Stuff that’s been on our minds...

Karmabunny Blog

Web Tales, Episode 1: web privacy and online user authentication

Web Tales: web design & development, a small agency perspective podcast

This week on episode 1 the Karmabunny crew chat about:

The questionable usability of a popular ecommerce navigation pattern, Josh's favourite new feature in Android Lollipop and what Jana thinks of her early Google Inbox experiences.

In our big topic we discuss:

  • Darren's unfortunate brush with identity theft
  • Changes to the Australian Privacy Act that came into play earlier this year
  • The current state of user authentication methods

The Chat

The Pre-amble

Darren: Welcome to Tales from the Warren, Episode 1: Web Design and development, a small agency perspective. My name is Darren. I am, I guess, the boss of this small agency who does website design and development.

What we aim to do with this podcast is to discuss, I suppose, the everyday goings-on running a small web design agency. Everything from design, to code, to client relationships. Everything that just occurs to us that we find interesting, and we hope that folks out there find interesting, too.

Let me just introduce everyone. Again, I'm Darren. And-

Jamie: I'm Jamie, I'm a programmer and a project manager.

Jana: I'm Jana, I'm a front-end designer and developer.

Josh: And I'm Josh, a programmer.

Darren: And this part of Karmabunny that you're listening to now are pretty much the vocal part of Karmabunny. The only ones willing to get on-air, as such. There are others, and they may appear every now and again, but we'll have to crank the mic sensitivity up a lot so that you can hear them.

Josh: They're the strong, silent type.

Darren: I don't know about strong silent type, but they're certainly the silent type. But they're certainly invaluable in the Karmabunny organization. I don't want to diminish their importance, but in terms of-

Josh: Just too focused on HTML and CSS.

Darren: That's right. In terms of their willingness to communicate with the outside world, that is where they're somewhat lacking, I suppose. But you know-

Jana: Lack of enthusiasm.

Darren: To each his own. Because, you know, perhaps we're, you know, extroverts.

Josh: Perhaps.

Darren: Not necessarily. All right, so, how's your week so far, guys? Anything, anyone have any comments that they're excited about, about what's happened so far this week?

Jamie: Interestingly enough, just preparing for this podcast, and fiddling around trying to make some 8-bit music. I've developed quite an astonishing appreciation for what the composers were doing at the '80s and '90s game development era. Because-

Darren: Yeah, it's great, isn't it?

Jamie: It's astonishingly difficult to use such limited resources and come up with something that sounds [00:02:00] as good as it did.

Darren: Yeah. Yeah. 8-bit music's awesome. IGN occasionally have an 8-bit radio thing. They'll play a whole bunch from old games. And when you listen to it, the layers, and how much stuff is going on, it's just [flooring 00:02:14] It's awesome.

Jamie: Yeah. You've got nothing to work with. Absolutely nothing. The creativity's astonishing.

Darren: Yeah, yeah. Fantastic.

Jana: Well, it's great for podcasts. But I found this amazing social media chart, which you can find at It's just hundreds and hundreds--it's way more than you would ever expect. And it talks about the various types of conversation, or learning, or this sort of thing. It's really interesting, sort of-

Darren: It's like, all the different types of social media you can possibly get into.

Jana: Yeah. And sort of the breakdown of what they're good for--I mean, you know, it even covers things like Wikipedia, and Wikia, and Flickr, and ... You know, obviously, the obvious ones like Facebook and Twitter.

It's really interesting, the different breakdowns, and the uses that each of them have.

Darren: That's making you excited right now?

Jana: Well, it's, it's an interesting-

Darren: I'm looking at that, and that just terrifies me.

Jana: Yeah, well the, yeah. That's the excitement-slash-terror.

Josh: Well, it's not as exciting as what I did on the weekend.

Darren: Which is?

Josh: Move a lot of soil.

Darren: Soil?

Josh: Soil.

Darren: Oh. How much soil are we talking?

Josh: Lots of soil.

Darren: Are we talking-

Josh: A small mountain.

Darren: A tiny mountain?

Josh: Yes.

Darren: A hill.

Josh: A small hill.

Darren: Oh. Given that you live in the hills. I know there's lots of hills around. You didn't remove a hill altogether, did you?

Josh: No, we just moved the hill.

Darren: Okay. Why?

Jamie: Yeah. An [entire time 00:03:36]

Josh: We wanted to flatten the carport so we can pave.

Darren: Hmm. And that involved moving a hill.

Josh: It did. Because the house is on a hill.

Darren: Wow.

Josh: Yeah.

Darren: And how's your physique? How's your body, how're you holding up?

Josh: It's not handling it very well.

Darren: So it'd be like, a couple of days since that?

Josh: Yes, it is.

Jana: Yes. Prime pain time.

Darren: They say two days, two days after that is when you feel it, they say.

Josh: Yeah, I was pretty sore yesterday. I might be [00:04:00] past that today, but there could be a second wind of pain.

Darren: Yeah, okay. This could be getting into, you know, boredom time for our listeners. So let's-

Josh: It's true.

Darren: Given that we may have some one day. So let's move on to-

Josh: The news.

The News

Accordion and tab design

Darren: Well, I've got a couple things. There was an article I read about form usability that was an excellent article, an excellent read. It was on a blog called*. And I'll, we'll put a link in the notes. And it's, basically discusses the pitfalls of, I guess, assumptions that can be made when you use tabs, or inline accordions, especially for ecommerce sites.

It sort of, I think a lot of the time we see things like inline accordions, which is where you might have an ecommerce process. Start at the top, little accordion collapses, opens up the next panel. Little accordion collapses, opens up the next panel. And then you might have a similar process with tabs, where you start at tab one, go to tab two, et cetera.

But there was a lot of--in the testing there's a lot of confusion from users about what was actually happening when they hit save. Was it saving all steps in the accordion? Was it saving all steps in the tabs? Or was it just saving that step? There was a lot of, I guess, people who weren't quite sure what was happening in the process, were continually clicking back and forth, just to check to see if their first part was still there and saved.

So yeah, it's interesting. I guess that I, personally, had always assumed that that was a really cool way of going, and that it felt really intuitive. But I suppose like anything, it comes back to what sort of feedback you're giving the user, as to whether they understand the process.

