More stories

  • How to keep your bank details and finances more secure online

    We are all much more reliant on the internet and online services than ever before. And while this has brought benefits — it’s easy and convenient to buy from a website compared with having to visit a store, for example — there are also additional risks that need to be considered.

    The bad news is that while the rise of online shopping and banking has made life easier for us, it has also made conducting fraud much simpler — and in the worst-case scenario, a cyber criminal could gain access to your personal finances simply by stealing your username and password.

    One of the most common methods cyber criminals use to steal usernames and passwords for bank accounts is phishing attacks, where they’ll send an email — or an SMS message — claiming to be from a bank or retailer. The aim of the attack is to trick the victim into clicking on a phishing link, and one of the ways to drive victims towards this is by using fear or doubt. For example, the message could claim that a transaction or purchase has been made, with a request to click the link to investigate further.

    Often, the attackers will design a fake version of the bank’s website. If the unlucky recipient of the fake message is tricked into entering their username and password, it is then in the hands of the attackers. Banks are not the only entities that can be impersonated in this way — it can also be retailers, government agencies or pretty much anyone else. The aim is to get access to your details by any means.

    “Throughout the coronavirus pandemic, we’ve seen a range of topical scam campaigns — from bogus missed delivery texts to offers of fake vaccine appointments. In addition to using these hooks, cyber criminals can take information from social media to target individuals with tailored, convincing-looking scams,” says Sarah Lyons, deputy director for economy and society at the UK’s National Cyber Security Centre (NCSC).

    Beyond this threat, there are also the hackers who aim to infect victims’ devices with banking trojan malware, which monitors the user’s computer or smartphone for activity to do with financial transactions and sends all the relevant information back to the attackers. Attackers will often trick victims into downloading malware, once again with either phishing links or fake and infected versions of popular software, and even malicious apps hidden in popular mobile app stores.

    In order to avoid falling victim to cyberattacks that target financial information, the NCSC recommends maintaining good cyber hygiene across online accounts in order to keep them as secure as possible. This approach includes using a strong, separate password for each online account and turning on multi-factor authentication — both will make it much more difficult for attackers to breach accounts.

    Users should also take care with what they click on and limit the personal information they post on public social media accounts — as that information could be exploited to help identify accounts they have or conduct social-engineering attacks.

    “We can reduce the likelihood of being targeted with convincing phishing emails by taking extra care when using social media. Minimising the amount of our personal information shared on social media and enabling privacy settings keeps us secure,” says Lyons.

    Banks and other services will often send alerts about suspicious activity on accounts — paying attention to these alerts can help keep accounts secure, but users should also be wary, as cyber criminals build their own versions of these alerts to trick people into providing information. If you have suspicions about alerts like this, it’s a good idea to contact the bank directly by using the contact details on their official website to report them.

    In the event it turns out you’ve fallen victim to a phishing email, you should change your passwords immediately, as well as changing the passwords on any accounts that might use the same password. If you’ve lost money as a result of cybercrime, you should report the loss to your bank and also to the police.

    As for malicious apps, these can use clever tricks to bypass the security screening designed to keep them out of app stores, often posing as commonly used or high-profile applications. They can remain in app stores for months at a time before being uncovered and removed, although not before being downloaded, in some cases by hundreds of thousands of victims. Users should be wary when downloading apps. Checking reviews can give an indication if something is wrong. Often, people who’ve lost out to cyber criminals after downloading the app will mention that this has been the case, while reviews could also suggest that the application is fake if it doesn’t work as advertised.

    While these basic security recommendations can apply to many online services, a new area of interest for criminals is cryptocurrency. The rise of cryptocurrency, especially high-value cryptocurrencies like Bitcoin, means that cyber criminals are increasingly focusing their attention on this new area.

    Cryptocurrency is harder to trace than traditional finances, and the decentralised nature of the ecosystem means that if your cryptocurrency is stolen, it is unlikely to be returned in the way ‘traditional’ finances can be returned by your bank in the event of your falling victim to fraud. That reality means storing cryptocurrency securely is vital, especially as the growth in popularity means it’s becoming an increasingly popular target for cyber criminals — it’s reported that $7.7 billion worth of cryptocurrency was stolen in 2021 alone.

    “As cryptocurrency is in the news more — and as people know about it more as it becomes more valuable — the attackers flock to it,” says Christopher Budd, senior threat labs communications manager at cybersecurity company Avast.

