Law and technology

The Law Commission has released its fourth and final report on privacy law. One of its key recommendations is data breach notification, or as the Commission puts it:

… notification should be mandatory in cases where notification will enable people to take steps to mitigate a risk of significant harm, or where the breach is a serious one (for example, because the information is particularly sensitive).

Notification should be made to the individual whose information has been compromised, and also to the Office of the Privacy Commissioner.

This would be a major – and welcome – change from the status quo, which is that agencies (e.g. companies holding personal information) are generally under no legal obligation (unless such obligation is assumed) to report data breaches. Sir Geoffrey Palmer commented on the situation last year:

Another subject on which we are contemplating some changes is data breach notification… Currently holders of personal information, both public and private sector agencies, are under no legal obligation to notify individuals or the Privacy Commissioner when an individual’s personal information is compromised – if, for example, it is lost or obtained by computer hackers. … This means that agencies are not required to notify individuals whose personal information has been compromised, no matter how sensitive the information and no matter how serious the risk of harm that could be suffered as a result.

(The Law Commission’s issues paper discussing data loss is here). The recommendation comes at the same time as the EU is grappling with imposing a uniform notification regime across member states.

A data breach notification regime, while imposing some compliance cost on organisations, is a necessary thing in today’s world.

Recently I had my own example of when such a regime might have been useful, when my bank informed me that I had “suspicious activity” on my credit card – a large transaction from Portugal. What was curious was that I had only had that card for a few months, and had not used it much at all (and not online at all). The card could have been physically copied somehow, but if one of the few merchants who I had used it with had lost the data via hacking, there is no obligation for them to advise me of the loss – nor any other information that may have been lost with it.

The example of credit cards was specifically mentioned by Law Commissioner Professor John Burrows in announcing the recommendation:

“People have a right to know if their information has been compromised in a serious way”, said Law Commissioner Professor John Burrows. “Then they can take measures to protect themselves (such as cancelling credit cards), or can at least prepare themselves for any consequences of the breach.”

It will be interesting to see how the details of such a regime are eventually formulated.

Details are continuing to emerge about Sony’s massive security breach, which has resulted in personal information of up to 77 million users, including New Zealanders, being stolen. It is unclear how much of the data was encrypted, although Sony has said that credit card information was encrypted.

The first lawsuits are already flying, and it has lost as much as 5% of its share price:

Late on Wednesday, Rothken Law Firm filed a lawsuit on behalf of an individual plaintiff named Kristopher Johns against Sony in the Northern District of California court.

“This suit seeks to redress Sony’s failure to adequately provide service to PlayStation consoles and PlayStation Network,” the lawyers for the plaintiff said in a court filing.

The plaintiff has requested the court to certify this case as a class action and has also sought unspecified monetary damages, according to the filing.

What protection is offered to New Zealanders affected by the breach? New Zealand’s privacy protection stacks up relatively well, as Auckland University Senior Lecturer Gehan Gunasekara has noted. The recent EU Working Party report on New Zealand’s privacy regime is available here. As the report notes:

4) Security principle: The controller must adopt appropriate technical and organisational measures against the risks presented by the processing. Any person acting under the authority of the controller, including the person in charge of processing, must not process data except on instructions from the controller.

The Working Party considers that principle 5 (Storage and security of personal information) covers the aspects required for the security principle. This principle is based on the OECD security safeguards principle and the wording is similar to the wording of article 17(1) and (2) of the Directive in that security measures must protect against loss, access, use, modification, disclosure and misuse. Agencies must do everything reasonably within their power to prevent unauthorised access and disclosure where information is given to a processor.

The Privacy Commission has previously investigated data loss caused by insecure computer systems (though obviously not on the probably unprecedented scale of Sony’s recent data loss). The Commission cannot impose fines or damages, although a complainant (or the Commissioner) can refer matter to the Human Rights Tribunal, which does have the ability to award damages for:

(a) pecuniary loss suffered as a result of, and expenses reasonably incurred by the aggrieved individual for the purpose of, the transaction or activity out of which the interference arose:

(b) loss of any benefit, whether or not of a monetary kind, which the aggrieved individual might reasonably have been expected to obtain but for the interference:

(c) humiliation, loss of dignity, and injury to the feelings of the aggrieved individual.

