The Weekly Cybers #79
Even more about Australia’s social media age restrictions including the actual rules, a little on the UK’s efforts, plenty of new legislation, and much, much more.
1 August 2025
Welcome
It’s a big one this week, thanks to the social media age restrictions — something which affects every single internet user in Australia. Naturally I’ve written a bunch on that.
With the second Albanese government gearing up there’s also a lot of new legislation: intelligence oversight, payment systems, deepfake child abuse material.
And there’s more than 20 more stories from Australia and around the world. Enjoy.
Australian families, Albo has your back
We finally have the legislative rules that will determine which platforms are in and which are out of the age restriction regime come December — unless the minister decides to just add or delete platforms based on the vibes of it all.
Prime minister Anthony Albanese began Wednesday’s press conference with a solid kick to the emotionals, introducing three parents who’d lost their teenagers to suicide — two after long-running eating disorders, one after comprehensive bulling both online and offline, all taking their own lives.
One even carried an urn containing his dead daughter’s ashes.
“We want Australian parents and families to know that we’ve got your back,” Albanese said. “We know this is not the only solution, and there’s more to do, but it will make a difference.”
Most of the press conference was rhetoric. I’ll skip the rest of it.
Over at the Guardian, Josh Taylor has a great explainer, but let’s also dig into it a bit.
What is an age-restricted social media platform?
So back in November, a new section 63 of the Online Safety Act 2021 added a new definition, age-restricted social media platform:
(i) the sole purpose, or a significant purpose, of the service is to enable online social interaction between 2 or more end-users; (ii) the service allows end-users to link to, or interact with, some or all of the other end-users; (iii) the service allows end-users to post material on the service; (iv) such other conditions (if any) as are set out in the legislative rules...
That last bit means the communications minister can add in any service they like. There’s also a bit which says a platform can be excluded from the rules on ministerial whim.
Note that this is quite separate from the definition of a social media service used elsewhere in the Act and defined in section 13. Yes, there’s two categories of online thing, and a thing can be in either category, or both, or neither.
What we got this week was the Online Safety (Age-Restricted Social Media Platforms) Rules 2025, which sets out...
Classes of services that are not age-restricted social media platforms: (1) For the purposes of paragraph 63C(6)(b) of the Act, electronic services in each of the following classes are specified: (a) services that have the sole or primary purpose of enabling end-users to communicate by means of messaging, email, voice calling or video calling; (b) services that have the sole or primary purpose of enabling end-users to play online games with other end-users; (c) services that have the sole or primary purpose of enabling end-users to share information (such as reviews, technical support or advice) about products or services; (d) services that have the sole or primary purpose of enabling end-users to engage in professional networking or professional development; (e) services that have the sole or primary purpose of supporting the education of end-users; (f) services that have the sole or primary purpose of supporting the health of end-users; (g) services that have a significant purpose of facilitating communication between educational institutions and students or students’ families; (h) services that have a significant purpose of facilitating communication between providers of health care and people using those providers’ services.
Despite all the news headlines saying that YouTube now comes under the rules and LinkedIn doesn’t, it’s important to note that the rules do not mention any specific services by name. That decision is down to the eSafety Commissioner.
I’m guessing that the platforms named by the minister in press conferences will now be chatting with their lawyers — although the commissioner has already named a few informally.
The Explanatory Memorandum (PDF) discusses how the sole, primary, or significant purpose of a platform is intended to be understood:
“[R]egard should be had to, amongst other things, the features and functions of the platform; how these features and functions are deployed and how they influence user engagement, behaviour and experiences, and the actual, rather than simply stated, use of the platform,” it says.
“The platform’s espoused objectives may also be relevant, but should be given less weight than the platform’s features and functions and user experiences, and cannot be considered in isolation from other factors. This is because the way a particular service classifies or markets itself may or may not reflect community understanding and usage, and may not be consistent across various contexts or forums.”
The memorandum also includes some background information that is, in essence, the sales pitch for the rules, as well as some discussion of the “targeted stakeholder consultation” that took place in February and March. Note that there was no public consultation. You can read all that for yourself.
And here’s even more on the social media age restrictions
- From Leo Puglesi, the youthful managing director of 6 News Australia, “The more governments try to restrict social media use, the more young people will find ways to get around it”.
- YouTube says it’ll use AI to guess users’ ages in the US.
- From The Conversation, “Should YouTube be included in Australia’s social media ban for kids under 16? We asked 5 experts”.
