Thinking usefully about privacy is the first step, says First Look Media’s security director

Matt Nippert from the NZ Herald caught up with First Look Media’s director of security Morgan Marquis-Boire ahead of this week’s Kiwicon conference in Wellington, where Marquis-Boire is speaking.

Marquis-Boire is a New Zealander who’s been overseas for a number of years working for Google and more recently First Look. First Look publishes The Intercept, led by Glenn Greenwald, Laura Poitras and Jeremy Scahill, which has been reporting on disclosures made by NSA whistleblower Edward Snowden.

Of particular interest to me:

While unwilling to discuss specific threats to First Look, [Marquis-Boire] said his new workplace faced similar issues to other prominent news organisations.

“Twenty-one out of the world’s twenty-five top news organisations have been targeted by state-sponsored attacks. As a statistic that definitely shows the viability of the press as a target for espionage,” he said.

I also liked his take on how to think about your own online privacy and security:

What do you want to keep private?

Matt Nippert is a Kiwicon speaker himself this year, along with fellow NZ Herald journalist David Fisher, on the subject of: Hackers and Hacks, or: How I Learned to Stop Worrying and Love the MSM

The notion of trust underpins much of what the media does: Whether readers trust what they read, and whether sources trust journalists not to burn them to the ground. The Rawshark saga – encompassing Gmail and Facebook hacks, Police raids, ministerial resignations, High Court injunctions and meters of quality news stories – gives an insight into how this process functions under conditions of high stress. Based on historic and [obviously sanitised] contemporary experience, this talk will let you know how the code of journalism works, the limits journalists go to to protect sources and how quickly old media can learn new tricks.

I’m very much looking forward to hearing Nippert and Fisher and the rest of the speakers. This will be my first Kiwicon and it looks like a cracker. See you there.

“If you can’t protect it, don’t collect it”

The recent theft of the personal data of 4.5 million patients of a US hospital chain prompted Bloomberg to look at the Top 10 Data Breaches of all time. In their story, they wrote:

The recent attack has gained notoriety for its methods, rather than its size — the hacking group has been prolific in attacking U.S. medical-device companies and drug makers. The chart below shows how the Chinese breach compares with others.

The ranking provides little solace if you’re one of the people whose personal information was stolen and used for identity theft. Yet, with security-software maker Symantec calling this the era of the “mega-breach” and some attacks hitting the nine digits, it’s worth remembering that hackers have many, many other ways to obtain personal information.

Bloomberg included an interactive graphic showing the top 10 data breaches and who did the breaching, which is worth a look. The top three offenders are Malicious Outsider, Accidental Data Loss, and Physical Loss.

Excerpt from Bloomberg’s Data Breaches Over Time interactive graphic

Daniel Solove, Professor of Law at George Washington University Law School and founder of TeachPrivacy, pulled together a few takeaways from the story including:

  • The leading causes of data breaches often involve workforce mistakes. Malicious outsiders often get in because they trick people through phishing and social engineering.
  • Organizations are collecting and using data faster than they are able to keep it secure.
  • Educate the workforce! Train them once, train them twice, train them thrice. Repeat, repeat, repeat.
  • Read the rest of Daniel Solove’s comments here

The point that most struck home for me was this one:


Here in New Zealand, the Office of the Privacy Commissioner has released a guide for app developers designed to help developers think about what personal details they really need to capture from their users.


The office says:

When apps don’t convey basic information about what the business is collecting personal information for, it’s hard for people to feel confident that their information is being looked after. But when an app developer finds a way to be clear about what is happening, people notice. It’s a way to convey to users that you’re trustworthy, that you know the value of their information and you’ll treat it with respect.

There’s a downloadable pdf of the NEED TO KNOW OR NICE TO HAVE guide, or you can get the gist from the topic page on