Eliana Willis

Meta and Twitter have called for Australia’s federal government to review the effectiveness of the country’s digital platforms regulation in light of the passing of the Online Safety Act, along with anti-trolling and online privacy laws currently being under consideration.Both tech giants made these demands in submissions to the Select Committee on Social Media and Online Safety, with Twitter writing that the committee should conduct a review of the online safety space in Australia one-year from its initial report, which is due next month. The Select Committee on Social Media and Online Safety was established late last year to inquire into the practices of major technology companies and consider evidence relating to the impact social media platforms have on the mental health of Australians. The committee’s inquiry was approved by the federal government with the intention of building on the proposed social media legislation to “unmask trolls”.Twitter said the recent passing of the Online Safety Act and the government’s federal probe only running for three months is not enough time to effectively implement digital platforms legislation.”With the range of factors that need to considered to holistically advance online safety, we therefore ask for the timeline be extended for the Select Committee Inquiry into Social Media and Online Safety to allow for the effective introduction and implementation of the Online Safety Act 2021 (Cth) and to ensure meaningful consultation with the community,” Twitter wrote to the committee.Meta, meanwhile, wrote in its submission that the federal government should make statutory reviews of new digital platforms legislation mandatory to ensure they are effective and fit-for-purpose, specifically pointing to the “significant amount of new legislation that has been passed”.

“Policymakers should be alive to the risk of overlapping, duplicative or inconsistent rules across different laws,” Meta said.Digital Industry Group Inc (DiGi), the Australian industry group advocating for tech giants, including Facebook, Google, TikTok, and Twitter, shared a similar sentiment in its submission to the parliamentary committee. In its submission, DiGi wrote that proposed regulatory measures, such as making age verification mandatory on social media platforms, have been put in the limelight without any legislative notice. It said that given the unprecedented implications of age verification of Australians on a range of digital services, it said wider consultation must first take place if it were to be implemented.DiGi added that the slew of new laws could result in overlap, and recommended that the federal government consider streamlining online safety legislation into a singular Online Safety Act.Parliamentary committee hears testimony of death and rape threats on social mediaDays after these submissions were publicly released, Australian television presenter Erin Molan appeared before the committee yesterday morning. During her appearance, she testified that trolls have faced no recourse for sending her death and rape threats on social media platforms.”These are sent directly to me on platforms that I use professionally,” Molan told the Select Committee on Social Media and Online Safety, when explaining how she received threats that were directed at herself and her daughter.”It was almost impossible to get help and you almost feel silly. As I said, the personal impact of this on people and we’ve seen people take their lives, we’ve seen kids try to take their lives. We’ve seen so many lives ruined by this kind of behaviour.”She also told the committee that the work performed by social media platforms, such as Facebook and Twitter, to assist police in certain instances are “not that effective” in preventing trolling behaviour on social media platforms and that victims often feel powerless in reporting online abuse.In light of this, Molan called for the eSafety commissioner’s powers to be expanded as well as for legislation to be introduced to put more accountability on social media platforms.”[Big tech] generate a ton of money and with that comes responsibility. They, of course, have the responsibility to ensure their platforms are a safe space because every workplace in the country needs to ensure that, within their walls, it is a safe place for their employees, but they won’t do it. Unless there are laws that punish them for not doing it, why would they do it?” Molan told the committee.University of New South Wales sociology associate professor, Michael Salter, who also appeared before the committee, told the committee that Molan’s experience of feeling powerless in preventing online abuse was a common occurrence, especially among children.”It’s actually really hard to get [children] to tell an adult in their life … so this is a really complex situation. There is work to do here in Australia, to think about how we develop a holistic response to children in order to target their unique needs and vulnerabilities,” Salter said.Salter also testified to the committee about instances when YouTube’s algorithm created playlists of children dancing and performing gymnastics that are only visible to paedophiles. He explained that as the playlists are not shown to non-paedophile communities, YouTube’s detection and reporting of inappropriate behaviour response can be ineffective.”Having basic safety expectations built into platforms from the get-go is not too much to expect from an online service provider,” Salter added.Aussie free-to-air channels want law requiring smart TVs to feature them prominentlyAustralia’s free-to-air television networks have called for the federal government to introduce laws that would make it a requirement for smart TV manufacturers to feature them prominently on TV systems and remotes.”Legislating a prominence framework is the only way to guarantee that Australian audiences will be able to continue to discover and easily access free-to-air content no matter how, when, or where they choose to find it,” said industry body Free TV said, which represents networks such as Seven, Nine, and Ten.The call for new legislation was made as part of its submission to the inquiry on social media and online safety.In demanding these laws, the industry body said continued access to local news provided by Free TV members is reliant on these services being prominent and easy to find on modern TVs and related devices. It explained that the design of smart TVs and remotes have given preferential treatment to streaming services, such as Netflix, Disney+, and Amazon Prime, and made it harder for Australians to access free-to-air television.”TV manufacturers and operating system developers increasingly exert control over which options are displayed to consumers, directing viewers to those services that can pay the highest price for preferred placement on the home screen,” Free TV wrote in its submission.”This means that decisions about whether free, licensed terrestrial services, together with broadcast video on-demand apps will be readily available to Australian viewers, and if so on what terms, are increasingly being made in boardrooms in Japan, South Korea, and the US.”Free TV also claimed that TV manufacturers see themselves as distributors and expect a “clip of the ticket” or some form of payment for providing access to services.Addressing the topic of harms arising from social media, FreeTV said it supported the government’s proposal of anti-trolling legislation, which would reduce the defamation risk for its members and reallocate it to social media platforms.”While the Anti-Trolling Bill is still under consideration, media companies continue to be legally responsible for this material. It will be important, in final drafting of the Anti-Trolling Bill, to ensure that social media services cannot contract-out of legal liability,” FreeTV said.IF YOU OR ANYONE YOU KNOW IN AUSTRALIA NEEDS HELP CONTACT ONE OF THESE SERVICES:Suicide Call Back Service on 1300 659 467Lifeline on 13 11 14Kids Helpline on 1800 551 800MensLine Australia on 1300 789 978Beyond Blue on 1300 22 46 36Headspace on 1800 650 890QLife on 1800 184 527Updated at 12:00pm, 19 January 2022: added information about FreeTV Australia’s submission.RELATED COVERAGE More

