Category Archives: privacy

Can the NZ Police search your phone if you’re arrested?

If the NZ Police arrest you they also have the power to search you. In light of recent decisions in Canada and the US amongst other countries, we had two questions:

  1. Can the Police also search your mobile phone or other smart device if you’re arrested?
  2. Can the Police force you to unlock it if it is secured by a password or fingerprint?

We asked the Police and while the answers aren’t as in-depth as we’d like, we thought we’d share what we got combined with our own analysis.

Firstly, if the Police can legally search you (they have a warrant, you’re in the vicinity of a legal search being executed, you’re suspected of being involved in certain classes of crime, etc), section 125(1)(l) of the Search & Surveillance Act explicitly allows them to search your phone or other data device.

Furthermore, section 130 of that Act can be used to compel assistance (i.e. you must unlock it) if they are doing a legal search. Note that the “no self incrimination” clause is generally understood to refer to the information used to unlock, not the information that is revealed by being unlocked.

The Police also have access to a range of tools used to access the information on such devices. In 2013 the Police Electronic Crime Group searched 1309 mobile phones and other devices. This number doesn’t include any searches at the District level (stats are not recorded) or by officers on the street persuading people to let them examine their phone.

Secondly, section 88 allows the Police to do a warrantless search of someone who has been arrested if they have reasonable grounds to believe that they have a thing that may be used to harm someone, be used to escape, or may contain “evidential material relating to the offence in respect of which the arrest is made”.

It would seem that this clause would allow the Police a large amount of leeway to come up with some vaguely plausible explanation as to why they need to search your digital device if you’re arrested. e.g. they could require the information on it to track your movements or who you communicated with before you were arrested.

Conclusion

From our brief analysis, supported by the information from the Police, it seems that the NZ Police can upon arrest:

  1. Search your mobile phone or other electronic device if they can formulate a plausible reason to do so.
  2. Oblige you to unlock it.

Does anyone have a counter view?

Other questions

How long can the Police hold the data for?

Who can they share the data with?

What limits as to reasonableness will the judiciary impose when it comes up in court?

An introduction to ANPR (automated number plate recognition)

ANPR stands for automated number plate recognition.

It’s a camera that can automatically recognise and read license plates on cars and then checks them against a central database. If the plate matches a “vehicle of interest”, the police can then decide to pull over the car and talk to the driver. ANPR cameras are typically deployed in police cars and in fixed installations by the side of the road.

The current state of ANPR in New Zealand

[Edit: there is some inconsistency between the information available over multiple letters from the Police and that reported in Police News.]

[Edit 2: Superintendent Carey Griffiths has denied that the Police will be storing the ANPR data and using it for tracking. We have asked the Police Commissioner for clarification.]

According to the June 2012 edition of Police News, the NZ Police have been trialling ANPR since 2009. This has involved four mobile ANPR units which are not that sophisticated in that they need two people to operate them (one to drive, one to watch the screen).

In theory the trial ended in January 2012 but it is our understanding from Police News that they are still using the current four ANPR vehicles (2 in Auckland, 1 in Waikato/Eastern and 1 in Christchurch/Southland) and are looking at deploying another couple.

We have requested copies of reports about the trial and any recommendations about further deployment of ANPR systems.

Thanks an OIA request by Alex Harris we also have a draft copy of the ANPR manual. There is also an associated letter where the Police report that the trial began in 2010 and has consisted of only two units for a limited time in Counties Manukau and Wellington, with them currently deployed in Counties Manukau and Waitemata.

The Police answer questions about ANPR

Some questions and answers from letters to the police about ANPR (questions are ours, answers are from the Police):

Q. What data is stored with each record (e.g. location, time of day, etc)?

A. The time date and a photograph of all vehicles passing the ANPR camera is stored.

Q. Will this information include the location of the ANPR device at the time of the lookup?

A. Yes it will include the location of where the device was deployed.

Q. How long will the data for each captured license plate be kept for?

A. Data of vehicle movements captured during ANPR deployments will be retained on a secure Police database. In time this information may be deleted with it is no longer required for the purpose it was obtained. Police may search the stored data if there is a belief that there may be information relating to a crime.

Q. Are the police considering using the information stored in the ANPR database to track vehicles?

A. The ANPR system alerts police to vehicles that are a vehicle of interest to police recorded in the vehicles of interest database.

Q. If so, do the police believe they would need to apply for a warrant to use the information in this way?

A. There is no requirement for police to apply for a warrant for any ANPR information as it is gathered in a public place.

Why does ANPR make us worried?

If ANPR was simply used by the police to help find people they are actively looking for, we’d probably have no argument against it.

The problem is that it’s more than just a simple database lookup. That central database isn’t just responding to queries, it’s also storing the date, the time and the place for every car that passes the ANPR camera.

So the police end up with a very big database of car sightings – which gives them the ability to track the movements of any car they wish. Even more worrying is that they can keep this data for as long as they like and therefore “go back in time” by entering queries for any day since the database was started.

The technology is rapidly getting cheaper and could easily end up deployed in every police car and in fixed places around major cities and roads, allowing for near total coverage.

Potential harm

There are three types of harm that can come from creating a new database like this:

  1. An inappropriate extension of police power that might be used badly. e.g. the Police use it to spy on political activists who are engaged in peaceful protest, breaching their rights to privacy and freedom from Police surveillance.
  2. Extension to other government departments. e.g. could CYFS access the database to determine that you are feeding your children badly because you park near the local McDonalds each day?
  3. Improper use. A police officer using it to stalk someone for their own reasons.

