On the leakage resilience of secure channel establishment

Secure communication channels are typically constructed from an authenticated key exchange (AKE) protocol, which authenticates the communicating parties and establishes shared secret keys, and a secure data transmission layer, which uses the secret keys to encrypt data. We address the partial leakage of communicating parties' long-term secret keys due to various side-channel attacks, and the partial leakage of plaintext due to data compression. Both issues can negatively affect the security of channel establishment and data transmission. In this work, we advance the modelling of security for AKE protocols by considering more granular partial leakage of parties' long-term secrets. We present generic and concrete constructions of two-pass leakage-resilient key exchange protocols that are secure in the proposed security models. We also examine two techniques--heuristic separation of secrets and fixed-dictionary compression--for enabling compression while protecting high-value secrets.

Moments of flux in intermediary liability for copyright infringement

This chapter provides an overview of a recent shift in regulatory strategies to address copyright infringement toward enlisting the assistance of general purpose Internet Service Providers. In Australia, the High Court held in 2012 that iiNet, a general purpose ISP, had no legal duty to police what its subscribers did with their internet connections. We provide an overview of three recent developments in Australian copyright law since that decision that demonstrate an emerging shift in the way that obligations are imposed on ISPs to govern the actions of their users without relying on secondary liability. The first is a new privately negotiated industry code that introduces a 'graduated response' system that requires ISPs to pass on warnings to subscribers who receive allegations of infringement. The second involves a recent series of Federal Court cases where rightsholders made a partially successful application to require ISPs to hand over the identifying details of subscribers whose households are alleged to have infringed copyright. The third is a new legislative scheme that will require ISPs to block access to foreign websites that 'facilitate' infringement. We argue that these shifts represent a greater sophistication in approaches to enrolling general purpose intermediaries in the regulatory project. We also suggest that these shifts represent a potentially disturbing trend towards enforcement of copyright law in a way that does not provide strong safeguards for the legitimate constitutional due process interests of users. We conclude with a call for greater attention and research to better understand how intermediaries make decisions when governing the conduct of users, how those decisions may be influenced by both state and non-state actors, and how the rights of individuals to due process can be adequately protected.

Duty and Control in Intermediary Copyright Liability: An Australian Perspective

In the internet age, copyright owners are increasingly looking to online intermediaries to take steps to prevent copyright infringement. Sometimes these intermediaries are closely tied to the acts of infringement; sometimes – as in the case of ISPs – they are not. In 2012, the Australian High Court decided the Roadshow Films v iiNet case, in which it held that an Australian ISP was not liable under copyright’s authorization doctrine, which asks whether the intermediary has sanctioned, approved or countenanced the infringement. The Australian Copyright Act 1968 directs a court to consider, in these situations, whether the intermediary had the power to prevent the infringement and whether it took any reasonable steps to prevent or avoid the infringement. It is generally not difficult for a court to find the power to prevent infringement – power to prevent can include an unrefined technical ability to disconnect users from the copyright source, such as an ISP terminating users’ internet accounts. In the iiNet case, the High Court eschewed this broad approach in favor of focusing on a notion of control that was influenced by principles of tort law. In tort, when a plaintiff asserts that a defendant should be liable for failing to act to prevent harm caused to the plaintiff by a third party, there is a heavy burden on the plaintiff to show that the defendant had a duty to act. The duty must be clear and specific, and will often hinge on the degree of control that the defendant was able to exercise over the third party. Control in these circumstances relates directly to control over the third party’s actions in inflicting the harm. Thus, in iiNet’s case, the control would need to be directed to the third party’s infringing use of BitTorrent; control over a person’s ability to access the internet is too imprecise. Further, when considering omissions to act, tort law differentiates between the ability to control and the ability to hinder. The ability to control may establish a duty to act, and the court will then look to small measures taken to prevent the harm to determine whether these satisfy the duty. But the ability to hinder will not suffice to establish liability in the absence of control. This chapter argues that an inquiry grounded in control as defined in tort law would provide a more principled framework for assessing the liability of passive intermediaries in copyright. In particular, it would set a higher, more stable benchmark for determining the copyright liability of passive intermediaries, based on the degree of actual, direct control that the intermediary can exercise over the infringing actions of its users. This approach would provide greater clarity and consistency than has existed to date in this area of copyright law in Australia.

A taxonomic approach to understanding managerial ethical decision making approaches of clinically and non-clinically trained healthcare managers in Australia