Jana: Well, I've definitely felt that confusion. That, oh, if I do this, is that going to save everything or not? And that's-

Josh: Can I safely click on another tab? Can I ...

Jana: Yeah. The tab thing is--because often you think that it will save, [00:06:00] and then it doesn't. And you're just like, oh my God. It's really painful.

Jamie: It's also a bit of a bother. I mean, I'm slightly OCD when I'm putting in my payment details. I get to one step, and I think, oh, did I put that in right? So I'll go back and make sure I've put the right card details in, or it's been approved properly, occasionally.

With things like accordions, and whatever, you lose the whole payment process. You go back to the start, you just can't do it. And I know certainly, a lot of people I know are probably more OCD when it comes to payments than I am, and create a lot of problems in the inability to go back and just see the basic step before.

Darren: Well, it did actually remind me--it's a different process altogether from buying. But within our CMS we have, often, modules with multiple tabs.

Josh: Yeah, for the settings and stuff.

Darren: And we've got that issue where, essentially, they're all just tabs behind JavaScript. And if you make changes within three tabs and then hit save, it saves all the changes that you've made, within all three of those tabs.

But I'm not sure, in retrospect, whether that's actually a very-

Josh: Whether our clients know that.

Darren: Yeah. Whether that's actually unintuitive, or whether people actually understand. I know that we've had clients that have called me up saying, “it keeps on saying that I've got some invalid data in this form after I've hit save...” And they don't realise that the invalid data is on a tab that they don't have open at that point. Because each, you know, each tab has a separate set of fields. It does make me think that we need to maybe reconsider how we're using those tabs.

I think one thing that I think probably makes sense from a user perspective, in a step-through process, is to make it clear that it is a step-through process. Like, there is step one, tick, that is done. Step two, tick, that is done. And so when you're hitting save, you're essentially signing off that part of the process.

I sort of feel like, maybe, if you had a tabbed interface, or an inline accordion interface, [00:08:00] maybe that would be the best approach, to make it really clear that, you know, you've completed that step.

Josh: Of course, the clearest way to indicate that step one was finished and step two started is page reload.

Darren: Yeah, page reload, because-

Josh: Half a second of white screen indicates something has happened.

Darren: Yeah. Well, front-end developers hate page reloads because they're sort of ugly. But sometimes that is the best way to make people understand.

Josh: That's a clear message.

Jana: But even like, to go back to the tabs example, is like--you think, oh, okay. So just having one save button is best, it's less clicks. But really, if you just had a save for each tab, and it saved that particular data at the time, then that's also-

Darren: That feels clunky from a design standpoint, to have multiple save buttons for each. Like, you know, it's not that they'll always be on the screen at the same time, but--rather than having just one beautiful save button that's always in the one location.

Jana: Yeah.

Darren: But it probably is the most intuitive process.

Jana: Yeah, yeah. Because it's obvious. It's like, oh okay. So this save button is inside this tab. That's for this tab.

Darren: I guess it just comes back to one of those things where you see something cool, it feels nice to use, but perhaps you're making an assumption that everybody--because you're a user interface designer, and you see it, it doesn't mean necessarily that everybody is going to think it's [the right process 00:09:15]

Josh: And something like that, CMS, you might want to change the content of three different tabs at once, and have them all save at the same time, because the changes are all sort of, you need them all to publish at once, instead of publishing ...

Jana: Well the, the article that you showed us was--it talks about, you know, going through the page process, of having extra pages, as opposed to the accordion stuff. And it sort of reminded me, there's a psychology website called You Are Not So Smart*, and there was a study on the sunken cost fallacy.

Which, basically, the misconception is that you make rational decisions based on future value of objects and experiences. The truth is that [00:10:00] your decisions are tainted by emotional investments. And the more you invest in something, the harder it becomes to abandon it.

So once you've filled in that email address and name-

Darren: You're in.

Jana: You're--and you hit next. And you're like, oh, well, I just spent that couple of seconds doing that. I might as well just do that extra little bit. And then hit next, and it's like, oh, I just spent those twenty seconds filling out those other bits. So I might as well just do this-

Darren: So now I'm furthering.

Jana: I'm furthering. I might as well just do this last bit. Whereas if you get this big overwhelming form right at the start, then you'll be like, ugh, too hard. And just, like-

Darren: Yeah. It's an interesting one, but-

Jamie: I think one of the other things with tabs and accordions is, wherever you see them on the web in a general context, they're used to display lots of content in one place that you can switch cleanly between. It's open this, open that. You go from one to the other.

And then to use them on a process that is staged is forcing you from A to B, in an order.

Josh: Instead of free opening.

Jamie: Well, that's not how they behave in general implementation anywhere else. That in itself is probably a little confusing for-

Darren: Yeah, that's right. We definitely have used tabs as a user interface element to give people freedom to look at whatever is most relevant to them. And then suddenly we're saying, well, in this case, the tabs are to take a very specific, linear path. And yeah, I can certainly make a--it's quite counter to how tabs are often used.

All right, let's move on. Josh, do you want to talk about twelve of the best new features in Android? And before you do, let's just-

Android Lollipop

Josh: Android Lollipop.

Darren: Android Lollipop, rather. That has just recently come out. And before you do, I'll just say that I am device agnostic, in the sense that I am not tied to any one brand. I now own, as well as a Mac, iMac, and an iPhone, I now own a Windows Surface Pro 3, which I think is a really cool device, and very good for me.

Josh: It is.

Darren: So I am not like, although I love Apple products, I am open to all products. I embrace [00:12:00] all products.

Josh: Well, I think your next phone should be a Galaxy S, personally. That's just my opinion.

Darren: Yes. Well, I do like Android phones, and I'm totally open to an Android phone as my next one. So tell me, is there any significant new features in Android Lollipop?

Josh: They changed [even 00:12:13] notification stuff, that I read about. You can interact with notifications from the lockscreen, and stuff.

This is a good one. Pin apps. If you've got a two-year-old that you want to give, like, a drawing app, she'll keep accidentally closing it, or she'll keep accidentally--she'll accidentally close it, and then she'll make a phone call to someone, like-

Jana: Or she'll do it on purpose.

