Edited text of the presentation given at Kiwicon 2012 ("New Zealand's Hacker Con") by Tech Liberty co-founder Thomas Beagle.
Do not ask for whom the panopticon watches, it watches for thee
My name is Thomas Beagle and I'm from Tech Liberty. We're a New Zealand lobby group dedicated to protecting civil liberties in the digital age.
I'm going to survey some of the political issues that affect our civil liberties before talking in a bit more depth about where we're up to with mass surveillance in New Zealand.
We recently wrote about RIANZ withdrawing one of the first cases to go to the Copyright Tribunal. We made some reference to RIANZ's claims and their attempts to rewrite the law and regulations to justify a claim based on the number of times the works might have been downloaded.
We've now made RIANZ's submission to the Copyright Tribunal available for download (PDF, 8.5MB).
Some points of interest include:
- RIANZ admitting in footnote 25 that it might not be the account holder who downloaded the works but someone else sharing the connection.
- The attempted rewrite of the NZ Copyright Act and regulations in para 30 to enable RIANZ to claim for each potential download.
- The argument that the lack of challenges to the notices and the continuing file sharing showed that the infringer was flagrantly breaching the law, rather than being completely clueless about it.
- The justification for asking for $1250 worth of deterrent penalties.
- That RIANZ use Mark Monitor to track file sharing activity, a system that only downloads part of the work from the person they're accusing.
Feel free to add a comment with anything else interesting you find.
The RIANZ has withdrawn one of the first three cases to go to the Copyright Tribunal. The withdrawal happened after all submissions had been made but before the formal hearing at the Tribunal.
Tech Liberty helped the defendant with her submission along with assistance from Susan Chalmers at InternetNZ and a very solid pro bono contribution from Kate Duckworth at Baldwins.
The defendant was a student in a flatting situation and was the account holder for the flat's shared internet account. She has never used file sharing software and we had to explain to her what it was and how it worked. It seems likely that one of her flatmates had it installed.
The flat never received the first detection notice and they didn't really understand the second warning notice. She did show it to her flatmates and asked them to stop doing anything they were doing. They denied doing anything, so she checked to make sure that their wireless network was properly protected by a password in case they had been hacked. The third notice was a mess - addressed to the wrong person, Telecom eventually withdrew it and replaced it with another one.
Then came the notice from the Ministry of Justice that action was being taken against the account holder. The defendant was very upset and worried, and contacted her local Citizen's Advice Bureau for help, who put her on to us.
RIANZ claimed a total of $2669.25 in penalties. This was made up as follows:
- $1075.50 as the cost of the music.
- $373.75 to repay the cost of the notices and tribunal fee.
- $1250 as a deterrent.
The cost of the music was calculated as being five tracks (total number of notices) multiplied by the $2.39 cost of each track on the iTunes store. The observant may notice that this works out to $11.95 rather than $1075.50. RIANZ decided, based on some self-serving research, that each track had probably been downloaded 90 times and therefore the cost should be multipled by 90. There is no basis in the Copyright Act or Tribunal regulations for this claim.
When we met the defendant she was very worried about the case and what it would mean for her. It caused her significant distress and preparing a defence interrupted both her studies and her part time job. The thought of a $2669 penalty weighed heavily on her and her plans for the future.
She immediately cancelled the flat's internet account and her and her flatmates were from that point without an internet connection at home. Obviously this was not good for their studies, social lives or personal business (e.g. online banking).
The flatmates refused to acknowledge any responsibility or offer to pay any money towards the penalty. Relationships in the flat broke down and the defendant left the flat soon after.
The defence concentrated on three aspects:
- The unfairness of the account holder being penalised for someone elses alleged infringement.
- Technical faults with the notices (see below).
- Criticism of the outrageously high sum requested by RIANZ as a penalty.
You may note that there is no denial that the infringing had occurred. This was not because the defendant admitted doing it or even that one of her flatmates admitted it. It's because there is really no way to prove that the allegations are true or false.
The notices from Telecom had a number of technical faults, of which the main ones were:
- Telecom sent out an incorrect notice then withdrew it and sent out another. Even the corrected notice had some errors and used different infringement numbers and the whole situation was very confusing.
- The second and third notices did not specify which first and second notices they were following on from, as required by the regulations. This made working out the timelines very difficult.
