Guest post: Privacy and the Law

Guest post from Hayden Glass – Principal with the Sapere Research Group, one of Australasia’s largest expert consulting firms. Thanks to Rick Shera (@lawgeeknz) for instructive conversation.

Part 2

In Part 1 [link] we looked at some aspects of online
privacy. In this article we look at the law.

Can the old dog still

New Zealand’s privacy laws are generally considered to be
pretty sound. The Privacy Act began life in 1993 describing a set of principles
and giving you a bunch of rights in relation to controlling the collection, use
and disclosure of personal information.

information” is defined in the Act as “information about an
identifiable individual”, i.e., information from which you can be
identified. If an agency is collecting anonymous information about your
movements online, that is one thing, but if your online profile grows to the
point that you could be identified from it, the rules in the Privacy Act can
apply. As discussed in part 1, the line between anonymous and identifiable can
be pretty uncertain

The Law Commission looked at the Act in a three-year review
of privacy laws
that was completed in August 2011. It continues to believe
that self-protection is the best protection, but suggests a substantial set of
changes aimed at improving the law including:

* new powers for the Privacy Commissioner to act against
breaches of the Act without necessarily having received a complaint, and
allowing it to order those holding information to comply with the Act or submit
to an audit of their privacy rules, and

* measures to minimise the risk of misuse of unique
identifiers, and require those holding information to notify you if your
information is lost or hacked, and

* controls on sending information overseas.

The government agrees that it is time for substantial
changes to the Act, although it does not agree with everything the Law
Commission has proposed
A new draft Bill is expected next year.

To the ends of the

One obvious issue in the internet age is the lack of match-up
between the international nature of internet services, and laws that are
limited to the borders of any particular nation. A modestly-sized nation at the
end of the world, like New Zealand, has limited ability to influence foreign
organisations who may not have any local presence, although our Privacy
Commissioner has taken action against reputable major players offering services
in this country.

One answer is to harmonise our laws with other countries, or
rely on the big fish to protect our privacy. If the US or the EU forces firms
to improve privacy protections we will benefit. The US Federal Trade Commission
can legitimately argue that its actions will protect users in other countries
(see the summary of a talk from Nethui 2012 here) and
it is focused on this stuff. Vivian Reding, then the
EU Justice Commissioner said that privacy for
European citizens “should apply independently of the area of the world in
which their data is being processed …. Any company operating in the EU market
or any online product that is targeted at EU consumers must comply with EU
rules”. The French data protection agency is investigating Google’s new privacy policy.

Another evident challenge to existing privacy law is to the
notion of “informed consent”. As a legal principle it is fine, i.e.,
your favourite online service has a privacy policy and you consent either
directly to it by checking the box and clicking “I accept” or implicitly
by using their service. So long as the policy does not breach the law and the
service follows their own policy, they are legally blameless.

In practice you likely haven’t read the policy, and you may
not be in a position to avoid surrendering some privacy in any case.
Participating in society increasingly requires online interaction, and any
online interaction will involve sharing some information. Legally operators can
rely on your click to indicate consent to their privacy policy, but in practice
you cannot really withhold it.

One solution could be crowd-sourced reviews of online
privacy policy, or organisations that rate others policies.
There are similar troubles with the terms of licensing agreements to which you
have to consent in order to use software.

Fit for purpose

Users have options to protect themselves online if they care
to. They can avoid being tracked, ensure their privacy settings for social
media services are well considered, disable cookies, turn off javascript, use
fake Gmail or Facebook accounts, use incognito modes on their browsers, access
the online world through a VPN or a range of other things. The Privacy Commissioner
has guidance also. And you either
have now or will soon also have an option to turn on a “do not track
option in your browser, that will
impede the ability of firms to piece together your internet history as you find
your own trail through the online garden.

Sadly users mostly do not avail themselves of these options.
That may be because some impede the internet experience a bit. Or because users
do not care to change their behaviour much despite saying they are worried
about online privacy.

In these circumstances, there will continue to be debate
about how far users can or should take responsibility for their own protection,
and how far the law needs to go. This battle is the natural result of the standard
model for internet services, i.e., if you want free internet services, you need
to realise that your eyeballs are the price. No one should be surprised that
advertisers try to make their services more effective by learning more about
the brains behind those eyeballs.

The Sum of All Our Fears – Privacy in the digital age

Our ideas about
privacy need redefining in the internet age

Hayden Glass is a Principal with the Sapere Research Group,
one of Australasia’s largest expert consulting firms. Thanks to Rick Shera
(@lawgeeknz) for instructive conversation.

