GUEST POST: More on PBX security

Those of you with an attention span will remember we talked about PBX security a little while ago and Ben and I had quite a good discussion both in the comments and on Twitter about how important it all is.

Ben blogged on it and kindly allowed me to cross-post it here. Check out more from Ben at his blog.

A couple of weeks ago Paul Brislen posted a really good post on the TUANZ blog about PABX security. It seems some criminals had used a local companies phone system to route a huge number of international calls, leaving them with a colossal ($250k!) phone bill. These attacks are increasing common, and I have heard a number of similar stories.

Phone systems increasingly rely upon IP connectivity and often interface with other business processes, putting them in the domain of IT. But even if your PABX is from 1987 (mmm beige) and hasn’t been attacked yet, doesn’t mean it won’t be.

Both Telecom NZ and TelstraClear NZ have some good advice to start with, and you might find your PABX vendor can also give expert advice. Unfortunately many PABX systems are insecure from the factory, and a number of vendors don’t do a great job with security.

In a previous role I ended up managing several PABX systems spread across multiple sites, and learnt a few lessons along the way. Here are a few tips to get you started:

Have a single point of contact for phone issues – make it easier for users to change passwords, and get questions answered.
Educate your voicemail users, and work with them to use better passwords. Avoid common sequences like 0000, 1234 etc.

Document all the things! Make sure any company policies are documented and available (think about mobile phones etc too). Putting basic manuals on your intranet can really help new users.

Even if you outsource management of the phone system, make sure someone in your organization is responsible for it. And make sure this person gets more money!

Create calling restrictions, and put appropriate limits on where each line can call. If a line is only used for calls to local, national, and Australian numbers then that is all they should be able to call (don’t forget fax/alarm lines). Whatever you do, make absolutely sure that 111 (emergency services) works from all lines.

Standardise as many things as you can. Look at setting up system-wide call bars. Blocking 0900 numbers is a good start, and if no one will ever call Nigeria, it is a good idea to bar it. Make sure these settings are part of your standard config for new/moved sites.

Work with your vendor to ensure any root/master/service/vendor passwords are complex and unique. I have seen a vendor use the same service password everywhere, until a crafty hacker cracked it and then attacked many systems. Also talk to your vendor about a maintenance contract, and ensure they will install security updates in a timely manner. Restrict any remote service access where possible.

If you use auto attendants or phone menus, make sure they are secured too. Remove any option to dial through to an extension unless you are absolutely sure it is secure.

If you have multiple sites make sure that only appropriate calls can be routed between sites. Some phone hackers have been known to abuse site-site connections to work around restrictions.

If you have lots of sites, you may not always have control over the PABX, so work with your telco and have them restrict international calls as appropriate. Put this in your contract so it happens by default when you add/move sites.

If you have a mix of PABX systems/vendors at different sites, things can get very complicated and expensive, very quickly. Work on reducing the complexity.

Practice good IT security. Most PABX’s from the last 10+ years are Windows/Linux boxes (usually unpatched..) under the hood, and can be attacked over your network too (or used to attack your internal network!).

Ensure that both billing and system logging is enabled, and monitored. Otherwise a problem won’t be spotted until the next phone bill arrives.

The most important thing to take away is an awareness of the problem. Dealing with PABX’s can be complex. Don’t be afraid to get expert help. Your telco and PABX vendor are the best places to start. If you can’t get the support you need, change to one that will. If you have any advice, please add it below.

Latency

One issue remains to be resolved with the concept of New Zealand becoming a data centre for content and that’s latency.

We live in a remote corner of the world at least what, 120ms away from our nearest large market (sorry Australia – I’m talking about the US) and unless faster than light quantum computing becomes a reality in the near future, we’re not going to change that.

Latency affects all manner of services. Voice calls are notoriously impacted by lag, as is video calling and computer gaming. Too much lag will cause your secure VPN to fall over and that makes online banking or other reputation-aware services problematic.

