AI assistant
SPACETALK LTD — AGM Information 2017
Nov 26, 2017
65842_rns_2017-11-26_dce889d7-bc14-484d-8ad2-0b296f956a02.pdf
AGM Information
Open in viewerOpens in your device viewer
==> picture [596 x 88] intentionally omitted <==
ASX Announcement
MGM Wireless Limited (ASX:MWR)
27 November 2017
Cyber Security Expert Gives Spacetalk Smartwatch Security Clearance
-
Weekend media report claims many children’s smartwatches have serious security flaws
-
International Cyber Security Expert investigation led by Adelaide University examines claims
-
Preliminary Report and Findings released today
-
Report finds Australian ‘’Spacetalk’’ Kids GPS Watch complies with Australian Laws
-
Spacetalk found to be secure and safe; parents can use with confidence
27 November, 2017 – Technology company MGM Wireless Limited (ASX:MWR) (‘MGM’ or ‘the Company’) today reports that its Spacetalk Children’s GPS Smartwatch Phone has passed rigorous testing by an internationally recognised Cyber Security Expert based at Adelaide University.
The report, released today, finds that the Company’s Australian Spacetalk watch meets the requirements of all Australian laws and, with minor developments, would be consistent with Norwegian Laws and Regulations.
Australian media last week raised security concerns about Children’s Smartwatches available for sale in Australia, following similar media reports from Norway and Germany in the past weeks.
The Company’s Australian Spacetalk watch– which took over three years’ to design and build – was specifically designed to incorporate international best practice security features, and to comply with all Australian Privacy and Child Safety Laws.
All data generated by the Smartwatch, AllMyTribe App and Ecosystem is stored securely in Australia and protected by Australian laws.
As an Australian Securities Exchange listed company, MGM Wireless has significant expertise and a track record protecting children’s data. The Company’s school communication business provides secure data transmission to over 1,400 schools and 1.6 million parents and students, working directly with Education Departments across Australia for the past 15 years.
RCM Compliance
Spacetalk carries the RCM compliance mark, a mandatory requirement that electronic and communications products must meet in order to be legally offered for sale in Australia. The watch has been extensively field tested in Australia under the most rugged conditions for child use.
==> picture [596 x 88] intentionally omitted <==
The Cyber Security Expert Report is attached to this ASX Release for Public Review.
Co-Founder, Chairman & CEO Commentary
MGM Wireless Co-Founder, Chairman & CEO Mark Fortunatow: “ Australian media, Norwegian and German authorities are absolutely correct that most children’s smartwatches have no meaningful security. It’s appalling that in almost every case, children’s and family data is transmitted openly and stored in China with little or no protection.“
“We are pleased to see that the Expert Cyber Security Report by Adelaide University confirms that Spacetalk complies with all Australian Privacy and Security laws.”
“Opportunistic Importers of children’s GPS watches are disregarding their responsibilities to parents and children. Chinese importers claims of providing child safety are false and misleading, because they are transmitting children’s names, locations, phone numbers and other information openly and storing this data in China without security. Anyone with basic technical knowledge can access this information.”
“MGM understands the importance of data security, child safety and the implicit responsibilities technology providers have in storing and protecting children’s and family data securely.”
Annual General Meeting | Shareholder Invitation
MGM is pleased to invite all shareholders to attend the Company’s Annual General Meeting (AGM) on November 30 at 11:00AM. The event will be held at the Radisson Blu Plaza Hotel Sydney, 27 O’Çonnell Street, Sydney NSW 2000.
==> picture [596 x 409] intentionally omitted <==
==> picture [596 x 88] intentionally omitted <==
==> picture [524 x 295] intentionally omitted <==
Ends
For more information please contact: MGM Wireless Limited Mark Fortunatow CEO [email protected] M: +61 421 328 984
About MGM Wireless
MGM Wireless Limited (ASX:MWR) is a technology company designing, developing and commercialising Internet of Things (IoT) devices for children, and software for school communication and student absence management. The Company’s AllMyTribe division has developed a wearable device called Spacetalk which allows two-way 3G communication, GPS tracking and alerts parents whenever children leave designated safe spaces such as school or the home.
MGM Wireless built its track record with school communication solutions after creating the world’s first SMS based Automated Student Absence Notification Solution. It is recognised as a global leader and pioneer in socially responsible and technology-enabled school communications. Used by over 1,100 schools and 1.6 million parents, the Company’s multichannel school communication solutions empower schools to effectively communicate to parents and caregivers through SMS, mobile in-app and other means to improve student attendance and safety, help schools reduce operating costs and increase parent engagement.
==> picture [596 x 88] intentionally omitted <==
MGM Wireless products include student absence notifications ‘messageyou’, absence analytics software ‘Watchlists’, school news and messaging app ‘School Star’, a content management and messaging platform for mobile school communication called Outreach+, and student attendance management solution ‘RollMarker’.