Citizen Lab
The International Olympic Committee has defended China’s MY2022 Olympics app following a report from Citizen Lab that found serious privacy issues with the platform.All attendees of the 2022 Olympic Games in Beijing need to download and use the app, but Citizen Lab released a report on Monday that said a “simple but devastating flaw” allows the encryption protecting users’ voice audio and file transfers to be “trivially sidestepped.”

According to Citizen Lab, passport details, demographic information, and medical/travel history in health customs forms are also vulnerable. Server responses can be spoofed, allowing an attacker to display fake instructions to users, according to the report.The MY2022 app also allows users to report “politically sensitive” content and includes a censorship keyword list involving topics like Xinjiang and Tibet. Citizen Lab noted that the app may violate Google’s Unwanted Software Policy, Apple’s App Store guidelines, and China’s own laws and national standards pertaining to privacy protection. Google and Apple did not respond to requests for comment. The report caused widespread outrage, since the thousands of people at the games will have no choice but to download the app if they want to represent their country. In comments to ZDNet, the International Olympic Committee defended the app and downplayed the severity of the issues discovered by Citizen Lab.

A spokesperson justified the app’s security holes by saying that due to the COVID-19 pandemic, “special measures” needed to be put in place to “protect the participants of the Olympic and Paralympic Winter Games Beijing 2022 and the Chinese people.””Therefore, a closed loop management system has been implemented… The ‘My2022’ app supports the function for health monitoring. It is designed to keep Games-related personnel safe within the closed loop environment,” the IOC said.The IOC also defended the app by saying it received approval from the Google Play store and the App Store.

ZDNet Recommends

The best security key

While robust passwords help you secure your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.