- The corrected third and final enforcement notice was sent for an infringement that happened within the 28 day stand down period after the warning notice, which means it was not a valid enforcement notice.
The defendant did ask the Copyright Tribunal for a formal hearing which she intended to attend.
The defendant sent a submission to the Copyright Tribunal along with her request for a formal hearing.
A couple of weeks later she received notice from the Tribunal that RIANZ had withdrawn their claim and the file was closed. We do not know why RIANZ chose to withdraw their claim.
The law is unjust and unfair
This case exemplifies just how unjust and unfair the law is.
If you are the account holder you will be responsible for the actions of anyone using the account. There is no way for non-technical people to monitor or control what their flatmates or other people sharing the internet connection are doing. Even IT professionals would struggle to do so with the normal tools available on a home network.
The provisions in the law allowing for an internet account to be cut off have been suspended for now. This was because it is becoming increasingly clear that an internet account is becoming critical for engaging in modern society. However, the effect of this law was still the same - the defendant panicked at these allegations and cancelled her account, cutting off her entire flat from the internet.
The law is meant to act as a deterrent to infringing copyright, but the way it is written it is actually an incentive. "Just use a connection that doesn't have your name on the account and they'll be be the one who is penalised!" The only deterrent is to becoming an internet account holder.
How can you protect yourself against this unfair and unjust law?
- Don't be the account holder. See if you can persuade your flatmates, family member or business to be the internet account holder so that they'll be the ones who are penalised. Of course this is just protecting yourself at the expense of someone else.
- Don't use peer to peer file-sharing software to download copyrighted material without permission of the copyright holder. Tell anyone sharing your connection not to do so either.
- If you do receive a notice, examine it very carefully to check whether it is valid. Our article about valid infringement notices might help.
- If you get a second, warning, notice, cancel your account with that ISP and switch to a new one. This will reset the count.
- If you get summonsed to the Tribunal, spend the time to write a proper submission in your defence and ask for a formal hearing.
Ultimately, the only real protection is to get the law changed.
Feel free to contact us if you have received copyright infringement notices and would like some advice or assistance.
One of the most common topics of the emails we receive at Tech Liberty is the placement of video cameras. People worry about them where they work, in the street, and on their neighbour's properties.
This guest post is from Yuri Wierda, a licensed security consultant, and he's concerned about the increasing popularity of security cameras in public toilets:
I have personally refused to install cameras in toilets and have talked a few clients out of doing it. I believe cameras in toilets are immoral and may be illegal. Part of my responsibility when advising people on security is ensuring that they themselves don't break the law.
The argument for cameras in toilets has been that it reduces vandalism.
While there may be signs advising people that there is a camera I do not believe that it justifies it or complies legally. There are several situations where signs will not provide informed consent.
- Someone may get changed in the toilet and not see the sign.
- Someone may be blind or illiterate.
- Someone may be intellectually disabled.
- Children may be visiting the toilet unaccompanied.
This creates several privacy and legal issues:
- The intellectually disabled and children CANNOT legally provide consent to being filmed in the nude or partly clothed. Toilets are places where people adjust their clothing and may be partially clothed. Children and intellectually disabled people will not expect there to be a camera filming them. Filming such an event is illegal (s216G to s216N of the Crimes Act) and potentially can (and should) result in serious criminal charges.
- People who have not seen the sign or were unable to read it cannot provide informed consent.
I am appalled that the police has provided advice that it is not illegal.
We've been keeping an eye on the NZ Police trials of ANPR (automated number plate recognition - read our explanation).
The main civil liberties issue with this technology is that the system stores the time and location of the license plate check. Once enough of these systems are deployed they can be used to track people by following vehicle movements, as is being done by a number of other countries. We believe that, at a minimum, there should be some controls on how this data is stored and used, for example by having to apply for a tracking warrant.
The Police themselves have been sending out mixed messages about whether they're keeping the information and whether they'll be using it for tracking, as documented by our article. At the end of that article we said we were seeking further clarification from the Police.
Police confirm they're not keeping ANPR data for tracking
We have now received a letter (PDF) from Superintendent Carey Griffiths in which he explains:
All three patrol cars and one of the vans have the capacity to store information for up to a two or three day period depending upon operational use. In general the information is not stored for any longer than a shift period which can vary from an eight hour to a ten hour shift.
