Guest Post: Another loss for Fortress Google

Michael Wigley is one of the tech-industry’s leading legal lights and has worked with TUANZ on any number of issues over the years. Here’s his view on the Google/EU privacy debate, cross posted with permission from Wigley+Company’s newsletter.

Google’s “Do no evil” mantra is being challenged ever more. It’s no surprise Google is increasingly on the losing end of court and regulatory action as it exercises its market power. Despite Google’s protestations that Europe has overstepped the mark last week, in an EU court decision requiring Google to remove certain personal information under data protection legislation, the European approach is sensible and forces Google to do what it and others should be doing anyway.

This is far from chilling freedom of speech. We summarise the European decision and show why it makes sense, and we suggest what might happen in New Zealand.  First though we talk about regulatory risk for those in a dominant position. Google gives the impression of adopting a siege approach in circumstances where increased regulatory focus is inevitable. For a time, that can work for firms with substantial market power. But often the better strategy is to proactively fend off regulatory intervention by doing more things in, and that appear to be in, consumers’ and competitors’ interests.

Google – siege or rapprochement?

Google Inc has a corporate structure that makes it difficult to be sued, with carefully set up separate subsidiary companies in countries, and difficult communication channels, as we’ve seen from our clients’ experiences. And it has continued to expand its commercial dominance by its strategies.

This can work well initially for those in dominant positions. It can be difficult to trim back dominant firms. But there comes a time when such an approach bounces back on dominant firms, and regulators and other stakeholders step in assertively, as is now happening to Google across a range of fronts.

 Google win is little comfort for Google, media and content carriers

Google’s competition law exposure shows how the decision making on what a dominant firm should do can be hard. The US regulator decided not to sue Google for abuse of dominant position.

But the European regulator would have none of that and it appears that it would sue, unless Google did a deal pulling back from particular dominant positions. In February 2014, the EU announced that it would proceed down the path of agreeing concessions by Google by way of commitments made by Google. What would have been the best strategic and tactical approach for Google? To push ever harder into dominance or to take some voluntary steps to pull back (possibly steps that have the look and feel of pulling back but don’t have much adverse impact on Google).

Hard calls, often made, we think, by firms which do not see the bigger picture as part of that myopic siege mentality that happens in dominant firms. For all we know, Google might have its balance for its internal purposes about right.

Another loss for fortress Google

We don’t know the full story. But one of the big internal challenges for dominant firms is to make the decisions having regard to the broader picture and the risks. Difficult to do from within the fortress.

The privacy case that Google has lost

In 1998, a newspaper had published details of a debt collection process against a Spanish man.

12 years later, he sought a direction that Google take down the link to the page in the newspaper. Google refused, and the Spanish courts asked the European Court of Justice to decide how the EU data protection directive should apply.

That court decided, that, even though the Google search engine only collects and indexes web site-sourced information, it is still “processing…  personal data” and so the directive applies.

US based Google Inc runs the search engine, not local Google subsidiaries such as Google Spain. Google argued it was outside the coverage of the EU directive as it was based outside Europe.

Google Inc was seeking to take advantage of its careful delineation between search engine services (Google Inc’s services) and local Google companies.

The Court didn’t accept that; based on the wording of the directive, the court was able to  say that Google Spain, in taking ads in Spain with those ending up on the Google search pages, was enough to constitute Google Spain as part of Google Inc for these purposes. To decide otherwise would have been contrary to the context and purpose of the directive.

The next issue for the court was what Google must do when someone requests that personal information is removed from the Google search results. The court said that this should be decided based on a fair balance between:

·         The legitimate interests of internet users in having access to the information; and

·         The person’s fundamental rights such as in relation to privacy and the protection of personal data.

As a general rule, said the court, the individual’s own rights override the interests of internet users. But this depends on the nature and sensitivity of the information, and the public’s interest (which is an interest that may vary according to the role played by the individual in public life). Notably, the court said that Google’s commercial interests alone do not justify interference with the individual’s data protection and privacy rights.

While information can, initially, legitimately be on the Google search results, over time, some information should no longer be there, said the court. It could have become inadequate, irrelevant, or excessive given the original purpose and the time that has elapsed. On request by the individual, Google must consider removing the information, by weighing up the position, having regard to factors such as whether the individual is prominent in public life (where it is less likely the information must be removed). If Google doesn’t remove the material, the regulating bodies can do so.

