Edited version of Thomas Beagle's opening remarks at the Privacy Panel at NetHui in Auckland on 11th July 2014.
Privacy isn’t dead. Yesterday at Nethui we were told that it’s too late for privacy, that it’s over. But the fact we’re all here and talking about it is a sign of just how wrong this is.
There’s no doubt that technology is changing how we think about privacy but it’s not as simple as saying that people these days are just giving it up willy-nilly. People don’t always get it right, but most have an intense interest in keeping certain pieces of information away from certain people.
Privacy is multi-faceted
I think it’s important to note that information privacy is not simple. People have many relationships – work, family, friends, doctors, government - and they need to be able to control who sees what and when.
Just because we give a piece of personal information to one of those, or they take it without asking, doesn’t mean that we’ve lost our privacy interest in that information. I might tell my doctor about my drug use, but still need to keep it secret from my family, employer and government.
Privacy is also about security
Part of this control is that for many people the debate about privacy is also about security. If you’re a teen questioning your sexuality in a conservative town, that information leaking out might be enough to get you beaten up or worse.
And at the same time, have you ever felt that sick feeling when someone you don’t trust has damaging information about you? What if it’s the government and they’re the ones paying you a benefit that is keeping your family fed? Information is power.
The surveillance demands of national security, the desire to know everything we’re doing, actually leads to many people feeling less secure because they don’t know what the government knows about them and they don’t know how they’re going to use that information.
That said, I’m optimistic about privacy.
When it comes to our digital peers such as friends and family we generally already have the tools to protect ourselves, even if we don’t always get it right.
If we look at the rest of the privacy problem, I split it up into three categories. The biggest risk is your own government, because they’re the ones that can put you in jail or deny you basic services. The second is the local companies you deal with to buy your power, your food, and so on. The third is the foreign companies such as Google and Facebook.
The good news is that in a democracy like New Zealand, we can control the first two. We can set limits on what data they collect and how they can use it and how they can share it. Maybe two out of three is actually good enough to say that we can continue to maintain our privacy in the internet age.
Limiting information use
And we can set those limits however we like. Some people seem to believe that once something is published, either by ourselves or leaked by others, that it’s fair game. I’d argue that just because something is out there doesn’t mean that it should be available for use.
There’s ample precedent for this: You’re not allowed to use the electoral roll for anything not to do with elections. Juries are told to ignore any information they may have learnt outside of the trial.
If we decide as a society that we don’t want the Ministry of Social Development to spy on beneficiaries on social media, we can change the law so that they are not allowed to. If we don’t want the GCSB to be able to apply for wide-ranging access authorisations to spy on New Zealanders - for our own protection of course – we can change the law so that they can’t. It’s up to us.
Changes to the law
I believe we do need changes to privacy law in New Zealand. The Privacy Act is a great base for us to work from but it needs works – and not just the new powers for the Privacy Commissioner.
It’s obvious that privacy controlled by opt-in click-through contracts doesn’t really work. I believe that the solution is to further ratchet up the baseline protections provided by the Privacy Act – and to close the law enforcement loophole.
Sadly, I fear that the government’s promised repeal and re-enactment of the Privacy Act will be going in the wrong direction. Thank you.
Dear Mr Key
This letter is partly in response to the findings of the Kitteridge report about the GCSB and their failures to follow the law, but is also mindful of the recent PRISM revelations about the actions of the NSA in the USA, as well as the mass spying revealed to have been carried out by the GCHQ in the United Kingdom. As disturbing as these revelations have been, we cannot help but be shocked that this surveillance was done in secret without the knowledge of the citizens of each country.
We assert that, as citizens of a democratic society, we have the right to know the methods that government agencies use to watch us. Without this knowledge we cannot assert our rights to put appropriate limits on their use.
The government has announced two new Bills for reforming the GCSB and expanding their powers. The first is the GCSB and Related Legislation Amendment Bill (PDF) and the second is the Telecommunications (Interception Capability and Security) Bill (PDF).
This article is a summary of the major parts of the TICS Bill.
