Anyone using Wi-Fi needs to ensure they have appropriate security measures in place. People should not underestimate the risk that information they broadcast might be accessed by others, either inadvertently or for more sinister purposes.

The police (who, by the way, are busy using Google as a crime-fighting tool) have “referred the matter back to the Privacy Commissioner”, who will probably issue a statement rapping Google over the knuckles (again), and sensibly that will be the end of it. Google has faced a barrage of criticism for its actions and is unlikely to attempt a similar exercise in this country any time soon. But there is nothing stopping other, less PR-concerned outfits from doing so – a clear precedent (in prosecutorial practice if not in law) has now been set. And this is likely to cause issues in the future.

As the Law Commission’s recent report highlighted, there are a number of gaps and grey areas in New Zealand’s privacy and “surveillance” laws. Sooner or later these issues will need to be dealt with, but we are not alone in this regard. New Zealand is probably better off adopting a “wait and see” approach and following a principled approach to privacy based on international (particularly EU and US) standards.

Meanwhile, though, other countries are keeping the pressure on Google with Spain recently launching its own criminal investigation into the WiFi incident.

The Independent has an update on YPG’s legal battles to uphold the copyright in its Yellow Pages listings (see my post earlier this year). The outcome of the latest Court proceedings – expected very soon – could be of interest to all database or “compilation” rightsholders.

One such group may be New Zealand television networks seeking to restrict use of their TV listings by third parties. In Australia, this was the subject of the landmark IceTV case – which confirmed there is no copyright in basic, factual TV listings. Recently, Sky Television’s lawyers sent out cease-and-desist letters to people who had written programs allowing its listings to be “screen-scraped”, on the flimsy grounds that such actions breached its copyright in those listings (assuming such copyright even exists).

Google Street View WiFi drama

Errata Security has a good technical explanation of Google’s WiFi sniffing controversy, which is the subject of a preliminary criminal investigation in New Zealand (see my post here). From the post:

Although some people are suspicious of their explanation, Google is almost certainly telling the truth when it claims it was an accident. The technology for WiFi scanning means it’s easy to inadvertently capture too much information, and be unaware of it… It’s really easy to protect your data: simply turn on WPA. This completely stops Google (or anybody else) from spying on your private data (assuming you haven’t done something stupid like chosen an easily guessed password, or chosen WEP instead of WPA). If you don’t encrypt your traffic, then by implication, you don’t care if people eavesdrop on it.

Meanwhile, details are emerging that the captured data included passwords and emails. This is hardly surprising given that a huge amount of computer activity involves these two things, and it doesn’t change the “case” against Google. As I wrote earlier, intention is a key issue, as is whether the captured data is “reconstructed into a communication that indicates confidentiality” and made use of.

Luke Appleby gave his take on the Google WiFi drama here. While my post looked at the criminal acts, Luke rightly points out that Google could also have run foul of s 133A of the Radiocommunications Act 1989. That is certainly worth a look by the Privacy Commissioner (not the police; and there is still a need for intention which has yet to be established), although substantive privacy issues should be the focus of any investigation, if warranted – a case which has yet to be made.

Copyright Amendment Bill submissions

Internet NZ has published its submission on the Copyright Amendment Bill. It includes a great detailed analysis by lawyer Rick Shera. While I have different views on some aspects, I support a good many parts of the submission. Paragraphs 86 and 87 of Rick’s analysis in particular raise key questions that need to be addressed by the Committee.

The submission also emphasises the range of business and government activities reliant on internet access. This is a point I submitted on earlier, and it will be interesting to see if other business sectors pick up on this. For example, do banks and online shops really want their customers to be disconnected for transgressions against another industry group? I’m sure the recording industry would not want their online customers disconnected because one of their kids is caught shoplifting at the local dairy.

Aussie net filter to be back-burnered

The Australian government’s daft plan to impose mandatory internet filtering, which only recently was being pushed ahead, is now likely to be shelved until after the election.

But let’s do a quick judge-and-jury exercise. Two relevant laws are sections 252 and 216B of the Crimes Act 1961.

Section 252, which is often misunderstood and is broader than many people may think, prohibits unauthorised access to computer systems. However, based on the reported information, Google’s collection of WiFi data did not involve any kind of “access”, and prosecution under this section is unlikely.