But what can we do that isn’t time sensitive in such a way? YouTube for example, or streaming long-form movies – an activity that accounts for anywhere between a quarter and half of all US domestic traffic. What about Dropbox-like services or most of the new range of cloud computing activities (this blog, for example, is hosted by a company based in New York but I haven’t the faintest idea where the data is stored).

As Kim Dotcom said to NBR, HTML5 means multi-threaded downloads and uploads which means aside from the initial connection, lag isn’t an issue for services like web browsing, music or movie streaming or any of the rest of it. Local content caching is becoming the norm for such data and New Zealand could easily take a place in that market.

There is no reason any of those kinds of data can’t be stored locally and served to the world – the only impediments are a lack of competition on the international leg and a willingness to go out and sell that capability to the world.

Our distance to market has always been seen as a negative – let’s make it a positive. We’re remote, we’re stable, we’re “uninvadable” by anyone who might object to freedom of information and we have cheap, renewable energy. Give us a new cable and we won’t have to worry about the negotiations between Tiwai smelter and the power companies and New Zealand will be a net exporter of data and that means money.

Critical infrastructure

The National  Infrastructure
Unit has released its review of how things are going one year on from the
launch of the government’s infrastructure plan and apparently everything in
telecommunications is fine.

Much work has been achieved in terms of UFB and RBI says the
report, and the government is making steady progress towards re-purposing the
700MHz spectrum for telco use.

One thing worries the writers of the report (and bear in
mind that the NIU sits inside Treasury) and that’s whether or not the regulatory
settings encourage investment.

To be frank, I’m less worried about that because we now
(finally) have competition in large swathes of the telco market and that in
itself is driving investment. The Commerce Commission’s review of the sector
shows that, even before we consider the UFB spend of $1.5 billion from our
pockets.

I have another issue that the report barely touches on:
volcanoes.

Auckland is built on a nest of them. Fifty or so volcanic
cones litter the area with some long since extinct and used for tourism and
others still relatively new (Rangitoto) in geological terms.

What are the risks of another one popping up? Nobody knows.
Seriously, if you visit GeoNet  or any of the other sites that talk about volcanoes, all you get is reassurance
like this:

Auckland’s
existing volcanoes are unlikely to become active again, but the Auckland
Volcanic Field itself is young and still active.

Which is not very reassuring, if you ask me. Take this
information, for example:

The
type of volcanic activity in Auckland means each eruption has occurred at a new
location; these are coming from a single active ‘hot spot’ of magma about 100
km below the city. 

Which suggests that should a new volcano pop up, it’ll
literally pop up. No point checking out the existing cones – only Rangitoto has
had repeat eruptions in the past 250,000 years.

GeoNet has 11 monitoring sites around Auckland, but when you
ask the internet about predicting the next volcanic eruption you find it’s more
of an art than a science.

The Auckland War Memorial Museum cheerful tells us that it’s
not likely in our lifetimes:

“There have been 48 eruptions over
almost 250,000 years – one every 5,000 years on average”

But then goes on to say we don’t know when these eruptions
happened, so the averaging theory may not stack up. And after that we’re told:

There is no way of knowing when it will happen.

The last eruption (Rangitoto) was by far the
biggest.

And my favourite line:

Auckland’s volcanoes are powered by runny
basaltic magma, which rises through the crust quickly, at several kilometres
per hour. So when the next eruption happens, whether it’s tomorrow or in 5000
years’ time, we won’t get much warning.

What sort of damage will a volcanic eruption in Auckland
cause? Well there’s the initial blast radius, the shockwave radius, the lava
damage (if it’s the right kind of volcano), potential for massive amounts of
super-heated water to be flung about (if it’s in the harbour), ash clouds and
so on.

I’ve written a secondary school grade essay on volcanoes because
our country’s only serious international telecommunications link, the Southern
Cross Cable network, lands on either side of the Auckland isthmus (one in
Takapuna and one in Whenuapai) only 15 km apart smack on the top of an active
volcanic field.

A single eruption in the middle would potentially take out
both landing stations and then, we as a nation are stuffed.

