More stories

  • in

    Google extends COVID Card vaccination certificate to Australia

    Google last week announced extending its COVID Card feature to Australia, allowing Android users to access vaccination information on their device. Google said it worked with Services Australia to give “a convenient and secure way to view, save, and show your vaccination status and information, straight from your smartphone”. The information will show in the vaccination passport once a second dose has been administered. According to Google, vaccine information is only stored on the user’s device and not stored by Google. However, when adding the certificate to Google Pay, users are prompted to confirm they agree to their data being stored offshore. “If you add your COVID-19 digital certificate to Google Pay, others with access to this device will be able to view the certificate. It’s your responsibility to keep your certificate secure,” the prompt says. “By selecting ‘Accept’, you provide consent for the Australian government to share the information contained in your COVID-19 digital certificate with Google for Google Pay who will store it on servers outside of Australia.

    “A copy of your certificate may also be stored on servers outside of Australia if you have other cloud applications stored on your device to backup your data.” When asked about the storing of data offshore, Services Australia said the COVID-19 digital certificate would be entirely optional for Australians. “Once provided to the individual, it is their choice as to how they use and store it,” a spokesperson for Minister Linda Reynolds told ZDNet. “This includes accessing the certificate via government apps, or downloading it to their phone, or storing it in their digital wallet.” The spokesperson confirmed the certificate was accessible without using the digital wallet storage option. “We know Australians are increasingly using digital wallets so people can choose to store their certificate in this way, if it suits them,” they continued. “Users are informed that the Apple or Google digital wallet utilises offshore storage before agreeing to use the service.” In its Secure Cloud Strategy, the Digital Transformation Agency (DTA) said entities operating in Australia must comply with Australian Privacy Principles (APP) when storing data on Australians. “The Privacy Act does not prevent an Australian Privacy Principle (APP) entity from engaging a cloud service provider to store or process personal information overseas. The APP entity must comply with the APPs in sending personal information to the overseas cloud service provider, just as they need to for any other overseas outsourcing arrangement,” it said. When asked if it had any concerns with the certificate information being stored offshore, the DTA said it was a question for Services Australia.
Google is also yet to return a comment. Users can access their vaccination certificate via the Express Plus Medicare app or via the Medicare portal of the MyGov website, with the option to select “view your COVID-19 digital certificate” and “Save to Phone” to do just that. “For added convenience, you can access your vaccine information even when you’re offline, which means you do not need mobile or Wi-Fi connection,” Google added. “If you have the Google Pay app on your Android phone, you can also access the certificate from the same place where you access your other cards and other passes.” Every time a user accesses their certificate, they will be asked for the password, PIN, or biometric method that has been set up. As of 9pm AEST 8 August 2021, there were just over 4,700 active cases of COVID-19 in Australia, with a total of 36,330 cases since January 2020. Stay-at-home orders continue to be in place around the country, with a majority of the population of New South Wales under lockdown since June 25. In a bid to speed up the process of checking into venues and managing check-in history, the NSW government on Monday announced a new COVID-19 check-in card, as well as updates to the Service NSW app. Minister for Digital and Customer Service Victor Dominello said customers would soon be able to register for a COVID-19 check-in card which they could present to supermarkets and other essential retail businesses to scan as a faster and safer way to complete the self-service webform check-in or paper sign-in currently used by customers without a smartphone. Customers can download and print their COVID-19 check-in card or have a plastic card mailed to them. Their contact details will be stored within the QR code, which will prepopulate the webform when scanned by the business.
As the Service NSW app gives users the option for face biometrics to be used when logging in — a task made difficult with mandatory mask requirements — the government has also extended the log-in period to four hours.

  • in

    Australian Electoral Commission is seeking a new Senate ballot scanning solution

    The Australian Electoral Commission (AEC) has gone to tender for an “end-to-end” digital ballot scanning solution, hoping to have something in place for the 2021/22 election. Specifically, the AEC said it requires a solution to digitise all Senate ballot papers, which includes capturing the preferences and metadata, completed in a federal election. “It is estimated this will be in the order of 16 million ballot papers for the 2021/2022 event and will grow by 5 to 10% for each federal electoral event after that,” it adds in the market notification published over the weekend. “Given the size and complexity of the project and operational phase, the AEC’s preference is to purchase an end to end solution.” Senate ballot paper digitisation must be completed by no later than 27 calendar days after election day and the first ballot papers will be available for scanning from the Tuesday after election day. The Senate ballot papers must be processed in the state for which the Senate ballot paper has been returned. “The process for the digitisation of Senate ballot papers will start once the division has finished their processing of the Senate ballot papers,” it said. “AEC is open to solutions as suggested by the provider as to the location(s) of the digitisation solution in each state and territory.” As detailed in the market notification, the successful provider must design, develop, test, build, implement, and support an accurate and secure digitisation solution for the AEC to facilitate the count of Senate ballot papers for an electoral event in compliance with the Commonwealth Electoral Act 1918. The solution must be able to process and export the data from approximately 16 million ballot papers within 27 days from election day.