I consider myself a fairly typical internet user. Google for
web search, a Gmail account for email, calendar and contacts, the Chrome
browser for surfing, and my Google drive for a whole host of documents stored
and shared in the cloud. On my Android phone I have 60 or so apps installed. I
have no Facebook account, but I am on Twitter. I use Dropbox to share files,
Flickr for my photos, iTunes for music, and Tumblr and WordPress for blogs.
Plus, like the rest of you, I use online banking, shop online, and get my news
nearly exclusively from online sources. I provide my location to make Google
maps work better and also to help get better search results, but I click
“Deny” when my phone gives me the choice to share location with any
particular website.

I am sharing, therefore, quite a lot of information on the
internet. This is an entirely standard way of life. Around 80% of us use the
and 80% of users report using Facebook.

The internet is such a part of daily life that we now share
information unconsciously. Everything we do online creates a record and we
don’t think too much about what happens to it. In US academic Daniel Solove’s
vivid phrase, “data is the perspiration of the Information Age”. Others, like
American computer security specialist Bruce Schneier, think of your
click-stream as a type of pollution, in the sense
that it is created by doing some useful online task but it can have unpleasant side-effects
that need to be managed.

In Part 1 of this post we take a brief look at the online
privacy environment and what makes it different. In Part 2 we will look at
how laws are changing to adapt to it.

Part 1

Something new under
the sun

Problems of information privacy are much more difficult in
the internet age because the internet itself is so widely available, and
information flows on it are difficult to control.

The internet has no borders, and is not based in any
particular country. The location of service providers or users is generally
unimportant: information available in one place is available in all, and it is
difficult to control or trace the flow of data. Content is continually being
added or modified, but content is also persistent, i.e., information that was
once on a website can be searched for and retrieved even after the content of
the site has changed.

The internet is also tricky for governments to control.
There are, of course, still telecommunications operators who connect you to the
internet. They have extensive physical investments,  powerful brands and reputations to uphold. But
service providers who hold information about you are generally not dependent on
individual governments for resources at all. Most of the New Zealand internet’s
most popular services are provided by US firms based in California with servers
all over the world, and with little local presence here. The ability of the New
Zealand government to influence the activities of, say, Facebook is limited,
and given the aterritoriality of the internet, it is often not clear how firms
can navigate the thicket of different national responsibilities.

Privacy, of course, is also a non-internet problem. Those
holding information need to not, for example, lose sensitive government data in
the internal post
, or leave
their computer systems open for members of the public to access.

But often internet users do not realise how much they are
sharing (see these unfortunate Belgians), or what the consequences are.
Facebook stands accused of deliberately making it hard for users to control
their own privacy
and even the most sophisticated can get it wrong, releasing data that they
think is innocuous (like AOL or Netflix)  that turns
out not to be when combined with other public data. See also a local example.

Gold in them thar

The major online services companies have also raised
substantial privacy concerns by mis-estimating what their users are happy with:
cue dismay when Mark Zuckerberg, Facebook CEO, said that his firm was built on
privacy expectations that all users might not share and the furore over changes to Facebook’s privacy settings that have led to EU
and FTC regulatory
, or when Google’s then CEO Eric Schmidt said that if you want to
keep something private online “maybe you shouldn’t be doing it in the
first place”

With all of this information about your online activities
able to be discovered, there is money to be made in sifting through it,tying it
together, and then selling the profiles to online advertisers.

Consider Rapleaf, a US outfit
that matches email addresses with a range of public data including Zip code,
age, income, property value, marital status and whether the person who controls
this email address has children. It claims to have data on over 80% of US email
addresses, and charges 0.5 cents per match.

Or this (registration required), a deal between Facebook and a firm called Datalogix
that allows the site to track whether ads seen on Facebook lead users to buy
those products in stores. Datalogix buys consumer loyalty data from retailers,
and matches email addresses in its database to email accounts used to set up
Facebook profiles.

Generalised concern

It is hardly surprising that people are concerned about
online privacy. Americans say their biggest perceived privacy threat is social
networking services like Facebook and Twitter (they are also worried about
unmanned drones, electronic banking, GPS/smartphone tracking and roadside

New Zealanders are worried too. A Law Commission survey revealed that 84% of respondents were concerned about “the security of
personal details on the internet”, more than were concerned about
“confidentiality of medical records” (78%) or “government
interception of telephone calls or email” (72%).

Expectations of privacy clearly depend a lot on context. Information
I share with my mother I may not wish to share with my friends (sorry guys),
and information I share with my friends I may wish to keep secret from a
potential employer. Information that I directly and intentionally share (e.g.,
via Twitter) is less sensitive than information that I do not know is being
collected. I would consider my browser history, my email and my search history
more sensitive than my purchase history from I am pretty relaxed if
information about these things is used just to target online advertising. I am
less relaxed if these data were put together and used to establish my identity
or calculate my credibility and trustworthiness.

