Category Archives: Privacy

Privacy trends

Posted on by
Reply

Interesting results emerge from a survey released by the Privacy Commissioner yesterday. Among the findings:

  • 35% of respondents are more concerned about individual privacy than 2 years ago.
  • At the same time, “trust ratings” for most organisations holding personal data have increased since 2 years ago.
  • 78% of under-30s use social networking sites.
  • Approximately 57% of those users (estimated) believe social networking sites are “mainly private” places for sharing information.
  • 54% of respondents were concerned about what social networking uses their personal information for.

One plausible interpretation is that at the same time we are becoming more aware and concerned about privacy issues, we are also becoming more ready to disclose information. This view would be supported by comments to a follow-up article at the NZ Herald website, which reported:

Facebook users who did not think they could protect their privacy outnumbered those who thought they could by four to one – and only one of them thought it was a bad thing.

There are several seemingly conflicting trends within this data, which bears out the overarching (and not entirely new) 64-million dollar conundrum of online privacy: people are willing to trade privacy for functionality, so to what extent should governments intervene? Do we need saving from ourselves?

The survey strongly confirms that New Zealanders do care about privacy, and a recent US survey confirmed the same in that country. Increasing education and awareness of privacy issues are key steps to empowering individuals to make their own, informed decisions, and New Zealand’s Privacy Commissioner is very much at the forefront of that process. It is also helpful when Facebook privacy concerns becomes front page news on our major daily newspaper (and not on a slow news day either).

More local coverage of this issue:

Privacy über alles?

Posted on by
Reply

Germany’s Consumer Protection minister Ilse Aigner has weighed in on the debate over Facebook’s privacy policy, demanding that Facebook “revise its privacy policy without delay”. Her demands include that:

Private data may only be passed on and used for commercial purposes with the consent of the persons involved.

The problem with her complaint (at least in the way it is framed) is that Facebook’s privacy policy, not unreasonably, allows just that. Or, if it doesn’t (or didn’t previously) then Facebook has the right to change its terms of use (see clause 13). Facebook has already received “the consent of the persons involved”, at least regarding personal information about Facebook users, and can get further consent if necessary simply by changing its terms of use. The Latin phrase is volenti non fit injuria: no injury is done to a person who consents. (Of course, it’s informed consent that matters.)

And that’s the issue. Even if Facebook, or another popular site, included privacy-busting rules from day one, what is the likelihood there would be any lasting reaction from users? Very few users actually read website terms anyway. And even if people are vaguely aware of privacy issues, that still does not stop people from signing up if there is some perceived value. If people are willing to trade privacy for value, should the state intervene? Or even the United Nations (as has been mentioned by New Zealand’s Privacy Commissioner)? Compulsory privacy principles and voluntary best-practice standards on personal data storage, such as the new ISO standards for health records, is one thing. Intervening in freedom of contract is quite another.

As I have written previously, people cannot post things to social networks and still expect privacy. Social networks and other website are very aware of the privacy issues, and the potential threat of regulation. The majority of a social networking site’s potential value lies in exploiting (in a commercial sense) the personal data that their armies of users happily supply every day. That is why it is in their own best interest to implement reasonably strong privacy policies without hamstringing their own motives, but of course listening to user pressure when necessary.

It would require a major co-ordinated global effort to impose uniform privacy regulation on social networks – which is why that will not happen. Instead, the social networks will, for the most part, stay one step ahead of well-meaning (and otherwise) crusading politicians, safe in the knowledge that their users will back them if it means a trade off between their very real enjoyment of social networks, and some intangible, hard-to-grasp privacy “benefit”.

It is somewhat ironic that the organisations being labeled (by some) as the worst abusers of privacy are quite possibly doing the most to define and shape the future of privacy law.

Privacy: a work in progress

Posted on by
Reply

The Law Commission has released its latest report on privacy law, Invasion of Privacy: Penalties and Remedies. This report (part 3 of 4) specifically deals with matters such as surveillance, interception of communications, and criminal and civil law.

A key recommendation is that “the tort of invasion of privacy recognised in Hosking v Runting should be left to develop at common law”. It is worth remembering that the Hosking case was only decided in 2004, and then only by a 3-2 judge majority – a very clear reminder that privacy law in this country is still in its most formative stages.

The recommendation to leave privacy law “to develop at common law” is the equivalent of kicking for touch – and in the circumstances, the only realistic option for the Commission. It is clear that much of the “real” privacy issues that will affect New Zealanders on an everyday basis will not be decided by New Zealand’s courts or the government. Rather, where Europe and the US go, New Zealand will have to follow. The increasingly connected nature of the world makes it futile to attempt to chart a different course. And in any case, there are benefits in following the lead of others, with far greater resources and innovation, in this area.

