Archive for the ‘Privacy’ Category.

Google not guilty of privacy crime, your honour

The New Zealand Privacy Commissioner’s office has reportedly met with police to discuss a possible criminal investigation into Google’s controversial WiFi data collection. A civil investigation sure, but a criminal one? Really? I hope the police have rather more pressing matters.

But let’s do a quick judge-and-jury exercise. Two relevant laws are sections 252 and 216B of the Crimes Act 1961.

Section 252, which is often misunderstood and is broader than many people may think, prohibits unauthorised access to computer systems. However, based on the reported information, Google’s collection of WiFi data did not involve any kind of “access”, and prosecution under this section is unlikely.

Section 216B prohibits “intentionally [intercepting] any private communication by means of an interception device”. This crime appears most likely to be the subject for any investigation. The key definition of this section is “private communication”, defined in s 216A (which the Law Commission rightly described as “not straightforward” – NZLC IP14, 10.47):

private communication:

(a) means a communication (whether in oral or written form or otherwise) made under circumstances that may reasonably be taken to indicate that any party to the communication desires it to be confined to the parties to the communication; but

(b) does not include such a communication occurring in circumstances in which any party* ought reasonably to expect that the communication may be intercepted by some other person not having the express or implied consent of any party to do so.

It seems clear that Google’s activities amounted to “interception” by an “interception device”. Indeed, any cellphone, laptop computer, or even a tape recorder could be used for such activities and meet the Crimes Act definitions. But are WiFi transmissions “private communications”, as required under s 216B?

Let’s look at some known (or presumed) facts:

  1. All of the data was collected from public locations, specifically from public roads.
  2. The data was being actively transmitted into those public locations.
  3. The data collected was unencrypted (if it turns out encrypted data was collected, things might change).

These facts seem to exclude Google’s activities from part (a) of the definition. How was there any indication that “any party to the communication [i.e. the collected WiFi packets] desires it to be confined” when the WiFi data was being broadcast, in unencrypted form, to the public? And how would Google or anyone else be expected to know that? The question whether the users to whom the data belonged knew it was being publicly broadcast is not the issue. The issue is that a publicly broadcast, unencrypted WiFi communication does not (in this juror’s opinion) give a “reasonable indication” that the person making it “desires it to be confined”. If anything, it conveys the opposite.

Of course, if the collected data is able to be reconstructed into a communication that indicates confidentiality, that could raise further questions. However, that is not known, and may well be beyond the intended working of s 216B.

Part (b) of the definition provides another hurdle, although as the Law Commission has noted, it is problematic. It excludes communications that a party “ought reasonably to expect” may be intercepted. Cribbing from the Law Commission’s recent report “Invasion of Privacy: Penalties and Remedies” (stage 3 of its privacy review):

In Moreton v Police, William Young J noted that while public awareness has developed over time that cellphone communications are not particularly secure, this does not automatically give rise to an expectation that any particular call will be intercepted. While the method of communication used and public awareness of its security levels may not be determinative on their own, they will nevertheless be relevant to whether at least one of the parties has indicated a desire that the communication be confined to the parties, and to whether there is a reasonable expectation (by both parties) that the communication may be intercepted. …

We anticipate that the main areas of enquiry by the courts will be whether the actions of the parties disqualify their communication from being a private one, and whether any particular method of communication disqualifies a communication from being a private one. By “the actions of the parties”, we mean their conduct of the communication itself; for example, whether they are talking in a private room where they expect no one else can hear them, or talking loudly in a public place.

Judge David Harvey has said that listening in to a conversation on CB radio, or using a police scanner, would not be offences because no-one could reasonably expect the communications to be confined.

Putting aside multi-party complexities for now, this reasoning is applicable to WiFi communications. Today, isn’t using unencrypted WiFi like talking loudly in a public place, or using CB radio? Is the “openness” of unencrypted WiFi well known enough to remove an expectation of privacy? Time will tell, but to some extent the Google situation has shown that could well be the case (not that a person is able to benefit from their own wrong, of course).

Another question is whether WiFi data actually constitutes a “communication” within the definition of s 216A. The comments noted above, and the definition, assume a communication between two or more parties using similar technologies, akin to a conversation. It may be arguable that random WiFi packets collected on a drive-by do not constitute a “communication” capable of falling within the definition of s 216A.

