A small boost for NZ privacy – cloud questions remain

The recently-enacted Privacy (Cross-border Information) Amendment Act 2010 improves New Zealand’s privacy framework, but also highlights the challenges to privacy caused by the internet. The new law amends the Privacy Act 1993 in 2 main ways:

  • It strengthens cross-border privacy co-operation by providing for the referral (by the Privacy Commissioner) of complaints to overseas authorities; and
  • It establishes a “mechanism for controlling the transfer of information outside New Zealand where the information has been routed through New Zealand to circumvent the privacy laws of the country from where the information originated” – so, an anti-circumvention measure.

The cross-border co-operation provision is a small but good step. There are ongoing international privacy initiatives, such as the recent APEC Cross-border Privacy Enforcement Arrangement, and an essential aspect of any international arrangements is the ability for local authorities to interact with their foreign counterparts.

The anti-circumvention measure also assists in this regard, to prevent New Zealand being seen as a “privacy haven” – one that permits “data laundering”, if you will. As the Privacy Commissioner Marie Shroff says:

Ensuring that European business and regulators see New Zealand as a safe place for information processing is important for New Zealand’s reputation.

The anti-circumvention measure was added as Part 11A of the Privacy Act 1993. Section 114B(1) states:

The Commissioner may prohibit a transfer of personal information from New Zealand to another State if the Commissioner is satisfied, on reasonable grounds, that:

(a) the information has been, or will be, received in New Zealand from another State and is likely to be transferred to a third State where it will not be subject to a law providing comparable safeguards to this Act; and

(b) the transfer would be likely to lead to a contravention of the basic principles of national application set out in Part Two of the OECD Guidelines and set out in Schedule 5A.

This provision will be useful, for example, to help promote New Zealand data centres hosting data for overseas clients. New Zealand firms who do host or receive data from overseas (it does not apply to New Zealand-sourced data) should have processes in place for ensuring that the “transfer” of data out of New Zealand can be halted if required by the Privacy Commissioner issuing a transfer prohibition notice.

But in the age of cloud computing, are things that clear-cut? Often, the cloud (or the internet in general) makes it hard to know just where data is located. A New Zealand firm may receive data from overseas, and “host” that data in its facilities, but if the New Zealand provider itself uses cloud-based storage, what appears to be data being hosted in New Zealand may in fact be hosted overseas again. A key benefit of cloud computing is that providers can (in theory) transfer data anywhere in the cloud seamlessly. Data can be divided across multiple places at once, and be transferred without notice at about the speed of light. In these situations, who on earth will know what information is where? All of which makes the language of section 114B(1) – “if information has been, or will be, received in New Zealand from another State” – sound rather quaint, as if it were dealing with courier packages.

The challenges of privacy controls in the cloud-era are well known. Just how much regulation is ultimately attempted, necessary or desirable remains to be seen, bearing in mind that most users are willing to trade privacy for functionality.

Hacker convicted

A man has pleaded guilty in the Queenstown District Court to intentionally accessing a computer system at the hostel where he was staying:

Schiavini had used his computer to access the wireless network at the hostel, where he was staying, and gained further access to the internal reservation system. He managed to access his own reservation, and left a message there to let the lodge know he had gained access.

At first, it sounds innocent enough – especially as the article goes on to say:

He then approached management to tell them about the security breach in their system, and told them how to fix the flaw. When management had repaired the breach, they approached him to ask if he could gain access again. He tried, but was this time unsuccessful.

Now if that was all that had happened, receiving a criminal conviction would seem harsh. However, the hostel’s website gives some important additional detail not in the news report:

In summary, he broke into our encrypted wireless network, downloaded 80Gb of ‘data’, and a copy of our database for further study. He then decided to tell us assuming that by telling us all would be made good.

Which puts a somewhat different light on it. As the oft-cited analogy says, just because you see someone has left their house unlocked doesn’t mean you can enter and leave a note in their bedroom to notify the owner.

Sadly many judgments are still not online in New Zealand, so we can’t read the judgment. But the charge was likely to have been under s 252 of the Crimes Act:

Accessing computer system without authorisation
Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.

Note there is no white hat or good samaritan exemption to that law – and perhaps there should be…

As a side-issue, if (hypothetically) all the man had accessed was his own information, I wonder if his lawyer might have successfully defended the charge on the grounds that he was authorised under the Privacy Act, principle 6 of which states:

Where an agency holds personal information in such a way that it can readily be retrieved, the individual concerned shall be entitled … to have access to that information.

The hostel is an “agency” under the Act, and the booking information is likely to include personal information gathered from the man. It could just be enough to escape a conviction.

ISP filtering

The Department of Internal Affairs’ (DIA) internet filter has gone live. The system is aimed at blocking illegal images of children. While this is a voluntary scheme (unlike Australia’s scheme), the experience in the UK has been that there will be pressure on ISPs (including direct Ministerial threats) to join the “voluntary” scheme, lest they become a known haven for those seeking illegal content. Now, all UK ISPs subscribe to the Cleanfeed filter.

In New Zealand, any move to make the filter mandatory would require legislation. While many opponents of the filter would likely oppose legislation, it would at least have the effect of defining the parameters of the filter and its regulation. The legislation would need to comply with the Bill of Rights Act (unsatisfactory though that law may be), or be passed with a statement expressly acknowledging where it breaches that Act. This would clear up concerns (or at least bring them into the open) that the filter may one day start to gradually be used for other purposes, such as blocking breaches of name suppression. It would make the filtering accountable to Parliament and the Courts. Also, the enabling legislation does not need to make filtering mandatory – it could ensure that ISPs remain free to choose whether or not to sign up.

As long as the scheme remains voluntary and unregulated, though, no legislation is needed. While the objective is admirable (putting aside major questions over effectiveness), concerns include:

  • What information is being stored in the system, who has access to that information, and is it in compliance with the Privacy Act 1993?
  • What oversight is there on the content being filtered?
  • Is there a risk that the system could be extended to include material covered by name suppression orders?
  • Is pressure being brought to bear on ISPs to join the system?

For now, some ISPs have expressed strong concerns about the filter which, as long as it remains voluntary, makes it unlikely that full sign-up will be achieved in the short term.

Don’t expect privacy in cyberspace

A recent US case is a timely reminder that when you post information to a public website, you are likely to lose any expectation of privacy regarding the contents of the information. The principles of the case are broadly equivalent to the situation in New Zealand. But it also serves as a wider warning that when you entrust your information to another person (or company), you may be parting with any real control you have over that information.