And since my list of privacy preferences will not be the
same as yours, it becomes clear that the question of online privacy is about
the limits of my ability to control the flow of information about me, and my
basic point here is that the internet age means that I have less control than

If users are concerned about control but feel
(and to some extent are) powerless, what help does the law provide? We take up
that story in Part 2.


In Part 1 of this post (link) we look at the historical approach to universal service. Part 2 looks at the future: and in particular at rural broadband.

To its credit, the government has recognised that access to broadband in rural areas is a serious economic and social issue. The Rural Broadband Initiative (RBI) is the response: an industry-funded, government-led programme building faster broadband infrastructure in rural areas. When it is finished 86% of households outside the cities and most rural schools, health centres and public libraries will be able to access fast broadband, mostly within the next two years. Vodafone is building around 150 new sites and securing fibre to more of its towers, and Chorus is building 3,100 kms of new fibre.

The RBI was a big and welcome change in approach on how to to encourage telecommunications companies to provide services in hard to reach areas.

  • The TSO simply imposes the obligations on Telecom (and from 2001 to 2011 required other operators to pitch in to the costs). A similar model operates in Australia, where Telstra has the obligations and the other operators compensate it to the tune of around 50m each year (see the article on Universal Service Obligation here.
  • The RBI is a competitive subsidy model (the money actually comes from the industry itself through a levy), rewarding Chorus and Vodafone, who won the tender, for building networks and providing services in rural areas. The German government has done something similar, requiring bidders for new generation cellphone spectrum to commit to build their networks in rural areas before they are allowed to build them in urban areas (see that story here), implicitly accepting a lower sale price for the cellphone spectrum as the price of universal broadband coverage.

Not only is the RBI a better approach in terms of actually getting services rolled out in rural areas, but it sets a simple and clear standard for minimum broadband services which:

  •  will reach 86% of rural customers, over half of whom will have access to multiple competitors and a choice of technology (copper or wireless)
  • will deliver a peak speed of at least 5 Mbps over wireless (a bit quicker than average fixed broadband services today) and 20 Mbps for copper-based services
  • *will be priced so that services cost the same in both urban and rural areas. 

Four challenges for the review

First, there will be continued pressure from rural customers for better broadband services (see paras 164 to 167 of this Commerce Commission summary. 

This could take the form of a minimum guaranteed broadband service that must be available to all New Zealanders. There was much debate around the RBI as to whether 5 Mbps was fast enough for those customers relying on fixed wireless services (although of course it is a whole lot better than the no broadband at all that many ruralcustomers faced before the RBI came along). The UN has defined broadband as a basic human right, and Finland in 2010 made a rule that all telecommunications operators were required to offer broadband access of at least 1 Mbps.

Competition over the RBI-funded infrastructure should mean that customers willgradually get more bang for their buck – in urban areas competition has meant growing datacaps with broadly static prices. Wireless services have smaller data caps than copper-based services reflecting the higher costs of data on wireless technologies. But new mobile technologies should allow faster wireless data speeds and bigger data caps in due course.

Second, the government’s review will need to consider updating the TSO requirements for the internet age.

Certainly free local calling is heavily utilised – accounting for 29% of all voice minutes in 2011 (see page 11), but if the Commission is right it is holding back competition.

For the growing number of customers who use mostly or only their mobiles,”free” local calling is rather expensive. Other elderly TSO requirements – like not charging more in rural areas than in urban areas, and ensuring Chorus does not shrink its network seem superflous given the developments of recent years.

What to do with the ineffective price cap on basic voice services is trickier. It does not seem to serve customers very well, although clearly it is helpful for the industry to be able to put up prices every year. 

Third, the obligations could be extended beyond just Telecom. With Chorus, the network company, now split from Telecom, the retailer, it doesn’t obviously make sense that the TSO obligations should rest only on Telecom. If Telecom is required, say, to have a standard plan that offers free-local calling as an option, there is no obvious reason why this rule should not apply to other operators as well.

The fourth challenge is ensuring everyone can get decent broadband.

Even after the completion of phase 1 of the RBI there will be coverage and competition black spots. There is a phase 2 of the RBI ably explainedby the Commision in para 159 of this report to reach schools and other priority users that are not at present covered by the RBI or the government’s fibre network (the UFB).

Systematic, public, up-to-date data on remaining areas of trouble could also help – it seems like it would be an easy extension on the government’s broadband map to show people who do not have service at present. This would help operators to figure out the value of network extensions, sharing infrastructure where it makes sense in remote areas. Satellite solutions will work for many. Community self-build solutions like those from Wiz Wireless can also help in some parts of the country.