The TICS Bill is a replacement for the Telecommunications (Interception Capability) Act 2004. This law forced communications providers (ISPs, telcos, data networks, etc) to provide "lawful intercept" capabilities so that the Police, SIS and GCSB could access communications once they had a suitable warrant. The new bill expands and clarifies these requirements.
However, the addition of the word "security" is the key to what has changed. The new bill now gives the GCSB sweeping powers of oversight and control over the design, deployment and operation of all data and telecommunications networks run by network providers in New Zealand. The stated reasons are to both protect New Zealand's infrastructure and to ensure that surveillance agencies can spy on traffic when required. As part of this, the GCSB will have the power to stop network providers from reselling overseas services that do not provide these capabilities.
Summary of major elements of the TICS Bill
From the Bill:
A network operator must ensure that every public telecommunications network that the operator owns, controls, or operates, and every telecommunications service that the operator provides in New Zealand, has full interception capability.
Note that the surveillance agencies still need to have a legally issued warrant (under the Search & Surveillance Act, NZ SIS Act, or GCSB Act) to actually intercept any communications and there are obligations to avoid capturing communications that are not covered by the warrant.
The new Bill splits communications providers into multiple classes, with small, wholesale and infrastructure providers having reduced obligations. Providers must either have a full intercept capability, to be "intercept ready", or to be "intercept accessible". Membership of these classes can be varied by direction of the Minister.
The Bill specifies that the law applies to companies whether based in New Zealand or overseas. It then goes on to give the Minister the power to ban the resale of an off-shore telecommunications service in New Zealand if it does not provide interception capabilities. This could stop the resale of foreign-hosted VPNs, instant message services, email, etc.
Finally, there is more detail about how intercepted data should be formatted and delivered (apparently this has caused problems under the existing law).
Encryption and decryption
Network operators must decrypt the intercepted communications if they have provided the encryption, but there is no obligation to do so if the encryption is provided by others.
What does this mean for providers such as Mega (file locker) or LastPass (password storage) who have a business model based on the fact that they supply a cloud product that uses encryption but have deliberately designed it so that they can not decrypt the files themselves? This gives users the assurance that they can trust them with their data. Will the government close them down unless they provide a backdoor into the system?
There is a major new role for the GCSB in overseeing the design and operation of commercially available data and voice communications networks.
The Bill says that network providers and the GCSB are to work co-operatively and collaboratively on identifying and addressing network risks. If they fail to cooperate sufficiently, the law provides for penalties of up to $500,000 with an additional $50,000 per day.
Network operators must notify the GCSB of any proposed decision, course of action or changes made by them in regards to purchases, network changes or ownership/control of the "specified security interest". This includes their network operations centre (NOC), lawful intercept equipment, customer databases, databases of user accounts, and "any place where data aggregates in large volumes".
The GCSB can also demand any other information about the security and interception capabilities of the network including copies of contracts, specifications, and so on. That the information is commercially sensitive or held in confidence is not a defense.
All network operators will have to register themselves with the government. The register will be administered by the Police and available to the Police, SIS and GCSB.
The register will include the numbers of customers, names of responsible contact people within the organisation, the regions they operate in and the types of services they provide. Providers of infrastructure services (e.g. companies that provide fibre links but not the equipment for communicating over those links) will also have to give the names of their customers to the register. There are penalties for non-compliance.
The government can insist that communications providers must obtain secret-level security clearances for some of their staff. It does not say what will happen if none of the technical staff qualify for a security clearance.
Liability and protecting classified information
People who do any act in good faith under the new law will be protected from subsequent prosecution or lawsuits. i.e. the new law is superior to other NZ laws or existing contracts.
There is also a provision that allows the courts to receive classified information in a court case in the absence of the defendant or the defendant's lawyer. This applies to information that might reveal details of the interception methods used by the surveillance agency or is about particular operations in relation to any of the functions of the surveillance agency, or is provided as secret information from the surveillance agencies of another country. It can also be used if that disclosure would prejudice security of NZ, prejudice the maintenance of law, or endanger the safety of any person. The judge in the case can appoint someone with an appropriate security clearance to represent the interests of the defendant for these parts of the trial.
