Thinking Cybersecurity

We bring critical thinking and mathematical insight to cybersecurity problems.

My name is Vanessa Teague. I'm a cryptographer living and working on Wurundjeri land in Southeastern Australia (near Melbourne). I am interested in cryptographic protocols that support a free and democratic society. I work on openly-available research and open source software for supporting democratic decision-making and empowering ordinary people to make choices about their own data.

Some highlights and favourite papers are:

Analysis of the Australian Tax Office's myGovID system

Ben Frengley and I found that the myGovID digital identity system is vulnerable to an attack unless users check very carefully that their 4-digit code comes from You can read the details of the problem and recommended mitigations or watch this video for nontechnical users.

Cryptographic analysis of e-voting systems

We've shown serious errors and security problems in e-voting and e-counting systems in Western Australia, New South Wales and Switzerland. The problems we identified allowed for undetectable privacy breaches or election manipulation. We hope that we have made that a little harder. Our talk for IEEE Security and Privacy (Oakland) is here. The same attack applies also to the NSW iVote system, with a slight modification described here.

See also this nontechnical article from the IEEE Security and Privacy magazine, which explains the main ideas of electronic election verification.

Joint work with Andrew Conway, Chris Culnane, Mark Eldridge, Aleks Essex, Alex Halderman, Thomas Haines, Sarah Jamie Lewis and Olivier Pereira.

Auditing complex elections

We've developed a number of new tools and techniques, most supported by open source software, for auditing complex elections. This culminated in a world-first pilot Risk-Limiting Audit of Instant Runoff Votes in San Francisco in November 2019. You can do RLAs for IRV!

See also our proposal for auditing Parliamentary elections such as India's.

Joint work with Andrew Conway, Michelle Blom, Chris Culnane, Dan King, Laurent Sandrolini, Philip B. Stark and Peter J. Stuckey.

Privacy and open data

Chris Culnane, Ben Rubinstein and I demonstrated the easy re-identifiability of doctors and patients in open Australian Medicare-PBS data and of ordinary commuters in open Victorian Public Transport data. We were hoping this would encourage the enlightened view that a person's detailed personal data is still theirs, even when their name has been removed.

Privacy-preserving Contact Tracing

I am a contributor to an MIT-led project on private automated contact tracing (PACT) for impeding the spread of infectious diseases such as COVID-19. The approach is very similar to the protocols of the TCN coalition, covid-watch and DP^3T, all of which I support. To explain why I think this is the best approach, I wrote a series of blog posts on why contact tracing doesn't require surveillance, including security and privacy analysis of the Australian government's COVIDSafe app and the UK's first NHS app, which has now been replaced with one based on the Google/Apple Exposure Notification API.


Email me at [my first name]@[thisdomain].com or reach me on Twitter @VTeagueAus, or see blogs and code on github.

A list of students, teachers and other academic work is here.