Is it time for a unique identifier?

November 18th, 2014 at 12:00 pm by David Farrar

The Herald reports:

Yesterday Prime Minister John Key told reporters a wide-ranging inquiry would be launched into the matter.

He said there were many unanswered questions around the incident including “quite delicate issues around data-sharing”.

The inquiry would cover whether someone who was incarcerated for a serious crime, like Smith, should be able to be on short-term release without electronic tracking, he said.

I wonder if it is time for us to follow other countries and have a unique identifier for every resident and citizen. That way one can have 100% confidence when checking the passport application against the prisoner database that someone is eligible or ineligible.

There are risks with a unique identifier. You don’t want the IRD staffer able to access your online health records for example, and a unique identifier can increase risks of unauthorised access. But I think it is worth debating if the pros outweigh the cons.


Privacy Commissioner now blogging

May 28th, 2014 at 1:00 pm by David Farrar

The Privacy Commissioner now has a blog. Worth subscribing to, if you are interested in privacy issues.

I took part with the Commissioner in a forum last night, organised by IPANZ on what is the price of privacy. Was very enjoyable with a wide range of issues ranging from the recent European Court judgement on Google to data sharing between Government agencies, to data breaches.

One example I touched on was the request to have statistics on the percentage of homes owned by non residents. I agree that such data would be desirable. But it is worth noting that to get very accurate data you would need to data match between the property registers, citizenship registers (and we don’t really have one), immigration status databases, travel records and current address records. Is that level of data collection and matching warranted for the information we would gain from it?


Protecting student privacy

July 4th, 2013 at 12:00 pm by David Farrar

Waldo Kuipers at Microsoft blogs on the issue of protecting student privacy.

New Zealand’s schools work hard to earn the trust of their communities. As part of the important work they do, schools need to collect and hold a large body of confidential and private information about children and their families.

The 2020 Communications Trust ICT in Schools survey suggests that if digital records and email are not already used extensively in every New Zealand school, they soon will be.

In recent years some schools have taken a step further, and are starting to send information to computing services outside the school grounds for storage and processing.

In the hands of teachers who have been supported with skills development and the freedom to innovate, new devices and cloud services present wonderful opportunities to prepare students for the future.

Microsoft had Curia do a survey of parents on their expectations. The results were:

  • 95% want schools to require providers of computing and Internet services to commit by contract that they’ll only use student data to deliver services to schools, not for the companies’ own purposes.
  • 97% of parents want schools to ensure student data is used only for education, and not for commercial exploitation.
  • 99% of parents indicated their belief that schools’ duty of care should apply to the computer and Internet environment they provide for student learning.

The Red Alert privacy accusations

December 10th, 2012 at 8:10 am by David Farrar

There’s been a great volume of posts and comments on the left blogs about one or more people in Labour, including an MP, allegedly targeting Labour party members for comments they have made on blogs under a pseudonym. The best summary comes from Danyl at the Dim Post:

My understanding of what’s happened here is that most authors on The Standard comment under pseudonyms. And they’ve commented on the Labour blog Red Alert using those same pseudonyms. Now, when you comment on Red Alert you have to provide your real email address. So these have been matched to Labour’s membership and the dissenting members have been contacted by party officials. All pretty creepy.

It is creepy and authoritarian, and worse. If correct, I think the actions may breach the Privacy Act.

Lynn Prentice has commented:

I’d advise anyone who has used a pseudonym on Red Alert that could compromise them in real life to expect problems. The system operators over there are quite compromised, don’t act responsibly, and have been that way for some time. Quite simply they are not operating in a way that makes it safe to leave comments there unless you have cast-iron anonymity. …

Which incidentally, is why you don’t see Red Alert on our feed

That is a hugely damning statement. The person in charge of the most read left blog in New Zealand (and a long term Labour party member) says he won’t even link to the Labour caucus blog because of their ethical standards in using private registration details to target people.

If I was a journalist, I’d be asking whoever is in charge of Red Alert to confirm or deny the allegations from their own party members.

It seems that once the identity of certain people commenting at The Standard was known (by cross-matching the e-mail address they used on Red Alert to their membership database) they were heavied, as were their friends. The Sprout has said:

My friends were heavied in an attempt to intimidate me to stop posting during the leadership contest between Shearer and Cunliffe. Clearly someone in Wellington didn’t like me saying their pony was a rightwing puppet who couldn’t lead a party to save himself. Despite me only stating the obvious, it spurred a pretty awful and nasty intimidation campaign. They knew the people being threatened weren’t me, but they knew too that doing that to my friends would quieten me. How shitty North-Korean is that?

So far it’s been CV, millsy, Peter Wilson, and me – that I know of – but who knows who else has been leaned on to shut up?