Analysis and comment
The new TICS Bill is a major expansion of government power over the internet and other communications networks in New Zealand. While the existing TICA Act already mandated the provision of lawful intercept capabilities, handing over final control of network design and operation to the GCSB in the name of "security" seems incredibly wide and open ended.
Adding an additional level of government bureaucracy to the design and operation of these systems would appear to be a fairly significant hindrance to the ability of network operators to run their businesses.
There also must be concern about the GCSB being able to ban the resale of any services that do not provide lawful intercept capability. This means that New Zealanders will be prevented from protecting their communications from the New Zealand government - but equally they will be prevented from protecting their communications from foreign governments too. (We can safely assume that a foreign service that gives access to the NZ govt will also provide it to others.) These rules could wipe out businesses such as file lockers and password stores that rely on providing secure storage to their users.
One must ask where the justification for this expansion of power is coming from. Has New Zealand already been materially affected by attacks on our communications infrastructure? It seems clear that while the GCSB may not be that competent at exercising the powers they already have, they have done a fine job of convincing the government that they can handle a lot more.
There are many other parts of concern and there will need to be more analysis of the interception capabilities in conjunction with the new GCSB bill. One that does stick out as particularly offensive to civil liberties are the provisions for convicting people based on secret evidence. How can you defend yourself fairly when you can't even find out the evidence presented against you?
We will be doing further work on analysing this bill and would welcome contributions, particularly from those within the industry who already have experience working with TICA requirements.
The NZ Police are continuing to expand their use of technology to watch and track people in New Zealand. We've already discussed automated number plate recognition, but information has emerged about two new initiatives:
The first is Signal - a tool used to scan and collate publicly availably data from multiple social media sites such as Twitter, Facebook and Youtube. This data can then be analysed to establish connections between people and events, and was used during the Rugby World Cup to monitor both boy racers and political protesters.
The second is the trialling of aerial surveillance drones. As part of the trials they have already been used in some Police investigations.
We're not reflexively opposed to the NZ Police using tools to do their job better, but we do have some concerns about how they can be used to infringe our rights to go about our lawful business without unwarranted surveillance and tracking. We believe that it is not healthy in a democratic society for our every movement and action to be monitored, stored and analysed by the government.
We've made requests to the Police for more information about both of these initiatives and will report more once we receive it.
One thing that is of concern is that the Police seem to be being quite secretive about their use of technology. It seems that they wait for someone to find out about it before releasing information in dribs and drabs, sometimes after prompting from the Ombudsman. If the Police aren't proud of what they're doing to more efficiently fight crime, perhaps they shouldn't be doing it at all.
A second concern is that our laws, even including the new Search & Surveillance Act, might already be out of date when it comes to the Police use of such technology. For example, are there any controls on amassing publicly available data to such an extent that modern data analysis software can make some assumptions about very private behaviour?
We'd like to see two things:
- The NZ Police taking a more proactive role in disclosing what they are doing and how they are doing it. They may even wish to do more consulting with community groups and watchdogs such as Tech Liberty and the NZ Council for Civil Liberties.
- Work on a new set of standards and principles to inform the Police's (and other agencies) use of new technology and "big data" systems. These should cover data integrity, retention, security, auditing and notification. This is something that Tech Liberty is currently working on.
One of the most common topics of the emails we receive at Tech Liberty is the placement of video cameras. People worry about them where they work, in the street, and on their neighbour's properties.
This guest post is from Yuri Wierda, a licensed security consultant, and he's concerned about the increasing popularity of security cameras in public toilets:
I have personally refused to install cameras in toilets and have talked a few clients out of doing it. I believe cameras in toilets are immoral and may be illegal. Part of my responsibility when advising people on security is ensuring that they themselves don't break the law.
The argument for cameras in toilets has been that it reduces vandalism.