    As part of the end-to-end mandate, the provider will be responsible for the development and implementation of the solution, including project management, business analysis, design, and build. The digitisation solution, the AEC said, must protect all data when it is at rest and when it is in transit, and adhere to all security requirements as outlined by the Australian Cyber Security Centre (ACSC). The AEC in 2018 handed Fuji Xerox Businessforce a two-year, AU$27 million contract to provide a ballot scanning system for the then-upcoming federal election. The solution was a “very similar” solution to the one used for the 2016 federal election, which the Australian National Audit Office (ANAO) called out for lacking on the security front. In particular, the ANAO said AEC ditched compliance with Australian government IT security frameworks and said insufficient attention was paid to assuring the security and integrity of the data generated both during and after operation, as the focus was on delivering a Senate scanning system by polling day — 12 weeks out from the election. AEC commissioner Tom Rogers said he was satisfied with the risks that the AEC accepted ahead of its go-live. One of the concerns raised with Rogers was that Fuji Xerox Businessforce was handed the contract not through conducting a public tender, but rather the AEC used an existing standing deed of offer with Fuji Xerox. During Senate Estimates in May, Rogers was questioned on the ballot scanning process. “The process is that data is manually entered, and that’s matched with the automated process,” he said. “All paper is scanned when it first arrives, and, from that image, which is an image, that data is then entered, and then the data from the scan is then compared with that to make sure that they match.
Where they don’t match, we undertake further processes.” It captures an image, Rogers said, and that image is then presented to the data entry operator, who enters the data from that image. “At the same time, the data-capture process — as part of capturing the image — is then compared with that manual process. Where that matches, that’s taken to be an accurate match and it’s included in the count. Where it doesn’t match, we undertake further processes,” he continued. The AEC was asked about its security posture at the Senate Estimates prior, with Rogers dismissing the proposal to allow a non-government researcher to conduct a security audit on its systems. At the time, he said the AEC works with a range of partners, including the ACSC, and that the agency has had its internal code audited and checked to assure that its systems are running smoothly. Closing day for indication of interest is 16 August 2021. The Department of Foreign Affairs and Trade (DFAT) has also approached the market this week, seeking the delivery of a threat intelligence platform and cyber threat intelligence services. “The procurement is to include strategic, operational, and tactical cyber threat intelligence products/services to be integrated into the provided Threat Intelligence Platform, to allow the department to detect and manage threats posed by malicious actors against the government sector and the department itself; enable the department to search, explore, and investigate threats and vulnerabilities, including its IP addresses, domains, brands, supply chain or technology stack; and request custom threat intelligence products on an ad hoc basis,” it wrote in the request for quote. For the threat intelligence platform, DFAT is seeking a vendor to provide a service, either cloud-based or on-premise, for the purposes of ingesting cyber threat intelligence feeds, with the intention of using it for the management of cyber threat intelligence. The tender closes 27 August 2021.

  • in

    Optus and TPG will have some 900MHz 5G spectrum set aside

    Minister for Communications Paul Fletcher has directed the Australian Communications and Media Authority to set aside spectrum for Optus and TPG in the upcoming auction of low-band sub-1GHz spectrum. “This will guarantee these operators the opportunity to acquire 10MHz of 900MHz band spectrum at the auction to support continuity of services. Optus and TPG Telecom rely heavily on their 900MHz holdings for their national mobile networks,” the minister said in a statement.The Australian Competition and Consumer Commission (ACCC) previously said it was worried about the low-band holdings of Optus. “Optus’ ability to compete effectively in the mobile services market will likely be constrained if it does not acquire more sub-1GHz band spectrum in the 850/900MHz allocation,” the competition watchdog wrote in April. “In particular, there is a risk that Optus may not be able to roll out 5G technology widely and efficiently in Australia in the absence of more sub-1GHz spectrum.” At the time, the ACCC was not impressed by the concept of setting aside spectrum. “The recommended allocation limit provides a reasonable opportunity for Optus and TPG to acquire spectrum in the 900MHz band that would enable them to continue to provide existing services,” the ACCC said.

