A data breach is the process in which an organization or a company faces data loss of some important confidential information or it comes in the contact of unauthorized access or disclosure of data which is supposed to be hidden, such as when a customer’s personal data is lost or stolen, a database center storing all the information is hacked or that important information is mistakenly given to the wrong person, published by OAIC’s website.
The healthcare sector reported the most cases of a data breach at 85, which accounted for almost a fifth of all notifications, stated by OAIC in the biannual report.
According to researched and observations conclusion is that malicious or criminal attacks (48 cases) were the main source of breaches within the healthcare sector, from previous reports it is observed that such data breaches are results of human error which is a “significant shift”.
Thirty-one (31) cases are reported as cyber incidents, e.g., phishing attacks and ransomware.
There was a total of 446 data breaches registered in the first six months of 2021 including all the sectors in healthcare, such as finance, legal, accounting and management, insurance, and the government. This shows a 16% downfall as compared to the July-December 2020 period. Most notifications were made in March.
Malicious or criminal attacks were the leading source of breaches, making up 289 or 65% of the total notifications. The most common type of personal information compromised in breaches is contact information.
5,000 individuals or less almost 93% are affected by data breaches, on the other hand, 100 people or less almost 65% are encountered data breaches.
CS Pro we providing Medical IT Solutions, We are the best IT Company in Australia call us and secure your system from cyber attacks. We ensure that your computers and servers fulfill the RACGP computer security guidelines.
We are a partner of Stay safe online and all our solutions are recommended by them. We operate 24/7.
Sophos Rapid Response has discovered that keeping close tabs on the account credentials in your organization should always be a top priority. Sophos Rapid Response is a 24/7 service that helps organizations to quickly identify and neutralize active threats.
The company reached out to Rapid Response to get help with a Nefilim (also known as Nemty) ransomware attack in which more than 100 systems were impacted. Sophos’ Intercept X endpoint protection has no problem detecting and stopping Nefilim. Unfortunately, the customer did not have this protection in place. Nefilim ransomware, like virtually all major ransomware, replaces the original files with encrypted versions, making recovery impossible without either the decryption key or a recent backup.
The Rapid Response team sprang into action as soon as they were contracted by the customer, loading Sophos security onto all the systems it could access, ensuring all necessary protections were turned on for systems that already had Sophos installed, and digging for clues as to how and when the intrusion began and what might have been stolen.
By the time of Sophos’ standard “kick-off” call to describe the process of the Rapid Response team and gather context around the evidence uncovered so far, the team had already singled out user accounts that had been taken over and compiled a general timeline of the attack.
The team determined the attacker had compromised an admin account with high level access about one month before launching Nefilim ransomware. Or more accurately, the attacker gained access to that admin account, then spent one month quietly moving around to steal credentials for a domain admin account, finding the trove of data they wanted, exfiltrating hundreds of GB of data, and then finally announcing their presence with the ransomware attack.
“Ransomware is the final payload in a longer attack. It is the attacker telling you they already have control of your network and have finished the bulk of the attack. It is the attacker declaring victory,” Peter Mackenzie, manager for Rapid Response, said. “Identifying you are under a ransomware attack is easy, identifying the attacker was on your network a week earlier is what counts.”
Based on Sophos intelligence, the Rapid Response team knew the threat actors behind Nefilim ransomware commonly gain initial access either by exploiting vulnerable versions of Citrix or Remote Desktop Protocol. In this case, the adversary exploited vulnerable Citrix software, gained access to the admin account, then stole the credentials for a domain admin account using Mimikatz.
During Sophos’ initial kick-off call, the Rapid Response team relayed which admin account had been compromised in the initial intrusion, and asked the customer: Whose account was it? The answer: the account belonged to an individual who had sadly passed away around three months before the attacker’s first move.
Apparently, the account was kept active because there were services that it was used for, meaning the Rapid Response team had to discern which activities from that account were legitimate and which were malicious.
“The malicious activities were often in the middle of the night for the customer’s local time,” Mackenzie said. “We were able to work out some of the movements in the account based on when they occurred and when the commands were being performed.”