While there may be signs advising people that there is a camera I do not believe that it justifies it or complies legally. There are several situations where signs will not provide informed consent.
- Someone may get changed in the toilet and not see the sign.
- Someone may be blind or illiterate.
- Someone may be intellectually disabled.
- Children may be visiting the toilet unaccompanied.
This creates several privacy and legal issues:
- The intellectually disabled and children CANNOT legally provide consent to being filmed in the nude or partly clothed. Toilets are places where people adjust their clothing and may be partially clothed. Children and intellectually disabled people will not expect there to be a camera filming them. Filming such an event is illegal (s216G to s216N of the Crimes Act) and potentially can (and should) result in serious criminal charges.
- People who have not seen the sign or were unable to read it cannot provide informed consent.
I am appalled that the police has provided advice that it is not illegal.
See update at end of post.
We've been keeping an eye on the NZ Police trials of ANPR (automated number plate recognition - read our explanation).
The main civil liberties issue with this technology is that the system stores the time and location of the license plate check. Once enough of these systems are deployed they can be used to track people by following vehicle movements, as is being done by a number of other countries. We believe that, at a minimum, there should be some controls on how this data is stored and used, for example by having to apply for a tracking warrant.
The Police themselves have been sending out mixed messages about whether they're keeping the information and whether they'll be using it for tracking, as documented by our article. At the end of that article we said we were seeking further clarification from the Police.
Police confirm they're not keeping ANPR data for tracking
We have now received a letter (PDF) from Superintendent Carey Griffiths in which he explains:
All three patrol cars and one of the vans have the capacity to store information for up to a two or three day period depending upon operational use. In general the information is not stored for any longer than a shift period which can vary from an eight hour to a ten hour shift.
One of the [two] vans has a system known as BOSS ( Back Office System Software) and this system has the capability to store information for a longer period ... The BOSS system settings have recently been amended, and the information is now only stored for a maximum of 48 hours.
It seems clear from this that the Police will not be keeping the ANPR data.
Police believe they can't track without a warrant
Furthermore, Superintendent Griffiths goes on to say that:
Police considers that with so few cameras, the technology cannot be used to "track" vehicles. In any event, Police cannot track vehicles other than in accordance with the Search & Surveillance Act 2012.
This contrasts strongly with what the Police said in a letter from December 2011:
There is no requirement for police to apply for a warrant for any ANPR information as it is gathered in a public place.
This change in attitude is quite interesting. The Search & Surveillance Act only refers to getting a warrant for tracking when it involves the use of a tracking device (s46). We initially took this to refer to getting a warrant to allow the installation of a "bug" on the car or person to be tracked.
However, tracking device is defined as "a device that may be used to help ascertain, by electronic or other means ... the location of a thing or a person".
Could one define an ANPR system as a tracking device and would the Police then have to get a warrant to use it to track people? It seems that the Police now think it would. The same argument would also seem to apply to using mobile phones to track people.
In our opinion this interpretation would fit in both with the purpose of the Act and the requirements in a civil society for oversight of the use of this type of mass surveillance.
We're pleased that the Police are not attempting to implement the sort of pervasive people/vehicle tracking systems that are becoming popular in some overseas jurisdictions. We do not think that this sort of police state behaviour has any place in a free and democratic New Zealand.
Furthermore, after some problems with illegal surveillance in recent years, it's good to see that the Police are taking their responsibilities under the Search & Surveillance Act seriously.
We will continue to monitor the Police use of ANPR technology and look forward to receiving copies of the assessment from the Privacy Commissioner and the final Police report into their test ANPR deployment.
Update 5th August 2013
The Police have announced they will be deploying new red-light and speed cameras. We asked them if these new cameras would support ANPR. Their response:
There are no current plans to deploy either digital red-light cameras or speed cameras that support Automatic Number Plate Recognition.
The main civil liberties issue is that the system stores the time and location of the license plate check. Once enough of these systems are deployed they can be used to track people by following vehicle movements. We believe that, at a minimum, there should be some controls on how this data is stored and used, for example by having to apply for a tracking warrant.