Section 216B prohibits “intentionally [intercepting] any private communication by means of an interception device”. This crime appears most likely to be the subject for any investigation. The key definition of this section is “private communication”, defined in s 216A (which the Law Commission rightly described as “not straightforward” – NZLC IP14, 10.47):

private communication:

(a) means a communication (whether in oral or written form or otherwise) made under circumstances that may reasonably be taken to indicate that any party to the communication desires it to be confined to the parties to the communication; but

(b) does not include such a communication occurring in circumstances in which any party* ought reasonably to expect that the communication may be intercepted by some other person not having the express or implied consent of any party to do so.

It seems clear that Google’s activities amounted to “interception” by an “interception device”. Indeed, any cellphone, laptop computer, or even a tape recorder could be used for such activities and meet the Crimes Act definitions. But are WiFi transmissions “private communications”, as required under s 216B?

Let’s look at some known (or presumed) facts:

1. All of the data was collected from public locations, specifically from public roads.
2. The data was being actively transmitted into those public locations.
3. The data collected was unencrypted (if it turns out encrypted data was collected, things might change).

These facts seem to exclude Google’s activities from part (a) of the definition. How was there any indication that “any party to the communication [i.e. the collected WiFi packets] desires it to be confined” when the WiFi data was being broadcast, in unencrypted form, to the public? And how would Google or anyone else be expected to know that? The question whether the users to whom the data belonged knew it was being publicly broadcast is not the issue. The issue is that a publicly broadcast, unencrypted WiFi communication does not (in this juror’s opinion) give a “reasonable indication” that the person making it “desires it to be confined”. If anything, it conveys the opposite.

Of course, if the collected data is able to be reconstructed into a communication that indicates confidentiality, that could raise further questions. However, that is not known, and may well be beyond the intended working of s 216B.

Part (b) of the definition provides another hurdle, although as the Law Commission has noted, it is problematic. It excludes communications that a party “ought reasonably to expect” may be intercepted. Cribbing from the Law Commission’s recent report “Invasions of Privacy: Penalties and Remedies” stage 3:

In Moreton v Police, William Young J noted that while public awareness has developed over time that cellphone communications are not particularly secure, this does not automatically give rise to an expectation that any particular call will be intercepted. While the method of communication used and public awareness of its security levels may not be determinative on their own, they will nevertheless be relevant to whether at least one of the parties has indicated a desire that the communication be confined to the parties, and to whether there is a reasonable expectation (by both parties) that the communication may be intercepted. …

We anticipate that the main areas of enquiry by the courts will be whether the actions of the parties disqualify their communication from being a private one, and whether any particular method of communication disqualifies a communication from being a private one. By “the actions of the parties”, we mean their conduct of the communication itself; for example, whether they are talking in a private room where they expect no one else can hear them, or talking loudly in a public place.

Judge David Harvey has said that listening in to a conversation on CB radio, or using a police scanner, would not be offences because no-one could reasonably expect the communications to be confined.

Putting aside multi-party complexities for now, this reasoning is applicable to WiFi communications. Today, isn’t using unencrypted WiFi like talking loudly in a public place, or using CB radio? Is the “openness” of unencrypted WiFi well known enough to remove an expectation of privacy? Time will tell, but to some extent the Google situation has shown that could well be the case (not that a person is able to benefit from their own wrong, of course).

Another question is whether WiFi data actually constitutes a “communication” within the definition of s 216A. The comments noted above, and the definition, assume a communication between two or more parties using similar technologies, akin to a conversation. It may be arguable that random WiFi packets collected on a drive-by do not constitute a “communication” capable of falling within the definition of s 216A.

“Intention” is another fundamental requirement (both in the definition and for criminal offences). Did Google intentionally intercept the communications? Intention must of course be proved, and this may not be as straight forward as it appears, with Google now blaming a “rogue engineer” for the data collection.

Based on the information to hand, this jury returns a verdict of not guilty, but with a recommendation of a good public flogging nevertheless (ably led by the Privacy Commissioner), to last until Facebook returns to being Privacy Enemy #1.

The debacle could prove timely, given the Law Commission’s recent review of such issues and the possible law changes that may result. But for now, let’s hope the police do not waste valuable resources on what would simply be a pointless witch-hunt.

