Clarification on the paedophile privacy case

April 15th, 2013 at 1:00 pm by David Farrar

Steven Price blogs:

I confess I’m entirely befuddled by the Dominion Post’s front-page lead on Saturday, “Prosecution for breaching paedophile’s rights”. Can someone help me out here?

Isn’t the story conflating the Commission with the Office of Human Rights Proceedings, an independent office within the HRC? But why is the Office of Human Rights Proceedings bringing a “prosecution”? Does the DomPost mean a claim before the Human Rights Review Tribunal (it seems so, since it mentions the Tribunal later on)? That’s not a prosecution, which is a criminal action.

Or is it a charge that the Sensible Sentencing Trust has breached name suppression? Now, that would be a criminal prosecution, but why isn’t it being brought by the police?

If it’s a Human Rights Proceedings Office case, it sounds like a Privacy Act claim, and not a charge for breach of name suppression at all (some of the language in the story suggests it’s about the Privacy Act, though the Act gets barely a mention in the story). That would also suggest that the Privacy Commissioner has already been involved and either refused to uphold the complaint or couldn’t reach a settlement with the Sensible Sentencing Trust. That would be interesting to know.

And the Human Rights Commission has clarified:

A story published by The Dominion Post on Saturday 6 April “Prosecution for breaching pervert’s rights” and on Stuff.co.nz requires clarification.

The statement that the Human Rights Commission plans to prosecute the Sensible Sentencing Trust needs to be clarified.

The Director of Human Rights Proceedings is instituting proceedings under the Privacy Act. The Privacy Act requires the Director, at his discretion, to make the decision as to whether to institute proceedings.

The Director of Human Rights Proceedings is acting on a referral from the Privacy Commissioner that the Sensible Sentencing Trust interfered with an individual’s privacy.

This is quite important info. As far as I can tell, this matter doesn’t involve any of the Human Rights Commissioners. The agency that appears to be behind this issue is the Office of the Privacy Commissioner.

This whole issue is quite convoluted. The man’s identity was actually published in Truth in 2009, and I believe again last week.


Privacy guide to cloud computing

February 20th, 2013 at 4:00 pm by David Farrar

The Privacy Commissioner has published a guide for users of cloud computing. It’s a very useful resource.

Their checklist for small business is:

  1. Figure out which cloud services will work for you and what your current risk level is
  2. Know what information you’ll be sending to the cloud
  3. Recognise that the responsibility is ultimately yours
  4. Security – lock it down
  5. Check out your provider
  6. Know exactly what you’re signing up for
  7. Be as up front with your clients as you can
  8. Location – where will the information be?
  9. Use and disclosure – who sees the information and what will it be used for
  10. Ability to exit, and deleting information

I just wish data caps were higher so I could backup my stuff to the cloud in real time.


Bennett v Fuller

August 15th, 2012 at 2:50 pm by David Farrar

The Human Rights Commission reports:

The Director of Human Rights Proceedings announced today the resolution of a complaint under the Privacy Act against Hon Paula Bennett, Minister of Social Development.

The Director, Mr Robert Hesketh said, “On the basis of the Minister’s letter to me, I have agreed to close my file. The matter has been resolved to the satisfaction of all parties. The letter from the Minister is attached. We have all agreed that the letter speaks for itself and we will make no further comment.”

The complaint had been referred to the Director by the Privacy Commissioner. This is the normal process under the Privacy Act when the Privacy Commissioner considers a complaint has substance, but the parties cannot agree on a settlement.

The letter is here. Bennett says she maintains she was justified in her actions, but regrets the comments some others made re Fuller, and the hurt that caused.

I do believe that if individuals who receive state support portray themselves publicly as “hard done by”, that there is an obligation for the full nature of such support to be revealed. Without it, we the public, have incomplete information.

However the best practice in future would be for the individuals involved to be asked to consent to MSD releasing their details. If consent is refused, that should be publicised, and then a decision made on whether to release without consent.

Note this does not apply to individuals on state support criticising the Government or its policies generally. Absolutely not. Only if they talk about their individual circumstances in a way which doesn’t provide the full picture.


Speaking next week

April 26th, 2012 at 12:18 pm by David Farrar

For those interested, I’ve got three speaking engagements next week.

On Monday evening I’m speaking in Auckland on the MMP review to the National Party’s Northern Region Policy Committee. That is open to party members only.

On Tuesday I’m speaking at a forum organised by the Legal Research Foundation on media and new media regulation. This is also in Auckland and open to the public. There is a fee to attend.

On Wednesday I’m speaking at the “Privacy in the age of big data” forum, organised by the Privacy Commissioner. This is in Wellington and open to the public. Also a fee to attend.

A somewhat diverse range of subjects. Hence, blogging may be lighter than normal next week.


Labour and the Privacy Commissioner

June 14th, 2011 at 1:01 pm by David Farrar

Tracy Watkins in the Dom Post reports:

Labour is appealing to the privacy commissioner about lists of supporters and donors falling into the hands of a right-wing blogger.

Details of 18,000 people were on the databases downloaded by blogger Cameron Slater, severely embarrassing Labour, which had to email donors and people who had contacted it through its website to apologise for the breach.

Slater has revealed on his blog how he obtained the databases, which appear to have been publicly available and easy to download without needing to hack into the site.

It is good that Labour is talking to the Privacy Commissioner. But rather than appealing to her, they should be begging mercy.

The good Commissioner could do worse than read Danyl at the Dim Post who translates technical stuff to English:

  • Labour registered another site called healthyhomeshealthykiwis.org.nz, also hosted on this server. But when you visited this address you didn’t see a normal web page – you saw a directory listing of the Labour Party web server. This let you browse Labour’s server and read any file you wanted, just as you can with your own computer.

  • This is considered so undesirable and such an egregious breach of security that the web server software Labour uses (Apache) disables directory listing by default. You have to go into a configuration file and switch it on manually. So I guess that’s what they did.

  • It gets worse. All organisations back up their sensitive data – usually onto a backup server and/or tapes, which are then kept in a highly secure location. Confidential data like, say, financial records are always encrypted and password protected. But someone in the Labour Party decided to back up their donor database onto their web server – the only server in their organisation accessible to the general public, so by definition the last place you’d put any backup files.

  • So all you had to do was enter healthyhomeshealthykiwis.org.nz, click on a few directories and you could download Labour’s unencrypted donor database.

Danyl’s conclusion:

Like the Darren Hughes fiasco, this is yet another sign that Labour is not a healthy organisation. It’s a party of perpetual incompetence that’s in deep denial about this obvious fact – to them they’re always the innocent victims of endless right-wing media conspiracies. A party that cannot run itself should not be allowed anywhere near the machinery of government.

If someone really had hacked the Labour website, exploiting a recent vulnerability, then my attitude would be very different. Few websites are immune from a totally dedicated expert hacker. But this is the exact opposite of that – this is listing all your private files on the frontpage of a website.
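As an added example (not code from the post or from Danyl's write-up), this audit sketch checks for the two mistakes described above: directory listing switched on in an Apache configuration, and backup files sitting under the web root. The configuration text, paths and file names are constructed samples, and each `<Directory>` block is judged only on its own `Options` line, without Apache's inheritance rules.

```python
import re
from pathlib import PurePosixPath

# Constructed sample configuration (not the real server's config).
SAMPLE_CONF = """\
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/html/app">
    Options -Indexes +FollowSymLinks
</Directory>
<Directory "/var/www/legacy">
    Options All
</Directory>
"""

# Constructed file listing, relative to the document root.
SAMPLE_FILES = ["index.html", "css/site.css", "backup/donors.sql.gz",
                "db/site.bak", "old/site.tar.gz"]

BACKUP_SUFFIXES = {".sql", ".bak", ".dump", ".tar", ".zip", ".gz", ".tgz", ".7z"}

def listing_enabled(tokens):
    """True if an Options directive's tokens leave Indexes switched on."""
    on = False
    for tok in tokens:
        name = tok.lstrip("+-").lower()
        if name in ("indexes", "all"):   # "All" includes Indexes
            on = not tok.startswith("-")
        elif name == "none":
            on = False
    return on

def directories_with_listing(conf_text):
    """Return <Directory> paths whose own Options line enables Indexes."""
    flagged, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            current = opened.group(1)
        elif line.lower().startswith("</directory"):
            current = None
        elif current and line.lower().startswith("options"):
            if listing_enabled(line.split()[1:]):
                flagged.append(current)
    return flagged

def backup_files(paths):
    """Return paths under the web root that look like backups or dumps."""
    return [p for p in paths
            if {s.lower() for s in PurePosixPath(p).suffixes} & BACKUP_SUFFIXES]
```

On a real server the file list would come from walking the document root, and any hit from either check means data is one click away from public download.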


Manukau City Council refuses to reveal dinner attendees until after election

October 6th, 2010 at 5:36 pm by David Farrar

Stuff reports:

Secret details of an $810 dinner Manukau mayor Len Brown charged to his council credit card are unlikely to be revealed before this weekend’s local body election, the Ombudsman says.

Why not you ask? Do they not have to obey the law?

In what was possibly the most memorable part of this year’s local body election campaign, Brown gave an emotional and passionate address to his council colleagues about the dinner. He punched his head and chest and said he would “never” reveal who attended.

“Will I give you the names? Never. I want to tell you that, I feel so intensely strong about this.”

So Len’s position is clear – he will never ever voluntarily reveal the names, despite ratepayers paying for the dinner. But Manukau City Council knows and they can be ordered to do so under the Official Information Act.

The Ombudsman received a number of complaints about Brown’s refusal to name those who he took to Volare.

It was hoped a decision would be made by the end of this week, but that is now unlikely.

“We are pushing this as fast as we can,” an Ombudsman spokeswoman said today.

“There has been huge controversy around this. We understand people wanted to know about this before they voted.”

However the Ombudsman was required, by law, to consult with the Privacy Commissioner before reaching a decision.

This week commissioner Marie Shroff asked a set of questions of Manukau City Council about the dinner.

She wanted to know “whether the attendees knew they were accompanying Brown in his capacity as mayor” and “did they know the dinner was being charged to his mayoral credit card”.

Reasonable questions to ask. And very easy to answer.

But the council’s chief executive Leigh Auton told the Ombudsman there would not be enough time to answer the questions before the election.

Outrageous. My God – this involves around 30 minutes of phone calls, and they have 500 or so staff. One has to suspect this is a deliberate obstruction. Why are they so desperate to not name those who had dinner shouted? Is it because their identities would be in conflict with the reason given for paying?

Auton was first notified of the complaint against his council in August.

It is understood an urgent telephone conference was being held this afternoon between the Ombudsman and Auton.

Sadly, even if it comes out tomorrow, it will be too late. But the Ombudsman should not reward the Council for stonewalling, and order the names released this week.


Privacy Commissioner on Search and Surveillance Bill

November 3rd, 2009 at 9:00 am by David Farrar

Their submission is online here.

It will also increase the situations that interception and tracking devices can be used in. Instead of being restricted to certain types of serious crime, enforcement officers will be able to apply for surveillance device warrants on the same basis as search warrants.

This is the point Bell Gully also made. And there is a significant difference (to me anyway, and I am sure most people) between a search warrant and covert surveillance.

However, notification to the individual who has been the subject of a surveillance warrant is not required before a prosecution. An issuing Judge may order notification only if there has been a problem with the warrant (eg a breach of its conditions). From a privacy perspective this is problematic as an individual should generally have the right to know what surveillance has been carried out. I appreciate that in the case of surveillance warrants it is impractical to provide notification in advance of the warrant being carried out. However, notification after the fact should be a matter of course. This must be subject to practical considerations such as the status of ongoing investigations and the safety of others. Notification is common in other jurisdictions such as Germany and the United States.

As I read this, you could have your phones bugged. And if the information obtained is not used in a prosecution, you will never know you were bugged. I think one should know if the state has bugged your phone – unless it will interfere with ongoing investigations or endanger other people.

3.3. Allowing search warrants to be the basis for remotely accessing computers is, from a privacy perspective, alarming. This is mitigated to some extent by the specific limits put on this power in clause 101 (k). The warrant must state whether remote access is authorised, and the provision states that the remote search is limited to things such as Internet data storage facilities that are not located at a physical location that can be searched. This does not seem to allow remote access to the computer itself.

So it sounds like the state can not hack into your home PC remotely, but they can hack into your Google accounts!

Production orders can be issued by an ‘Issuing officer’ who can be a Judge but can also be ‘any other person’ authorised under clause 106. This is a lowering of an important safeguard, particularly in light of the expansion of availability of the orders. Traditional expectations are that intrusions will not be made in private communications without rigorous oversight by a Judge. This is carried into this Bill in the issuing requirements for surveillance device warrants in clause 48. It seems logical that these relatively new, and potentially technical, production orders should also be issued by a Judge.

I prefer judicial oversight. So what does clause 106 allow:

The Attorney-General may authorise any Justice of the Peace, Community Magistrate, Registrar, Deputy Registrar, or other person to act as an issuing officer for a term, not exceeding 3 years, specified in the notice of authorisation.

I like the “or other person” clause. That means I could be appointed an issuing officer for warrants :-)