One of the [two] vans has a system known as BOSS ( Back Office System Software) and this system has the capability to store information for a longer period ... The BOSS system settings have recently been amended, and the information is now only stored for a maximum of 48 hours.
It seems clear from this that the Police will not be keeping the ANPR data.
Police believe they can't track without a warrant
Furthermore, Superintendent Griffiths goes on to say that:
Police considers that with so few cameras, the technology cannot be used to "track" vehicles. In any event, Police cannot track vehicles other than in accordance with the Search & Surveillance Act 2012.
This contrasts strongly with what the Police said in a letter from December 2011:
There is no requirement for police to apply for a warrant for any ANPR information as it is gathered in a public place.
This change in attitude is quite interesting. The Search & Surveillance Act only refers to getting a warrant for tracking when it involves the use of a tracking device (s46). We initially took this to refer to getting a warrant to allow the installation of a "bug" on the car or person to be tracked.
However, tracking device is defined as "a device that may be used to help ascertain, by electronic or other means ... the location of a thing or a person".
Could one define an ANPR system as a tracking device and would the Police then have to get a warrant to use it to track people? It seems that the Police now think it would. The same argument would also seem to apply to using mobile phones to track people.
In our opinion this interpretation would fit in both with the purpose of the Act and the requirements in a civil society for oversight of the use of this type of mass surveillance.
We're pleased that the Police are not attempting to implement the sort of pervasive people/vehicle tracking systems that are becoming popular in some overseas jurisdictions. We do not think that this sort of police state behaviour has any place in a free and democratic New Zealand.
Furthermore, after some problems with illegal surveillance in recent years, it's good to see that the Police are taking their responsibilities under the Search & Surveillance Act seriously.
We will continue to monitor the Police use of ANPR technology and look forward to receiving copies of the assessment from the Privacy Commissioner and the final Police report into their test ANPR deployment.
Please send any updates or other useful links and we'll incorporate them. Last updated: 10/9/2012.
- What's wrong with the Communications (New Media) Bill and can it be fixed?
- Law Commission - Harmful Digital Communications
- Powers of the Proposed Communications Tribunal
Lawyer Steven Price
Lawyer John Edwards
Stephen Bell at Computerworld
Mike O'Donnell from Trademe at Stuff
David Farrar at Kiwiblog
Chris Barton at NZ Herald
Richard Boock at Stuff
- Negotiation is the new black - the "Approved Agency"
- Trolls provide motivation for greater regulation
- Workshops on the Communications Bill are worth attending
Police Minister Judith Collins
- The creation of a new criminal offence that targets digital communications which are "grossly offensive or of an indecent, obscene or menacing character and which cause harm". Harm is said to include physical fear, humiliation, mental and emotional distress.
- The establishment of an Agency (i.e. Netsafe) that will be able to assist and advise people suffering from unpleasant digital communications.
- The establishment of a Communications Tribunal that will be able to respond to complaints and provide "speedy, efficient and cheap access to remedies such as takeown orders and cease & desist notices."
- Amendments to the Harassment Act, Human Rights Act, Privacy Act and Crimes Act to ensure that the provisions of these laws can be applied to digital communications.
- New requirements for NZ schools to work harder at stopping bullying of all kinds.
While sympathetic to the aims, we have some serious questions about the law and the thinking that lies behind it. This article discusses some of the problems that we see, talks about ways to resolve them and asks whether the problems are too great for some parts to be worth pursuing. We have arranged our arguments thematically and finish with our conclusions and recommendations.
The Law Commission has proposed the creation of a Communications Tribunal that will be able to respond to complaints about internet speech and provide "speedy, efficient and cheap access to remedies such as takeown orders and cease & desist notices." The Tribunal would be made up of one of a number of selected District Court judges, with the optional assistance of a technical expert where required.
We were curious to see how what powers the proposed Bill would give the Communications Tribunal and how that would compare to the other tribunals mentioned in the report.
A future article will discuss the types of complaints that the Tribunal will deal with and the principles they are to use when doing so.
What powers would this Communications Tribunal have?