The NZ Herald reports:

An Auckland student has incurred the wrath of computer giant Microsoft after selling unlicensed versions of its products through online auctioneers Trade Me. Shaahil Ali of Papatoetoe was ordered by the Manukau District Court to pay the US-based multinational $22,176 [plus costs] after he admitted copying its programs, then selling them on.

Ali sold 21 pirated copies of Microsoft Office 2007, netting $6,400. That works out at about $304 per copy – $105 more than buying the Home version from Dick Smith (though he may have been selling a Pro version). The fact that an unsophisticated operation such as Ali’s was able to net several thousand dollars for essentially no outlay highlights the challenge of fighting piracy. It also provides a reminder that not all piracy is simply about losses to rights-holders, but also unjust / illegal enrichment of the infringers.

That said, New Zealand is not too bad in the piracy stakes. A new study by the Business Software Alliance shows New Zealand has the 4th lowest rate of software piracy world-wide. However, the Dominion Post reports that this low piracy rate has not been “rewarded” with lower prices for consumers.

More pay for play

Aussie gyms have been hit with a 1500% rise in music royalty charges, following a decision of the Australian Copyright Tribunal enabling the hike. This could have implications in New Zealand, with a fees revamp expected later this year. Which would seem likely, as the New Zealand organisation administering licensing fees – Phonographic Performances New Zealand – shares many of the same members as its Australian counterpart.

Privacy in a nutshell

Wellington barrister Stephen Price has won the Sir Geoffrey Palmer chocolate fish prize for best definition of “privacy”:

Privacy is what people believe they have lost when they complain about their privacy being infringed.

A good example of which is provided here:

A magazine did not intrude into a young woman’s privacy when it published photos that she had uploaded to social networking site Bebo when she was 15 because the images had already been widely circulated online… “The magazine had not taken the material from the complainant’s Bebo site; rather it had published a piece commenting on something that had widespread circulation online (having been taken from the Bebo page sometime ago by others) and was easily accessed by Google searches,” said the PCC’s ruling.

Last year, the Privacy Commissioner released  a guidance note on PSDs. Now, the Privacy Commissioner has provided an update:

Government agencies have generally improved security around ‘portable storage devices’ (PSDs) such as USB memory sticks – but there are still some key agencies that have less than desirable controls

This is based on a survey released this week (PDF, 4 MB) showing that two-thirds of government agencies have “adequate controls” compared to half last year. That there has been improvement is good, but it does raise the question: what are the other third doing? Controls on PSDs are common sense for government agencies, and not massively difficult to implement. There can be no excuse for not having 100% of agencies with measures in place next year.

The report did not cover data loss disclosure – which the Privacy Commissioner had raised last year – but it did note:

In almost all occasions, agencies became aware of the loss or theft of a PSD through staff notification.

However, at yesterday’s Privacy Forum in Wellington Sir Geoffrey Palmer confirmed mandatory data loss disclosure was on the Law Commission’s reform radar. From his speech:

Another subject on which we are contemplating some changes is data breach notification. We have examined closely the merits of introducing a mandatory data breach notification requirement into the Privacy Act. Currently holders of personal information, both public and private sector agencies, are under no legal obligation to notify individuals or the Privacy Commissioner when an individual’s personal information is compromised – if, for example, it is lost or obtained by computer hackers. … This means that agencies are not required to notify individuals whose personal information has been compromised, no matter how sensitive the information and no matter how serious the risk of harm that could be suffered as a result.

This is clearly an unsatisfactory state of affairs. Data disclosure rules are a common feature in the European Union, and the United States (which is sometimes wrongly criticised as having lax rules). The rules apply not only to the public sector, but private companies too. The Law Commission is taking submissions on this subject as part of its ongoing review process.

• 35% of respondents are more concerned about individual privacy than 2 years ago.
• At the same time, “trust ratings” for most organisations holding personal data have increased since 2 years ago.
• 78% of under-30s use social networking sites.
• Approximately 57% of those users (estimated) believe social networking sites are “mainly private” places for sharing information.
• 54% of respondents were concerned about what social networking uses their personal information for.

One plausible interpretation is that at the same time we are becoming more aware and concerned about privacy issues, we are also becoming more ready to disclose information. This view would be supported by comments to a follow-up article at the NZ Herald website, which reported:

Facebook users who did not think they could protect their privacy outnumbered those who thought they could by four to one – and only one of them thought it was a bad thing.