If an organization really needs an account after someone has left the company, they should implement a service account and deny interactive logins to prevent any unwanted activity. Or, if they don’t need the account for anything else, disable it and carry out regular audits of Active Directory. Active Directory Audit Policies can be set to monitor for admin account activity or if an account is added to the domain admin group.
Mackenzie noted far fewer accounts need to be a domain admin than most people think.
“People assume because a person is an executive or is in charge of the network that they need to be using a domain admin account. This isn’t true and it’s dangerous,” Mackenzie said. “No account with privileges should be used by default for work that doesn’t require that level of access. Users should elevate to using the required accounts when needed and only for that task.”
Mackenzie added that alerts should be set so that if the domain admin account is used or if a new admin account is created, someone knows. A previous case that Rapid Response was called in on proved this point.
In this particular case, an attacker gained access to an organization’s network, created a new user, and added that account to the domain admin group in Active Directory. No alerts were set off, so that new domain admin account went on to delete about 150 virtual servers and used Microsoft BitLocker to encrypt the server backups.
Mackenzie told the customer they were lucky the attack was so visibly destructive and easily noticed.
“If they hadn’t done that, how long would they have had domain admin access to the network without the customer knowing?”
Detection and IoCs
Nefilim ransomware is detected in Sophos Endpoint Protection under the definition Troj/Ransom-GDN.
Additional indicators of compromise have been published to the SophosLabs Github.
Nefilim group Tactics, Techniques, and Procedures (TTPs)
The common Tactics, Techniques and Procedures (TTPs) of the group(s) that operate Nefilim ransomware have often utilized Citrix vulnerabilities or Remote Desktop Protocol (RDP) to gain initial entry into victim environments by exploiting public facing applications MITRE ATT&CK T1190.
In this case, the Rapid Response team discovered vulnerable versions of Citrix software on customer systems. Although it is unclear what vulnerability was exploited, the installed Citrix Storefront 7.15 CU3 was vulnerable at time of incident to 1 Critical (CVE-2019-11634) and 4 High rated CVE vulnerabilities (CVE-2019-13608, CVE-2020-8269, CVE-2020-8270, CVE-2020-8283) which may have been exploited in order to gain initial access to the target network.
Once in, the threat actor also used Remote Desktop Protocol (RDP) logins to maintain access to the initial admin account used in the attack. On the network, the threat actor used Mimikatz, which allows the threat actors to reveal the credentials stored on the system, to compromise a domain admin account.
The Rapid Response investigation uncovered PowerShell commands as well as the use of RDP and Cobalt Strike to move laterally to multiple hosts, conduct reconnaissance, and enumerate the network.
The threat actor installed the file transfer and synchronization application MEGA in order to exfiltrate data.
The Nefilim ransomware binaries were deployed using Windows Management Instrumentation (WMI) via the compromised domain admin account.
Checklist for secure account access management
Only grant the access permissions needed for a specific task or role
Disable accounts no longer needed
If you need to keep an account active after the original owner has left the organization, implement a service account and deny interactive logins
Carry out regular audits of Active Directory: Active Directory Audit Policies can be set to monitor for admin account activity or if an unexpected account is added to the domain admin group
Have a robust security solution in place, ideally with anti-ransomware technologies such as that featured in Intercept X
Documents reveal how the Australian Federal Police made use of Clearview AI — a controversial facial recognition technology that is now the focus of a federal investigation.
At least one officer tested the software using images of herself and another member of staff as part of a free trial.
In another incident, staff from the Australian Centre to Counter Child Exploitation (ACCE) conducted searches for five “persons of interest”.
According to emails released under Freedom of Information laws, one officer also used the app on their personal phone, apparently without information security approval.
Based in New York, Clearview AI says it has created a tool that allows users to search faces across a database that contains billions of photos taken, or “scraped”, without consent from platforms such as Facebook and Instagram.
The company provoked outrage in January, when the New York Times revealed the extent of its data collection and its use by law enforcement officials in the United States.
The AFP initially denied any ties to Clearview AI before later confirming officers had accepted a trial.
An agency spokeswoman said a “limited pilot of the system” was conducted to assess its suitability in combatting child exploitation and abuse.
She did not comment on questions from the ABC regarding whether the trial was approved and conducted appropriately by officers.