Remedies are also potentially available under negligence. However, this is very unlikely to occur in New Zealand, in large part because of the difficulties in bringing class actions as in the US. It is also likely that the relevant principles under the Privacy Act do not apply to information held overseas by Sony in this case. This is unfortunate, as it means that while US citizens are able to seek compensation from Sony, New Zealanders who have suffered the same inconvenience and harm have no practical remedy (whether under the Privacy Act 1993, or tort law, or negligence). Likewise, if Sony offers compensation to users whose data has been stolen, it may be able to avoid compensating New Zealand users without (direct) detriment.

It surely must be the case that, in future years, better and more accessible remedies will be available to New Zealand citizens who suffer loss of personal information as a result of egregious security lapses by agencies holding that information.

Stephen Bell of Computerworld recently outlined his views on the privacy bargain:

Another view, which I find more persuasive, is that when we make use of a service like Facebook, we enter a commercial bargain. Something very useful is provided to us free of charge and in exchange we cede something of our private selves to the providers, to be sold for whatever they can earn.

This is also my view, as I have written about here. Interestingly, Stephen got the view of the Privacy Commissioner:

I put this to Privacy Commissioner Marie Shroff. She suggests the bargain accepters are not as numerous as I believe, and in the wake of the Facebook and Google embarrassments, privacy champions are becoming a majority.

Yet what is happening is that companies such as Facebook and Google – who arguably stand to lose the most from pushing the privacy envelope a bridge too far – are themselves becoming the leading “privacy champions”, and shaping the future of privacy expectations and regulation at the same time. For example, Google has announced it will be undertaking biennial “independent privacy reviews to keep it on the straight and narrow”.

PR stunt? Window-dressing? Possibly, though assuming not then I think it is a very good idea. But the size and reach of Google means any practical changes will affect users around the world, and shift the goalposts of expectations and norms, years in advance of any regulation. And in the meantime, users will continue to flood to social networks and other systems – many of whom will never have known a world with any different processes or expectations of privacy.

How, then, might Government-imposed regulation be seen? Stephen sums it up very well:

There is a risk that the Privacy Commissioner and her staff might then be seen as the villains, keeping us from using new technology to smooth our businesses and lives because of their legalistic obsession with an abstract value.

The evidence to hand shows the privacy bargain has been well and truly been accepted, for better or for worse. The challenge for any regulation is to be seen as adding value (for citizens) to these bargains, not getting in the way of willing parties.

The Herald reports more details of the alleged privacy breach involving a Telecom database:

The scale of a Telecom security breach is becoming apparent with hundreds of thousands of customers at risk of having had their personal details searched.

Sales staff working for commercial rival Slingshot have told the Herald on Sunday they would use Telecom’s Wireline database more than a thousand times on some days.

The Privacy Commissioner’s office has also announced an investigation:

“At this early stage we understand from Telecom that the security breach related to the login details for one Telecom dealer and that login has since been deactivated,” said Ms Evans.

“We will need to investigate further to find out how this happened and whether Telecom needs to make any improvements to its data security practices to adequately protect customer information.”

A key question is how can one login be used sometimes more than than a thousand times a day, over a multi-year period, without being detected?

A criminal investigation is also likely. Possible charges for improperly accessing a database include:

• Accessing a computer system without authorisation (section 252 Crimes Act); and
• Accessing computer system for dishonest purpose (section 249 Crimes Act).

For criminal charges to stick, there must be the necessary criminal intent. A staff member who was told to use a database, and innocently did so with no idea that their access was not authorised, cannot be liable. Knowledge of improper access, or “reckless disregard”, is key.

The Privacy Commissioner’s office has also warned against the use of confidentiality agreements as “window dressing” for proper privacy protection. A confidentiality agreement cannot absolve third-party liability, but most of them do contain indemnity clauses, which can allow full (or nearly full) recovery of all losses and costs arising from a breach in appropriate circumstances.

NZPA reports:

A marketing company working for Telecom’s rival, Slingshot, has been accused of accessing the telco’s Wireline database, which contains personal customer information.

Telecom Retail CEO Alan Gourdie said the telco was investigating the accusation of potentially fraudulently activity, detailed in today’s Herald on Sunday.

“If our investigation confirms unauthorised access we will pursue all appropriate action.”

Access to Telecom Retail’s Wireline information requires passwords and pin numbers and should only be accessed by authorised personnel, he said.

While the initial investigation will be on the marketing company’s conduct (and perhaps into possible criminal conduct on the part of several parties), questions must also be asked of Telecom – which Privacy Commissioner Marie Shroff has said she will do.