All our international communications would be down for a
period of months at a minimum. Our ability to trade commodities online would
cease. Our government’s relations with other nations would grind to a halt –
and I’m not talking about our vital trade negotiations or our role in South
Pacific peace keeping, but mundane daily things like our ability to trade
currency and update the stock markets with information.

Any business based in New Zealand that tried to communicate
with customers outside New Zealand would be cut off. Our ability to let the
world know what was happening would slow to a trickle and you can forget us
recovering from that in a hurry.

I’ve always been ambivalent about the calls for another
international cable because of disaster recovery needs, but having taken a
closer look at our current situation I have to say it’s not pretty. We probably
won’t see a volcano pop up in our lifetimes, but the downside if it does happen
is quite severe.

Risk assessments must address two issues – the likelihood of
an event happening and the damage from that event if it does. In this case
we’ve got a low likelihood but a tremendous amount of damage should that event
occur.

As Wikileaks told us, the US considers the Southern Cross
Cable network to be a critical infrastructure that needs to be protected and that the Department of Homeland Security has included the landing sites in
its National Infrastructure Protection Plan (NIPP).

We have a single point of failure that’s got a tremendous
amount of risk associated with it.

We can mitigate that risk of course. A second cable that
lands somewhere else would do the trick, but the cost of laying one ($400m for
Pacific Fibre’s planned route) is prohibitive if all we’re talking about is a
DR plan.

Fortunately, we could use said capacity for other things and
we’ve discussed that elsewhere on this blog (and I’ll do so again shortly).

Any future second cable must include a requirement that it
land somewhere other than Auckland. The problem with that is that it increases
the cost to the builder but given that I expect the government would need to be
a part owner, I suspect that won’t be a problem.

You can see the government’s National Plan for
Infrastructure here
(WARNING: PDF) and it says telecommunications infrastructure is “able to deal
with significant disruption” and that the goal for the government beyond the
UFB and RBI projects is to make sure the regulatory regime works well. That’s
it, for the next 20 years, according to the plan.

In fact, the whole plan looks only at domestic
infrastructure, and I find that intriguing. Telecommunications is the only area
that is international in the way this report defines it. Gas pipelines, roads,
rail links, electricity production – it’s all domestic stuff. Only
telecommunications has that complete reliance on an international link, and yet
everything else relies on that link working continuously.

The report, quite rightly, focuses on Christchurch and the
rebuild work going on there. The report’s three year action plan, point seven,
is to “Use lessons from Christchurch to significantly enhance the resilience of
our infrastructure network”.

International telecommunications is a single point of
failure that could bring our economy grinding to a halt. It’s not about surfing
the net or downloading the next episode of our favourite TV shows, it’s about
ensuring we survive as an independent entity.

To quote from the report:

The Plan describes resilient
infrastructure as being able to deal with significant disruption and changing
circumstances. This recognises that resilience is not only about infrastructure
that is able to withstand significant disruption but is also able to recover
well. Buildings and lifelines that save lives are a priority, while the
earthquakes also revealed the resilience of widely distributed but highly
collaborative networks.

It’s time we looked at our international link in that light.

Strawman: How to save the New Zealand economy

Put aside the idea that it’s Kim Dotcom who wants to build a
new cable connecting New Zealand with the outside world for a moment and think
about what we’re really talking about here.

Firstly, we’re talking about building a data centre. Nothing
unusual in that – we have many dotted around New Zealand, some large enough to
register on the international scale of such things. Between Orcon, Vocus
Communications and Weta FX’s donation of the New Zealand Supercomputer Centre,
we have several.

But this would be orders of magnitude larger – something that
would either power Dotcom’s new Me.ga service or cope with the demands placed
on Google, for example. It needs to be robust, it needs to be multiply
redundant and it needs power. Lots of power. Green power. Fortunately we have
that and even better, the Tiwai aluminium smelter is apparently going to be
coming available soon and it requires 610MW to function. That’s 14% of the
national output, which makes for a scary conversation with government whenever
the smelter’s owners talk about packing up and leaving.