Josh: Inevitably it'll be your sister that lives in London. You can press a little button, and then the app gets locked, and you can't close it without a code, or something. That's kind of cool.

Darren: So it's like a child-safe thing.

Jana: I did look in there, as well. They had a new, a guest mode. So you can-

Josh: Yeah, that sounds interesting.

Jana: Yeah, it's like, it probably would take a bit to set up, which makes it not so quick. But it's interesting that you could, you know, set it up so you could just hand it over to somebody to borrow without accessing stuff.

Josh: From what I read, you press a--because the tablets all support multiple users, now. So from what I've read, on phones and on tablets, you can now go into guest mode. And then your Gmail and everything gets wiped when you cancel out of guest mode. All of the settings and everything that you might have set up.

Jana: Yeah, cool.

Josh: Like all of your browser history and all of that crap.

Jana: I'm just very particular about my settings and various things, so I'd be going in there and checking what they can do, what they can't do.

Josh: It's pretty desktop computer-ish, isn't it?

Jana: It is a bit. It's interesting.

Josh: It's like, hey, do you need to borrow my phone to check your email? I'll just put it into guest mode for you.

Jana: Yeah. Well, you know, as developers here, it's something we often do. It's like, oh, can I borrow your--because I've got an iPhone. Can we borrow your Android phone to [00:14:00] do whatever.

Josh: Well, if I borrow someone's phone to internet banks or something, I always go into, like, incognito mode. So it's like that, but the person who owns the phone has the control, instead of the person borrowing the phone, so that's kind of cool.

Darren: I do feel like Android needs, like, a new face.

Jana: So ugly.

Darren: I feel like I pick up so many phones now, and it just--they always look the same. Is there discussion about a new design at all, for Android? In this Lollipop rollout?

Josh: Well, they redid it a bit in Android 4. But I think there is talk of more redo. There was a video on this document, uh, on this blog post. What is it? It's called Material Design, or something. I'm not into design that much, so I don't know-

Darren: Google are getting a lot more into design, was another article that I read about. And Inbox is a good example of this.

Jana: It's really nice.

Google Inbox

Darren: Which maybe is a good chance to segue into that. Jana, you have started using Inbox.

Jana: I have, I have. It is-

Darren: Google's remarkable new way to manage email

Darren: Well, it's a big deal, and people are very excited about it. So how's your experience been?

Jana: I'm still getting used to it. It's a different way of, a different way of looking at your email.

Previously I used to use Mailbox, which I loved. But it was sort of lacking, because it was--the only way I could access it was on my phone. They've--you know, they came out recently with a beta Mac app, which is cool. But at the same time, I couldn't ever just be at work, and check it on my work computer.

Darren: Yeah, that turned me off Mailbox, as well.

Jana: But the snoozing aspect of it I really loved. Because there's so many times where I'm like, I don't have time right now. I'll flick it off. And so, Google has quite blatantly stolen that feature. I feel kind of bad for Mailbox. But, um ... too bad. [00:16:00] And they've also got-

Josh: If Mailbox wanted the market, they just had to take it.

Jana: Well, and you know, I think they've had funding from Dropbox, so it's not like they didn't have any funding, or anything.

But yeah, it's been, it's been really good. It bundles everything together, which is--it's really nice for all the newsletters and stuff. And you can kind of--whilst it bundles it together, it still kind of ... you get a list of the kind of, the From addresses in that bundle. So you can kind of see, before you open it, what's in there. And so you can kind of tell, okay, these are literally just newsletters.

It'll take a little bit of training, but so far it's been really spot-on with what it bundles, and-

Darren: So for those that haven't used it, a bundle is a way of kind of almost auto-classifying an email as it comes in.

Jana: Yeah.

Darren: And it pops up, like-

Josh: Is that what-

Darren: You might have a bundle for travel, or you might have a bundle for promotions, or you might have a bundle for ...

Jana: Yeah. Although I think it-

Josh: It's the same logic as spam filtering, isn't it? Where you mark and unmark stuff, and that goes into [inaudible 00:17:07]

Darren: But even out of the box it does have some smarts.

Jana: It does. And I think that actually, probably that its strength would be to leave it as fairly, like, a small amount of bundles. Because otherwise it's just like, if you're going to have twenty different bundle names, then what's the point? You might as well just have everything in your--you know, singularly, in your inbox.

Josh: Big question I've got.

Jana: Yes?

Josh: Does the traditional Gmail app and web app continue to work?

Jana: Yes, it does.

Josh: Oh.

Jana: So, yay.

Josh: [inaudible 00:17:37]

Darren: Also, you can choose to do the same email between Inbox or your Gmail.

Jana: Yeah. Well, if you go, it's Inbox. And if you go to, it's Gmail.

Darren: So given--you know, because you have had to receive the email that I receive if I go away for a day or something, right?

Jana: Yeah.

Darren: So you know how tied to my email I am. Would it be something [00:18:00] that you would suggest that I use for my work email? Would it actually help me get work done, given how much email I get?

I mean, I--I guess I do like the idea of the, not just the bundling, but the being able to snooze an email-

Jana: The snoozing is so important.

Darren: That is pretty good. Because I know that I'll get something, and I'll go, yeah, yeah, I have to not forget to do that, but I can't do it right now.

Jana: Yeah. Yeah. I would def--yeah. For that feature alone. And you don't have to bundle things, either. I'm just trying to see how it works out for me.

It's actually kind of--it's kind of strangely freeing. Because with Mailbox, I've got an unread thing of like, ninety emails or something. Or seventy. And Inbox--I'm not even, at the moment--for the iOS app, this is. I'm not even sure what it is, but it says I've only got one. I'm assuming that that's the reminder that I was playing with.

Because the other thing is, they've got reminders. That's being, that's cool. But I guess I wish it was kind of a little bit more integrated with the phone. Like I could--the reminder would, I'd get a push reminder, or whatever. And the phone would start, like, go off. And it would-

Because I have another app called Due, which I use for reminders, funnily enough. It's got a snoozing function on that which works really great. But it's, it's quick and easy to do. Whereas the reminders one is just kind of like, it's a little bit more cumbersome.

Darren: I'm sure it's perfect on Android.