All that seems to be a sensible balance between competing rights. This is very far removed from a chilling effect on freedom of speech. Google’s arguments to that effect do not pass muster and privacy rights substantially outweigh those interests. In this case, for example, the information was 12 years old. Google not seeing that having such old information removed as reasonable is concerning and does not show sufficient regard for others. What if a Google search of your  name revealed debt recovery information about you 12 years ago, even though you have asked for it to be removed? Fair and appropriate?

The final decision on this particular information is to be made by the Spanish courts but the big decision is that of the European Court of Justice. Google must now have systems to deal with requests. So must other providers.

What might happen in NZ?

The EU judgment was heavily dependent on interpretation of specific words in legislation, although context was key. The NZ regime derives also from OECD guidelines and the context is similar. The principles in our Act are capable of being applied in similar ways, save as to the international application of the Act.

It might also be argued that Google (and other website operators) have a proactive obligation to remove information past a use-by date: information that is no longer necessary to be retained for the purposes it was collected. That would extend beyond removal only on request. It may well be that news media exceptions will not be applicable to much of this information.

There are complexities and facts specific to each case so we don’t venture complete views.

How the Act and other privacy and confidentiality law applies to offshore companies raises its own set of issues. For example, s 4(3) of the Privacy Act might apply. Where information is held by a company “for the sole purpose of processing the information on behalf of another agency…. the information shall be deemed to be held by the agency on whose behalf that information ….is so processed.”

Companies like Google typically use caches and content distribution network services in NZ, often contracted out to companies like Akamai. If Google is doing something like this, that might overcome Google Inc’s careful separation away from NZ and its NZ related company, Google NZ. Google Inc might have to comply by this or other means. But that requires more detail. 

Nothing to hide but plenty I don’t want to share

I’ve had a number of discussions about online privacy,
security and matters of this sort over the past few months.

All too often I’m faced with someone who says “I have
nothing to hide” and who seems to be quite willing to put up with government
invasion of his or her privacy.

I don’t have anything to hide either, but I do keep some
things to myself. I won’t list them but trust me, they’re better off being
conducted behind closed doors with the lights off.

On top of that, I have other things I like to keep private.
My financial matters are nobody’s business but mine and the bank’s. My health
records are likewise quite important to me. Which books I get out of the
library, where I spend my money, who I call and TXT.

As a former journalist the recent spate of attacks on a
reporter’s freedom to do their job irks me. All too often I hear from readers
(or viewers) bemoaning the state of journalism in New Zealand and I tend to
agree. Today I met with an old colleague and we talked about how many of us
there were at Computerworld in its
heyday. We had 11 journalists working on a niche publication – other newsrooms
had far more. Today, the newsrooms have shrunk dramatically, the pay rates are
stagnant and each reporter is expected to churn out more copy with less time to
do it properly.

The one thing a journalist has in his or her favour is the
ability to ask questions and to get answers from people who may not want their
names splashed about the place. Journalists need access and they need privacy
in order to secure the news that quite often someone doesn’t want you to know

Journalism comes in for a lot of flak for its invasive,
intrusive nature and rightly so. I managed to avoid ever having to ask “How do
you feel” or its bedmate, “Will you apologise?” but there are plenty of
journalists who employ such phrases and far worse. I know of at least one who
likes to goad interview subjects to the point of cracking in order to get a more
salacious story and several have been known to deploy much worse tactics in
order to secure a scoop.

But “keeping the bastards honest” is at the heart of any
good journalist’s role. “Afflict the comfortable and comfort the afflicted” is
one of my favourite definitions of the job of journalist (and check out the link to see who said it – oh the irony), but in this case
perhaps there’s a better one: “News is what somebody does not want you to
print. All the rest is advertising.”

It’s vital we have a strong media that can ask questions that
someone somewhere doesn’t want answered. My hat is off to the likes of Lisa
Owen at TVNZ who once served her own organisation with an Official Information
Act request and to Andrea Vance who got the government’s report into the GCSB
ahead of time and ran a story exposing the information before the government
spin doctors had all their ducks in a row.

That’s why privacy, security and our right to know are
inextricably linked. That’s why it’s important we understand how well the
government handles our data, and what limits are put in place, and why it’s
important we understand the GCSB and associated legislation.

These laws give the government security agencies
unprecedented powers of access to our daily lives. I may not have anything to
hide, but I have plenty I don’t want to share and if I do, I want to know it
will be handled with all due care and diligence.