“Intention” is another fundamental requirement (both in the definition and for criminal offences). Did Google intentionally intercept the communications? Intention must of course be proved, and this may not be as straightforward as it appears, with Google now blaming a “rogue engineer” for the data collection.

Based on the information to hand, this jury returns a verdict of not guilty, but with a recommendation of a good public flogging nevertheless (ably led by the Privacy Commissioner), to last until Facebook returns to being Privacy Enemy #1.

The debacle could prove timely, given the Law Commission’s recent review of such issues and the possible law changes that may result. But for now, let’s hope the police do not waste valuable resources on what would simply be a pointless witch-hunt.

Government getting better at not losing data

Around 120 Government-owned portable storage devices (PSDs) were lost in the past 12 months, according to the Privacy Commissioner. I don’t know how this ranks with other governments and large companies, but it is probably about average. PSDs will get lost. The question is what controls are in place to protect the data.

Last year, the Privacy Commissioner released a guidance note on PSDs. Now, the Privacy Commissioner has provided an update:

Government agencies have generally improved security around ‘portable storage devices’ (PSDs) such as USB memory sticks – but there are still some key agencies that have less than desirable controls.

This is based on a survey released this week (PDF, 4 MB) showing that two-thirds of government agencies have “adequate controls” compared to half last year. That there has been improvement is good, but it does raise the question: what are the other third doing? Controls on PSDs are common sense for government agencies, and not massively difficult to implement. There can be no excuse for not having 100% of agencies with measures in place next year.

The report did not cover data loss disclosure – which the Privacy Commissioner had raised last year – but it did note:

In almost all occasions, agencies became aware of the loss or theft of a PSD through staff notification.

However, at yesterday’s Privacy Forum in Wellington Sir Geoffrey Palmer confirmed mandatory data loss disclosure was on the Law Commission’s reform radar. From his speech:

Another subject on which we are contemplating some changes is data breach notification. We have examined closely the merits of introducing a mandatory data breach notification requirement into the Privacy Act. Currently holders of personal information, both public and private sector agencies, are under no legal obligation to notify individuals or the Privacy Commissioner when an individual’s personal information is compromised – if, for example, it is lost or obtained by computer hackers. … This means that agencies are not required to notify individuals whose personal information has been compromised, no matter how sensitive the information and no matter how serious the risk of harm that could be suffered as a result.

This is clearly an unsatisfactory state of affairs. Data disclosure rules are a common feature in the European Union, and the United States (which is sometimes wrongly criticised as having lax rules). The rules apply not only to the public sector, but private companies too. The Law Commission is taking submissions on this subject as part of its ongoing review process.

Privacy trends

Interesting results emerge from a survey released by the Privacy Commissioner yesterday. Among the findings:

  • 35% of respondents are more concerned about individual privacy than 2 years ago.
  • At the same time, “trust ratings” for most organisations holding personal data have increased since 2 years ago.
  • 78% of under-30s use social networking sites.
  • Approximately 57% of those users (estimated) believe social networking sites are “mainly private” places for sharing information.
  • 54% of respondents were concerned about what social networking sites use their personal information for.

One plausible interpretation is that at the same time we are becoming more aware and concerned about privacy issues, we are also becoming more ready to disclose information. This view would be supported by comments to a follow-up article at the NZ Herald website, which reported:

Facebook users who did not think they could protect their privacy outnumbered those who thought they could by four to one – and only one of them thought it was a bad thing.

There are several seemingly conflicting trends within this data, which bears out the overarching (and not entirely new) 64-million dollar conundrum of online privacy: people are willing to trade privacy for functionality, so to what extent should governments intervene? Do we need saving from ourselves?

The survey strongly confirms that New Zealanders do care about privacy, and a recent US survey confirmed the same in that country. Increasing education and awareness of privacy issues are key steps to empowering individuals to make their own, informed decisions, and New Zealand’s Privacy Commissioner is very much at the forefront of that process. It is also helpful when Facebook privacy concerns become front page news in our major daily newspaper (and not on a slow news day either).

Privacy über alles?

Germany’s Consumer Protection minister Ilse Aigner has weighed in on the debate over Facebook’s privacy policy, demanding that Facebook “revise its privacy policy without delay”. Her demands include that:

Private data may only be passed on and used for commercial purposes with the consent of the persons involved.