Read More

“The user is in control over what the ‘My2022’ app can access on their device. They can change the settings already while installing the app or at any point afterwards. It is not compulsory to install ‘My 2022’ on cell phones, as accredited personnel can log on to the health monitoring system on the web page instead,” the IOC claimed. “The IOC has conducted independent third-party assessments on the application from two cyber-security testing organizations. These reports confirmed that there are no critical vulnerabilities.”Ron Deibert, director of Citizen Lab at the University of Toronto’s Munk School of Global Affairs & Public Policy, told ZDNet that the IOC’s comments do not address the serious security vulnerabilities the organization discovered and reported. “To date, the app vendor has not either. In fact, the app vendor has not responded at all to our vulnerability disclosure, and the latest version of the app, unfortunately, still includes the vulnerabilities,” Deibert noted. “The IOC has a responsibility to ensure user privacy and security is protected for any applications and systems used during the Olympic Games. The IOC’s comments suggest that rather than taking that responsibility seriously, they are in fact hoping to minimize the risks.”DW was the first to report on the vulnerabilities, and many news outlets noted that the US, UK, Australia, and Germany have urged their citizens to leave all of their personal devices and laptops at home over concerns that they will be hacked or monitored by the Chinese government both during the games and once they go home. The Dutch Olympic Committee has already banned its citizens from bringing their devices to the games. Some experts said the vulnerabilities would also give criminal hackers a way to steal sensitive personal information. The Beijing 2022 organizing committee, however, told USA Today that personal information collected by Beijing 2022 “will not be disclosed unless the disclosure is necessary.” “Information of accredited media representatives will only be used for purposes related to the Olympic and Paralympic Winter Games,” the Beijing 2022 organizing committee said. The games begin on February 4.  More

More than 2,300 local governments, schools, and healthcare organizations in the US were affected by ransomware attacks in 2021, according to a new report from security company Emsisoft. The company found that at least 77 state and municipal governments, 1,043 schools, and 1,203 healthcare providers were impacted by a ransomware incident last year. The attacks also led to 118 data breaches, exposing troves of sensitive information. Emsisoft noted that while the numbers are still high, the 77 local governments attacked represents a decrease compared to 2020 and 2019, both of which saw 113 governments hit. 

In 2021, ransomware groups targeted smaller counties and towns instead of bigger cities like New Orleans, Baltimore, and Atlanta. Emsisoft theorized that this may have happened because larger cities invested more in cybersecurity following damaging attacks throughout 2019 and 2020. In order to calculate the cost of the damage caused by ransomware incidents, Emsisoft used the estimates from Winnebago County, Illinois CIO Gus Genter, who said in 2019 that the average ransomware incident costs $8.1 million and requires 287 days to recover. Based off those numbers, Emsisoft estimated that the 77 incidents in 2021 amounted to $623.7 million in losses. In addition to the financial losses, at least one incident involved dispatch services that were affected. Nearly half of the 77 incidents led to data breaches.For public educational organizations, there was a small uptick in attacks for 2021. In total, 88 organizations were hit with ransomware attacks, including 62 school districts and 26 colleges or universities. There were 84 attacks on the education sector in 2020. 

Of the 88 educational organizations attacked in 2021, 44 led to data breaches involving the information of both students and employees. While more districts were attacked in 2021, the number of individual schools affected was less than what was seen in 2020. At least 1,043 schools were impacted in 2021 compared to 1,681 in 2020. Last year also saw dozens of ransomware attacks on hospitals and healthcare institutions, with 68 healthcare providers reporting impacts from ransomware in 2021. In total, about 1,203 individual healthcare sites were affected. While more healthcare providers were attacked in 2020, only 560 individual sites were impacted. 