    Much of the advice for keeping your online bank accounts secure also applies to cryptocurrency: use strong passwords, use multi-factor authentication and be wary of phishing emails and other scams. But there are additional measures that need to be considered.

    Many users will opt to keep their cryptocurrency in a crypto exchange, allowing them to easily buy, sell and trade different cryptocurrencies. The rise of cryptocurrency means that many different exchanges have emerged. While relying on a professional service to help store and secure your cryptocurrency might seem like the best option at first, there are also potential risks. In the same way criminals will target banks and retailers to steal money and credit card information, crypto exchanges are a high-profile target for cyber criminals who want a big pay day — and there have been instances of hackers walking away with hundreds of millions of dollars worth of cryptocurrency in successful attacks targeting the exchanges themselves.

    Much like banking and retail, it’s almost impossible for an organisation to guarantee assets are 100% secure, but there’s a greater chance that an established exchange will have better protocols in place than a newcomer with little background information online. Cryptocurrency users should also be mindful that one of the best ways to ensure cryptocurrency is securely stored is if they’ve put the appropriate protections in place themselves. An exchange may claim to have special security features to keep users secure, but if the user isn’t able to examine or operate these features themselves, then it might be worth considering a different option.

    “You don’t do yourself any benefit if you get something that has supposedly great security, but you don’t know how to use it,” says Budd. “Having a good, old-fashioned deadbolt lock that you know how to use on your house is more effective than a $100,000 security system that you don’t know how to use.”

    At the very least, cryptocurrency users who want to store their assets in a crypto exchange should look for one that allows multi-factor authentication — and they should also apply multi-factor authentication to the email address tied to the account as an additional barrier.

    For those who feel that storing their cryptocurrency in an exchange that could be targeted by attackers is too much of a risk, there’s the option of storing cryptocurrency on their own devices. It could be tempting to keep complex crypto-authentication keys in a document so that they can be easily accessed, copied and pasted when the need arises. However, this carries risks, because if your username and password for your cloud documents are compromised, the key is waiting for the cyber criminal who has accessed your account. Even if the document is stored offline, there’s the chance it could be accessed if an attacker manages to infect your PC with malware. In this case, using traditional methods could be the best way to keep assets safe: writing the key down and storing it safely in your home.

    What’s important here is ensuring that your device is as secure against attacks as possible – multi-factor authentication should be applied to accounts, passwords should be complex enough not to be breached in brute-force attacks – and the same password shouldn’t be shared among different accounts, because if attackers can steal it from one service, they could attempt to use the same password against other accounts linked to your email address.

    If you buy cryptocurrency, it needs to be stored in a crypto wallet, and there are two key forms of wallet. Users can choose to use one or both of them to store their cryptocurrency. Both have advantages and disadvantages.

    A hot wallet is a cryptocurrency wallet that’s always connected to the internet and linked to public and private keys, which an individual can use to easily and conveniently send and receive cryptocurrency. However, the always-on connection to the internet could potentially leave these wallets vulnerable to being hacked.

    Cold storage is when cryptocurrency is kept offline, with hardware, physical keys and PINs or passwords used to keep the crypto secure. These hardware wallets are designed to prevent hacking and are only accessible when plugged into your computer. This second form of wallet is the more secure way to store cryptocurrency, although it is much less convenient, requiring the user to store a separate physical device. And much like traditional banknotes, any device with cryptocurrency on it should be stored in a safe place where it can’t be lost or stolen.

  • Brazilian Ministry of Health recovers systems over a month after cyberattack

    After a major cyberattack brought key systems of Brazil’s Ministry of Health (MoH) to a halt, the department has reported all its platforms are back online.

    According to a statement released by the MoH on Friday (14), most systems have been reestablished following a cyberattack in early December 2021, including ConecteSUS, which holds COVID-19 vaccination data. However, some systems still need to be recovered, and the deadline for completing the work is this coming Friday (21).

    As a result of the cyberattack, crucial data on the pandemic, including cases, deaths and vaccination data, was unavailable for nearly a month. This meant that, for example, institutions that rely on government data on COVID-19 to monitor the local developments around the virus could not access the information they needed since early December 2021. Hospital managers also reported challenges introduced by the lack of access to data in aspects such as planning for new beds and purchasing medicines, as well as hiring professionals.

    However, Rodrigo Cruz, executive secretary at the MoH, insisted there was no loss of information or a healthcare data blackout. “The Ministry continued to receive and disseminate data [since the cyberattack], especially the data relating to the [COVID-19] pandemic. This information was and continues to be easily accessible on our website through our newsletters and epidemiological bulletins,” he said.

