Reform of Australia’s electronic surveillance framework.
- For those of you really into the machinery of government, here’s the updated ministry list and guide to responsibilities.
- The Reserve Bank of Australia has kicked off tests of 19 pilot cases which are intended to lead to a wholesale central bank digital currency (CBDC).
- You’ve probably already seen this one: Elon Musk’s chatbot Grok repeatedly praised Hitler and even referred to itself as “MechaHitler”.
- Australian doctors have called for a clampdown on social media influencers allegedly glamorising poker machines.
- “Nursing student Mark McLauchlin says Murdoch University has falsely accused him of using AI to complete an assessment,” reports ABC News. “He says he used a grammar checking tool the university recommended to complete the assignment, but the university has knocked back multiple appeals of its decision.”
- Also from ABC News, “GPs and hospitals are turning to AI scribes, so how does it work and what are the risks?”
- “Home internet and mobile connectivity are now considered essential by the vast majority of Australians,” says the Australian Communications Consumer Action Network (ACCAN). “Price is the number one factor when choosing a plan, yet few people are actively checking the market for a better deal.”
- The Australian Cyber Security Centre (ACSC) has new guidance for small businesses to protect your devices and accounts.
- From The Conversation, “Does AI actually boost productivity? The evidence is murky.”
NEW PODCAST: Any moment now, Donald Trump might cancel AUKUS, the massive defence agreement which among other things would see Australia buying eight nuclear-powered submarines. We still don’t know what’s happening. But do we need it? Sam Roggeveen head of the Lowy Institute’s International Security Program, thinks not. Listen to The 9pm AUKUS and the Echidna with Sam Roggeveen, under The 9pm Edict in your podcast app of choice.
Elsewhere
- US digital rights group Electronic Frontier Foundation (EFF) has investigated software used by police to generate incident reports which they allege automatically deletes evidence of when AI was used.
- A person unknown has used an AI-generated voice to impersonate Marco Rubio, the US Secretary of State, in calls to three foreign ministers and two American officials.
- From WIRED, “People are using AI chatbots to guide their psychedelic trips”. What could possibly go wrong?
- Friend of the newsletter Justin Warren, a known digital rights enthusiast, has posted his musings on the new book The AI Con.
Inquiries of note
Nothing new yet. Patience, Butterfly.
What’s next?
Parliament is scheduled to return on Tuesday 22 July, which is now just a week and a half away. Are you getting excited?
DOES SOMETHING IN THE EMAIL LOOK WRONG? If there’s ever a factual error, editing mistake, or confusing typo, it’ll be corrected in the web archives.
The Weekly Cybers is a personal look at what the Australian government has been saying and doing in the digital and cyber realms, on various adjacent topics, and whatever else interests me, Stilgherrian, published every Friday afternoon (nearly).
If I’ve missed anything, or if there’s any specific items you’d like me to follow, please let me know.
If you find this newsletter useful, please consider throwing a tip into the tip jar.
This is not specifically a cyber security newsletter. For that that I recommend Risky Biz News and Cyber Daily, among others.