Objective To understand differences in the managerial ethical decision-making styles of Australian healthcare managers through the exploratory use of the Managerial Ethical Profiles (MEP) Scale. Background Healthcare managers (doctors, nurses, allied health practitioners and non-clinically trained professionals) are faced with a raft of variables when making decisions within the workplace. In the absence of clear protocols and policies healthcare managers rely on a range of personal experiences, personal ethical philosophies, personal factors and organizational factors to arrive at a decision. Understanding the dominant approaches to managerial ethical decision-making, particularly for clinically trained healthcare managers, is a fundamental step in both increasing awareness of the importance of how managers make decisions, but also as a basis for ongoing development of healthcare managers. Design Cross-sectional. Methods The study adopts a taxonomic approach that simultaneously considers multiple ethical factors that potentially influence managerial ethical decision-making. These factors are used as inputs into cluster analysis to identify distinct patterns of influence on managerial ethical decision-making. Results Data analysis from the participants (n=441) showed a similar spread of the five managerial ethical profiles (Knights, Guardian Angels, Duty Followers, Defenders and Chameleons) across clinically trained and non-clinically trained healthcare managers. There was no substantial statistical difference between the two manager types (clinical and non-clinical) across the five profiles. Conclusion This paper demonstrated that managers that came from clinical backgrounds have similar ethical decision-making profiles to non-clinically trained managers. This is an important finding in terms of manager development and how organisations understand the various approaches of managerial decision-making across the different ethical profiles.

Governance of enterprise Information and Technology: A new core competency for boards of directors

With the level of digital disruption that is affecting businesses around the globe, you might expect high levels of Governance of Enterprise Information and Technology (GEIT) capability within boards. Boards and their senior executives know technology is important. More than 90% of boards and senior executives currently identify technology as essential to their current businesses, and to their organization’s future. But as few as 16% have sufficient GEIT capability. Global Centre for Digital Business Transformation’s recent research contains strong indicators of the need for change. Despite board awareness of both the likelihood and impact of digital disruption, things digital are still not viewed as a board-level matter in 45% of companies. And, it’s not just the board. The lack of board attention to technology can be mirrored at senior executive level as well. When asked about their organization’s attitude towards digital disruption, 43% of executives said their business either did not recognise it as a priority or was not responding appropriately. A further 32% were taking a “follower” approach, a potentially risky move as we will explain. Given all the evidence that boards know information and technology (I&T***) is vital, that they understand the inevitably, impact and speed of digital change and disruption, why are so many boards dragging their heels? Ignoring I&T disruption and refusing to build capability at board level is nothing short of negligence. Too many boards risk flying blind without GEIT capability [2]. To help build decision quality and I&T governance capability, this research: • Confirms a pressing need to build individual competency and cumulative, across-board capability in governing I&T • Identifies six factors that have rapidly increased the need, risk and urgency • Finds that boards may risk not meeting their duty of care responsibilities when it comes to I&T oversight • Highlights barriers to building capability details three GEIT competencies that boards and executives can use for evaluation, selection, recruitment and professional development.

Impact of a new mandatory reporting law on reporting and identification of child sexual abuse: A seven year time trend analysis

Child sexual abuse is widespread and difficult to detect. To enhance case identification, many societies have enacted mandatory reporting laws requiring designated professionals, most often police, teachers, doctors and nurses, to report suspected cases to government child welfare agencies. Little research has explored the effects of introducing a reporting law on the number of reports made, and the outcomes of those reports. This study explored the impact of a new legislative mandatory reporting duty for child sexual abuse in the State of Western Australia over seven years. We analysed data about numbers and outcomes of reports by mandated reporters, for periods before the law (2006-08) and after the law (2009-12). Results indicate that the number of reports by mandated reporters of suspected child sexual abuse increased by a factor of 3.7, from an annual mean of 662 in the three year pre-law period to 2448 in the four year post-law period. The increase in the first two post-law years was contextually and statistically significant. Report numbers stabilised in 2010-12, at one report per 210 children. The number of investigated reports increased threefold, from an annual mean of 451 in the pre-law period to 1363 in the post-law period. Significant decline in the proportion of mandated reports that were investigated in the first two post-law years suggested the new level of reporting and investigative need exceeded what was anticipated. However, a subsequent significant increase restored the pre-law proportion, suggesting systemic adaptive capacity. The number of substantiated investigations doubled, from an annual mean of 160 in the pre-law period to 327 in the post-law period, indicating twice as many sexually abused children were being identified.

Leading Digital Transformation: Building Technology and Information Governance Capability in Boards of Directors and the C-Suite

Information and technology and its use in organisation transformation presents unprecedented opportunities and risks. Increasingly, the Governance of Enterprise Information and Technology (GEIT) competency in the board room and executive is needed. Whether your organization is small or large, public, private or not for profit or whether your industry is not considered high-tech, IT is impacting your sector – no exceptions. But there is a skill shortage in boards: GEIT capability is concerningly low. This capability is urgently needed across the board, including those directors who come from finance, legal, marketing, operations and HR backgrounds. Digital disruption also affects all occupations. Putting in place a vision will help ensure emergency responses will meet technology-related duty of care responsibilities. When GEIT-related forward thinking and planning is carried out at the same time that you put your business strategy and plan in place, your organization has a significantly increased chance of not only surviving, but thriving into the future. Those organizations that don’t build GEIT capability risk joining the growing list of once-leading firms left behind in the digital ‘cloud of smoke’. Those organizations that do will be better placed to reap the benefits and hedge against the risks of a digital world. This chapter provides actionable, research-based considerations and processes for boards to use, to build awareness, knowledge and skills in governing technology-related organization strategy, risk and value creation.