    “The limit also allows a potential price-based allocation process to determine the value that Optus and TPG place on the ability to continue to provide existing services in the band, which is likely to result in a more efficient allocation of spectrum than if a set aside was in place.” Nevertheless, the set aside direction has taken place, as well as Fletcher limiting how much spectrum a single operator can have in the 850MHz and 900MHz bands. In metro areas, the limit will be 40%, or 82MHz, while in regional and remote areas that ceiling will be raised to 45% or 92MHz. The auction is expected to begin in late November or early December. The ministerial decision was welcomed by Optus. “We applaud the minister for standing by what he knows is in the best interests of Australians, despite our largest competitor throwing their massive weight behind a scare campaign to close out competition from regional Australia,” Optus vice president for regulator and public affairs Andrew Sheridan said. “Regional Australians will benefit from continued access to competitive services and choice, an outcome our largest competitor sought to deny. The decision also reflects the considered advice of the independent consumer regulator, the Australian Competition and Consumer Commission, while still cleverly addressing some of the complexities of technical limitations of these bands.” Elsewhere on Monday, NBN announced it would be creating 44 more business fibre zones, which allows businesses to get a full fibre Enterprise Ethernet connection, as well as reduced rates and connection fees. The new zones will cover 60,000 businesses, and be available from September. In NSW, the new zones are: Northern Beaches, Camden, Casino, Cessnock, Hunters Hill, Lithgow, Nelson Bay, Singleton, Wauchope, and Lake Macquarie – West covering Morisset, Toronto, West Wallsend, and Edgeworth. 
Victoria will get zones in Balwyn-Surrey Hills, Bentleigh, Cowes, Eltham, Glenroy, Hampton-Sandringham, Hastings-Tyabb, Melton, Ocean Grove, Rosebud, Tatura, Torquay, and Yarrawonga. Queensland gains Ayr, Dalby, Emerald, Goondiwindi, Hervey Bay, Nambour, North Lakes, Warwick, and Yeppoon. Western Australia receives Cottesloe, Joondalup, Maddington, and Collie. South Australia gets business zones in Goolwa, Modbury, Naracoorte, Port Pirie, and Stirling. Tasmania gets one zone in George Town and Bell Bay, while the ACT will get business fibre in Gungahlin and Tuggeranong. NBN said it will have 284 business fibre zones capable of hooking up 850,000 businesses around the nation.

  • in

    ACCC hauls Telstra, Optus, and TPG to court on alleged misleading NBN FttN speed claims

    The Australian Competition and Consumer Commission (ACCC) began proceedings in Federal Court on Monday against the nation’s three biggest telcos: Telstra, Optus, and TPG. The consumer watchdog is alleging the trio made false representations to consumers over being able to test lines to determine the maximum speed on fibre-to-the-node connections, notify the customer of test results, and offer remedies if a line was performing below the speed the telco sold it as. The ACCC also said it was alleging that the trio “wrongly accepted payments” from customers for NBN plans when they could not receive promised speeds. It has put the number of impacted customers in the “hundreds of thousands” range. The watchdog said the telcos did not have “adequate systems” in place to complete the speed tests, notifications, and remedies process. “Telstra, Optus and TPG each promised to tell consumers within a specific or reasonable timeframe if the speed they were paying for could not be reached on their connection. They also promised to offer them a cheaper plan with a refund if that was the case,” ACCC chair Rod Sims said. “Instead, we allege, they failed to do these things, and as a result many consumers paid more for their NBN plans than they needed to.” The statements made by the telcos were on telco websites and emails from the start of April 2019 to the end of April 2020 for Telstra and TPG, and covering calendar year 2019 for Optus.

    The investigation kicked off after Telstra self-reported parts of its conduct to the ACCC. “It is important that internet providers like Telstra, Optus and TPG give their customers accurate information so they can make an informed choice about the service that best suits their needs and budget,” Sims said. “We are pleased that Telstra, Optus and TPG have promised to compensate consumers even before the court case is finalised.” The ACCC said it would be asking the court for orders including declarations, injunctions, pecuniary penalties, publication orders, and the implementation of compliance programs. TPG said in a statement it would be “making things right” with its impacted customers who never received a maximum attainable speed notice. “For the oversight, we are sorry,” a company spokesperson said. “There were two key contributing factors to this issue. The first was failure by NBN Co to provide timely and accurate speed information to TPG Internet. The second was anomalies in TPG Internet’s legacy processes in place since 2017, and these have been fixed post-merger.” TPG added its intent was not to avoid obligations, and of its 2 million customers, “only a small percentage” did not receive information.