Eddie confirms this in a post:

Now, a senior Labour MP has written a letter to the New Zealand Council trying to stamp on debate by party members online. The MP has singled one individual commentator in particular for attack in the letter (don’t worry, you know already if it’s you) after using back-end data from Red Alert to identify them.

To be clear, a senior MP is attempting to change the membership rules of the party to punish a member for writing some things that the MP doesn’t agree with in the comments section of blogs (which everyone knows Labour MPs don’t read anyway). Talk about breaking a butterfly upon a wheel. Talk about abusing your institutional power in an attempt to insulate yourself from criticism, no matter the cost to the party itself.

And this comes from the party that says it is for open government and protecting people’s right of free speech on the Internet. Can you imagine what they might do if they were actually in Government?

One of those allegedly targeted was Colonial Viper. To make it harder for Labour MPs to work out who to target, many of the commenters at The Standard have adopted similar pseudonyms in a Spartacus strategy! Nice solidarity.

Pete George has a comprehensive set of links on this issue.


The MSD computer breach

October 17th, 2012 at 9:00 am by David Farrar

Stuff reports:

Social Development Minister Paula Bennett says security of computer systems is an operational matter despite giving earlier assurances she would monitor it.

Few people who are not partisan would expect the Minister to somehow be over the details of computer systems in a massive ministry. The job of the Minister, like a Director, is to ask questions such as have you had a firm test your security etc. Bennett did not say (as no Minister would) that she would monitor computer security. She said:

“Whilst the ministry has a strong focus on reducing its national office numbers there are also substantial plans to automate frontline services for clients through the use of online and other IT solutions,” she wrote.

However there is no doubt the Govt gets damaged when ministries fail, and they are held ultimately accountable if they are not seen to respond strongly enough and give reassurance it won’t happen again.

Consultancy firm Deloitte has been appointed to conduct an independent investigation after blogger Keith Ng revealed he was able to access Ministry of Social Development servers through public kiosks in a Work and Income office.

MSD chief executive Brendan Boyle yesterday admitted they had not acted on earlier warnings about the system.

That is hugely concerning, and someone should be held accountable for that. Also as I had previously blogged, the investigation should not just be into the security breach, but also into why the kiosks were even connected to the main corporate network.


Ng reveals massive MSD privacy breach

October 15th, 2012 at 7:55 am by David Farrar

This is a must read story. Keith Ng details how you can access pretty much the entire MSD computer system through their public kiosks. We are talking sensitive details magnitudes worse than in the ACC privacy breach. We’re talking:

  • fraud investigations
  • invoices including all contractors (including their media trainers who will now be much needed)
  • details of candidates for adoptions
  • children in CYFS care
  • medical records
  • Debts owed to MSD
  • Full names of kids in their High and Complex Needs section
  • Names of kids in CYFS residential care
  • Phone bills that reveal physical addresses of CYFS homes
  • Bills from pharmacies that detail which children get which medications
  • An invoice from a community group for whanau support after a suicide, with the full name of the deceased

Keith says:

  • Public kiosks should not have been connected to the corporate network.
  • Servers that didn’t need to be globally accessible should not have been globally accessible, even if they only contained innocuous data.
  • Invoices, file logs and call logs, at a place like MSD, should not have been treated as innocuous data. 

That is a minimum. I’d expect invoices to be username and password accessible only. But the first point is the key one – the kiosks should not be linked to the corporate network.

It goes beyond saying that there must be a full inquiry into this. I have to say that my expectation is there should be staff resignations over this. This is not like ACC where the privacy breach was a mistake – a file accidentally attached to an e-mail. Mistakes will always happen. This appears to be a case of fundamentally flawed decisions – such as connecting the kiosks to the corporate network.

I don’t know how long it has been this way, but it must change.

Keith is a freelance journalist. If you want to help fund the excellent work he has done in this area, you can donate to it here. I have.

Talking on insecure data, you should also read how Whale managed to change the advertisements on The Standard through an insecure adserver. Also not a good look.


Collins on ACC and privacy

August 13th, 2012 at 10:00 am by David Farrar

John Hartevelt at Stuff reports:

ACC Minister Judith Collins wants the state insurer to start sacking staff who breach a new “zero tolerance” policy on privacy breaches.

A furious Ms Collins has revealed her astonishment at the failure of ACC to include privacy among nine of its “top priorities”.

“I’m not going to sit back and let one of the most important government entities [that] we have let people down time and time again around things such as privacy.

“They have to act in the way that I expect them to act. When I go around the branches, most of the people there absolutely understand it.

“But, actually, a few are letting them down and when we have things like the audit and risk committee having nine priorities for the year and not one of them [being] privacy, how can that be acceptable given everything else that’s going on?”

