Report into Covid privacy breach

The Heron report into the Covid privacy breach has been released.

Media release:

Findings of investigation into COVID-19 active cases privacy breach

Deputy State Services Commissioner Helene Quilter has today announced the findings of an investigation into a breach of privacy regarding sensitive personal information.

The investigation looked into who or what caused the disclosure of the information, and what might have prevented the information from being disclosed and what, if any, improvements might prevent that happening again in the future.

The deputy commissioner said the investigation, led by Mr Michael Heron, QC, found that sensitive personal information was passed to someone who was not authorised to see it, who then placed it in the public arena.

The breach happened after the then Acting Chief Executive of the Auckland Rescue Helicopter Trust, Ms Michelle Boag, passed on the information, without authorisation, to Mr Hamish Walker, MP. Mr Walker subsequently passed the information on to the media.

The report findings around Ms Boag, the Auckland Rescue Helicopter Trust (ARHT) and Mr Walker have raised privacy issues which are outside the deputy commissioner’s jurisdiction. Ms Quilter has therefore referred the report to the Privacy Commissioner. In particular, she has referred the actions of Ms Boag, the ARHT and Mr Walker for specific attention. Mr Walker’s actions may fall outside the jurisdiction of the Privacy Commissioner but that is for him to determine.

The deputy commissioner has also shared the report with the Speaker of the House of Representatives and the Leader of the National Party, who are referred to in the report and who may have jurisdiction.

In relation to matters under the Commissioner’s jurisdiction, Ms Quilter said the policy around the security of personal information within the Ministry of Health could have been tighter and the agency should have reviewed this earlier.

The Director-General of Health, Dr Ashley Bloomfield, has assured the Commission that the agency is fixing the areas identified in the report for improvement.

“The Ministry’s policy should have been reviewed when the context shifted and it was not,” said Ms Quilter.

“I am not going to criticise the Ministry of Health beyond that when lives have been saved as a result of their actions on the broader COVID-19 front.

“The information should not have been placed in the public arena. The Ministry of Health did not place it there.”

Report Executive Summary:

Ms Boag and Mr Walker were each responsible for the unauthorised disclosure of this sensitive personal information. Their motivations were political. Their actions were not justified or reasonable. Each acknowledged their error publicly and cooperated fully with this inquiry.

The Ministry of Health policy and process in notifying emergency services of active cases was a considered response to the pressures arising during the early stages of the crisis. Whether the policy was appropriate in the circumstances applicable in April 2020 will be the subject of further review by the Privacy Commissioner. The policy and process should have been reviewed once there were no longer cases in the community and the dissemination to emergency services of the personal information ought to have stopped. In any event, there ought to have been better protection over the personal information.

On Boag and Walker:

The statements of Ms Boag and Mr Walker indicate that the cause of the leak was, first and foremost, deliberate and politically motivated. Both have expressed their sincere regret at their poor judgement in distributing this sensitive personal information to others. I was contacted by a COVID-19 patient to convey their shock and dismay that such information would be passed around in this manner. The Ministry was aware of the risks of unauthorised disclosure of such information and the harm that could be caused. Given its sensitivity, disclosure of such personal information requires clear legal authority and careful judgement.

The Privacy Act is unlikely to apply to Mr Walker in these circumstances. Section 2 of the Act states that an “agency… does not include… a member of Parliament in his or her official capacity.” Mr Walker considers he received and disseminated the information in his capacity as an MP. He says and I accept that he sought to hold the Government to account with respect to the countries from which new cases were originating and with respect to the lack of security around personal information. Mr Walker accepted that the spreadsheet did not assist to prove the first point. In my view, however, Mr Walker was acting in his official capacity.

Ms Boag’s actions in disseminating the personal information would not have been compliant with ARHT policy.

The State Services Commissioner could consider a formal referral of Ms Boag and the ARHT to the Privacy Commissioner, who is the appropriate statutory body in their case. The Privacy Commissioner is, however, already reviewing the question of whether the Ministry policy was appropriate and can investigate this matter with or without a referral or complaint.

