The federal government’s online safety reforms will lead to “widespread cybersecurity risks” comparable to the infamous Ashley Maddison data leak and may see “the work of one arm of government undoing the work of another”, according to a number of leading global tech firms.
In submissions to the Department of Home Affairs’ consultation on strengthening Australia’s cybersecurity regulations and incentives, a number of the biggest tech firms in the world urged the federal government to take a whole-of-government approach to reforms and regulations, and consolidate cyber policy in one portfolio with a dedicated minister.
This would assist in determining the impact of various policies on cybersecurity, the organisations argued, pointing to the potential consequences of the initiatives housed in the recently passed Online Safety Act.
The online safety reforms include efforts to block underage individuals from accessing online pornography through potential digital identity age verification, an update to the restricted access system declaration to cover a wider range of companies, and the Basic Online Safety Expectations (BOSE) for large tech firms.
A draft version of the BOSE requires tech firms to take “reasonable steps to develop and implement processes to detect and address material or activity on the service that is or may be unlawful or harmful”, and to take “reasonable steps” in regards to their encrypted services.
Industry group DIGI, whose members include the likes of Facebook, Apple, Google, Twitter and eBay, said these reforms would likely lead to tech firms being forced to collect more data on their users, leading to an increased risk of a cyber attack.
“It is our initial assessment that these two initiatives encourage the widespread collection of age data, potentially even identity verification documentation such as drivers’ licences. This runs counter to the universally accepted privacy best practice of data minimisation; data minimisation is also a key principle of the Consumer Data Right,” the DIGI submission said.
The organisation said that such reforms could lead to a similar event to the Ashley Madison data breach in 2015, which saw the leaking of highly sensitive information used to blackmail individuals.
“DIGI predicts that this potential increase in data collection for all websites, and the sensitive nature of the data being collected, will cause widespread cybersecurity risks to a whole range of websites in Australia, reminiscent of the 2015 Ashley Madison data breach in the United States,” the submission said.
“It is a reasonable prediction that similar widespread attacks, intended to publicly shame through personally identifiable data, may occur if these reforms progress as currently proposed.”
In a recent interview with InnovationAus, eSafety Commissioner Jule Inman Grant acknowledged concerns that requiring identity verification to access some online content would raise the risk of data breaches, and the individual companies shouldn’t be responsible for this.
“If you don’t balance the privacy, the security and the safety imperatives, it’s not going to work. If you’re creating a honeypot of really sensitive information, it’s not going to work,” Ms Inman Grant told InnovationAus.
The big tech advocacy group also slammed the government’s targeting of encrypted services, saying this contradicts its simultaneous efforts to improve cybersecurity across the economy.
“There are fundamental impracticalities and impossibilities in relation to services detecting and addressing encrypted material; if this becomes law, a result could be the weakening of encryption, which is crucially important to ensuring adequate levels of cybersecurity across a wide range of services,” DIGI said.
“Not evaluating the online safety reform program for how it might serve to weaken Australia’s cybersecurity is an enormous oversight; if this is not addressed, it may see the work of one arm of government undoing the work of another. This is not an effective use of public resources.”
One way to help ensure these issues don’t arise in the future would be to appoint a dedicated cybersecurity minister and consolidate responsibilities to one portfolio, DIGI argued.
“It is not clear today where the responsibilities for Australians’ cybersecurity lie across government, as many departments consider elements of it to fall under their remit. In light of this, it therefore is not apparently clear to industry nor individuals which government department would be the lead or appropriate port of call for enquiries relating to cybersecurity,” the submission said.
“In order to assist in creating this clarity and to elevate the importance of cybersecurity within government, we would welcome the reintroduction of a Cyber Security Minister. Such a minister can develop expertise on these issues, act as an advocate within government for cybersecurity and assist in the coordination of efforts across different departments.”
This was backed by Google in its own submission to the Home Affairs consultation.
“Google would welcome consolidation of the multiple statutes that address cybersecurity that are overseen by a number of different portfolios. Multiple legislative frameworks managed by different agencies creates confusion and risks alienating businesses from engaging with these frameworks,” the Google submission said.
Do you know more? Contact James Riley via Email.
Why do people insist on using acronyms that are registered brands? BOSE, HCF (Hosting Certification Framework)…