New articles discussing technology, privacy, security and civil liberties are now posted on the NZ Council for Civil Liberties website.
This site will be kept operational to provide access to the archive.
Edited text of a speech given by Thomas Beagle at the launch of What If – “an education and action campaign working to stop data collection and sharing by the NZ State and private corporations for the purposes of social control and exploitation, and working for community control of information resources for the benefit of all”.
The technocrats have a utopian view of our data driven future. As the NZ Data Futures Forum puts it, they plan to “unlock the latent value of our data assets and position us as a world leader in the trusted and inclusive use of shared data to deliver a prosperous society.”
Indeed, is there anything that government and business couldn’t do if they had enough data and some smart people to analyse it?
Now, this is going to require a lot of data. And when you’re collecting a lot of data you’ve got to make sure that it’s accurate.
One of the things that’s particularly important is making sure that we have the right person. There’s no point in targeting John Andrew Smith with a medical checkup when it’s actually John Adam Smith whose genetic analysis shows their predisposition to a particular condition.
Wouldn’t it be easier if everyone in the country had a single electronic identity, one that we could use as a digital key across all these systems to ensure that we had the right person?
And this is where RealMe comes in. It’s a joint venture between the Department of Internal Affairs and NZ Post and, in their own words: “RealMe lets you easily and securely prove your identity online, plus access lots of online services with a single username and password.”
The sales pitch is aimed at making it easier for the citizen consumer. Get a RealMe account and access a wide range of critical services that require strong proof of identity such as govt agencies, the health system, banks, and so on.
It’s important to note that there are two sorts of RealMe accounts. You can get as many unverified accounts as you like – but if you want to use the more useful services you will need to get your account verified and your photo taken at an NZ Post shop. You’re only allowed one of these.
RealMe is of particular appeal to financial institutions because of their new responsibilities to identify their customers and report suspicious transactions to the government as a result of the Anti Money Laundering and Countering Financing of Terrorism Act. Kiwibank, the BNZ and TSB Bank are using RealMe, with more expected to follow, although uptake has been slower than expected.
RealMe itself doesn’t store any data about people, but it does enable two services that use it to share data if the person gives them permission. For example, if you apply for medical insurance, you can use RealMe to freely choose to give the insurer secure access to your medical records.
There’s not much more to RealMe, but there doesn’t have to be. It provides two vital components to enable data sharing on an ever larger scale – a key to identify a person, and a pipeline to share the data. It’s an important building block in the creation of our glorious shared data future.
Sadly, utopia is not assured. Let’s look at some of the issues.
Firstly, data sharing. While the people who developed RealMe seem to have good intentions, I can’t help feeling that they seem rather naïve. It’s great that data sharing through the RealMe service is voluntary and done under the control of the user, but does anyone really believe that’s how it’s going to work?
If you want health insurance, you will be obliged to give them access to your medical records. Credit applications will demand access to your bank accounts. You could freely refuse – at the price of being turned down for what you’re applying for.
And at some point I can assure you that there will be a small law change allowing the IRD full access to whatever data they want through the RealMe service.
There are other agencies that also have the power to override our privacy choices. The Police, SIS and GCSB can all legally access the information in the systems that RealMe have so kindly linked together, and we’d never know that they’d done it.
Secondly, it seems that RealMe will inevitably evolve into a de facto digital identity card; the “papers please” of the internet age. As processes move online, everyone is going to need a RealMe account and opting out will not be an option.
But there is a deeper philosophical problem with having a single verified identity. Do we actually want to use the same identity for dealing with the government, banks, Trademe, and a variety of social media sites? Will there be increasing pressure to use our ‘official’ identity everywhere? I see important advantages in being able to present different faces to people – to the people we work with, our parents, our children, our friends, our various communities.
And, of course, RealMe has a big future. It’s going to be available whenever the government thinks up a new reason why it needs to track us and spy on us. We don’t just have to worry about what it’s being used for now, we have to worry about what will be built on it in the future.
To think of just one example, something that worries governments and businesses alike is the inability to conclusively identify who did what online. It seems possible to me that in ten years’ time we’ll be obliged to connect to the internet using our RealMe identity.
With everything you do online linked back to your RealMe ID, the internet truly will be the greatest surveillance machine ever built.