- If the government’s aim is to reduce the risks to teenagers’ mental health, maybe they should’ve put money in the Budget.
Meanwhile, there’s the UK’s Online Safety Act
Last Friday the UK went live with its own internet age-gating as part of its Online Safety Act.
- Pornography sites are reporting an extra five million age checks a day and a surge in VPN use.
- As of Thursday night Australian time, VPNs made up 4 out of 5 most-downloaded apps on Apple's App Store.
- The Register explores how VPNs can easily bypass the restrictions, and why banning VPNs wouldn’t work anyway.
I’ll have more on the UK experience next week.
Four intelligence agencies to get more oversight
The government’s Strengthening Oversight of the National Intelligence Community Bill 2025 will bring four additional agencies under the purview of the Inspector-General of Intelligence and Security (IGIS) and Parliamentary Joint Committee on Intelligence and Security (PJCIS): the Australian Criminal Intelligence Commission (ACIC), and the the Australian Federal Police (AFP), the Australian Transaction Reports and Analysis Centre (AUSTRAC), and the Department of Home Affairs.
There’s a lot of detail in the 97-page bill, including amendments to 15-odd further acts to make sure everything joins up, but at a first skim it seems like a good idea.
Defence hackers not liable for inadvertent privacy breaches
Schedule 3 of the bill is interesting. According to the Explanatory Memorandum, it’s meant to provide “an exemption from civil or criminal liability” for defence officials if, when conducting legitimate defence operations, they inadvertently interfere with someone’s rights to privacy under Article 17 of the Article 17 of the International Covenant on Civil and Political Rights (ICCPR).
Article 17: 1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. 2. Everyone has the right to the protection of the law against such interference or attacks.
As I understand it — and remember I am not a lawyer — this means that if the Australian Defence Force is doing a bit cybering against some foreign target and they inadvertently breach an individual’s privacy, or cause a cyber problem inside Australia, individuals are not personally liable. Provided they’ve d=followed proper process, that is.
All this takes up three pages of the bill. If anyone has a proper analysis of this, please let me know.
Also in the news
- ASIO has disrupted 24 “major espionage and foreign interference” operations in three years, said intelligence chief Mike Burgess in a major speech this week. It’s worth reading the whole thing for some fascinating details.
- Australia’s spy systems need reforming, according to a new report from the Australian Strategic Policy Institute (ASPI). As The Nightly reported, “when young intelligence officers join, some discover an unexpected problem: their office computers and software are less powerful than the personal mobile phones banned from their desks”.
- Encrypted messaging app Signal has said it may withdraw from Australia if the government pushes for backdoor data access.
- X tried to argue in the full Federal Court that an eSafety Commissioner takedown notice wasn’t valid because it was served to Twitter Inc, and that company ceased to exist when everything became X. They lost. As the Guardian reported, “X has several concurrent court cases running against eSafety. The X loss today means, barring a high court appeal, the case eSafety brought in the federal court seeking a fine of up to $610,500 can now proceed”.
- Atlassian co-founder Scott Farquhar reckons Australia could be major data centre hub for South-East Asia, although why you wouldn’t do that in Singapore to reduce latency time is beyond me. Check his full address to the National Press Club.
- “The Department of Veterans' Affairs (DVA) is preparing to pilot artificial intelligence to help manage a growing caseload of 82,645 ex-service personnel seeking financial support,” reports iTnews.
- That DVA trial will use the new GovAI platform. The Mandarin says that prioritises safety and ethics.
- Crypto and online casino billionaire Ed Craven is investing millions to build an Australian ChatGPT, reports the Financial Review.
- Something for the oldies out there: “A Melbourne-based tech businessman has revived the Ansett brand as an ‘AI-powered’ online travel agency,” reports Cyber Daily.
- I’m sure this will come as a shock: AI doesn’t get sarcasm in non-American varieties of English.
- The US has gutted its climate data-gathering programs, which in turn threatens Australian forecasting.
- The recent data breach from Clive Palmer’s political parties highlight the privacy risks for political parties, which hold plenty of personal information but are exempt from the Privacy Act.
- The CSIRO-run science magazine COSMOS has been caught running made-up quotes in what are almost certainly AI-assisted articles. In any event, CSIRO will be closing down COSMOS at the end of the year.
- From The Conversation, “Big tech says AI could boost Australia’s economy by $115 billion a year. Does the evidence stack up?”.
- There’s some interesting research from the au Domain Administration (auDA) in their report * Digital Lives of Australians*, but I’ve only skimmed it so far.
