These are short quotes from some of Stephen’s speeches and articles.

Home » Library » Quotes


  • “Privacy is less about what is done with information than what is not done with it.” [In Nature magazine, 26 March 2015 “Data protection: Big data held to privacy laws, too”]
  • “Today’s social IDs are issued by providers that don’t really know who we are, and are used by services that don’t really care.”
  • “Google is to privacy as MacDonalds is to dieting”.
  • “The big informopolies hire Privacy Officers for the same reasons that big tobacco companies employ oncologists”.
  • “The password is probably the only technology in history where its efficacy (security) is inversely proportional to its usability. Passwords must be hard to use to be secure.”
  • “The password was designed in the 1960s by technicians, for technicians.”
  • “In public — the real world public — no one can hear you whisper. There’s a paradox: public can be private. The public-private dichotomy [in privacy] is false. For there’s also an important technicality. Information privacy law doesn’t much mention ‘the public domain’. It’s irrelevant. Privacy of personal information should be maintained regardless of where that information was collected.”
  • You’ve heard of the “Bart Simpson Defence”: I didn’t do it! Nobody saw me do it!! You can’t prove a thing!!! Biometrics advocates have gone through a similar sequence when faced with the question of whether templates can be reverse engineered: “It can’t be done! I’ve never seen it done! Well anyway, it wouldn’t matter if it was done!”

“Facebook backdown sends a warning to all data diggers” (2010)

An article by Julian Lee, Marketing Editor for the Sydney Morning Herald, on the pitfalls of overdoing the exploitation of marketing data, June 18, 2010.

On the propensity of Facebook and Google to farm data:

  • “They don’t know what they are looking for until they find it. It’s like they are prospecting and they come across a goldmine and they look around and see that there are no mineral rights claimed here. So they just take the stuff, put it away and figure out how it might be of use down the line.”

Op-ed: “An uphill battle for online privacy” (2010)

From Stephen’s Sydney Morning Herald op-ed of 17 Februay 2010:

  • “The erosion of privacy suits the agendas of many but anyone asserting that ‘privacy is dead’ is trying to sell you something, be it ideology or a new pair of runners.”
  • “Even if Facebook is not just a fad, how should we extrapolate from adolescent risk taking to sober privacy law making? We don’t let 21 year old P-platers set road safety policy, and we shouldn’t let them set privacy policy either.”
  • “When people say “information wants to be free” they’re not just talking about cost, but friction, too. Information is a super-fluid.”
  • “The complacency of technologists and the easy contempt shown for principled privacy advocates means we face an uphill battle to retain control over our own affairs.”
  • “Privacy advocates tend tragically to be caricatured as extremists, hippies or paranoiacs. They’re regarded with suspicion, given the misconception that if you haven’t done anything wrong, you’ve got nothing to hide. Privacy is far more complex than that; it’s not just about secrecy, it’s about control.”
  • “Facial recognition may work perfectly in the movies but in real life biometrics are riddled with errors, with false alarms usually running at 1 or 2 percent. It would be only a matter of time before a data mining computer suggested I was in the wrong place at the wrong time. The march of progress means the onus of proof will increasingly fall on the falsely accused to explain themselves.”

We take more care we car keys than we do with our digital identities (2009)

  • “We take a lot more care with car keys. My car has got a modern key that you cannot duplicate at the locksmith; you have to take it back to the manufacturer. It has an engine immobiliser and all of these electronics and smarts. But electronic service providers are still very timid about authentication. They are very timid that authentication technologies will compromise convenience. Convenience trumps all else at the moment. We have got ourselves into a situation where, believe it or not, the cost of identity fraud every year far exceeds the cost of car theft.”

From Stephen’s testimony to the House of Representatives Cybercrime Inquiry, 9 Oct 2009.

Suspension of disbelief when online (2009)

  • “Suspension of disbelief when browsing lies at the heart of many of the safety problems we’re now seeing. Inevitably we lose our bearings in the totally synthetic World Wide Web. We don’t even realise it, we’re taken in by a virtual reality, and we become fatally vulnerable to social engineering”.

From the blog entry “How to trust in the Internet when nothing there is real?” 14 Jan 2009.

Cyber-criminals’ X-Ray Vision (2008)

  • “The Internet has given criminals x-ray vision into almost everyone’s banking details, and perfect digital disguises with which to defraud online merchants.”
  • “There are opportunities for crime now that are quantitatively and qualitatively radically different from what went before. In particular, because identity data is available by the terabyte and digital data shows has no respect for originals versus copies, identity takeover is child’s play.”

From “Many hands make security work”, Online Banking Review, Oct-Nov 2008.

Privacy and the young (2008)

  • “It’s said that Generation Y don’t care about their privacy. I don’t actually believe that’s true but even it was, so what? We don’t let 18 year old males set road safety policy, and I don’t think we should let them guide privacy policy either.”