The problem with her complaint (at least in the way it is framed) is that Facebook’s privacy policy, not unreasonably, allows just that. Or, if it doesn’t (or didn’t previously) then Facebook has the right to change its terms of use (see clause 13). Facebook has already received “the consent of the persons involved”, at least regarding personal information about Facebook users, and can get further consent if necessary simply by changing its terms of use. The Latin phrase is volenti non fit injuria: no injury is done to a person who consents. (Of course, it’s informed consent that matters.)

And that’s the issue. Even if Facebook, or another popular site, included privacy-busting rules from day one, what is the likelihood there would be any lasting reaction from users? Very few users actually read website terms anyway. And even if people are vaguely aware of privacy issues, that still does not stop them from signing up if there is some perceived value. If people are willing to trade privacy for value, should the state intervene? Or even the United Nations (as has been mentioned by New Zealand’s Privacy Commissioner)? Compulsory privacy principles and voluntary best-practice standards on personal data storage, such as the new ISO standards for health records, are one thing. Intervening in freedom of contract is quite another.

As I have written previously, people cannot post things to social networks and still expect privacy. Social networks and other websites are very aware of the privacy issues, and the potential threat of regulation. The majority of a social networking site’s potential value lies in exploiting (in a commercial sense) the personal data that their armies of users happily supply every day. That is why it is in their own best interest to implement reasonably strong privacy policies without hamstringing their own motives, while of course listening to user pressure when necessary.

It would require a major co-ordinated global effort to impose uniform privacy regulation on social networks – which is why that will not happen. Instead, the social networks will, for the most part, stay one step ahead of well-meaning (and otherwise) crusading politicians, safe in the knowledge that their users will back them if it means a trade-off between their very real enjoyment of social networks and some intangible, hard-to-grasp privacy “benefit”.

It is somewhat ironic that the organisations being labeled (by some) as the worst abusers of privacy are quite possibly doing the most to define and shape the future of privacy law.

Privacy: a work in progress

The Law Commission has released its latest report on privacy law, Invasion of Privacy: Penalties and Remedies. This report (part 3 of 4) specifically deals with matters such as surveillance, interception of communications, and criminal and civil law.

A key recommendation is that “the tort of invasion of privacy recognised in Hosking v Runting should be left to develop at common law”. It is worth remembering that the Hosking case was only decided in 2004, and then only by a 3-2 judge majority – a very clear reminder that privacy law in this country is still in its most formative stages.

The recommendation to leave privacy law “to develop at common law” is the equivalent of kicking for touch – and in the circumstances, the only realistic option for the Commission. It is clear that much of the “real” privacy issues that will affect New Zealanders on an everyday basis will not be decided by New Zealand’s courts or the government. Rather, where Europe and the US go, New Zealand will have to follow. The increasingly connected nature of the world makes it futile to attempt to chart a different course. And in any case, there are benefits in following the lead of others, with far greater resources and innovation, in this area.

Another recent report, this time from the European Union, highlights just how far advanced Europe is, compared to New Zealand at least, in defining and developing privacy rights. With the terribly exciting name “Study on Online Copyright Enforcement and Data Protection in Selected Member States” (PDF), the report examined 6 EU states (not including the UK) and tells us:

  • “IP addresses are generally considered to be personal data” and therefore subject to privacy laws.
  • “IP addresses are generally considered to be traffic data, which means that they may only be processed in a limited number of circumstances and for specific purposes (such as billing, invoicing, etc.), and that consent is generally required to process them for other purposes (such as online copyright enforcement).”
  • “ISPs cannot store IP addresses for the specific purpose of online copyright enforcement (except in France, where retention for the purpose of making information available to the judicial authorities or to the Hadopi Commission [not dissimilar to NZ's s92A] is allowed).”
  • “The processing of IP addresses by ISPs to pass on infringement warning notices is generally prohibited or subject to strict restrictions (e.g., in France if the Hadopi Act is complied with).”
  • “The general monitoring of P2P networks by right holders resulting in the creation of a database of potential copyright infringers is usually prohibited.”
  • “The disclosure of P2P users’ identities by ISPs to right holders for civil enforcement is generally restricted by data protection law.”

This is a level of detail and analysis not yet seen in New Zealand. Of course, privacy law around the world is a rapidly developing area of law, policy and social issues (e.g. see my post Changing expectations of privacy). The EU report itself acknowledges that “many of the legal concepts and questions examined have not been the subject of authoritative decisions by courts or data protection authorities” (such as NZ’s Privacy Commissioner). But the decisions, policies, research and jurisprudence being developed in the EU will ultimately determine (or at least, strongly influence) the direction New Zealand takes.