Over to you

So the ball lies fairly firmly in the government’s court. Its review is required to be completed by the end of 2013.

We wait to see the outcomes with interest. A bold answer would consign the outdated TSO requirements to the dustbin, and ensure a sensible alignment between the TSO and the RBI as we continue to work towards universal broadband.

Hayden Glass is a consultant specialising in telecommunications with the Sapere Research Group, one of Australasia’s largest expert services firms

Guest blog – Where to for universal service

Guest post from Hayden Glass from the Sapere Research Group.

And broadband for all

Now everyone has access to a telephone, the question is how to get everyone great broadband.

Next year, the government will review the rules about universal service, ie, the questions of what minimum level of telecommunications service should be guaranteed to everyone, and how best to make that happen.

The legislation requiring the review is quite specific about what to cover, including whether existing universal service rules are still needed, how they should be delivered on, and funding arrangements.

Successive governments have required Telecom to make basic voice services available to everyone. These historic requirements are now out of date, overtaken by competition and by technology (especially mobile). The real questions for the future are about broadband, as the government’s Rural Broadband Initiative (RBI) recognises.

Part 1 of this post looks at what the universal telecommunications services are, and how the requirements have fared over time.

Part 2 will consider the future, explain why the RBI is a big improvement, and looks at what remains to be done.

What is universal service

The universal service programme in New Zealand suffers under the moniker of the Telecommunications Service Obligation for Local Residential Telephone Service (TSO). Fundamentally its job was to ensure that everyone had access to a fixed-line telephone that they could afford. (There are also separate arrangements for a text relay service for the deaf, confusingly also called a TSO, that are not the subject of this post.)

The latest incarnation of the TSO is a deed (WARNING: PDF) agreed in December 2011 as part of the separation of Telecom and its network arm, Chorus. The TSO imposes four main requirements on Telecom.

* Never raise the price of basic fixed-line phone service for residential customers faster than the rate of inflation, unless Telecom can show its profitability is “unreasonably impaired”.
* Never charge more in rural areas than in urban areas for “basic residential service”, which in effect means Telecom’s standardHomeline service .
* Continue to offer fixed-line phone service to all customers who were connected in December 2001, and
* Provide free local calling as part of the basic phone service for residential customers. Via an exchange of letters with the government in 2000,  Telecom was also required to provide slow-speed dialup services to most customers.

Chorus, the network company, has obligations to maintain its fixed network coverage to ensure that Telecom can continue to meet its obligations.

These obligations have changed only slightly since they were put in place on Telecom’s privatisation in 1989 despite radical changes in the industry in the meantime. The slow-speed dial-up data requirements were put in place in 2001, when Telecom was given the ability to bill its competitors for some of the alleged negative profit impacts of having to meet these obligations. The Commerce Commission checks each year whether the obligations have been met .

The 2001 requirement for the industry to compensate Telecom was never going to be a popular policy in the industry. It led to a verylong-running legal dispute eventually won by Vodafone, although as between Telecom and Vodafone the case had already been settled before the last court decision came out. Vodafone was essentially arguing that the Commission had not followed the law properly and as a result had substantially overstated the cost of the TSO obligations for Telecom. Soon after, the government announced it would get rid of the contribution system, particularly in light of evidence cited by the government that Telecom had not spent the money it had been given by Vodafone and others on rural network infrastructure in any case.

Universal service anyway

The TSO obligations have worked so far as they went, ie, the fixed-line network is as no smaller than it was in 1989, the price of basic fixed-line phone has gone up at almost exactly the rate of inflation, and free local calling remains part of Telecom’s Homeline package (as seen in the Commerce Commission’s helpful report).

But thanks to competition and technological change, these obligations are now chronically out of date.

* Ensuring access to a fixed-line telephone is no longer the problem. Just about everyone has access to a fixed line and a mobile phone, coverage continues to expand through competition, philanthropy (Vodafone’s community tower build programme), and the RBI, and local calls are cheaper and cheaper on prepay mobile plans with no minimum spend.

* The price cap on residential phone service was insufficiently tough in the first place. The Commerce Commission thinks that free local calling has retarded competition, and that New Zealand has one of the highest prices for standard residential service in the OECD. The price of standard residential phone services has risen even while prices for other phone services have collapsed.  Local calling is only “free” for customers who pay the high monthly fee, which might be why the now-renamed Ministry of Economic Development calls it “charge-free local calling“.

In short, the existing TSO is a solution to a problem that no longer exists. The real issue now is broadband for everyone. As we shall see in Part 2.

Hayden Glass is a consultant specialising in telecommunications with the Sapere Research Group, one of Australasia’s largest expert services firms.