Regardless of whether a security breach has occurred, even if by the marketing company having acted unlawfully (and neither of these facts are yet established), there are obligations on Telecom (and other “agencies” making data available to third parties) to take reasonable measures to safeguard personal information. This is not limited to preventing unauthorised disclosure, but includes preventing unauthorised access and use. It can also extend to ensuring that systems are properly designed to protect personal information.

The reports do not say how long the alleged improper access went on, but does report that it was “common practice” by multiple staff (now former staff), which suggests a long time frame. The reports indicate that the access was via a single login (now deactivated) of a legitimate user. Questions include:

• Were user logins (and failed logins) recorded?
• If so, were they ever audited and how?
• And if so, why was the improper use not detected?
• Did the database allow multiple simultaneous logins, and if so was this intended / appropriate?
• What password expiry regime (if any) was used for this database?
• What restrictions (if any) were placed on legitimate users to prevent them from disclosing login information?
• Were there any user warnings / confirmation processes as to appropriate use built into the database?
• Was only the minimum amount of personal information necessary made available in Wireline in the first place?
• Are there any other logins for this database, and other Telecom databases, showing unusual activity, which have not been adequately investigated?

Companies can and frequently do provide third-party access to their customer data. While proper contracts can ensure the commercial and legal aspects of these arrangements are appropriately documented, companies holding personal information must still be aware of their inherent obligations under the Privacy Act.

A recent case note issued by the Privacy Commissioner is a reminder that insecure website design is more than just a programming and credit card issue, but can result in potential privacy complaints. Credit card information was not involved in this particular incident – it was personal travel booking details instead:

A customer purchased travel related services from a company. The company sent him an email with a link to his booking details on its website. The customer noticed that the website URL link ended with his booking number. He observed that by changing the booking number, he could view booking details for other customers. He realised that other individuals would also be able to view his booking information.

The case note says that the travel company in question contacted its website design company, who fixed the problem very quickly.

Insecure URLs, or more specifically insecure query strings, are a prime cause of this type of disclosure. However, they are fundamental and somewhat trivial for competent web-designers to secure. In this case, it sounds as if the travel company acted responsibly, and was probably not aware of the flaw, instead relying on its website designer to build a reasonably secure site. If the travel company did suffer loss as a result of poor (insecure) website design, they may be able to seek compensation from the designer – this will depend on the contract between the travel company and the website designer. The travel company could also limit its liability to customers with an appropriate disclaimer (which could take into account that the website was designed by another firm), although it is not possible to exclude all liability in this manner.

Another, often overlooked, way for firms to gain some protection from these types of incidents is technology liability insurance offered by some insurers – for example, Lumley Insurance’s Technology Liability Insurance.

The recently-enacted Privacy (Cross-border Information) Amendment Act 2010 improves New Zealand’s privacy framework, but also highlights the challenges to privacy caused by the internet. The new law amends the Privacy Act 1993 in 2 main ways:

• It strengthens cross-border privacy co-operation by providing for the referral (by the Privacy Commissioner) of complaints to overseas authorities; and
• It establishes a “mechanism for controlling the transfer of information outside New Zealand where the information has been routed through New Zealand to circumvent the privacy laws of the country from where the information originated” – so, an anti-circumvention measure.

The cross-border co-operation provision is a small but good step. There are ongoing international privacy initiatives, such as the recent APEC Cross-border Privacy Enforcement Arrangement, and an essential aspect of any international arrangements is the ability for local authorities to interact with their foreign counterparts.

The anti-circumvention measure also assists in this regard, to prevent New Zealand being seen as a “privacy haven” – one that permits “data laundering” if you will . As the Privacy Commissioner Marie Shroff says:

Ensuring that European business and regulators see New Zealand as a safe place for information processing is important for New Zealand’s reputation.

The anti-circumvention measure was added as Part 11A of the Privacy Act 1993. Section 114B(1) states:

The Commissioner may prohibit a transfer of personal information from New Zealand to another State if the Commissioner is satisfied, on reasonable grounds, that:

(a) the information has been, or will be, received in New Zealand from another State and is likely to be transferred to a third State where it will not be subject to a law providing comparable safeguards to this Act; and

(b) the transfer would be likely to lead to a contravention of the basic principles of national application set out in Part Two of the OECD Guidelines and set out in Schedule 5A.

This provision will be useful, for example, to help promote New Zealand data centres hosting data for overseas clients. New Zealand firms who do host or receive data from overseas (it does not apply to New Zealand-sourced data) should have processes in place for ensuring that the “transfer” of data out of New Zealand can be halted if required by the Privacy Commissioner issuing a transfer prohibition notice.

