MEGAN LEE (ML)

Welcome to this SGM. Firstly, I would like to acknowledge we are meeting on the land of Whadjuk Noongar people, and the Whadjuk people are the spiritual custodians of this land, and continue to practice their values, beliefs and traditions.

The agenda for today – I will be acting as chair, if anyone has a problem with me being chair, as per regulations. I think we will be fine.

Just to let you know the Guild Council (GC) has passed a media policy which includes filming Special and Annual General Meetings (SGMs, AGMs respectively). The filming will not be livestreamed, it will be up publicly within seven days and we will only be filming the speaker’s chair.

For any of you who are livestreaming, please be conscious that some people will not want to be filmed, so do not pan around the room. Just focus on what is happening up here and be respectful of other people in the room.

The purpose of this SGM, as submitted to the Guild Secretary, is as follows. The purpose of the SGM will be to discuss the recent security vulnerability discovered in the Guild website, which exposed the personal details of over 1000 Guild members; how the UWA Student Guild responds to this vulnerability; and how the Guild can improve in the future.

I will say the Guild staff have been working with the submitter of this SGM request with the information provided and which we will speak about today.

Do we have any declarations of potential or perceived conflicts of interest? No? Great.

Moving into Item 3: motions on notice. We will read out those motions and the mover and seconder will have the right to speak. As the chair I will abide by the standing orders of all GC meetings. I also have a vote and a casting vote as well.

Motion 3.1: The UWA Student Guild will immediately conduct a security audit on the website hosted at uwastudentguild.com and publish a report for the next General Meeting.

Moved by Ryan Oakley. Seconded by Chris Scherini.

Ryan Oakley (RO): On the 24th February it was discovered that the Guild [website] contained the phone numbers and emails of over 1000 students on their webpage. This data was embedded in the HTML of the webpage. The decision on the part of the [software] developer was an example of gross negligence. It should have been easy to spot this common vulnerability during the creation of the webpage. Concerning the gross negligence of the developer, I think it is appropriate for the Guild to audit the security of this website. I think it is necessary the findings of the audit are distributed to members of the Guild to assure them their data is safe with the Guild. I have deliberately left the implementation of this policy to the Guild. There are many options available, such as recruit some computer science students or hire a code making consultancy. However the Guild chooses to implement its policy, it is clear the negligence of the 3rd party developer has put the Guild in a difficult position, not of their own making. I want to make it clear the purpose of this motion and the other motions I have submitted today is to help improve the Guild. The way it helps cybersecurity data which is a vulnerability. I do not hold any single person responsible for this. I think this was a failing of the institution as a whole, due to a lack of processes for student reps and staff to follow.

ML: Thank you. I now call the seconder, Chris Scherini to the floor.

Chris Scherini (CS): I do not have much to add to Ryan’s speech. It is just simply a security audit and presenting the findings to an OGM so students know what is happening, and to improve the Guild.

ML: Now the order of business will follow as we will have questions and clarifications. This is not entering into substantive debate on how this will be run. This is if you have questions on anything contained in the motion, that is, seeking further clarification.

Jack Looby (JL): I would like to know how much this will cost. Will this be worth the cut of the SSAF funding?

RO: It will very much range from free, if you get computer science students to consult, to very expensive, if you get a 3rd party consultancy. In my opinion, get some computer science students interested in security. I am not one of them, but there are computer science students with a background in cybersecurity, by doing anything from lecture bashing [UWA cybersecurity units], reaching out to lecturers of these units, et cetera.

Tony Goodman (TG): Just a clarification, you would have to go through a 3rd party. We cannot have a security breach and be worried about students’ security, then have a student access the information. I appreciate the intent to have students involved, but in order to respond to a security breach you would be better off to bring someone else in. You cannot rely on students to access the data and do an analysis because you do not run an organisation like that. You will have to put some money into it, if that is the will of the GC. At the same time, I would encourage you to get computer science students to talk to you about the new website, *indecipherable*, Chloe Jackson, Kelvin, and the students already looking at building the new website. *indecipherable* Yes Jack, I would say you would have to find budget for that.

ML: There are two parts to that. We are conducting a user experience review of our website, which we would love to have students be a part of, have students contributing to that, because students are the ones using that, along with our student reps and staff. But I think, as a council, I am not out of turn saying I would prefer to have professionals conduct the security audit of our site. I don’t know how to turn on a computer, but I am sure there are computer science students out there who are more technically competent than I am. As a professional organisation, I think it is important we get professionals to build our website, so we can pay a 3rd party consultancy to look at it.