Jana: No, you can do whatever you want now with these things. But anyway-

Jamie: How does a bundling on that differ from what Gmail already offers with the auto-tabs that it's brought in?

Jana: Well, yeah. So it's-

Josh: Oh, I hate those. Disabled them.

Jana: Yeah, I disabled those instantly, too, with old Gmail. But what it does is, they're still in your inbox. And you kind of expand them and contract them. It's sort of, it's also sort of a bit by date. So they're not really--they're not kind of hidden, they're just kind of squished together.

Darren: So same concept, but a better [00:20:00] user interface.

Jana: Yeah, yeah. Same concept, but better implementation.

Darren: All right. Well, this is obviously not a review of Inbox. There's plenty of websites out there that you can go to go get very detailed reviews of that new application. But anything that, really, you know-

Jana: The design is really nice.

Darren: I'm very interested in anything that makes email not such a chore, because I'm-

Josh: We could redirect it all to dev/null, and solve all your problems.

Darren: Thank you, Josh, that's very good.

Jamie: That'd be great for business.

Darren: All right. Well, now we're going to move on to the main part of the podcast today, which--although, that did take longer than I had expected, I must admit. But, you know-

Jamie: Considerably.

Darren: Some interesting topics there.

Josh: Our zero listeners will really be annoyed.

Darren: Yeah, that's right, yeah. Okay, we're going to move on to the main part of our podcast now.

Main Topic

Darren's identity theft

Okay. So I guess this next part--and this, I guess this first topic, is very immediate for me, because as you all witnessed a couple of weeks ago, I went through something that was pretty stressful. That was, I guess you'd describe it as a form of identity theft, where I received a phone call from my bank, who informed me that someone managed to successfully pose as me and essentially gain access to my bank accounts, and transfer money out, et cetera.

It was a case of, by the looks of it, being able to garner information off the web, and a bit of social engineering, and perhaps a bit of theft of bank statements. We still don't know where those bank statements got stolen from, or how they got the information. They seemed to have enough to convince the bank that they were me.

So that was all a bit stressful. You guys all saw me go through that. And that's--what struck you guys about that whole--was it a surprise to you about how it happened, how easy they were able to get through the bank? I mean, was there anything about that whole [00:22:00] incident that struck you, while it was going on?

Jana: Well, I've had my card details stolen, and my card used for online purchases, a couple of times. So to be honest, I'm just kind of like, uh ... and you know-

Darren: Just another one of those.

Jana: Yeah. And the bank gives you all your money back, so, that, you know. You're not out-of-pocket, at least.

Darren: That's true. For those--that's not in every country. But Australia, we are lucky that ...

Josh: Credit cards are nuts as well, from a security standpoint. Like ... no, from an insecurity standpoint, I should say. You can buy, apparently, card numbers on the net for--a thousand a time--for only, like, $20, or something.

Darren: Active card numbers?

Josh: Yeah, they're cheap. And [then 00:22:41] Twitter [handles 00:22:42]

Darren: It's crazy.

Josh: It's mental.

Jamie: Yeah. It's happened to me a couple of times, as well. And I think my first reaction was probably, you know, a bit of surprise that I haven't seen it more regularly, considering how easy it does seem to be.

Darren: Well, this felt to me different to me-

Josh: This is different.

Jana: This is definitely different.

Darren: A fraudulent credit card transaction. I've had that before, as well. But I think because someone, just the thought of someone actually thinking about me and my life, and what they need to learn about me to sort of, like, fool a bank. It was like, really scary.

And the fact that they had enough information to--they could walk into a department store now and get an in-store credit card with the information that they now own, in their, in their ... you know.

So that's all very scary. So I guess the steps that I took, you know, were fairly obvious. But one of the ones that I hadn't considered doing before was a credit check monitoring system. That is a mob that will actually monitor now, when someone tries to apply for a loan in my name, or using my phone number, or using my email address, or anything. Any details about me. I'll get alerted if someone's going, you know, trying to get an in-store credit card account, for example. Or some finance on a car, or whatever.

And so that's, I feel ... Since I've done that, I feel [00:24:00] a little bit better and more comfortable about the whole situation. Because that's the scariest thing. Your credit is so important in your life, you know? So that stuff feels to be under control, now.

Jana: You'd be kind of silly to do that, though. Because it would--if you get busted, it would be really obvious who you are.

Darren: It'd be silly for these people to try?

Jana: To try. Well, not try that so much as try and get a car. A car loan, in your name.

Darren: Yeah, but this is what happens. I mean ... not, not--but something like an in-store credit card, for example. You could go into David Jones, you can get one of those in like, ten minutes, fifteen minutes, pretty much, if you've got the right information.

Josh: And you've only got to buy a few-

Darren: And then you just buy a bunch of stuff and leave. And what are they--are they taking a photo of you? Probably not. I mean, they don't really know anything about you other than the details that you've given.

Anyway, that was-

Josh: And you're [not even 00:24:49] going to buy $500 worth of stuff at Harvey Norman, or whatever. I mean-

Darren: Yeah.

Jamie: You'd be on CCTV, but how often do these things get pursued to that extent?

Darren: Yeah, that's right. That's right.

Jamie: If you can keep low enough amounts that no one's going to chase it up too much, like, the cops don't care about $500.

Darren: Ah, yes. So that's probably the other interesting aspect of this whole experience, was that the banks would not play back the audio of the guy, or gal, who--I imagine it was a guy who fooled them, that they were me. Would not tell me the specific questions that they were able to answer. And when I contacted the police, they were not really that interested in following it up, either.

There seems to be a real lack of transparency from banks, and a real lack of understanding from local police about what the hell to do about such a thing. So that was all a bit scary as well, given that it's a really big, I would have thought, part of the current crime scene.

If you haven't listened to it, or I'm sure there's transcriptions of it, Chris Coyier--what's the podcast that Chris Coyier does?

Jana: Um ... Oh, I keep thinking it's CSS Tricks*, but it's not CSS Tricks. Uh, ShopTalk.

Darren: ShopTalk. There's a really remarkable podcast* where he interviews, [00:26:00] essentially, a social engineer--hacker--who stole his identity at one point and messed about with his life in a major way.

