What inspired you to offer the service?

People will always choose the easiest way to get the latest movies and TV shows and downloading off the internet is it. Unfortunately options are now limited to VPN tunnels not only for p2p but also for using an American IP address to get access to TV sites like www.hulu.com.

Are you getting many customers and what do they want it for?

Yes I am. VPN tunnels have a number of uses that include getting an American IP address to watch tv sites such as hulu.com, encrypt internet traffic when they are using a public WiFi point and of course hiding their real IP address.

How do you feel about the fact that some of your customers will probably be using your service to break NZ law?

No Comment.

What sort of information do you keep about your customers?

We only keep the email address.

What sort of information do you keep about your customers connections? (Such as when they connect, how long they connect for, anything they do through the service.)

We do not log what the user does or transfers over our network but we do log the time of connection and disconnection. We use this data to strategically deploy network resources. We also log the country the user is logging in from, this helps us to detect hijacked accounts and abuse. We do not log IP addresses.

Do you think your business has an obligation under the Telecommunications (Interception Capability) Act to allow the NZ police or other enforcement agencies to monitor traffic?

No, I am not a network operator. A network operator means a person who owns, controls, or operates a public telecommunications network or a person who supplies (whether by wholesale or retail) another person with the capability to provide a telecommunications service. CyberDodge does not provide anyone else with the capability to provide a service and CyberDodge is not a public telecommunications network. Public telecommunications network means a public switched telephone network and a public data network. CyberDodge is not a public switched telephone network nor a public data network. A public data network means a data network used, or intended for use, in whole or in part, by the public and includes, without limitation, the following facilities: Internet access and email access. CyberDodge requires that you have internet and email access already. This law applies to ISPs, which CyberDodge is not.

Do you think your business has an obligation under the Copyright (Infringing File Sharing) Act to store customer IP addresses so that you can pass on notices?

No, I am not a IPAP. IPAP, or Internet protocol address provider, means a person that operates a business that, other than as an incidental feature of its main business activities, offers the transmission, routing, and providing of connections for digital online communications, between or among points specified by a user, of material of the user's choosing and allocates IP addresses to its account holders and charges its account holders for its services and is not primarily operated to cater for transient users. CyberDodge does not offer the transmission nor providing of connections for digital online communications. CyberDodge only routes digital online communications. This law applies to ISPs and CyberDodge is not a ISP.

Here are some of the things that were discussed:

1. That everything you do on the internet leaves a trail. While anonymity is achievable, it is generally much harder than most people believe.
2. That this data can be collected, aggregated and analysed to reveal a surprising amount of information about people - and that this is only going to get easier.
3. Consent is meaningless when people are presented with a long document written in legalese with a checkbox at the end and no chance to question or negotiate.
4. A major new source of privacy breaches is people sharing information about their friends and family. Normally these remain within a social group but sometimes they can be picked up by other people and shared across the world.
5. Young people often don't understand the ramifications of posting personal data about themselves and their friends to social networking sites. There have been a number of cases where the news media have used photos, comments and other material from these sites in reporting.
6. The increase in geo-tagged data is making it increasingly possible to track people - which most people see as an unwanted invasion of privacy. Possibility of creating a "tracking without consent" offence.
7. The EU has rules about the "processing" of geographical data. For example, if you wanted to collect location data for a person from a Twitter update, a Flickr photo and a Four-Square check-in and use it for some purpose, you would need to get the permission of that person, even though they'd already published that data themselves.
8. New Zealand can't set its own rules in isolation - we're too small to enforce them on the global internet. Instead we should be supporting international harmonisation, particularly with like minded countries such as those in the EU.
9. If a company collects personal information, stores it "in the cloud" and then the information leaks out, the Privacy Act seems to imply that the company wouldn't be responsible.
10. That the Privacy Act does not stop companies from sharing any private information with the Police for the purpose of stopping crime. No warrant is required.
11. Should companies have to notify people of a privacy breach? Does this apply to all types of personal information? Should it apply to all breaches (individual and en masse)? How would we know if people are honouring this provision?
12. Anonymising data is harder than everyone thinks - as shown by inadvertent leaks by AOL and Netflix.

Some tentative conclusions

Many organisations are collecting huge amounts of data in many ways across multiple jurisdictions and then making it available in a variety of ways. We can't control this, all we can do is control how organisations and people in New Zealand use the data that is collected. Some rules we might like to consider:

• aggregating data about a person from multiple sources should require the permission of the person.
• you can outsource your data processing, but you can't outsource your responsibility for the data be used and stored responsibly.
• banning or limiting the republishing of information about minors from social media sites.

There is no real way to control what people publish about their friends. We're going to need to rely on new social norms being developed.

We recently asked Customs whether they were able to do this and they replied that they could under the Customs and Excise Act (1996).

Looking for information

We'd like to find out more about what Customs are doing in this area. In particular we'd like to know what they're looking for, whether they're targeting anyone in particular, and what they do with the systems and data they seize.

Please contact us if this has happened to you or anyone you know. Please include as much detail as possible. We promise to respect your anonymity.

Of course, this assumes that the person involved actually has the password. It's quite common for someone running a system to not be able to break the encryption used by other users to secure their data. Will the courts understand that? And even if they understand that, will they believe it?

The United Kingdom has passed a similar law and has now jailed someone for refusing to give up passwords to encrypted data. It won't be a surprise to anyone that the first victim of a law that was designed to protect the people from terrorists and other serious dangers turns out to be a science hobbyist who appears to be no threat to anyone. This case is at least relatively simple - there is no doubt that the man does have the passwords, but he has chosen to maintain his right to silence even though the law has tried to remove that right.

The same provision in New Zealand's Search and Surveillance Bill is in direct contravention of the right to remain silent. You normally have the right not to answer questions from the police, and the right to choose not to testify in your defence in court. This right came into English law in the late 1600s after the abuses of the Star Chamber.

I believe that this clause is wrong in principle and unenforceable in practice. As such, it should be removed from the Search and Surveillance Bill before it comes law.

Update

Stephen Bell notified me that New Zealand passed the Counter Terrorism Bill in 2003 which already gave the Police powers to compel people to reveal passwords (he wrote about it at the time).

This bill added clause 198b to the Summary Proceedings Act 1957. This gives the power to compel the owner or someone responsible for a computer system to provide access to the information on it. The language in the Search and Surveillance Bill is obviously taken from this clause.

Of course, in the Summary Proceedings Act (1957) only a judge, magistrate or court register could grant a search warrant, and they could only grant them to a Police officer. The Search and Surveillance Bill allows the Attorney General to appoint anyone as being able to issue a search warrant, and they can be issued to members of a very large number of organisations.

The Law Foundation has done a useful analysis (PDF) of the conflict between this power and the common law principle that people do not have to incriminate themselves. Their conclusion is that such a power should be limited to the most serious matters such as counter-terrorism.