The wrong end of the stick!

In a typical knee-jerk and censorial reaction, Australia’s Federal Parliament has recently approved legislation that will attempt to ban anyone under the age of 16 from accessing social media.

Knee-jerk, because the legislative process was rushed, with barely a 24-hour public consultation period. The policy itself was only aired less than 6 months earlier, and was not part of the Labor Government’s election manifesto in 2022.

Censorial, because Australia has a long history of heavy-handed censorship. I still recall when I lived in Adelaide in 1970 (aged 10), broadcasts of the children’s TV series “Do Not Adjust Your Set” were accompanied by a “Mature Audience” rating – the same series which I had watched when it was first broadcast in the UK in 1967 during the tea-time slot!

As yet another example of government not understanding technology, the implementation details have been left deliberately vague. At its simplest, the technology companies behind the world’s most popular social media platforms (to be defined) will be responsible for compliance, while enforcement will likely come from the eSafety Commissioner (to be confirmed).

The Commissioner herself was somewhat critical of the new policy on its announcement, but has since “welcomed” the legislation, albeit with significant caveats.

From the perspective of both technology and privacy, the legislation is a joke. Whatever tools are going to be used, there will be ways around them (VPN, AI image filters…). And if tech companies are going to be required to hold yet more of our personal data, they just become a target for hackers and other malicious actors (cf. the great Optus data breach of 2022).

Even the Australian Human Rights Commission has been equivocal in showing any support for (or criticism of) the new law. While the “pros” may seem laudable, they are very generic and can be achieved by other, more specific and less onerous means. As for the “cons”, they are very significant, with serious implications and unintended consequences for personal privacy and individual freedoms.

Of course, domestic and international news media are taking a keen interest in Australia’s policy. The Federal Government is used to picking fights with social media companies (on paying for news content), tobacco giants (on plain packaging) and the vaping industry (restricting sales via pharmacies only), so is probably unconcerned about its public image abroad. And while some of this interest attempts to understand the ban and its implications (here and overseas), others, such as Amnesty International, have been more critical. If anything, the ban will likely have a negative impact on Australia’s score for internet freedom, as assessed by Freedom House.

The aim of reducing, mitigating or removing “harm” experienced on-line is no doubt an admirable cause. But let’s consider the following:

  • On-line platforms such as social media are simply reflections of the society we live in. Such ills are not unique or limited to Facebook and others. Surely it would be far better to examine and address the root causes of such harms (and their real-world manifestations) rather than some of the on-line outcomes? This feels like a band-aid solution – totally inappropriate, based on the wrong diagnosis.
  • When it comes to addressing on-line abuse and bullying, our politicians need to think about their own behaviour. Their Orwellian use of language, their Parliamentary performances, their manipulation of the media for personal grandstanding, and their “calling out” of anything that does not accord with their own political dogma (while downplaying the numerous rorts, murky back-room deals and factional conflicts that pass for “party politics”). I can’t help thinking that the social media ban is either a deflection from their own failings, or a weird mea culpa where everyone else is having to pay the price for Parliamentary indiscretions.
  • A blanket “one size fits all” ban fails to recognise that children and young people mature and develop at different rates. Why is 16 seen as the magic age? (There are plenty of “dick heads” in their 20s, 30s, 40s etc. who get to vote, drive, reproduce and stand for public office, as well as post on social media…) From about the age of 12, I started reading books that would probably be deemed beyond my years. As a consequence, I by-passed young adult fiction, because much of it was naff in my opinion. Novels such as “Decline and Fall”, “A Clockwork Orange” or “The Drowned World” were essential parts of my formative reading. And let’s remember that as highly critical and critically acclaimed works of fiction, they should neither be regarded as the individual views of their authors, nor should they serve as life manuals for their readers. The clue is in the word “fiction”.
  • Children and young people can gain enormous benefits from using social media – connecting with family and friends, finding people with like-minded interests, getting tips on hobbies and sports, researching ideas and information for their school projects, learning about other communities and countries, even getting their daily news. Why deny them access to these rich resources, just because the Federal Government has a dearth of effective policies on digital platforms, and can’t figure a way of curbing the harms without taking away the benefits (or imposing more restrictions) for everyone else?
  • In another area of social policy designed to address personal harm, Governments are engaging with strategies such as pill-testing at music festivals, because in that example, they know that an outright ban on recreational drugs is increasingly ineffective. Likewise, wider sex, drug and alcohol education for children and young people. Draconian laws like the under-16 social media ban can end up absolving parents, teachers and other community leaders from their own responsibilities for parenting, education, civic guidance and instilling a sense of individual accountability. So perhaps more effort needs to go into helping minors in how they navigate social media, and improving their resilience levels when dealing with unpleasant stuff they are bound to encounter. Plus, making all social media users aware that they are personally responsible for what they post, share and like. Just as we shouldn’t allow our kids to cycle out on the street without undertaking some basic road safety education, I’d rather see children becoming internet savvy from an early age – not just against on-line bullying, but to be alert to financial scams and other consumer traps.
  • Finally, the new Australian legislation was introduced by the Labor Government, and had support from the Liberal Opposition, but not much from the cross-benches in the Senate. So it’s hardly a multi-partisan Act despite the alleged amount of public support expressed. It may even be pandering to the more reactionary elements in our society – such as religious fundamentalists and social conservatives. For example, banning under-16s from using social media could prevent them from seeking help and advice on things like health and reproductive rights, forced marriage, wage theft, coercive relationships and domestic violence. Just some of the unintended consequences likely to come as a result of this ill-considered and hastily assembled piece of legislation.

