What can cybernetics tell us about the Optus and Medibank data hacks?

Our Research Fellow Chris Mesiku shares his insights.

News Essays

At the South Australian desert. Photo by Andrew Meares.
At the South Australian desert. Photo by Andrew Meares.

In the last two months, we have been reminded a number of times of the real risk to our personal data, privacy and our ability to control what people know of our identity. First we learned of the Optus data breach followed by the Medibank data breach of the personal and sensitive health data of millions of Australians. When I heard of the Optus breach, I had to check that my provider, – an Optus subsidiary, was not impacted by the breaches. I breathed a silent sigh of relief when I realised they were not impacted. Similarly, the Medibank hack impacted only Medibank and not its numerous business partners. These activities are rightly scary and engender fear in most of us. People are concerned that even if they were not involved in these breaches, there will soon be another similar incident that may well impact on their privacy.

These recent data related incidents put us in an interesting dilemma in which we wish organisations don’t have to hold on to our data or if they do, then we wish they have that data under such a strong security that the data will never be in transit. However, as I will shortly describe, a dataset that has been permanently immobilised will be useless and so it begs the question as to why that data is being collected. The fact of the matter is, currently, for various legislative requirements, organisations and business are required to hold on to customer records for a number of years to provide an audit trial and evidence for future investigations. It is not in our global interest to stop the flow of data: if organisations are made to control and effectively stifle any flow of data, then our data driven march towards the future will grind to a halt. Currently Australia predicts it has the potential to gain from data driven AI at the tune of around 13 trillion dollars.

We can take comfort in what history can tell us about how data flows. Some points in time when technology has allowed data to flow purposefully include smoke signals and the drum signals which are still an important part of cultures today in some parts of the world. Ever since data began to flow in the form of Morse Codes via the telegraph, we initiated the risk of our messages being intercepted and corrupted. Nevertheless, the technology forged ahead. In turn, the lessons learnt in telegraph systems helped in the development of controls and risk mitigation measures for telephone communication data. Our societies have managed to create various ways of communicating through and controlling the systems that are interacting with our telephone systems. While we have not mitigated being hacked via our phone systems, we have become resilient in those risks. These lessons are important in how we think about the future trajectories of these recent data breaches.

From a cybernetics perspective, we get to ask questions around the infrastructure and structure that allow data to flow and cause actions in the world. The traces of purposeful communication and control are exhibited in a variety of layers while the data is at rest or while it is in motion. While it is stored and secured, it is at rest and while it is acting in the world, it is in motion. In order to communicate, there must always be a transfer of information - data must simply flow. For us to use mobile phones to talk with our loves ones, data must be allowed to flow. For us to get the high quality health care that we have come to rely on and appreciate, data must be allowed to flow.

What the Optus and Medibank data hacks have made clear for us is that we must understand the business structures, human structures, technological structures and environments through which data flows while always keeping in mind where there are vulnerabilities and weaknesses in any of those systems and importantly where there could be emergent vulnerabilities. Indeed, within a systems scale, there are emergent properties that cannot be reduced to parts of the system. It might be worth investing time in investigating and producing methods for illuminating these emergent vulnerabilities.

Another lesson a systems lens teaches us is that we need to tell matured data stories. If the stories revolve around whether or not the hackers have released personal data, whether or not the government will impose fines on businesses, whether or not politicians will introduce new privacy bills and so on, we will inevitably continue on unhelpful data trajectories. On the other hand, if we start our data stories from the position that the nature of data is to flow and to have communication is to allow for data flows, news about hacks will contain more than emotive headlines and instead guide the conversation towards possible solutions across the various structures through which data acts as it flows.

Currently, at the School of Cybernetics, we are actively thinking about systemic ways of approaching beneficial data driven interventions for social good. In order for all of us to flourish in a highly connected Australia, we have to tell better stories about data that are less focused on data technology and more about the interaction within and between the techno socioeconomic contexts.

You are on Aboriginal land.

The Australian National University acknowledges, celebrates and pays our respects to the Ngunnawal and Ngambri people of the Canberra region and to all First Nations Australians on whose traditional lands we meet and work, and whose cultures are among the oldest continuing cultures in human history.

arrow-left bars search times