Last week, the Office of the Australian Information Commissioner (OAIC) announced an investigation into Clearview’s use of scraped data and biometrics, working with the UK’s Information Commissioner’s Office (ICO).
AFP initially denied using Clearview AI
The AFP acknowledged in April that members of the ACCE had undertaken a free trial of Clearview’s facial recognition services, but the extent of its use by officers remained unclear.
No formal contract was ever entered into.
“The use by AFP officers of private services to conduct official AFP investigations in the absence of any formal agreement or assessment as to the system’s integrity or security is concerning,” Labor leaders, including Shadow Attorney-General Mark Dreyfus, said in a statement at the time.
The new cache of AFP documents shows officers accessed the Clearview AI platform from early November 2019.
Tests of the tool undertaken using images of AFP staff and several “persons of interest” are detailed in the agency’s response to questions issued by the information commissioner as part of the office’s inquiries.
However, the agency said it did not know how many actual searches officers undertook, because the AFP’s access to Clearview AI was now restricted.
An executive briefing note claims Clearview AI was used operationally only once to locate a suspected victim of imminent sexual assault.
“To date no Australian personal information has been successfully retrieved through the Clearview platform,” the briefing also states.
The use of Clearview AI appears to have caused concern within the agency — and in some cases, officers appear to query whether the tool has been formally approved.
In December 2019, one officer asks if “info sec” (information security) had raised any concerns about the use of Clearview AI.
In response, another officer responds they “haven’t even gone down that path yet”, revealing that they’re “running the app” on their personal phone.
In January, after the media began reporting about Clearview AI, another member of staff notes “there should be no software used without the appropriate clearance”.
The emails also show some bemusement internally at public claims the AFP was not using the tool, with one officer commenting: “Maybe someone should tell the media that we are using it!”
“Or should we stop using it since everyone is raising the issue of approval,” another replies, with a smiley face emoji.
“Interesting that someone says we aren’t using it when we clearly are,” another employee from the ACCCE wrote on January 21.
Officers were directed to cease all access as of January 22, 2020 — four days after the New York Times story was published.
Clearview AI was founded by Australian businessman Hoan Ton-That.
In the documents, he appears to contact an AFP officer personally via email in December 2019 — introducing himself and asking them how they found the tool.
In a statement, Dr Ton-That said Clearview would cooperate with the UK’s ICO and Australia’s OAIC.
“Clearview AI searches publicly available photos from the internet in accordance with applicable laws,” he said. “It’s powerful technology [and] is currently unavailable in UK and Australia.”
Shortly after Mr Ton-That’s December message, an AFP officer wrote in an email that they had run a mugshot through the Clearview system and “got a hit for [the suspect’s] Instagram account”.
“The [facial recognition] tool looks very good,” they wrote.
Microsoft’s LinkedIn was sued by a New York-based iPhone user on Friday for allegedly reading and diverting users’ sensitive content from Apple’s Universal Clipboard application.
According to Apple’s website, Universal Clipboard allows users to copy text, images, photos, and videos on one Apple device and then paste the content onto another Apple device.
According to the lawsuit filed in San Francisco federal court by Adam Bauer, LinkedIn reads the Clipboard information without notifying the user.
LinkedIn did not immediately respond to Reuters request for comment.
According to media reports from last week, 53 apps including TikTok and LinkedIn were reported to be reading users’ Universal Clipboard content, after Apple’s latest privacy feature started alerting users whenever the clipboard was accessed with a banner saying “pasted from Messages.”
“These “reads” are interpreted by Apple’s Universal Clipboard as a “paste” command,” Bauer’s lawsuit alleged.
A LinkedIn executive had said on Twitter last week that the company released a new version of its app to end this practice.
Developers and testers of Apple’s operating system iOS 14 found that LinkedIn’s application on iPhones and iPads “secretly” read users’ clipboard “a lot,” according to the complaint.
The lawsuit seeks to certify the complaint as class action based on alleged violation of the law or social norms, under California laws.
According to the complaint, LinkedIn has not only been spying on its users, it has been spying on their nearby computers and other devices, and it has been circumventing Apple’s Universal Clipboard timeout.
Australia’s privacy watchdog will probe the personal information handling practices of Clearview AI after several policing agencies admitted to having used the controversial facial recognition tool.
