Activists stop GCSB from being more open – well done!

September 11th, 2015 at 3:23 pm by David Farrar

Radio NZ report:

Una Jagose was about to deliver an address to a Privacy Commission technology forum in Wellington, when two anti-GCSB protesters unfurled a banner in front of the podium and refused to move.

One man from the audience appealed to the two women to allow Ms Jagose to speak, as that was what they were there to hear, but the protesters said they intended to remain for the duration of the speech.

Privacy Commissioner John Edwards then decided to cancel the event.

Afterwards, Ms Jagose said the agency had heeded public calls for greater transparency.

“Protests are a legitimate part of the democracy that we live in and I like the democracy that we live in – so is the work that the bureau does, a legitimate part of the democracy we live in,” she said.

“So it was a shame that one stopped the other from going ahead today.”

It looks like one of the protesters is Valerie Morse, whose commitment to peace is so sincere she runs around the Ureweras with illegal guns.

Ms Jagose said she was very happy to field questions from the audience, but not to deliver her speech over the top of the protest banner.

“I was going to talk about the work that we do both in foreign intelligence and cyber defence, and talk about the systems of oversight and the controls that are in place.

“I was going to talk a lot more about more than we’ve ever talked about before in public about our cyber security programme, called the Cortex programme – how we look at the privacy interests related to that programme, how it works, how it’s controlled, what it is.

“Stuff that we’ve never said before.”

Ms Jagose said she would still get more detail out to the public, and would reschedule her speech for a later date.

Mr Edwards said, in his view, the protesters were there to disrupt and prevent the messages from coming out, and he wasn’t prepared to subject his guest and the audience to the “spectacle of people being dragged out” by security.

“That would have suited the protesters, I’m sure, to have been able to garner more media attention and to shout their message but there’s no need for that.

“This is about freedom of speech; if they use their speech to shut down this really important development in the opening up of the organisation, then I think they’ve acted counter to their interests frankly.”


Well said John Edwards.

Good to see the Privacy Commissioner working with the GCSB, encouraging them to be more open with their activities. That is a good thing, and it is a pity the protesters prevented this happening.

Should NZ have a right to be forgotten?

July 3rd, 2014 at 11:00 am by David Farrar

Privacy Commissioner John Edwards blogs:

The biggest thing in the privacy world just now seems to have exploded into the collective consciousness out of nowhere. For those of you with TLDR (Too Long Didn’t Read) syndrome, here’s the spoiler. The issue is not as clear cut as you might think. I’d like to hear a range of views about how we should approach this in New Zealand.

Since May 13, when the European Court of Justice ruled that Google in Spain should break links to an old newspaper story about the plaintiff, there has been much criticism, astonishment, suspicion, relief and applause, depending on which side of the fence (or the Atlantic) the commentator comes from.

I’m one of those fairly unimpressed with it.

Could someone in New Zealand assert a right to have links removed from a Google search on their name? Our law differs in some key respects from European law. For example, we don’t have the concept of “data controller” or “data processor”, and there are a number of other differences.

The first hurdle would be territoriality. Google could be expected to argue that their search engine and the algorithms that compile and order results are not within New Zealand’s jurisdiction. The ECJ decision might offer some assistance to a litigant on that point, as might this June 13 decision of the Canadian Supreme Court which is a more influential source of jurisprudence to our courts.

Google has a domain name registered in New Zealand. If you search for a mechanic or painter in your town, the ads that lead the search results will tell you pretty clearly that Google has a place of business here, and those points might provide the beginnings of an argument that Google should be subject to a range of domestic laws – from the Fair Trading Act, to the Copyright Act, to the upcoming Harmful Digital Communications Act. Should privacy be any different?

Google could of course close down its local office, and run its NZ operations from say Australia.

A number of other arguments would then ensue as to the liability (if any) that Google should have for content hosted on sites to which it is only providing a link to. What is the extent of Google’s obligation under the multi-qualified information privacy principle 8 in our Privacy Act?

An agency that holds personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date, complete, relevant, and not misleading.

What is the onus if a New Zealand person asserts a right of correction (a term which is defined as including deletion) under information privacy principle 7?

My views is that people who want data about them on the Internet corrected, should go to the actual publisher of the data, and not hold the search engine liable for the data published by someone else.

Does the “purpose” element of the non-retention principle (principle 9) absolve search engines of the obligation to proactively purge old content? Should I issue a code of practice which spells out the respective rights of search engines and individuals?