Nothing to fear?
The Police were represented on Close Up by Superintendent Carey Griffiths who said that these fears were incorrect: "The system we are using here, we don't retain the data."
He went on to say: "Most of the cameras and systems we use drop it off at the end of the shift. We're certainly not using it for data mining."
"Details of vehicle movements captured during ANPR deployments will be retained on a secure Police database."
What sort of data is stored?
"The time, data and a photograph of all vehicles passing the ANPR camera is stored." and "Yes it will include the location or where the device was deployed."
And will they be used for tracking?
"Police may search the stored data if there is a belief that there may be information relation to a crime; e.g. where a serious crime has taken place and Police are looking for an offender's vehicle."
And do the Police think they need a warrant to track people in this way?
"There is no requirements for police to apply for a warrant for any ANPR information as it is gathered in a public place."
The big question
Who is correct - Superintendent Carey Griffiths, Road Policing Manager, who just appeared on Close Up or Superintendent Paula Rose, National Manager Road Policing, who wrote to us in March and December 2011?
Has the policy changed in the meantime? Was Superintendent Paula Rose incorrect? Or has Superintendent Carey Griffiths been misleading us all on national TV?
Edit (19/8/2012): We have written to the Commissioner of Police to ask for an explanation and will report back with any answer we get.
ANPR stands for automated number plate recognition.
It’s a camera that can automatically recognise and read license plates on cars and then checks them against a central database. If the plate matches a “vehicle of interest”, the police can then decide to pull over the car and talk to the driver. ANPR cameras are typically deployed in police cars and in fixed installations by the side of the road.
The current state of ANPR in New Zealand
[Edit: there is some inconsistency between the information available over multiple letters from the Police and that reported in Police News.]
[Edit 2: Superintendent Carey Griffiths has denied that the Police will be storing the ANPR data and using it for tracking. We have asked the Police Commissioner for clarification.]
According to the June 2012 edition of Police News, the NZ Police have been trialling ANPR since 2009. This has involved four mobile ANPR units which are not that sophisticated in that they need two people to operate them (one to drive, one to watch the screen).
In theory the trial ended in January 2012 but it is our understanding from Police News that they are still using the current four ANPR vehicles (2 in Auckland, 1 in Waikato/Eastern and 1 in Christchurch/Southland) and are looking at deploying another couple.
We have requested copies of reports about the trial and any recommendations about further deployment of ANPR systems.
Thanks an OIA request by Alex Harris we also have a draft copy of the ANPR manual. There is also an associated letter where the Police report that the trial began in 2010 and has consisted of only two units for a limited time in Counties Manukau and Wellington, with them currently deployed in Counties Manukau and Waitemata.
The Police answer questions about ANPR
Some questions and answers from letters to the police about ANPR (questions are ours, answers are from the Police):
Q. What data is stored with each record (e.g. location, time of day, etc)?
A. The time date and a photograph of all vehicles passing the ANPR camera is stored.
Q. Will this information include the location of the ANPR device at the time of the lookup?
A. Yes it will include the location of where the device was deployed.
Q. How long will the data for each captured license plate be kept for?
A. Data of vehicle movements captured during ANPR deployments will be retained on a secure Police database. In time this information may be deleted with it is no longer required for the purpose it was obtained. Police may search the stored data if there is a belief that there may be information relating to a crime.
Q. Are the police considering using the information stored in the ANPR database to track vehicles?
A. The ANPR system alerts police to vehicles that are a vehicle of interest to police recorded in the vehicles of interest database.
Q. If so, do the police believe they would need to apply for a warrant to use the information in this way?
A. There is no requirement for police to apply for a warrant for any ANPR information as it is gathered in a public place.
Why does ANPR make us worried?
If ANPR was simply used by the police to help find people they are actively looking for, we’d probably have no argument against it.
The problem is that it’s more than just a simple database lookup. That central database isn’t just responding to queries, it’s also storing the date, the time and the place for every car that passes the ANPR camera.