On Michael Woodhouse:

Ms Boag had earlier provided similar personal information (but different spreadsheets) to Michael Woodhouse, MP. I received information relating to those other occasions from Ms Boag and proactively from Mr Woodhouse. Mr Woodhouse advised he did not forward such information on and has now deleted it. I considered whether I should pursue the deletion further with Mr Woodhouse, but ultimately because the information was similar in nature and it was not central to my inquiry, I determined it was not necessary to pursue it. I accept Mr Woodhouse deleted the information. Ideally, he would have counselled Ms Boag not to disclose such information and/or alerted the Ministry or Minister.

Full report:

Westpac apologises and settles with Nicky Hager over privacy breach

Westpac have apologised to Nicky Hager and agreed to pay costs and compensation, settling a complaint Hager made after Westpac illegally provided the police with his banking data (breaching his privacy) when they were investigating the hack of Cameron Slater that contributed to the book Dirty Politics.

Hager’s lawyer Felix Geiringer:

Nicky Hager has settled his privacy dispute with Westpac with the Bank agreeing to change its terms. Full media statement below.

NZ Herald details Westpac’s apology in Westpac admits breaching Nicky Hager’s privacy by giving records to police

Westpac said in a statement its new policy now required a production order from authorities before releasing private information, except in “extremely limited circumstances” such as Police searches for missing persons.

“We apologise to Hager for our part in the distress these events have caused him and his family”.

“Westpac’s practice at that time was to comply with such requests in the belief that it was entitled to do so under the Privacy Act. However, in the light of the public discussion of Hager’s and other cases, it is clear that bank customers reasonably expect that in similar circumstances such data will be kept private.”

While this is a victory for Hager it is also a win for privacy in general and proper police investigation processes.

The police have already apologised and settled: Police apologise to Nicky Hager

In a settlement with far-reaching implications, the New Zealand Police have apologised to Nicky Hager for multiple breaches of his rights arising from their 2014 investigation into Dirty Politics.

Nicky Hager’s home was raided by Police in October 2014. The raid was part of an investigation into the source of Nicky Hager’s book, Dirty Politics. In 2015, the High Court ruled that the warrant that was used for the raid was “fundamentally unlawful”. However, many more alleged breaches of Mr Hager’s rights were left to be resolved at a later hearing.

In today’s settlement, Police have accepted that they did not have reasonable grounds for the search, that they attempted to breach Mr Hager’s journalistic privilege in multiple ways, and that they unlawfully obtained his private information from third parties including his bank. [The full Police statement is included below.]

“This is a very important agreement,” said Mr Hager. “The Police have admitted that many things they did in their investigation and search were unlawful. This sends a vital message that people can share important information with journalists with confidence that their identities will be protected. The Police have apologised for threatening that confidentiality and trust.”

As part of the settlement Mr Hager is to receive substantial damages and a substantial contribution to his legal costs. Mr Hager said “Under the agreement, I am not allowed to name the figure. However, it gives the strongest possible indication that Police accept the harm they caused and are much less likely to treat a journalist this way again. The money will help support important work in years to come.”

During a 10-hour search of his home in 2014, Mr Hager claimed journalistic source protection privilege. He later learned that Police officers breached express promises made during the search and photographed privileged documents to use in their investigation. Police also sought to circumvent Mr Hager’s rights to source protection by obtaining his private information from third parties such as Air New Zealand, Qantas, PayPal, Customs, Westpac, Vodafone, and Two Degrees. Luckily, none of this succeeded in exposing any sources.

“This has been a long fight, but we stuck at it because we believe what we were fighting for was important,” Mr Hager said. “I want to thank my legal team and all of the people around New Zealand who have cared about the case and supported it over the last three and a half years”.

This raises other questions about the speed and degree to which police investigated Hager after a complaint by Slater, compared to how the police have dealt with complaints made against Slater, for example the soliciting of a hack of The Standard, which Slater admitted in being offered (by police) and getting diversion, despite having had diversion previously.


Winston Peters hasn’t dropped legal action against National Party

Conflicting reports this morning on whether Winston Peters has dropped legal action against the National Party and National MPs.

NZ Herald: Winston Peters hasn’t dropped legal action against National Party

NZ First leader Winston Peters has agreed to drop his legal action and pay costs to former National Party leader Bill English and other former ministers over the leak of his superannuation overpayments.

