Red Alert

Archive for the ‘privacy’ Category

The chilling effect of TICs

Posted by on October 14th, 2013

Update: The second reading of TICs is tomorrow. It seems likely the Govt will try to rush through the committee stages and third reading this week. If so, this is an extraordinary abuse of process, because there is almost no time to consider the impact of the Minister’s SOP and to undertake the debate that needs to be had. One of the worst things about this Bill is the refusal to have meaningful and respectful discussions with the businesses which will be most affected, or to acknowledge the impact on NZ consumers. Please help to fight this Bill’s passage.

Tell Amy Adams what you think by emailing her at: or You can contact her on twitter @amyadamsMP

Amy Adams tonight released last-minute amendments to the Telecommunications Interception Capability and Security Bill (TICs). The fact that she has introduced an SOP at such a late stage indicates she and her government are concerned that there are serious deficiencies with the Bill as it came back from the select committee.

However, her amendments are not substantive and appear to be window dressing. They reflect the hurried passage of this Bill, the lack of consultation with industry and the likely consequences on the privacy of Kiwi citizens and detrimental impact on NZ tech companies and their ability to innovate.

That she is introducing an SOP at all indicates that the National Govt majority on the committee did not, or would not, consider the implications of the Bill to NZ-based and internally-based tech companies.

In particular;
Amy Adams has now signalled there will be a more rigorous assessment of the costs and benefits, including the impact of the cost on the telecommunications company of requirements under the new law. In the Labour minority report we said: “Labour notes that subsequent submissions to the select committee by several network operators outlined potential significant annual operating costs and the potential capital expenditure costs. The committee did not seek advice on these supplementary submissions and the economic impact was therefore not taken into account. In our view this was negligent and irresponsible.”

The Govt’s majority select ctte refused to take account of the warnings raised by network operators of the impact on their business by this Bill. While she is now obviously acknowledging that there may well be an impact, Amy Adams needs to specify exactly what a “more rigorous assessment of costs and benefits” will involve and where the Bill will reflect that.

Labour stands by our conclusion in the Minority Report that:
There are many reasons to oppose this Bill. It is ill-thought out, rushed and the government has refused to take account of core concerns raised by submitters. There has been no case made for the expanded powers of the GCSB and of Ministers.

Below is Labour’s Minority Report following the report back from the select committee. (more…)

Are we all John Key’s playthings?

Posted by on July 2nd, 2013

Despite a consistent chorus from lawyers, civil rights organisations, telecommunications companies, and many others arguing that John Key’s new GCSB legislation (and the accompanying telecommunications interception bill) will increase the GCSB powers and sanction its role as a domestic spy agency, this is what the Prime Minister had to say in answer to a question from me last week in parliament:

Intelligence Agencies—Sharing of Information on New Zealanders

10. CLARE CURRAN (Labour—Dunedin South) to the Prime Minister: Does he stand by his statement of 11 June 2013 that “I can assure the House that we do not use our partners to circumvent New Zealand laws”?

Rt Hon JOHN KEY (Prime Minister): Yes.

Clare Curran: How can he justify his statement this week that his new laws will not expand the Government Communications Security Bureau’s powers when three telecommunications network companies, an international service provider, and the New Zealand Law Society all told a select committee today that these powers will be expanded and that they do not support this?

Rt Hon JOHN KEY: Because it is correct.

Clare Curran: How can he continue to deny the expansion of the Government Communications Security Bureau’s powers through his new legislation when the major New Zealand-based telecommunications companies, which invest millions of dollars into our local economy, told the select committee today that this will have a chilling effect on their investment and development in new networks?

Rt Hon JOHN KEY: I think the member is showing her ignorance by confusing the Telecommunications (Interception Capability and Security) Bill with the Government Communications Security Bureau and Related Legislation Amendment Bill.

Clare Curran: Are there comparable protections in his new legislation for the privacy and rights of New Zealand citizens and businesses alongside the expansion of the bureau’s powers to become a domestic spy agency?

Rt Hon JOHN KEY: I reject the member’s premise.

Clare Curran: Given the revelations last week that the Government Communications Headquarters—the British equivalent of the bureau—is attaching intercept probes on to transatlantic fibre-optic cables where they land on British shores, does the bureau intercept the Southern Cross cable or any other transoceanic system that connects New Zealand’s internet to the rest of the world?