    OAIC opens investigation into Optus White Pages privacy breach

    The Office of the Australian Information Commissioner (OAIC) has opened an investigation into Optus, following concerns the company breached the data of individuals by publishing their information in the White Pages. The OAIC is investigating Singtel Optus Pty Ltd (Optus) under the Privacy Act 1988. It said the investigation follows preliminary inquiries by the OAIC into data breaches involving publication of Optus customer details in the White Pages, when individuals had asked for their details not to be published. “The public disclosure of personal information against the wishes of individuals may have the potential to cause harm,” it wrote.
In 2019, Optus confirmed that customer details were published on Sensis White Pages. Around 50,000 customers were told by the telco that their name, address, mobile, and home phone numbers were published. Optus at the time said around 40,000 were new customers who were already listed. “The majority of the affected customers’ details were already listed with Sensis prior to joining Optus,” a spokesperson told ZDNet at the time. “As a priority, Optus arranged for Sensis to remove customer details from their online website directory, operator-directory assistance, and any future printed editions of directories.” The company said it had “notified and apologised” to impacted customers. The breach was discovered by Optus during a routine audit of 10 million customers. The OAIC accepted an enforceable undertaking from ARC Mercantile back in 2016 following a breach of personal customer data which occurred when an ARC employee posted a spreadsheet of customers owing money to Optus on Freelancer.com. “Optus takes the protection of customer data and privacy seriously,” an Optus spokeswoman told ZDNet in a statement at the time. On Friday, Australian Information Commissioner and Privacy Commissioner Angelene Falk had her post extended for another three years. “Since her appointment in 2018, Ms Falk has effectively led the Office of the Australian Information Commissioner,” a statement from Australia’s Attorney-General said. “She has worked to increase the Australian public’s trust and confidence in the protection of personal information by promoting the understanding of privacy issues and effectively resolving privacy complaints and investigations.”

  • in

    Canberra asks big tech to introduce detection capabilities in encrypted communication

    The Australian government has prepared a set of draft rules that the likes of social media companies will be required to adhere to if they want to provide a service down under. While failure to comply with reporting requirements could see the provider slapped with a AU$555,000 fine, the draft rules also build in encryption-busting expectations. Australia’s eSafety Commissioner from January will have sweeping new powers afforded to her under the Online Safety Act 2020. Such powers include oversight of a new set of Basic Online Safety Expectations (BOSE) that sets out a series of demands for big tech. These expectations will apply to service providers including social media; “relevant electronic service of any kind”, such as messaging apps and games; and other designated internet services, such as websites. Under the proposed Draft Online Safety (Basic Online Safety Expectations) Determination 2021, it is expected the provider would have to take reasonable steps to ensure safe use. This includes the “core” expectation that the provider of the service will take reasonable steps to ensure that end-users are able to use the service in a safe manner. The provider is expected to minimise the availability of cyberbullying material targeted at an Australian child, cyber abuse material targeted at an Australian adult, a non-consensual intimate image of a person, class 1 material, material that promotes abhorrent violent conduct, material that incites abhorrent violent conduct, material that instructs in abhorrent violent conduct, and material that depicts abhorrent violent conduct. The draft also sets out additional expectations, such as that the provider of the service will take reasonable steps to proactively minimise the extent to which material or activity on the service is or may be unlawful or harmful.

    Reasonable steps that could be taken, the document said, could be through the development or implementation of processes to detect, moderate, report, and remove material or activity on the service that is or may be unlawful or harmful. In the case of a service or a component of a service, such as an online app or game, that is used by children, the company must ensure the default privacy and safety settings are robust and set to the most restrictive level. The draft BOSE also designate that those involved in providing the service, such as employees or contractors, are trained in, and are expected to implement and promote, online safety. The company must also continually improve safety in its tech and ensure that assessments of safety risks and impacts are undertaken, and safety review processes are implemented, throughout the design, development, deployment, and post-deployment stages for the service. The rules, however, as currently drafted, mandate that if the service uses encryption, the provider of the service will take reasonable steps to develop and implement processes to detect and address material or activity on the service that is or may be unlawful or harmful. The government also wants providers to prevent anonymous accounts from being used to deal with material, or for activity, that is or may be unlawful or harmful. It proposes the service could have processes that prevent the same person from repeatedly using anonymous accounts to post material, or to engage in activity, that is unlawful or harmful, and introduce the requirements to verify identity or ownership of accounts. Australia’s eSafety Commissioner will have the power to order tech companies to report on how they are responding to these harms and issue fines of up to AU$555,000 for companies and AU$111,000 for individuals if they don’t respond. Also provided under the legislative instrument are expectations regarding reports and complaints. The provider of the service will be required to have clear and readily identifiable mechanisms that enable end-users to report and make complaints about material provided on the service. The companies will be required to keep records of complaints or reports for five years. eSafety will be backed to receive information requests from providers within 30 days around complaints it has received, removal notice compliance, and measures the provider takes to make their space safe. The provider would also be required to appoint a designated contact for the purpose of the Act. The Bill allows the responsible minister, currently Paul Fletcher, to determine the details of these expectations by legislative instrument. The minister may also determine that the expectations apply to specific services. As such, the government has prepared a consultation paper and is accepting submissions until 15 October 2021.