There are several seemingly conflicting trends within this data, which bears out the overarching (and not entirely new) 64-million dollar conundrum of online privacy: people are willing to trade privacy for functionality, so to what extent should governments intervene? Do we need saving from ourselves?

The survey strongly confirms that New Zealanders do care about privacy, and a recent US survey confirmed the same in that country. Increasing education and awareness of privacy issues are key steps to empowering individuals to make their own, informed decisions, and New Zealand’s Privacy Commissioner is very much at the forefront of that process. It is also helpful when Facebook privacy concerns becomes front page news on our major daily newspaper (and not on a slow news day either).

More local coverage of this issue:

• Media7’s program this week discussed privacy on the internet
• Social site use rising as privacy fears grow
• Facebook must evolve or wither, say analysts

Australian law professor Michael Fraser suggests that ISPs could render ACTA “superfluous” by entering into commercial agreements with content providers:

“The best approach to these issues… is to do a commercial deal and bring the ISPs into the value chain,” he said. “Rather than litigate [content providers] should include ISPs in the supply chain and ensure they get a fair part of the reward and allow access to content via the ISPs.”

The suggestion does not, of course, imply that ISPs could “contract out” of copyright law altogether. But if a commercially acceptable deal with major rights-holders could be reached, that could at least provide a “market” solution to the possible uncertainty and other concerns ACTA may cause for ISPs, rights-holders and users.

Parody rights in IP law

The studio behind Downfall film has applied to have numerous parodies of its movies removed from YouTube on the grounds of copyright infringement. The clips of the film used in the short YouTube videos are the copyright of the studio, but the question is whether the parodies are permitted under the fair use doctrine of US law.

Now, YouTube has helpfully given instructions for users whose clips have been the subject of an infringement claim by the studio.

On the local front, Luke Appleby notes that New Zealand still does not have a parody right under our copyright law. In essence, a review was announced in 2008, but has not progressed since.

Privacy attitudes

A study has been published in the US entitled “How Different are Young Adults from Older Adults When it Comes to Information Privacy Attitudes and Policies?”. From the report:

An important part of the picture, though, must surely be our finding that higher proportions of 18-24 year olds believe incorrectly that the law protects their privacy online and offline more than it actually does. This lack of knowledge in a tempting environment, rather than a cavalier lack of concern regarding privacy, may be an important reason large numbers of them engage with the digital world in a seemingly unconcerned manner.

From the conclusion:

… we found that in large proportions young adults do care about privacy. … Public policy agendas should therefore not start with the proposition that young adults do not care about privacy and thus do not need regulations and other safeguards. Rather, policy discussions should acknowledge that the current business environment along with other factors sometimes encourages young adults to release personal data in order to enjoy social inclusion even while in their most rational moments they may espouse more conservative norms.

The wider issue for all age groups, though, is that people seem quite happy to exchange privacy for functionality (or other benefits). To what extent should governments intervene?

InternetNZ, the New Zealand Computer Society and the New Zealand Open Source Society issued press releases yesterday in support of the ban on software patents:

• InternetNZ agrees – no to software patents
• ICT Profession Supports Removal of Software Patents
• NZ Open Source Society Congratulates Government on Patents Bill Stance

The Labour Party also issued a press release supporting the decision and Minister Simon Power’s earlier endorsement:

• Software exclusion will encourage Kiwi innovators
• Power to delete software patents

Meanwhile law firm Chapman Tripp issued a press release criticising the decision:

• Excluding Software Patents Will Stifle Innovation

Privacy Commissioner slams Google’s “experiment”

New Zealand’s Privacy Commissioner, Marie Shroff, has criticised Google Buzz as being a “commercial experimentation on New Zealanders and other internet users, involving the release of significant personal information”:

[Google's actions] violated the fundamental, globally accepted principle that people should be able to control the use of their personal information.

The comments follow Ms Shroff’s signing of a joint letter to Google, stating:

It is unacceptable to roll out a product that unilaterally renders personal information public, with the intention of repairing problems later as they arise. Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world.

These comments, including constructive requests that organisaions collects and process “only the minimum amount of personal information necessary” and create “privacy-protective default settings”, are admirable. Ms Shroff does a great job in standing up for New Zealanders’ privacy rights.