Unfortunately, the government (in various guises) does not
have a good track record on this score. Take a look at this list and then tell
me – do you think we should give the government agencies more access to our

July 2012 – Immigration privacy breach results in staff being fired

March 2012 – ACC spreadsheet debacle

October 2012 – MSD kiosk debacle

November 2012 – Immigration privacy breach

November 2012 – Novopay sends wrong information to multiple

December 2012 – Corrections faxes sensitive data to removals

March 2013 –  Ministry of Environment email breach

April 2013 – EQC privacy breach twice

April 2013 – IRD privacy breach

April 2013 – Ministry of Justice security flaw revealed (and a note from IITP about white hat hackers)

April 2013 – GCSB “Kitteridge report” leaked

May 2013 – WINZ privacy breach 

June 2013 – Peter Dunne resigns

July 2013 – Journalists described as “subversion” threat to New
Zealand Defence Force

July 2013 – Andrea Vance’s access records handed to PM’s investigator

July 2013 – Andrea Vance’s phone records handed to PM’s
 (and here’s a very good time line of events from Dylan)

August 2013 – Govt admits SIS has a “special protocol” for
spying on journalists

Sundry other “minor” breaches that involved only one or two people’s private information.

The Privacy Commissioner’s annual report last year includes this quote from Marie Schroff and it’s worth repeating here: 

“The public sector can’t afford to be complacent. It’s quite clear that agencies holding large amounts of personal information need to place greater value on that information asset.

“They need to develop strong leadership and a culture of respect for privacy, as well as day to day policies and practices to provide trustworthy stewardship of our personal information at every level of the organisation.

“There has been far too little focus on the fact that there are real people behind the masses of information that government agencies hold.”


Electronic McCarthyism

The government’s committee looking after the GCSB bill has
reported back and made very few changes in light of the overwhelming opposition
to the law change.

Currently opposed to the bill are the Privacy Commissioner,
the Human Rights Commission, InternetNZ, the Law Society, dozens of individual
submitters, the Labour party, the Green party, possibly NZ First and of course

In favour of the bill is the government and, presumably, its
security allies the US, Australia, the UK and Canada.

Increasingly, New Zealand trades with China, yet it is China
that is specifically listed as a potential threat from what we can read of the
advice to government over this bill and its sister, the Telecommunications
(Interception and Security) Bill which is still proceeding unhindered through
the political process, albeit “under urgency”.

We have a number of issues with the two bills, not least of
which is the cost it will impose on the industry and which will, inevitably, be
passed on to customers.

Under the bills, not only will the telcos be required to
store information they normally wouldn’t bother with, but they’ll also be
required to consult with the GCSB over changes to the network up to and
including which vendors they wish to use.

Assume for a moment that Chinese company Huawei is making
huge inroads into network deployments around the world and that US companies
are upset by this. Assume that Huawei is providing a better product at a
cheaper price and is currently engaged by all our major telcos in one form or
another. Assume that the GCSB still thinks China is the enemy and that Huawei
is a puppet of the Chinese political system.

What will that mean for our future network deployments?

Will Telecom, Vodafone, 2Degrees, Orcon and Slingshot and
all the rest be forced to use non-Chinese technology?  Will they be required to only use “friendly”
technology providers, even if the cost is 20% more and the deployment that much

Will the GCSB balk at a request from a telco to move to technology
that passes email and TXTs through the network rather than decrypting and
storing them for future retrieval?

Will the GCSB ban Apple or Google or any other provider from
selling certain “uncrackable” products in New Zealand or ban New Zealand companies
from developing similar products for sale overseas?

In decades to come, will the GCSB be able to trawl through a
political leader’s entire online history looking for signs of being a teenager
in order to embarrass or block that person from office?

If all that seems unlikely to you then you’ll have no
problem with the bills as they stand. But even then there’s a problem.

The US Electronic Communications Privacy Act (ECPA)
specifically excludes US-based companies from providing the kind of support the
GCSB and TICS bills demand. Under this law it is illegal for US-based companies
to provide foreign intelligence services with access to such customer data.

So even if these bills are introduced, Google and Apple,
Microsoft and all the rest will be unable to comply without facing legal action
in the US, presumably from the US government itself.

We’ve not been shown any pressing need to change our laws,
and most New Zealanders it seems are unhappy about the level of intrusion into
their lives these bills represent.