  • in

    Apple child abuse material scanning in iOS 15 draws fire

    On Friday, Apple revealed plans to tackle the issue of child abuse on its operating systems within the United States via updates to iOS 15, iPadOS 15, watchOS 8, and macOS Monterey. The most contentious component of Cupertino’s plans is its child sexual abuse material (CSAM) detection system. It will involve Apple devices matching images on the device against a list of known CSAM image hashes provided by the US National Center for Missing and Exploited Children (NCMEC) and other child safety organisations before an image is stored in iCloud. “Before an image is stored in iCloud Photos, an on-device matching process is performed for that image against the known CSAM hashes. This matching process is powered by a cryptographic technology called private set intersection, which determines if there is a match without revealing the result,” Apple said. “The device creates a cryptographic safety voucher that encodes the match result along with additional encrypted data about the image. This voucher is uploaded to iCloud Photos along with the image.” Once an unstated threshold is reached, Apple will manually look at the vouchers and review the metadata. If the company determines it is CSAM, the account will be disabled and a report sent to NCMEC. Cupertino said users will be able to appeal to have an account re-enabled. Apple is claiming its threshold will ensure “less than a one in one trillion chance per year of incorrectly flagging a given account”. The other pair of features Apple announced on Friday were having Siri and search provide warnings when a user searches for CSAM-related content, and using machine learning to warn children when they are about to view sexually explicit photos in iMessages.

    “When receiving this type of content, the photo will be blurred and the child will be warned, presented with helpful resources, and reassured it is okay if they do not want to view this photo. As an additional precaution, the child can also be told that, to make sure they are safe, their parents will get a message if they do view it,” Apple said. “Similar protections are available if a child attempts to send sexually explicit photos. The child will be warned before the photo is sent, and the parents can receive a message if the child chooses to send it.”
    Plans labelled as a backdoor

    Apple’s plans drew criticism over the weekend, with Electronic Frontier Foundation labelling the features as a backdoor. “If you’ve spent any time following the Crypto Wars, you know what this means: Apple is planning to build a backdoor into its data storage system and its messaging system,” the EFF wrote. “Apple can explain at length how its technical implementation will preserve privacy and security in its proposed backdoor, but at the end of the day, even a thoroughly documented, carefully thought-out, and narrowly-scoped backdoor is still a backdoor.” EFF warned that once the CSAM system was in place, changing the system to search for other sorts of content would be the next step. “That’s not a slippery slope; that’s a fully built system just waiting for external pressure to make the slightest change,” it said. “The abuse cases are easy to imagine: governments that outlaw homosexuality might require the classifier to be trained to restrict apparent LGBTQ+ content, or an authoritarian regime might demand the classifier be able to spot popular satirical images or protest flyers.” The EFF added that with iMessage to begin scanning images sent and received, the communications platform was no longer end-to-end encrypted. “Apple and its proponents may argue that scanning before or after a message is encrypted or decrypted keeps the ‘end-to-end’ promise intact, but that would be semantic manoeuvring to cover up a tectonic shift in the company’s stance toward strong encryption,” the foundation said. Head of WhatsApp Will Cathcart said the Facebook-owned platform would not be adopting Apple’s approach and would instead rely on users reporting material. “This is an Apple built and operated surveillance system that could very easily be used to scan private content for anything they or a government decides it wants to control. Countries where iPhones are sold will have different definitions on what is acceptable,” Cathcart said.
The WhatsApp chief asked how the system would work in China, and what would happen once a spyware crew figured out how to exploit the system. WhatsApp does scan unencrypted imagery — such as profile and group photos — for child abuse material. “We have additional technology to detect new, unknown CEI within this unencrypted information. We also use machine learning classifiers to both scan text surfaces, such as user profiles and group descriptions, and evaluate group information and behavior for suspected CEI sharing,” the company said. Former Facebook CSO Alex Stamos said he was happy to see Apple taking responsibility for the impacts of its platform, but questioned the approach. “They both moved the ball forward technically while hurting the overall effort to find policy balance,” Stamos said. “One of the basic problems with Apple’s approach is that they seem desperate to avoid building a real trust and safety function for their communications products. There is no mechanism to report spam, death threats, hate speech, NCII, or any other kinds of abuse on iMessage.” Instead of its “non-consensual scanning of local photos, and creating client-side ML that won’t provide a lot of real harm prevention”, Stamos said he would have preferred if Apple had robust reporting in iMessage, staffed a child safety team to investigate reports, and slowly rolled out client-side machine learning. The former Facebook security chief said he feared Apple had poisoned the well on client-side classifiers. “While the PRC has been invoked a lot, I expect that the UK Online Safety Bill and EU Digital Services Act were much more important to Apple’s considerations,” he said. Whistleblower Edward Snowden accused Apple of deploying mass surveillance around the globe. “Make no mistake: if they can scan for kiddie porn today, they can scan for anything tomorrow,” he said. 
“They turned a trillion dollars of devices into iNarcs—*without asking.*” Late on Friday, 9to5Mac reported on an internal memo from Apple that contained a note from NCMEC. “We know that the days to come will be filled with the screeching voices of the minority,” NCMEC reportedly said.