Digital Identity – Wallets are the key?

A few months ago, I wrote about trust and digital identity – the issue of who “owns” our identity, and why the concept of “self-sovereign digital identity” can help resolve problems of data security and data privacy.

The topic was aired at a recent presentation made by FinTech advisor, David Birch (hosted at Novatti) to an audience of Australian FinTech, Blockchain and identity experts.

David’s main thesis is that digital wallets will sit at the centre of the metaverse – linking web3 with digital assets and their owners. Wallets will not only be the “key” to transacting with digital assets (tokens), but proving “identity” will confirm “ownership” (or “control”) of wallets and their holdings.

The audience felt that in Australia, we face several challenges to the adoption of digital identity (and by extension, digital wallets):

1. Lack of common technical standards and lack of interoperability

2. Poor experience of government services (the nightmare that is myGov…)

3. Private sector complacency and the protected incumbency of oligopolies

4. Absence of incentives and overwhelming inertia (i.e., why move ahead of any government mandate?)

The example was given of a local company that has built digital identity solutions for consumer applications – but apparently, can’t attract any interest from local banks.

A logical conclusion from the discussion is that we will maintain multiple digital identities (profiles) and numerous digital wallets (applications), for different purposes. I don’t see a problem with this as long as individuals get to decide who, where, when and for how long third parties get to access our personal data, and for what specific purposes.

Next week: Defunct apps and tech projects

Trust in Digital IDs

Or: “Whose identity is it anyway?”

Over the past few years, there have been a significant number of serious data breaches among banks, utilities, telcos, insurers and public bodies. As a result, hackers are able to access the confidential data and financial records of millions of customers, leading to ransomware demands, wide dissemination of private information, identity theft, and multiple phishing attempts and similar scams.

What most of these hacks reveal is the vulnerability of centralised systems as well as the unnecessary storage of personal data – making these single points of failure a target for such exploits. Worse, the banks and others seem to think they “own” this personal data once they have obtained it, as evidenced by the way they (mis)manage it.

I fully understand the need for KYC/AML, and the requirement to verify customers under the 100 Points of Identification system. However, once I have been verified, why does each bank, telco and utility company need to keep copies or records of my personal data on their systems? Under a common 100 Points verification process, shouldn’t we have a more efficient and less vulnerable system? If I have been verified by one bank in Australia, why can’t I be automatically verified by every other bank in Australia (e.g., if I wanted to open an account with them), or indeed any other company using the same 100 Points system?

Which is where the concept of Self-Sovereign Identity comes into play. This approach should mean that with the 100 Points system, even if initially I need to submit evidence of my driver’s license, passport or birth certificate, once I have been verified by the network I can “retrieve” my personal data (revoke the access permission), or specify with each party on the network how long they can hold my personal data, and for what specific purpose.