“The providers hit in 2021 included… Scripps Health, which operates 24 locations, including 5 hospitals,” Emsisoft. Scripps Health estimated its ransomware attack cost $112.7 million.Emsisoft noted that while the overall numbers are still high, there are signs of progress. Headline-grabbing attacks on companies like Colonial Pipeline and global meat processor JBS seemed to have kicked the government response to ransomware into high-gear. The Biden Administration initiated several efforts aimed at curbing ransomware activity, and the recent arrests of ransomware actors may indicate that some headway is being made internationally. The Justice Department has been able to recover several ransom payments from ransomware gangs, and some groups have indicated a tacit fear of attacking certain government institutions due to offensive actions taken by US Cyber Command and other governments. Emsisoft ransomware expert Brett Callow, who tracks ransomware incidents affecting public institutions, told ZDNet the US public sector has experienced a very similar number of incidents in each of the last three years, indicating the sector has not done enough to bolster their security despite knowing it is in the crosshairs. “But they may be starting to change. As noted in the report, the size of victim organization seems to have decreased, possibly indicating that bigger organizations have used their bigger budgets to rectify their security shortcomings,” Callow said.”While that would obviously be a good thing, it would still mean that ways would need to be found to help smaller organizations get to where they need to be.” More

We are all much more reliant on the internet and online services than ever before. And while this has brought benefits — it’s easy and convenient to buy from a website compared with having to visit a store, for example — there are also additional risks that need to be considered.

Special Report

The Future of Money

From blockchain and bitcoin to NFTs and the metaverse, how fintech innovation is changing the future of money.

Read More

The bad news is that while the rise of online shopping and banking has made life easier for us, it has also made conducting fraud much simpler — and in the worst case scenario, a cyber criminal could gain access to your personal finances simply by stealing your username and password. One of the most common methods cyber criminals use to steal usernames and passwords for bank accounts is phishing attacks, where they’ll send an email — or an SMS message — claiming to be from a bank or retailer.  SEE: A winning strategy for cybersecurity (ZDNet special report)The aim of the attack is to trick the victim into clicking on a phishing link, and one of the ways to drive victims towards this is by using fear or doubt. For example, the message could claim that a transaction or purchase has been made with a request to click the link to investigate further.Often, the attackers will design a fake version of the bank’s website. If the unlucky recipient of the fake message is tricked into entering their username and password, it is then in the hands of the attackers. Banks are not the only entities that can be impersonated in this way — it can also be retailers, government agencies or pretty much anyone else. The aim is to get access to your details by any means.”Throughout the coronavirus pandemic, we’ve seen a range of topical scam campaigns — from bogus missed delivery texts to offers of fake vaccine appointments. In addition to using these hooks, cyber criminals can take information from social media to target individuals with tailored, convincing-looking scams,” says Sarah Lyons, deputy director for economy and society at the UK’s National Cyber Security Centre (NCSC). 

Beyond this threat, there’s also the hackers who aim to infect victims’ devices with banking trojan malware, which monitors the user’s computer or smartphone for activity to do with financial transactions and sends all the relevant information back to the attackers. Attackers will often trick victims into downloading malware, once again with either phishing links or fake and infected versions of popular software, and even malicious apps hidden in popular mobile app stores.  In order to avoid falling victim to cyberattacks that are targeting financial information, the NCSC recommends maintaining good cyber hygiene across online accounts in order to keep them as secure as possible.  This approach includes using a strong, separate password for each online account and turning on multi-factor authentication — both will make it much more difficult for attackers to breach accounts.Users should also take care with what they click on and limit the personal information they post on public social media accounts — as that information could be exploited to help identify accounts they have or conduct social-engineering attacks.  “We can reduce the likelihood of being targeted with convincing phishing emails by taking extra care when using social media. Minimising the amount of our personal information shared on social media and enabling privacy settings keeps us secure,” says Lyons.  