Tracking used to be hard

Tracking someone used to be hard and expensive but ANPR is going to make it easy and cheap. With ANPR you don’t need a whole team of people, you don’t need to install a GPS tracking device, you don’t need to get a court order to access mobile phone data – you just install ANPR devices everywhere and then ask the database about whoever you like.

More to the point, you also don’t need to change any laws or apply for a surveillance warrant to install a tracking device – you can just start doing it.

It’s the sort of information that a totalitarian regime would love to have. But is it the sort of information that we want our government to have about everyone?

Shouldn’t we talk about what sort of controls we might want to impose if such a system is implemented?

Are we going to end up with this system watching our every move without even any public debate about it?

Interview – Cyberdodge VPN service

An interview with Ross from Cyberdodge, a supplier of VPN services that enables internet users to hide what they do on the internet.

What inspired you to offer the service?

People will always choose the easiest way to get the latest movies and TV shows and downloading off the internet is it. Unfortunately options are now limited to VPN tunnels not only for p2p but also for using an American IP address to get access to TV sites like www.hulu.com.

Are you getting many customers and what do they want it for?

Yes I am. VPN tunnels have a number of uses that include getting an American IP address to watch tv sites such as hulu.com, encrypt internet traffic when they are using a public WiFi point and of course hiding their real IP address.

How do you feel about the fact that some of your customers will probably be using your service to break NZ law?

No Comment.

What sort of information do you keep about your customers?

We only keep the email address.

What sort of information do you keep about your customers connections? (Such as when they connect, how long they connect for, anything they do through the service.)

We do not log what the user does or transfers over our network but we do log the time of connection and disconnection. We use this data to strategically deploy network resources. We also log the country the user is logging in from, this helps us to detect hijacked accounts and abuse. We do not log IP addresses.

Do you think your business has an obligation under the Telecommunications (Interception Capability) Act to allow the NZ police or other enforcement agencies to monitor traffic?

No, I am not a network operator. A network operator means a person who owns, controls, or operates a public telecommunications network or a person who supplies (whether by wholesale or retail) another person with the capability to provide a telecommunications service. CyberDodge does not provide anyone else with the capability to provide a service and CyberDodge is not a public telecommunications network. Public telecommunications network means a public switched telephone network and a public data network. CyberDodge is not a public switched telephone network nor a public data network. A public data network means a data network used, or intended for use, in whole or in part, by the public and includes, without limitation, the following facilities: Internet access and email access. CyberDodge requires that you have internet and email access already. This law applies to ISPs, which CyberDodge is not.

Do you think your business has an obligation under the Copyright (Infringing File Sharing) Act to store customer IP addresses so that you can pass on notices?

No, I am not a IPAP. IPAP, or Internet protocol address provider, means a person that operates a business that, other than as an incidental feature of its main business activities, offers the transmission, routing, and providing of connections for digital online communications, between or among points specified by a user, of material of the user’s choosing and allocates IP addresses to its account holders and charges its account holders for its services and is not primarily operated to cater for transient users. CyberDodge does not offer the transmission nor providing of connections for digital online communications. CyberDodge only routes digital online communications. This law applies to ISPs and CyberDodge is not a ISP.

Customs testing body scanners

New Zealand Customs have been trialling body scanners at Auckland Airport and are now working on plans to implement them.

Green Party MP Keith Locke says that using such equipment is illegal as they are banned by the Aviation Crimes Act.

with respect to a person searched under subsection (1), a member of the police, an aviation officer, a Customs officer, or an agent of the carrier authorised by the carrier for the purpose may not use an aid or device that produces an unclothed image of the person.

We also had concerns about both the desirability and legality of this body scanning technology and wrote to the Minister of Customs, Maurice Williamson, earlier this year expressing our concerns. He responded (PDF) that while it was illegal to use body scanners for the purposes of aviation security, it was allowed under the Customs and Excise Act 1996 for the purpose of searching for contraband.

However, Keith Locke responds that the language used when the Aviation Crimes Act was amended in 2007 very clearly showed that Parliament’s intention was to “…prevent any production of an unclothed image … there was no hint of any exception.”

Maurice Williamson says that he is not aware of any plans to further amend the Aviation Crimes Act.

1-Day finds that anonymity is hard

Update: 1-Day claims that they have tweaked the feature so that customers can choose to use aliases. However, there appears to be no way to enter an alias when signing up for an account or proceeding through checkout without an account (18/11/2010).

Update 2: 1-Day support are unaware of any new alias feature. They suggest entering an initial instead of your first name. The site continues to publish live customer data (18/11/2010).


Update 3: 1-Day have now added a checkbox for “Make my purchase public” to the sale process and have included a link that explains the feature. We think that this is sufficient notification and allows people to opt out if they wish, although it would be better if the checkbox was not ticked by default (23/11/2010).

1-Day is another of the many “deal a day” sites. An extra feature on this particular site is Watch People Shop – a dynamic map of NZ with “Sharon in Lower Hutt bought a Mistral Bread Maker 5 minutes ago” overlaid.
Continue reading 1-Day finds that anonymity is hard

Changes to availability of car rego info delayed

The New Zealand Transport Agency has announced that the changes to public access to the Motor Vehicle Register have been delayed until April 1, 2011.

Current law

Currently, the names and addresses held on the Motor Vehicle Register are publicly available to any person who provides the registration plate number of the vehicle and pays the prescribed fee. It is possible to request a confidential listing.

This means that anyone who knows the registration number of your car can find out where you live.
Continue reading Changes to availability of car rego info delayed