Just as difficult is the position it puts New Zealand in
with regard to both our trading partner, China, and our security partner, the
United States.

We don’t need to rush into a decision. There is no “clear
and present danger” that requires New Zealand to enact these laws without first
considering the obvious ramifications both at home and abroad. We need to get
this kind of thing right, because the consequences are grave indeed.


Quis custodiet ipsos custodes

I’ve spent the past few days talking to various journalists about the GCSB, Big Brother and spying on citizens.

To be honest, I’m a tad uncomfortable with the whole thing. Spies, spooks and state surveillance are a bit “tin foil hat” for my liking. I’ve had several emails and phone calls to the effect that I should watch out for black helicopters and that the only thing stopping the drone strike is my cellphone dropping out (seriously, what is that about? Central Auckland, no less).

In a theoretical world, the spies would spy on high priority folk like diplomats and bomb makers and other spies. They’d have secret alliances and counter-alliances and no doubt secret handshakes as well. We commoners would be below the radar and we’d be left alone to get on in peace.

In a theoretical world, we wouldn’t be bothered by any of this kind of nonsense and the only time we’d care is when the spies leave their briefcases (complete with meat pies, copies of Playboy and a file marked “TOP SECRET”) in a taxi in Wellington somewhere. Then we’d all have a laugh and go back to work.

Sadly we don’t live in such a world. Instead, we face a security service that seems keen on the idea of storing all our online communications in perpetuity on the off chance that some years from now they might want to have a poke around and pull something out that could be juicy enough to justify their endeavours. It could be a politician who is making life difficult for them, it could be a department head they’d rather see the back of, it could be a journalist who has a source and won’t say who it is.

Just as bad, if not worse, is the model that this surveillance will take. Instead of user pays, the expectation is that the telcos will have to pay for it. Store every email, TXT message and the “metadata” about every phone call? No problem – make the telcos do it. They won’t want to keep that kind of information, of course. TXT messages alone take up terabytes of space and it’s only growing. Apparently the world’s data doubles every two years – currently (according to the internet so it must be true) we have around 1.8 zettabytes of data. I have no idea how many zeros that is but the handy graphic says it’s roughly 200 billion HD movies each running for two hours.

Storing all the transient stuff (typically the “metadata” that the spooks like because they can access it without a warrant in the US) is non-trivial and is a cost the telcos wouldn’t carry other than at the behest of the government. We will end up carrying that cost, of course, because telcos pass on costs to customers.

And really, do you want a spy agency bogged down with petabytes of cat videos, Facebook postings and tweets about breakfast? Wading through that lot is also non-trivial and frankly just asking for trouble.

I also wonder just what heinous crime has been committed against New Zealand’s sovereignty that requires such a drastic step as spying on every New Zealander’s online lives. Did I miss the terrorist strike? Is Tasmania poised to invade us? Did a secretive German industrialist set up shop in New Zealand with a plan for world domination? Other than the ones we know about, obviously.

I can think of no rationale for a system that allows intelligence agencies (through a legal sleight of hand) to gather and retain information about my day to day life.

This then is the reason I’m opposed to increasing our own intelligence agencies’ abilities in this area. It isn’t based on practical matters such as cost or signal-to-noise ratio. It’s based on the basic premise that we are innocent until proven guilty and that government in all its various forms should keep its nose out of my business, regardless of how banal or tedious my life actually is.

The new GCSB bill and Telecommunications Interception bill are before parliament at the moment. Submissions on the Interception bill are due by the 13th of June and given the news breaking in the US and UK this week we’ve asked for an extension to that time line so we can better understand just what these two bills mean for New Zealanders. It’s important we get this right as there are a lot of moving parts so we need the extra time to really come to grips with just what is being proposed. Is it going to be a police state or will we retain our right to privacy. That’s what’s at stake here.

The Telecommunications Interception Capability and Security Bill

UPDATE: I’ve been emailed by the Ministry to tell me I’ve got parts of this wrong – as I said, it’s a first take on the bill and I’m still working through all the ramifications so that’s not surprising.

I’ve included the changes and clarifications the Ministry has suggested below.

I’m working my way through the new Telecommunications
Interception Capability and Security Bill
(known as TICSA) and although I’m not
done yet, there are a few issues that we need to discuss.

Basically this bill will allow the security agencies to
spy on phone calls, TXT messages, emails and other data transfers, much as they
do today under our existing law.