Google’s combined data centres use 260MW as best I can
fathom
which leaves us in a very good position to take over production of the whole
lot and do it entirely by green means. That’s quite important to a company like
Google, but don’t forget Facebook, Apple, Twitter (those tweets don’t weigh
much but by golly there are a lot of them) and all the rest. In fact this piece
in GigaOM nails it quite nicely  so have a look at why North Carolina is the place these guys base their mega
centres. Hint: power’s cheap there – cheap but dirty (61% of their electricity
is from coal, 31% from nuclear).

How cheap? They pay between 5c and 6c per kilowatt hour,
which is a really good price.

According to Brian Fallow in the Herald  Tiwai smelter pays 5c per kilowatt hour also, but don’t forget that’s New
Zealand money, not US money, so let’s call it 4c per kilowatt hour in American.

Clearly that’s a good price, plus it’s almost all green
which means a big gold sticker for any data centre using New Zealand.

So we’ve got electricity covered, if Kim gets his submarine fibre
built we tick off another huge problem. There’s not much we can do about the
latency between here and the US, so let’s ignore that thorny issue for now. We’re
conveniently located a long way from everyone so let’s move along.

There’s the issue of land which as we know is hideously
expensive in New Zealand. Unless it’s somewhere like Tiwai Point in which case
it’s not. I think we can tick that box off, particularly if you consider the US
pricing as your benchmark.

That leaves us with two major stumbling blocks. Firstly, the
staffing situation.

We need to produce enough graduates (or import enough
graduates) to staff this kind of monstrous facility and at the moment we’re not
doing that. We don’t have any push to get secondary school students into the
industry and we don’t have any long term plan to stop this incessant churning
out of management students and encourage kids into the world of ICT.

Without these kids coming through at all levels, we’re just
not going to get a data haven off the ground.

Because that’s what we’re talking about here – turning New
Zealand into a data haven where anyone can store data safe in the knowledge
that we treat bits as bits and that’s that. Nobody is going to trust us to look
after their data if we’re willing to send in the Armed Offenders Squad in a
chopper-fuelled moment of madness on the say so of some foreign national. It’s
just not viable.

The final problem then, is the legal situation.

We would need to become the neutral ground, the data
Switzerland if we’re to gain their trust. Publicly adhered to rules regarding
data collection and retention. Privacy built in, access only under the
strictest conditions.

But think of the upside – the PM talked about New Zealand becoming
a financial hub and while I get where he was coming from, that’s old school
stuff. Let’s become the home to all things data related instead. It turns our
long-time weaknesses (distance to market, isolation, relatively small size)
into strengths. Plus we’re New Zealand! Nobody’s going to invade us, we’re too
far away and too friendly.

Latency aside, what’s the downside of getting this done? If
we build the capacity we can attract a first mover in and if we have one, we
can attract more.

Customers from banks to insurance companies to individuals
to governments to movie studios (yes, you luddites, you) could make use of our
clean power, our isolation, our cheap land and our fantastic environment to
secure their precious bits and we would get a steady, reliable source of
revenue for the country that’s sustainable in all meanings of the word.

Have I missed anything? Why won’t this work? Is anyone
thinking about this?

Kim Dot Com or Kim Dot Come on?

If nothing else, Kim Dotcom’s tweet has reignited debated
about whether we need a competitive international cable market for New Zealand.

The short answer is yes, because we don’t have a competitive
international cable market. We have Southern Cross Cables and its network, but
we don’t have competition, and this concerns me. It also concerns most of the
telcos and ISPs I talk to and it should concern anyone who is supportive of New
Zealand building an internationally competitive digital economy.

In the old days we talked about the internet as the “freezer
ship” of the future. The internet could deliver the same increase in
productivity to the New Zealand economy that the introduction of freezer ships
did way back when.

It seems so quaint now, to think of the internet in terms of
commerce, when these days we use it to organise revolutions both social and
political, but there it is, the internet’s dirty little secret: it can be used
to make money.