Peters was taking legal action against English, Paula Bennett, Steven Joyce and Anne Tolley as well as two staff members while trying to uncover who leaked details of his superannuation overpayments to the media before last year’s election.

It is understood Peters has now agreed to withdraw the legal action and pay some of the legal costs for the National Party MPs and staff – believed to be about $10,000.

The National side had said they would take further action on costs if a settlement was not reached.

But Peters’ lawyer Brian Henry has just been on RNZ and has stated that this is incorrect.

He said that the first legal action was over – on behalf of Peters he had sought documents, and as is normal when that happens, costs needed to be paid. He wouldn’t confirm or deny the amount of costs.

The defendants will be identified when the next legal claim is lodged. Bill English, Paula Bennett, Anne Tolley, former ministerial staff Wayne Eagleson and Clark Hennessy, and journalists Lloyd Burr and Tim Murphy were included in the first action.

Henry would only say that action has been dropped against the two journalists. He says that they were never intended to be a part of the eventual legal action.

But he refused to say which of the MPs and staff might be still subject to future legal action.

Henry said no statement of claim has been lodged, and would not say when that was likely to happen – he said that these things take time.

Research on perceptions on Internet health

Mozilla has done some research on perceptions of the health of the Internet.

New Research: How Germans, Americans, Women and Men Feel About Internet Health

Fresh research from Mozilla explores perceptions of internet health among Americans and Germans; women and men; and various age, income and education levels

Today, Mozilla is publishing research that examines people’s perceptions of internet health.

In our first-ever Attitudes Toward Internet Issues report, we study how people feel about online privacy and security, online harassment, misinformation, openness, and other topics. We also explore how perceptions differ among various demographics, like Americans and Germans, women and men, and various age, income and education levels.

“Our findings reveal that a number of factors — from gender to geography — deeply influence how people perceive the state of the web,” says Sam Burton, who leads the Mozilla Foundation’s research on internet health.

“We also learned that some people are more likely than others to take action to improve the health of the internet,” Burton continues. “Actions might include using open source products, checking the source of a news article before sharing it, or standing up for someone being bullied online.”

Attitudes Toward Internet Issues is built around Mozilla’s five internet health issues: Online Privacy and Security; Openness; Decentralization; Digital Inclusion; and Web Literacy.

Key findings:

Online Privacy and Security is the most well-known internet health issue in both the United States and Germany.

  • Just over 60% of people surveyed in both countries indicate they are aware of the issue
  • Social media data correlates with this finding; posts about Online Privacy and Security surpassed posts about other internet health issues

Men are generally more aware of internet health issues than women in both the United States and Germany.

  • However, the gender gap is much smaller in Germany than in the United States
  • In Germany, women are slightly more aware of Online Privacy and Security than men (69% and 67% respectively). This is the only case in which women were more aware of an internet health issue than men

But women tend to care more about online privacy and security than men in both the United States and Germany.

  • In the United States, 75% of women versus 64% of men care about Online Privacy and Security
  • In Germany, 82% of women versus 68% of men care about Online Privacy and Security

Income and education play an important role in awareness of and engagement with internet health issues

  • The Ipsos survey indicates that people in both the United States and Germany with higher income and higher education are on average two times more likely to report familiarity with the term “internet health” than people with other socioeconomic backgrounds

Awareness of all five internet health issues increased between July 2016 and March 2017 in both the United States and Germany.

  • The up-trend was mild, but notable for all five issues
  • Open Innovation was the slowest to increase, particularly in Germany

Awareness of and concern about internet health issues do not necessarily correlate when accounting for age

  • In Germany, the oldest people surveyed (46+ year olds) are most concerned about Internet health issues
  • In both countries, the youngest people surveyed (16–25 year olds) are the most aware of Internet health issues, but expressed the least concern about most of these issues

Read the full Attitudes Toward Internet Issues report.

Hager, Farrar on privacy

Nicky Hager at The Spinoff: “‘If you’ve done nothing wrong, you’ve got nothing to fear’ is like a slogan from a police state”

The claim “If you’ve done nothing wrong, you’ve got nothing to fear” is like a slogan from a police state. I agree with the writers who say that privacy (like freedom of speech) is an essential part of a person being able to develop their personality and beliefs. It’s as crucial and fundamental as that.