Once a complaint has been made and accepted by the Tribunal, they have certain investigatory powers:
- require any person to provide any document, information or things
- require any person (including the defendant) to give evidence.
Once the Tribunal has made the decision ("...with as little formality and technicality, and as speedily as is permitted...") it can order one or more of the following:
- remove any material from any online media
- forbid anyone from republishing or encouraging others to republish the same or similar material
- demand a correction, an apology or the right of reply
- publicly identify the author of a particular communication.
If the demand to produce/give evidence or any of these orders are disobeyed it would be punishable by up to 3 months jail and/or a $5000 fine.
Compared to other tribunals
In the Ministerial Briefing, they compare the Communications Tribunal to other tribunals such as the Tenancy Tribunal, Human Rights Review Tribunal and the Disputes Tribunal.
Firstly, we note that there is a major difference between the Tenancy and Dispute Tribunals (where the tribunal is arbitrating an existing agreement between two parties) and the Communications and Human Rights Review Tribunals where there is no pre-existing agreement between the people involved. This means that we think the Human Rights Review Tribunal is a better subject for comparison.
Secondly, disobeying any orders from the other tribunals does not result in a jail sentence but rather fines of between $1500 and $5000. The ability to back its decisions with a threatened 3 month jail sentence is is a major difference in the powers of the Communications Tribunal.
Thirdly, the laws for the other tribunals are much more detailed as to how they are to perform their work. There are procedures, clarifications of who can appear and when, oath-taking, rights of appearance and notification, etc, etc. The proposed Bill is either unfinished or the Law Commission really does seem to want hearings to be a quick and dirty affair, something that may not be appropriate when talking about issues that have important Bill of Rights implications.
Fourthly, the other tribunals do have some powers to order evidence and testimony - but legally privileged information is protected and the Human Rights Review Tribunal is subject to the Evidence Act.
Is there any defence/appeal?
There is no requirement for the defendant to be heard or to have a chance to put their case forward. (Lawyer John Edwards counters this by saying that the Tribunal's requirement to comply with the principles of natural justice would require that affected parties be given an opportunity to be heard.)
The complainant can appeal a decision to an Appeal Tribunal (made up of two District Court judges).
The defendant has no opportunity to appeal any decision, nor do other possible targets of an order (the ISP, webhost or 'any other person').
The Communications Tribunal would have very broad powers over internet content. Breaching one of their orders will result in a serious fine of up to $5000 or jail time of up to three months. This contrasts with the report stating that it would be "protective, rather than punitive" and would "not have powers to impose criminal sanctions". If you refuse to follow the orders (possibly because you believe they are unfair, breach your freedom of expression, or because it's technically impossible) you'll find that punitive criminal sanctions quickly follow.
The Law Commission repeatedly mentions that the Tribunal should be "speedy" and "efficient" with "little formality". The proposed Bill is very light on detail when it comes to the nitty gritty of running a Tribunal - presumably with the thought that this would just slow them down. They seem to be of the view that the Tribunal must react in "internet time" without quite realising that a result in days or even hours probably won't be good enough to avoid harm to the complainant.
The cases coming before the Tribunal are not always going to be easy, with internet flamewars and inter-clique battles typically leading to bad behaviour from all of the parties that will need to be unpicked properly to make a fair decision.
This lack of process and protection for the rights of the defendant to a fair hearing (including the right to silence) will surely lead to bad decisions that fail to take into account the principles of natural justice.
Moreover, the Tribunal is dealing with a very serious matter, the right to freedom of expression as guaranteed by the NZ Bill of Rights. This is not some petty dispute over who pays for the repairs to a car or whether the oven was cleaned properly on vacating a flat. The level of formality and respect to the rights of the participants is very different between the Communications Tribunal and the more directly comparable Human Rights Review Tribunal.
We believe that, even before you consider the grounds for complaining to the Communications Tribunal and the principles it will follow to make decisions, there are some serious problems with the Tribunal as conceived by the Law Commission. The proposed remedies are too expansive, the penalties for disobeying too harsh and the unseemly haste that will go into making a decision is not appropriate.
This post has been corrected on 22/8/2012 to clarify that only the complainant, not the defendant, can appeal an order of the Tribunal.