From Stephen’s presentation on the Technology Panel at the Inaugural Conference of the Australia-New Zealand Chapter of the International Association of Privacy Professionals (iappANZ), Sydney, August 2008.

Privacy and identity (2008)

  • “It’s high time that we started to treat IDs as seriously as we do car keys. Today our technology neutral stance admits a huge range of authentication techniques – passwords, one time logon generators, key fobs and even biometrics – most of which are known to be seriously deficient. We don’t treat door locks or car locks with such disregard; neither should we treat our digital IDs so casually.”

From Reflections on technology and privacy, Inaugural Conference of the Australia-New Zealand Chapter of the International Association of Privacy Professionals (iappANZ), Sydney, August 2008.

Privacy gaffs (2008)

  • “Scott McNally’s quip that ‘you have no privacy, get over it’ usually tops the list of technologists’ infamous privacy gaffs, but a more insidious viewpoint is actually revealed by a past chair of IBM, Lou Gerstner, who said that ‘Privacy is not a technology issue’. By positioning privacy as being apart from technology, he gave licence to technologists to ignore their own role in privacy, and perpetuated the sad cultural gap between technology and ‘the business’.”

From Reflections on technology and privacy, Inaugural Conference of the Australia-New Zealand Chapter of the International Association of Privacy Professionals (iappANZ), Sydney, August 2008.

Health information at online grocery stores (2008)

  • “Consider the fact that one can buy St Johns Wort online in the herbal remedy section of grocery shopping sites. There is only one use for St Johns Wort: self medication for depression. So the transaction histories of many otherwise innocuous e-commerce servers contain detailed indications of customers’ mental health (or their perceived mental health).”

From Reflections on technology and privacy, Inaugural Conference of the Australia-New Zealand Chapter of the International Association of Privacy Professionals (iappANZ), Sydney, August 2008.

‘Trust’ and ‘identity’ are red herrings in authentication (2001)

  • “Note that [the APEC definition of ‘authentication’] does not have identity as an essential element, let alone the complex notion of ‘trust’. Identity and trust all too frequently complicate discussions around authentication. Of course, personal identity is important in many cases, but it should not be enshrined in the definition of authentication. Rather, the fundamental issue is one’s capacity to act in the transaction at hand. Depending on the application, this may have more to do with credentials, qualifications, memberships and account status, than identity per se, especially in business transactions”.

From “Making Sense of your Authentication Options in E-Business” in the Journal of the Cryptographic Centre of Excellence, PricewaterhouseCoopers, 2001.

On the ‘electronic passport’ metaphor for digital certificates outliving its usefulness (2001)

  • “For years, it was simply assumed that a digital certificate necessarily entailed passport level identity checks. This assumption derived from the longstanding metaphor of certificates as electronic passports – an intuition as to what a certificate might mean. Crucially, the metaphor pre-dates modern e-business!”

From “Problems in Mandating Strong Personal EOI in PKI”, a paper written for the Australian delegation to the 23rd meeting of the APEC Telecommunications Working Group (TEL23); see http://tinyurl.com/strong-EOI-problems.

More on the ‘electronic passport’ metaphor being unhelpful (2000)

  • “[Most] certificate schemes today carry a burden of proof of personal identity, which can be traced back to the original notion of the digital certificate as an ‘electronic passport’. This metaphor has moulded the way we conceive of identity in e-business and has led to a de facto burden of proof that is much higher than it is in the paper world”.

From “Attribute certificates and their limitations”, Journal of the PricewaterhouseCoopers Cryptographic Centre of Excellence, Nov 2000.

On Digital credentials (1999)

  • “To date we have tended to think of digital certificates as being like electronic passports. … But this is unfortunate because it is more accurate and far more powerful to think of certificates as electronic credentials, specific to the CA’s community of interest.
  • “In the real world, we don’t characterise credentials according to personal identity levels. Rather, we allow different communities or bodies to set their own rules for admission. The legitimacy of those rules [is] the same thing as the authority to issue credentials to, say, lawyers and doctors …”

From “Privacy positive aspects of public key infrastructures”, in Privacy Law and Policy Reporter, 1999.

More on Digital credentials (1998)

  • “[A] law society and a medical registration board might both establish CAs in order to issue digital certificates to their members. If the processes for issuing those certificates are integrated with present registration practices, then the certificates could represent electronic credentials. Thus, an electronic prescription digitally signed by a doctor could be trusted by a pharmacist, if the doctor’s certificate came from the recognised registration board. And likewise a title search digitally signed by a lawyer could be trusted by a home buyer, if the lawyer’s certificate came from a recognised law society. The relying parties in these respective transactions may care little for the actual identities of the signatories; rather, the relying parties need to trust their credentials.”

From “Current issues in the rollout of a National Authentication Framework”, Information Industry Outlook Conference 1998.