But in the age of cloud computing, are things that clear-cut? Often, the cloud (or the internet in general) makes it hard to know just where data is located. A New Zealand firm may receive data from overseas, and “host” that data in its facilities, but if the New Zealand provider itself uses cloud-based storage, what appears to be data being hosted in New Zealand may in fact be hosted overseas again. A key benefit of cloud computing is that providers can (in theory) transfer data anywhere in the cloud seamlessly. Data can be divided to multiple places at once, and be transferred without notice at about the speed of light. In these situations, who on earth will know what information is where? All of which makes the language of section 114B(1) – “if information has been, or will be, received in New Zealand from another State” – sound rather quaint, as if they are dealing with courier packages.

The challenges of privacy controls in the cloud-era are well known. Just how much regulation is ultimately attempted, necessary or desirable remains to be seen, bearing in mind that most users are willing to trade privacy for functionality.

In a victory for common sense, and as I predicted three months ago, the police have cleared Google of committing “privacy crime” during its recent WiFi snooping incident. Detective Senior Sergeant John van den Heuvel makes a good point when he says:

Anyone using Wi-Fi needs to ensure they have appropriate security measures in place. People should not underestimate the risk that information they broadcast might be accessed by others, either inadvertently or for more sinister purposes.

The police (who, by the way, are busy using Google as a crime-fighting tool) have “referred the matter back to the Privacy Commissioner”, who will probably issue a statement rapping Google over the knuckles (again), and sensibly that will be the end of it. Google has faced a barrage of criticism for its actions and is unlikely to attempt a similar exercise in this country any time soon. But there is nothing stopping other, less PR-concerned outfits from doing so – a clear precedent (in prosecutorial practice if not in law) has now been set. And this is likely to cause issues in the future.

As the Law Commission’s recent report highlighted, there are a number of gaps and grey areas in New Zealand’s privacy and “surveillance” laws. Sooner or later these issues will need to be dealt with, but we are not alone in this regard. New Zealand is probably better off adopting a “wait and see” approach and following a principled approach to privacy based on international (particularly EU and US) standards.

Meanwhile, though, other countries are keeping the pressure on Google with Spain recently launching its own criminal investigation into the WiFi incident.

The New Zealand Privacy Commissioner’s office has reportedly met with police to discuss a possible criminal investigation into Google’s controversial WiFi data collection. A civil investigation sure, but a criminal one? Really? I hope the police have rather more pressing matters.

But let’s do a quick judge-and-jury exercise. Two relevant laws are sections 252 and 216B of the Crimes Act 1961.

Section 252, which is often misunderstood and is broader than many people may think, prohibits unauthorised access to computer systems. However, based on the reported information, Google’s collection of WiFi data did not involve any kind of “access”, and prosecution under this section is unlikely.

Section 216B prohibits “intentionally [intercepting] any private communication by means of an interception device”. This crime appears most likely to be the subject for any investigation. The key definition of this section is “private communication”, defined in s 216A (which the Law Commission rightly described as “not straightforward” – NZLC IP14, 10.47):

private communication:

(a) means a communication (whether in oral or written form or otherwise) made under circumstances that may reasonably be taken to indicate that any party to the communication desires it to be confined to the parties to the communication; but

(b) does not include such a communication occurring in circumstances in which any party* ought reasonably to expect that the communication may be intercepted by some other person not having the express or implied consent of any party to do so.

It seems clear that Google’s activities amounted to “interception” by an “interception device”. Indeed, any cellphone, laptop computer, or even a tape recorder could be used for such activities and meet the Crimes Act definitions. But are WiFi transmissions “private communications”, as required under s 216B?

Let’s look at some known (or presumed) facts:

1. All of the data was collected from public locations, specifically from public roads.
2. The data was being actively transmitted into those public locations.
3. The data collected was unencrypted (if it turns out encrypted data was collected, things might change).

These facts seem to exclude Google’s activities from part (a) of the definition. How was there any indication that “any party to the communication [i.e. the collected WiFi packets] desires it to be confined” when the WiFi data was being broadcast, in unencrypted form, to the public? And how would Google or anyone else be expected to know that? The question whether the users to whom the data belonged knew it was being publicly broadcast is not the issue. The issue is that a publicly broadcast, unencrypted WiFi communication does not (in this juror’s opinion) give a “reasonable indication” that the person making it “desires it to be confined”. If anything, it conveys the opposite.

