Image: Tina Tiller

Opinion | September 9, 2022

EGGS and bones: Perhaps it’s time for a tikanga Māori month too


Asking two teenagers to recite Māori prayers over old skeletons is a lesson in why we need everyone to level-up on cultural awareness, writes Te Kuru o te Marama Dewes.

Two Māori teenagers being asked to perform karakia over old human remains that were “found” in a high school has left me feeling a little less hopeful about the progress of race relations in Aotearoa. 

I’ve been told by former students that these kōiwi have been known about for years and nothing has been done about it. 

Regardless of the fact that the bones had been donated for scientific purposes, most people will agree that it’s completely inappropriate to ask two students, teenagers, to take up the role of pou tikanga and provide a spiritual cleanse over the bones. That request, although put forward from a place of good intention, shows the massive deficit of cultural awareness that remains within the psyche of non-Māori.

The Ministry of Education has dismissed any responsibility, stating publicly that it isn’t responsible for the resources being used in schools. Its recommendation to other schools was to ask the Māori teacher, which represents the same mindset that led to this request of the two Māori students in the first place.

The ministry also recommended that schools ask local hapū and iwi for guidance in these circumstances and to have more cultural awareness. That’s great, if the schools take that advice on board. I’m compelled to think the ministry could do more to facilitate those relationships and resource local hapū and iwi to take on that extra responsibility.

Deputy minister for education (Māori) Kelvin Davis said he personally has no problem with bones being used in schools for science if they were blessed appropriately before they were donated. Now, making those comments without knowing the history of the bones in question and whether or not they were given the appropriate rites by Māori is irresponsible, in my opinion, and reflects the minister’s own lack of understanding in the area. That’s not entirely his fault. After all, he is not the minister of Tikanga Māori. 

Although I would ideally like a more culturally sound response from the MP who has been appointed to preside over Māori education in mainstream schooling, I acknowledge that it’s not his area of expertise and that he, like the teacher in this case, should consult with those who are versed in that knowledge base.

The principal of the school has suggested that the teacher acted with good intentions, although she acknowledges that there was a breach of tikanga. Where her understanding of what constitutes a breach of tikanga comes from is unknown, as is the plan to develop that awareness further or what new protocols will be put in place.

To be fair, it’s probably not something anyone was expecting, but the fact is that the dial-a-Māori mindset needs an upgrade. Every week I hear about Māori working within organisations being asked to complete tasks that are beyond their responsibility. Is this the painful process of reaching co-governance across the board? Perhaps. Putting that responsibility solely on Māori is unfair. We need non-Māori to use some initiative and commit to learning some basic principles about our culture.


If a building is on fire, who do we call? Firefighters. They are the people who have been trained to respond and have skills that make them better-equipped to do so. Who do we call when we find bones? In most situations we should call the police. In the case of bones used for scientific purposes, that’s an area that schools will now be carefully evaluating. 

It reminds us that there is a need for schools, organisations and other groups to strive to form relationships with tangata whenua in their area, as recommended by the ministry of education. That some schools in this country have no existing relationship with tangata whenua is a concern, and is telling of prevailing colonial attitudes. 


After hearing about the incident, in the ever-supportive role that Māori have led in race relations since the arrival of non-Māori, Ngāti Whātua reached out to the school to offer support. It’s never too late to start building those relationships; only good things can come from it.

Over the years there has been an incremental inclusion of Māori protocol in not only ceremonial proceedings of national and local government but also within organisations, schools and community groups. 

When the Ventnor ship carrying the human remains of 499 Chinese miners was wrecked off the coast of Hokianga, the bones washed ashore. Those bones were buried by the local Māori, who took it upon themselves to safeguard them until their families arrived. Now, there are strong relationships between that iwi and Chinese in New Zealand, including those who share lineage with the miners.

This is one example of the relationship that Māori have with bones. The word iwi itself means extended kinship group, tribe, nation and often refers to a large group of people descended from a common ancestor and associated with a distinct territory. It also means bone.

The question now is, what next? What will happen next for non-Māori to learn what’s appropriate or not? Are we happy to sit back, without committing ourselves to proactively learning about the ways of Māori, risking potentially traumatic experiences for youth, before we realise what’s OK and what’s not OK?

As we approach Māori language week, which has now grown unofficially into Māori language month, perhaps we need to think about a tikanga Māori Month?


He Puna Taimoana hot pools in New Brighton, Christchurch (Design: Tina Tiller)

Opinion | Society | September 9, 2022

No, the Christchurch hot pools weren’t ‘hacked’ – the council just messed up


It’s much easier to claim you’ve been hacked than to ‘fess up to failing to protect customer data, writes Dylan Reeve.

If there’s one important thing to know about modern computing, it’s probably this: security is hard.