So the police end up with a very big database of car sightings – which gives them the ability to track the movements of any car they wish. Even more worrying is that they can keep this data for as long as they like and therefore “go back in time” by entering queries for any day since the database was started.
The technology is rapidly getting cheaper and could easily end up deployed in every police car and in fixed places around major cities and roads, allowing for near total coverage.
There are three types of harm that can come from creating a new database like this:
- An inappropriate extension of police power that might be used badly. e.g. the Police use it to spy on political activists who are engaged in peaceful protest, breaching their rights to privacy and freedom from Police surveillance.
- Extension to other government departments. e.g. could CYFS access the database to determine that you are feeding your children badly because you park near the local McDonalds each day?
- Improper use. A police officer using it to stalk someone for their own reasons.
Tracking used to be hard
Tracking someone used to be hard and expensive but ANPR is going to make it easy and cheap. With ANPR you don't need a whole team of people, you don't need to install a GPS tracking device, you don't need to get a court order to access mobile phone data - you just install ANPR devices everywhere and then ask the database about whoever you like.
More to the point, you also don’t need to change any laws or apply for a surveillance warrant to install a tracking device – you can just start doing it.
It’s the sort of information that a totalitarian regime would love to have. But is it the sort of information that we want our government to have about everyone?
Shouldn't we talk about what sort of controls we might want to impose if such a system is implemented?
Are we going to end up with this system watching our every move without even any public debate about it?
The government is your friend and wants you to be happy.
This is the transcript of a speech given by Thomas Beagle at Kiwicon in Wellington on November 6th, 2011.
An interview with Ross from Cyberdodge, a supplier of VPN services that enables internet users to hide what they do on the internet.
What inspired you to offer the service?
People will always choose the easiest way to get the latest movies and TV shows and downloading off the internet is it. Unfortunately options are now limited to VPN tunnels not only for p2p but also for using an American IP address to get access to TV sites like www.hulu.com.
Are you getting many customers and what do they want it for?
Yes I am. VPN tunnels have a number of uses that include getting an American IP address to watch tv sites such as hulu.com, encrypt internet traffic when they are using a public WiFi point and of course hiding their real IP address.
How do you feel about the fact that some of your customers will probably be using your service to break NZ law?
What sort of information do you keep about your customers?
We only keep the email address.
What sort of information do you keep about your customers connections? (Such as when they connect, how long they connect for, anything they do through the service.)
We do not log what the user does or transfers over our network but we do log the time of connection and disconnection. We use this data to strategically deploy network resources. We also log the country the user is logging in from, this helps us to detect hijacked accounts and abuse. We do not log IP addresses.
Do you think your business has an obligation under the Telecommunications (Interception Capability) Act to allow the NZ police or other enforcement agencies to monitor traffic?
No, I am not a network operator. A network operator means a person who owns, controls, or operates a public telecommunications network or a person who supplies (whether by wholesale or retail) another person with the capability to provide a telecommunications service. CyberDodge does not provide anyone else with the capability to provide a service and CyberDodge is not a public telecommunications network. Public telecommunications network means a public switched telephone network and a public data network. CyberDodge is not a public switched telephone network nor a public data network. A public data network means a data network used, or intended for use, in whole or in part, by the public and includes, without limitation, the following facilities: Internet access and email access. CyberDodge requires that you have internet and email access already. This law applies to ISPs, which CyberDodge is not.
Do you think your business has an obligation under the Copyright (Infringing File Sharing) Act to store customer IP addresses so that you can pass on notices?
No, I am not a IPAP. IPAP, or Internet protocol address provider, means a person that operates a business that, other than as an incidental feature of its main business activities, offers the transmission, routing, and providing of connections for digital online communications, between or among points specified by a user, of material of the user's choosing and allocates IP addresses to its account holders and charges its account holders for its services and is not primarily operated to cater for transient users. CyberDodge does not offer the transmission nor providing of connections for digital online communications. CyberDodge only routes digital online communications. This law applies to ISPs and CyberDodge is not a ISP.