About
I am an independent researcher and cyber security & privacy consultant, currently based in the UK. Up until the end of 2019 I was a lecturer in cyber security & privacy at the University of Melbourne.
I am an Honorary Fellow in the School of Computing and Information Systems at the University Melbourne, Australia, and a Visiting Lecturer in the Department of Computing at the University of Surrey, UK.
I occasionally blog at StateOfIt.com
I completed my PhD at the University of Surrey, before continuing as a Research Fellow there for 6 years. In May of 2016 I moved to Melbourne, Australia, to take up a Research Fellow position at the University of Melbourne, subsequently becoming a Lecturer in November 2017.
During my time at Surrey I was the technical lead on the SuVote project to design, develop, and deploy an end-to-end verifiable electronic voting system in the 2014 state election in the State of Victoria, Australia. The entire system has been made open source and all documents relating to the design have been publicly released. Further details on my work in electronic voting and the SuVote project are below.
More recently my research has focussed on Data Privacy and Cyber Security. Some key outputs are:
- Preprint short article on Contact Tracing Apps for the Medical Journal of Australia
- Law in Context: Misconceptions in Privacy Protection
- Re-Identification of the Myki data release consisting of smart ticketing records in Victoria, Australia
- Re-Identification of the Australian Government MBS/PBS dataset release.
- FinFuture White Paper on the future of personal finance in Australia
- Options paper for the Australian Bureau of Statistics
- Vulnerabilities in the use of similarity tables in combination with pseudonymisation to preserve data privacy in the UK Office for National Statistics' Privacy-Preserving Record Linkage
Key Outputs
Tracking, tracing, trust: contemplating mitigating the impact of COVID-19 through technological interventions
Preprint paper with (Kobi Leins and Ben Rubinstein) on some of the issues with contact tracing apps and how they fit within privacy and legal requirements.
- Preprint on the Medical Journal of Australia
Misconceptions in Privacy Protection and Regulation
A paper with Kobi Leins for Law in Context on the misconceptions in privacy protection and regulation. Looking at how incorrect definitions are contributing to the repeated failures of de-identification. We show why the definitions that are widely used in both official advice and academic papers, are incorrect, and this error leads to incorrect evaluation of privacy protection, leading to often trivially easy re-identification in longitudinal data sets.
- Open Access Paper available from Law in Context
Myki Re-Identification
In mid 2018, Public Transport Victoria (PTV) released a data set containing the touch-on and touch-off events for 15 million de-identified Myki cards, Melbourne’s contactless smart card ticketing system.
We (myself, Ben Rubinstein, and Vanessa Teague) were able to re-identify ourselves, a co-traveller and a member of the Victorian Parliament.
- A summary article is available on the Pursuit
- A more detailed academic write-up is available on ArXiv
MBS/PBS Re-Identification
In 2016, the Australian Federal Government released a 10\% sample of Australia's Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Scheme (PBS) billing records. The data set consisted of the full 30 year records for 10\% of the population.
We (myself, Ben Rubinstein and Vanessa Teague) demonstrated the weaknesses in the de-identification of the dataset by initially recovering SupplierIDs, and subsequently showed the risk of patient re-identification as well.
- A summary article is available from Pursuit
- A follow-up article on the fallout, also on Pursuit
- Our Op-ed
- Our submission to the Senate Inquiry into the proposed Re-Identification amendment to the Privacy Act.
FinFuture White Paper
In 2019 I was part of a University of Melbourne team that wrote the FinFuture White Paper, which examined the future of personal finance in Australia. Covering everything from regulation of the sector through data privacy and automatic decision making.
- Summary article of Data and Privacy issues on Pursuit
- White Paper and Consumer Research available from The White Paper is available from the University of Melbourne
Options paper for encoding names for data linking at the Australian Bureau of Statistics
In 2016 the ABS publicly said it would use a cryptographic hash function to convert names collected in the 2016 Census of Population and Housing into an unrecognisable value in a way that is not reversible. In 2016, the ABS engaged the University of Melbourne (myself, Ben Rubinstein, and Vanessa Teague) to provide expert advice on cryptographic hash functions to meet this objective.
- Full Report on ArXiv
Vulnerabilities in the use of similarity tables in combination with pseudonymisation to preserve data privacy in the UK Office for National Statistics' Privacy-Preserving Record Linkage
In the course of a survey of privacy-preserving record linkage, we (myself, Ben Rubinstein, and Vanessa Teague) reviewed the approach taken by the UK Office for National Statistics (ONS) as described in their series of reports "Beyond 2011". Our review identifies a number of matters of concern. Some of the issues discovered are sufficiently severe to present a risk to privacy.
- Full Report on ArXiv
Research Interests
My research interests are focussed around information security, with a particular interest in verifiable electronic voting. My research is generally applied, and I am particularly interested in the implementation of secure systems that take theory and put it into practice.
More recently I have been working in Data Privacy, looking at the weaknesses of de-identification and the related problem of re-identification.
Previously I have taken an interest in Augmented Reality an how it can be used to improve engagement in the arts. I have been involved in a number of projects, including the development of an Augmented Reality Android App for use in Art Galleries and to display light drawings within an outdoor art installation.
My PhD was in digital watermarking, in particular the watermarking of text documents in a manner that was robust to printing and scanning. I developed a watermarking technique that would allow the authentication of documents after being printed out and than scanned back in. I maintain an interest in this area as well.
A full list of my publications is available on Google Scholar
Data Privacy
My research in data privacy covers the theory, application, and legal context. Including:
- The practical implementation of privacy protection techniques
- Privacy pen testing - evaluating data sets for re-identification risk prior to, and after release
- The legal context in which privacy protection techniques operate
This continues to be my primary area of research as an independent researcher, with a number of projects ongoing.
Electronic Voting
My research in verifiable electronic voting has contributed to the development of an end-to-end verifiable election system. The design, development, testing and integration of that system constituted a two and a half year project, for which I was the technical lead. It culminated in the deployment of the system in the 2014 State Election in the State of Victoria, Australia. The entire system is open source and available from: https://bitbucket.org/tvsproject.
In 2016 I made a submission to the Victorian State Parliament Electoral Matters Committee Inquiry into Electronic Voting, and appeared as a witness before the committee. I was also part of a joint submission to, and appeared before as a witness, the Federal Joint Standing Committee on Electoral Matters inquiry into the Australian Federal Election 2016.
In 2017 we (myself, Mark Eldridge, Aleksander Essex, and Vanessa Teague) investigated the trust implications of running internet voting systems through TLS Proxies, as occurred in the 2017 State Election in Western Australia. Our paper is available on ArXiv.
Applied Crypto
I've created a repository containing an open source framework for developing and understanding threshold cryptographic protocols. It contains an abstract communication and storage framework, as well as a protocol framework, to allow new and existing protocols to be rapidly prototyped, without needing to spend time implementing communication and storage classes. It is still very much a work in progress, and as such should not be used for production systems.
A publicly accessible ShareLaTex document provides descriptions of the currently implemented protocols. A further document describes the communication framework.
Media
Some links to media stories covering our research:
- Data Privacy
- Deanonymisation of MBS/PBS release: Our release
- Privacy Act - Re-identification Amendment Our Response, Our SMH Op-ed, Our Submission to Senate Inquiry
- Electronic Voting
- Australian Senate Electronic Counting Our release
- vVote - Verifiable Electronic Voting in Victoria Press release
Get In Touch
The easiest way to get in touch with me is via email: website@culnane.org