In some ways internet security is easier now than it’s ever been – we have built-in antivirus; our home internet connections are usually pretty safely firewalled; most of the big websites we use have entire departments filled with well-trained geeks keeping things secure.

But also we’re in a time where everything is online. Hell, some car companies are using our ubiquitous always-online reality to turn things like heated seats into monthly subscriptions.

While getting stuff on to the internet is easier now than ever before, it’s also, therefore, easier to screw that up somehow. And that appears to be what happened to Christchurch City Council’s He Puna Taimoana hot pools.

The Stuff article about this issue, headlined ‘Computer hacker steals sensitive information from 20,000 Christchurch hot pools customers’, illustrates how the facts can be obfuscated when information security is covered by those who – through no fault of their own – lack the specialist knowledge to fully understand what’s going on.

A better headline for their article would have been ‘Christchurch City Council organisation leaves sensitive information from 20,000 customers unprotected online’.


I’ve written before about organisations crying “hacking” when they make mistakes that see their information shared more widely than they intended, and headlines about this latest situation, based on public statements from the council, did just that.

For some reason, it would appear the council-owned pools had been using a system that puts important files in “the cloud” – the nebulous term we use for stuff we store on the internet in a way we don’t really understand – and due to, presumably, some type of configuration error, more than 20,000 files (some containing sensitive personal information like passport details) were accessible to anyone who knew, or could figure out, where to look.

Why, exactly, was a council swimming pool storing sensitive personal data about their customers? Well it’s not immediately clear exactly what data was being stored online, but being a council facility, the complex offers discounted rates to local residents, for which proof of address and identity may be required. Part of this process can be completed online through the pool’s website, and requires the submission of a “proof of address”.

We live in a world of digital technology, and cheap storage, so it is often easy for organisations, when designing systems like this, to simply say, “oh, we’ll just store it all in case we need it later”. So, rather than just sighting the records in question, they’ll take a copy and hold on to them in case they want to double check later. Under New Zealand privacy law, organisations are only allowed to collect information they need for a lawful purpose, and they have an obligation to protect the information they collect. But many don’t think about whether they need to actually store all that they collect beyond the very moment it’s needed.


In general, storing stuff online is easy and cheap now. You can sign up for an account with Microsoft Azure, Amazon Web Services or Google Cloud in just minutes, and there are countless ways to integrate existing software tools with those services. This ease of setup is also an ease of screw-up, however, and it’s simple to make a configuration mistake that might open your data to anyone who stumbles upon it.

But we also live in a time where irresponsibly handling customer data is frowned upon so, like many before them, the council decided to frame their mistake in this instance as the malicious action of someone else.

The Stuff article about the incident describes the event as “hacking”, which is certainly how the council would like the situation understood, and says, in the opening paragraph, “information about as many as 20,000 members of the public has been stolen in a data breach”.

But a detailed post from US data breach news website, DataBreaches.net, which first notified the council about the issue, describes the situation very differently, explaining that a researcher had stumbled upon the unsecured “blob” (a general file storage container) on Microsoft’s Azure cloud service and attempted to notify the council without response before reaching out to DataBreaches.

In this instance the council had been relying on “security by obscurity”, essentially the idea that something is secure just by being hard to find – sort of like putting your life savings under a mattress, instead of a safe, on the grounds that no one is likely to look there.

Unfortunately for the council (and literally tens of thousands of other organisations worldwide which have made the same mistake), the contents of their unsecured storage had been discovered and indexed by at least some specialist search engines online that are used by both white hat (ethical) and black hat (criminal) hackers for research and exploitation.

The initial researcher, and subsequently DataBreaches, downloaded only enough data from the cloud service to understand what was stored there and by whom, and then made good faith efforts to contact those responsible for the issue so they could correct it.

However, in his email to affected customers, Christchurch City Council head of sport and recreation, Nigel Cox, said that a third party, which he accurately described as a “white-hat hacker”, had “accessed and illegally downloaded files stored on the He Puna Taimoana cloud server”, suggesting a level of illicit activity that simply wasn’t present, and also subtly avoiding the question of the council’s culpability for failing to secure the data.

The article about the issue from DataBreaches concludes with this summary:

The council should have disclosed this incident by saying, “We screwed up and didn’t lock down all the files we had with your personal information. We’re sorry for that and embarrassed. Thankfully, a kind and ethical researcher discovered our mistake, and when they couldn’t reach us to alert us, they asked a journalist they trusted to make the notification. The researcher and their employer destroyed all the data they had downloaded.”

Organisations of all sizes need to take the time to understand the implications of the technologies they’re relying on, and when they (almost inevitably) screw something up, they should be up front with their customers and the public about what happened. Similarly, journalists who are covering the complex world of IT and information security should take the time to check with subject matter experts before taking an organisation’s word for it that they were “hacked” – because most of them would much prefer that framing over “screwed up”.