Labour is appealing to the privacy commissioner about lists of supporters and donors falling into the hands of a right-wing blogger.

Details of 18,000 people were on the databases downloaded by blogger Cameron Slater, severely embarrassing Labour, which had to email donors and people who had contacted it through its website to apologise for the breach.

Slater has revealed on his blog how he obtained the databases, which appear to have been publicly available and easy to download without needing to hack into the site.

It is good that Labour is talking to the Privacy Commissioner. But rather than appealing to her, they should be begging mercy.

The good Commissioner could do worse than read Danyl at the Dim Post who translates technical stuff to English:

• Labour registered another site called healthyhomeshealthykiwis.org.nz, also hosted on this server. But when you visited this address you didn’t see a normal web page – you saw a directory listing of the Labour Party web server. This let you browse Labour’s server and read any file you wanted, just as you can with your own computer.

• This is considered so undesirable and such an egregious breach of security that the web server software Labour uses (Apache) disables directory listing by default. You have to go into a configuration file and switch it on manually. So I guess that’s what they did.

• It gets worse. All organisations back up their sensitive data – usually onto a backup server and/or tapes, which are then kept in a highly secure location. Confidential data like, say, financial records are always encrypted and password protected. But someone in the Labour Party decided to back up their donor database onto their web server – the only server in their organisation accessible to the general public, so by definition the last place you’d put any backup files.

• So all you had to do was enter healthyhomeshealthykiwis.org.nz, click on a few directories and you could download Labour’s unencrypted donor database.

Danyl’s conclusion:

Like the Darren Hughes fiasco, this is yet another sign that Labour is not a healthy organisation. It’s a party of perpetual incompetence that’s in deep denial about this obvious fact – to them they’re always the innocent victims of endless right-wing media conspiracies. A party that cannot run itself should not be allowed anywhere near the machinery of government.

If someone really had hacked the Labour website, exploiting a recent vulnerability, then my attitude would be very different. Few websites are immune from a totally dedicated expert hacker. But this is the exact opposite of that – this is listing all your private files on the frontpage of a website.

Secret details of an $810 dinner Manukau mayor Len Brown charged to his council credit card are unlikely to be revealed before this weekend’s local body election, the Ombudsman says.

Why not you ask? Do they not have to obey the law?

In what was possibly the most memorable part of this year’s local body election campaign, Brown gave an emotional and passionate address to his council colleagues about the dinner. He punched his head and chest and said he would “never” reveal who attended.

“Will I give you the names? Never. I want to tell you that, I feel so intensely strong about this.”

So Len’s position is clear – he will never ever voluntarily reveal the names, despite ratepayers paying for the dinner. But Manukau City Council knows and they can be ordered to do so under the Official Information Act.

The Ombudsman received a number of complaints about Brown’s refusal to name those who he took to Volare.

It was hoped a decision would be made by the end of this week, but that is now unlikely.

“We are pushing this as fast as we can,” an Ombudsman spokswoman said today.

“There has been huge controversy around this. We understand people wanted to know about this before they voted.”

However the Ombudsman was required, by law, to consult with the Privacy Commissioner before reaching a decision.

This week commissioner Marie Shroff asked a set of questions of Manukau City Council about the dinner.

She wanted to know “whether the attendees knew they were accompanying Brown in his capacity as mayor” and “did they know the dinner was being charged to his mayoral credit card”.

Reasonable questions to ask. And very easy to answer.

But the council’s chief executive Leigh Auton told the Ombudsman there would not be enough time to answer the questions before the election.

Outraegous. My God – this involves around 30 minutes of phone calls, and they have 500 or so staff. One has to suspect this is a deliberate obstruction. Why are they so desperate to not name those who had dinner shouted?Is it because their identities would be in conflict with the reason giving for paying?

Auton was first notified of the complaint against his council in August.

It is understood an urgent telephone conference was being held this afternoon between the Ombudsman and Auton.

Sadly, even if it comes out tomorrow, it will be too late. But the Ombudsman should not reward the Council for stonewalling, and order the names released this week.

It will also increase the situations that interception and tracking devices can be used in. Instead of being restricted to certain types of serious crime, enforcement officers will be able to apply for surveillance device warrants on the same basis as search warrants.

This is the point Bell Gully also made. And there is a significant difference (to me anyway, and I am sure most people) between a search warrant and covert surveillance.

However, notification to the individual who has been the subject of a surveillance warrant is not required before a prosecution. An issuing Judge may order notification only if there has been a problem with the warrant (eg a breach of its conditions). From a privacy perspective this is problematic as an individual should generally have the right to know what surveillance has been carried out. I appreciate that in the case of surveillance warrants it is impractical to provide notification in advance of the warrant being carried out. However, notification after the fact should be a matter of course. This must be subject to practical considerations such as the status of ongoing investigations and the safety of others. Notification is common in other jurisdictions such as Germany and the United States.

As I read this, you could have your phones bugged. And if the information obtained is not used in a prosecution, you will never know you were bugged. I think one should know if the state has bugged your phone – unless it will interfere with ongoing investigations or endanger other people.

3.3. Allowing search warrants to be the basis for remotely accessing computers is, from a privacy perspective, alarming. This is mitigated to some extent by the specific limits put on this power in clause 101 (k). The warrant must state whether remote access is authorised, and the provision states that the remote search is limited to things such as Internet data storage facilities that are not located at a physical location that can be searched. This does not seem to allow remote access to the computer itself.

So it sounds like the state can not hack into your home PC remotely, but they can hack into your Google accounts!

Production orders can be issued by an ‘Issuing officer’ who can be a Judge but can also be ‘any other person’ authorised under clause 106. This is a lowering of an important safeguard, particularly in light of the expansion of availability of the orders. Traditional expectations are that intrusions will not be made in private communications without rigorous oversight by a Judge. This is carried into this Bill in the issuing requirements for surveillance device warrants in clause 48. It seems logical that these relatively new, and potentially technical, production orders should also be issued by a Judge.

I prefer judicial oversight. So what does clause 106 allow:

The Attorney-General may authorise any Justice of the Peace, Community Magistrate, Registrar, Deputy Registrar, or other person to act as an issuing officer for a term, not exceeding 3 years, specified in the notice of authorisation.

I like the “or other person” clause. That means I could be appointed an issuing officer for warrants