Ms Collins’ comments come as figures from ACC show 11 staff members have been reprimanded over “serious misconduct” since 2010.

The breaches involved: theft; fraud against ACC or a claimant; serious misuse of ACC property, including information and systems; dishonesty; disobeying a lawful and reasonable instruction from a manager; and any act that had the potential to bring ACC into disrepute.

Nine staff were sacked as a result of the breaches and two were given final written warnings.

Ms Collins said while the serious misconduct cases were “a shame”, she was pleased they were taken seriously and not covered up. “I think that they need to be – and they are now – taking on a culture of zero tolerance to privacy breaches, in particular,” she said.

Police had a “zero tolerance” approach to staff accessing private details about people without good reason.

“People lose their jobs over it, and that’s something that I think ACC needs to have, which is that we have people’s very personal information, we should treat it with respect and should understand it’s a very privileged position.”


Compulsory location indicators in cellphones

February 11th, 2012 at 10:41 am by David Farrar

Adam Bennett at NZ Herald reports:

Technology allowing police and other authorities to identify the location of callers may become mandatory for all cellphones in New Zealand in a move to improve the 111 emergency calling system.

But although the proposal could save lives, Telecom and the Privacy Commissioner have rung alarm bells.

The mandatory global positioning system (GPS) idea was raised in a discussion paper reviewing the 111 system issued yesterday by Communications Minister Amy Adams.

Umm, no.

I’ve chosen to have GPS on my cellphone. Personally I like the idea of the authorities being able to trace me in case of emergency. Hell, I’m even on Foursquare, so I broadcast my location to several hundred people.

But that is my choice. Equally I should have the choice of being able to use a cellphone that does not indicate my location.

Once the Government has the ability to detect your location via your cellphone for one purpose (a noble one), there is a slippery slope that they will want to use it for other purposes.


Google under investigation

June 10th, 2010 at 7:31 am by David Farrar

The Herald reports:

Police are investigating allegations that computer giant Google illegally gathered personal email and wireless internet data during its “Street View” operation in New Zealand. …

Representatives of the police and the Privacy Commissioner met yesterday to discuss Google’s possible breach of the Crimes Act after concerns were expressed about reports it had collected WiFi information while photographing houses and streets with 3D cameras for Street View, its online mapping service.

Google has acknowledged it collected fragments of data over public WiFi networks in more than 30 countries, though it is not known what kind of information was involved.

This is key. If all Google did was collect SSIDs, then I can’t see how that is a breach of the Crimes Act. If they were somehow accessing the data going over a wireless network, then there could be issues.


Editorials 3 June 2010

June 3rd, 2010 at 11:15 am by David Farrar

The Herald wants an FTA with Russia given priority:

Last year, New Zealand exports to Russia were worth $187 million, a modest sum even if well up on the $51 million of a decade earlier. As Russia has a population of 142 million, those figures hint at the potential of a free-trade pact.

But more telling still is the fact that not so long ago, New Zealand enjoyed thriving commercial arrangements with the former Soviet Union despite an often strained diplomatic relationship, not least over the invasion of Afghanistan.

But Keith Locke supported that invasion, so maybe we should make Keith the free trade negotiator for Russia :-)

The Press supports the creation of a new bank:

The proposal to merge three finance organisations to create a new locally owned bank is a timely one.

For the finance institutions themselves, it is an opportunity, driven by necessity, to turn themselves into stronger, more robust entities, particularly after the turmoil of the last three years or so.

For investors, looking to diversify their investments away from the great Kiwi stand-by, domestic real estate, it could provide a worthwhile and productive place to put their money.

And for borrowers, particularly small-business owners who have complained of being cold-shouldered by unsympathetic banks during the financial crisis, it could provide a friendlier, more knowledgeable lender to local business. …

The three entities involved – Pyne Gould Corporation’s finance arm Marac Finance, the Canterbury Building Society and the Southern Cross Building Society – are established names in finance.

They have not been unscathed by the upheavals of the financial crisis, but they have survived it with credit ratings still at very respectable levels for non-bank institutions.

Two have BB+ ratings and the other a BB rating, which is at the high end for entities that are not banks.

But still not great. The acceptable grades are:

  • AAA : the best quality borrowers, reliable and stable (many of them governments)
  • AA : quality borrowers, a bit higher risk than AAA
  • A : economic situation can affect finance
  • BBB : medium class borrowers, which are satisfactory at the moment
  • BB : more prone to changes in the economy
  • B : financial situation varies noticeably

Once you start to get into CCC and below, institutions are officially vulnerable.

The Dom Post talks off shore drilling:

But for recent events in the Gulf of Mexico, the Government would be making more of a fuss of Brazilian oil giant Petrobras’ decision to explore for oil and gas off the East Coast of the North Island.

