The Weekly Cybers

October 10, 2025

The Weekly Cybers #88

AN0M sting operation declared legal in Australia, Deloitte refunds part of their $440,000 fee over AI fakery, cops may be given freedom to use abuse images to catch perps, SMS Sender ID Registry rollout starts, and much, much more.

10 October 2025

[CORRECTION: Deloitte will be giving a partial refund of $97,587.11 ($), the cost of their final invoice. $440,000 was the total cost of the AI-riddled report.]

Welcome

We have two interesting examples of the government declaring things legal after there’s disagreement over whether they actually were or not.

The government’s retroactive legislation covering the controversial AN0M sting operation was given a green light by the High Court. And a new bill proposes making Home Affairs’ past handling of people’s mugshots legal too.

In AI news, the big story is that Deloitte will be refunding part of the government spend of $440,000 for a report that was found to have been written with the assistance of AI — ironically about the government’s use of certain algorithms.

And there’s quite a bit more. This week’s edition is already quite long, so I’m sending it now in the hope there won’t be any Friday afternoon specials.

High Court allows AN0M encrypted app sting

The High Court has thrown out a challenge by two South Australian members of the Comanchero biker gang, who were disputing the use of information gathered against them via AN0M, ABC News reports.

AN0M was an encrypted messaging app used extensively by criminals, but actually run by law enforcement agencies as part of a global sting, Operation Trojan Horse. The Australian Federal Police (AFP) component was named Operation Ironside.

The pair had originally challenged the use of AN0M-gathered evidence.

However the government passed retrospective legislation to declare legal the specific 11 warrants which had been issued in that case, and later introduced more general legislation to make such actions legal in the future.

The latter bill is likely to be passed in the next session of parliament.

International ultraviolence, and drugs hidden in sex toys

Meanwhile, new leaked documents show how the FBI convinced a judge to let its international partners collect a mass of encrypted messages from thousands of phones around the world.

Documents published by 404 Media detail secret oceanic rendezvous, drugs hidden in sex toys and scrap metal, and incidents of extreme violence.

“The FBI secretly took over, backdoored, and ran [AN0M] for years as a tech company popular with organised crime around the world,” wrote 404 Media. It was the largest sting operation ever.

Should the cops be allowed to create and send abuse images?

“Child safety advocates are mixed on a proposal to bolster federal police powers to share child abuse material as part of undercover operations targeting paedophile rings,” reports ABC News.

Apparently the perpetrators are increasingly using end-to-end encrypted chat rooms with “security checkpoints” which demand that new users upload child sexual abuse material before they can become members and access more.

The relevant legislation is the Criminal Code Amendment (Using Technology to Generate Child Abuse Material) Bill 2025.

If passed, it would provide a defence against criminal prosecution for creating and distributing such material if “the person is, at the time of the offence, a law enforcement officer, or an intelligence or security officer, acting in the course of the officer’s duties; and the conduct of the person is reasonable in the circumstances for the purpose of performing that duty”.

The question is whether the cops should be allowed to create and keep their own stash of abuse images and upload them for others to share, because the risks and ethical questions are obvious.

To what extent should cops be able to commit their own crimes to stop others’ crimes?

Deloitte admits to using AI fakery

Consulting firm Deloitte will be partially refunding the government after using generative AI to produce a report riddled with errors.

They’ll be returning $97,587.11 of the total $440,000 price.

The irony is that the report was about “the operational functioning ... against policy and legislation” of an already controversial government system, the Targeted Compliance Framework (TCF) used to penalise welfare recipients who miss their obligations.

Back in July, when the report was first published, Dr Christopher Rudge from the Uni of Sydney noticed, as The Register described it, “fake citations, phantom footnotes, and even a made-up quote from a Federal Court judgment”.

A corrected report (PDF) was quietly uploaded on Friday afternoon.

This week Deloitte was slammed in Senate Estimates, and the company may end up being banned from government contracts.

Deloitte says it had used Azure OpenAI GPT-4o, on an instance hosted by the Department of Employment and Workplace Relations.

It’s therefore reassuring, I guess, that the company is now rolling out Anthropic’s Claude AI system to more than 470,000 employees across 150 countries.

Oh, and the report itself?

“The Review was unable to provide assurance that, in its current form, TCF reliably operates or delivers outcomes that are fully consistent with its legislative and policy objectives,” Deloitte wrote.

“The underdeveloped compliance model embedded in the IT system is driven by punitive assumptions of participant non-compliance, with limited safeguards.”

In other words, cutting to the chase of the 10-page (!) exciting summary of a 237-page report, TCF probably doesn’t work and may not even be legal.

SMS Sender ID Register rollout begins

Organisations that use branded sender IDs in their SMS messages (such as “myGov” or “AusPost”) rather than a phone number will need to register them with their telco provider under new rules published by the Australian Communications and Media Authority (ACMA) this week.

The SMS Sender ID Register is intended to reduce the impact of SMS impersonation scams, with any unregistered sender IDs being replaced with “Unverified”.

The system won’t be in force until 1 July next year, but the rollout starts next week:

  • From 15 October 2025 — that’s this coming Wednesday — telcos and electronic message service providers (EMSPs) will need to apply to ACMA if they want to participate in the register and continue to carry messages with sender IDs.
  • Between 30 November 2025 and 30 June 2026, businesses and organisations who want to send messages with sender IDs will have to register via their participating telco or EMSP.
  • From 1 July 2026, only participating telcos will be able to send SMS and MMS with sender IDs, and unregistered sender IDs will be replaced with the word “Unverified”.

The relevant document for those playing along at home is the Telecommunications (SMS Sender ID Register) Industry Standard 2025, although ACMA has a far more digestible FAQ.