Changing expectations of privacy

The BBC reports on how the expanding use of online social networking is redefining “reasonable expectations” of privacy for everyone. It cites Dr Kieron O’Hara of the University of Southampton:

“As more private lives are exported online, reasonable expectations are diminishing. When our reasonable expectations diminish, as they have, by necessity our legal protection diminishes”.

The reason is that the law attempts to balance the “reasonable expectations” of privacy with other considerations, such as freedom of information and free speech. In New Zealand, the Bill of Rights Act 1990, section 14, enshrines this freedom (as best it can, given the unsatisfactory state of that Act):

“14. Freedom of expression: Everyone has the right to freedom of expression, including the freedom to seek, receive, and impart information and opinions of any kind in any form”.

That right remains strong, but there is no doubt that “reasonable expectations” of privacy are rapidly shifting. In the article Dr O’Hara gives the example of an embarrassing photo taken at a party:

“A decade ago, he said, there would have been an assumption that it might be circulated among friends. But now the assumption is that it may well end up on the internet and be viewed by strangers.”

Another prime example is Google’s Street View. A decade or two ago there may have been some expectation of privacy when walking in the street (although as Katrine Evans of the University of Wellington, now Assistant Privacy Commissioner, notes there is a “considerable body of [precedent] which states that innocuous photographs of people in public places will not attract the protection of the common law”).

Today, Street View routinely photographs people in the streets; there is no doubt that this sort of occurrence will be a permanent part of our lives in some shape or form. Street View has various privacy measures in place (e.g. blurring faces) but there have been cases of people caught in compromising situations and a number of court cases have been fought or are pending.

A while ago I blogged (Don’t expect privacy in cyberspace) about a US case where a girl’s public MySpace rant – ostensibly intended only for her friends – was republished in a newspaper. She claimed a breach of privacy. The Court said:

“[The student's] affirmative act [of publishing her post on MySpace] made her article available to any person with a computer and thus opened it to the public eye. Under these circumstances, no reasonable person would have had an expectation of privacy regarding the published material”.

The US Court’s ruling was quite sensible; however, it highlights the point that not only are expectations of privacy rapidly changing, but the avenues for disseminating private information (and thereby possibly redefining what constitutes reasonable expectations) are also expanding. This is happening at the same time that the law in many common law jurisdictions (e.g. UK, US, Canada, Australia & New Zealand) is still relatively unsettled and developing. The societal changes of “the Facebook generation” have already been recognised in data loss / information security incidents, and are equally relevant in privacy law.

It is worth noting that in New Zealand’s current leading case on privacy (Hosking v Runting [2005] 1 NZLR 1) the actual existence of a tort of privacy was only accepted by a 3-2 decision. Since that time, other jurisdictions have expanded their privacy laws more liberally than the Hosking case’s relatively narrow scope. Most recently the 2008 Max Mosley case in the UK (argued on the basis of breach of confidence and “unauthorised disclosure of personal information”) has thrown up a number of related issues likely to be explored in a future New Zealand case.

For reasons of cost, substantial court cases involving breaches of privacy are rare. It seems likely that, whatever a “reasonable expectation” of privacy currently is, it will have changed again by the time the next case is argued.

Portable storage devices & data loss

The Privacy Commissioner recently released a Guidance Note on the Use of Portable Storage Devices. PSDs have been the cause of some major data-loss incidents around the world in recent years, although of course people will still drop notepads in the street or lose unencrypted disks in the post. The recommended steps:

  1. Assess the risks associated with using PSDs in your organisation.
  2. Introduce and actively communicate policies that set out how staff may use PSDs.
  3. Minimise the use of personal PSDs in the workplace.
  4. Introduce software or hardware controls (or both) to restrict use of PSDs.
  5. Actively monitor the use of PSDs for compliance with policies.

A relevant item to note following the launch of Windows 7 is the new BitLocker To Go extension for encrypting USB drives. For Windows users this would surely be a key policy to introduce.