I know as a writer on intelligence that most people by far aren’t being spied on. But if the idea or fear is around that our lives aren’t private, it undermines this vital stuff about who we are. (Also, by the way, the loudmouths who say “If you’ve done nothing wrong, you’ve got nothing to fear” would actually be enraged if their privacy was breached.)

I think Hager would be outraged if his privacy was breached, for example via a police raid. Fair enough, he should be outraged if the police act improperly or illegally.

This brings us back to the subject of privacy. It is awful if people wonder needlessly whether someone is reading their private email, or decides they’d better not be involved in politics, or generally shrinks down and limits who they are because of an unnecessary fear of surveillance. Because, unfortunately, the fear that we’re being watched does almost as much damage as the reality would.

Given that Hager has more than once been the recipient of private communications and has published these details in books, there’s a degree of conflict in what he says.

He used a major privacy breach to both make money and to try and influence the outcome of an election with his ‘Dirty Politics’ book in 2014.

It’s as if he thinks that breaching privacy for the right cause is fine, otherwise it’s evil.

David Farrar responds to Hager on privacy.

I have had my private e-mails read. They have twice appeared in books published by Nicky Hager.

I have considered quitting politics because of the fear of surveillance.

I’ve had spies put into my business to steal documents.

So pardon me if I have trouble reading the above without getting a bit angry.

I think that’s a reasonable reaction. Farrar has also tried to influence elections, but I’m not aware of him using illegally obtained communications to do that.

Hager generally seems to be reasonably intelligent, but it almost seems as if he doesn’t see the contradictions in what he says and does.


Peeping drones

Using drones to peep and spy is disturbing but not really surprising.

Stuff: Peeping incidents among drone-related complaints made to Civil Aviation Authority

Peeping and peering incidents involving drones figure numerous times in information on drone-related incidents released by the Civil Aviation Authority under the Official Information Act.

The incidents feature the machines, which can carry cameras, hovering outside homes at night, and sometimes targeting several neighbouring properties in succession. 

In a typical incident from the CAA report, a Christchurch resident reported a drone flying close to their window one night last May.

“Complainant closed curtains and soon afterwards the [drone] moved to the neighbouring property,” the file notes.

A Petone, Lower Hutt resident complained in April this year about a drone appearing at night over homes and “hovering around windows of houses at close proximity”.

Another, in Auckland in December, also had a drone over their property.

“I noticed it then go and hover over at least three of our neighbours’ properties.”

There could be a variety of reasons for using drones like this. Peeping is an obvious one, but they could also be used to ‘case joints’ to aid burglars. And malicious intent like harassment is another possibility.

CAA has released rules for drones, acknowledging: “Aviation regulators around the world are grappling with how to integrate [drones] into existing aviation safety systems”.

Those rules include provisions not to fly at night, to get consent from anyone you want to fly above, and to get permission before flying over properties.

But Wellington barrister Stephen Iorns said there were currently very few criminal charges that could be laid if someone broke the authority’s rules. 

“It’s only a criminal offence under the Crimes Act if someone is naked or engaged in intimate behaviour,” he said.

So if you want to be protected from drones by current laws turn up the heat and go naked indoors.

“The Privacy Commissioner can’t investigate without [someone] identifying who the party who did the filming is.” 

And the Privacy Commission did not have the power to issue fines.

Instead, victims would have to go through the Human Rights Tribunal for that, but only once they had a favourable ruling from the Privacy Commission.

Identification will be a real problem.

Is it legal to use drone Stingers?


Vulnerable children and information sharing

Personal information, who can have it, what they can use it for and who they can share it with are contentious issues.

The starting point should generally be that personal information should remain as private as possible. But there need to be exceptions, for the good of individuals and for the greater good.

And the care and protection of vulnerable children is a priority that should override some privacy. Their rights should certainly take precedence over abusive carers and families.

Stacy Kirk writes: About time children’s rights came first

Under proposed new laws, government agencies dealing with a vulnerable child in danger will be able to share information without needing the family’s permission.

It’s about time.