This way, each party on the network does not need to retain a copy of the original documents. Instead, my profile is captured as a digital ID that confirms who I am, and confirms that I have been verified by the network; it does not require me to keep disclosing my personal data to each party on the network. (There are providers of Digital ID solutions, but because they are centralised, and unilateral, we end up with multiple and inconsistent Digital ID systems, which are just as vulnerable to the risk of a single point of failure…)

But of course, banks etc. insist that not only do they have to ask for 100 Points of ID each and every time I open an account, they are required to retain copies or digital versions of my personal data. Hence, we should not be surprised by the number of data hacks we keep experiencing.

The current approach to identity in banking, telcos and utilities is baffling. Just a few examples I can think of:

1. In trying to upgrade my current mobile phone plan with my existing provider, I had to re-submit personal information via a mobile app (and this is a telco that experienced a major hack last year, resulting in me having to apply for a new driver’s license). If I have already been verified, why the need to ask for my personal data again, and via a mobile app?

2. I’ve lived at my current address for more than 5 years. I still receive bank statements intended for the previous occupant. I have tried on numerous occasions to inform the bank that this person is no longer living here. I’ve used the standard “Return to Sender” method, and tried to contact the bank direct, but because I am not the named account addressee or authorised representative, they won’t talk to me. Fair enough. But, the addressee is actually a self-managed superannuation fund. Given the fallout from the Banking Royal Commission, and the additional layers of verification, supervision and audit that apply to such funds, I’m surprised that this issue has not been picked up by the bank concerned. It’s very easy to look up the current registered address of an SMSF via the APRA website, if only the bank could be bothered to investigate why the statements keep getting returned.

3. I have been trying to remove the name of a former director as a signatory to a company bank account. The bank kept asking for various forms and “proof” that this signatory was no longer a director and no longer authorised to access the account. Even though I have done this (and had to pay for an accountant to sign a letter confirming the director has resigned their position), if the bank had bothered to look up the ASIC company register, they would see that this person was no longer a company officer. Meanwhile, the bank statements keep arriving addressed to the ex-director. Apparently, the bank’s own “systems” don’t talk to one another (a common refrain when trying to navigate legacy corporate behemoths).

In each of the above, the use of a Digital ID system would streamline the process for updating customer records, and reduce the risk of data vulnerabilities. But that requires effort on the part of the entities concerned – clearly, the current fines for data breaches and for misconduct in financial services are not enough.

Next week: AI vs IP

Monash University Virtual Demo Day

Last week I was invited to participate in a Virtual Demo Day for students enrolled in the Monash University Boot Camp, for the FinTech, Coding and UX/UI streams. The Demo Day was an opportunity for the students to present the results of their project course work and to get feedback from industry experts.

While not exactly the same as a start up pitch night, each project presented a defined problem scenario, as well as the proposed technical and design solution – and in some cases, a possible commercial model, but this was not the primary focus. Although the format of the Demo Day did not enable external observers to see all of the dozen-plus projects, overall it was very encouraging to see a university offer this type of practical learning experience.

Skills-based and aimed at providing a pathway to a career in ICT, the Boot Camp programme results in a Certificate of Completion – but I hope that undergraduates have similar opportunities as part of their bachelor degree courses. The emphasis on ICT (Cybersecurity and Data Analytics form other streams) is partly in response to government support for relevant skills training, and partly to help meet industry requirements for qualified job candidates.

Industry demand for ICT roles is revealing a shortage of appropriate skills among job applicants, no doubt exacerbated by our closed international borders, and a downturn in overseas students and skilled migration. This shortage is having a direct impact on recruitment and hiring costs, as this recent Tweet by one of my friends starkly reveals: “As someone who is hiring about 130 people right now, I will say this: Salaries in tech in Australia are going up right now at a rate I’ve never seen.” So nice work if you can get it!

As for the Demo Day projects themselves, these embraced technology and topics across Blockchain, two-sided marketplaces, health, sustainability, music, facilities management, career development and social connectivity.

The Monash Boot Camp courses are presented in conjunction with Trilogy Education Services, a US-based training and education provider. From what I can see online, this provider divides opinion as to the quality and/or value for money that their programmes offer – there seems to be a fair number of advocates and detractors. I can’t comment on the course content or delivery, but in terms of engagement, my observation is that the students get good exposure to key tech stacks, learn some very practical skills, and they are encouraged to follow up with the industry participants. I hope all of the students manage to land the type of opportunities they are seeking as a result of completing their course.

Next week: Here We Go Again…