Rt Hon JOHN KEY: I do not believe it is in the national interest to talk about those matters.

Clare Curran: Is he aware of the concern raised in Google’s submission to the select committee that requiring global internet companies based outside New Zealand to undertake interception may put them in conflict with statutory privacy and confidentiality obligations in other countries—in other words, enforcing his law might force companies such as Google to break other laws?

Rt Hon JOHN KEY: The member should direct her question to the Minister responsible. She is getting terribly confused between the Telecommunications (Interception Capability and Security) Bill and the Government Communications Security Bureau and Related Legislation Amendment Bill.

I wasn’t confused at all. Both pieces of legislation are intimately linked. As John Key knows. Tomorrow will be interesting.

Privacy Bill to be Debated

Posted by on May 16th, 2013

Today, my Bill to give more tools to the Privacy Commissioner to deal with privacy breaches was drawn from the members’ ballot.
The Bill gives the Privacy Commissioner the ability to undertake investigations into agencies and require them to become compliant with the Act.
Currently the Privacy Commissioner can only act on complaints from individuals – the Bill would allow her to instigate investigations and require information-handling audits.
It is timely, given the huge number of embarrassing privacy breaches happening under this Government.
From ACC to EQC, through to the deliberate privacy breaches committed by Minister Paula Bennett against two sole parents, the breaching of New Zealanders’ private information has been rife under National.
If they are serious about addressing these issues, then they will support this Bill, as will other Parties across our Parliament.
Having had three bills drawn out of the ballot in the last 12 months, I’m keen to get to the races to see if I can pull off other trifectas!
Now, for my next bill….

Should notification of data breaches be mandatory?

Posted by on April 3rd, 2013

The Privacy Commissioner Marie Shroff last week told us that public trust is being eroded by government sector breaches. She said government agencies have huge databases of information which the public is forced to provide, and in return they need to look after that information properly and that public sector agencies needed to have stronger controls in place when handling spreadsheets of personal information.

Last year she warned us that the public sector can’t afford to be complacent. It’s quite clear that agencies holding large amounts of personal information need to place greater value on that information asset. They need to develop strong leadership and a culture of respect for privacy, as well as day to day policies and practices to provide trustworthy stewardship of our personal information at every level of the organisation. There has been far too little focus on the fact that there are real people behind the masses of information that government agencies hold.

Data breach notification isn’t currently required by law, but the Law Commission recently recommended that it should be made compulsory where breaches put people at risk. That would bring New Zealand law into line with practice overseas.

The private sector has warned repeatedly that New Zealand has a major problem with information security, and a strategy released late last year by a group of IT security professionals said that although technological innovation is high within the New Zealand market, the national spend on educating, training, and developing skilled technical personnel is surprisingly low, creating an imbalance and directly contributing to the fragility and vulnerability of our nation’s IT systems. If that is not a significant warning, I do not know what is.

Last week the chief executive officer of the Institute of IT Professionals, Paul Matthews, said that the Earthquake Commission had failed Security 101 and that it was mickey mouse stuff that such sensitive information could be sent so easily to an outside person.

We are daily finding out about more data breaches, which indicates that they are commonplace.

The solutions aren’t off the shelf, but the Government’s refusal to treat the breaches as systemic, requiring the highest attention, is very concerning.

The reason for many breaches will no doubt lie in the way each department’s and agency’s IT systems have grown. Privacy and security systems are unlikely to have been built into these systems from the very beginning. Many issues can be resolved through training people using the systems in simple procedures to protect data. IT solutions exist to provide password-protected spreadsheets being sent out as attachments and sometimes to prevent email attachments full stop.

An across-government response is required with a Chief Technology Officer with clout responsible to the Prime Minister. Our approach to information security is 20th century and inexcusable. I fear the public service is ill-resourced to deal with the ongoing breaches we have faced and will face.

Instead, we have a Prime Minister who shrugs his shoulders and dismisses the breaches as “inevitable, human error and a trade-off”. He may rue those remarks.

