
ITP Techblog

Brought to you by IT Professionals NZ

Brislen on Tech

Paul Brislen, Editor. 07 September 2018, 3:55 pm

OMG not this again

Privacy is usually treated as a fundamental human right, but in New Zealand at least it's not part of the Bill of Rights.

There isn't a single mention of the word "privacy" in the bill.

Yet most people will tell you they have a right not to have neighbours take photos of them in their home, that they should be free from surveillance and should be allowed to get on with their lives without having to worry about being spied upon.

Of course, many New Zealanders will tell you they don't have anything to hide and so they don't care about our privacy laws. I like to ask them what their bank account number is to see if they flinch - they generally do - because privacy issues aren't about whether you've got something to hide at all. The issue is about consent.

Having a Facebook page doesn't mean you've given up the right to decide who gets to look at your information at all. You haven't sold away any right to say "now hang on a minute" and demand that an agency or dodgy neighbour or stranger in the street do the right thing by you in terms of your private life.

Fortunately we have the Privacy Act, which is nice and easy to understand (always a plus in legal circles) and which requires government departments in particular to make obvious what information they're storing, why they're storing it and how they collected it, and to give you access to that information so you can amend it should it be inaccurate.

I have an Official Information Act request in to one such government department at the moment - a request for information relating to whether data was gathered and how it was collected. The agency has failed to respond so I've complained to the Ombudsman's Office and they're currently investigating for me. If that doesn't work, it'll be the Privacy Commissioner as my next stop because government departments are accountable.

So too is any other organisation that collects data, and in this day and age there are a lot of them. They collect data you freely give (name and email address, for example), and they collect data you didn't know you were sharing ("to see what kind of Star Wars character you are, simply give this app access to your Facebook account - we promise not to post anything without your permission", failing entirely to say that you've just shared all your contacts, what you like to read, what you've liked and countless other snippets of valuable information), and they collect data you didn't know you'd generated (where you were standing when you sent that text message, what time of day you sent it, what type of device you used and so on).

Our Privacy Act is quite old and in need of more than a lick of paint - it needs major renovations, if only so we can hold those agencies that gather data to account when they fail to secure that data. It only takes one company to tell the world your IRD number, your mother's maiden name and your bank account details and your identity and credit rating are compromised for the rest of your days.

InternetNZ's James Ting-Edwards has written a nice piece (see below) about the need for an upgrade and the need for local politicians to understand why it's important. Feel free to tell your MP you'd like to see this progressed with due care and attention because it'll be a long time before we revisit this particular piece of legislation I'm sure.

And if you need to understand why we need robust privacy protection, check out the two Boing Boing articles on Facebook and the reach one company can build in the time since the last Privacy Act was passed into law.

The Spin Off - NZ's privacy law is covered in dust. We need a reboot for the internet age

Boing Boing - Young people finally fleeing Facebook, say researchers

Boing Boing - Find out who's manipulating you through Facebook political ads with ProPublica's free tool


OMG not this again II

You can always tell how desperate a government is to introduce things by how quickly they point the finger at terrorists and child pornographers.

Need new laws to stop people buying stuff in other currencies? Terrorists! Child pornographers!

Need to introduce new laws requiring networks to hand over information about customers? Terrorists! Child pornographers!

Want to terrify little old ladies in their homes about the evils of bitcoin? Terrorists! Child pornographers!

This time round it's the governments of the Five Eyes group (Australia, New Zealand, Canada, the UK and USA) who have once again started talking about how dangerous encryption is and how paedophiles use it to steal babies or something much like that.

It's a story they've trotted out before and is a cause to which they continue to rally, despite little evidence of a clear and present danger to life and limb.

Osama Bin Laden, it should be remembered, was tracked down not because he used text messages or Facebook but because he used human messengers and one of them dobbed him in.

Yet we're still told that encryption is bad and only used by terrorists and child pornographers.

The latest ministerial meeting of Five Eyes nations saw the group release a lovely statement calling on IT providers to "voluntarily establish lawful access solutions to their products and services" or face having these countries introduce legislation forcing them to break their own security standards.

Australia, it should be noted, has bought into this hook, line and sinker, and introduced legislation that will require service providers to allow Australian officials access to the content of messages should they want them. This isn't so much a back door into encryption-secured messaging services, but a front door. Give us the key, they say, or we'll force you to do so.

Cory Doctorow has a nice piece (link below) that outlines why this is such a stupid idea.

"Use deliberately compromised cryptography, that has a back door that only the "good guys" are supposed to have the keys to, and you have effectively no security. You might as well skywrite it as encrypt it with pre-broken, sabotaged encryption."

I use encryption-based software all the time. So do you, probably.