    The attackers used legitimate access credentials to access the national healthcare data network. Cruz noted that this cloud-based database feeds systems, including those relating to pandemic management, meaning there was no need for any sophisticated cyberattack techniques. Responsibility for the attack was claimed by the Lapsus$ Group, which said 50TB worth of data had been extracted from the MoH’s systems and subsequently deleted.

    The MoH secretary confirmed the attackers were able to access other MoH systems and deleted COVID-19 data, as well as systems. “These are not off-the-shelf systems that can be erased and reinstalled with a CD or a USB stick. When the system is deleted, it has to be rebuilt since it is customized and built specifically for the Ministry of Health,” he noted.

    Cruz added the first challenge was to ensure that no data had been compromised, then to rebuild the systems so that the MoH could receive the data produced by cities and states. He pointed out that all systems have had their data capture processes established.

    According to the Brazilian Ministry of Health, all the department’s access credentials have been updated, and access control processes have been improved. In addition, the cyber risks and vulnerabilities of the main MoH systems have been assessed. A data protection committee has also been created as part of the department’s action plan to deal with the fallout of the cyberattack.

    Questioned about the possibility of the involvement of civil service staff in the incident, Brazilian health minister Marcelo Queiroga said, “if there was any sabotage, it was not on the ministry’s part”. He added that criminals orchestrated the attack, and the Federal Police are investigating it.

  • Microsoft: This new browser feature is 'huge step forward' against zero-day threats

    Microsoft has shown off a new measure for admins to protect web-browsing users on Chromium-based Edge from zero days, which are previously unknown software flaws. The latest Edge beta introduces a new browsing mode in Edge “where the security of your browser takes priority”. For admins who fear web-based attacks on desktop systems via the browser, this feature gives them the option to “mitigate unforeseen active zero days”. The mode can be configured so that important sites and line-of-business applications “continue to work as expected,” according to Microsoft’s release notes.

    The security-focused Edge mode, spotted by Bleeping Computer, brings several Windows exploit mitigation technologies into play, including Hardware-enforced Stack Protection, Arbitrary Code Guard (ACG), and Control Flow Guard (CFG).

    Windows 10’s ACG helps thwart web attacks that attempt to load malicious code into memory by ensuring only properly signed code can be mapped into memory. ACG and CFG were key motivations behind Microsoft’s move last year to introduce Edge Super Duper Secure Mode, which turns off Edge’s Chromium JavaScript just-in-time (JIT) compiler to allow those exploit mitigations, as well as Intel’s Control-flow Enforcement Technology (CET), to work. The JIT compiler is part of the Chromium V8 JavaScript engine’s processing pipeline, but Windows features like ACG were incompatible with JIT compiling.

    “This feature is a huge step forward because it lets us mitigate unforeseen active zero days (based on historical trends). When turned on, this feature brings Hardware-enforced Stack Protection, Arbitrary Code Guard (ACG), and Content Flow Guard (CFG) as supporting security mitigations to increase users’ security on the web,” Microsoft explains.

    Microsoft quietly enabled Edge Super Duper Secure Mode in the stable release of Edge in November, allowing users to toggle between ‘balanced’ and ‘strict’ modes, depending on how much users trust a given site.

    The browser update, version 98.0.1108.23 in the Microsoft Edge beta channel, also adds a custom primary password option. This option adds another layer of privacy and helps prevent unauthorized users from using saved passwords to log on to websites. Custom primary password allows users to use a custom string of their choice as their primary password. After it’s enabled, users will enter this password to authenticate themselves and have their saved passwords auto-filled into web forms.

  • UK government announces crackdown on cryptocurrency adverts

    The UK government has announced a crackdown on cryptocurrency-related adverts that could be considered misleading.

    On Tuesday, the Exchequer said that legislation is due to be proposed to force cryptocurrency and crypto services, in general, to adhere to existing financial advertising laws.

    Cryptocurrencies and crypto assets continue to increase in popularity. The UK government and HMRC have worked to create and enforce taxation rules – with UK holders now expected to pay capital gains tax on their trades – but outside of the legal arena, the general public is still exposed to adverts that may lure individuals into investing in products without fully understanding them. According to the treasury, while approximately 2.3 million UK residents are thought to hold some form of crypto asset, “some users may not fully understand what they are buying.”

