I am an independent researcher and cyber security & privacy consultant, currently based in the UK. Up until the end of 2019 I was a lecturer in cyber security & privacy at the University of Melbourne.

I am an Honorary Fellow in the School of Computing and Information Systems at the University Melbourne, Australia, and a Visiting Lecturer in the Department of Computing at the University of Surrey, UK.

I occasionally blog at StateOfIt.com

I completed my PhD at the University of Surrey, before continuing as a Research Fellow there for 6 years. In May of 2016 I moved to Melbourne, Australia, to take up a Research Fellow position at the University of Melbourne, subsequently becoming a Lecturer in November 2017.

During my time at Surrey I was the technical lead on the SuVote project to design, develop, and deploy an end-to-end verifiable electronic voting system in the 2014 state election in the State of Victoria, Australia. The entire system has been made open source and all documents relating to the design have been publicly released. Further details on my work in electronic voting and the SuVote project are below.

More recently my research has focussed on Data Privacy and Cyber Security. Some key outputs are:

Key Outputs

Tracking, tracing, trust: contemplating mitigating the impact of COVID-19 through technological interventions

Preprint paper with (Kobi Leins and Ben Rubinstein) on some of the issues with contact tracing apps and how they fit within privacy and legal requirements.

Misconceptions in Privacy Protection and Regulation

A paper with Kobi Leins for Law in Context on the misconceptions in privacy protection and regulation. Looking at how incorrect definitions are contributing to the repeated failures of de-identification. We show why the definitions that are widely used in both official advice and academic papers, are incorrect, and this error leads to incorrect evaluation of privacy protection, leading to often trivially easy re-identification in longitudinal data sets.

Myki Re-Identification

In mid 2018, Public Transport Victoria (PTV) released a data set containing the touch-on and touch-off events for 15 million de-identified Myki cards, Melbourne’s contactless smart card ticketing system.

We (myself, Ben Rubinstein, and Vanessa Teague) were able to re-identify ourselves, a co-traveller and a member of the Victorian Parliament.

MBS/PBS Re-Identification

In 2016, the Australian Federal Government released a 10\% sample of Australia's Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Scheme (PBS) billing records. The data set consisted of the full 30 year records for 10\% of the population.

We (myself, Ben Rubinstein and Vanessa Teague) demonstrated the weaknesses in the de-identification of the dataset by initially recovering SupplierIDs, and subsequently showed the risk of patient re-identification as well.

FinFuture White Paper

In 2019 I was part of a University of Melbourne team that wrote the FinFuture White Paper, which examined the future of personal finance in Australia. Covering everything from regulation of the sector through data privacy and automatic decision making.

Options paper for encoding names for data linking at the Australian Bureau of Statistics

In 2016 the ABS publicly said it would use a cryptographic hash function to convert names collected in the 2016 Census of Population and Housing into an unrecognisable value in a way that is not reversible. In 2016, the ABS engaged the University of Melbourne (myself, Ben Rubinstein, and Vanessa Teague) to provide expert advice on cryptographic hash functions to meet this objective.

Vulnerabilities in the use of similarity tables in combination with pseudonymisation to preserve data privacy in the UK Office for National Statistics' Privacy-Preserving Record Linkage

In the course of a survey of privacy-preserving record linkage, we (myself, Ben Rubinstein, and Vanessa Teague) reviewed the approach taken by the UK Office for National Statistics (ONS) as described in their series of reports "Beyond 2011". Our review identifies a number of matters of concern. Some of the issues discovered are sufficiently severe to present a risk to privacy.

Research Interests

My research interests are focussed around information security, with a particular interest in verifiable electronic voting. My research is generally applied, and I am particularly interested in the implementation of secure systems that take theory and put it into practice.

More recently I have been working in Data Privacy, looking at the weaknesses of de-identification and the related problem of re-identification.

Previously I have taken an interest in Augmented Reality an how it can be used to improve engagement in the arts. I have been involved in a number of projects, including the development of an Augmented Reality Android App for use in Art Galleries and to display light drawings within an outdoor art installation.

My PhD was in digital watermarking, in particular the watermarking of text documents in a manner that was robust to printing and scanning. I developed a watermarking technique that would allow the authentication of documents after being printed out and than scanned back in. I maintain an interest in this area as well.

A full list of my publications is available on Google Scholar

Data Privacy

My research in data privacy covers the theory, application, and legal context. Including:

This continues to be my primary area of research as an independent researcher, with a number of projects ongoing.

Electronic Voting

My research in verifiable electronic voting has contributed to the development of an end-to-end verifiable election system. The design, development, testing and integration of that system constituted a two and a half year project, for which I was the technical lead. It culminated in the deployment of the system in the 2014 State Election in the State of Victoria, Australia. The entire system is open source and available from: https://bitbucket.org/tvsproject.

In 2016 I made a submission to the Victorian State Parliament Electoral Matters Committee Inquiry into Electronic Voting, and appeared as a witness before the committee. I was also part of a joint submission to, and appeared before as a witness, the Federal Joint Standing Committee on Electoral Matters inquiry into the Australian Federal Election 2016.

In 2017 we (myself, Mark Eldridge, Aleksander Essex, and Vanessa Teague) investigated the trust implications of running internet voting systems through TLS Proxies, as occurred in the 2017 State Election in Western Australia. Our paper is available on ArXiv.

Applied Crypto

I've created a repository containing an open source framework for developing and understanding threshold cryptographic protocols. It contains an abstract communication and storage framework, as well as a protocol framework, to allow new and existing protocols to be rapidly prototyped, without needing to spend time implementing communication and storage classes. It is still very much a work in progress, and as such should not be used for production systems.

A publicly accessible ShareLaTex document provides descriptions of the currently implemented protocols. A further document describes the communication framework.


Some links to media stories covering our research:

Get In Touch

The easiest way to get in touch with me is via email:  website@culnane.org