I’m going to leave these questions until I am presented with an actual case to apply them to. There are many other authorities around the world grappling with the same difficulties.

I want my search engines to locate all content that is on the Internet, that the published has been asked to be indexed.

It may be that a case will come before me to determine before the issue comes to the Court or to Parliament. Someone might argue that Google should break a link to personal information that has been published online from a data breach, or that it is in breach of a Court suppression order. If I do have to determine such a case, in addition to weighing the various rights of privacy against the rights in the NZBORA, I will need to take into account the matters specified in s.14 of the Privacy Act. That means that, among other things, I have to have due regard to “the protection of important human rights and social interests that compete with privacy, including the general desirability of a free flow of information and the recognition of the right of government and business to achieve their objectives in an efficient way”.

Where do you think the balance should lie?

This is an issue that won’t go away.

Privacy Commissioner now blogging

May 28th, 2014 at 1:00 pm by David Farrar

The Privacy Commissioner now has a blog. Worth subscribing to, if you are interested in privacy issues.

I took part with the Commissioner in a forum last night, organised by IPANZ on what is the price of privacy. Was very enjoyable with a wide range of issues ranging from the recent European Court judgement on Google to data sharing between Government agencies, to data breaches.

One example I touched on was the request to have statistics on the percentage of homes owned by non residents. I agree that such data would be desirable. But it is worth noting that to get very accurate data you would need to data match between the property registers, citizenship registers (and we don’t really have one), immigration status databases, travel records and current address records. Is that level of data collection and matching warranted for the information we would gain from it?

Clarification on the paedophile privacy case

April 15th, 2013 at 1:00 pm by David Farrar

Steven Price blogs:

I confess I’m entirely befuddled by the Dominion Post’s front-page lead on Saturday, “Prosecution for breaching paedophile’s rights”. Can someone help me out here?

Isn’t the story conflating the Commission with the Office of Human Rights Proceedings, an independent office within the HRC? But why is the Office of Human Rights Proceedings bringing a “prosecution”? Does the DomPost mean a claim before the Human Rights Review Tribunal (it seems so, since it mentions the Tribunal later on)? That’s not a prosecution, which is a criminal action.

Or is it a charge that the Sensible Sentencing Trust has breached name suppression? Now, that would be a criminal prosecution, but why isn’t it being brought by the police?

If it’s a Human Rights Proceedings Office case, it sounds like a Privacy Act claim, and not a charge for breach of name suppression at all (some of the language in the story suggests it’s about the Privacy Act, though the Act gets barely a mention in the story). That would also suggest that the Privacy Commissioner has already been involved and either refused to uphold the complaint or couldn’t reach a settlement with the Sensible Sentencing Trust. That would be interesting to know.

And the Human Rights Commission has clarified:

A story published by The Dominion Post on Saturday 6 April “Prosecution for breaching pervert’s rights” and on requires clarification.

The statement that the Human Rights Commission plans to prosecute the Sensible Sentencing Trust needs to be clarified.

The Director of Human Rights Proceedings is instituting proceedings under the Privacy Act. The Privacy Act requires the Director, at his discretion, to make the decision as to whether to institute proceedings.

The Director of Human Rights Proceedings is acting on a referral from the Privacy Commissioner that the Sensible Sentencing Trust interfered with an individual’s privacy.

This is quite important info. As far as I can tell, this matter doesn’t involve any of the Human Rights Commissioners. The agency that appears to be behind this issue is the Office of the Privacy Commissioner.

This whole issue is quite convoluted. The man’s identity was actually published in Truth in 2009, and I believe again last week.

Privacy guide to cloud computing

February 20th, 2013 at 4:00 pm by David Farrar

The Privacy Commissioner has published a guide for users of cloud computing. It’s a very useful resource.

Their checklist for small business is:

  1. Figure out which cloud services will work for you and what your current risk level is
  2. Know what information you’ll be sending to the cloud
  3. Recognise that the responsibility is ultimately yours
  4. Security – lock it down
  5. Check out your provider
  6. Know exactly what you’re signing up for
  7. Be as up front with your clients as you can
  8. Location – where will the information be?
  9.  Use and disclosure – who sees the information and what will it be used for
  10. Ability to exit, and deleting information

I just wish data caps were higher so I could backup my stuff to the cloud in real time.