ZDNet Recommends

Banks and other services will often send alerts about suspicious activity on accounts — paying attention to these alerts can help keep accounts secure, but users should also be wary as cyber criminals build their own versions of these alerts to trick people into providing information.  If you have suspicions about alerts like this, it’s a good idea to contact the bank directly by using the contact details on their official website to report them. In the event it turns out you’ve fallen victim to a phishing email, you should change your passwords immediately, as well as changing the passwords on any accounts that might use the same password. If you’ve lost money as a result of cybercrime, you should report the loss to your bank and also to the police.  As for malicious apps, these can use clever tricks to bypass the security screening designed to keep them out of app stores, often posing as commonly used or high-profile applications. They can remain in app stores for months at a time before being uncovered and removed, although not before being downloaded, in some cases by hundreds of thousands of victims. Users should be wary when downloading apps. Checking reviews can give an indication if something is wrong. Often, people who’ve lost out to cyber criminals after downloading the app will mention that this has been the case, while reviews could also suggest that the application is fake if it doesn’t work as advertised.SEE: My stolen credit card details were used 4,500 miles away. I tried to find out how it happened While these basic security recommendations can apply to many online services, a new area of interest for criminals is cryptocurrency. The rise of cryptocurrency, especially high-value cryptocurrencies like Bitcoin, means that cyber criminals are increasingly focusing their attention on this new area. Cryptocurrency is harder to trace than traditional finances and the decentralised nature of the ecosystem means that if your cryptocurrency is stolen, it is unlikely to be returned in the way ‘traditional’ finances can be returned by your bank in the event of your falling victim to fraud.That reality means storing cryptocurrency securely is vital, especially as the growth in popularity means it’s becoming an increasingly popular target for cyber criminals — it’s reported that $7.7 billion worth of cryptocurrency was stolen in 2021 alone. “As cryptocurrency is in the news more — and as people know about it more as it becomes more valuable — the attackers flock to it,” says Christopher Budd, senior threat labs communications manager at cybersecurity company Avast.  Much of the advice for keeping your online bank accounts secure also applies to cryptocurrency: use strong passwords, use multi-factor authentication and be wary of phishing emails and other scams. But there are additional measures that need to be considered. Many users will opt to keep their cryptocurrency in a crypto exchange, allowing them to easily buy, sell and trade different cryptocurrencies. The rise of cryptocurrency means that many different exchanges have emerged. While relying on a professional service to help store and secure your cryptocurrency might seem like the best option at first, there are also potential risks.  In the same way criminals will target banks and retailers to steal money and credit card information, crypto exchanges are a high-profile target for cyber criminals who want a big pay day — and there have been instances of hackers walking away with hundreds of millions of dollars worth of cryptocurrency in successful attacks targeting the exchanges themselves.  Much like banking and retail, it’s almost impossible that an organisation can guarantee assets are 100% secure, but there’s a greater chance that an established exchange will have better protocols in place than a newcomer with little background information online. Cryptocurrency users should also be mindful that one of the best ways to ensure cryptocurrency is securely stored is if they’ve put the appropriate protections in place themselves. An exchange may claim to have special security features to keep users secure, but if the user isn’t able to examine or operate these features themselves, then it might be worth considering a different option. “You don’t do yourself any benefit if you get something that has supposedly great security, but you don’t know how to use it,” says Budd. “Having a good, old-fashioned deadbolt lock that you know how to use on your house is more effective than a $100,000 security system that you don’t know how to use.”At the very least, cryptocurrency users who want to store their assets in a crypto exchange should look for one that allows multi-factor authentication — and they should also apply multi-factor authentication to the email address tied to the account as an additional barrier. For those who feel that storing their cryptocurrency in an exchange that could be targeted by attackers is too much of a risk, there’s the option of storing cryptocurrency on their own devices.  It could be tempting to keep complex crypto-authentication keys in a document in order that they can be easily accessed, copied and pasted when the need arises. However, this carries risks because if your username and password for your cloud documents are compromised, the key is waiting for the cyber criminal who has accessed your account.  Even if the document is stored offline, there’s the chance it could be accessed if an attacker manages to infect your PC with malware. In this case, using traditional methods could be the best way to keep assets safe: writing the key down and storing it safely in your home.What’s important here is ensuring that your device is as secure against attacks as possible – multi-factor authentication should be applied to accounts, passwords should be complex enough to not be breached in brute-force attacks – and the same password shouldn’t be shared among different accounts, because if attackers can steal it from one service, they could attempt to use the same password against other accounts linked to your email address.SEE: Variant of Phorpiex botnet used for cryptocurrency attacks in Ethopia, Nigeria, India and moreIf you buy cryptocurrency, it needs to be stored in a crypto wallet and there are two key forms of wallet. Users can choose to use one or both of them to store their cryptocurrency. Both have advantages and disadvantages.A hot wallet is a cryptocurrency wallet that’s always connected to the internet, and linked to public and private keys, which an individual can use to easily and conveniently send and receive cryptocurrency. However, the always-on connection to the internet could potentially leave these wallets vulnerable to being hacked.Cold storage is when cryptocurrency is kept offline, with hardware, physical keys and PINs or passwords used to keep the crypto secure. These hardware wallets are designed to prevent hacking and are only accessible when plugged into your computer.This second form of wallet is the more secure way to store cryptocurrency, although it is much less convenient, requiring the user to store a separate physical device.And much like traditional banknotes, any device with cryptocurrency on it should be stored in a safe place where it can’t be lost or stolen.  MORE ON CYBERSECURITY More