I’ve said it before, repeatedly, and I’ll keep on saying it.
New Zealand stands to gain the most from the move to a digital economy. We can
export teaching instead of teachers, we can export intellectual property
instead of goods, we can export talent without losing those people. We can
export our business savvy, our capability, our cost effectiveness and our
willingness to get the job done. These things are all in short supply around
the world – we can fill that need and we can do it from here, without having to
go overseas unless we want to.

For that to work we need something that’s also in short
supply. Leadership. We don’t need more management, we need leaders with a
vision. We need someone to say “this is the plan, this is what we’re going to
do because it needs doing”, not “my staff didn’t inform me” or “of course I’m
worth my million dollar salary”.

If nothing else, Kim Dotcom is good at cutting through the
red tape and getting on with it. Love him or hate him, you have to give him
that. Want to share files? Build a file-sharing site. Want to play Modern Warfare
2? Lay fibre to the mansion and hook up your Xbox. Want to run an international
business from New Zealand but the infrastructure is lacking? Build the
infrastructure yourself and get on with it.

We need four things to get this digital economy off the
ground: international connectivity, cheap green power, an environment that will
attract talent and more students coming through the system keen to work in the digital
economy. Let’s focus on that for a while and see how we get on.

And if it takes an odd German with an odd name and a penchant
for the wrong German cars (get a Porsche) then so be it. We’re in no position
to be picky – let’s just get it build and then discuss the niceties.

I’ve heard from a number of TUANZ members who are keen to see something get off the ground. They see the need for competition on the international leg and were disappointed to see Pacific Fibre fall by the wayside.

Suggestions have ranged from a TUANZ tax on every telco bill to fund a build through to setting up a trust similar to the model used to build electricity lines around New Zealand. I’d be keen to see whether such a thing would fly – it would need the buy-in of some major telcos so we could add the  pennies per call or dollars per month to the bill, but that’s not insurmountable. 

What do you think? Would a publicly-funded project get off the ground?

Guest post: Privacy and the Law

Guest post from Hayden Glass – Principal with the Sapere Research Group, one of Australasia’s largest expert consulting firms. Thanks to Rick Shera (@lawgeeknz) for instructive conversation.

Part 2

In Part 1 [link] we looked at some aspects of online
privacy. In this article we look at the law.

Can the old dog still
hunt

New Zealand’s privacy laws are generally considered to be
pretty sound. The Privacy Act began life in 1993 describing a set of principles
and giving you a bunch of rights in relation to controlling the collection, use
and disclosure of personal information.

 “Personal
information” is defined in the Act as “information about an
identifiable individual”, i.e., information from which you can be
identified. If an agency is collecting anonymous information about your
movements online, that is one thing, but if your online profile grows to the
point that you could be identified from it, the rules in the Privacy Act can
apply. As discussed in part 1, the line between anonymous and identifiable can
be pretty uncertain
.

The Law Commission looked at the Act in a three-year review
of privacy laws
that was completed in August 2011. It continues to believe
that self-protection is the best protection, but suggests a substantial set of
changes aimed at improving the law including:

* new powers for the Privacy Commissioner to act against
breaches of the Act without necessarily having received a complaint, and
allowing it to order those holding information to comply with the Act or submit
to an audit of their privacy rules, and

* measures to minimise the risk of misuse of unique
identifiers, and require those holding information to notify you if your
information is lost or hacked, and

* controls on sending information overseas.

The government agrees that it is time for substantial
changes to the Act, although it does not agree with everything the Law
Commission has proposed
.
A new draft Bill is expected next year.

To the ends of the
earth

One obvious issue in the internet age is the lack of match-up
between the international nature of internet services, and laws that are
limited to the borders of any particular nation. A modestly-sized nation at the
end of the world, like New Zealand, has limited ability to influence foreign
organisations who may not have any local presence, although our Privacy
Commissioner has taken action against reputable major players offering services
in this country.

One answer is to harmonise our laws with other countries, or
rely on the big fish to protect our privacy. If the US or the EU forces firms
to improve privacy protections we will benefit. The US Federal Trade Commission
can legitimately argue that its actions will protect users in other countries
(see the summary of a talk from Nethui 2012 here) and
it is focused on this stuff. Vivian Reding, then the
EU Justice Commissioner said that privacy for
European citizens “should apply independently of the area of the world in
which their data is being processed …. Any company operating in the EU market
or any online product that is targeted at EU consumers must comply with EU
rules”. The French data protection agency is investigating Google’s new privacy policy.