The final report of a panel tasked with overhauling Child, Youth and Family (CYF) was released this week. It delivered on a promise to propose radical change.

A major problem for CYF is that when a vulnerable child is handed to them by another agency (such as health or justice), the child often becomes CYF’s responsibility alone.

Not always, but far too often, other agencies will notify CYF if they see an issue and then think: “great, child referred, job done”.

Worse, they won’t notify CYF due to privacy concerns.

Two key paragraphs buried within a mountain of text signal a major shift toward the presumption of information-sharing when children are at risk.

“If information is to be shared without consent, this should only occur where the practitioner believes that the benefits of information exchange to a child or young person outweighs any potential negative impacts…”

Under this proposal, anyone acting in good faith would be protected from civil, criminal or any professional disciplinary action.

That includes doctors, priests, psychiatrists, social workers, lawyers and all those other professions where client confidentiality is ingrained and sometimes legislated for.

But where those people are dealing with children, and particularly children in danger, they will not only be given the ability to share relevant information without permission, they will be expected to.

Social Development Minister Anne Tolley, in a Cabinet paper to her ministerial colleagues, said she supported the approach.

Children’s Commissioner Russell Wills, a paediatrician, says it’s an important shift that lowers the threshold for information exchange.

The safety of a child should always trump the privacy of a family that doesn’t always have the best interests of that child at heart.

Rights of children, especially the care and safety of vulnerable children and abused and mistreated children, must be a higher priority than keeping information private.

Security versus privacy

The review of our spy agencies the GCSB and the SIS has reignited the security versus privacy issue.

Ideally we need to find a way of improving security, which requires some surveillance, while strengthening the protection of personal privacy. We should be targeting simpler clearer laws, possibly with some greater powers but with greater transparency and much better independent and political oversight.

A number of related reports:

Jane Patterson at Radio NZ: Security v privacy: A balancing act

A review of New Zealand’s intelligence agencies has found the laws governing the Security Intelligence Service (SIS) and the Government Security Communications Bureau (GCSB) are clunky, inconsistent and preventing those agencies from properly carrying out their jobs.

The challenge confronting lawmakers, past and present, is how to balance citizens’ rights to living in a safe and secure country, against their rights to privacy.

She concludes:

The review has attempted to balance the rights of security against privacy by proposing stronger oversight and warranting provisions.

It is now up to the politicians to strike that balance in line with the expectations of the New Zealand public.

A look at our chief security overseer at Stuff: National Portrait: Inspector-General of Intelligence and Security Cheryl Gwyn

Gwyn is the official spy watchdog, and she bites.

Gwyn has begun a series of inquiries which ask dangerous questions about both the SIS and the other intelligence agency, the GCSB.

Did the GCSB use its powers to help former Trade Minister Tim Groser in his (unsuccessful) bid to become head of the World Trade Organisation?

Were New Zealand spies involved with the CIA’s torture of prisoners between September 2001 and January 2009?

Does the GCSB snoop on the communications of New Zealanders working or holidaying in the South Pacific?

This could be a breach of the law preventing the GCSB from bugging New Zealand citizens or permanent residents. It was the bureau’s illegal bugging of permanent resident Kim Dotcom that lit a firestorm under the GCSB.

Claire Trevett on Michael Cullen and the review: The ex-politician who came in from the cold

Cullen proved the perfect man to front the report for the Government. His own lengthy tenure as Deputy Prime Minister and Attorney-General meant he was well aware of the type of information the intelligence agencies provide, and the importance of that information for a government.

He told the spy agencies to up their game when it came to public relations if they wanted to reduce public scepticism about their role. He then proceeded to do that PR for them, running through a list of threats to New Zealand from domestic attacks to cybercrimes. He spoke of whether the GCSB could help if a New Zealander was lost at sea or taken hostage – hypothetical situations but based on actual risks New Zealand had faced.

That it also makes it harder for Labour to quibble with the recommendations put forward is almost only the cherry on the top.

If we are to achieve better security and better privacy it’s essential for both National and Labour to work together on this without partisan sniping. They will both at times be in the most responsible position for providing security for the country and protection of us, the citizens.

Identity theft warning

While most people commenting at Your NZ do so responsibly there has been a problem over the last couple of weeks in particular with a small number of people commenting with obvious malicious intent.