Bennett v Fuller

August 15th, 2012 at 2:50 pm by David Farrar

The Human Rights Commission reports:

The Director of Human Rights Proceedings announced today the resolution of a complaint under the Privacy Act against Hon Paula Bennett, Minister of Social Development.

The Director, Mr Robert Hesketh said, “On the basis of the Minister’s letter to me, I have agreed to close my file. The matter has been resolved to the satisfaction of all parties. The letter from the Minister is attached. We have all agreed that the letter speaks for itself and we will make no further comment.”

The complaint had been referred to the Director by the Privacy Commissioner. This is the normal process under the Privacy Act when the Privacy Commissioner considers a complaint has substance, but the parties cannot agree on a settlement.

The letter is here. Bennett says she maintains she was justified in her actions, but regrets the comments same others made re Fuller, and the hurt that caused.

I do believe that if individuals who receive state support portray themselves publicly as “hard done by”, that there is an obligation for the full nature of such support to be revealed. Without it, we the public, have incomplete information.

However the best practice in future would be for the individuals involved to be asked to consent to MSD releasing their details. If consent is refused, that should be publicised, and if then a decision made on whether to release without consent.

Note this does not apply to individuals on state support criticising the Government or its policies generally. Absolutely not. Only if they talk about their individual circumstances in a way which doesn’t provide the full picture.

Speaking next week

April 26th, 2012 at 12:18 pm by David Farrar

For those interested, I’ve got three speaking engagements next week.

On Monday evening I’m speaking in Auckland on the MMP review to the National Party’s Northern Region Policy Committee. That is open to party members only.

On Tuesday I’m speaking at a forum organised by the Legal Research Foundation on media and new media regulation. This is also in Auckland and open to the public. There is a fee to attend.

On Wednesday I’m speaking at the “Privacy in the age of big data” forum, organised by the Privacy Commissioner. This is in Wellington and open to the public. Also a fee to attend.

A somewhat diverse range of subjects. Hence, blogging may be lighter than normal next week.

Labour and the Privacy Commissioner

June 14th, 2011 at 1:01 pm by David Farrar

Tracy Watkins in the Dom Post reports:

Labour is appealing to the privacy commissioner about lists of supporters and donors falling into the hands of a right-wing blogger.

Details of 18,000 people were on the databases downloaded by blogger Cameron Slater, severely embarrassing Labour, which had to email donors and people who had contacted it through its website to apologise for the breach.

Slater has revealed on his blog how he obtained the databases, which appear to have been publicly available and easy to download without needing to hack into the site.

It is good that Labour is talking to the Privacy Commissioner. But rather than appealing to her, they should be begging mercy.

The good Commissioner could do worse than read Danyl at the Dim Post who translates technical stuff to English:

  • Labour registered another site called, also hosted on this server. But when you visited this address you didn’t see a normal web page – you saw a directory listing of the Labour Party web server. This let you browse Labour’s server and read any file you wanted, just as you can with your own computer.

  • This is considered so undesirable and such an egregious breach of security that the web server software Labour uses (Apache) disables directory listing by default. You have to go into a configuration file and switch it on manually. So I guess that’s what they did.

  • It gets worse. All organisations back up their sensitive data – usually onto a backup server and/or tapes, which are then kept in a highly secure location. Confidential data like, say, financial records are always encrypted and password protected. But someone in the Labour Party decided to back up their donor database onto their web server – the only server in their organisation accessible to the general public, so by definition the last place you’d put any backup files.

  • So all you had to do was enter, click on a few directories and you could download Labour’s unencrypted donor database.

Danyl’s conclusion:

Like the Darren Hughes fiasco, this is yet another sign that Labour is not a healthy organisation. It’s a party of perpetual incompetence that’s in deep denial about this obvious fact – to them they’re always the innocent victims of endless right-wing media conspiracies. A party that cannot run itself should not be allowed anywhere near the machinery of government.

If someone really had hacked the Labour website, exploiting a recent vulnerability, then my attitude would be very different. Few websites are immune from a totally dedicated expert hacker. But this is the exact opposite of that – this is listing all your private files on the frontpage of a website.

Manukau City Council refuses to reveal dinner attendees until after election

October 6th, 2010 at 5:36 pm by David Farrar

Stuff reports:

Secret details of an $810 dinner Manukau mayor Len Brown charged to his council credit card are unlikely to be revealed before this weekend’s local body election, the Ombudsman says.