  • in

    Why is your identity trapped inside a social network?

    The thing that makes the Internet the Internet is that everything connects. And the reason that everything connects is because almost everything on the Internet has an address. An Ethernet port that connects a computer to the network has what’s called a “MAC” address. A host computer is reachable via an IP address. And servers each have a URL so they can be contacted. All of these forms of address are the result of what are called protocols. Protocols, the central achievement of the Internet, are an agreement about how things will be addressed so that everything can be reached. They are protocols because they are not owned by anyone, they are agreed to by everyone who wants to participate, and they are universal. But human beings don’t have a protocol on the Internet. To the extent that people on the Internet connect to one another as people, it is only via private databases. People only interact to the extent that one party, the owner of that database, allows them to interact. Facebook is the social graph of people’s identities, created and kept inside a private database. Twitter is the information graph of people’s interests, created and kept inside a private database.

    For all intents and purposes, humans don’t exist as individuals on social networks. Their identities are the creation of advertising databases, phantoms of the daydreams of a computer program.
    Tiernan Ray for ZDNet
    The same is true for identities inside of Snap and Pinterest and TikTok and LinkedIn and everywhere else that people’s identities are formed. To the extent that interaction with others — and particularly individual control over those interactions — forms a core part of one’s identity, no one has an identity on the Internet except what is created inside those private social databases. The stakes are high for identity, because Facebook, in particular, but others as well, view identity as the last frontier to replace the Internet with something of their own creation. On Facebook’s Q2 conference call last month, founder and CEO Mark Zuckerberg described what he coined the “metaverse,” a world that sounds like a replacement for the Internet:

    “So what is the metaverse? It’s a virtual environment where you can be present with people in digital spaces. And you can kind of think about this as an embodied Internet that you’re inside of rather than just looking at, and we believe that this is going to be the successor to the mobile Internet. You’re going to be able to access the metaverse from all different devices and different levels of fidelity, from apps on phones and PCs to immersive virtual and augmented reality devices. Within the metaverse, you’re going to be able to hang out, play games with friends, work, create, and more. You’re basically going to be able to do everything that you can on the Internet today as well as some things that don’t make sense on the Internet today like dancing. The defining quality of the metaverse is presence, which is this feeling that you’re really there with another person or in another place. Creation, avatars, and digital objects are going to be central to how we express ourselves. This is going to lead to entirely new experiences and economic opportunities.”

    Just like that, Facebook will redefine connecting to one another as being inside — deep inside — a Facebook reality.

