Updates from Paul Spain
NZ COVID Tracer app: Going Soft, Going Late?

Last night the NZ COVID Tracer app was released on Apple’s App Store and the Google Play store (for Android). Naturally I installed it and took a look around.

Firstly, let’s just say that I’m really pleased that the Ministry of Health has decided to support having contact tracing technology in the hands of citizens in the form of the NZ COVID Tracer app. However, if I look critically at the app, there are some aspects that are disappointing:

  • Initial functionality is limited to scanning a QR code at premises you visit – however, none of around 20 destinations I checked with this afternoon were displaying a QR code compatible with the app. Those I asked advised they’d not heard from any government entity (Ministry of Health or Ministry of Business, Innovation & Employment) regarding getting registered with a QR code for the app.
  • There is no functionality to manually document locations you’ve visited – for instance those without a QR code, or those you visited before installing the app (this seems essential for an app that is being promoted as keeping a record of the places you go)
  • The app is buggy right now (I experienced issues with signup and with logging into the app)
  • The app isn’t available for those who have their app store login linked to other countries (unlike most NZ banking apps, etc which can be downloaded even if your account is linked to the United States Google Play store for instance)
  • There’s no Bluetooth tracking capability as used in apps installed by millions of people in Australia and Singapore. As Singapore shared details of how they did this a long time ago and Australia delivered this weeks ago it should have been easy to incorporate it from the get go rather than offering up an indication this will come in June.

To sum up this app release, it doesn’t seem to line up with the “Going hard and going early” approach the government has touted – it feels a little more like: “Going soft and going late.”

There is enough to make the initial app useful soon and it will no doubt be downloaded by a lot of people. Plus, it’s fair to say that apps in other countries haven’t been as successful as many hoped they would be, so New Zealand coming late to the game has an advantage of learning from shortcomings elsewhere.

Fortunately, apps can be quickly modified, improved and updated. I am trusting that the Ministry of Health has just got this initial version of the NZ COVID Tracer app into the hands of the public after a short development cycle with the goal of improving it rapidly over the days and weeks ahead.

Ransomware – it is rapidly getting nastier

Ransomware is a form of malware or computer virus that demands a ransom from its target – and unfortunately for everyone but the cyber criminals – its impact is increasing – both in New Zealand, and around the world.

In the past, the cyber criminals behind ransomware might block access to your data if you didn’t pay up, though with a recent enough backup you could avoid paying the ransom. In recent months, however, the ransoms have shot through the roof and some cyber criminals will release your private data to the world if you refuse to pay the ransom in the timeframe they demand.

Most ransomware victims are small businesses, with it recently suggested that 1 in 5 small businesses have been hit. So why are so many organisations getting hit with ransomware? I think it comes down to apathy: there’s a feeling that “it won’t happen to us” within a lot of firms who refuse to invest in cyber security. It reminds me of the early days of PCs and Macs, when most people didn’t back up their data. But slowly that changed as everyone had an incident where they lost something important, and from that point on, they started taking backups seriously.

When I first started raising concerns about Ransomware publicly about 7 years ago, most organisations that were hit would receive a ransom demand of perhaps a few hundred dollars. In recent months those paying ransoms have seen their average pay out pass $180,000. This is around 10 times what it was at the beginning of 2019.

Add to that examples such as ExecuPharm, who had their confidential and private data leaked to the internet (everything from emails to drivers license numbers and credit card details) following a ransomware attack, and the impact of getting hit by cyber criminals is getting nastier by the day.

What should a Small Business in New Zealand do?

If you’re not sure how secure your organisation is then now might be exactly the time to get a Cyber Security audit so you can minimise the risks. In the immediate term, have your IT team review:

  • Security surrounding any remote access to your network
  • How up-to-date your software is
  • Your password security (is anybody using the same password on more than one system?) and use of multifactor authentication (much the same as what your bank demands)

If you’re not sure of your security state, then consider investing in a Cyber Security audit – a basic cyber security audit can run as low as $1500 for a small business in New Zealand.

Moving NZ Business forward – with Digital Payments

Many small-medium businesses in New Zealand right now are being forced to look for digital solutions to their challenges. In some cases it’s necessary as there are few other options to operate during the COVID-19 era, in others this pushing forward probably should have come much earlier but the current era is forcing a move by businesses who wish to attract new business.

Fresh approaches to transacting can simply be contactless payments using existing EFTPOS and credit card terminals – in other cases it will be a fresh approach to transacting via E-Commerce.

Tap to Pay
Many businesses with an EFTPOS payment terminal will be able to have contactless payments turned on if they don’t already. This facilitates transactions through a physical credit card (Visa payWave or MasterCard PayPass) in addition to payments via Apple Pay, Google Pay and Fitbit Pay on smartphones and wearable devices such as the Apple Watch and Fitbit.

