There are many people who are amazed at all the controversy surrounding privacy at the moment. The European Union, Facebook, Google and Cambridge Analytica are in the news almost constantly and many people just don’t seem to care or refuse to consider how it effects them, especially in New Zealand.
It might just be an outcome of the current generation though. In the 1970’s there were large scale protests against the erosion of privacy. Firstly in 1976 with protests against the Wanganui Computer Legislation (allowing the Police, Ministry of Transport and Justice officials to share information via hundreds of terminals around the country) and again in 1977 against the amendments to the SIS Act (vastly expanding the powers of the SIS).
It wasn’t until 1993 that the first version of the Privacy Act came into being. For a little perspective on how long ago that is, at the time Internet in New Zealand had roughly 10,000 users, the population was 3,500,000, Google didn’t exist and the National Party won the election because voters felt betrayed by Labours neo-liberal reforms. Clearly things have changed. Unfortunately, although the Act was touted as promoting and protecting individual privacy it only protected information privacy and weakly at best.
That, of course, is hindsight. When the Act was written there was no way the government could have foreseen the rise of commercial surveillance on the Internet. There is no mention in the Act of cookies, advertising, GPS or on-line tracking because those things either didn’t exist or weren’t seen to have any impact on the general population. Largely people were concerned about data like their name, address and birth date. That was what was considered personal information.
As the Act says,
Personal information means information about an identifiable individual; and includes information relating to a death that is maintained by the Registrar-General pursuant to the Births, Deaths, Marriages, and Relationships Registration Act 1995, or any former Act (as defined by the Births, Deaths, Marriages, and Relationships Registration Act 1995)
Now companies don’t need to have someone’s name to identify them. A persons online habits, devices used, collections of cookies or web beacons can identify them on-line as an individual just as well as a name. Using the Panopticlick just a browser can be seen to be an individual fingerprint that is possibly even more identifying than a name. After all, there are lots of people with the same name but my browser fingerprint was unique amongst the 1,500,000 tested on the service so far.
And how is an address more useful in identifying a place of residence than the GPS of a phone. 456,000 New Zealanders have a smart phone and in most of those cases the GPS data will be being uploaded. Google is being investigated in Australia over claims that it is harvesting 1GB of data from phones per month and even when location services are turned off they have admitted to tracking Android users using cell towers. They are also accused of using peoples mobile data to do so.
As for a persons birth date. How many people have received an email with happy birthday or happy 40th. Because if that email wasn’t encrypted then every server between where it was sent and where it was received could read it. Email wasn’t designed with security in mind and it is only recently that truly secure email services have become popular or readily available.
Clearly what it means to be an identifiable individual has changed in the 25 years since the Privacy Act 1993. Luckily the Act is up for review with submissions for the Privacy Bill being accepted now. This upgrade has been put forth by Andrew Little, Minister for the courts, GCSB, Justice, NZSIS, Pike River Re-Entry and Treaty of Waitangi Negotiations. And if it seems a little dubious having the Minister in charge of government surveillance in charge of the Privacy Bill then take some time and write a submission. It doesn’t take long and you may have to live with the outcome of this bill for another 25 years.