RO: Under the regulations *indecipherable*

TG: If you allege there is a security breach, and the goal is to protect students. If you bring a 3rd party in, they are putting their authority and credibility onto that website, rather than a few students. Students will put in a lot of time and effort in, which is great, but you will not be placing any accountability on them.

RO: In some ways it depends on your definition of a business. There are many students on campus who run businesses.

ML: This is moving more into debate. I am calling for any more questions or clarifications.

Leigh Tyers (LT): I am interested more in the particulars of the leaked information, I should say, rather than the breach. When was the first date you found the information?

RO: That is a complicated answer. I first discovered on the 24th [February] there was a vulnerability. But a week before then I knew there was too much information on the website.

LT: I am only asking because on the 27th February there was a post on Facebook about it. I am assuming it was you.

RO: Yes.

LT: I immediately went to check if my phone number was on it – I couldn’t see it. I found out that at least, on the 27th, somewhere between 6pm and 10pm, only students from late-2013 and late-2014 were affected.

RO: I am glad you pointed that out, because, I was notified twice by the Guild on that day. First time, it was a change to the code, the second time, they deleted almost all of the data, but not some of it. When I posted, I had not yet checked or verified what the Guild had said. By that point, most of the data had been removed.

ML: Does that answer your question?

LT: Yes, mostly.

ML: Vinuri?

Vinuri Gajanayake (VG): In the process of this audit, how long do you think the website will be inaccessible to students and clubs who try to fill out EMPs during this time?

RO: The motion has now been amended [so the site will not need to be taken down during the audit]. Theoretically the site can be copied to another machine, so it will remain exactly the same.

Student 1 (S1): Just to clarify, we are confident all of the leaked information we know about is now no longer leaking on the website? Not any other information that might be out there, but the stuff you knew about?

RO: Yes, none of the personal information is there. There is some meta-information still there, but that is not to do with any persons.

Michael Barblett (MB): You talk about personal details – names, phone numbers, and emails. How is that different from data that is sold by companies on a regular basis now? I do not see that as private details.

RO: The issue is, it is worse than data sold to a customer, as it is public. Also the Guild has a privacy policy so they don’t sell your data. It is entirely possible your data is being sold, but not by the Guild. And when it is sold it isn’t made public, there are agreements around this.

MB: Maybe public selling isn’t the right analogy. Your email is something that is so out there. Anyone can get the university emails – anyone can use your first name-dot-your last name @student… That is an email for a person. Your mobile number is just like a home number, that you can look up in the white pages.

RO: It is true, but there is other information like the contextual information. For example, if someone searched “gay” and saw someone running a gay event, they could send [the organiser] an angry email. Also some people use their personal or work email. With that said, looking up phone numbers in the white pages, it is really the context of the information; websites like the White Pages are structured such that you can’t pull them easily. While this *indecipherable*

Student 2 (S2): Clarification on that – the White Pages is a system you can opt-out of, this is not one you can opt-out of. If your details are put up there, there is no way of, as it stood, there was no way to prevent them.

ML: I will say though, that is very true, very valid point, but an EMP - while this is very unfortunate and the Guild staff are working very hard to make sure that this is fixed - an event management plan is a public document. Anyone can walk into Guild, say “I would like to see x club’s EMP” and we are required to give it to them. That is just for your own understanding. That is what an event management plan is. You as a public event holder are making yourself the public contact person, leader for that event, who is therefore responsible for anything that happens in relation to that event. That is either pre-event, if something is going on and one of our staff needs to contact the event manager, that is why we ask for that information. Then retrospectively, if something goes wrong at an event and any of you think that was because they didn’t appropriately plan or anticipate a potential risk, you can go to the Guild offices or the University, and ask to see that exact EMP. You can then access that person’s information, for those of you who don’t understand how an EMP works and what kind of document that is. It is very different to something like a special consideration form, where you sign a declaration that the University cannot contact anyone that you are providing the information for on the document because of that privacy. An EMP is different from something like that.

Are there any other questions or clarifications on this motion?

Student 3 (S3): How long would a security audit take?

RO: That depends on the implementation, that is why it is not stipulated in the motion.

Taylor Home (TH): Is there a particular reason why, when an EMP is submitted, the fact that these are made public isn’t clear at the time? I wasn’t concerned about my own personal information because that is already available through my own club. I went through and double checked, and even where it says tick the terms and conditions, there is no direct link to any section, it doesn’t directly state this information can be made public or anything like that.