Another evident challenge to existing privacy law is to the
notion of “informed consent”. As a legal principle it is fine, i.e.,
your favourite online service has a privacy policy and you consent either
directly to it by checking the box and clicking “I accept” or implicitly
by using their service. So long as the policy does not breach the law and the
service follows their own policy, they are legally blameless.

In practice you likely haven’t read the policy, and you may
not be in a position to avoid surrendering some privacy in any case.
Participating in society increasingly requires online interaction, and any
online interaction will involve sharing some information. Legally operators can
rely on your click to indicate consent to their privacy policy, but in practice
you cannot really withhold it.

One solution could be crowd-sourced reviews of online
privacy policy, or organisations that rate others policies.
There are similar troubles with the terms of licensing agreements to which you
have to consent in order to use software.

Fit for purpose

Users have options to protect themselves online if they care
to. They can avoid being tracked, ensure their privacy settings for social
media services are well considered, disable cookies, turn off javascript, use
fake Gmail or Facebook accounts, use incognito modes on their browsers, access
the online world through a VPN or a range of other things. The Privacy Commissioner
has guidance also. And you either
have now or will soon also have an option to turn on a “do not track
option in your browser, that will
impede the ability of firms to piece together your internet history as you find
your own trail through the online garden.

Sadly users mostly do not avail themselves of these options.
That may be because some impede the internet experience a bit. Or because users
do not care to change their behaviour much despite saying they are worried
about online privacy.

In these circumstances, there will continue to be debate
about how far users can or should take responsibility for their own protection,
and how far the law needs to go. This battle is the natural result of the standard
model for internet services, i.e., if you want free internet services, you need
to realise that your eyeballs are the price. No one should be surprised that
advertisers try to make their services more effective by learning more about
the brains behind those eyeballs.

The site’s a bit broken today

Possibly because of Sandy – Squarespace, which runs the back end – is in New York.

I think I can wait out the storm (so to speak) and will chase them up later – in the mean time any of the links you see are broken so don’t bother clicking on them.

Except this one: hopefully it’ll work and you can see what they’re up to.

UPDATE: No, even that one. Head over to status.squarespace.com if you want to see what they’re up to.

It’s the long weekend – do you know what your PABX is up to?

Another long weekend, and another PABX hacking takes place.

It tends to come in waves, but lately it’s been particularly
nasty with at least one report of a $250,000 weekend for one local company.

You probably know how it works but it bears repeating.
Ratbags ring around after business hours looking for a PABX system. They try
various combinations of readily available default passwords (user name and
password set to 0000 for example) and once they’ve struck gold they wait for a
long weekend.

Staff clear out on Friday at 5pm, then the diallers start
in. They have access to the set-up systems of the hacked PABX (which hasn’t
really been hacked, just left unguarded) so they assign all the direct dial
outbound lines to call numbers overseas – typically in those countries that
couldn’t care less about such things. Think Somalia or Azerbaijan. These
compromised systems spend the next three days dialling out and every time they
connect the company in questions starts paying through the nose for the toll
call.

The staff return to work on Monday none the wiser until the
phone bill arrives, typically with tens of thousands of dollars’ worth of toll
calling included.

The company will then ring the telco which will say sorry
but your phones made all those calls, and even if the local telco waives any
profit margin and offers the calls at cost, you’re still in the gun for
thousands of dollars owed to a foreign telco that isn’t going to take no for an
answer.

The ratbags in question typically get a clip of the revenue
earned in their country and have had quite a profitable weekend. Even if the
host telco over there wises up and kicks them out, there’s always another telco
to use.

Rinse, repeat until wealthy.

This isn’t a new phenomenon – in 2005 we covered the
situation
at Computerworld and even then we referred to advice given in 2003.

There are, however, some simple steps you can take here to
make sure you’re not done over. Fortunately it’s all quite straight forward.