However, it’s when you add large scale data collection and analysis that you realise how this technocratic utopian vision can all too easily become a dystopia.
The same data that can be used to target assistance to those who need it can be used to penalise those who transgress. Has an algorithm decided you’re feeding your children too much junk food? Did you spend time helping at the local community centre when you should have been looking for a job? Our data shows you were out in the car when you said you were sick last Tuesday; just how sick were you?
Citizen, justify yourself!
RealMe is just one more component of the big data transformation of our society.
I don’t think that the big data juggernaut can be stopped. Every day the technology to watch, collate and analyse data is getting cheaper and more powerful. It’s the price of the modern internet and computer driven society.
And personally, I’m still enough of a utopian that I’m not even sure that we want to stop it.
But we know that people react differently when they know they’re being watched. We know that people value their privacy and feel powerless when others know their secrets. Can freedom of expression survive in a surveillance state? Will dissent, so necessary in a democratic society, wither under the all seeing eye?
So while we can’t stop it, there is a very clear need to control it. To make sure that we get the benefits while not accidentally creating a society we don’t want to live in.
However I do believe that this is possible. We can’t control what foreign companies and governments do, but we can set limits on what our own government can do, and we can pass laws that control what New Zealand companies can do.
This isn’t going to be easy. We do have the Privacy Act, but the technocrats have the ear of government and they’ve already announced plans to repeal the Privacy Act and re-enact it in a form even more friendly towards data sharing. But even then, it’s not just privacy that we’re worried about, but power and control.
To stop this trend, to set up real protections, we’re going to have to persuade our fellow New Zealanders that we need them.
We have the power to decide what sort of country we want to live in. We can reject the surveillance society and the subsequent crushing of our democracy. I hope this meeting is another step on the way to doing so.
It seems obvious – when you enter the country Customs can force you to open a briefcase to look for illegal drugs, so why can’t they force you to decode an encrypted file on your computer so they can look for information about illegal drug smuggling?
Customs have issued a set of papers discussing a planned review of the Customs & Excise Act. In the Powers paper, they are asking for the power to force people to hand over the passwords for their electronic devices or face penalties.
Unfortunately the analogy breaks down when you consider what would actually happen in the real world.
The important thing to note is that with a locked physical object there is always the option of literally forcing the issue. Any refusals are merely a delaying tactic.
The situation with encrypted files could be any of the following:
In all these cases there is nothing that the Customs officer can do to overcome either the ignorance of the person or their unwillingness to comply. The issue cannot be forced because a modern encryption system can’t be cracked without the proper key.
There’s also no easy way for the Customs officer to tell which situation they’re dealing with. Is that person saying they don’t know anything about any encrypted files on their laptop telling the truth or lying?
The worrying thing is that in any case where you make the penalties extreme enough to intimidate someone who does have illegal files into handing the key over, you are also going to end up victimising the innocents who either don’t have any encrypted files or don’t have the keys for them by making them suffer those same penalties.
And, of course, someone who really was bringing in illegal files is much more likely to store the information online somewhere, enter the country with a completely clean laptop and download it once they get here. Or they might use an encryption system that supports a “Police Key” and a “Real Key”, where handing over the “Police Key” just presents some fake innocuous files.
We haven’t even considered the civil liberties issues such as being able to protect your most personal files from government snoops, or that Customs has long been suspected of exceeding its powers to do searches on behalf of the Police.
Importantly, things that work in the physical domain don’t always transfer cleanly across to the digital domain. There are real issues with how any such power to force people to hand over keys would be used in practice.
Giving Customs this power might catch a few naive criminals but it’s not going to catch people who are even halfway serious about personal security – and we’re worried that too many blameless people might get caught up in the net, forced into the difficult task of trying to prove that they don’t know something.
It started with a Tweet from Steve Cotter, CEO of REANNZ:
Trying to do the same in NZ, but govt's TICSA legislation makes deploying SDN/NFV in backbone networks challenging http://t.co/91MUpxfOnw
— Steve Cotter (@SteveCotter) February 22, 2015
Before we go any further let’s unpack some of those acronyms and add one more:
So this is a statement by the CEO of a government owned company whose purpose is to “establish and operate the Advanced Network in order to promote education, research and innovation for the benefit of New Zealand” saying that they can’t do the research and development work they need to do because the bureaucrats in the NCSC at the GCSB are holding them back.