IF YOU FIND THIS NEWSLETTER HELPFUL, PLEASE SUPPORT IT: The Weekly Cybers is currently unfunded. It’d be lovely if you threw a few dollars into the tip jar at stilgherrian.com/tip. Please consider.

Also in the news

  • The government has introduced legislation to create a so-called “tell us once” approach to government service delivery, the Regulatory Reform Omnibus Bill 2025. The Mandarin has the background, but the basic idea is that once you inform the government of a change for one system — for example a change of address — it’s then replicated to the others automatically.
  • The eSafety Commissioner, Julie Inman Grant, has issued formal removal notices to both X and Meta, asking them to geoblock videos of the assassination of US far-right influencer Charlie Kirk, the murder of refugee Iryna Zarutska, and the beheading of Chandra Mouli Nagamallaiah.
  • The eSafety Commissioner has also said that the notorious website 4chan will not be included in the government’s social media age restrictions, probably. “No, it’s really an image board,” Inman Grant told Senate Estimates. It will have to comply with other content regulations, however.
  • The Office of the Australian Information Commissioner (OAIC) has published regulatory guidance for privacy for age-restricted social media platforms and age assurance providers. Eight and a half weeks to go!
  • Australian Clinical Labs (ACL), the owner of Medlab Pathology, has been hit with $5.8 million in fines for a data breach affecting 223,000 people in February 2022. These are the first civil penalties ordered under the Privacy Act 1988, and these days the fines could have been much higher under amended legislation. There’s some lessons in there for every organisation.
  • The vice-chancellor of Western Sydney University, Professor George Williams, has apologised for yet another cyber oopsie after students were sent emails claiming their degrees had been revoked.
  • The NSW Reconstruction Authority says that the private information of up to 3,000 people was uploaded to ChatGPT in March by a former contractor.
  • OpenAI, the maker of ChatGPT, has signed its first ever Australian government contract. Although it’s only worth $50,000, it does mean they’ve got a foot in the door.
  • Australian Catholic University (ACU) has wrongly accused students of using AI to cheat.
  • From The Conversation, “Australian teachers are some of the highest users of AI in classrooms around the world”.
  • After one year of Google’s AI Overviews in search results, the top news sites are reporting steep year-on-year declines in monthly audiences, and smaller publishers are warning of lay-offs.
  • In the wake of all the Optus Triple Zero failures as detailed last week and the week before, the new Telecommunications Legislation Amendment (Triple Zero Custodian and Emergency Calling Powers) Bill 2025 aims to fix that.
  • Optus had used the wrong email address to tell the government about their Triple Zero outage.
  • The government introduced the Home Affairs Legislation Amendment (2025 Measures No. 2) Bill 2025 which, among other things, aims to “clarify and modernise provisions” which allow Home Affairs to “collect facial images from persons”, and to “validate facial images that were provided by a person or collected by the Department prior to the commencement of the amendments, including any action taken by the Department in relation to those images”. So it’s another attempt to say, yeah, whatever we just did, it was legal. There’s also some procedural stuff relating to immigration which is outside the scope of this newsletter.

LATEST PODCAST: It’s not about digital policy but it is amusing. It’s a long chat with our Edinburgh correspondent in The 9pm Uncommon Death Adder with David F Porteous, a Scottish author and social researcher. Look for “The 9pm Edict” in your podcast app of choice.

Elsewhere

  • Group chat platform Discord says they may have leaked the IDs of 70,000 users following a hack. Hackers breached their instance of Zendesk, a customer service platform, which contained the government IDs of users who’d appealed decisions related to age verification. Did someone say “honeypot”?
  • AI is reshaping childhood in China, with AI chatbots being used in both education and childcare.
  • China is also punishing “excessively pessimistic” users of social media. The beatings will continue until morale improves.
  • Denmark plans to ban under-15s from social media.
  • “In an escalating cat-and-mouse game, job hunters are trying to fool AI into moving their applications to the top of the pile with embedded instructions,” reports the New York Times (gift link).
  • Gen Z is facing a “job-pocalypse” as global firms prioritise AI over new hires, according to a British Standards Institution study across seven countries. If they’d thought about it a bit longer they’d have realised that “jobsageddon” is a much better word.
  • Elon Musk thinks Wikipedia is run by “far-left activists”, whatever that means, so he’s rewriting it to create his own Grokpedia. An early beta will be published in two weeks, he claims.
  • The Bank of England has joined the steadily lengthening list of organisations warning of a growing risk that the AI bubble could burst.
  • And from The Conversation, “Does AI pose an existential risk?” To bubbles, almost certainly.

YET ANOTHER NEW PODCAST, BUT ABOUT MUSIC: My good friend Snarky Platypus and I have posted a fresh episode of Another Untitled Music Podcast. Look for it in your podcast app.

Inquiries of note

  • Treasury has released the final report of its Review of AI and the Australian Consumer Law. I missed this one last week because I received the Treasury email shortly after I’d pressed publish.
  • Treasury has also released draft legislation for the regulation of payment service providers. Submissions close 6 November.

What’s next?

Parliament is on break again. Both houses return on Monday 27 October for two weeks.

DOES SOMETHING IN THE EMAIL LOOK WRONG? Let me know. If there’s ever a factual error, editing mistake, or confusing typo, it’ll be corrected in the web archives.


The Weekly Cybers is a personal weekly digest of what the Australian government has been saying and doing in the digital and cyber realms, on various adjacent topics, and whatever else interests me, Stilgherrian, published every Friday afternoon (nearly).

If I’ve missed anything, or if there’s any specific items you’d like me to follow, please let me know.

If you find this newsletter useful, please consider throwing a tip into the tip jar.

This is not a cyber security newsletter. For that I recommend Risky Biz News and Cyber Daily, among others.