(EDIT: The Ministry points out that this bill is about the telcos, not the agencies themselves, and the obligations placed on the telcos themselves. Well, yes).

The current Act, in place since 2006 (EDIT: Actually, 2004) allows the security
services to contact a telco and demand they make certain communications
available to the authorities. They must have a warrant to do this – you can’t
just ring up like they do in the movies and get someone to dig around a bit.
None of the telcos would stand for that.

The Act has been working well, but apparently there are
enough issues with it to require an update – hence the new bill.

The bill deals with two key issues – network management
and interception.

Network management is new – under this proposed bill the
telcos must work with GCSB when deploying their networks, must agree to consult
with the GCSB with regard to key decisions that may affect national security
(or, I’m alarmed to read, New Zealand’s economic wellbeing, which frankly is
quite a broad addition to the old regime) and must agree to inform the GCSB
whenever it makes changes to the network that may impact on national security
(or again on our economic wellbeing).

(EDIT: The Ministry says network management is not new, that in fact the GCSB works in partnership with network operators today. That’s as may be, but the emphasis from the new bill is new and the explicit formalisation of the relationship goes beyond what is contained in the current bill)

EDIT: The Ministry says the bill:

requires network operators to engage in good
faith with the government on the design, build and operation of networks where
this may affect New Zealand’s national security or economic wellbeing;

requires network operators to notify the GCSB of
certain proposals such as procurement decisions or changes in relation to areas
of particular national security interest (those areas are set out in the Bill);

sets out a stepped process for network operators
and the government to agree, where possible, on the response to an identified
network security risk).

Does this mean the GCSB will be directing the telcos in
their network rollouts? Does it mean certain vendors will be unable to provide
gear for certain parts of the network? Does it mean those telcos that already
use a certain provider (I’m thinking here specifically of Huawei but it could
be anyone) be excluded from certain key government contracts?

This rings alarm bells for me because any government
involvement beyond wanting to simply use the networks is fraught. These are
commercial entities that already face challenging economic times and adding in
yet another layer of complexity is far from ideal.

The other half other half of the bill covers interception
and the idea that the telcos must make their networks “able to be
intercepted” should the need arise.

(EDIT: The Ministry would like me to point out that the current bill requires telcos to work with government agencies. Yes, that’s a given – I’m not suggesting they aren’t already doing some of this.)

Here I must confess to some moral ambiguity. On the one
hand, government-led security services have no business demanding we hand over
anything that may incriminate us. If the police (or SIS or GCSB) want to prove
I’m breaking the law then it’s up to them to prove it. I should not, as an
individual, be required to help. I’m innocent until proven guilty – that is,
unless I own a computer and then I’m required by law to help the police find
evidence to convict me.

Think I’m making that up? It’s part of the Crimes Act,
introduced post 911 to help police get round the tricky business of people
using this newfangled “encryption” stuff to hide their crooked
business dealings.

For me, this is taken to a whole new level by the
requirement on telcos that their networks be made “able to be
intercepted” (is that “interceptable”? Computer says no). Now my
telco is required to help the police prove I’m a criminal. This upsets me
greatly, not because I am a criminal but because I shouldn’t have to prove that
I’m not.

Having said that, I know the police have solved some
fairly major crimes by having access to telco records and I know that the
creation of the internet has been one of the biggest boons in policing of those
responsible for child pornography. The internet is a giant copying machine and
anyone sharing objectionable material leaves a trail a mile wide.

So I’m torn on the general need for interception at this
level. It also annoys me that the security services are, in effect, outsourcing
the entire thing to the telcos and demanding that the telcos spend money on
staff and technology which, if left to their own devices, would not be needed
in the day-to-day commercial running of the network. These things all add cost
to the network operators’ budgets and it’s a cost that doesn’t deliver a return
so it will indeed get passed on to users, yet again.

The bill introduces a multi-stage approach to defining
its telcos. If you’re a small operator or a wholesale-only operator, the
interception requirement is less than if you’re a fully-fledged telco with lots
of customers. You’re only required to make your network “intercept
ready” or “intercept accessible” whereas the big telcos have to
provide the full intercept capability. Oh and the minister (one of three
ministers) can decide which category you fall into as the need arises.

The law also says it applies to companies based in New
Zealand or overseas, which is entertaining. Quite how the bill can be applied
to, say, a VPN service based in Uzbekistan is an interesting one, but this
catch-all concept means that the new TICSA will be applied to Facebook, Google,
Yahoo and all the other “over the top” providers (including
presumably Skype and Viber) as well.