Another recent report, this time from the European Union, highlights just how far advanced Europe is, compared to New Zealand at least, in defining and developing privacy rights. With the terribly exciting name “Study on Online Copyright Enforcement and Data Protection in Selected Member States” (PDF), the report examined 6 EU states (not including the UK) and tells us:

  • “IP addresses are generally considered to be personal data” and therefore subject to privacy laws.
  • “IP addresses are generally considered to be traffic data, which means that they may only be processed in a limited number of circumstances and for specific purposes (such as billing, invoicing, etc.), and that consent is generally required to process them for other purposes (such as online copyright enforcement).”
  • “ISPs cannot store IP addresses for the specific purpose of online copyright enforcement (except in France, where retention for the purpose of making information available to the judicial authorities or to the Hadopi Commission [not dissimilar to NZ's s92A] is allowed).”
  • “The processing of IP addresses by ISPs to pass on infringement warning notices is generally prohibited or subject to strict restrictions (e.g., in France if the Hadopi Act is complied with).”
  • “The general monitoring of P2P networks by right holders resulting in the creation of a database of potential copyright infringers is usually prohibited.”
  • “The disclosure of P2P users’ identities by ISPs to right holders for civil enforcement is generally restricted by data protection law. “

This is a level of detail and analysis not yet seen in New Zealand. Of course, privacy law around the world is a rapidly developing area of law, policy and social issues (e.g. see my post Changing expectations of privacy). The EU report itself acknowledges that “many of the legal concepts and questions examined have not been the subject of authoritative decisions by courts or data protection authorities” (such as NZ’s Privacy Commissioner). But the decisions, policies, research and jurisprudence being developed in the EU will ultimately determine (or at least, strongly influence) the direction New Zealand takes.

Changing expectations of privacy

Posted on by
Reply

The BBC reports on how the expanding use of online social networking is redefining “reasonable expectations” of privacy for everyone. It cites Dr Kieron O’Hara of the University of Southhampton:

“As more private lives are exported online, reasonable expectations are diminishing. When our reasonable expectations diminish, as they have, by necessity our legal protection diminishes”.

The reason is that the law attempts to balance the “reasonable expectations” of privacy with other considerations, such as freedom of information and free speech. In New Zealand, the Bill of Rights Act 1990, section 14, enshrines this freedom (as best it can, given the unsatisfactory state of that Act):

“14. Freedom of expression: Everyone has the right to freedom of expression, including the freedom to seek, receive, and impart information and opinions of any kind in any form”.

That right remains strong, but there is no doubt that “reasonable expectations” of privacy are rapidly shifting. In the article Dr O’Hara gives the example of an embarrassing photo taken at a party:

“A decade ago, he said, there would have been an assumption that it might be circulated among friends. But now the assumption is that it may well end up on the internet and be viewed by strangers.”

Another prime example is Google’s Street View. A decade or two ago there may have been some expectation of privacy when walking in the street (although as Katrine Evans of the University of Wellington, now Assistant Privacy Commissioner, notes there is a “considerable body of [precedent] which states that innocuous photographs of people in public places will not attract the protection of the common law”).

Today, Street View routinely photographs people in the streets; there is no doubt that this sort of occurrence will be a permanent part of our lives in some shape or form. Street View has various privacy measures in place (e.g. blurring faces) but there have been cases of people caught in compromising situations and a number of court cases have been fought or are pending.

A while ago I blogged (Don’t expect privacy in cyberspace) about a US case where a girl’s public MySpace rant – ostensibly intended only for her friends – was republished in a newspaper. She claimed a breach of privacy. The Court said:

“[The student's] affirmative act [of publishing her post on MySpace] made her article available to any person with a computer and thus opened it to the public eye. Under these circumstances, no reasonable person would have had an expectation of privacy regarding the published material”.

The US Court’s ruling was quite sensible, however it highlights the point that not only are expectations of privacy rapidly changing, but the avenues for disseminating private information (and thereby possibly redefining what constitutes reasonable expectations) are also expanding. This is happening at the same time that the law in many common law jurisdictions (e.g. UK, US, Canada, Australia & New Zealand) is still relatively unsettled and developing. The societal changes of “the Facebook generation” has already been recognised in data loss / information security incidents, and is equally relevant in privacy law.

It is worth noting that in New Zealand’s current leading case on privacy (Hosking v Runting [2005] 1 NZLR 1) the actual existence of a tort of privacy was only accepted by a 3-2 decision. Since that time, other jurisdictions have expanded their privacy laws more liberally than the Hosking case’s relatively narrow scope. Most recently the 2008 Max Mosley case in the UK (argued on the basis of breach of confidence and “unauthorised disclosure of personal information”) has thrown up a number of related issues likely to be explored in a future New Zealand case.

Due to reasons of cost, substantial court cases involving breaches of privacy are rare. It seems likely that, whatever currently a “reasonable expectation” of privacy is, it will have changed again by the time the next case is argued.

Portable storage devices & data loss

Posted on by
Reply

The Privacy Commissioner recently released a Guidance Note on the Use of Portable Storage Devices. PSDs have been the cause of some major data-loss incidents around the world in recent years, although of course people will still drop notepads in the street or lose unencrypted disks in the post. The recommended steps:

  1. Assess the risks associated with using PSDs in your organisation.
  2. Introduce and actively communicate policies that set out how staff may use PSDs.
  3. Minimise the use of personal PSDs in the workplace.
  4. Introduce software or hardware controls (or both) to restrict use of PSDs.
  5. Actively monitor the use of PSDs for compliance with policies.