To learn more please visit: www.mgmwireless.com
==> picture [596 x 409] intentionally omitted <==
==> picture [103 x 80] intentionally omitted <==
26 November 2017
PRELIMINARY REPORT
AllMyTribe Spacetalk Watch REVIEW OF SECURITY AND PRIVACY
On Wednesday 22 November 2017 I was contacted by Mark Fortunatow, CEO of MGM Wireless Holding Pty Ltd, and commissioned to conduct a detailed review of Security and Privacy aspects of the Spacetalk children’s GPS smart watch phone product and its associated ecosystem.
SCOPE OF WORKS
The final report will consider:
-
Technical security mechanisms implemented in the AllMyTribe ecosystem to protect user privacy. This review will consider technical documentation provided by the company, interviews with technical staff of the company, and some penetration testing (technical experimentation).
-
Compliance with relevant policy and regulations in the Australian market, including such matters as informed consent, legal requirements for retaining customer records and measures required to secure private information.
-
Other matters related to user safety and device security.
-
Recommendations related to the security and privacy framework to support the evolution of the product and ecosystem.
The draft report is due on 15 December 2017, while the final report, including recommendations related to the product evolution, is due on 23 February 2018.
It is the intention that reports will be made public, although some technical details may be redacted for commercial-in-confidence reasons.
In line with best ethical practice, if security defects are identified, the company will be informed immediately so that remediation can be put in place before public disclosure.
MY CREDENTIALS
I have over 19 years of experience teaching, developing and consulting in the areas of telecommunications and multimedia engineering, and have been a tenured member of academic staff at the University of Adelaide since 2002. I am currently Senior Lecturer in the School of Electrical and Electronic Engineering.
I hold a PhD in Information Technology from George Mason University (1998), a Bachelor of Engineering in Computer Systems (1993) from the University of Adelaide, a Bachelor of Science in Theoretical and Experimental Physics (1992) from the University of Adelaide, and a Graduate Certificate in Management from the University of Adelaide (2002).
Since 2005, my primary areas of research have been in the forensic analysis of digital images and video, with specific focus on artifacts and limitations introduced by digital capture and
School of Electrical and Electronic Engineering The University of Adelaide SA 5005 AUSTRALIA Tel: +61 410 432 762 Email: [email protected] www.adelaide.edu.au
CRICOS provider number 00123M
compression processes; and more recently on related areas of electronic device security and forensics, cyber defence and cyber crime with some experience in internet security and cryptanalysis. I have acted as an expert or provided technical support in a number of criminal and civil cases in South Australia, and I currently provide investigative consulting services to a number of law enforcement agencies.
In 2008 and 2009 I chaired the “e-Forensics: Forensic Applications and Techniques in Telecommunications, Information and Multimedia” international conference in Adelaide.
Since 2013 I have been an invited academic observer at the United Nations Office of Drugs and Crime Intergovernmental Experts Panel on Cybercrime in Vienna, Austria.
In 2017 I was appointed as an academic member of the INTERPOL Digital Forensics Expert Group, specialising in wearable devices such as smart watches and fitness devices.
I am currently actively engaged in research collaboration in cyber-security and digital government with the Tallinn University of Technology in Tallinn, Estonia.
PREVIOUS ENGAGEMENT WITH MGM WIRELESS
In 2003, the Convergent Communications Research Group at the University of Adelaide, of which I was then Research Director, was commissioned by Ezyimage Ltd to prepare an independent expert valuation report of MGM Wireless Holdings Pty Ltd. I also supervised an Honours student project in that year, sponsored by MGM Wireless, to explore the thenemerging Multimedia Messaging Service.
PRELIMINARY OBSERVATIONS
On 18 October 2017, the Norwegian Consumer Council (Forbruker Rådet) released a detailed report which identified serious privacy and security flaws in four GPS-enabled watches for children available in the Norwegian market. That report – with some redaction – is publicly available at https://www.mnemonic.no/news/2017/watchout/.
The findings of that report against the reviewed devices are not disputed and will be used to benchmark the Spacetalk Watch and some competitor products in the Australian market. It is believed that the competitor products in Australia may be the same OEM products available in the Norwegian market, although this has yet to be confirmed.
As a first stage in the evaluation of the Spacetalk Watch, the key findings list of that report are considered to identify whether there are comparable defects – including serious technical or compliance defects, in that product. That summary is annexed to this statement.
Of particular relevance is that MGM Wireless Ltd’s Privacy Policy is written to comply fully with the Australian Privacy Principles[1] in line with their current market. Privacy is more tightly regulated in Europe and there are some differences in regulated record-keeping requirements. Hence, consideration has been given to the required compliance under Australian regulation as well as hypothetical compliance under European principles if the Spacetalk Watch were to be released in European markets.
As a broad preliminary summary, the issues raised in the Norwegian Consumer Council Report have been appropriately addressed in the implementation of the Spacetalk Watch in the context of the Australian market. A small amount of additional ecosystem development would be required to meet the regulatory requirements in Europe.
