LawComm recommends data breach notification

The Law Commission has released its fourth and final report on privacy law. One of its key recommendations is data breach notification, or as the Commission puts it:

… notification should be mandatory in cases where notification will enable people to take steps to mitigate a risk of significant harm, or where the breach is a serious one (for example, because the information is particularly sensitive).

Notification should be made to the individual whose information has been compromised, and also to the Office of the Privacy Commissioner.

This would be a major – and welcome – change from the status quo, which is that agencies (e.g. companies holding personal information) are generally under no legal obligation (unless such obligation is assumed) to report data breaches. Sir Geoffrey Palmer commented on the situation last year:

Another subject on which we are contemplating some changes is data breach notification… Currently holders of personal information, both public and private sector agencies, are under no legal obligation to notify individuals or the Privacy Commissioner when an individual’s personal information is compromised – if, for example, it is lost or obtained by computer hackers. … This means that agencies are not required to notify individuals whose personal information has been compromised, no matter how sensitive the information and no matter how serious the risk of harm that could be suffered as a result.

(The Law Commission’s issues paper discussing data loss is here). The recommendation comes at the same time as the EU is grappling with imposing a uniform notification regime across member states.

A data breach notification regime, while imposing some compliance cost on organisations, is a necessary thing in today’s world.

Recently I had my own example of when such a regime might have been useful, when my bank informed me that I had “suspicious activity” on my credit card – a large transaction from Portugal. What was curious was that I had only had that card for a few months, and had not used it much at all (and not online at all). The card could have been physically copied somehow, but if one of the few merchants who I had used it with had lost the data via hacking, there is no obligation for them to advise me of the loss – nor any other information that may have been lost with it.

The example of credit cards was specifically mentioned by Law Commissioner Professor John Burrows in announcing the recommendation:

“People have a right to know if their information has been compromised in a serious way”, said Law Commissioner Professor John Burrows. “Then they can take measures to protect themselves (such as cancelling credit cards), or can at least prepare themselves for any consequences of the breach.”

It will be interesting to see how the details of such a regime are eventually formulated.

Sony’s privacy breach

Details are continuing to emerge about Sony’s massive security breach, which has resulted in personal information of up to 77 million users, including New Zealanders, being stolen. It is unclear how much of the data was encrypted, although Sony has said that credit card information was encrypted.

The first lawsuits are already flying, and Sony has lost as much as 5% of its share price:

Late on Wednesday, Rothken Law Firm filed a lawsuit on behalf of an individual plaintiff named Kristopher Johns against Sony in the Northern District of California court.

“This suit seeks to redress Sony’s failure to adequately provide service to PlayStation consoles and PlayStation Network,” the lawyers for the plaintiff said in a court filing.

The plaintiff has requested the court to certify this case as a class action and has also sought unspecified monetary damages, according to the filing.

What protection is offered to New Zealanders affected by the breach? New Zealand’s privacy protection stacks up relatively well, as Auckland University Senior Lecturer Gehan Gunasekara has noted. The recent EU Working Party report on New Zealand’s privacy regime is available here. As the report notes:

4) Security principle: The controller must adopt appropriate technical and organisational measures against the risks presented by the processing. Any person acting under the authority of the controller, including the person in charge of processing, must not process data except on instructions from the controller.

The Working Party considers that principle 5 (Storage and security of personal information) covers the aspects required for the security principle. This principle is based on the OECD security safeguards principle and the wording is similar to the wording of article 17(1) and (2) of the Directive in that security measures must protect against loss, access, use, modification, disclosure and misuse. Agencies must do everything reasonably within their power to prevent unauthorised access and disclosure where information is given to a processor.

The Privacy Commissioner has previously investigated data loss caused by insecure computer systems (though obviously not on the probably unprecedented scale of Sony’s recent data loss). The Commissioner cannot impose fines or damages, although a complainant (or the Commissioner) can refer the matter to the Human Rights Review Tribunal, which does have the ability to award damages for:

(a) pecuniary loss suffered as a result of, and expenses reasonably incurred by the aggrieved individual for the purpose of, the transaction or activity out of which the interference arose:

(b) loss of any benefit, whether or not of a monetary kind, which the aggrieved individual might reasonably have been expected to obtain but for the interference:

(c) humiliation, loss of dignity, and injury to the feelings of the aggrieved individual.

Remedies are also potentially available in negligence. However, such a claim is very unlikely to be brought in New Zealand, in large part because of the difficulties in bringing class actions of the kind available in the US. It is also likely that the relevant principles under the Privacy Act do not apply to information held overseas by Sony in this case. This is unfortunate, as it means that while US citizens are able to seek compensation from Sony, New Zealanders who have suffered the same inconvenience and harm have no practical remedy (whether under the Privacy Act 1993 or in tort, including negligence). Likewise, if Sony offers compensation to users whose data has been stolen, it may be able to avoid compensating New Zealand users without (direct) detriment.

It surely must be the case that, in future years, better and more accessible remedies will be available to New Zealand citizens who suffer loss of personal information as a result of egregious security lapses by agencies holding that information.

The privacy bargain

Stephen Bell of Computerworld recently outlined his views on the privacy bargain:

Another view, which I find more persuasive, is that when we make use of a service like Facebook, we enter a commercial bargain. Something very useful is provided to us free of charge and in exchange we cede something of our private selves to the providers, to be sold for whatever they can earn.

This is also my view, as I have written about here. Interestingly, Stephen got the view of the Privacy Commissioner:

I put this to Privacy Commissioner Marie Shroff. She suggests the bargain accepters are not as numerous as I believe, and in the wake of the Facebook and Google embarrassments, privacy champions are becoming a majority.

Yet what is happening is that companies such as Facebook and Google – who arguably stand to lose the most from pushing the privacy envelope a bridge too far – are themselves becoming the leading “privacy champions”, and shaping the future of privacy expectations and regulation at the same time. For example, Google has announced it will be undertaking biennial “independent privacy reviews to keep it on the straight and narrow”.

PR stunt? Window-dressing? Possibly, though assuming not then I think it is a very good idea. But the size and reach of Google means any practical changes will affect users around the world, and shift the goalposts of expectations and norms, years in advance of any regulation. And in the meantime, users will continue to flood to social networks and other systems – many of whom will never have known a world with any different processes or expectations of privacy.

How, then, might Government-imposed regulation be seen? Stephen sums it up very well:

There is a risk that the Privacy Commissioner and her staff might then be seen as the villains, keeping us from using new technology to smooth our businesses and lives because of their legalistic obsession with an abstract value.

The evidence to hand shows the privacy bargain has been well and truly accepted, for better or for worse. The challenge for any regulation is to be seen as adding value (for citizens) to these bargains, not getting in the way of willing parties.

Telecom database update

The Herald reports more details of the alleged privacy breach involving a Telecom database:

The scale of a Telecom security breach is becoming apparent with hundreds of thousands of customers at risk of having had their personal details searched.

Sales staff working for commercial rival Slingshot have told the Herald on Sunday they would use Telecom’s Wireline database more than a thousand times on some days.

The Privacy Commissioner’s office has also announced an investigation:

“At this early stage we understand from Telecom that the security breach related to the login details for one Telecom dealer and that login has since been deactivated,” said Ms Evans.

“We will need to investigate further to find out how this happened and whether Telecom needs to make any improvements to its data security practices to adequately protect customer information.”

A key question is how one login can be used, sometimes more than a thousand times a day over a multi-year period, without being detected?

A criminal investigation is also likely. Possible charges for improperly accessing a database include:

For criminal charges to stick, there must be the necessary criminal intent. A staff member who was told to use a database, and innocently did so with no idea that their access was not authorised, cannot be liable. Knowledge of improper access, or “reckless disregard”, is key.

The Privacy Commissioner’s office has also warned against the use of confidentiality agreements as “window dressing” for proper privacy protection. A confidentiality agreement cannot absolve third-party liability, but most of them do contain indemnity clauses, which can allow full (or nearly full) recovery of all losses and costs arising from a breach in appropriate circumstances.

Telecom database access privacy concerns

NZPA reports:

A marketing company working for Telecom’s rival, Slingshot, has been accused of accessing the telco’s Wireline database, which contains personal customer information.

Telecom Retail CEO Alan Gourdie said the telco was investigating the accusation of potentially fraudulent activity, detailed in today’s Herald on Sunday.

“If our investigation confirms unauthorised access we will pursue all appropriate action.”

Access to Telecom Retail’s Wireline information requires passwords and pin numbers and should only be accessed by authorised personnel, he said.

While the initial investigation will be on the marketing company’s conduct (and perhaps into possible criminal conduct on the part of several parties), questions must also be asked of Telecom – which Privacy Commissioner Marie Shroff has said she will do.

Regardless of whether a security breach has occurred, and even if any breach was the result of the marketing company acting unlawfully (neither fact is yet established), Telecom (like any other “agency” making data available to third parties) is obliged to take reasonable measures to safeguard personal information. This is not limited to preventing unauthorised disclosure, but includes preventing unauthorised access and use. It can also extend to ensuring that systems are properly designed to protect personal information.

The reports do not say how long the alleged improper access went on, but do report that it was “common practice” by multiple staff (now former staff), which suggests a long time frame. The reports indicate that the access was via a single login (now deactivated) belonging to a legitimate user. Questions include:

  • Were user logins (and failed logins) recorded?
  • If so, were they ever audited and how?
  • And if so, why was the improper use not detected?
  • Did the database allow multiple simultaneous logins, and if so was this intended / appropriate?
  • What password expiry regime (if any) was used for this database?
  • What restrictions (if any) were placed on legitimate users to prevent them from disclosing login information?
  • Were there any user warnings / confirmation processes as to appropriate use built into the database?
  • Was only the minimum amount of personal information necessary made available in Wireline in the first place?
  • Are there any other logins for this database, and other Telecom databases, showing unusual activity, which have not been adequately investigated?
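As an added illustration (not part of the original post, and not based on any knowledge of how the Wireline system or its logs actually work), the following Python script shows the kind of routine check that would have answered the first three questions above: it parses constructed access-log lines, counts lookups per login per day, flags any login used from more than one network address within a short window, and tallies failed logins. The log format, thresholds, addresses and login names are all assumptions made for the demonstration.

```python
"""Spot anomalous use of a shared lookup login in access-log lines.

Added example. The log line format ("<ISO timestamp> <login> <source IP>
<action>"), the thresholds and the login names are all assumptions made
for the demonstration, not details of any real system.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one dealer login hammered from two addresses
# within seconds, one ordinary login, and a failed login the next day.
SAMPLE_LOG = """\
2010-03-01T09:00:01 dealer42 203.0.113.10 lookup
2010-03-01T09:00:12 dealer42 203.0.113.10 lookup
2010-03-01T09:00:25 dealer42 198.51.100.7 lookup
2010-03-01T09:00:40 dealer42 198.51.100.7 lookup
2010-03-01T09:01:03 dealer42 203.0.113.10 lookup
2010-03-01T09:01:30 dealer42 198.51.100.7 lookup
2010-03-01T10:15:00 dealer07 192.0.2.44 lookup
2010-03-01T14:02:11 dealer07 192.0.2.44 lookup
2010-03-02T08:30:00 dealer42 203.0.113.10 lookup
2010-03-02T08:30:09 dealer42 203.0.113.10 lookup
2010-03-02T08:31:00 dealer42 198.51.100.7 login_failed
"""

MAX_LOOKUPS_PER_DAY = 5                     # assumed; set from a real per-dealer baseline
CONCURRENCY_WINDOW = timedelta(minutes=10)  # assumed; how close two addresses must be


def parse(text):
    """Turn log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, login, ip, action = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "login": login,
                        "ip": ip, "action": action})
    return records


def lookups_per_day(records):
    """Count successful lookups keyed by (login, ISO date)."""
    counts = Counter()
    for r in records:
        if r["action"] == "lookup":
            counts[(r["login"], r["ts"].date().isoformat())] += 1
    return counts


def shared_logins(records, window=CONCURRENCY_WINDOW):
    """Logins seen from more than one source address within `window`.

    Returns {login: sorted list of addresses} for the first such cluster.
    A login that really is one person's should rarely trip this.
    """
    by_login = defaultdict(list)
    for r in records:
        by_login[r["login"]].append((r["ts"], r["ip"]))
    flagged = {}
    for login, events in by_login.items():
        events.sort()
        for i, (t0, ip0) in enumerate(events):
            others = {ip for t, ip in events[i:] if t - t0 <= window and ip != ip0}
            if others:
                flagged[login] = sorted(others | {ip0})
                break
    return flagged


def failed_logins(records):
    """Count failed logins keyed by (login, source IP)."""
    return Counter((r["login"], r["ip"]) for r in records
                   if r["action"] == "login_failed")


def audit(records, max_per_day=MAX_LOOKUPS_PER_DAY):
    """Assemble the three checks into one report."""
    volume = {k: v for k, v in lookups_per_day(records).items() if v > max_per_day}
    return {"volume": volume,
            "shared": shared_logins(records),
            "failed": failed_logins(records)}


if __name__ == "__main__":
    for section, findings in audit(parse(SAMPLE_LOG)).items():
        print(section, dict(findings))
```

Run as-is, the report flags dealer42 on the first day for volume and for use from two addresses a few seconds apart, and records the failed login. The per-day threshold is deliberately tiny for the constructed data; in practice it would come from each dealer's own history, and the stronger signal is the concurrent use of one credential from two places, which no legitimate single user produces.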

Companies can and frequently do provide third-party access to their customer data. While proper contracts can ensure the commercial and legal aspects of these arrangements are appropriately documented, companies holding personal information must still be aware of their inherent obligations under the Privacy Act.

Website security privacy complaint

A recent case note issued by the Privacy Commissioner is a reminder that insecure website design is more than just a programming and credit card issue, but can result in potential privacy complaints. Credit card information was not involved in this particular incident – it was personal travel booking details instead:

A customer purchased travel related services from a company. The company sent him an email with a link to his booking details on its website. The customer noticed that the website URL link ended with his booking number. He observed that by changing the booking number, he could view booking details for other customers. He realised that other individuals would also be able to view his booking information.

The case note says that the travel company in question contacted its website design company, who fixed the problem very quickly.

Insecure URLs, or more specifically URLs that carry a guessable record number which the server then trusts without checking who is asking (often called an insecure direct object reference), are a prime cause of this type of disclosure. The fix is fundamental and somewhat trivial for competent web developers: either check on every request that the logged-in customer owns the booking being requested, or, for links sent by email where there is no login, use a long random token as the identifier instead of a sequential number. In this case, it sounds as if the travel company acted responsibly, and was probably not aware of the flaw, instead relying on its website designer to build a reasonably secure site. If the travel company did suffer loss as a result of poor (insecure) website design, it may be able to seek compensation from the designer; this will depend on the contract between the travel company and the website designer. The travel company could also limit its liability to customers with an appropriate disclaimer (which could take into account that the website was designed by another firm), although it is not possible to exclude all liability in this manner.
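To make the flaw concrete, here is an added Python example (not the travel company's code, and not drawn from the case note, which does not identify the software): a minimal booking lookup with the vulnerable pattern, the ownership check that fixes it, and the unguessable-token alternative for emailed links. The bookings, customer names and hostname are constructed for the demonstration.

```python
"""Booking lookup: the URL-parameter flaw and two fixes.

Added example with constructed data; not the travel company's code.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Booking:
    booking_id: int          # sequential number, the kind that ended up in the URL
    customer: str            # the logged-in account that owns the booking
    details: str
    # 256-bit random token for emailed links; cannot be found by incrementing
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class BookingSite:
    def __init__(self, bookings):
        self._by_id = {b.booking_id: b for b in bookings}
        self._by_token = {b.token: b for b in bookings}

    # VULNERABLE: /booking?id=1042 -- the server trusts the client-supplied
    # number and never asks who is making the request. Change 1042 to 1043
    # and you read someone else's booking.
    def view_vulnerable(self, booking_id):
        b = self._by_id.get(booking_id)
        return b.details if b else None

    # FIX 1: keep the id, but check that the requester owns the record.
    # "Missing" and "not yours" return the same answer so the id space
    # cannot be probed to learn which booking numbers exist.
    def view_checked(self, session_customer, booking_id):
        b = self._by_id.get(booking_id)
        if b is None or b.customer != session_customer:
            return None
        return b.details

    # FIX 2: for emailed links, where the reader may not be logged in, use
    # the random token as the identifier instead of the sequential number.
    def link_for(self, booking_id):
        return f"https://travel.example/booking/{self._by_id[booking_id].token}"

    def view_by_token(self, token):
        b = self._by_token.get(token)
        return b.details if b else None


def demo():
    """Exercise all three handlers against two constructed bookings."""
    site = BookingSite([Booking(1042, "alice", "AKL-SYD, 12 June"),
                        Booking(1043, "bob", "WLG-CHC, 14 June")])
    bob_token = site.link_for(1043).rsplit("/", 1)[1]
    return {
        "alice_reads_bob_vulnerable": site.view_vulnerable(1043),
        "alice_reads_bob_checked": site.view_checked("alice", 1043),
        "alice_reads_own_checked": site.view_checked("alice", 1042),
        "bob_link_works": site.view_by_token(bob_token),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The guessable number is not itself the problem; trusting it is. The ownership check is the primary control and should stay even where token links are used, because emails get forwarded and links end up in browser histories, so a token link should also be tied to the account or given an expiry rather than treated as a permanent password for the record.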

Another, often overlooked, way for firms to gain some protection from these types of incidents is technology liability insurance offered by some insurers – for example, Lumley Insurance’s Technology Liability Insurance.

Google cleared of privacy crime

In a victory for common sense, and as I predicted three months ago, the police have cleared Google of committing “privacy crime” during its recent WiFi snooping incident. Detective Senior Sergeant John van den Heuvel makes a good point when he says:

Anyone using Wi-Fi needs to ensure they have appropriate security measures in place. People should not underestimate the risk that information they broadcast might be accessed by others, either inadvertently or for more sinister purposes.

The police (who, by the way, are busy using Google as a crime-fighting tool) have “referred the matter back to the Privacy Commissioner”, who will probably issue a statement rapping Google over the knuckles (again), and sensibly that will be the end of it. Google has faced a barrage of criticism for its actions and is unlikely to attempt a similar exercise in this country any time soon. But there is nothing stopping other, less PR-concerned outfits from doing so – a clear precedent (in prosecutorial practice if not in law) has now been set. And this is likely to cause issues in the future.

As the Law Commission’s recent report highlighted, there are a number of gaps and grey areas in New Zealand’s privacy and “surveillance” laws. Sooner or later these issues will need to be dealt with, but we are not alone in this regard. New Zealand is probably better off adopting a “wait and see” approach and following a principled approach to privacy based on international (particularly EU and US) standards.

Meanwhile, though, other countries are keeping the pressure on Google with Spain recently launching its own criminal investigation into the WiFi incident.

Tech law update 21 June 2010

Copyright in compilations

The Independent has an update on YPG’s legal battles to uphold the copyright in its Yellow Pages listings (see my post earlier this year). The outcome of the latest Court proceedings – expected very soon – could be of interest to all database or “compilation” rightsholders.

One such group may be New Zealand television networks seeking to restrict use of their TV listings by third parties. In Australia, this was the subject of the landmark IceTV case – which confirmed there is no copyright in basic, factual TV listings. Recently, Sky Television’s lawyers sent out cease-and-desist letters to people who had written programs allowing its listings to be “screen-scraped”, on the flimsy grounds that such actions breached its copyright in those listings (assuming such copyright even exists).

Google Street View WiFi drama

Errata Security has a good technical explanation of Google’s WiFi sniffing controversy, which is the subject of a preliminary criminal investigation in New Zealand (see my post here). From the post:

Although some people are suspicious of their explanation, Google is almost certainly telling the truth when it claims it was an accident. The technology for WiFi scanning means it’s easy to inadvertently capture too much information, and be unaware of it… It’s really easy to protect your data: simply turn on WPA. This completely stops Google (or anybody else) from spying on your private data (assuming you haven’t done something stupid like chosen an easily guessed password, or chosen WEP instead of WPA). If you don’t encrypt your traffic, then by implication, you don’t care if people eavesdrop on it.

Meanwhile, details are emerging that the captured data included passwords and emails. This is hardly surprising given that a huge amount of computer activity involves these two things, and it doesn’t change the “case” against Google. As I wrote earlier, intention is a key issue, as is whether the captured data is “reconstructed into a communication that indicates confidentiality” and made use of.

Luke Appleby gave his take on the Google WiFi drama here. While my post looked at the criminal acts, Luke rightly points out that Google could also have run foul of s 133A of the Radiocommunications Act 1989. That is certainly worth a look by the Privacy Commissioner (not the police; and there is still a need for intention which has yet to be established), although substantive privacy issues should be the focus of any investigation, if warranted – a case which has yet to be made.

Copyright Amendment Bill submissions

Internet NZ has published its submission on the Copyright Amendment Bill. It includes a great detailed analysis by lawyer Rick Shera. While I have different views on some aspects, I support a good many parts of the submission. Paragraphs 86 and 87 of Rick’s analysis in particular raise key questions that need to be addressed by the Committee.

The submission also emphasises the range of business and government activities reliant on internet access. This is a point I submitted on earlier, and it will be interesting to see if other business sectors pick up on this. For example, do banks and online shops really want their customers to be disconnected for transgressions against another industry group? I’m sure the recording industry would not want their online customers disconnected because one of their kids is caught shoplifting at the local dairy.

Aussie net filter to be back-burnered

The Australian government’s daft plan to impose mandatory internet filtering, which only recently was being pushed ahead, is now likely to be shelved until after the election.

Google not guilty of privacy crime, your honour

The New Zealand Privacy Commissioner’s office has reportedly met with police to discuss a possible criminal investigation into Google’s controversial WiFi data collection. A civil investigation sure, but a criminal one? Really? I hope the police have rather more pressing matters.

But let’s do a quick judge-and-jury exercise. Two relevant laws are sections 252 and 216B of the Crimes Act 1961.

Section 252, which is often misunderstood and is broader than many people may think, prohibits unauthorised access to computer systems. However, based on the reported information, Google’s collection of WiFi data did not involve any kind of “access”, and prosecution under this section is unlikely.

Section 216B prohibits “intentionally [intercepting] any private communication by means of an interception device”. This crime appears most likely to be the subject for any investigation. The key definition of this section is “private communication”, defined in s 216A (which the Law Commission rightly described as “not straightforward” – NZLC IP14, 10.47):

private communication:

(a) means a communication (whether in oral or written form or otherwise) made under circumstances that may reasonably be taken to indicate that any party to the communication desires it to be confined to the parties to the communication; but

(b) does not include such a communication occurring in circumstances in which any party* ought reasonably to expect that the communication may be intercepted by some other person not having the express or implied consent of any party to do so.

It seems clear that Google’s activities amounted to “interception” by an “interception device”. Indeed, any cellphone, laptop computer, or even a tape recorder could be used for such activities and meet the Crimes Act definitions. But are WiFi transmissions “private communications”, as required under s 216B?

Let’s look at some known (or presumed) facts:

  1. All of the data was collected from public locations, specifically from public roads.
  2. The data was being actively transmitted into those public locations.
  3. The data collected was unencrypted (if it turns out encrypted data was collected, things might change).

These facts seem to exclude Google’s activities from part (a) of the definition. How was there any indication that “any party to the communication [i.e. the collected WiFi packets] desires it to be confined” when the WiFi data was being broadcast, in unencrypted form, to the public? And how would Google or anyone else be expected to know that? The question whether the users to whom the data belonged knew it was being publicly broadcast is not the issue. The issue is that a publicly broadcast, unencrypted WiFi communication does not (in this juror’s opinion) give a “reasonable indication” that the person making it “desires it to be confined”. If anything, it conveys the opposite.

Of course, if the collected data is able to be reconstructed into a communication that indicates confidentiality, that could raise further questions. However, that is not known, and may well be beyond the intended working of s 216B.

Part (b) of the definition provides another hurdle, although as the Law Commission has noted, it is problematic. It excludes communications that a party “ought reasonably to expect” may be intercepted. Cribbing from the Law Commission’s recent report “Invasions of Privacy: Penalties and Remedies” stage 3:

In Moreton v Police, William Young J noted that while public awareness has developed over time that cellphone communications are not particularly secure, this does not automatically give rise to an expectation that any particular call will be intercepted. While the method of communication used and public awareness of its security levels may not be determinative on their own, they will nevertheless be relevant to whether at least one of the parties has indicated a desire that the communication be confined to the parties, and to whether there is a reasonable expectation (by both parties) that the communication may be intercepted. …

We anticipate that the main areas of enquiry by the courts will be whether the actions of the parties disqualify their communication from being a private one, and whether any particular method of communication disqualifies a communication from being a private one. By “the actions of the parties”, we mean their conduct of the communication itself; for example, whether they are talking in a private room where they expect no one else can hear them, or talking loudly in a public place.

Judge David Harvey has said that listening in to a conversation on CB radio, or using a police scanner, would not be offences because no-one could reasonably expect the communications to be confined.

Putting aside multi-party complexities for now, this reasoning is applicable to WiFi communications. Today, isn’t using unencrypted WiFi like talking loudly in a public place, or using CB radio? Is the “openness” of unencrypted WiFi well known enough to remove an expectation of privacy? Time will tell, but to some extent the Google situation has shown that could well be the case (not that a person is able to benefit from their own wrong, of course).

Another question is whether WiFi data actually constitutes a “communication” within the definition of s 216A. The comments noted above, and the definition, assume a communication between two or more parties using similar technologies, akin to a conversation. It may be arguable that random WiFi packets collected on a drive-by do not constitute a “communication” capable of falling within the definition of s 216A.

“Intention” is another fundamental requirement (both in the definition and for criminal offences). Did Google intentionally intercept the communications? Intention must of course be proved, and this may not be as straightforward as it appears, with Google now blaming a “rogue engineer” for the data collection.

Based on the information to hand, this jury returns a verdict of not guilty, but with a recommendation of a good public flogging nevertheless (ably led by the Privacy Commissioner), to last until Facebook returns to being Privacy Enemy #1.

The debacle could prove timely, given the Law Commission’s recent review of such issues and the possible law changes that may result. But for now, let’s hope the police do not waste valuable resources on what would simply be a pointless witch-hunt.

Tech law update 19 May 2010

Trade Me piracy prosecution

The NZ Herald reports:

An Auckland student has incurred the wrath of computer giant Microsoft after selling unlicensed versions of its products through online auctioneers Trade Me. Shaahil Ali of Papatoetoe was ordered by the Manukau District Court to pay the US-based multinational $22,176 [plus costs] after he admitted copying its programs, then selling them on.

Ali sold 21 pirated copies of Microsoft Office 2007, netting $6,400. That works out at about $304 per copy – $105 more than buying the Home version from Dick Smith (though he may have been selling a Pro version). The fact that an unsophisticated operation such as Ali’s was able to net several thousand dollars for essentially no outlay highlights the challenge of fighting piracy. It also provides a reminder that not all piracy is simply about losses to rights-holders, but also unjust / illegal enrichment of the infringers.

That said, New Zealand is not too bad in the piracy stakes. A new study by the Business Software Alliance shows New Zealand has the 4th lowest rate of software piracy world-wide. However, the Dominion Post reports that this low piracy rate has not been “rewarded” with lower prices for consumers.

More pay for play

Aussie gyms have been hit with a 1500% rise in music royalty charges, following a decision of the Australian Copyright Tribunal enabling the hike. This could have implications in New Zealand, with a fees revamp expected later this year. That seems likely, as the New Zealand organisation administering licensing fees – Phonographic Performances New Zealand – shares many of the same members as its Australian counterpart.

Privacy in a nutshell

Wellington barrister Stephen Price has won the Sir Geoffrey Palmer chocolate fish prize for best definition of “privacy”:

Privacy is what people believe they have lost when they complain about their privacy being infringed.

A good example of which is provided here:

A magazine did not intrude into a young woman’s privacy when it published photos that she had uploaded to social networking site Bebo when she was 15 because the images had already been widely circulated online… “The magazine had not taken the material from the complainant’s Bebo site; rather it had published a piece commenting on something that had widespread circulation online (having been taken from the Bebo page sometime ago by others) and was easily accessed by Google searches,” said the PCC’s ruling.