Chris Barton

Technology columnist for the NZ Herald

Smartphones test for new privacy law

The kinds of data being shared by phones today is changing our concepts of privacy. Photo / AP
The kinds of data being shared by phones today is changing our concepts of privacy. Photo / AP

Time and technology. They wait for no one.

"Technology is barrelling at the rate of knots," said Law Commissioner Professor John Burrows last week, releasing the Review of the Privacy Act 1993, the culmination of a four-stage re-assessment of our privacy laws.

Also at the launch, Privacy Commissioner Marie Shroff adopted a similarly nautical theme likening technology to a "flood tide" in which we are all inundated. Some enjoy the flood "paddling along". Others struggle against a swiftly flowing "information tide".

The language suggests those speaking are not of the generation who lives, loves and embraces technology. The generation who might greet the list of technologies the Commission suggests keeping a wary eye on - the internet, online tracking, cloud computing, deep packet inspection, location technologies, and biometrics - with an unbothered "whatever".

While both commissioners appeared alarmed at technology's onslaught, they felt the Privacy Act - with the suggested 136 modifications - would ride out the maritime catastrophe. "Overall, we think the broad principles of the Act are flexible enough to cope," says the report. With the new reforms, both commissioners declared, the Act would be "future proof".

The broad principles are straightforward. Information about individuals must be collected fairly. It's got to be held securely, so it doesn't get into the wrong hands. Individuals should be allowed to know what information any agency is holding about them. The agencies shouldn't give that information to people who don't have any need to know it And they should use the information only for purpose for which it was collected.

Come what may, broad "technology neutral" principles will keep privacy safe. Yet the report also recognises "technology issues will continue to raise privacy challenges". To meet the unknown it proposes a watching brief and regular (five-yearly) reviews. Plus expert panels to promote "privacy by design" and "privacy enhancing technologies".

A potential pitfall is the threshold definition of "personal information". Currently, only information about an identifiable individual is covered by the privacy principles. But thanks to the internet and new generation mobile phones, the boundaries between personal information and non-personal information are "somewhat opaque". Is, for example, your current location linked to a personal device like an iPad or a smartphone, "personal information"?

Location services - whether via your computer's internet browser or some other device's unique device identifier are the next big thing. As Tom Coates told the Herald at Wellington's Webstock earlier this year, they have only just begun.

"At the moment we've got social location sharing with friends, which all the large companies are excited about because it's a direct relationship between business proprietors, users and the intermediating company and there is money in it."

Coates should know. In 2008, he launched the location service Fire Eagle for Yahoo. Since then, many others - including Gowalla, Facebook Places, Foursquare and Google Latitude - have followed.

"Any site on the web could personalise itself to react to where you are as well as who you know," says Coates. Combine automatic "geotagging" (geographical identification) with blog posts, photos, tweets and so on, and suddenly you have "a hyper local sense" of what people are thinking - "what everyone in Nebraska thinks about Barack Obama or what everyone in Wellington thinks about Hilary Clinton."

Such a service also tell you where your friends are and what shopping opportunities are to be had nearby. Bring the same sort of function to handheld devices that can relay their geographical location back to HQ and the sky's the limit for what stuff can be sold to us.

Early this year the world learned the Apple iPhone and Android smartphones keep track of where their owners have been, and can store the data on the phone where it can be read by someone with know-how. Reaction varied from outrage that Apple or Google were collecting this spyphone data to a "whatever" from people who proudly displayed their iPhone tracks on blogs. Location data is collected by mobile networks anyway, so what's the problem?

The difference is that the networks are bound by law to keep such data secret and secure and only release it to the police or other authorities under strict guidelines whereas Apple and Google have much more free rein. Either way we're all being tracked.

Should we be worried? In 2003 Jerome Dobson and Peter Fisher raised the spectre of "geoslavery" -- society facing a new form of slavery by location control. They acknowledged that not all location services and human tracking is bad. Mountaineers, who have an accident while climbing, know one call will report almost exactly where they are. But the technology also enables "one entity, the master" to "coercively or surreptitiously" monitor and exert control over the physical location of another.

Coates argues the American companies in charge of our data are motivated - by the fear of massive lawsuits and "terrible PR incidents" - to get privacy right. With good design he says the user can be in control of their location information. Fire Eagle for example was designed so users could see all the information that was stored about them, could purge and delete their locations and could stop sharing them with other services. "We didn't keep backups. We figured if users purged it, it should be gone forever."

It's view that gets some support from Shroff who says she makes up for her lack of enforcement powers in the current Privacy Act by making an organisation's bad or questionable privacy practices public.

"Nobody wants to be in public having the Privacy Commissioner saying that they're not trustworthy people's information," says Shroff. The tactic was used to good effect in December when it was found Google had collected information from WiFi networks in New Zealand while it was conducting its Street View filming for Google Maps.

"We used the international community to put our name and shame type pressure on Google to stop collecting WiFi information through their Street View cars."

In the end Google apologised to New Zealanders for breaching our Privacy Act and said "as soon as practicable" it would delete the payload data that it collected in New Zealand. Which sounds good, except that there is no audit to show that has happened. New Zealanders just have to take Google's word for it.

Users have to take some responsibility. Despite numerous privacy gaffes by American corporations which now hold most of our digital life, track our online moves, and quite possibly are secretly exploiting our personal data in ways we never dreamed of, there's no sign of users abandoning Gmail or Facebook in droves. In fact their numbers seem to be growing exponentially.

At Webstock in February Peter Sunde of Pirate Bay fame pointed out that one of the biggest countries in the world at present is Facebook. A nation which has a totalitarian leader who is "the judge, the police, the executor and the lawmaker all in one person" and 750 million active users apparently trust him.

"We don't discuss that enough. We don't have rules saying if that is OK or not," says Sunde who advocates for more control over such companies "to make sure people own their own data about themselves."

Whether our Privacy Act has the clout to deal proactively with the might of Google and Facebook remains to be seen. Danah Boyd, a social media researcher at Microsoft Research is another calling for web companies to take more responsibility for how they handle users' personal information.

Last year she told Technology Review how it's the market, not users that's changing privacy.

"When you think about Facebook, the market has very specific incentives: Encourage people to be public, increase ad revenue," said Boyd. "Facebook is saying, 'Ah, the social norms have changed. We don't have to pay attention to people's privacy concerns, that's just old fuddy-duddies'."

In other words, people might still value privacy, but they value Facebook too - even though it's driven to undermine privacy to make money. Technology we can't live without.

Meanwhile, the Law Commission sees education as key.

"We also note the critical importance of educating people - particularly young people - on how to respect and protect their online privacy.''

Good luck with that.

- NZ Herald

© Copyright 2014, APN New Zealand Limited

Assembled by: (static) on red akl_n2 at 19 Sep 2014 01:20:04 Processing Time: 559ms