The Office of the Australian Information Commissioner (OAIC) on Thursday opened a joint investigation into the software with the United Kingdom’s Information Commissioner’s Office (ICO).
The tool, which is targeted at law enforcement agencies, is capable of matching images with billions of others from across the internet, including social media, to find persons of interest.
As part of the probe, OAIC and its overseas counterpart will look at Clearview AI’s “use of ‘scraped’ data and biometrics of individuals”, as well as how it manages personal information more broadly.
“The investigation highlights the importance of enforcement cooperation in protecting the personal information of Australian and UK citizens in a globalised data environment,” the OAIC said in a brief statement.
“In line with the OAIC’s privacy regulatory action policy, and the ICO’s communicating our regulatory and enforcement activity policy, no further comment will be made while the investigation is ongoing.”
The investigation follows preliminary enquiries by OAIC earlier this year after the tool was revealed to have been used by 2200 law enforcement agencies globally, including the Australian Federal Police and the Queensland, Victoria and South Australia police forces.
While the four policing agencies initially denied that the software had been used, the AFP and Victoria Police have since been forced to admit to having briefly trialled the tool from late 2019.
The AFP confirmed in answers to questions on notice that seven officers from the Australian Centre to Counter Child Exploitation had used the tool to conduct searches after being sent trial invitations from Clearview AI.
Victoria Police, similarly, confirmed in a freedom of information request that several officers from the Joint Anti-Child Exploitation Team had run more than 10 searches using the tool after signing up.
Both agencies stressed that Clearview AI had not been adopted as an enterprise product and that no formal commercial agreements had been entered into.
The NSW government has set up a cyber security vulnerability management centre in Bathurst, which will start operating next month.
The centre will be operated by Cyber Security NSW, the new name given to what was formerly the Office of the Government Chief Information Security Office.
It will provide the NSW government with an increased awareness of vulnerabilities in internet-facing services and assets,” Customer Service Minister Victor Dominello said in a statement.
“It will deliver a vital, sector-wide risk management capability and is critical to ensuring enhanced monitoring of at-risk government systems, as well as early identification and remediation of known vulnerabilities.
“Early detection of vulnerabilities and the ability to report them to the relevant agencies and departments is essential to improving our cyber security.”
The government added that the centre “will provide ongoing and automated vulnerability scanning across departments and agencies, and as capability develops, other services will be introduced.”
The centre is the first of its kind in NSW and will employ eight Bathurst-based cyber security staff.
It will also see Cyber Security NSW work in partnership with UpGuard “to provide the NSW Government with greater capabilities to detect and manage internet-facing vulnerabilities and data breaches.”
The centre’s establishment comes as the NSW government prepares to invest $240 million into cyber security over the next three years.
It also comes as news reports emerge of the state government being a major target of a potentially state-based attack.
When it launched, COVIDSafe was marketed as Australia’s ticket out of lockdown, so long as everyone downloaded it.
“If you want to go outside when the sun is shining, you have got to put sunscreen on. This is the same thing,” Prime Minister Scott Morrison said at the time.
Two months on, state and territory health departments are yet to declare the app has identified any people exposed to COVID-19 who weren’t already found by traditional contact tracers.
And as the app’s technical challenges have been revealed, public health experts are questioning whether the app is a distraction from the “real work” of controlling coronavirus.
It’s too early to provide a verdict, but it is common for technologies to be presented as “our knights in shining armour” during a pandemic, according to Julie Leask, a public health and infection disease specialist at Sydney University.
It’s human to see something we can hold, something that’s tangible, as more helpful than “the more invisible human behaviours and public health capacities that are still at the heart of our control of [COVID-19]”, she said.
A Health Department spokesperson said all its communications about COVIDSafe highlight the app as just one important tool in controlling COVID-19.
“Communication clearly places the app alongside the need for physical distancing, good hygiene and the importance of staying at home if unwell (and getting tested),” she said.
The risk of complacency
As the country faces a spike of cases in Victoria, some public health experts are concerned the Government’s comparison of the app to sunscreen could make Australians complacent.
Often the hardest thing for people to change about their health is their behaviour, according to Adam Dunn, who leads biomedical informatics and digital health at the University of Sydney.