    Given the rather stark prospect of the metaverse as a single Internet controlled by one company, one wonders, Why should it be the case that the open arrangement of the Internet doesn’t extend to the one area of humans’ participation that is arguably most important to each individual, their identity? And by extension, why doesn’t the Internet have a personal protocol to ensure connectivity between people just as it does between computers? The simplest answer is that the people who created the Internet didn’t foresee that it would be used for social activities. They didn’t foresee it, so they didn’t build it. “I totally missed the entire world of social networks,” said Leonard Kleinrock, one of the key inventors of the Internet, in a recent talk via Zoom to a small audience. Kleinrock sent the first packets of data over the Internet from his laboratory at UCLA in 1969. “I was still thinking of computers talking to each other, maybe people talking to computers, but not people talking to people,” Kleinrock reflected. Kleinrock was speaking as the guest in a forum last month, the Collective[i] Forecast, which is organized by Collective[i], which bills itself as “an AI platform designed to optimize B2B sales.” No one, said Kleinrock, in the early days expected anything like social, or even email, which got underway shortly after the first packets were sent, in 1972. “Nobody saw email, nobody saw YouTube, nobody saw the Web, nobody saw peer-to-peer transfer, nobody saw blockchain,” said Kleinrock. “It came in a surprising way, and as soon as it hit, it became contagious, explosive, and very quickly almost dominated the network.”
    As a consequence of that blind spot by Kleinrock and others, the network never developed what might have been a personal protocol. Kleinrock, looking back, regards the lack of built-in authentication of people as one of the failings of the Internet. The Internet, he said, should have built in both file authentication and “strong user authentication.” The latter would make sure that “If you’re talking to me, you’ve got to prove it’s you.” For lack of a protocol, social media stepped in to fill the void. Numerous effects have flowed from that role of social, including many pernicious ones. One bad effect is that social media is an island that exists inside the Internet, a gatekeeper of interconnection. People cannot connect to one another unless they subscribe to a given service. The same presumption of universal connectivity between machines doesn’t exist between people. In fact, the only way for users of a service such as Facebook to alert users of a service such as Twitter, and vice versa, is for both users to back off to a service that is actually open and ubiquitous, email. A larger implication is privacy. Every user of a social network signs on to give vast control over personal information to social media, with potentially disastrous consequences, as seen in the Cambridge Analytica scandal. There is no lever by which an individual can negotiate with social media companies for what they would like as the treatment of their information — precisely because within a social network, a person’s information belongs not to them, but to the operator of that private database. “When’s the last time Facebook asked you what privacy protocol you would like applied to you?” Kleinrock pointed out in his talk.
“Industry is abusing its power right now.” When individuals want to avoid misuse of information, such as rampant cookie tracking, their only hope is that another large corporation, such as Apple, will start a fight with social media, and that the outcome may be to the user’s benefit. The implications of that privacy wormhole stretch far beyond social media. The lack of a personal protocol means every new personal tech gadget is similarly appropriating your personal information without consent. As Shoshana Zuboff writes in The Age of Surveillance Capitalism, Google’s Nest thermostat “comes with a ‘privacy policy,’ a ‘terms-of-service agreement,’ and an ‘end-user licensing agreement’,” each of which gathers all kinds of personal information. “Nest takes little responsibility for the security of the information it collects and none for how the other companies in its ecosystem will put those data to use.” With a personal protocol, it is conceivable users could be given some control in the form of deliberate consent to such terms. A third implication of the lack of a personal protocol is the relative lack of competition in social networks. As seen by the collapse of Google’s Google+ effort, building a competitive social graph to vie with Facebook’s social graph is a losing proposition. Never mind that Twitter is competition for Facebook, and so is Pinterest, and Snap and LinkedIn, etc., and all of them are competing for the same eyeballs. They may have different styles, but they don’t ensure diversity in social. The services all tend toward a certain sameness, a formula meant to shape behavior to sell advertising. Collectively, there is little to no information on social media, and that is a direct consequence of the fact that social media doesn’t have enough competition in the absence of an open protocol. Legislators and regulators have tried to draft legislation to undo the stranglehold of Facebook and the rest on social, but that’s unlikely to achieve much.
A surer form of breaking the oligopoly would be to continue the unfinished business of the Internet. A personal protocol, like every other protocol on the Internet, could allow for multiple different social graphs and interest graphs. Each one would have to solicit the interest of users and bargain for their information. By definition, those users’ information would be portable, since it would belong to them, not to a database. That would allow movement between social networks, which could result in greater diversity and greater connectedness of individuals. The question is whether anything can be done at this point in time, given the enormous momentum behind Facebook and the rest. There have been efforts over the years to develop something like an open social media protocol. For example, the OpenSocial working group was active in the World Wide Web Consortium, the W3C, from 2014 to 2017 as an effort to develop a programming interface by which applications could move between different social networks, known as the Social Web. The effort was ended in early 2018. The social networks that supported OpenSocial, moreover, went away or withered, including Google+ and MySpace. Remember Friendster? Some work on a form of OpenSocial seems to have continued in an open-source effort called the Social Hub and the Fediverse. It appears to be in the hands of a very small group of devotees, with little momentum at present. Newer efforts suggest the appetite is still there for alternatives. The W3C has a federated identity community group that claims it “will both support federated identity and prevent untransparent, uncontrollable tracking of users across the web.” The W3C is also working on something called the Metaverse, which the organization describes as an effort to “bridge virtual worlds by designing and promoting protocols for identity, social graphs, inventory, and more.” It’s totally separate from Zuckerberg’s metaverse.
A third initiative is the portable personal data preferences effort, which seeks to “define a way for users to express preferences regarding the collection, use, and disclosure of their personal information.” Kleinrock, in the same talk at the Collective[i] Forecast, laid out what a social protocol should look like. It would have a heavy emphasis on the control by an individual of their own personal information:

“It should be possible for you to articulate what privacy policy you want. You’d be able to say, in some simple language, not a thirty page document, I don’t want you to take my contact database, I don’t want you to track my behavior on the Web, I’ll allow you to do this and not that. And you get a simple graphical picture as to what you’re allowed. And then the industry group comes and says, this is the privacy policy I’m applying. If it fits, fine. If it doesn’t, you negotiate. If you can’t negotiate, you walk. What I’m asking for is a customized privacy policy for every user. And the industry says, what are you talking about, we can’t afford to have a unique privacy policy for every user. And I say, baloney, they already feed you ads which are perfectly customized to you.”

It sounds simple, but there are major hurdles. One is what’s known as Metcalfe’s Law, coined by Bob Metcalfe, the inventor of Ethernet and a University of Texas at Austin professor of innovation.
    Metcalfe’s Law says that the value of a computer network increases as the square of the number of nodes that it can connect. Metcalfe was talking about nodes as computers, but think of nodes in the case of social media as being people. (In fact, Metcalfe has shown how his Law perfectly describes the exponential growth of social networking.) With 1.91 billion daily users on Facebook, and hundreds of millions of people on all the other social networks, there is a built-in momentum that acts as inertia against a new protocol luring users away from the private databases. That momentum is what Metcalfe refers to as “network effects,” the centrifugal force that keeps participants in a network from leaving. No one has proven that network effects cannot be undone or reversed. However, as Kleinrock said during his forum, there is the additional challenge that changing Internet infrastructure is harder now that the Internet has built into it certain usage patterns and infrastructure dependency. “It’s really hard, when you have billions of people out there, to change a) their behavior; or b) the rules by which they operate or the protocols they use,” said Kleinrock. “The legacy system is huge.” “In the early days of the Arpanet, we had a totally clean sheet. We had it very easy. Now it’s very difficult to make those changes.” Again, the stakes are high. As Metcalfe pointed out during an appearance in another Collective[i] Forecast forum, “It’s my point of view that the most important new fact about the human condition is that we are now connected.” “In fifty years, more than half the human race has gone onto the Internet,” said Metcalfe. “More of us need to focus on studying connectivity per se.” As things stand, humans on the Internet don’t really exist in cyberspace as individuals. They exist as the creation of advertising machines to monetize a manufactured identity by monopolizing information. Humans exist as phantoms, daydreams of a computer program.

  • in

    5G network infrastructure revenue to grow by more than $5 billion in 2021: Gartner

    A new report from Gartner has predicted a revenue growth of 39% for the worldwide 5G network infrastructure market in 2021. The estimated $19.1 billion in revenue will far surpass 2020’s figure of $13.7 billion, according to Gartner. Michael Porowski, senior principal research analyst at Gartner, said the COVID-19 pandemic “spiked demand for optimized and ultrafast broadband connectivity to support work-from-home and bandwidth-hungry applications, such as streaming video, online gaming and social media applications.” “Business and customer demand is an influencing factor in this growth. As consumers return to the office, they will continue to upgrade or switch to gigabit fiber to the home service as connectivity has become an essential remote work service,” said Porowski. “Users will also increasingly scrutinize CSPs for both office and remote work needs.” The shift corresponded with an acceleration in 5G development in 2020 and 2021 thanks to communications service providers (CSPs) in mature markets. Gartner found that 5G accounted for 39% of the total revenue brought in from wireless infrastructure this year. The report also noted that investment in other wireless infrastructure is waning “rapidly” across “all regions” as CSPs shift to 5G small cells. Through increased adoption of dynamic spectrum sharing and millimeter wave base stations, CSPs across North America will reach $4.3 billion in 5G revenue in 2021, up from $2.9 billion last year. CSPs in Western Europe are taking a different tack, focusing on licensing spectrum, modernizing mobile core infrastructure and navigating regulatory processes as they slowly grow 5G revenue from $794 million in 2020 to nearly $2 billion in 2021.

    Gartner added that the Greater China region would still retain its top spot, with $9.1 billion in 2021 through 5G revenue. By 2024, Gartner predicts that 60% of CSPs will provide commercializable 5G services. Gartner researchers also touted the 10-Gigabit-capable symmetric-PON (XGS-PON) technology, which they believe will be used by 60% of the Tier-1 CSPs by 2025.