Apparently the security agencies already deal with such
offshore entities whenever they need to, but this bill will formalise that

Curiously, the bill also gives the government the ability
to ban a product if the government decides it can’t be made interceptable.
Imagine, if you will, the TUANZ encrypted email and storage service that makes
sure your highly sensitive documents are stored and transmitted with the
greatest of encryption levels. If the security agencies decide that’s going to
be a problem, the government will simply ban us from offering it.

Interestingly, they won’t necessarily tell me about it
(if TUANZ was based off shore) but rather would tell the telcos and ISPs in New
Zealand that it was banned, because they would be deemed to be
“reselling” the service, even though all the ISP are doing is giving
my customers access to the service. And if they don’t remove the service from
“sale” in New Zealand they’re liable for fines that accumulate on a
daily basis.

On top of all that, we have a police-held register of
ISPs and telcos, which must be kept up to date at all times. Yes, we’re getting
a “licensed ISP” regime without any of the benefits.

All of this concerns me. We’ll need to submit on it, if
the government opens up the bill to public submission (something it may choose
to avoid). While I’m always wary of getting involved in any conversation about
security agencies and various tin-foil hat (black tin-foil hat, no less)
conspiracies, I do object to having my right to privacy treated in a cavalier
manner. Hopefully we can make some suggestions that will improve this bill
before it’s passed into law.

For more reading on this I suggest you have a look at
Thomas Beagle’s excellent piece over at Tech Liberty. Thomas is a much faster
reader than I am and he’s done a good job of working through the various parts
of the bill. We’ll need to do a lot more of that before the government gets to
decide on interception of our communications.

Privacy Commissioner issues guidance on SME and cloud computing

the right choices in cloud computing – new Privacy Commissioner guidance


February 2013

The Privacy Commissioner today released
guidance material for small to medium sized businesses (SMEs), to help them
protect personal information when using cloud computing.

 “Businesses today are increasingly
turning to cloud computing, but many are flying blind with the range of
options, providers and risks. Shifting to the cloud can often make really good
sense. But responsible businesses will always want to be sure that their client
and staff information will be safe. We saw a gap in the guidance that was
available,” Privacy Commissioner Marie Shroff said today.

“The reality is you’re still responsible
for what happens to your customers’ information in the cloud. You are going to
be the one answering the questions about what went wrong if there’s a privacy
breach. A loss of customer trust will directly hit a business’ bottom line, so
a lot of SMEs are nervous about using the cloud.  But sometimes they’re
too nervous – the risks may be easier to manage than they think.

“Deciding whether to move to the cloud is a
business decision that depends on a variety of factors – but businesses don’t
necessarily have time to put together a checklist for themselves. So we’ve developed some guidance, including a list that sets out the most important
questions for SMEs to think about, and ask prospective cloud providers about.”

Some questions to ask providers are:

          types of


Developing the guidance

“We started by talking to some NZ
businesses and government agencies to see how they were using the cloud, and
work out where the information gaps might be. We’ve also consulted those
businesses and agencies in developing the guidance. We welcome feedback to help
us ensure that the guidance remains up to date and useable throughout the
business and government community,” Marie Shroff said.

The Commission’s guidance on SME and cloud computing can be found here (WARNING: PDF)

Guest post: Privacy and the Law

Guest post from Hayden Glass – Principal with the Sapere Research Group, one of Australasia’s largest expert consulting firms. Thanks to Rick Shera (@lawgeeknz) for instructive conversation.

Part 2

In Part 1 [link] we looked at some aspects of online
privacy. In this article we look at the law.

Can the old dog still

New Zealand’s privacy laws are generally considered to be
pretty sound. The Privacy Act began life in 1993 describing a set of principles
and giving you a bunch of rights in relation to controlling the collection, use
and disclosure of personal information.

information” is defined in the Act as “information about an
identifiable individual”, i.e., information from which you can be
identified. If an agency is collecting anonymous information about your
movements online, that is one thing, but if your online profile grows to the
point that you could be identified from it, the rules in the Privacy Act can
apply. As discussed in part 1, the line between anonymous and identifiable can
be pretty uncertain

The Law Commission looked at the Act in a three-year review
of privacy laws
that was completed in August 2011. It continues to believe
that self-protection is the best protection, but suggests a substantial set of
changes aimed at improving the law including:

* new powers for the Privacy Commissioner to act against
breaches of the Act without necessarily having received a complaint, and
allowing it to order those holding information to comply with the Act or submit
to an audit of their privacy rules, and

* measures to minimise the risk of misuse of unique
identifiers, and require those holding information to notify you if your
information is lost or hacked, and

* controls on sending information overseas.