A relevant item to note following the launch of Windows 7 is the new BitLocker To Go extension for encrypting USB drives. For Windows users this would surely be a key policy to introduce.

In any case, technical measures, as always, will only be part of the picture. In matters of privacy protection, data loss and DRM, technical protections will only ever be playing catch-up. What overarches all of this – which the guidance note does not cover – is the observation from the UK’s 2008 Burton Report into the loss of Ministry of Defence data, that described a “Facebook generation” as having:

“a culture where the rapid and often uninhibited exchange of information is the norm… The younger generation of MoD staff are not inculcated with the same culture of protecting information as their counterparts from previous generations.”

Communicating the risks and liabilities (and documenting them in policies and contracts) is a step often overlooked.

Privacy for company director addresses

Posted on by
Reply

From October, the UK will be restricting access to the residential addresses of company directors on new registrations (and optionally for existing registrations).

At present – as in NZ – directors must disclose their residential addresses, although – unlike in NZ – a director may apply to have that information restricted on the grounds of possible attack. Soon, residential addresses will become “protected information” by default – only disclosable to credit reference agencies and certified authorities. There will also be an option to hide the residential address from even those authorities.

The change is apparently in response to increased privacy concerns and threats of violence against directors.

In New Zealand, the law requires that company directors disclose their residential address (e.g. section 215 of the Companies Act 1993 among other sections). There is no provision for withholding an address. Interestingly, our Companies Act also requires that founding shareholders provide a residential address (section 12(2)(c)), but not subsequent shareholders (section 87 only refers to “the latest known address” which, in the case of a person, could be a non-residential postal or even electronic address. Many companies I have dealt with and managed use a non-residential person-shareholder address).

It is probable that New Zealand will eventually go the way of the UK, although there has not been any call for it yet. Australia has a provision for suppressing directors’ residential addresses which would also be a possible model to adopt.

Is this a good idea? It depends on the purpose of showing a director’s residential address. Why do we really need to know that information? If the answer is to serve documents on a director, that can be easily achieved by allowing directors to be served:

  1. At an alternative “address for service” specified by the director (the new UK model); or
  2. At the company’s “address for service” which all companies must have anyway.

Provided we have one of the above options, the residential address isn’t really needed and should be able to be suppressed. This would be consistent with the UK and Australia, and also the approach under the Electoral Act 1993. The electoral roll is open for public inspection (though not electronically) and can be used to find a residential address, but with the ability for individuals to request suppression under section 115.

The Privacy Commissioner has guidelines suggesting a model similar to Australia’s, allowing suppression on request, although for some reason its report does not mention the Companies Act at all.

In the meantime, all company records including director addresses are open to full public inspection. Is there some other reason why it should stay? Openness and transparency are always good things, but if it is not necessary to disclose this personal information, should we?

Data loss & disclosure

Posted on by
Reply

Yet another survey, this time of New Zealand firms, confirms that data loss will be the number one most important issue in IT for the near future. As reported by Computerworld, “58% of Australian and New Zealand companies suffered a data loss or breach that affected business performance”.

Interestingly, the Australia/New Zealand rate is above the US and global rates. This is despite New Zealand having very few reported incidents, while reported incidents in the UK and US seem to have reached near-epidemic levels. As the article reports, maybe this is because they are kept out of the press.

It is true that other countries have (or are implementing) mandatory data loss notification laws. Locally, the idea has been proposed by the Privacy Commissioner, which says there is a “good case” for such a law. However, this could be many years away. The issue is not currently on the Law Commission’s project list, which would probably be the first step to introducing such a law, and it is fair to say the Government has more important things to worry about at present.

It is inevitable, however, that we will implement such a law, and when we do we are likely to look to the UK as a model. The UK and EU have been particularly active in the area of data protection (for good reason). Last year, the UK passed a “reckless data loss law“, allowing their Data Protection Commissioner to impose fines on people or companies who:

“knew or ought to have known that there was a risk that [data loss] would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the [data loss].”

This could even extend to personal liablity for a reckless sysadmin. Whether or not this is a good idea remains to be seen, as the law has been passed but is not yet in force. And unfortunately for victims, the UK Government gets to pocket the fine.

In the meantime, in this country the Privacy Commission should be the first stop for personal data loss issues. Beyond that, it is very much a matter of being careful with who you entrust your personal information to – bearing in mind that whoever you give it to will almost certainly involve third party contractor access at some level.

Don’t expect privacy in cyberspace

Posted on by
Reply

A recent US case is a timely reminder that when you post information to a public website, you are likely to lost any expectation of privacy regarding the contents of the information. The principles of the case are broadly equivalent to the situation in New Zealand. But it also serves a wider warning that when you entrust your information to another person (or company), you may be parting with any real control you have over that information.

Continue reading