The future of Privacy
Marie Shroff has completed two five-year terms as Privacy Commissioner, and her successor is currently being sought. In the following TechBlog post she considers the future of privacy issues at home and abroad.
The New Zealand Privacy Act could be said to have started with a bit of a whimper and a round of raspberries from the media; privacy law is now turning into a big bang - even, I would suggest, the 21st century human right. All over the world as well as in NZ, privacy regulators are moving up several gears, acquiring new powers, the ability to enforce the law and curb bad behaviour and a new mandate from a worried public to be a watchdog with both bark and bite.
My prediction, and that of many others, is that we are only a small way up the curve of technology and information century changes; the power of the digital medium just keeps growing.
NZ is a small country but we can take advantage of this in an economic sense - there have been big successes in local IT, for example Trademe and Xero. We are often also a test market - Facebook first rolled out its new timeline feature in NZ and Google chose to showcase its Loon project in Canterbury; it is worth mentioning that the hacker who exposed security flaws in ATMs, pacemakers and other medical devices, Barnaby Jack, was a New Zealander. These are exciting times for IT professionals.
But generally as a small country, and as users, we are going to be "takers" or receivers of internationally developed products and technologies; all the more important then to be active partners in international initiatives to regulate this blooming, buzzing confusion of the digital age.
The changes to the Privacy Act will, we hope, soon mean some sharp edges being introduced into the law; e.g. compulsory privacy breach notification, the power for the Office of the Privacy Commissioner to audit and to require compliance (for example strengthening security safeguards, issuing take-down notices or ordering an agency to give access to information). We will continue to encourage the growing majority of willing compliers in the regulatory pyramid; but with increased power to use enforcement against the unwilling, or the genuine rogues.
Government agencies have had a real wakeup call from the high profile data breaches - and work is underway to respond to that and put government agencies in a position where they can put their hands on their hearts and claim to be responsible stewards of our information.
Internationally, we see that the chilling effect of 9/11 with its wave of fear and resultant strong security and surveillance legislation has receded and now we are seeing the tide run the other way. The massive data breaches at home and abroad and the revelations around PRISM and NSA will hopefully mean a more finely tuned approach to personal information and privacy.
At this point it is tempting to talk about a balance between privacy and security. I strongly believe this is a dangerous path to tread; what we need is a twin pillars approach. We need both security and privacy in our structures and systems; without either one of the twin pillars we will get a distorted and weakened building which will collapse at the first shake.
Sustained growth of privacy and security, and the principled defence of both, will produce a well-founded trust by people in government and business; this trust will then withstand the occasional passing tremor from, on the one hand, security scares, and on the other, privacy violations.
At a practical operational level, data management is now a reputational issue. It is part of every organisation's shop front and branding; it is part of day to day standards and risk management.
One of the prevailing attitudes over the past decade has been: "Done is better than perfect". But doing things at high speed can lead to lots of mistakes. The Facebook "move fast and break things" mantra informed a lot of web development over the past five years, and we're only seeing things mature now.
The game is about trust. Privacy is as important to people as it has ever been and perhaps more so because they are refusing to have their right to privacy taken for granted. People need to trust the digital environment and they won't do that unless they are sure that their personal information is being properly safeguarded. In New Zealand the high profile breaches, GCSB Bill, and the Andrea Vance/Peter Dunne issue have raised the game still further in many people's minds.
If we don't get it right, civil disobedience along the lines of Anonymous, Snowden and Assange will become increasingly common, with no real establishment response to allay citizen fears that the rebels have a real point. Ned Kelly was not all that bright because he forgot to protect his legs with his armour, and he was a thief and murderer to boot; but in spite of that he became a folk hero because he personified a spirit of freedom, and there were injustices and provocations that people identified with.
It's time to give serious attention to a bug bounty to be offered by government and big traditional businesses such as banks. Let's get the army of well-intentioned geeks on our side. If Facebook can do it, then so can our big institutions.
I believe the new ethics for business and government, and even social life, will be the ethics of good information control. It will be about people regaining control over their information and therefore their lives. It will be about individuals and organisations treating others' information with respect.
In the IT industry you have a particular responsibility to make sure people can keep control. I know some of you may feel this is an obstacle or even unimportant. But I know also that many of you, in that crucial decade we have just been through, have realised that information is power; that power is in your hands; and that the time has come to take responsibility and operate in a way which respects people's rights and their information.