The government agrees that it is time for substantial
changes to the Act, although it does not agree with everything the Law
Commission has proposed
A new draft Bill is expected next year.

To the ends of the

One obvious issue in the internet age is the lack of match-up
between the international nature of internet services, and laws that are
limited to the borders of any particular nation. A modestly-sized nation at the
end of the world, like New Zealand, has limited ability to influence foreign
organisations who may not have any local presence, although our Privacy
Commissioner has taken action against reputable major players offering services
in this country.

One answer is to harmonise our laws with other countries, or
rely on the big fish to protect our privacy. If the US or the EU forces firms
to improve privacy protections we will benefit. The US Federal Trade Commission
can legitimately argue that its actions will protect users in other countries
(see the summary of a talk from Nethui 2012 here) and
it is focused on this stuff. Vivian Reding, then the
EU Justice Commissioner said that privacy for
European citizens “should apply independently of the area of the world in
which their data is being processed …. Any company operating in the EU market
or any online product that is targeted at EU consumers must comply with EU
rules”. The French data protection agency is investigating Google’s new privacy policy.

Another evident challenge to existing privacy law is to the
notion of “informed consent”. As a legal principle it is fine, i.e.,
your favourite online service has a privacy policy and you consent either
directly to it by checking the box and clicking “I accept” or implicitly
by using their service. So long as the policy does not breach the law and the
service follows their own policy, they are legally blameless.

In practice you likely haven’t read the policy, and you may
not be in a position to avoid surrendering some privacy in any case.
Participating in society increasingly requires online interaction, and any
online interaction will involve sharing some information. Legally operators can
rely on your click to indicate consent to their privacy policy, but in practice
you cannot really withhold it.

One solution could be crowd-sourced reviews of online
privacy policy, or organisations that rate others policies.
There are similar troubles with the terms of licensing agreements to which you
have to consent in order to use software.

Fit for purpose

Users have options to protect themselves online if they care
to. They can avoid being tracked, ensure their privacy settings for social
media services are well considered, disable cookies, turn off javascript, use
fake Gmail or Facebook accounts, use incognito modes on their browsers, access
the online world through a VPN or a range of other things. The Privacy Commissioner
has guidance also. And you either
have now or will soon also have an option to turn on a “do not track
option in your browser, that will
impede the ability of firms to piece together your internet history as you find
your own trail through the online garden.

Sadly users mostly do not avail themselves of these options.
That may be because some impede the internet experience a bit. Or because users
do not care to change their behaviour much despite saying they are worried
about online privacy.

In these circumstances, there will continue to be debate
about how far users can or should take responsibility for their own protection,
and how far the law needs to go. This battle is the natural result of the standard
model for internet services, i.e., if you want free internet services, you need
to realise that your eyeballs are the price. No one should be surprised that
advertisers try to make their services more effective by learning more about
the brains behind those eyeballs.

The Sum of All Our Fears – Privacy in the digital age

Our ideas about
privacy need redefining in the internet age

Hayden Glass is a Principal with the Sapere Research Group,
one of Australasia’s largest expert consulting firms. Thanks to Rick Shera
(@lawgeeknz) for instructive conversation.

I consider myself a fairly typical internet user. Google for
web search, a Gmail account for email, calendar and contacts, the Chrome
browser for surfing, and my Google drive for a whole host of documents stored
and shared in the cloud. On my Android phone I have 60 or so apps installed. I
have no Facebook account, but I am on Twitter. I use Dropbox to share files,
Flickr for my photos, iTunes for music, and Tumblr and WordPress for blogs.
Plus, like the rest of you, I use online banking, shop online, and get my news
nearly exclusively from online sources. I provide my location to make Google
maps work better and also to help get better search results, but I click
“Deny” when my phone gives me the choice to share location with any
particular website.

I am sharing, therefore, quite a lot of information on the
internet. This is an entirely standard way of life. Around 80% of us use the
and 80% of users report using Facebook.