“It’s much easier to prescribe someone medication … than convince them to completely change their lifestyle,” he said.
While a simple technical solution to the coronavirus lockdown is an attractive idea, it’s not so easy.
Holly Seale, a senior lecturer at UNSW’s School of Public Health and Community Medicine, said focusing on the app’s benefits to the individual may have raised expectations beyond what is technologically possible.
Instead, Dr Seale suggested public health campaigns should focus on its collective benefit to the contact-tracing process.
Today the “Stay COVID free and do the 3” catchphrase is used in advertisements, a Health Department spokesperson said, to encourage Australians to download the app as well as maintain hygiene and distancing.
And the Government is speaking about it less often. In the two weeks after launch, the Prime Minister Scott Morrison mentioned COVIDSafe in 14 press conferences, interviews and media releases that are transcribed on his website. He’s mentioned it just once in the past two weeks.
A technical quick fix
A technical solution to the coronavirus lockdown is an attractive narrative — and one both the Government and many parts of the media ran with.
But Dr Leask said caution was necessary, especially as the public was presented with little evidence for the app’s effectiveness.
“As the saying goes, with every complex problem there’s a solution that’s simple, clear and usually wrong,” she said.
Modelling released today by the public health think tank the Sax Institute suggests a second wave of COVID-19 infections in Australia is likely if social-distancing measures and testing decline.
The research found that in this scenario, the COVIDSafe app could help curb the number of infections.
But this modelling makes some assumptions: that uptake of the app reaches more than 60 per cent of the Australian population, and that the app works as it is intended to.
Sax Institute senior simulation modeller Danielle Currie said that while COVIDSafe had not reached these targets yet, the modelling was reason for optimism.
“What our work shows is that using the app and promoting it widely is worthwhile, assuming that there are technological improvements. This should give the Government confidence to continue its pushing,” she said.
Dr Currie said the app could still prove to be helpful in places like Victoria where there are outbreaks.
“If there’s not many cases, the app won’t pick it up. But if we do get a lot — and the model suggests we might — it could be very helpful,” she said.
The other options
So, could the time, millions of dollars and effort spent on COVIDSafe have been invested elsewhere instead, to better effect? There’s no single answer.
As a behavioural researcher, Dr Leask would like more funding for public health research — how to provide better messaging for communities where English is not their first language, for example.
And in Dr Dunn’s view, Australia would have benefited from more communication about contact tracers and the work they do, as well as more financial support for such teams overall.
For others, masks are the issue of the day. Epidemiologist Mary-Louise McLaws, who advises the World Health Organization (WHO), hopes Australian authorities implement firm guidelines on face masks, because currently the Government doesn’t recommend them.
The WHO initially said healthy people did not need to wear masks but later revised its advice, recommending their use whenever social distancing was impossible.
“[The Government] should be telling people to wear a mask on public transport in or outside of hotspots. It really stands to reason that they should be enforcing masks in some situations,” Dr McLaws said.
Lidia Morawska, who is an expert in aerosol science at the Queensland University of Technology, is frustrated the potential airborne transmission of COVID-19 has been overlooked by authorities.
She makes the case for concrete guidelines on ventilation of high-traffic venues like restaurants, cafes and churches so people aren’t at risk from potentially infected particles lingering in the air.
If the cafe you’re sitting in for a few hours doesn’t know much about the science of air movement, which is pretty likely, this could be problematic, Dr Morawska said.
“We need investment in proper guidelines about ventilation to protect people indoors from infection transmission,” she said. “Researchers have been calling for this since SARS-CoV-1.”
There’s still much to learn about aerosol transmission of COVID-19. The WHO has acknowledged its danger in clinical settings, but is waiting for more peer-reviewed research to assess its risk in other environments.
In the end, Dr Leask believes Australia’s best solutions for controlling COVID-19 remain those that have proven their worth time and again.
“Looking back, you can’t beat good old-fashioned public health … when you don’t yet have a vaccine or a treatment that’s established as being really effective,” she said.
The Australian Government is aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor.
A range of tactics, techniques and procedures are being used to target multiple Australian networks. It’s important that Australian companies are alert to this threat and take steps to enhance the resilience of their networks. Cyber security is everyone’s responsibility.