It's a fascinating interview. I don't know if you guys have listened to this at all, but I know Jana and I have. Really, really interesting discussion with this person about what their motivations are, how they go about doing stuff, how easy it is to get through your stuff. So that's, that's both a really fascinating podcast, but also a very scary one.

Well, this led me on to, just thinking about some other privacy and user authentication sort of topics that we might just quickly discuss.


In Australia there was, in March of this year, changes to the privacy act*. A lot of our clients sort of scrambled to update their privacy policies. And I thought it might be worth mentioning now what those changes basically involved. My web developers probably should be aware of them, so they can advise their clients.

It's nothing, it's nothing really major in terms of groundbreaking laws, or anything. But the problem is, if you don't follow them, a company can face fines of up to $1.7 million. And other entities, like sole traders can face fines of, like, $340 grand. So it's pretty important that, I guess, businesses do have their privacy policies in order.

The changes to the privacy act revolve around how businesses handle, use, and store, you know, privacy data, people's personal information. So that's no surprise. It really only affects you, the actual changes, in one of two cases. One, if you handle personal information, and you generate more than $3 million. And the second one is if you are under $3 million in turnover, but you are, quote-unquote, trading in personal information. [00:28:00]

Trading in personal information essentially means, do you share the personal data in any way with any third party whatsoever? Now, that doesn't mean you're selling their personal data. But you might, for example, take a database of personal data that you've collected, and give it to a marketing agency for them to do some direct marketing on your behalf, back to your client that you got, personally-

Josh: Or will take it to a mail list.

Darren: Yep. There's, there's-

Jana: MailChimp.

Josh: MailChimp.

Darren: No, I don't believe that that is an instance. I guess what people need to be doing is--like, using a tool, like MailChimp*, to correspond with people who have opted in to receive correspondence from you, does not come into the privacy act. Or the changes to the privacy act. It's if you provide it to a third-party organization, who-


Darren: Yeah, that's right. Who can then develop marketing campaigns and correspond with those users on your behalf.

Jamie: Does that apply only to personal information? Or is it sort of metadata, cookies, that sort of thing, that you can pass around from a user's activity?

Darren: I believe it's any information that you might have from that person. Yeah, it's ... the wording is not necessarily--it is a little oblique, in parts, that act. But I guess-

Jana: That's probably intentional.

Darren: Yeah, probably intentional. But I guess the bottom line is, it doesn't really matter what you're doing, in a way, as long as you tell people you're doing it. That's really what the privacy act, and what these changes, are all about. It's not going to--it's not something where you'll get fined because you're doing this. You'll get fined because you're doing it and not telling people about it.

Jana: Telling people. Yeah.

Darren: So I guess what you need to do is--first of all, if you're a business out there, and you are collecting people's personal information anyway, then you need to do a bit of an audit about that. What exactly are you collecting, how you're collecting it, what you're doing with it, and why [00:30:00] you're doing that with it. Literally, they do want--they do want to see, as part of these changes, for you to say, we're doing--you know, we're sharing your information with a third-party marketing agency, so that we can direct-market to you. They really do want you to be specific if you can.

Jana: So would we count as that? If that makes sense?

Darren: And also--so the last part is how you're securing that data, as well. So all those aspects, if you can, you should try and include in your current privacy policy. Now what was your question, Jans?

Jana: Oh, just so--say, for example, you're setting up a member's thing on your new website, and you hand it over to your web developers.

Josh: You hand the database to us, then we're a third party to that [sampress 00:30:42]

Darren: Yeah, that's interesting, isn't it? I mean, we just went through an issue with a company where we had to really proceduralize up the yin-yang to prove that we weren't doing anything dodgy with the member data. Just because they wanted to know, when they handed it over, how we were going to-

Jana: Look after it.

Darren: Store it on our servers, and stuff like that. So yeah, I mean ... that's difficult. Because a privacy policy on a website is generally related to what you're doing with data in relation to that website.

Jana: Website, yeah.

Darren: Whereas in that instance, that particular instance, that was--that was a business asking us to build a tool that they could use to communicate with their database of members. Who had not all come through the website, they were from all sorts of different locales.

It was actually just a set of forms that they could visit after being corresponded with by mail, and all sorts of different [customer experience 00:31:40]

Josh: But if we had access to that data after the site's launched on the production server, then that would count as third-party access to it.

Darren: We have access to the data. Yeah, this is where it becomes very-

Josh: Via an admin control panel, or-

Darren: This is where it becomes just massively gray for me. Because of course we have access. We could log in, and-

Jana: We built the website.

Darren: We built the application.

Josh: Well, there's no-

Jana: On which the [00:32:00] policy that you're reading is posted.

Josh: There's nothing that says that we do have access. We could build permission systems that deny us access.

Darren: Prevent us. But that doesn't happen very often, let's face it, you know-

Josh: Because they'll, they'll call up, oh, we need to deal with X, Y, Z. Like, okay, let me--oh, I can't look at any of that. Can't help you.

Darren: No, it's still--even though I've read it, about it, and read about it a lot, there are still areas like this that feel gray to me. But I suppose in the end, all that they're hoping to achieve is just a greater level of transparency.

If you're a business--I don't believe, if one of these gray areas that we're talking about, a business doesn't mention that in their privacy policy, I don't think that's what you're going to get fined for, you know? One of these things, well, I used MailChimp to send mail, but is that a third party?

I think that's very gray, and--or you know, my web developer does have access.

Josh: You don't even have to mention the party names, actually. You just say third parties.

Darren: Oh yeah, I don't think you need to mention the party names.

Josh: So just write your privacy policy to mention that.

Darren: Yeah. So anyway, that's an overview. And it is a, it is, has become a bit of a hot topic, in Australia at least, for the last six months or so. And I know that as a web developer I was a bit slow on the uptake reading that, actually, so that I can advise clients on what they should and shouldn't do.

But really, it's not that complicated. Just be as open and transparent--do a bit of an audit, and away you go.

It did lead me to just have a quick think about some of the other things that are happening, in the technology space. And in our world, with regards to user security, and user detail security. I guess that, for me, always comes back to passwords, and how passwords are managed, and how authentication's managed.


User authentication chat


I guess some of the changes that have come up is, [00:34:00] big technology like Apple are really, I guess, leading the way with some of that stuff. And trying to do different things, which is cool. What do we all think of the fingerprint authentication that Apple started to use?