Of course, if the collected data is able to be reconstructed into a communication that indicates confidentiality, that could raise further questions. However, that is not known, and may well be beyond the intended working of s 216B.

Part (b) of the definition provides another hurdle, although as the Law Commission has noted, it is problematic. It excludes communications that a party “ought reasonably to expect” may be intercepted. Cribbing from the Law Commission’s recent report “Invasions of Privacy: Penalties and Remedies” stage 3:

In Moreton v Police, William Young J noted that while public awareness has developed over time that cellphone communications are not particularly secure, this does not automatically give rise to an expectation that any particular call will be intercepted. While the method of communication used and public awareness of its security levels may not be determinative on their own, they will nevertheless be relevant to whether at least one of the parties has indicated a desire that the communication be confined to the parties, and to whether there is a reasonable expectation (by both parties) that the communication may be intercepted. …

We anticipate that the main areas of enquiry by the courts will be whether the actions of the parties disqualify their communication from being a private one, and whether any particular method of communication disqualifies a communication from being a private one. By “the actions of the parties”, we mean their conduct of the communication itself; for example, whether they are talking in a private room where they expect no one else can hear them, or talking loudly in a public place.

Judge David Harvey has said that listening in to a conversation on CB radio, or using a police scanner, would not be offences because no-one could reasonably expect the communications to be confined.

Putting aside multi-party complexities for now, this reasoning is applicable to WiFi communications. Today, isn’t using unencrypted WiFi like talking loudly in a public place, or using CB radio? Is the “openness” of unencrypted WiFi well known enough to remove an expectation of privacy? Time will tell, but to some extent the Google situation has shown that could well be the case (not that a person is able to benefit from their own wrong, of course).

Another question is whether WiFi data actually constitutes a “communication” within the definition of s 216A. The comments noted above, and the definition, assume a communication between two or more parties using similar technologies, akin to a conversation. It may be arguable that random WiFi packets collected on a drive-by do not constitute a “communication” capable of falling within the definition of s 216A.

“Intention” is another fundamental requirement (both in the definition and for criminal offences). Did Google intentionally intercept the communications? Intention must of course be proved, and this may not be as straight forward as it appears, with Google now blaming a “rogue engineer” for the data collection.

Based on the information to hand, this jury returns a verdict of not guilty, but with a recommendation of a good public flogging nevertheless (ably led by the Privacy Commissioner), to last until Facebook returns to being Privacy Enemy #1.

The debacle could prove timely, given the Law Commission’s recent review of such issues and the possible law changes that may result. But for now, let’s hope the police do not waste valuable resources on what would simply be a pointless witch-hunt.

Around 120 Government-owned personal storage devices were lost in the past 12 months, according to the Privacy Commissioner. I don’t know how this ranks with other governments and large companies, but it is probably about average. PSDs will get lost. The question is what controls are in place to protect the data.

Last year, the Privacy Commissioner released  a guidance note on PSDs. Now, the Privacy Commissioner has provided an update:

Government agencies have generally improved security around ‘portable storage devices’ (PSDs) such as USB memory sticks – but there are still some key agencies that have less than desirable controls

This is based on a survey released this week (PDF, 4 MB) showing that two-thirds of government agencies have “adequate controls” compared to half last year. That there has been improvement is good, but it does raise the question: what are the other third doing? Controls on PSDs are common sense for government agencies, and not massively difficult to implement. There can be no excuse for not having 100% of agencies with measures in place next year.

The report did not cover data loss disclosure – which the Privacy Commissioner had raised last year – but it did note:

In almost all occasions, agencies became aware of the loss or theft of a PSD through staff notification.

However, at yesterday’s Privacy Forum in Wellington Sir Geoffrey Palmer confirmed mandatory data loss disclosure was on the Law Commission’s reform radar. From his speech:

Another subject on which we are contemplating some changes is data breach notification. We have examined closely the merits of introducing a mandatory data breach notification requirement into the Privacy Act. Currently holders of personal information, both public and private sector agencies, are under no legal obligation to notify individuals or the Privacy Commissioner when an individual’s personal information is compromised – if, for example, it is lost or obtained by computer hackers. … This means that agencies are not required to notify individuals whose personal information has been compromised, no matter how sensitive the information and no matter how serious the risk of harm that could be suffered as a result.

This is clearly an unsatisfactory state of affairs. Data disclosure rules are a common feature in the European Union, and the United States (which is sometimes wrongly criticised as having lax rules). The rules apply not only to the public sector, but private companies too. The Law Commission is taking submissions on this subject as part of its ongoing review process.