What your IT managers can do
The ACSC has produced the a technical advice for Information Technology managers.
The advice includes the following mitigation strategies to help reduce the risk of compromise to your systems:
1. Prompt patching of internet-facing software, operating systems and devices
All exploits utilised by the actor in the course of this campaign were publicly known and had patches or mitigations available. Organisations should ensure that security patches or mitigations are applied to internet-facing infrastructure within 48 hours. Additionally organisations, where possible, should use the latest versions of software and operating systems.
2. Use of multi-factor authentication across all remote access services
Multi-factor authentication should be applied to all internet-accessible remote access services, including:
A newly discovered spyware effort attacked users through 32 million downloads of extensions to Google’s market-leading Chrome web browser, researchers at Awake Security told Reuters, highlighting the tech industry’s failure to protect browsers as they are used more for email, payroll and other sensitive functions.
Alphabet Inc’s Google said it removed more than 70 of the malicious add-ons from its official Chrome Web Store after being alerted by the researchers last month.
“When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” Google spokesman Scott Westover told Reuters.
Most of the free extensions purported to warn users about questionable websites or convert files from one format to another. Instead, they siphoned off browsing history and data that provided credentials for access to internal business tools.
Based on the number of downloads, it was the most far-reaching malicious Chrome store campaign to date, according to Awake co-founder and chief scientist Gary Golomb.
Google declined to discuss how the latest spyware compared with prior campaigns, the breadth of the damage, or why it did not detect and remove the bad extensions on its own despite past promises to supervise offerings more closely.
It is unclear who was behind the effort to distribute the malware. Awake said the developers supplied fake contact information when they submitted the extensions to Google.
“Anything that gets you into somebody’s browser or email or other sensitive areas would be a target for national espionage as well as organized crime,” said former National Security Agency engineer Ben Johnson, who founded security companies Carbon Black and Obsidian Security.
The extensions were designed to avoid detection by antivirus companies or security software that evaluates the reputations of web domains, Golomb said.
If someone used the browser to surf the web on a home computer, it would connect to a series of websites and transmit information, the researchers found. Anyone using a corporate network, which would include security services, would not transmit the sensitive information or even reach the malicious versions of the websites.
“This shows how attackers can use extremely simple methods to hide, in this case, thousands of malicious domains,” Golomb said.
After this story’s publication, Awake released its research, including the list of domains and extensions.
All of the domains in question, more than 15,000 linked to each other in total, were purchased from a small registrar in Israel, Galcomm, known formally as CommuniGal Communication.
Awake said Galcomm should have known what was happening.
In an email exchange, Galcomm owner Moshe Fogel told Reuters that his company had done nothing wrong.
“Galcomm is not involved, and not in complicity with any malicious activity whatsoever,” Fogel wrote. “You can say exactly the opposite, we cooperate with law enforcement and security bodies to prevent as much as we can.”
Fogel said there was no record of the inquiries Golomb said he made in April and again in May to the company’s email address for reporting abusive behavior, and he asked for a list of suspect domains.
After publication, Fogel said the majority of those domain names were inactive and that he would continue to investigate the others.
The Internet Corp for Assigned Names and Numbers, which oversees registrars, said it had received few complaints about Galcomm over the years, and none about malware.
While deceptive extensions have been a problem for years, they are getting worse. They initially spewed unwanted advertisements, and now are more likely to install additional malicious programs or track where users are and what they are doing for government or commercial spies.
Malicious developers have been using Google’s Chrome Store as a conduit for a long time. After one in 10 submissions was deemed malicious, Google said in 2018 it would improve security, in part by increasing human review.
But in February, independent researcher Jamila Kaya and Cisco Systems’ Duo Security uncovered a similar Chrome campaign that stole data from about 1.7 million users. Google joined the investigation and found 500 fraudulent extensions.
“We do regular sweeps to find extensions using similar techniques, code and behaviors,” Google’s Westover said, in identical language to what Google gave out after Duo’s report.
New technology that could help alert people who have been in close contact with someone who has COVID-19 is being tested to determine if it will work in Australia.
Google and Apple have devised a COVID-19 exposure notification system they hope health authorities globally will use to build contract tracing apps and improve existing platforms, like Australia’s COVIDSafe.