Jana: I really want to upgrade my phone just for that.

Darren: Yeah, you think? You're sold on that?

Josh: You could get a Samsung Galaxy S4.

Jana: Every--everything else I'm kind of like, eh, but ... No, but I hate Android. And I have an Android tablet, so I, I can, yeah.

Jamie: It's interesting, though, because IBM brought this technology out in the ThinkPads and the corporate devices ten years ago, and-

Josh: Twenty years ago.

Jamie: Nobody, nobody--it was a nice gimmick, and people bought into it, at first. But then nobody really used it. I mean, in a previous employment I had a fingerprint computer. It was really easy to do that, but you never did, you know? Once the novelty wore off. I wonder if it's going to be the same again, this time, or will it just-

Jana: But it, it's so well implemented into, like, into the phone now. I don't know about the other disasters. But I've tried to use somebody else's laptop when it had the scanner, it was like you had to slide your finger, and it was just really painful to use. Whereas, like, I've seen my mom and my partner. They just, like, hold their thumb there for like, not even a millisecond, and it's open.

Darren: My understanding of what sets the Apple one apart is that it's built into the OS, whereas those other implementations of it wasn't built into the OS. And that enables them to store it locally on the device, store all the decryption methods locally on the device. So it's not living in a cloud, or in, on Apple servers.

Josh: The ThinkPad one-

Darren: Or anything like that, is my understanding of what makes the Apple one a little bit, maybe, better. What were you going to say, Joshy?

Josh: Oh, the ThinkPad one, the actual--on those old laptops, [ancient 00:35:41] Used to do the storage of the fingerprint data was in a chip that was, like, a hardware chip on the thing. So it wasn't actually stored on the hard drive of the computer, the fingerprint data. It was stored on the laptop itself.

Darren: Well, that's how I believe the Apple one explains it, as well. But I, [00:36:00] it's funny that-

Josh: Yeah. I think more of it is the fact that the Apple thing, they’ve provided an API to developers, and stuff-

Darren: That's right.

Josh: But they off--like, that--it's a lot. Because it's on all of those, what is, the iPhone 5, or 6, or whatever one?

Jana: Uh, yeah. 5S, or whatever it is.

Josh: 5S, or whatever. So if you're running an app that hits, that's targeting the 5S, you can say to yourself, hey, we could use fingerprint scanning. Because they know it's got it. But on these older laptops, most didn't have it. So no one would write software that targeted it.

Jana: So you could only use it to open your computer, unlock.

Josh: Yeah, you could only use it to unlock your computer. So now they've opened up this opportunity to use it for payment authentication, or on any card of a number of different types of all--that people might want to use.

Darren: Yeah. Is this going to result in, like, you know, people lopping people's thumbs off so that they can break into their accounts and stuff like that? Is this where we're heading?

Jana: Yeah, but that--that doesn't work.

Josh: Well, there's cheaper and easier ways than that, anyway. You can get a mob to-

Darren: Well actually, there was a mob in Germany, the Chaos Computer Club, who did hack this.

Josh: Yeah, models and stuff.

Darren: But apparently yeah, no, it's epically difficult to do. But they did it, and they were all proud of themselves.

Josh: It's less epic than chopping off a thumb.

Jamie: I'm going to assume that when that data's stored on the device as well, it can't just be retrieved by [road apps 00:37:12]

Josh: No, that's, it'd be--it'd be stored encrypted. And then like, it's like a separate little CPU on the thing. And a message goes to it saying, do you authenticate, and it says yes or no, sort of thing.

Jamie: Okay.

Josh: So the actual authentication and decryption's happening separate from the rest of the-

Jamie: It's more like a chip and PIN system in the phone.

Josh: Yeah.

Darren: What about other levels of authentication? I mean, obviously most web applications have password. Is there any two-factor auth that you guys have ever seen, or that you like?

Jana: I use Google Authenticate on my phone. Two-factor.

Darren: Yep. Google are obviously bringing that in, with the mobile phone.

Jana: Yeah. Like the--you know, going back to the sort of, personal security stuff, there was that Wired journalist who [00:38:00] had his--all his devices wiped, basically, so that someone could steal his Twitter handle, and he couldn’t get it back. And he lost, like, a year's worth of his child's photos and all this sort of-

Darren: Yeah. Yeah, it was horrible.

Jana: Yeah, and he basically said that--well, he, you know. He blamed the lack of security on the company's side. But he also said, if he'd had Google Authenticate, it wouldn’t have been a problem.

Josh: Or any two-factor authenticator, for that matter.

Jana: Any two-factor authenticator for his email. But his email was Gmail, he didn't have Google Authenticate, and that meant that they could reset his password and get in.

Darren: So for those that are unclear about what we're talking about with two-factor authentication--that is, the facility to have one component which is, say, a password. But then that may trigger a second factor, such as sending an SMS saying hey, are you about to log in? And you go yes, that's me, and they go, okay.

Josh: Or an RSA [program 00:38:50]

Jana: So yeah, I have an app.

Darren: So yeah, that's the other one that I read about.* 00:38:54]. I mean, this is probably one of many. But yeah, it's like, location-specific. So you have an app on your phone. And as long as that phone is in the same locale as the device you're logging into, it then accepts that it is you. So-

Josh: That sounds like a terrible idea, though.

Darren: Well--well, no, no. It's a second factor. So you still have to have the password. So you log in with the password-

Josh: Yeah.

Darren: And then it goes, all right, well, you know the password, but is it you? And it checks your phone to see if it's basically you. If you're in the, within the location of the device you're logging into.

Josh: That's not really checking whether you're in the location.

Darren: Okay. Well, it means that someone has to steal your password, and steal your mobile phone.

Josh: Or steal your password and hack the location sensor on a device, to output that it's located wherever--to say, oh, this laptop's in Adelaide, I'm sure of it. As in, go through an Adelaide VPN.

Jamie: But it's still going to be more secure than-

Darren: Just a password.

Jamie: And a lot of two-factor, if you haven't set it up, it allows you to set it up on the fly as you go along. So you say, I want to [00:40:00] two-factor authenticate, I'll set it up now. Here is my phone number, let me authenticate with it.