After a major cyberattack brought key systems of Brazil’s Ministry of Health (MoH) to a halt, the department has reported all its platforms are back online.

According to a statement released by the MoH on Friday (14), most systems have been reestablished following a cyberattack in early December 2021, including ConecteSUS, which holds COVID-19 vaccination data. However, some systems still need to be recovered, and the deadline for completing the work is this coming Friday (21). As a result of the cyberattack, crucial data on the pandemic, including cases, deaths and vaccination data, was unavailable for nearly a month. This meant that, for example, institutions that rely on government data on COVID-19 to monitor the local developments around the virus could not access the information they need since early December 2021. Hospital managers also reported challenges introduced by the lack of access to data in aspects such as planning for new beds and purchasing medicines as well as hiring professionals.However, Rodrigo Cruz, executive secretary at the MoH, insisted there was no loss of information or a healthcare data blackout. “The Ministry continued to receive and disseminate data [since the cyberattack], especially the data relating to the [COVID-19] pandemic. This information was and continues to be easily accessible on our website through our newsletters and epidemiological bulletins,” he said. The attackers used legitimate access credentials to access the national healthcare data network. Cruz noted that this cloud-based database feeds systems, including those relating to the pandemic management, meaning there was no need for any sophisticated cyberattack techniques. Responsibility for the attack was claimed by the Lapsus$ Group, which said 50TB worth of data had been extracted from the MoH’s systems and subsequently deleted.The MoH secretary confirmed the attackers were able to access other MoH systems and deleted COVID-19 data, as well as systems. “These are not off-the-shelf systems that can be erased and reinstalled with a CD or a USB stick. When the system is deleted, it has to be rebuilt since it is customized and built specifically for the Ministry of Health,” he noted.Cruz added the first challenge was to ensure that no data had been compromised, then rebuild the systems so that the MoH could receive the data produced by cities and states. He pointed out, all systems have had their data capture processes established.

According to the Brazilian Ministry of Health, all the department’s access credentials have been updated, and access control processes have been improved. In addition, the cyber risks and vulnerabilities of the main MOH systems have been assessed. A data protection committee has also been created as part of the department’s action plan to deal with the fallout of the cyberattack. Questioned about the possibility of the involvement of civil service staff in the occurrence, Brazilian health minister Marcelo Queiroga said, “if there was any sabotage, it was not on the ministry’s part”. He added criminals orchestrated the attack, and the Federal Police are investigating it. More

Microsoft has shown off a new measure for admins to protect web-browsing users on Chromium-based Edge from zero days, which are previously unknown software flaws. The latest Edge beta introduces a new browsing mode in Edge “where the security of your browser takes priority”. For admins who fear web-based attacks on desktop systems via the browser, this feature gives them the option to “mitigate unforeseen active zero days”. Enabling this mode can be configured, so that important sites and line-of-business applications “continue to work as expected,” according to Microsoft’s release notes. 