- Back in June, Privacy Commissioner Carly Kind spoke at the launch of Privacy Awareness Week. IIS Partners has some analysis of what she said, which I only found this week.
IF YOU’VE FOUND THIS NEWSLETTER HELPFUL, PLEASE SUPPORT IT: The Weekly Cybers is currently unfunded. It’d be lovely if you threw a few dollars into the tip jar at stilgherrian.com/tip.
Elsewhere
- The recent violence on the Thai-Cambodian border is in part linked to cyber-scam slave camps.
- From the New York Times, “AI researchers are negotiating $250 million pay packages. Just Like NBA stars” (gift link).
- From Fortune, “Silicon Valley’s billions of dollars on AI haven’t actually generated a return yet. Here’s why most companies should embrace ‘small AI’ instead”.
- From the Carnegie Endowment for International Peace, “The Iran-Israel war signals the emergence of a new wave of AI-generated propaganda that relies on synthetic videos and images to spread competing narratives”.
NEW: Legislation of note
When a bunch of new legislation is introduced in parliament but I don’t have time to cover it all in detail, I’ll split it out into this section.
- Independent MP Kate Chaney introduced the Criminal Code Amendment (Using Technology to Generate Child Abuse Material) Bill 2025, which would criminalise downloading the technology for creating such material, as well as collecting data to train the AI models. There would be defences of doing this for “public benefit” — which is defined narrowly to mean for law enforcement and justice, and for “conducting scientific, medical or educational research that has been approved by the AFP Minister in writing”.
- The new Electoral Legislation Amendment (Electoral Communications) Bill 2025 from independent Zali Steggall seeks to ban inaccurate and misleading election to a material extent, including digitally modified material and deepfakes. Digitally altered material would have to be labelled. She also wants to remove the so-called “media blackout” that bans electoral or referendum advertising in the last three days of voting.
- A similar bill was introduced in the Senate by independent David Pocock, Electoral Legislation Amendment (Electoral Communications) Bill 2025 (No. 2).
- The Treasury Laws Amendment (Payments System Modernisation) Bill 2025. The guts of it seems to be extending the definition of payment system to make sure it captures new payment systems such as buy now pay later (BNPL), cryptocurrency transfers, and all the intermediaries in the value chain — including digital wallets, passthrough services (such as ApplePay and Google Wallet), and even “services that facilitate or enable the exchange of messages, which could include payment instructions, authorisation messages and token keys”.
Inquiries of note
- Home Affairs has launched a consultation on “developing Horizon 2 of the 2023-2030 Australian Cyber Security Strategy”. There’s a discussion paper. Submissions close 29 August.
- The Independent National Security Legislation Monitor (INSLM) is going to review the definition of a “terrorist act” in section 100.1 of the Criminal Code Act 1995, unchanged since 2002. An issues paper will be released at an event in Canberra Monday 11 August. You’ll have about 10 weeks to make written submissions.
- The Whistleblower Protection Authority Bill 2025 has been spun out for a committee inquiry. It’s due to report back by 29 August, so you’ll have to be quick with your submissions. This bill was introduced back in February by senators David Pocock and Jacqui Lambie.
- The Parliamentary Joint Committee on Law Enforcement has resumed its inquiry into the capability of law enforcement to respond to cybercrime.
NEW: This week’s recommended news digest
As promised last week, I’m going to start listing some of the news digests which cover what is more traditionally seen as “tech news”. Changing the plan slightly, though, I’ll mention just one each week.
Today I’ll plug the Daily Cyber and Tech Digest from the Australian Strategic Policy Institute’s Cyber, Technology and Security Program. It incudes stories from around the world relating to cybersecurity, critical technologies, foreign interference, and disinformation. And it’s free.
What’s next?
Parliament is now taking a break until 25 August. As usual I’ll keep an eye on the calendar for anything else of interest.
DOES SOMETHING IN THE EMAIL LOOK WRONG? If there’s ever a factual error, editing mistake, or confusing typo, it’ll be corrected in the web archives.
The Weekly Cybers is a personal look at what the Australian government has been saying and doing in the digital and cyber realms, on various adjacent topics, and whatever else interests me, Stilgherrian, published every Friday afternoon (nearly).
If I’ve missed anything, or if there’s any specific items you’d like me to follow, please let me know.
If you find this newsletter useful, please consider throwing a tip into the tip jar.
This is not specifically a cyber security newsletter. For that that I recommend Risky Biz News and Cyber Daily, among others.