Breaking Australian immigration news brought to you by Migration Alliance and associated bloggers. Please email help@migrationalliance.com.au
Registered Migration Agents are advised to be very careful about using a new "e-Signature" concept offered by KONDESK, promoted by SearchMyANZSCO.com.au. SearchMyANZSCO is owned by Konze Enterprises and, as far as we can determine, they are not owned or operated by RMAs. Therefore they do not need to comply with the industry's Code of Conduct.
The poorly worded English in an email received today promoting the e-signature service states as follows:
"E-SIGNATURE On Compliance Related Document", and
Does 956/956A Agreement document depict to you as the tedious and time-consuming job to perform? If yes, we at SearchMyANZSCO have brought to you an automated solution that not only makes a Migration Agent’s job smooth and comfortable but also makes the client complete its task hassle-free.
The problem is, this is technically not an e-signature service. It is a "copy-paste of a hard-copy signature" service, or a 'digital ink' service. At its lowest level, it is a 'type your name in the box' service. Below is a screen grab showing KONSIGN's three signature options for RMAs:
A secure digital, authenticated signature is very different to these options.
KONDESK offers the Registered Migration Agent profession an 'auto-fill signature' for 956 forms via its service KONSIGN. KONDESK is an unfortunate sounding name to begin with, as is the sound of KONSIGN.
There is nothing particularly special about copying and pasting a saved signature onto a 956 form, drawing on a screen or typing on a screen. However, there is something potentially alarming about this offering by KONDESK/KONSIGN. The copy-paste of a saved signature, the drawing of an RMA's signature onto a screen, or the typing of an RMA's name onto a screen has to be the laziest habit: it not only risks the privacy and electronic security of the RMA, but the signature is also saved in a system that is not controlled by the RMA.
Who gets access to the RMA's copy-pasted signature once it is saved in the KONDESK system? How many times could that signature, or any of its incarnations be recycled without an RMA's knowledge? Does SearchMyANZSCO.com.au also get access to the copy-pasted signature once it is saved? We can see on their video tutorial that the following image appears:
The "copy-paste, draw, type your own" signature process, and the reuse of such a signature, is a security risk. Is this even a valid signature type for the purpose of a Form 956 document or is it simply "digital ink"? Even the KONDESK tutorial video shows a screen which advises the user (RMA) that what they are clicking is a "Suspicious Link" and states "This link leads to an untrusted site. Are you sure you want to proceed to Konsign.com?"
This is the same as leaving your signature lying around. People can find and reuse it. RMAs don't have control of the staff who work in the offsite office of KONDESK / KONSIGN.
Can agents be sure that the people who run or work at KONDESK/KONSIGN are not going to recycle the signature, MARN, address and photo from the OMARA website and compile a turnkey solution to RMA identity theft? Do they also operate on the dark web? Do we know the people who operate KONDESK, and every single person associated with their businesses? It would normally be OK that we don't know the answers to these questions, but for the fact they are starting to make offerings including a Home Affairs Form 956 combined with RMA signatures.
Most importantly, if an RMA uses this copy-paste style signature, it calls into question the entire integrity of the RMA's electronic signature and of the 956 document as a whole. We go so far as to say that this type of signature may in fact be invalid for the purposes of a Form 956. We also ask RMAs to consider the Code of Conduct in this context.
Back in 2010 companies such as ZDNet were writing about actual digital signatures posing a security risk. Those are signatures where there has been no 'copy-paste' component.
Speaking at the International Forum on Surveillance by Design in London, Dr Stefan Brands, senior cryptographer with Zero Knowledge, specialists in anonymous Internet technology, warned that digital signatures might lead to widespread government tracing and identity theft.
Although digital signatures may appear to solve many consumer worries, Brands believes that they raise equally pressing questions over liberties. Dr Brands warned that digital signatures could lead to a future where the online movements of citizens can be traced by governments. "These identity signatures are a very dangerous trend," says Brands. "Everything you do can be traced automatically. In the near future identity certificates may be built into anything that contains a computer such as phones and watches."
Brands warned that as well as unwanted surveillance, digital signatures could allow for wholesale online identity theft. Is the RMA profession ready for wholesale online ID theft? Would we even be aware if it was occurring?
The Global Commission on Internet Governance (GCIG) was established in January 2014 to articulate and advance a strategic vision for the future of Internet governance. In recent deliberations, the Commission discussed the potential for a damaging erosion of trust in the absence of a broad social agreement on norms for digital privacy and security.
It is now essential that governments, collaborating with all other stakeholders such as RMAs, take steps to build confidence that the right to privacy of all people is respected on the Internet. It is essential at the same time to ensure the rule of law is upheld. The two goals are not exclusive; indeed, they are mutually reinforcing. Individuals and businesses must be protected both from the misuse of the Internet by terrorists, cybercriminal groups and the overreach of governments and businesses that collect and use private data.
Businesses or other organizations like Registered Migration Agencies that transmit and store data using the Internet must assume greater responsibility to safeguard that data from illegal intrusion, damage or destruction. Users of services provided on the Internet should know about, and have some choice over, the full range of ways in which their data will be deployed for commercial use. Such businesses should also demonstrate accountability and provide redress in the case of a security breach. Does KONDESK/KONSIGN offer this surety? Does the Office of the MARA allow KONSIGN as an acceptable form of signature on the Home Affairs document?
It is important to recognize that the communications and data of all of these actors are mixed together in the packet-switched networks and data clouds of the Internet. For the authorities charged with tracking down terrorists, countries that conduct espionage, cyber vandals and criminals of all kinds, the internet provides a reservoir of information about their targets. But at the same time, the ability to access the intermingled data raises concerns over personal privacy and data protection, especially for RMAs and their clients.
All developed economies now have multiple internet dependencies. As the global reliance on the Internet rises, the vulnerability to disruption increases. Although Internet access is far from universal, by 2020 the number of Internet users is expected to reach five billion, with each user capable of interacting with any other. The largest portion of this further growth will be in the developing economies. The opportunities to collect, retain and use data for commercial profit, for harm and criminal gain, and for intelligence and security purposes, will increase commensurately.
As a profession, we as RMAs need to be careful about who we share our identities with and who we allow to access our personal bio-data combinations. This includes providing copies of our physical signatures, drawn signatures, and our names typed onto a screen and saved by unknown and untested third parties.
Sources: https://www.zdnet.com/article/digital-signatures-pose-security-risk-says-expert/ and https://www.cigionline.org/sites/default/files/documents/GCIG%20Volume%20%235WEB_0.pdf
Thank you for this timely warning.
I would be concerned about the fact that the organization has details of an agent's clients - their address, telephone contact, email address and the level or type of immigration support.
I would not use it and yes, you are right, it does raise serious concern about privacy and compliance with the Code of Conduct.
Many freely available PDF applications provide proper and confidential e-signature options.
I ask clients to print out and sign forms in a blue pen and send a color copy/scan of the form, to which I then add my signature as the appointed agent.