Apparently the NCSC were willing to help, but the law was inflexible enough that making any significant change – like you might want to do quite frequently on an experimental network – was going to require the full notification and authorisation procedure. When asked for an exemption the reply was that this would be extremely unlikely to be granted.
Apparently Google has also been involved with research and development into SDN in New Zealand. We’ve been told by multiple sources that they were so annoyed by the TICSA’s requirements and the NCSC’s administration of them that they have closed the New Zealand section of this project and redeployed the hardware to Australia and the USA. This can only be seen as a loss to New Zealand.
We think it’s a real worry that companies like Google and REANNZ, who are both pushing the boundaries of network research, are giving up in New Zealand due to the constraints imposed by government legislation.
It’s exactly the sort of thing we worried about in our submission to the government about the TICS Bill:
It will introduce a layer of unnecessary bureaucracy and slow down development of services. It will lead to network operators making “safe” choices that they know will be accepted by the GCSB rather than making the best decisions.
Some people have suggested that these companies, REANNZ and Google, just needed to work harder to jump through the NCSC’s hoops. The reality is that they obviously thought that this was not worth the effort and they abandoned the work. How many other companies in New Zealand are experiencing these exact same problems and deciding to just give up… or spend their research dollars in countries with a friendlier environment?
We stand by our original position that a spy agency can’t intercept traffic on one hand and then provide security advice on the other. We don’t believe that New Zealand’s national security is enhanced by giving the GCSB more control of our telecommunications networks than any other spy agency has in any other comparable country. We don’t believe that network operators should have to answer to a layer of micro-managing government bureaucracy to run their businesses. We think that this is in direct contravention of the GCSB’s statutory objective of contributing to the economic well-being of New Zealand.
The TICS Act is proving to be a brake on innovation. It needs to be changed.
More on the story from Juha Saarinen at the NZ Herald.
We asked the Police and while the answers aren’t as in-depth as we’d like, we thought we’d share what we got combined with our own analysis.
Firstly, if the Police can legally search you (they have a warrant, you’re in the vicinity of a legal search being executed, you’re suspected of being involved in certain classes of crime, etc), section 125(1)(l) of the Search & Surveillance Act explicitly allows them to search your phone or other data device.
Furthermore, section 130 of that Act can be used to compel assistance (i.e. you must unlock it) if they are doing a legal search. Note that the “no self incrimination” clause is generally understood to refer to the information used to unlock, not the information that is revealed by being unlocked.
The Police also have access to a range of tools used to access the information on such devices. In 2013 the Police Electronic Crime Group searched 1309 mobile phones and other devices. This number doesn’t include any searches at the District level (stats are not recorded) or by officers on the street persuading people to let them examine their phone.
Secondly, section 88 allows the Police to do a warrantless search of someone who has been arrested if they have reasonable grounds to believe that they have a thing that may be used to harm someone, be used to escape, or may contain “evidential material relating to the offence in respect of which the arrest is made”.
It would seem that this clause would allow the Police a large amount of leeway to come up with some vaguely plausible explanation as to why they need to search your digital device if you’re arrested. For example, they could claim to require the information on it to track your movements or to find out who you communicated with before you were arrested.
From our brief analysis, supported by the information from the Police, it seems that the NZ Police can upon arrest:
Does anyone have a counter view?
How long can the Police hold the data for?
Who can they share the data with?
What limits as to reasonableness will the judiciary impose when it comes up in court?
We recently obtained further documentation from the NZ Police about automated number plate recognition (ANPR). This includes a Police report from September 2013, the ANPR chapter from the Police internal manual and some responses to questions in our letter.
We noted the following points of interest:
While we are not opposed to appropriate use of automated number plate recognition, we are concerned about using the system to target people and not vehicles, for example pulling over a vehicle because the registered owner has a drunk driving conviction. This risks unreasonable harassment of both the owner and of anyone else that they might lend the car to.
We are pleased that the Police are not using the system to set up a vehicle tracking database as we see this as a more worrying threat to civil liberties. We also note the Police statement that they believe they need a tracking warrant under the Search & Surveillance Act to use a device (such as an ANPR database) to track vehicles.