First, talk to your PABX system provider. Actually, the real
first step is to figure out if anyone in your organisation is responsible for
the PABX – in many cases I’m told responsibility has devolved to the IT department
who don’t necessarily know all the old PABX hacker tricks.

But talk to your provider about securing your system and you’ll
probably discover the easiest thing to do is change the default passwords to
something more difficult.

I’m in two minds about password security – on the one hand a
long and tricky password means you’re unlikely to be hacked. On the other hand,
who can remember them? Bruce Schneier once told me the best way to secure a
system was with a long password that’s complex and difficult that is written
down and stored by the computer, on the basis that anyone who steals your PC
won’t know about the bit of paper and will miss it, and anyone who’s hacking in
from outside won’t be able to see the bit of paper because they’re in another
country. I quite like that.

TelstraClear has a page of advice on what to do that’s worth
a read. The TCF put out a warning last year and also has a page of information on what to do.

While the telcos do what they can to limit the damage from
this kind of thing, at the end of the day we the customers have to play our
part and making sure we bolt the door before we head away for a break is a very
good thing to do.

The Sum of All Our Fears – Privacy in the digital age

Our ideas about
privacy need redefining in the internet age

Hayden Glass is a Principal with the Sapere Research Group,
one of Australasia’s largest expert consulting firms. Thanks to Rick Shera
(@lawgeeknz) for instructive conversation.

I consider myself a fairly typical internet user. Google for
web search, a Gmail account for email, calendar and contacts, the Chrome
browser for surfing, and my Google drive for a whole host of documents stored
and shared in the cloud. On my Android phone I have 60 or so apps installed. I
have no Facebook account, but I am on Twitter. I use Dropbox to share files,
Flickr for my photos, iTunes for music, and Tumblr and WordPress for blogs.
Plus, like the rest of you, I use online banking, shop online, and get my news
nearly exclusively from online sources. I provide my location to make Google
maps work better and also to help get better search results, but I click
“Deny” when my phone gives me the choice to share location with any
particular website.

I am sharing, therefore, quite a lot of information on the
internet. This is an entirely standard way of life. Around 80% of us use the
internet
,
and 80% of users report using Facebook.

The internet is such a part of daily life that we now share
information unconsciously. Everything we do online creates a record and we
don’t think too much about what happens to it. In US academic Daniel Solove’s
vivid phrase, “data is the perspiration of the Information Age”. Others, like
American computer security specialist Bruce Schneier, think of your
click-stream as a type of pollution, in the sense
that it is created by doing some useful online task but it can have unpleasant side-effects
that need to be managed.

In Part 1 of this post we take a brief look at the online
privacy environment and what makes it different. In Part 2 we will look at
how laws are changing to adapt to it.

Part 1

Something new under
the sun

Problems of information privacy are much more difficult in
the internet age because the internet itself is so widely available, and
information flows on it are difficult to control.

The internet has no borders, and is not based in any
particular country. The location of service providers or users is generally
unimportant: information available in one place is available in all, and it is
difficult to control or trace the flow of data. Content is continually being
added or modified, but content is also persistent, i.e., information that was
once on a website can be searched for and retrieved even after the content of
the site has changed.

The internet is also tricky for governments to control.
There are, of course, still telecommunications operators who connect you to the
internet. They have extensive physical investments,  powerful brands and reputations to uphold. But
service providers who hold information about you are generally not dependent on
individual governments for resources at all. Most of the New Zealand internet’s
most popular services are provided by US firms based in California with servers
all over the world, and with little local presence here. The ability of the New
Zealand government to influence the activities of, say, Facebook is limited,
and given the aterritoriality of the internet, it is often not clear how firms
can navigate the thicket of different national responsibilities.

Privacy, of course, is also a non-internet problem. Those
holding information need to not, for example, lose sensitive government data in
the internal post
, or leave
their computer systems open for members of the public to access.