The internet is such a part of daily life that we now share
information unconsciously. Everything we do online creates a record and we
don’t think too much about what happens to it. In US academic Daniel Solove’s
vivid phrase, “data is the perspiration of the Information Age”. Others, like
American computer security specialist Bruce Schneier, think of your
click-stream as a type of pollution, in the sense
that it is created by doing some useful online task but it can have unpleasant side-effects
that need to be managed.

In Part 1 of this post we take a brief look at the online
privacy environment and what makes it different. In Part 2 we will look at
how laws are changing to adapt to it.

Part 1

Something new under
the sun

Problems of information privacy are much more difficult in
the internet age because the internet itself is so widely available, and
information flows on it are difficult to control.

The internet has no borders, and is not based in any
particular country. The location of service providers or users is generally
unimportant: information available in one place is available in all, and it is
difficult to control or trace the flow of data. Content is continually being
added or modified, but content is also persistent, i.e., information that was
once on a website can be searched for and retrieved even after the content of
the site has changed.

The internet is also tricky for governments to control.
There are, of course, still telecommunications operators who connect you to the
internet. They have extensive physical investments,  powerful brands and reputations to uphold. But
service providers who hold information about you are generally not dependent on
individual governments for resources at all. Most of the New Zealand internet’s
most popular services are provided by US firms based in California with servers
all over the world, and with little local presence here. The ability of the New
Zealand government to influence the activities of, say, Facebook is limited,
and given the aterritoriality of the internet, it is often not clear how firms
can navigate the thicket of different national responsibilities.

Privacy, of course, is also a non-internet problem. Those
holding information need to not, for example, lose sensitive government data in
the internal post
, or leave
their computer systems open for members of the public to access.

But often internet users do not realise how much they are
sharing (see these unfortunate Belgians), or what the consequences are.
Facebook stands accused of deliberately making it hard for users to control
their own privacy
and even the most sophisticated can get it wrong, releasing data that they
think is innocuous (like AOL or Netflix)  that turns
out not to be when combined with other public data. See also a local example.

Gold in them thar

The major online services companies have also raised
substantial privacy concerns by mis-estimating what their users are happy with:
cue dismay when Mark Zuckerberg, Facebook CEO, said that his firm was built on
privacy expectations that all users might not share and the furore over changes to Facebook’s privacy settings that have led to EU
and FTC regulatory
, or when Google’s then CEO Eric Schmidt said that if you want to
keep something private online “maybe you shouldn’t be doing it in the
first place”

With all of this information about your online activities
able to be discovered, there is money to be made in sifting through it,tying it
together, and then selling the profiles to online advertisers.

Consider Rapleaf, a US outfit
that matches email addresses with a range of public data including Zip code,
age, income, property value, marital status and whether the person who controls
this email address has children. It claims to have data on over 80% of US email
addresses, and charges 0.5 cents per match.

Or this (registration required), a deal between Facebook and a firm called Datalogix
that allows the site to track whether ads seen on Facebook lead users to buy
those products in stores. Datalogix buys consumer loyalty data from retailers,
and matches email addresses in its database to email accounts used to set up
Facebook profiles.

Generalised concern

It is hardly surprising that people are concerned about
online privacy. Americans say their biggest perceived privacy threat is social
networking services like Facebook and Twitter (they are also worried about
unmanned drones, electronic banking, GPS/smartphone tracking and roadside

New Zealanders are worried too. A Law Commission survey revealed that 84% of respondents were concerned about “the security of
personal details on the internet”, more than were concerned about
“confidentiality of medical records” (78%) or “government
interception of telephone calls or email” (72%).

Expectations of privacy clearly depend a lot on context. Information
I share with my mother I may not wish to share with my friends (sorry guys),
and information I share with my friends I may wish to keep secret from a
potential employer. Information that I directly and intentionally share (e.g.,
via Twitter) is less sensitive than information that I do not know is being
collected. I would consider my browser history, my email and my search history
more sensitive than my purchase history from I am pretty relaxed if
information about these things is used just to target online advertising. I am
less relaxed if these data were put together and used to establish my identity
or calculate my credibility and trustworthiness.

And since my list of privacy preferences will not be the
same as yours, it becomes clear that the question of online privacy is about
the limits of my ability to control the flow of information about me, and my
basic point here is that the internet age means that I have less control than

If users are concerned about control but feel
(and to some extent are) powerless, what help does the law provide? We take up
that story in Part 2.