TG: It is probably more on the basis that when you sign up to run an event, as Megan pointed out, you become the public face to it. We wouldn’t, as you said, put it out there. It is more if a local community member has an issue with, say, a big event which has gotten a noise complaint, in order to make that complaint they need to have access to that organisation. Most clubs that are affiliated to the Guild can still use the Guild, but at the end of the day, are still separate entities. Remember, when you become an office bearer, you are taking on a legal position within the organisation. You put yourself to that event, you are legally the person who has to take responsibility. Guild actually doesn’t take responsibility for the event, we mediate them. That’s what makes UWA such a great location, all these clubs and societies get involved and create their own events. It is down to the people themselves who actually put on the event, and it’s down to them to take responsibility. The Guild assists in those particular areas and makes sure there is training and stuff like that. I think that there is a necessity for that to be public. The University is in the same boat. They have to be able to supply the information as well, if requested.

TH: Just to clarify, I mean, for example, not everyone who submits an EMP is an office bearer, they have not signed that Executive Registration Form or anything. Sorry, I will leave it there [for debate section].

ML: I think that is more substantive debate and I think why we’re having this discussion is to say, make [the implications of an EMP] clearer. Realistically though, if you are running a public event you are the public contact person for that event, regardless of whether or not your office bearer status is executive or on the Executive Registration Form. If you are uncomfortable with that, you may need to look internally at your club for who is responsible for EMPs. That is something we can discuss further, moving into debate.

Are there any other questions or clarifications? Be conscious of time, we have two motions to get through.

Student 4 (S4): On the nature of the breach, what is the likelihood?

RO: The likelihood is almost certain. If anyone went to that page wanting to get that data, it is literally downloaded to your computer, if you choose to save the page. With vulnerabilities like this anyone who visits the page is a potential attacker, while other exploits require more sophisticated attacks.

ML: I will close questions and move into substantial debate. I will call for speakers for the motion, seeing none. Speakers against the motion? Seeing none. Alright, groovy.

[Repeating the motion] The UWA Student Guild will immediately conduct a security audit of the website uwastudentguild.com, and will prepare a report for submission at any Ordinary General Meeting.

RO: I would like to say that, it is true that if you run an event, you take responsibility for that, but there is a difference between “your information is made public for everyone” and “you have a procedure by which it is made public.” Also it is true anyone can request *indecipherable* but the big difference between that and a [website issue], it’s all about a question of reasonable accessibility.

ML: Groovy, now we can move to a vote on this motion. The way that this goes is abiding by standing orders only those of you with a slip can vote, and we will call for all those against or abstaining. And all those in favour? All those against? All those abstaining?

Jacob Fowler (JF): In the interest of time, we have 19 minutes of 40 minutes and I would like to vote on these motions. I would like to move a procedural motion to have them en bloc.

ML: Okay, they were not posted, but I will read them out.

Motion 3.2: The UWA Student Guild establishes a process for properly dealing with security vulnerabilities.

Motion 3.3: The UWA Student Guild will establish a cybersecurity policy so that internet services hosted by the UWA Student Guild are reviewed on a regular basis, and the UWA Student Guild complies with the Privacy Act of 1988 and other relevant regulations and laws.

Motion 3.4: The UWA Student Guild will, where possible, contact affected members to inform them that their personal information may be compromised when a data breach or security vulnerability is discovered.

All moved and seconded by Ryan and Chris [respectively]. That was a procedural to hear 3.2, 3.3, and 3.4 all en bloc. Unless there are changes, for an OGM, it should be a simple majority, and you cannot abstain on a procedural, it is for or against. To hear 3.2, 3 and 4 en bloc, all those in favour? And all those against? Groovy. Now we call for the mover Ryan Oakley to take the floor.

RO: I will keep this short. The way that the security vulnerability was handled was messy, *indecipherable* and then there was a lot of general misinformation. The Guild did not take their website down. *Indecipherable* it should be part of the ordinary operation of the Guild to check their website is secure. There are other vulnerabilities in that website, for instance, the version of Apache Webserver the site is on is out of date. Finally, of course, there is contacting students to let them know their data was breached. Obviously every major company does this, not just because they are nice people, but because if you breach your privacy policy like the Guild did, you have to inform the people that you breached the privacy policy – “hey, your information is out there, take whatever precautions you like.”