This provides an interesting contrast to recent information from Auckland Transport about the surveillance and tracking systems they are using. We note that we currently have an outstanding LGOIMA request lodged with Auckland Transport about their surveillance plans.
However, it seems that the Police are prepared to use the 48 hours of history that they are keeping to locate vehicles after the fact, and we wonder if this retention period will be extended further in the future. This contradicts other statements and we will be asking for more information.
Written by Joy Liddicoat (member of APC and Tech Liberty), this comprehensive and perceptive summary is well worth reading by anyone who wants to know how we got here – and where we need to go.
New Zealand is a small country, with a population of less than five million, situated in the far reaches of the southern hemisphere. But its physical remoteness belies a critical role in the powerful international intelligence alliance known as the “Five Eyes”, which has been at the heart of global controversy about mass surveillance. This report outlines the remarkable story of how an international police raid for alleged copyright infringement activities ultimately became a story of illegal spying on New Zealanders, and political deals on revised surveillance laws, while precipitating proposals for a Digital Rights and Freedoms Bill and resulting in the creation of a new political party. We outline how civil society has tried to respond, and suggest action points for the future, bearing in mind that this incredible story is not yet over.
Edited version of Thomas Beagle’s opening remarks at the Privacy Panel at NetHui in Auckland on 11th July 2014.
Privacy isn’t dead. Yesterday at Nethui we were told that it’s too late for privacy, that it’s over. But the fact we’re all here and talking about it is a sign of just how wrong this is.
There’s no doubt that technology is changing how we think about privacy but it’s not as simple as saying that people these days are just giving it up willy-nilly. People don’t always get it right, but most have an intense interest in keeping certain pieces of information away from certain people.
I think it’s important to note that information privacy is not simple. People have many relationships – work, family, friends, doctors, government – and they need to be able to control who sees what and when.
Just because we give a piece of personal information to one of those, or they take it without asking, doesn’t mean that we’ve lost our privacy interest in that information. I might tell my doctor about my drug use, but still need to keep it secret from my family, employer and government.
Part of this control is that for many people the debate about privacy is also about security. If you’re a teen questioning your sexuality in a conservative town, that information leaking out might be enough to get you beaten up or worse.
And at the same time, have you ever felt that sick feeling when someone you don’t trust has damaging information about you? What if it’s the government and they’re the ones paying you a benefit that is keeping your family fed? Information is power.
The surveillance demands of national security, the desire to know everything we’re doing, actually leads to many people feeling less secure because they don’t know what the government knows about them and they don’t know how they’re going to use that information.
That said, I’m optimistic about privacy.
When it comes to our digital peers such as friends and family we generally already have the tools to protect ourselves, even if we don’t always get it right.
If we look at the rest of the privacy problem, I split it up into three categories. The biggest risk is your own government, because they’re the ones that can put you in jail or deny you basic services. The second is the local companies you deal with to buy your power, your food, and so on. The third is the foreign companies such as Google and Facebook.
The good news is that in a democracy like New Zealand, we can control the first two. We can set limits on what data they collect and how they can use it and how they can share it. Maybe two out of three is actually good enough to say that we can continue to maintain our privacy in the internet age.
And we can set those limits however we like. Some people seem to believe that once something is published, either by ourselves or leaked by others, that it’s fair game. I’d argue that just because something is out there doesn’t mean that it should be available for use.
There’s ample precedent for this: You’re not allowed to use the electoral roll for anything not to do with elections. Juries are told to ignore any information they may have learnt outside of the trial.
If we decide as a society that we don’t want the Ministry of Social Development to spy on beneficiaries on social media, we can change the law so that they are not allowed to. If we don’t want the GCSB to be able to apply for wide-ranging access authorisations to spy on New Zealanders – for our own protection of course – we can change the law so that they can’t. It’s up to us.
I believe we do need changes to privacy law in New Zealand. The Privacy Act is a great base for us to work from but it needs work – and not just the new powers for the Privacy Commissioner.
It’s obvious that privacy controlled by opt-in click-through contracts doesn’t really work. I believe that the solution is to further ratchet up the baseline protections provided by the Privacy Act – and to close the law enforcement loophole.
Sadly, I fear that the government’s promised repeal and re-enactment of the Privacy Act will be going in the wrong direction. Thank you.