The world’s fourth-biggest energy company, a world leader in offshore drilling, this week won the right to explore about half of the Raukumara Basin, which extends north and east of East Cape. The company will spend up to US$118 million (NZ$174m) over the next five years gathering seismic data and drilling an exploratory well.

The project will create jobs and draw international attention to New Zealand as a potential source of petroleum.

But the big gains will come if Petrobras makes a commercial find. Already the petroleum sector generates about $3 billion a year in export revenue. Energy Minister Gerry Brownlee has estimated that figure could rise to $30b by 2025 if preliminary estimates of New Zealand’s petroleum resources prove to be correct.

Which would make a huge difference to our standard of living, and ability to fund health and education services.

However, celebrations this week have been muted by the ongoing disaster in the Gulf of Mexico. Six weeks after an explosion on BP’s Deepwater Horizon rig killed 11 workers, the well 1.6 kilometres beneath the sea is continuing to spew between 1.9b and 3b litres of oil a day into the gulf, polluting the fragile Louisiana coastline, threatening fisheries and destroying the livelihoods of fishermen and tourist operators.

For that reason it is essential that the promised overhaul of New Zealand’s health, safety and environmental arrangements for offshore petroleum operations is completed well before any deepwater drilling begins.

Agreed.

The ODT looks at Facebook and privacy:

Facebook, once a small, “free” social networking site for university undergraduates to share personal information, has become a vast subdivision on the information super highway.

It is expected soon to reach a landmark figure of 500 million registered users.

This would make it the third largest country on Earth, bigger than all but India and China.

On Monday this week – “Quit Facebook Day” – Canadian campaigners urged people worldwide to remove themselves from the site.

They, and many others, were riled about the way in which they felt their privacy was being purloined for profit.

Quite why they should have been so surprised is another matter: you do not pay upfront to belong to Facebook, but the company must make ends meet – and a tidy profit – somehow.

That “somehow” is no great secret.

The site sells advertising to companies tailored to the defined demographics of its users.

The “footprint” they create in their Facebook activities is like gold to advertisers and marketers who will pay accordingly.

I was talking last night to someone about Facebook, with the idea being that if a user is aged under 18 then their privacy settings are set by default to not share data with anyone but friends.


Income and wealth public in Norway

October 24th, 2009 at 7:59 am by David Farrar

Incredible. Norway publishes both the income and the wealth of every Norwegian taxpayer. That would put the NBR Rich List out of circulation when you can get it straight from the IRD!

Many media outlets use the tax records to produce their own searchable online databases. In the database of national broadcaster NRK, you can type a subject’s name, hit search and within moments get information on what that person made last year, what was paid in taxes and total wealth.

It also compares those figures with Norway’s national averages for men and women, and that person’s city of residence. Defenders of the system say it enhances transparency, deemed essential for an open democracy.

“Isn’t this how a social democracy ought to work, with openness, transparency and social equality as ideals?” columnist Jan Omdahl wrote in the tabloid Dagbladet.

But he acknowledged that many treat the list like “tax porno” – furtively checking the income of neighbours or co-workers.

Critics say the list is actually a threat to society.

“What each Norwegian earns and what you have in wealth is a private matter between the taxpayer and the government,” said Jon Stordrange, director of the Norwegian Taxpayers Association.

Besides providing criminals with a useful tool to find prime targets, he said the list generates playground taunts of my-dad-is-richer-than-your-dad.

“The children of people with low wages are being teased about it in the schools,” Stordrange said.

“People with low salaries are being met with comments at the grocery store, ‘How can you live on these low wages?’”

The information had been available to media until 2004, when a more conservative government banned the publication of tax records. Three years later, a new, more liberal government reversed the legislation and made it possible for media to obtain tax information digitally and disseminate it online.

I can’t see a party campaigning on such a policy here!


The right to privacy

October 22nd, 2009 at 3:27 pm by David Farrar

The Herald reports:

A detailed membership list for the far-right British National Party has been leaked, revealing that the white supremacist party’s influence reaches as far as New Zealand.

The list, which contains 16,000 names, many with contact details, was published on the website Wikileaks. Three New Zealanders appeared on the list.

xxxxx  from Glenfield, said he had been a member of BNP for six years and was not fazed by his details being made public.

The leadership of the BNP are nasty pieces of work, but I don’t approve of publishing the names and addresses of members of the BNP. People may have joined up on the spot many years ago after attending a meeting before getting to know more about them. Or yes they may fully back the BNP as one gentleman quoted does. But regardless political party membership is essentially a private matter and I think it is regrettable that people have been hounded over their membership.

It is a slippery slope between that, and revealing who people voted for in an election.