The difficulty, as I have written previously, is that people happily trade privacy for functionality. Millions of people willingly pour personal information into different websites every day. To what extent can Google be criticised for finding new, creative uses of information it has been willingly given, in accordance with terms agreed to by users? And to what extent is it necessary or right for governments to intervene?

Open standards in Government procurement

Earlier this year I commented that “the Government must properly mandate open standards and multi-vendor capable solutions for future state-sector IT procurement”.

European Union ministers have now called for “the introduction of open standards and interoperability in government procurement of IT”. This comes as part of an ongoing development of procurement frameworks.

The report states that some groups claim the proposal has been “so watered down due to intense lobbying by the proprietary software makers, to such an extent that the document will have no impact on the market”. Other industry groups have praised the proposals as “well balanced”.

New Zealand’s privacy commissioner, Marie Shroff,  has suggested that a United Nations treaty may be required to protect privacy.  She said:

“The reason for this is [a global regime] would bring legal certainty… We have to look at whether and how we can regulate to provide certainty for businesses and protections for individual citizens”

Legal certainty is a very good thing though as I said the other day, there is unlikely to be an “imposed” global regime, and Ms Shroff denied the proposal would be “some sort of a bureaucratic initiative to impose more regulation on business”. The continued development of international guidelines (also suggested by Ms Shroff), co-ordinated enforcement, and even UNCITRAL-type “model law” is more likely here (a TRIPS-like treaty could be a possibility). New Zealand’s “privacy principles” approach works well, and the Privacy Commissioner plays a good and efficient domestic role – could the New Zealand regime be a model template? Standards would also assist and reinforce the nascent “self-regulation” by the industry, such as the Digital Due Process Coalition launched recently.

New Zealand TV listings copyright row

Kiwiblog has commented on Sky TV’s recent attempts to prevent a software developer from distributing software that could be configured to copy its TV listing, claiming their listings are protected by copyright (more on this another day).

Net nuetrality setback

A US court has ruled that the Federal Communicationc Commission does not have the authority to stop an ISP prioritising traffic, meaning that the ISP can take steps such as choking file-sharing traffic. Some see this as a major setback for maintaining net nuetrality, while others are more sanguine. For the record, New Zealand does not have any internet nuetrality regulation.

Private data may only be passed on and used for commercial purposes with the consent of the persons involved.

The problem with her complaint (at least in the way it is framed) is that Facebook’s privacy policy, not unreasonably, allows just that. Or, if it doesn’t (or didn’t previously) then Facebook has the right to change its terms of use (see clause 13). Facebook has already received “the consent of the persons involved”, at least regarding personal information about Facebook users, and can get further consent if necessary simply by changing its terms of use. The Latin phrase is volenti non fit injuria: no injury is done to a person who consents. (Of course, it’s informed consent that matters.)

And that’s the issue. Even if Facebook, or another popular site, included privacy-busting rules from day one, what is the likelihood there would be any lasting reaction from users? Very few users actually read website terms anyway. And even if people are vaguely aware of privacy issues, that still does not stop people from signing up if there is some perceived value. If people are willing to trade privacy for value, should the state intervene? Or even the United Nations (as has been mentioned by New Zealand’s Privacy Commissioner)? Compulsory privacy principles and voluntary best-practice standards on personal data storage, such as the new ISO standards for health records, is one thing. Intervening in freedom of contract is quite another.

As I have written previously, people cannot post things to social networks and still expect privacy. Social networks and other website are very aware of the privacy issues, and the potential threat of regulation. The majority of a social networking site’s potential value lies in exploiting (in a commercial sense) the personal data that their armies of users happily supply every day. That is why it is in their own best interest to implement reasonably strong privacy policies without hamstringing their own motives, but of course listening to user pressure when necessary.

It would require a major co-ordinated global effort to impose uniform privacy regulation on social networks – which is why that will not happen. Instead, the social networks will, for the most part, stay one step ahead of well-meaning (and otherwise) crusading politicians, safe in the knowledge that their users will back them if it means a trade off between their very real enjoyment of social networks, and some intangible, hard-to-grasp privacy “benefit”.

It is somewhat ironic that the organisations being labeled (by some) as the worst abusers of privacy are quite possibly doing the most to define and shape the future of privacy law.