The security-focused Edge mode, spotted by Bleeping Computer, brings several Windows exploit mitigation technologies into play, including Hardware-enforced Stack Protection, Arbitrary Code Guard (ACG), and Control Flow Guard (CFG). SEE: Your cybersecurity training needs improvement because hacking attacks are only getting worseWindows 10’s ACG helps thwart web attacks that attempt to load malicious code into memory by ensuring only properly signed code can be mapped into memory.ACG and CFG were key motivations behind Microsoft’s move last year to introduce Edge Super Duper Secure Mode, which turns off Edge’s Chromium JavaScript just-in-time (JIT) compiler to allow those exploit mitigations, as well as Intel’s Control-flow Enforcement Technology (CET), to work. The JIT compiler is part of the Chromium V8 JavaScript engine’s processing pipeline, but Windows features like ACG were incompatible with JIT compiling. “This feature is a huge step forward because it lets us mitigate unforeseen active zero days (based on historical trends). When turned on, this feature brings Hardware-enforced Stack Protection, Arbitrary Code Guard (ACG), and Content Flow Guard (CFG) as supporting security mitigations to increase users’ security on the web,” Microsoft explains. 

Microsoft quietly enabled Edge Super Duper Secure Mode in the stable release of Edge in November, allowing users to toggle between ‘balanced’ and ‘strict’ modes, depending on how much users trust a given site.   The browser update, version 98.0.1108.23 in the Microsoft Edge beta channel, also adds a custom primary password option. This option adds another layer of privacy and helps prevent unauthorized users from using saved passwords to log on to websites. Custom primary password allows users to use a custom string of their choice as their primary password. After it’s enabled, users will enter this password to authenticate themselves and have their saved passwords auto-filled into web forms. More

The UK government has announced a crackdown on cryptocurrency-related adverts that could be considered misleading.

On Tuesday, the Exchequer said that legislation is due to be proposed to force cryptocurrency and crypto services, in general, to adhere to existing financial advertising laws. Cryptocurrencies and crypto assets continue to increase in popularity. The UK government & HMRC have worked to create and enforce taxation rules – with UK holders now expected to pay capital gains tax on their trades – but outside of the legal arena, the general public is still exposed to adverts that may lure individuals into investing into products without fully understanding them.  According to the treasury, while approximately 2.3 million UK residents are thought to hold some form of crypto asset, “some users may not fully understand what they are buying.” Adverts that promise speculative, lucrative gains, Initial Coin Offerings (ICOs), token sales, and marketing that is considered unfair or misleading may all come under the new legislation, which will mirror what the Financial Conduct Authority (FCA) already imposes for financial products.  The promotion of cryptocurrency and other crypto assets will need to meet the same standards as stocks, shares, insurance, and other financial services.  Research conducted by the FCA in 2021 estimates that the average amount held by UK investors is £300 ($408) in cryptocurrencies. Roughly half of those surveyed said they would buy more in the future, and approximately the same number of participants said they know “they will make money at some point.” 

The UK government says that bringing crypto into line could reduce the risk of consumers being mis-sold products.  “This will balance the desire to encourage innovation with the need to ensure that crypto asset advertisements are fair, clear, and not misleading,” the treasury said. “The Government’s decision to bring these types of advertisements into the scope of regulation will mitigate the risks of consumer harm, ensuring people have the appropriate information to make informed investment decisions.” Rishi Sunak, the current  Chancellor of the Exchequer, said that while crypto represents new “opportunities,” it is up to the government to stop adverts that promote misleading messages.  “We are ensuring consumers are protected, while also supporting innovation of the crypto asset market,” Sunak added. The government intends to introduce secondary legislation to amend the Financial Promotion Order, granting the FCA the power to regulate crypto-based adverts and ensure that crypto services are authorized to promote products in the future.  The UK’s Advertising Standards Authority (ASA) has previously ruled against companies including crypto.com and eToro for promoting their services through adverts considered to be misleading.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More