    Adverts that promise speculative, lucrative gains, Initial Coin Offerings (ICOs), token sales, and marketing that is considered unfair or misleading may all come under the new legislation, which will mirror what the Financial Conduct Authority (FCA) already imposes for financial products. The promotion of cryptocurrency and other crypto assets will need to meet the same standards as stocks, shares, insurance, and other financial services.

    Research conducted by the FCA in 2021 estimates that the average amount held by UK investors is £300 ($408) in cryptocurrencies. Roughly half of those surveyed said they would buy more in the future, and approximately the same number of participants said they know “they will make money at some point.”

    The UK government says that bringing crypto into line could reduce the risk of consumers being mis-sold products. “This will balance the desire to encourage innovation with the need to ensure that crypto asset advertisements are fair, clear, and not misleading,” the treasury said. “The Government’s decision to bring these types of advertisements into the scope of regulation will mitigate the risks of consumer harm, ensuring people have the appropriate information to make informed investment decisions.”

    Rishi Sunak, the current Chancellor of the Exchequer, said that while crypto represents new “opportunities,” it is up to the government to stop adverts that promote misleading messages. “We are ensuring consumers are protected, while also supporting innovation of the crypto asset market,” Sunak added.

    The government intends to introduce secondary legislation to amend the Financial Promotion Order, granting the FCA the power to regulate crypto-based adverts and ensure that crypto services are authorized to promote products in the future. The UK’s Advertising Standards Authority (ASA) has previously ruled against companies including crypto.com and eToro for promoting their services through adverts considered to be misleading.

  • This VPN service used by cyber criminals to deliver ransomware has just been taken down by police

    A VPN service used by criminals to distribute ransomware and malware, and to facilitate other forms of cybercrime, has been taken offline following a coordinated international operation by police. As part of the joint action by Europol, Germany’s Hanover Police Department, the FBI, the UK’s National Crime Agency (NCA) and others, the 15 servers used by the VPNLab.net service have been seized or disrupted, rendering it no longer available.

    Europol said multiple investigations uncovered criminals using the VPNLab.net service to facilitate illicit activities such as malware distribution. Other cases showed the service’s use in the setting up of infrastructure and communications behind ransomware campaigns, as well as the actual deployment of ransomware.

    Europol said that VPNLab.net was established in 2008, offering services based on OpenVPN technology and 2048-bit encryption to provide online anonymity for as little as $60 per year. The service also provided double VPN, with servers located in many different countries. “This made VPNLab.net a popular choice for cyber criminals, who could use its services to carry on committing their crimes without fear of detection by authorities,” the agency said.

    Cyber criminals also used the service to deploy malware while avoiding detection by authorities – but now the servers have been seized, law enforcement is investigating customer data in an attempt to identify cyber criminals and victims of cyberattacks. Europol hasn’t disclosed which forms of malware and ransomware the VPN service was being used to distribute.

    As a result of the investigation, more than 100 businesses have been identified as at risk of cyberattacks, and law enforcement is working directly with them in an effort to mitigate any potential compromise.

    “The actions carried out under this investigation make clear that criminals are running out of ways to hide their tracks online,” said Edvardas Šileris, head of Europol’s European Cybercrime Centre (EC3). “Each investigation we undertake informs the next, and the information gained on potential victims means we may have pre-empted several serious cyberattacks and data breaches,” he added.

    The disruptive action against VPNLab took place on 17 January 2022 and involved authorities from Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States and the United Kingdom, along with support from Europol.

    “One important aspect of this action is also to show that, if service providers support illegal action and do not provide any information on legal requests from law enforcement authorities, that these services are not bulletproof,” said Volker Kluwe, chief of Hanover Police Department, which led the takedown. “This operation shows the result of an effective cooperation of international law enforcement agencies, which makes it possible to shut down a global network and destroy such brands,” he added.

    The action represents the latest international operation by law enforcement agencies targeting cyber criminals and the services they use to facilitate attacks, and comes days after Russian authorities said they arrested members of the REvil ransomware gang.

  • Bosses think that security is taken care of: CISOs aren't so sure

    Organisations could find themselves at risk from cyberattacks because of a significant gap between the views of their own security experts and the boardroom.

    The World Economic Forum’s new report, The Global Cybersecurity Outlook 2022, warns there are big discrepancies between bosses and information security personnel when it comes to the state of cyber resilience within organisations.