Why not you ask? Do they not have to obey the law?

In what was possibly the most memorable part of this year’s local body election campaign, Brown gave an emotional and passionate address to his council colleagues about the dinner. He punched his head and chest and said he would “never” reveal who attended.

“Will I give you the names? Never. I want to tell you that, I feel so intensely strong about this.”

So Len’s position is clear – he will never ever voluntarily reveal the names, despite ratepayers paying for the dinner. But Manukau City Council knows and they can be ordered to do so under the Official Information Act.

The Ombudsman received a number of complaints about Brown’s refusal to name those who he took to Volare.

It was hoped a decision would be made by the end of this week, but that is now unlikely.

“We are pushing this as fast as we can,” an Ombudsman spokswoman said today.

“There has been huge controversy around this. We understand people wanted to know about this before they voted.”

However the Ombudsman was required, by law, to consult with the Privacy Commissioner before reaching a decision.

This week commissioner Marie Shroff asked a set of questions of Manukau City Council about the dinner.

She wanted to know “whether the attendees knew they were accompanying Brown in his capacity as mayor” and “did they know the dinner was being charged to his mayoral credit card”.

Reasonable questions to ask. And very easy to answer.

But the council’s chief executive Leigh Auton told the Ombudsman there would not be enough time to answer the questions before the election.

Outraegous. My God – this involves around 30 minutes of phone calls, and they have 500 or so staff. One has to suspect this is a deliberate obstruction. Why are they so desperate to not name those who had dinner shouted?Is it because their identities would be in conflict with the reason giving for paying?

Auton was first notified of the complaint against his council in August.

It is understood an urgent telephone conference was being held this afternoon between the Ombudsman and Auton.

Sadly, even if it comes out tomorrow, it will be too late. But the Ombudsman should not reward the Council for stonewalling, and order the names released this week.

Privacy Commissioner on Search and Surveillance Bill

November 3rd, 2009 at 9:00 am by David Farrar

Their submission is online here.

It will also increase the situations that interception and tracking devices can be used in. Instead of being restricted to certain types of serious crime, enforcement officers will be able to apply for surveillance device warrants on the same basis as search warrants.

This is the point Bell Gully also made. And there is a significant difference (to me anyway, and I am sure most people) between a search warrant and covert surveillance.

However, notification to the individual who has been the subject of a surveillance warrant is not required before a prosecution. An issuing Judge may order notification only if there has been a problem with the warrant (eg a breach of its conditions). From a privacy perspective this is problematic as an individual should generally have the right to know what surveillance has been carried out. I appreciate that in the case of surveillance warrants it is impractical to provide notification in advance of the warrant being carried out. However, notification after the fact should be a matter of course. This must be subject to practical considerations such as the status of ongoing investigations and the safety of others. Notification is common in other jurisdictions such as Germany and the United States.

As I read this, you could have your phones bugged. And if the information obtained is not used in a prosecution, you will never know you were bugged. I think one should know if the state has bugged your phone – unless it will interfere with ongoing investigations or endanger other people.

3.3. Allowing search warrants to be the basis for remotely accessing computers is, from a privacy perspective, alarming. This is mitigated to some extent by the specific limits put on this power in clause 101 (k). The warrant must state whether remote access is authorised, and the provision states that the remote search is limited to things such as Internet data storage facilities that are not located at a physical location that can be searched. This does not seem to allow remote access to the computer itself.

So it sounds like the state can not hack into your home PC remotely, but they can hack into your Google accounts!

Production orders can be issued by an ‘Issuing officer’ who can be a Judge but can also be ‘any other person’ authorised under clause 106. This is a lowering of an important safeguard, particularly in light of the expansion of availability of the orders. Traditional expectations are that intrusions will not be made in private communications without rigorous oversight by a Judge. This is carried into this Bill in the issuing requirements for surveillance device warrants in clause 48. It seems logical that these relatively new, and potentially technical, production orders should also be issued by a Judge.

I prefer judicial oversight. So what does clause 106 allow:

The Attorney-General may authorise any Justice of the Peace, Community Magistrate, Registrar, Deputy Registrar, or other person to act as an issuing officer for a term, not exceeding 3 years, specified in the notice of authorisation.

I like the “or other person” clause. That means I could be appointed an issuing officer for warrants 🙂