The Claim
“Told myGov users to downgrade the security on their account when travelling overseas, which is when security risks are highest.”
Original Sources Provided
✅ FACTUAL VERIFICATION
The core claim is TRUE. In December 2015, the Australian government's myGov Twitter account (@myGovau) actively encouraged users to "turn off your myGov security codes" before traveling overseas [1]. The myGov portal posted messages with "cute pictures encouraging holidaymakers to 'turn off your myGov security codes' so that 'you can spend more time doing the important things'" [1].
The reasoning behind this advice was practical: Australian tourists often swap their Australian SIM cards for local ones while traveling, which would prevent them from receiving SMS-based security codes [1]. The system used SMS-based two-factor authentication (2FA) at the time, sending one-time codes via text message to complement regular passwords [1].
When criticized on Twitter by security professionals for advising users to downgrade security precisely when they face higher risks (open hotspots, internet cafes), myGov responded that users who turned off security codes would "still need to securely sign in with secret questions & answers" [1].
Missing Context
Important context the claim omits:
Technical limitation, not malicious intent: The advice stemmed from a genuine technical limitation - SMS-based 2FA requires cellular reception on the registered number. Travelers with local SIMs wouldn't receive Australian SMS messages [1].
myGov was very new: The myGov portal had only launched in May 2013 [2]. The platform was still developing its security architecture and had not yet implemented app-based authentication methods that would have solved this problem.
Limited scope of protection: When the claim says "security codes," it refers specifically to SMS-based 2FA - not all security measures. Users still required passwords and secret questions [1].
Timing context: This occurred in December 2015 during the holiday travel season - the advice was positioned as helping travelers avoid being locked out of their accounts while abroad [1].
Source Credibility Assessment
Ars Technica is a reputable technology journalism outlet with strong technical credibility [3][4][5]:
- Rated as "Reliable, Analysis/Fact Reporting" by Ad Fontes Media with a "Middle category of bias" [3]
- Media Bias/Fact Check found no "overt bias" in political coverage [4]
- Biasly.com gives Ars Technica a 2% Center bias score [5]
- The specific article was written by Andrii Degeler, a contributing reporter with a master's degree in Journalism [1]
The article itself is factual reporting based on publicly available Twitter posts from the official myGov account. There is no evidence of partisan bias in this particular piece - it is technical/cybersecurity reporting that would apply regardless of which party was in government.
Labor Comparison
Did Labor do something similar?
Search conducted: "Labor government myGov digital security policy two-factor authentication equivalent"
Finding: Not directly applicable - myGov was launched in May 2013 under the Gillard Labor government [2]. The December 2015 incident occurred during the Abbott/Turnbull Coalition government, but the platform itself was created and launched by Labor. The SMS-based 2FA system that caused this problem was implemented during the platform's early development (2013-2015).
Historical context: The Department of Human Services (DHS) administered myGov during this period. The advice came from the departmental Twitter account, not from a Minister or political office. The myGov platform's technical architecture and security decisions were operational matters managed by public servants rather than political appointees [2].
Labor's broader digital record: Both major parties have faced cybersecurity criticism. The myGov incident reflects a period when Australian government digital services were still maturing - something that began under Labor and continued under the Coalition.
Balanced Perspective
The full story:
The December 2015 incident represents a genuine cybersecurity misstep by the myGov platform administrators. Security experts correctly criticized the advice because:
- Travelers using public WiFi and internet cafes face elevated security risks
- Disabling 2FA removes an important protection layer precisely when it's most needed
- Secret questions are significantly less secure than 2FA (answers can often be guessed or researched)
However, there are mitigating factors:
- Technical limitation: The advice addressed a real usability problem - travelers with local SIMs would be locked out of their accounts if 2FA remained enabled
- Departmental decision: This was an operational decision by myGov/DHS staff, not a government policy directive
- Platform immaturity: myGov was still developing (launched just 2.5 years prior); modern alternatives like authenticator apps weren't yet implemented [2]
- Response to feedback: When criticized, myGov attempted to explain the alternative authentication measures available [1]
Not unique to Coalition: This type of security-usability trade-off is common across governments. The incident reflects organizational learning about balancing security with accessibility - a challenge all governments face. The platform continued operating under both parties with ongoing security improvements.
TRUE
7.0
out of 10
The claim is factually accurate. The myGov platform did advise users to disable two-factor authentication when traveling overseas in December 2015. This was indeed poor security advice given that travelers face heightened cybersecurity risks abroad. However, the context is important: this was a departmental operational decision addressing a genuine technical limitation (SMS delivery to foreign SIMs), not a government policy directive. The advice was widely criticized by security professionals at the time, and the incident reflects the immaturity of government digital services in 2015 rather than a unique Coalition failing.
Final Score
7.0
OUT OF 10
TRUE
The claim is factually accurate. The myGov platform did advise users to disable two-factor authentication when traveling overseas in December 2015. This was indeed poor security advice given that travelers face heightened cybersecurity risks abroad. However, the context is important: this was a departmental operational decision addressing a genuine technical limitation (SMS delivery to foreign SIMs), not a government policy directive. The advice was widely criticized by security professionals at the time, and the incident reflects the immaturity of government digital services in 2015 rather than a unique Coalition failing.
Rating Scale Methodology
1-3: FALSE
Factually incorrect or malicious fabrication.
4-6: PARTIAL
Some truth but context is missing or skewed.
7-9: MOSTLY TRUE
Minor technicalities or phrasing issues.
10: ACCURATE
Perfectly verified and contextually fair.
Methodology: Ratings are determined through cross-referencing official government records, independent fact-checking organizations, and primary source documents.