Chris Culnane

About

I am a Lecturer in the School of Computing and Information Systems at the University of Melbourne.

I completed my PhD at the University of Surrey, before continuing as a Research Fellow there for 6 years. In May of 2016 I moved to Melbourne, Australia, to take up a Research Fellow position at the University of Melbourne.

During my time at Surrey I was the technical lead on the SuVote project to design, develop, and deploy an end-to-end verifiable electronic voting system in the 2014 state election in the State of Victoria, Australia. The entire system has been made open source and all documents relating to the design have been publicly released. Further details on my work in electronic voting and the SuVote project are below.

More recently I was part of the team that discovered weaknesses in the anonymisation of the Australian Government MBS/PBS dataset release. The dataset consisted of a 10% sample of Australian Medicare billing records over a 30 year period.

Research Interests

My research interests are focussed around information security, with a particular interest in verifiable electronic voting. My research is generally applied, and I am particularly interested in the implementation of secure systems that take theory and put it into practice.

More recently I have been working in Data Privacy, looking at the weaknesses of de-identification and the related problem of re-identification.

Previously I have taken an interest in Augmented Reality an how it can be used to improve engagement in the arts. I have been involved in a number of projects, including the development of an Augmented Reality Android App for use in Art Galleries and to display light drawings within an outdoor art installation.

My PhD was in digital watermarking, in particular the watermarking of text documents in a manner that was robust to printing and scanning. I developed a watermarking technique that would allow the authentication of documents after being printed out and than scanned back in. I maintain an interest in this area as well.

A full list of my publications is available on Google Scholar

Further details about my areas of research are available below:

• Electronic Voting
• Data Privacy
• Applied Crypto

Electronic Voting

My research in verifiable electronic voting has contributed to the development of an end-to-end verifiable election system. The design, development, testing and integration of that system constituted a two and a half year project, for which I was the technical lead. It culminated in the deployment of the system in the 2014 State Election in the State of Victoria, Australia. The entire system is open source and available from: https://bitbucket.org/tvsproject.

In 2016 I made a submission to the Victorian State Parliament Electoral Matters Committee Inquiry into Electronic Voting, and appeared as a witness before the committee. I was also part of a joint submission to, and appeared before as a witness, the Federal Joint Standing Committee on Electoral Matters inquiry into the Australian Federal Election 2016.

Data Privacy

Recent work with Ben Rubinstein and Vanessa Teague has looked at weaknesses in the de-identification of datasets, in particular the MBS/PBS dataset released by Department of Health. Further details of our work is available, along with analysis of some of the fallout (Op-ed), and our submission to the Senate Inquiry into the proposed Re-Identification amendment to the Privacy Act.

We also made a submission to the Productivity Commission's Inquiry into Data Availability and Use.

I am continuing to work in this area, with a number of active projects

Applied Crypto

I've created a repository containing an open source framework for developing and understanding threshold cryptographic protocols. It contains an abstract communication and storage framework, as well as a protocol framework, to allow new and existing protocols to be rapidly prototyped, without needing to spend time implementing communication and storage classes. It is still very much a work in progress, and as such should not be used for production systems.

A publicly accessible ShareLaTex document provides descriptions of the currently implemented protocols. A further document describes the communication framework.

In the media

Some links to media stories covering our research:

• Data Privacy
  • Deanonymisation of MBS/PBS release: Our release
    • Department of Health Press Release
    • The Register
    • The Guardian
    • IT News
    • ABC News
    • Computer World
    • The Age
    • CSO
    • Huffington Post
    • Gizmodo
    • ZDNet
    • The Saturday Paper
  • Privact Act - Re-identification Amendment Our Response, Our SMH Op-ed, Our Submission to Senate Inquiry
    • Press Release from Attorney General
    • The Register
    • ZDNet
    • Crikey (Paywall)
    • Computer World
    • The Register
• Electronic Voting
  • Australian Senate Electronic Counting Our release
    • The Register
  • vVote - Verifiable Electronic Voting in Victoria Press release
    • Computer World

Engagement

As part of our work we have performed a number of engagement activites, including talks, seminars, expert panels, and consultancy. Further details of these activies are below.

Seminar on MBS/PBS Re-Identification - Open Knowledge Melbourne

We gave a seminar for Open Knowledge Melbourne on the issues surround de-identification and re-identification, following the MBS/PBS re-identification. The seminar also covered the challenges of protecting privacy when making data open.

Submissions to Inquiries

I have been a part of the following submissions to State and Federal Inquiries:

• submission to the Senate Inquiry into the proposed Re-Identification amendment to the Privacy Act.
• submission to the Productivity Commission's Inquiry into Data Availability and Use.
• submission to, and appeared before as a witness, the Federal Joint Standing Committee on Electoral Matters inquiry into the Australian Federal Election 2016.
• submission to the Victorian State Parliament Electoral Matters Committee Inquiry into Electronic Voting, and appeared as a witness before the committee.

Transport for NSW

We were tasked with reviewing the de-identification protocol for the Transport for NSW Opal data release. Our report is available to download from arXiv.

Projects

The following are a current list of possible student projects:

Distributed Personal Data Storage

Exploring and building a proof of concept for a distributed personal data storage system. Such systems are being proposed as a way of improving privacy by redefining the problem from data sharing to data access, empowering the user to have fine grained control of the consent and usage of their data via a user friendly platform. There are a number of open questions in this space:

• How can fine grained consent be obtained from a user without overwhelming them?
• How can legally required access, e.g. ATO access to tax data, be maintained whilst still providing user control?
• How to design and implement a general secure storage mechanism, permitting storage of all different types of data, which also allows distributed access in an efficient and secure manner?

• Solid
• diaspora*
• openpds

Evaluating Re-Identification Risk

Many datasets are released as de-identified data, however, numerous examples have shown the fragility of the de-identification process. This project aims to look at how de-identified datasets can be automatically evaluated to provide a more accurate calculation of re-identification risk. Whilst conceptually simple, it rapidly becomes computationally infeasible in large datasets. This project will look at evaluating ways of approximating the risk and building tools to calculate it.
Further Reading:

• Broken Promises of Privacy:Responding to the Surprising Failure of Anonymization
• Health Data in an Open World