I find that's a risk with the existing two-factor. Is if you don't have it set up, you can make it harder to get your account back. Because someone can set it up rogue, on the spot.

Jana: I've like ... well, I haven't lost my account. But I've forgotten my Gmail password once, because I changed it. And then because I've sort of logged into my phone and my computer, I forgot it. And God, that was so painful to reset it. It was mindblowingly painful, because of the two-factor stuff that I've set up so ...

Darren: Yeah. Yeah. I mean, I think it's, I think it's where we're all probably heading. Some kind of second factor around significant logins. Digits* is another one that's just come out, which is on the Twitter framework. And I think it's developed by Twitter, I think. And that's one where basically, you don't have a password. You just say, I want to log in. It sends you an SMS with the password for this session, you type it in, and away you go.

Again, that's--comes back to, you know, someone could steal your phone and do some damage there, I suppose. So yeah, a lot of those-

Josh: Or hack SMS, maybe.

Darren: Or hack SMS. I mean, would you really? That seems like a lot of effort, to hack SMS.

Josh: Well, it's a lot of effort now, but it wouldn't be a lot of effort if there's lots of people using these services.

Darren: That's right. That's the problem. As soon as you come up with a-

Josh: So there's RSA tokens that aren't internet-connected, and generate a code based on the current time and based on an algorithm. And then a server uses the same algorithm to generate a code. Because it's not internet connected, that's the best possible you can get for two-factor.

Darren: Yep. Yep.

Jamie: A lot of these things present other problems, as well. I mean, as someone who travels internationally quite a lot, for instance, I couldn't be getting text messages to validate this or that, and-

Darren: No, it's true.

Jamie: If I want to, you know, go visit my family and try and log into my email, then I've got a whole world of problems. Because I'm in a different country, it looks like I'm logging in from the wrong place. I've got no phone to authenticate it.

Darren: So what we're saying here is that while there's lots of people trying, no one's really nailed it.

Jamie: Yeah.

Darren: [00:42:00] Hmm. Well, there's a task. There's a challenge for everyone.

Jamie: And it's always the weak link in the chain, if you're sharing passwords. One crappy website.

Darren: I think there's a lot of people trying. Because there's a lot of money in this. If someone nails this process, and can patent it in some way, then there is going to be big dollars. And of course, a lot of happy people. Because I think we're all a bit concerned about it.

I guess the last thing to talk about and mention, that's happened in the last few weeks, is Apple Pay, and them incorporating that into their phones. Now, from--my understanding is, that's, uses NFC? A bit like the payWave that we use on credit cards?

Josh: Yeah, and like Google Wallet.

Darren: Yeah. So I guess the thing is, apparently Australia's uptake of NFC payments has been-

Josh: It's ginormous.

Darren: Really big, compared to, say, the US, who haven't really got into them.

Josh: The US are still on swipes.

Darren: Yeah. So I suppose there is some opportunity in Australia to develop applications that use only Apple Pay.

Josh: I hear that the US still use a carrier pigeon, occasionally, for credit card transactions. They put the card onto a carrier pigeon--over to the bank.

Darren: Well, any US listeners we've ever had have now formed a strong opinion of Josh as being somehow anti-American, which I assure you, he isn't.

Josh: I'm not actually anti-American. I've just ... they're backwards with their payments.

Darren: With their payments, specifically.

Josh: Their payments are backwards.

Darren: Okay, fair enough. I've not noticed this about the US. One of the most financially successful nations in the world.

Josh: Well, except for 2008.

Darren: Yeah. Well, that was a bit of a glitch. Poor--yeah. Let's, that's not even-

Josh: Just put that to one side.

Darren: Not even joke about that. All right. So, all right. Apple Pay, yeah, that's interesting. I think--and again, it's one of those things, it's a bit like the fingerprint sensor where, well, people have already invented that. Well, now that Apple have invented it, it'll probably take off. Which is probably rotting the socks of, like, many people in the world.

Jana: It's kind of like any tech thing, really. It's like, it comes out initially ten years ago, and it's all really cool, but it's super [00:44:00] expensive, or really clunky and really annoying. And then, you know, it takes a little refining until it gets to a certain point, where it becomes cheap and it becomes easy. And then everybody picks it up.

Josh: The first tablet computer was invented twenty-five years before the iPad.

Jana: Exactly. So it's like, it takes--you know. It takes a lot of refining to make a good product.

Darren: Well, but that's just suggesting that the only reason Apple is successful is because they just always have great timing. It can't be as simple as that.

Jana: Oh, no, I'm not--no, I'm not saying that Apple is--that's because ... that Apple is successful. I'm saying that, you know, the reason, you know, why some of the stuff that they do hasn't been picked up earlier is because it wasn't implemented well. Apple are good implementers.

Josh: Well, Apple Pay also need-

Darren: And good marketers.

Jamie: Yeah, I was going to say, marketing's a pretty big part of that.

Josh: They need 100% pickup of NFC payments at merchants for this to work.

Darren: Yes, that's right. Well, apparently right now, they're really going after all the big banks. They're not really addressing business needs and API that much, they're just really talking to banks.

Josh: But the issue is, if you walk into, like, our local cafes. The six local cafes around here, or whatever. Half of them don't take NFC.

Darren: No.

Jana: Yeah, but it's a lot more impressive than I thought it would have been.

Josh: Yeah yeah yeah. Yeah, but until everywhere takes NFC, you have to take your cards with you anyway, in your wallet. So you might as well just take your cards and use your cards.

Jana: Yeah. Yeah. But it's-

Josh: So until you can--until you can tap your phone everywhere, then you gain nothing. You're not gaining anything feasible.

Darren: Yeah.

Josh: You're only going to affect oh, do I pull out my wallet and insert the card, or do I pull out my phone and tap the [card 00:45:38]

Jana: Yeah, but that's now. But it's going to, it's going to change. It's, it's-

Josh: Yeah. Obviously it's going to change.

Jana: The rollout has been really impressive, I think. Like-

Josh: Here.

Jana: Most of the time here, I've been-

Darren: The NFC rollout.

Jana: Yeah, yeah. Most of the time here, I've been able to payWave.

Darren: Yeah, it's true.