In any case, technical measures, as always, will only be part of the picture. In matters of privacy protection, data loss and DRM, technical protections will only ever be playing catch-up. What overarches all of this – which the guidance note does not cover – is the observation from the UK’s 2008 Burton Report into the loss of Ministry of Defence data, that described a “Facebook generation” as having:

“a culture where the rapid and often uninhibited exchange of information is the norm… The younger generation of MoD staff are not inculcated with the same culture of protecting information as their counterparts from previous generations.”

Communicating the risks and liabilities (and documenting them in policies and contracts) is a step often overlooked.

Privacy for company director addresses

From October, the UK will be restricting access to the residential addresses of company directors on new registrations (and optionally for existing registrations).

At present – as in NZ – directors must disclose their residential addresses, although – unlike in NZ – a director may apply to have that information restricted on the grounds of possible attack. Soon, residential addresses will become “protected information” by default – only disclosable to credit reference agencies and certified authorities. There will also be an option to hide the residential address from even those authorities.

The change is apparently in response to increased privacy concerns and threats of violence against directors.

In New Zealand, the law requires that company directors disclose their residential address (e.g. section 215 of the Companies Act 1993, among other sections). There is no provision for withholding an address. Interestingly, our Companies Act also requires that founding shareholders provide a residential address (section 12(2)(c)), but not subsequent shareholders: section 87 only refers to “the latest known address” which, in the case of a person, could be a non-residential postal or even electronic address. Many companies I have dealt with and managed use a non-residential person-shareholder address.

It is probable that New Zealand will eventually go the way of the UK, although there has not been any call for it yet. Australia has a provision for suppressing directors’ residential addresses which would also be a possible model to adopt.

Is this a good idea? It depends on the purpose of showing a director’s residential address. Why do we really need to know that information? If the answer is to serve documents on a director, that can be easily achieved by allowing directors to be served:

  1. At an alternative “address for service” specified by the director (the new UK model); or
  2. At the company’s “address for service” which all companies must have anyway.

Provided we have one of the above options, the residential address isn’t really needed and should be able to be suppressed. This would be consistent with the UK and Australia, and also the approach under the Electoral Act 1993. The electoral roll is open for public inspection (though not electronically) and can be used to find a residential address, but with the ability for individuals to request suppression under section 115.

The Privacy Commissioner has guidelines suggesting a model similar to Australia’s, allowing suppression on request, although for some reason its report does not mention the Companies Act at all.

In the meantime, all company records including director addresses are open to full public inspection. Is there some other reason why it should stay? Openness and transparency are always good things, but if it is not necessary to disclose this personal information, should we?

Data loss & disclosure

Yet another survey, this time of New Zealand firms, confirms that data loss will be the single most important issue in IT for the near future. As reported by Computerworld, “58% of Australian and New Zealand companies suffered a data loss or breach that affected business performance”.

Interestingly, the Australia/New Zealand rate is above the US and global rates. This is despite New Zealand having very few reported incidents, while reported incidents in the UK and US seem to have reached near-epidemic levels. As the article reports, maybe this is because they are kept out of the press.

It is true that other countries have (or are implementing) mandatory data loss notification laws. Locally, the idea has been proposed by the Privacy Commissioner, which says there is a “good case” for such a law. However, this could be many years away. The issue is not currently on the Law Commission’s project list, which would probably be the first step to introducing such a law, and it is fair to say the Government has more important things to worry about at present.

It is inevitable, however, that we will implement such a law, and when we do we are likely to look to the UK as a model. The UK and EU have been particularly active in the area of data protection (for good reason). Last year, the UK passed a “reckless data loss law”, allowing their Data Protection Commissioner to impose fines on people or companies who:

“knew or ought to have known that there was a risk that [data loss] would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the [data loss].”

This could even extend to personal liability for a reckless sysadmin. Whether or not this is a good idea remains to be seen, as the law has been passed but is not yet in force. And unfortunately for victims, the UK Government gets to pocket the fine.

In the meantime, in this country the Privacy Commissioner should be the first stop for personal data loss issues. Beyond that, it is very much a matter of being careful about whom you entrust your personal information to – bearing in mind that whoever you give it to will almost certainly involve third party contractor access at some level.

Don’t expect privacy in cyberspace

A recent US case is a timely reminder that when you post information to a public website, you are likely to lose any expectation of privacy regarding the contents of that information. The principles of the case are broadly equivalent to the situation in New Zealand. But it also serves as a wider warning that when you entrust your information to another person (or company), you may be parting with any real control you have over that information.