NB: have attempted to contact Threat Toons for copyright permission. But have repeatedly been blocked from accessing their site. Might be the title. Happy to continue trying

10 questions for Hekia Parata

Posted by on August 17th, 2012

There are still a lot of unanswered questions about Hekia Parata’s practice of dobbing in teachers who write to her to complain about government policy to their board of trustees. Fortuitously I have an ability to ask them of her! Today I’ve lodged the following Written Parliamentary Questions. I’ll post the answers when I get them here on Red Alert.

  1. How many letters did she receive expressing concern about her government’s plan to increase class sizes?
  2. How many letters did she receive from teachers expressing concern about her government’s plan to increase class sizes?
  3. How many of her responses to letters she has received from teachers expressing concern about her government’s plan to increase class sizes were sent to the Board of Trustees that employs the teacher concerned?
  4. Is it her policy to send replies to any correspondence she receives from teachers to the Board of Trustees that employs the teacher, if so, why?
  5. How many letters did she receive from teachers expressing concern about her government’s plan to increase class sizes where the teacher did not identify the school that they work at, and how many of those teachers received a direct response?
  6. How many letters did she receive from teachers expressing concern about her government’s plan to increase class sizes where the teacher did not identify the school that they work at, and how many of her responses to those letters were sent to that teacher’s employer?
  7. If she sent a reply to a letter from a teacher who did not identify the school they work at to the Board of Trustees that employs the teacher, how did she identify which school board to send the letter to?
  8. Who prepared her replies to letters she received from teachers expressing concern about her government’s plan to increase class sizes?
  9. Did any of the people involved in preparing her replies to letters she received from teachers expressing concern about her government’s plan to increase class sizes access any government database or record system to identify the school the teacher worked at?
  10. Why did she send replies to letters she has received from teachers expressing concern about her government’s plan to increase class sizes to the Board of Trustees that employs the teacher concerned?

Not sure I like the sound of this

Posted by on October 11th, 2010

Government licensing access to the internet. If your computer is thought to be “infected” you get shut down til it is cleansed. A Microsoft executive put up the idea during last week in the US using a health scare (an epidemic or pandemic) as the analogy.

Not sure I like the sound of this. Particularly in the light of discussions around open government and the importance of and need for access to the internet by the population.

But I need to do more research on it. So shall not take a hard and fast view yet. Privacy issues and cybersecurity keep being raised with me in discussions with a range of tech people across the spectrum.

This is one of the big issues. Keen for your thoughts.

Here’s one take on what Microsoft said

Here’s another:

A new proposal by a top Microsoft executive would open the door for government licensing to access the Internet, with authorities being empowered to block individual computers from connecting to the world wide web under the pretext of preventing malware attacks.

Speaking to the ISSE 2010 computer security conference in Berlin yesterday, Scott Charney, Microsoft vice president of Trustworthy Computing, said that cybersecurity should mirror public health safety laws, with infected PCs being “quarantined” by government decree and prevented from accessing the Internet.

“If a device is known to be a danger to the internet, the user should be notified and the device should be cleaned before it is allowed unfettered access to the internet, minimizing the risk of the infected device contaminating other devices,” Charney said.

Charney said the system would be a “global collective defense” run by corporations and government and would “track and control” people’s computers similar to how government health bodies track diseases.

Invoking the threat of malware attacks as a means of dissuading or blocking people from using the Internet is becoming a common theme – but it’s one tainted with political overtones.

Our private parts… are they?

Posted by on January 12th, 2010

On 9 January, the guy who started Facebook did a public U-turn on the site’s privacy policy which has created an online storm.

Facebook founder Mark Zuckerberg told a live audience that if he were to create Facebook again today, user information would by default be public, not private as it was for years until the company changed dramatically in December. He says the age of privacy is over.

How private should the online information about us be? Whether we post it ourselves, or whether someone posts it about us.

Social networking sites like Facebook and the subscribers to those sites are confronting this issue. Read this open letter to the Huffington Post to give you an idea. Google it to read more.

The privacy of our information is a huge issue. Data privacy is key policy ground for governments around the world. There are shifting meanings for what is public and private. But I would contend there is still very much a need and desire by people to keep control of information about themselves. Which seems to me to be the important principle.

Not sure what right Facebook’s founder has to make a decision on behalf of 350 million subscribers that they don’t care about privacy.

This is important stuff for policy makers and legislators as well as companies.