It has been offered to governments across the world and so far 22 countries have requested and received access to the technology, including Australia.
“The Digital Transformation Agency and the Department of Health have been working with Apple and Google to understand and test the Exposure Notification Framework since it was released to see how it can be applied in Australia,” a spokesman for Government Services minister Stuart Robert said.
“That testing is ongoing.”
How does it work?
Apple and Google said the application programming interface (API) was designed to improve local contact tracing efforts and not replace them.
The pair said the technology could address some of the technical difficulties that have plagued contact tracing apps, including Australia’s COVIDSafe.
The API, like COVIDSafe, uses Bluetooth to create a log of other devices that come into close range.
While the government said COVIDSafe worked reliably on launch, Digital Transformation Agency (DTA) chief executive Randall Brugeaud later admitted an iPhone could not always record all the people it came into close contact with due to Bluetooth issues.
“The quality of the Bluetooth connectivity for phones that have the app installed running in the foreground is very good [but] it progressively deteriorates,” he said.
“You get to a point where the phone is locked and the app is running in the background.”
Subsequent software updates to COVIDSafe may have improved these issues, but the DTA is yet to clarify how it has enhanced the performance on iPhones.
“We are continuing the enhancement of the Bluetooth operation of the app on iPhones and it is working as designed,” said Department of Health Chief Information Officer Daniel Keys.
Apple and Google believe that without their assistance, contact tracing apps that rely on Bluetooth may have technical challenges and drain phone batteries.
They also said iPhones and Android phones that have downloaded contact tracing apps cannot easily detect each other without the API.
The technical challenges outlined by the companies suggest the COVIDSafe app is not able to collect all the data it was set out to do.
“Apple and Google cooperated to build … technology that will enable apps created by public health agencies to work more accurately, reliably and effectively across both Android phones and iPhones,” a spokesperson for Apple and Google said.
How are the API and COVIDSafe app different?
The COVIDSafe app keeps an encrypted log of everyone who also has the app on their device if they come into close contact with each other, but users cannot access that list.
But Thinking Cybersecurity CEO Vanessa Teague said there is a key difference in how Google and Apple want the data to be shared.
“It’s crucially different in the amount of information that passes through the central authorities,” she said.
Under the COVIDSafe app, health authorities ask permission to access the information about who an infected person has been in contact with and then uses it to notify those people.
Ms Teague said the Apple/Google system would mean health authorities are removed from the process.
While the exact operating details are unclear, it seems that if a person tests positive they can choose to report the diagnosis, which would then send a notification to those who had been in close contact.
“You get a notification on your phone that says you have been in proximity with a person who has tested positive for COVID-19 so then you know, but at that point, the authorities don’t know that you have been potentially exposed,” she said.
Apple and Google would allow public health authorities to decide how to reach exposed individuals for further contact tracing — possibly by asking users to voluntarily share personal details, like a phone number.
But can we even use the API?
While the Department of Health examines whether the API can be used in conjunction with COVIDSafe, Apple and Google have made clear there are restrictions on its use that could complicate any moves by Australia to take up the system.
For example, while health authorities can ask users to share personal information such as a phone number to support contact tracing efforts, the companies’ spokespeople said the app cannot require it.
COVIDSafe currently asks the user to share a name, phone number, and postcode and age range before they can download the app.
Ms Teague said the API will likely fix technology problems associated with COVIDSafe such as Bluetooth connectivity, but the Government may not be inclined to give away the control it has to contact trace.
But she argued that if the Government adopted the API, more Australians could be inclined to sign up.
“That is the key democratic decision to be made,” she said.
“If we want a decentralised app, there will be less information available to a centralised government service.
“But maybe more people will use the app because they will be more willing to do so if that information isn’t being centralised.”
“Or, we could continue to insist on the centralised app knowing some people won’t use it because they don’t want that information shared about them.”
The Government will no doubt be looking to try and find a balance so that it can improve the technology of the app while being able to maintain control of contact tracing.
Health Minister Greg Hunt spoke with Apple’s vice-president for health, Dr Sumbul Desai, to discuss Australia’s health roadmap, which included screening tools and the COVIDSafe app.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.