The main civil liberties issue is that the system stores the time and location of the license plate check. Once enough of these systems are deployed they can be used to track people by following vehicle movements. We believe that, at a minimum, there should be some controls on how this data is stored and used, for example by having to apply for a tracking warrant.
Nothing to fear?
The Police were represented on Close Up by Superintendent Carey Griffiths who said that these fears were incorrect: "The system we are using here, we don't retain the data."
He went on to say: "Most of the cameras and systems we use drop it off at the end of the shift. We're certainly not using it for data mining."
"Details of vehicle movements captured during ANPR deployments will be retained on a secure Police database."
What sort of data is stored?
"The time, data and a photograph of all vehicles passing the ANPR camera is stored." and "Yes it will include the location or where the device was deployed."
And will they be used for tracking?
"Police may search the stored data if there is a belief that there may be information relation to a crime; e.g. where a serious crime has taken place and Police are looking for an offender's vehicle."
And do the Police think they need a warrant to track people in this way?
"There is no requirements for police to apply for a warrant for any ANPR information as it is gathered in a public place."
The big question
Who is correct - Superintendent Carey Griffiths, Road Policing Manager, who just appeared on Close Up or Superintendent Paula Rose, National Manager Road Policing, who wrote to us in March and December 2011?
Has the policy changed in the meantime? Was Superintendent Paula Rose incorrect? Or has Superintendent Carey Griffiths been misleading us all on national TV?
Edit (19/8/2012): We have written to the Commissioner of Police to ask for an explanation and will report back with any answer we get.
The Law Commission has released Harmful Digital Communications (PDF) - the rushed report into the "adequacy of current sanctions and remedies". According to the summary they are proposing:
- The creation of a new criminal offence that targets digital communications which are "grossly offensive or of an indence, obscene or menacing character and which cause harm". Harm is said to include physical fear, humiliation, mental and emotional distress.
- The establishment of a Communications Tribunal that will be able to respond to complaints and provide "speedy, efficient and cheap access to remedies such as takeown orders and cease & desist notices." It is also envisioned that Netsafe would take a larger role in being a first port of call for people seeking help.
- Amendments to the Harassment Act, Human Rights Act, Privacy Act and Crimes Act to ensure that the provisions of these laws can be applied to digital communications.
- New requirements for NZ schools to work harder at stopping bullying of all kinds.
The last two of these seem innocuous so our response will concentrate on the first two.
New "digital communications" offence
While it is undoubtedly true that the internet has allowed people to be nasty to each other on a wider scale than before, we are still not convinced that new laws are needed.
This is especially true when the Commission believes that the law should forbid offensive speech that has only got as far as causing someone "significant emotional distress", a rather low bar when adolescents or other excitable people are involved. (The Commission acknowledges that this goes beyond the current bounds of NZ criminal and civil law.)
We are also concerned when it is proposed to make something illegal on the internet that wouldn't be illegal if it was published in some other way. Does it really make sense that the same message might be legal on a billboard in the middle of Auckland but illegal if it was then posted to the Trademe Forums? As we say in our founding principles, "We believe that our civil liberties don't just disappear when using the internet."
It seems like that the new law will mainly be used as just another threat/weapon by people already engaged in internet battles.
All in all, we view this proposed new law with suspicion and fear that it will limit freedom of expression and cause more problems than it solves.
Establishment of a Communications Tribunal
It is always a concern when a new body with the power to censor is created, epecially when it is envisioned that it should be "speedy, efficient and cheap". When you realise that it's going to be tasked with censoring communications on the global internet, you have to wonder just what they were thinking.
Even reading the summary paper you get the feeling that the Law Commission doesn't think the Communications Tribunal is going to do much good, citing problems with identifying people and establishing jurisdiction overseas. Obviously it's only really going to have jurisdiction in New Zealand and this is just going to drive people's nastiness offshore.
Furthermore, the Tribunal will consist of one of a number of selected District Court judges, and they're going to have the power to order ISPs and web administrators to take down content. This can be significantly more difficult than it sounds and seems like a significant threat to freedom of expression, especially in those cases where the original author cannot be found therefore cannot defend themselves.
The Communications Tribunal seems to be a "at least we tried" measure, doomed to failure in all but a very narrow range of cases. We question whether it is worth doing at all.
We look forward to reading the full report and the proposed legislation and giving a fuller response when this is available.