Many small business owners I’ve spoken to in recent weeks have had an opportunity to transact online for a long time – but in many cases found it easier to stay with the status quo. Online business and ecommerce can be carried out via a range of mechanisms – including extending their own website, linking to an external payment gateway, or by selling through a marketplace such as Trademe or UberEats which bring a large pool of potential customers.

What’s right for your business or charity?
The best approach will vary – but putting some new digital payment mechanisms in place will be beneficial for many businesses and non-profit organisations. I suggest collaborating with others to settle on an appropriate option quickly – that might involve small-medium business technology experts (such as my team at Gorilla Technology) and also other friendly business owners and experts in your field.

Recently, I spoke with a business adviser who is fielding many opportunities to provide services. We determined that an online portal where his time could be scheduled and paid for in advance would be hugely beneficial in increasing how many people he could help. By minimising the time overhead with manual invoicing and payments, along with an automated online scheduling service the business would be easier to operate and be more profitable.

In another situation I came across a restaurant owner with limited resources who enabled two options for ordering – one via UberEats which took care of delivery and payments, the other by taking orders utilising Facebook Messenger and then contactless payments with a credit card. In the case of the Facebook ordering, this enabled building a list of customers and fans who can be engaged with on an ongoing basis.

Sharing a Futurist viewpoint with John Campbell on TVNZ Breakfast

To kick off 2020 and the new decade, Paul Spain joined John Campbell and Hayley Holt on TVNZ Breakfast on the first episode of the year in order to provide a futurist standpoint on technology and where we are headed in the not too distant future, whilst considering the current state of the play.

Paul continues to be asked to share on the futurist mindset with a broad range of audiences – via mainstream media and as a keynote speaker. You can learn more about Paul’s public speaking – or feel free to get in touch.

Tuia 250 Privacy Breach – Ministry for Culture and Heritage

Paul Spain

This morning I was interviewed on the RNZ National programme ‘Morning Report’. After further queries about this breach it seems appropriate to share a little more detail here for those who are interested. In summary, a website built by a third party for the Ministry for Culture and Heritage unintentionally made available digital copies of the following documents:

  • 228 passports (209 NZ passports, 19 international passports from Australia, Brazil, Canada, China, Denmark, South Africa, UK, USA)
  • 55 driver licences
  • 36 birth certificates
  • 6 secondary school IDs
  • 5 NZ residential visas

Digital copies of some of these documents are now in the hands of unknown people and there is already a case in which misuse of one of these documents has been attempted. There is risk to all individuals whose documents have been compromised – including fraud and identity theft.

How should organisations choose to store digital copies of passports and personal identification?

Choosing how to secure and store this sort of data is a critical organisational decision. It should ideally be directed and signed off by senior staff with an understanding of both cyber security and the impact of mistakes with others’ data. This might typically include a Chief Information Officer (CIO) or a Chief Information Security Officer (CISO). It seems likely that step didn’t happen in this case – possibly an internal process was missed or lacking.

Naturally there is technology for storing personal information within government and businesses that encrypts the data. There are also technologies, known as Data Loss Prevention (DLP), focused on minimising the risk of the data getting out. In this case it appears the data wasn’t encrypted or protected by DLP software and policy. Organisations that need identification should avoid holding on to this data unnecessarily. If a check can be made quickly without storing copies of documents, that will often cost much less than storing the data due to the huge security responsibilities of storing identification documents.

Was the website developer at fault?

It may be unfair to expect a typical small New Zealand website design firm or website developer to have expertise in how to secure such critical data. This would be different if they were a large technology provider contracted for this job because of their specialist skills in dealing with data of this nature and were contracted specifically to put suitable protections in place.

How should individuals react to requests for copies of their identification documents?

Whenever I’m asked for a digital or paper copy of my identification documents (such as a passport or driver license) I usually look to see if there is an alternative. I understand some organisations need to view this information, but in many cases they should not be storing it. If I’m providing a copy of my passport, I’d prefer to know that data would be immediately destroyed – or that it were protected by an enterprise grade DLP (data loss prevention) system. As I mentioned on Morning Report, dealing with identification documents is challenging for many organisations now – many ask for copies of passports and driver licenses and choose to store them. Knowing how poor security of this data can be, I often refuse to supply copies of a passport or driver license digitally, and I request paper copies are shredded or returned to me.

Is current legislation around copying personal identification documents adequate?

I haven’t read the related legislation; however, current practices around copying personal data seem very loose and I believe it’s time the government considered how we reduce further risks.