    According to the paper, 92% of business executives surveyed agree that cyber resilience is integrated into enterprise risk management strategies – or in other words, protecting the organisation against falling victim to a cyberattack, or mitigating the incident so it doesn’t result in significant disruption. However, only 55% of security-focused executives believe that cyber resilience is integrated into risk management strategies – indicating a significant divide in attitudes to cybersecurity.

    This gap can leave organisations vulnerable to cyberattacks, because boardrooms believe enough has been done in order to mitigate threats, while in reality there could be unconsidered vulnerabilities or extra measures that still need to be put in place.

    One of the reasons this cybersecurity gap exists is that chief information security officers (CISOs) and other cybersecurity personnel often feel they’re not consulted. That gap means security is sometimes sacrificed in the name of efficiency or cost, which can have dire consequences down the line.

    For example, take the challenge of ransomware – something that the WEF report suggests 80% of cybersecurity leaders class as a “danger” and “threat” to public safety, not just to their own organisations. Many ransomware attacks are successful because cyber criminals are able to exploit vulnerabilities in networks that could have been rendered harmless if standard security recommendations were followed – for example, applying two-factor authentication, having backups in place or applying cybersecurity updates.

    However, businesses can be reluctant to spend money on these areas or the personnel required to ensure that they are rolled out correctly, seeing it as a cost instead of an investment that will prevent additional money having to be spent further down the line. It’s often the case that it’s only when a business falls victim to a cyberattack that the boardroom really starts paying attention to cybersecurity.

    “The best and most resilient company is the one that has been breached already,” Algirde Pipikaite, cybersecurity strategy lead at the World Economic Forum, told ZDNet. “Because they actually understand the importance of preventing a breach, or – if they are breached – a quick recovery.”

    But waiting to be breached in order for the boardroom to pay attention to cybersecurity isn’t a realistic or desirable option. And there are options that those responsible for cybersecurity can take in order to help boost the cyber resilience of their enterprise.

    One of those options is to ensure that cybersecurity issues can be brought to the board in plain language. Sometimes, the technical nature of some elements of cybersecurity can be overwhelming for people who don’t deal with it day in and day out. Explaining security threats and issues in plain language could go a long way towards closing the gap between the board and the security team. But it’s also vital that cybersecurity teams are aware of how the business operates, what operations are most important and which assets should be prioritised – and an ongoing dialogue with executives is key to a successful partnership.

    One way to get both teams together and encourage this sort of dialogue could be the use of table-top exercises to practise cyber-incident response. This could heighten awareness of potential issues for both business and security teams, enabling both to feel included in the decision-making process. There are also the practical benefits of the organisation learning how it would react to a ransomware attack or other cyber incident, so in the event of a real incident, there’s a plan in place that can be followed.

    “The best way to bring these two communities together is to run a table-top exercise, having your incident response plan and running it in practice,” said Pipikaite. “The worst is if you get attacked and that’s your first time actually trying to resolve a situation while trying to understand it,” she added.

  • NSW will not use iVote again for elections until 'extensive reconfiguration' is made

    The NSW Electoral Commission (NSWEC) has announced it will not use the iVote system again until “extensive reconfiguration and testing” is undertaken.

    During local elections last month, an unknown number of voters were unable to cast a vote due to the state’s iVote online voting system suffering a failure for a portion of the voting period. In the immediate aftermath, the NSWEC attributed the iVote online voting system failure to a higher-than-expected elector load, with around 650,000 people using the system during the local elections last month. “Almost triple the number of voters have used iVote at these elections than any previous election,” NSWEC said at the time.

    Just before the year wrapped up, the state’s electoral commissioner revealed the iVote system failure during the state’s local elections last month may have materially impacted councillor elections in Kempsey, Singleton, and the City of Shellharbour.

    Providing another update yesterday, the electoral commissioner John Schmidt said the iVote system would not be used until the issues experienced last month were rectified. The NSWEC said it was still undertaking a comprehensive review and analysis of the root cause of the problem that surfaced on the iVote system. Schmidt explained that there is currently no backup support available to enable iVote to be offered at state or local government by-elections in the near future, and that the NSWEC would focus on preparing the system for use at the 2023 state general election.

    The electoral commissioner also said he was still going ahead with seeking a court declaration about the validity of the results in three councillor elections. The election declaration, if approved, would mean the currently elected councillors for the impacted councils would serve in the interim.

    The declaration will not be a determination that these three elections are valid more generally, however, the NSWEC previously noted.