In keeping with best practice, MGM is adopting a process of continuous monitoring, improvement and public disclosure of the Spacetalk Watch in terms of its functionality,
1 Privacy Fact Sheet 17: Australian Privacy Principles, available at https://www.oaic.gov.au/individuals/privacy-fact-sheets/general/privacy-fact-sheet-17-australianprivacy-principles, accessed 26/11/17
security and privacy. This approach ensures rapid discovery, assessment and rectification in the event that a security defect is identified, and maintains public trust by timely disclosure. It is emphasised that a preliminary review of the implementation of the Spacetalk ecosystem suggests that none of the serious technical flaws identified in the watches reviewed in Norway are evident.
==> picture [99 x 47] intentionally omitted <==
Dr Matthew Sorell Senior Lecturer
ANNEX: Preliminary Evaluation of AllMyTribe Spacetalk Watch against the Norwegian Consumer Council findings
Summary of Terms (Page 5 of the NCC report)
| ANNEX: Preliminary Evaluation of AllMyTribe Spacetalk Watch against the Norwegian Consumer Council findings |
ANNEX: Preliminary Evaluation of AllMyTribe Spacetalk Watch against the Norwegian Consumer Council findings |
ANNEX: Preliminary Evaluation of AllMyTribe Spacetalk Watch against the Norwegian Consumer Council findings |
|---|---|---|
| Summary of Terms (Page 5 of the NCC report) | ||
| Consent is sought at registration |
AU: COMPLIANT |
The Privacy Policy2is explicitly referenced in the registration process in compliance with Australian Privacy Principles. It is recommended that more explicit informed consent be implemented, especially in a European market context |
| I will be notified if the terms are changed |
YES | MGM has undertaken to email registered users of the AllMyTribe app, and registered account holders, of changes to policies including End User Licence Agreements, Privacy Policy, etc. To date these terms have not changed. |
| My personal data will not be used for marketing purposes |
YES | Specified in the Privacy Policy APP-8 (page 6) |
| I can delete data in the app |
AU: COMPLIANT DEVELOPMENT IN PROGRESS |
I understand these features are in development. They are not required under Australian privacy principles and may be restricted in scope by the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015. These features would require implementation for the European market. |
| Location data is automatically deleted after a set period of time |
||
| I can delete my user account |
YES | However, account deletion requires manual intervention by the company |
| Promises to implement reasonable security standards |
YES | Specified in the Privacy Policy APP-11 (page 8) |
| It is made clear where personal data is transmitted and stored |
YES | Specified in the Privacy Policy APP-8 (page 6) and in other documentation that all personal data remains within, and is stored and processed in, Australia. Alternative data housing arrangements may be required for other markets. |
As a further observation, anonymity is protected by the option for end users to use pseudonymous identifiers to access the AllMyTribe app and child identifiers. However, under Australian law, mobile phone accounts, which are used to access the Spacetalk Watch and the AllMyTribe app on a parent’s smartphone, are required to be linked to a verifiable identity.
2 MGM Wireless Privacy Policy, at
https://mgmwireless.com/downloads/MGM_Wireless_Customer_Privacy_Policy.pdf, accessed 26/11/17
Features of the device (Page 8)
| Features of the device (Page 8) | Features of the device (Page 8) | Features of the device (Page 8) |
|---|---|---|
| Make/receive calls | YES | Calls can only be made and received with numbers on the Contact List, which is maintained through the AllMyTribe app by the parent. Calls with no caller ID are blocked. |
| Contact list | YES | |
| GPS tracking in app | YES | Transmission of location information to the parent-managed app is a key feature of the product. Secure transmission protocols are used to protect against interception of location data. |
| Geofencing | YES | |
| SOS button | YES | This is a simple process for the child to make contact in case of emergency |
| Receive SMS | YES | SMS can only be received from sources on the contact list. Of note is that notifications from the 3G mobile carrier regarding prepaid credit will not be received, but these messages will be interpreted by the AllMyTribe server and the end user notified through the app. |
| Voicemail | NO | However it is technically possible to set up voicemail through the mobile service provider. |
| Monitoring | NO | Surveillance through the device is generally illegal without the informed consent of the parties to the conversation. |
| Alert if device is removed from arm |
NO | These features are not supported, in line with the_Privacy_ _rights of children and young people at international law_3. In short, children have the right to choose not to be tracked and to protect their own privacy. |
| Prevent child from turning off device |
NO |
Technical Assessment
The Spacetalk watch has not yet been tested against the technical security assessment conducted by mnemonic for the Norwegian Consumer Council and annexed to that agency’s report, dated 18 October 2017. Preliminary discussions with engineering staff at MGM Wireless, and review of technical documentation provided to date, suggest that the technical exploitation weaknesses identified in mnemonic ’s report have been considered and addressed in the design and implementation of the Spacetalk watch.
3 Decision Making by and for Individuals Under the Age of 18, at
https://www.alrc.gov.au/publications/68.%20Decision%20Making%20by%20and%20for%20Individuals %20Under%20the%20Age%20of%2018/privacy-rights-children-, accessed 26/11/17