Jamie: The uptake's really fast. I mean, I go surfing through some backwater country towns, and they've already got NFC there, you know? It's really taking off.

Darren: Yeah. So it feels like the timing is about [00:46:00] right. Especially in this country-

Josh: Here it is.

Darren: For Apple Pay to ... I wonder if we will be building applications in the next few years here that incorporate Apple Pay. It would not surprise me.

Josh: Yeah.

Darren: Because there is a big API.

Josh: Well, there's also the various other payment things, like, PayPal are the big one. But there's Amazon Payments now, as well, and Google have a payments thing. All of them are letting you save cards on it and stuff, so someone could just click a button and it's done. So there's definitely options here beyond the traditional credit card form on a website.

Darren: Indeed. All right, well, I think we'll wrap it up there. It's an interesting chat, and there's so much more that we could talk about.


What we are looking forward to this week


Darren: Let's end with what we're looking forward to this week. What are you guys looking forward to for the rest of the week?

Jana: Well ... I'm really, really into Legend of Korra TV show at the moment.

Darren: Yeah, yeah.

Jana: Like, really, really. And it's just, it's at the, it's the start of the pointy end of the season. And-

Josh: The pointy end?

Jana: The point--you know.

Josh: I understand.

Jana: Gearing up for the finale. And the finale of the final season.

Josh: Oh, yeah. Where they put you on a cliffhanger just to follow next season.

Jana: No, no. There won't be another season.

Josh: Oh, cool.

Jana: And the funny thing about this is that, the ... you can't really see a clear resolution to this. Like, the show's really grown up, I guess. And the villains have gone from being like, you just got to defeat the villain and everything will be okay, to like, a really shade of gray world, where it's like--okay, so, you have to defeat the villain, but how? And how are you going to do that? And what are the repercussions of that? So it's intriguing.

Darren: Okay. Television show. Sweet.

Jana: Yep.

Jamie: I've been spending the last few weeks, as you guys well know, working on a, on a van. Making a camper van for the summer, and all my final bits have arrived now, so hopefully this will be the weekend where it gets finished. So I'm going to be-

Darren: Wow, finished.

Jana: Done.

Jamie: Going to be in the shed, [hauling 00:47:54] and nailing, again. Which is all I've been doing for most weekends for the last, last few weeks.

Darren: Wow. There's actually a [00:48:00] really great English show that I've caught on Foxtel, called ... it's called something like Small Spaces.

Jamie: Oh, yeah.

Darren: Have you heard of that? And it's this-

Jamie: Yeah, yeah. There's some pretty inspiring little designs on there.

Darren: Oh, amazing stuff. And there was one, actually, with a [combi 00:48:11] van. And the way that they actually utilized and made best use of the space within the combi van, to just cover all possible human functionality was fantastic. It was just brilliant. I loved it. I just so wanted it.

Jamie: The approach we've taken has been a bit more like, make a living room, and then fit the storage around it. So it's all about comfort. I mean, the bed in there's bigger than a queen size. So when it's set up, it's pretty palatial.

Darren: That sounds great.

Jamie: But um, yeah. The storage is a bit of a, um, workaround.

Darren: And Josh? What are you, uh, looking forward to this week?

Josh: I have the kids, so-

Jana: Kids [are staying 00:48:42]

Darren: So you're looking forward to seeing your kids, then?

Josh: Yep. It's just nothing else.

Darren: What about your driveway? You going to finish your driveway?

Josh: Uh, yeah. But I've got to wait a few weeks, before I can pour. We've got to retain, and stuff.

Jana: Kids plural?

Josh: No. I said, I've got a kid.

Jana: Oh, sorry.

Josh: It's not plural yet.

Darren: Well, I'm looking forward to listening to this podcast and seeing if it's complete rubbish or not. And editing it, and getting it ready, and having a think about whether this is a go. But I've enjoyed the process of-

Josh: Editing it. Delete Josh's anti-Americans-

Darren: That's right.

Josh: And your opinion. And now we'll move on.

Darren: That's right. No, no. I'll look forward to hearing and seeing if it feels like something that is, uh-

Josh: You are a big fan of listening to podcasts.

Darren: I do listen to a lot of podcasts. Which really led to me saying hey, look, we can-

Jana: Do this.

Darren: Do this. I'm also really quite enjoying-

Josh: You can be our first listener.

Darren: And I don't know if I should be ashamed to say this, because it's on the CW network in the US, which is like, you know, pretty much targeting fourteen-to-nineteen-year-olds, I believe. Um, or twelve-to-nineteen-year-olds.

Jana: No, it's real.

Darren: Is it?

Jana: Yeah.

Darren: Really?

Jana: Have you watched The Flash? No, um-

Darren: That's what I'm talking about, I'm watching the Flash-

Jana: No, yeah yeah--that's what I thought. I meant to say, have you watched The Arrow. But, um ... Arrow, yeah.

Darren: No, no. What I'm saying is, I'm really enjoying The Flash.

Jana: I knew exactly where you were [00:50:00] going with it.

Darren: I'm up to episode four, and so far it's just great. And I think The Flash, for some reason-

Jana: Oh, it's so cool-

Darren: Was my favorite superhero as a kid. And I think because--we had a long passageway in my house when I was growing up. And I used to run in the passageway thinking, no one has ever run this fast, down this, you know, down this or any other passageway.

Josh: That's probably true.

Darren: And so, yeah. And so I really felt like I had an affinity with that superhero.

Jana: So you like Grant Gustin? Grant Gustin, is that-

Darren: I don't know what you're talking about. I don't know the names of the actors or anything. But I'm enjoying-

Jana: The Flash.

Darren: Okay. But I'm enjoying the show-

Jana: Do you like The Flash as The Flash.

Jamie: Is this it, I thought, I better try to be cool now? I don't know what you're talking about.

Darren: No, no. No, I really don't know the names of the actors-

Jamie: Posters on your bedroom wall.

Darren: Yes, well.

Jana: I haven't seen him in anything else other than this, anyway.

Darren: Anyway. That's what I'm looking forward to, this week. But I will let--that wraps it up for this week. And we'll see, we'll see how this, you know, all washes out. Thanks, everyone.

Jana: Ciao.

Jamie: Ciao.