But often internet users do not realise how much they are
sharing (see these unfortunate Belgians), or what the consequences are.
Facebook stands accused of deliberately making it hard for users to control
their own privacy
,
and even the most sophisticated can get it wrong, releasing data that they
think is innocuous (like AOL or Netflix)  that turns
out not to be when combined with other public data. See also a local example.

Gold in them thar
hills

The major online services companies have also raised
substantial privacy concerns by mis-estimating what their users are happy with:
cue dismay when Mark Zuckerberg, Facebook CEO, said that his firm was built on
privacy expectations that all users might not share and the furore over changes to Facebook’s privacy settings that have led to EU
and FTC regulatory
intervention
, or when Google’s then CEO Eric Schmidt said that if you want to
keep something private online “maybe you shouldn’t be doing it in the
first place”
.

With all of this information about your online activities
able to be discovered, there is money to be made in sifting through it,tying it
together, and then selling the profiles to online advertisers.

Consider Rapleaf, a US outfit
that matches email addresses with a range of public data including Zip code,
age, income, property value, marital status and whether the person who controls
this email address has children. It claims to have data on over 80% of US email
addresses, and charges 0.5 cents per match.

Or this (registration required), a deal between Facebook and a firm called Datalogix
that allows the site to track whether ads seen on Facebook lead users to buy
those products in stores. Datalogix buys consumer loyalty data from retailers,
and matches email addresses in its database to email accounts used to set up
Facebook profiles.

Generalised concern

It is hardly surprising that people are concerned about
online privacy. Americans say their biggest perceived privacy threat is social
networking services like Facebook and Twitter (they are also worried about
unmanned drones, electronic banking, GPS/smartphone tracking and roadside
cameras
) (WARNING: PDF).

New Zealanders are worried too. A Law Commission survey revealed that 84% of respondents were concerned about “the security of
personal details on the internet”, more than were concerned about
“confidentiality of medical records” (78%) or “government
interception of telephone calls or email” (72%).

Expectations of privacy clearly depend a lot on context. Information
I share with my mother I may not wish to share with my friends (sorry guys),
and information I share with my friends I may wish to keep secret from a
potential employer. Information that I directly and intentionally share (e.g.,
via Twitter) is less sensitive than information that I do not know is being
collected. I would consider my browser history, my email and my search history
more sensitive than my purchase history from Amazon.com. I am pretty relaxed if
information about these things is used just to target online advertising. I am
less relaxed if these data were put together and used to establish my identity
or calculate my credibility and trustworthiness.

And since my list of privacy preferences will not be the
same as yours, it becomes clear that the question of online privacy is about
the limits of my ability to control the flow of information about me, and my
basic point here is that the internet age means that I have less control than
before.

If users are concerned about control but feel
(and to some extent are) powerless, what help does the law provide? We take up
that story in Part 2.

The Big Hairy Audacious Goal

The Commerce Commission has cleared Vodafone’s bid to buy
TelstraClear, paving the way for the merger.

However, there doesn’t appear to be any form of ongoing
monitoring or caveats on the deal. Vodafone had already indicated it would not
be buying all of TelstraClear’s spectrum assets as that would exceed the limits
on 2100MHz spectrum and would also potentially be a barrier to approval. That
aside, we had expected to see some kind of monitoring regime put in place
specifically for this merger. Market dominance is now effectively in the hands
of two players – Telecom and Vodafone – and TUANZ would have liked to see some
kind of additional monitoring put in place to assure customers that no cosy
duopoly could emerge. Presumably the Commission felt either it couldn’t impose
such a regime or that existing market monitoring was enough.

From the Commission’s press release:

“In reaching its decision, the Commission considered that
the merged entity would continue to face competition from Telecom, as well as
Orcon, Slingshot and other smaller businesses in providing fixed line voice and
broadband services to residential and small business customers”.

The Commission says there was no significant business
overlap between Vodafone and TelstraClear – something that has been painfully
obvious for many years now. Hopefully the two combined together will have the
ability to shake up the market and to challenge Telecom for the number one spot
– a long-held goal of Vodafone CEO Russell Stanners.

Time will tell – and TUANZ will be keen to see the results
of any competitive tension in the market.