I use it for chatting with friends, but also to chat with business partners, clients and colleagues. I use it to conduct online banking transactions, something I want to be very secure, and I use it when I shop online and spend money. If I transact with my government I want that to be secure so when I ask for a passport they know it's me and not someone next door having a laugh. I use encryption when my computer talks to other computers on the internet and I use it when I make phone calls because unless you have a very good reason to be listening in (that is, get a warrant) you shouldn't be given access to the tools to breach my privacy.

Once again, none of this means I have anything to hide, but it does mean I don't want to broadcast my private conversations to the world at large. I am sent confidential information that I have a duty to look after, and I've signed many serious-looking documents that say I will do what I can to ensure the integrity of my clients' information.

How can I, or any of us, operate in a world where that is all secondary to the ongoing hunt for terrorists and child pornographers? And is the price we'll pay actually related to that and actually worth it?

TechBlog - Five Eyes calls on tech sector to 'do the right thing'

Boing Boing - Oh for f***'s sake, not this fucking bullsh*t again (cryptography edition)

New York Times - 'Five Eyes' Nations Quietly Demand Government Access to Encrypted Data

InternetNZ - InternetNZ is calling for debate on Five Eyes recommendations

Stuff - Prison boss fired for illegal spying

NZ Herald - Ministry staff misconduct claim as inquiry into government agencies' use of private investigators Thompson and Clark widened

Five Eyes


OMG not this again III

Speaking of governments doing stupid things (ED: Not another rant about the CTO role, surely?) here's the EU being stupendously stupid in a way that beggars belief.

Normally the EU is a bastion of calm and rational thought (ED: Not another rant about Brexit, surely?) and has managed quite well to navigate the waters of fast-moving tech despite being a cumbersome, slow moving, multi-headed bureaucracy.

Just look at the way the EU regulated telcos to introduce competition. Just look at the General Data Protection Regulation, which makes a lot of sense and is the gold standard for privacy discussions. Just look at the way they're not part of the Five Eyes consortium (Ed: That's probably enough about Brexit for one week).

But sadly, even the EU with its grey-suited mandarins from Belgium has managed to hang its hat in the hall of shame that is "hey, this thing is new and we don't understand it: let's regulate it!", which sums up technology in the early 21st century.

The EU wants to break the internet as we know it in the name of saving copyright.

The EU has been mulling over an update to the EU Copyright Directive (which is a bit old and dusty since it was written 17 years ago) and all was going along quite normally until earlier this year when Article 11 and Article 13 (two components of the regulation long since rejected for being unworkable) were reintroduced.

Next week the EU will vote on whether to introduce the new Directive with both articles in place.

Article 11 is the so-called "link tax" which says online services are banned from allowing anyone on their site (think Facebook or Twitter or pretty much any blog or presumably email) to link to a news service story unless they get a licence to do so.

The article does not define what a news service is, or indeed what a link is, so expect a lot of legal battles over whether or not My Dodgy Blog is news or just the meanderings of a madman accidentally protected under the new law.

Article 13 requires anyone who posts video, audio or indeed anything that can be copyrighted to send these posts to a copyright authentication unit (!) before publication. The unit (basically an algorithm because they Know Everything) will decide whether or not your content breaches someone's copyright and act accordingly.

"This post has been APPROVED by the copyright machine."

Given the US legal industry's love of filing legal challenges to tie up competitors in court, and the reluctance of YouTube, Facebook, Google, Twitter and all the other US companies to actually think about these things (if they receive a takedown notice they usually just remove content even if you happen to own the copyright to the thing you put online) you can easily see where this will all lead.

Now think about how Wikipedia will look if either of these Articles is introduced. How would a not-for-profit organisation survive when faced with a tax on every link ("you must buy a licence before you can link to my content") or having takedown notices served constantly about content that may or may not actually be posted illegally?

In case all this sounds eerily familiar, it should. Article 13 was rejected in July this year but has made a stunning return from the dead and is alive and kicking once more.

If you think this isn't a problem because New Zealand isn't in the EU and we don't abide by such laws anyway, just remember that the internet is a global beast, but two main factions (the EU and the US) are home to much of the content we consume, and if the EU changes its laws the rest of the world is likely to introduce similar laws to maintain an even playing field.

And that playing field will be laid over the top of what remains of the internet of old. RIP.

EFF - Why the Whole World Should Be Up in Arms About the EU's Looming Internet Catastrophe

EFF - 70+ Internet Luminaries Ring the Alarm on EU Copyright Filtering Proposal (June, 2018)

Boing Boing - Wikipedia's warning: EU copyright changes threaten the internet itself

Wired - The EU's dodgy Article 13 copyright directive has been rejected (July 2018)

CNet - Article 13: Europe's hotly debated revamp of copyright law, explained (July 2018)