    “Finalising the Supreme Court proceedings, completing the iVote system review, and implementing any remediations and improvements, are critical to ensuring the problems that occurred at the December local government elections do not occur again,” the NSWEC said. “In light of the above, the Electoral Commissioner is of the view that it is neither feasible nor appropriate to approve the use of iVote again until those actions are completed.”

    Dr Vanessa Teague, a cryptographer with a particular interest in privacy and election security, has repeatedly warned of the flaws within the iVote system. “Every serious investigation of iVote found serious problems,” Teague tweeted last month in light of the most recent iVote failure. Starting in 2015, she and her colleagues found numerous flaws in iVote, problems that NSWEC has often downplayed.

  • OAIC wants stronger accountability measures in upcoming revised Privacy Act

    The Office of the Australian Information Commissioner (OAIC) has called for more data accountability measures across the board in light of the Attorney-General’s Department (AGD) seeking consultation for its review of the Privacy Act. The AGD began its review into the country’s Privacy Act at the end of 2020 as part of the Commonwealth’s response to the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry, which found the laws needed to be updated to adequately protect consumers and their data.

    Among those measures [PDF] recommended by the OAIC is a central obligation to collect, use, and disclose personal information fairly and reasonably for entities under the scope of Australia’s Privacy Principles (APP). The OAIC envisions this would entail providing consumers with the right to erasure, meaningful consent through requiring them to be properly and clearly informed about how their personal information will be handled, and the right to notification when their personal information is collected.

    Information Commissioner Angelene Falk said the introduction of such accountability measures would raise the standard of data handling to help prevent harms and remove the privacy burden from consumers. “Establishing a positive duty on organisations to handle personal information fairly and reasonably will require them to take a proactive approach to meeting their obligations, as they are best equipped to consider the impacts of the complex information handling flows and practices of their business,” she said.

    The OAIC has also recommended that APP entities be prohibited from taking steps to re-identify information that they collected in an anonymised state unless it is for research involving cryptology, information security, and data analysis. In terms of when entities should notify consumers when their personal information is collected, the OAIC recommends that this should occur when there is unauthorised access to or unauthorised disclosure of anonymised information, or a loss of anonymised information, or when information is re-identified.

    The commissioner also wants to see a ban on practices such as profiling, online personalisation, and behavioural advertising using children's personal information; inappropriate surveillance or monitoring of an individual through the audio or video functionality of their mobile phone or other personal devices; commercial use of automated biometric identification systems; and the scraping of personal information from online platforms.

    When it comes to enforcing these measures, the OAIC has said it would like its regulatory powers expanded through the creation of more types of civil penalties. The agency explained that an expanded range of penalties would make it more likely that a suitable penalty exists for an infringement, whatever its severity.

    “We have recommended changes to the Privacy Act enforcement framework to give the OAIC a greater range of effective tools to uphold the law and respond to emerging threats in a proportionate and pragmatic way,” Commissioner Falk said.

    “This can occur through a simplified civil penalty regime, supported by infringement notices as a quick and cost-effective way to deter non-compliant behaviour without the need for court proceedings.”

    In recommending additional civil penalties, the OAIC also wants to overhaul how it obtains orders for civil penalties in cases of serious or repeated interference with privacy by an entity. According to the OAIC, the current Privacy Act imposes unnecessary thresholds that it must meet before the courts can make orders for civil penalties.

    It has also recommended that the Federal Court be given the express power to make any orders it sees fit for Privacy Act contraventions.

    “Allowing the Court to make the same orders as the Commissioner under section 52 [of the Privacy Act] will promote clarity and certainty for APP entities and allow the Commissioner to pursue, and the Federal Court to order, tailored remedies that are more appropriate for a particular matter,” the OAIC said.

    The AGD's consultation is running alongside its separate consultation on the exposure draft of the Online Privacy Bill, which would introduce a binding online privacy code for social media and certain other online platforms, as well as stronger penalties and enforcement measures.

    Cracking down on tech has been high on the federal government's agenda of late, with the Prime Minister saying three months ago that social media platforms are a “coward's palace” and that they would be viewed as publishers if they are unwilling to identify users who post foul and offensive content.

    These recommendations come on the heels of Australia announcing various initiatives in recent months to address issues on social media platforms and in cybersecurity. In December alone, Australia announced the Online Safety Youth Advisory Council, passed “Magnitsky-style” and critical infrastructure cyber attack laws, and proposed anti-trolling laws.