One of the worst offences has been posting comments using another person’s identity – this is called identity theft and is a serious breach of blog protocol.

Someone did this yesterday using a well known identity and it included using the person’s email address.

I contacted this person and they confirmed to me that it wasn’t them who had commented.

So here’s a warning – anyone found to have used another person’s identity forgoes any rights to privacy. I may pass on what I know about any such people to the person whose identity was misused, or to law enforcement.

And as these people are obviously legally ignorant I suggest they read this from NZ Police:

About online identity theft

Identity theft is when someone assumes another person’s identity, such as their name, bank account details or credit card number, to commit fraud or other crimes.

Identity theft is one of the fastest growing areas of crime across the world and has no geographical boundaries – victims and offenders can be on opposite sides of the world. This makes it difficult for Police to investigate the crime, catch the perpetrator or help the victim.

Not so difficult in recent cases here is identifying the culprits through their commenting style and malicious motives.

If anyone sees that a comment has been made using their identity here please advise me as soon as possible so I can take appropriate action.

Legal opinion on Westpac release of Hager data

An interesting legal opinion from LawGeekNZ (Lowndes Jordan) on Westpac handing over Nicky Hager’s banking information to the police during their investigation into the Rawshark hacking of Cameron Slater’s data.

Privacy Implications of Westpac’s Release of Nicky Hager’s Personal Information

We’ve heard this week that Westpac Bank voluntarily provided the New Zealand Police with author Nicky Hager’s bank account information, without requiring a production order or warrant from the Court. The information was apparently requested on the basis that it might reveal information about the person known as Rawshark, who had allegedly supplied illegally obtained material to Mr Hager, for use in his book, Dirty Politics.

There has been criticism of both the Police and Westpac.

Some of the criticism (that the Police are acting as “totalitarian enforcers” for example) is a little unfair, particularly where the request was made of Westpac, which was fully capable of looking after itself, as did the other organisations that refused the Police request.

In the absence of any evidence of political motivation, the Police were doing what they considered to be their job. They operated within the bounds of the Privacy Act, which, as we shall see, envisages information being provided by an “agency” (a Privacy Act term for a holder of personal information) such as a bank, without the need for any court order.

That’s not to say that the Police weren’t pushing the boundaries. It’s revealing they did not proceed to obtain court orders against the other organisations that refused their request. Perhaps the Police got all they needed from Westpac, or perhaps they didn’t quite have enough evidence to chance refusal of an application to the Court for a production order in respect of the personal information of a high profile person like Mr Hager.

They then go on to look specifically at the Westpac aspect.

Two things we know though.

Firstly, that the information in question is personal information under the Privacy Act. That’s easy when we’re talking about confidential financial information.

Secondly, it’s clear it was released in response to an informal request by the Police without a court order.

But, contrary to various reports we’ve seen, this does not automatically mean there has been any Privacy Act breach. The Privacy Act allows an agency to disclose personal information, without the consent of the individual, where (among other exceptions) that:

is necessary … (i) to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences (IPP 11(e))

So, the Police would have sent a request to Westpac, referencing this exception to the prohibition on disclosure without consent and, presumably (although, maybe not, given that other agencies refused), providing evidence why the information was “necessary”.

They then give a number of details and explanations, including document examples. It’s well worth a read if you have an interest in this.

And a more general conclusion:

Given the increasing amount of personal information (including metadata) now held by third parties, particularly as a result of all of our internet use, there is a need for much clearer public explanation by agencies who hold our information as to whether and how it will be released. “Internal policies” no longer cut it in our view.

I agree on this. Much clearer explanations are needed.

This doesn’t just involve banks and companies like Trade Me and communications/Internet/phone companies.

I hold personal data of anyone who comments here. I need to know clearly what my responsibilities are.

As per Westpac under the Privacy Act I have responsibilities to keep information private, but if the police request via a court order that I hand over information about anyone who comments here then I am required by law to do so.

And it’s also possible for the police to request information from me without a court order as they did with Westpac and others in the case of Hager.

This means it is left to my judgement as to whether it is necessary … (i) to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences (IPP 11(e)).

So I would certainly like clarification on this.