We’ve been watching the introduction of RealMe with some concern. While it appears that they have done some serious thinking around privacy, there are some real issues around unified online identities that have not been sufficiently discussed.
This introductory article talks about what RealMe is and then asks some questions about how it might be used.
RealMe is a government sponsored online identification service. In their own words: “RealMe lets you easily and securely prove your identity online, plus access lots of online services with a single username and password.”
It’s a renamed version of the iGovt scheme originally set up by the Department of Internal Affairs. It’s now run by a combination of the Department of Internal Affairs and NZ Post (a state owned enterprise). The major enabling legislation for RealMe is the Electronic Identity Verification Act (2012).
The aim is that your verified RealMe identity will provide enough assurance that you are who you say you are that governments and commercial organisations will be able to provide products and services online that require the most stringent forms of identification such as passports, bank accounts, student loans and so on.
It’s of particular appeal to financial institutions because of their new responsibilities to identify who they’re dealing with after the passing of the Anti Money Laundering and Countering Financing of Terrorism Act. Both the BNZ and TSB Bank are now using RealMe with others expected to follow. Here’s the full list of organisations using it.
At the end of February 2013 there were 853,100 iGovt logins (although some people had more than one).
We’ve heard that implementing RealMe within an organisation is both complex and expensive. There is a significant amount of software development that the organisation is required to do, plus RealMe does its own testing to ensure that standards have been met.
Ongoing costs are based on the number of transactions (typically new identifications, RealMe is not necessarily involved once the identity of the person is established the first time). RealMe refused to release details of the pricing, claiming it is commercially sensitive.
There’s no doubt that the people who created the system did it with the best of intentions and it seems they’ve taken privacy needs into account. One important point is that two organisations using RealMe can’t share data about a person unless the person has explicitly given them permission to do so.
However, we have to assume that this will not always be the case. It seems highly likely that at some point the IRD will get a law change to enforce access – we all want to make sure people aren’t cheating the tax system, right? And it makes sense that companies might start insisting on you sharing information, in the same way that health insurance companies currently demand access to your health records. You can refuse but then they won’t provide services to you.
It’s also easy enough for the Police, SIS and GCSB to be able to use the powers granted by their respective laws to access any person’s information across systems as well.
It seems clear that RealMe is rapidly becoming a digital identity card. It’s already not voluntary for a number of people who want to access some services such as Studylink. As more government departments and commercial organisations start requiring it, having a verified RealMe identity is rapidly going to become a requirement.
NZ and Australia both rejected the idea of a non-digital national identity card in the 1980s. There were significant public campaigns against them and the proposals were defeated. So far there’s been no outcry against this new form of digital identity card.
Of course, there were different attitudes then. In those days the very idea of government departments sharing data about people was highly contentious due to fears that the government might snoop too much or would abuse its power. Now data sharing between govt departments is commonplace and expected. RealMe is going to enable more and better data sharing, with increased confidence about the identity of the people they’re sharing information about.
But the bigger issue is – what does it mean to have one verified identity that’s used for everything?
Do we actually want to use the same identity for dealing with the government, your bank, Trademe and a variety of social media sites? Will there be increasing pressure to use your ‘official’ identity everywhere? We see advantages in being able to present different faces to people – to the people you work with, your parents, your children, your friends, your community. Is this under threat?
We already know that the world has problems with governments over-surveilling people on the internet. We fear that this surveillance already has a chilling effect on democratic dissent. Will improving it by forcing use of a single identity and further enabling data matching be worth the gains?
What does robust and pervasive online identification enable? How will these services be used in 5, 10 or 20 years’ time?
For example, one of the big problems with law on the internet is proving just who did something. You can trace a downloaded file to an IP address but you don’t know which person there actually did the copyright infringing download. Or maybe you want to find out who anonymously published the suppressed name of the accused in a trial.
A government of the future might look at these problems and decide that internet use should be keyed to your RealMe identity, thus undermining anonymity on the internet. It wouldn’t be a trivial task but it’s also not impossible and would enable the government of the day to track everything you do on the internet. We don’t believe that the government needs this power and we see this level of mass surveillance as a threat to our privacy and our democracy.
RealMe has some real advantages – verified identities will make it easier for people to access government and commercial services online, helping us realise some of the promises of the internet revolution. But we’re concerned about measures that increase government power over people and we fear that RealMe might be one of those measures.
Over the next few months we’re planning to explore some of the issues around RealMe. In particular, we want to answer the following two questions:
Your ideas and contributions would be welcome.
The Harmful Digital Communications Bill has been reported back and the select committee has made a few changes.
The Bill has added the definition of IPAP (Internet Protocol Address Provider – roughly an internet service provider) from section 122A(1) of the Copyright Act and then in section 17(2A) gives the District Court the ability to order an IPAP to release the identity of an anonymous communicator to the court. Of course, this would only reveal the name of the person who owns the internet account that was used and not the name of the person who used it, so the utility of this will be limited.
The Approved Agency (still unnamed, still expected to be Netsafe) would be subject to the Ombudsmen Act, the Official Information Act and the Public Records Act in respect of the functions performed under the bill. This is a welcome change as it’s important that any agency performing state functions is covered by the bills that help provide proper oversight.
There have also been minor changes allowing the courts to vary orders made previously, clearing up which teachers can apply on behalf of pupils, and allowing threats to be treated as possible grounds for an order to be made.
The major change has been to the section 20 Safe Harbour provisions of the Bill that were dumped into the previous version at the last minute.
The original proposal was terrible – content hosts (pretty well anyone who allows the public to submit comments such as on a blog or forum) would be protected from legal action if they removed material immediately after receiving a complaint. It was obvious that this would be abused by those trying to silence people who they disagreed with.
The good news is that some complaints will be changed from “takedown on notice” to “notice and notice”. This means that upon receiving a complaint, the content host will forward it to the original author of the complained about material (i.e. the person who wrote the comment). If the author agrees or doesn’t respond, the material will be taken down, but if they disagree with the complaint the material will be left up – and the content host will still be protected from legal action under the safe harbour.
However, this does not apply when the original author cannot be identified (or if the author either doesn’t want to respond or can’t respond within the 48 hour time limit). Indeed, the phrasing of the act reads as if content hosts must remove material when in reality they only need do so if they wish to be protected by the safe harbour provisions.
Disturbingly a number of other suggested improvements were not picked up by the select committee. In particular we supported the ideas that complainants should have to make their complaint a sworn statement and that complainants would have to have been harmed by the material themselves.
So while this is a significant improvement, we still fear that these provisions will be abused by serial complainers, internet busybodies and those who want to suppress their “online enemies” by any means possible.
What’s more serious is what hasn’t changed. You can read our articles and submissions to see our full critique of the Bill but there are three points we wish to mention.
Firstly, the Bill sets a different standard for the content of speech online and offline. While we do understand that online communications might require a different approach in available remedies, we firmly believe that the standard of speech should be the same. We note that the internet isn’t only for “nice” speech, it’s increasingly the place where we all exercise the freedom of expression guaranteed to us by the NZ Bill of Rights Act.
Secondly, rather than fixing the horribly broken section 19 – causing harm by posting digital communication – the penalties have been increased. This section completely fails to recognise that some harmful communications have real value to society. For example, the idea that someone might be fined or jailed because they harmed a politician by posting online proof that the politician was corrupt is just horrendous. We honestly believed that the lack of a public interest or BORA test was a mistake but it seems that the Select Committee really does want to criminalise all harmful online speech. This neutered and ineffectual internet is not one we wish to see. (Edit: this section is still subject to the BORA as detailed in 6(2).)
Thirdly, we worry that the bill will be ineffectual where it might be needed most while being most effective where it’s most problematic to civil liberties. Many of the example harms mentioned in the original Law Commission report would not be helped by this Bill – they happen overseas, or they happen too fast, or the people being harmed are just too scared to tell anyone anyway. The Approved Agency will be able to do a lot in the cases where anything can be done, but we’re not convinced of the need for the more coercive elements of the Bill.
There is no doubt that some people are being harmed by online communications. There is definitely a good argument to be made that the government could do something useful to help those people. We’re not convinced that the approach taken by the Law Commission and the Government is effective and we’re quite sure that it includes a number of unreasonable restrictions on the right to freedom of expression guaranteed to us all by the NZ Bill of Rights Act.
It seems inevitable that the Bill will be passed in its current form if there’s time before Parliament closes for the elections. We can but hope that a future government will repeal it and have another go.