Privacy: 10 years of change and challenges
Institute of IT Professionals NZ AGM
Friday, October 25, 2013
Privacy: 10 years of change and challenges
I welcome the chance to talk to this IT audience – one of the few audiences I speak to who understand the huge impact of IT on personal information.
I was appointed Privacy Commissioner 10 years ago in 2003.
Let’s take a walk through that decade – some dramatic changes have occurred.
What did OPC look like then?
• Starved of resources
• Large complaints backlog
• Policy and data matching struggling under huge work load
• No technology team
• Public image probably barely positive, bedevilled by BOTPA perception
• But substantial track record already with health and telecoms codes, public education
Context: Early 2000s
The reference book, the pen, the letter and the fax machine were still dominant, but fast giving way to email, social media and the search engine.
9/11 of course was a defining moment early in this century – marks a turning point – resulting laws pushed strongly towards mass government surveillance, placed a high value on security, and a low value on privacy.
The internet and technology generally were on a rising curve but Facebook hadn’t even been thought of and Google was in its infancy.
Some of the
emerging technologies and privacy issues raised in the news
media in 2004:
• Increasing use of CCTV – even in toilets
• Sharing of health and DNA databases
• ATM skimming
• Covert filming
• Home computer security
The Players: Early 2000s
Privacy was unpopular with the media. My predecessor, Bruce Slane, said in his final annual report that the media even referred to OPC as the “Gestapo” and the Commission as “Commissar” or “Tsar”. He talked about the “lonely stand” OPC had to make on some issues.
Most of you know about the concept of the classic regulatory pyramid with the wider base of the diagram made up of willing compliers and the narrower point of the triangle made up of reluctant compliers, or actual rogues.
Early on, I would have to say that pyramid was almost inverted; reluctant compliers were numerous and at the base of the pyramid.
The public sector in particular was unconvinced of good information handling needs: many senior managers in departments and state sector agencies were openly dismissive of privacy and blind to the collateral damage to client trust, and to the efficiency and ethical issues.
Businesses were ahead of the public sector because many were importing their good privacy standards from more sophisticated HQ regimes overseas; the banks for example have always been leaders in this area and could see the direct relationship between good personal information handling, customer trust and a healthy bottom line,
The technology sector was coming at things from a slightly different angle. I would say that you were slow to wake up to privacy in the information age; in your defence the early 2000’s was the phase of understandable but pretty wild-eyed enthusiasm for new gadgets and software and even for stuff that was close to snake oil, or at best Beta versions.
Where was the public mind at this stage? In 2001 our polling showed public concern about privacy at a middling 49%; media driven concerns about freedom of speech; and fairly trivial, often inaccurately reported, stories about access to school reports and airline passenger information and the like influenced public attitudes.
In those early years, therefore, my main preoccupations at OPC were struggling to get the complaints backlog down; developing a code to control credit reporting; working on improving our public image by pointing out to the media that they were missing one of the main stories of the century by focusing on the Privacy Act as a block or impediment (“BOTPA”), rather than on the flood tide of technology and the surveillance society.
The journey to
I will now take you on a fast ride from the early 2000s to 2013.
The technology environment you know about; but just to remind you of the pace and scale of the revolution: the rise and rise of Facebook and Google and Apple and Oracle and more; the appearance of data mining and big data analysis; cloud computing – it started with little fanfare but slowly became a buzz word of the times; the mega growth of computing power and storage; the gadgets which have almost taken over the world – Skype, smartphones, pay pal, mobile computing, location tracking, Google Glass, facial recognition, drones, Maxwell Smart wristwatches – it’s all happening.
And let’s recognise how these changes became rocket fuel for the growth of government and business databases, and handed over on a plate the power to collect, farm and exploit those vast data stores for business and government advantage – and of course consumer service.
For just one example of growth, complexity and power in technology, look at the rise of ‘the stack’ – we are seeing an increased reliance on a handful of companies providing us with multiple services.
Major internet service providers like Google or Apple or Facebook or Amazon or Microsoft want to corral you into relying on their services alone. The rise of the stack means vertically integrated providers for everything from search, email, instant messaging, video calling, data storage, games and other things.
This is a quote from an essay called ‘Android is Better’ by a Twitter designer Paul Stamatiou:
‘Most services I rely on daily are owned by Google. My world revolves around Gmail and Google search. I could start listing android features I adore, but this succinctly states why android makes sense for me; the number of Google products I use each day bothers my mind. No other company has imbedded itself this deeply into my life.’
And government is no different – it has recently passed the amendment to the Privacy Act that allows information about you and me to be widely used and shared across government. I welcome the privacy safeguards that have been built into this legislation, at the suggestion of my office and the Law Commission. But there is no getting away from the fact that there is also a government ‘stack’ developing, which will share our information and dominate much of our lives into the future. We are born, we use the health and education systems, we get married or live together, we pay taxes, we get a passport, we fill in census forms, we register a company, we get a traffic fine or break the law or go to prison, we receive a benefit, we cross the border and come back, we get government subsidies, we retire and get superannuation. When we die that fact is digitally recorded but while we may be gone we are not digitally forgotten. All of this is generating digital information about ourselves which is collected, shared, mostly retained forever and accessible to a greater or lesser extent across the government ‘stack’.
And let’s not forget what we do willingly ourselves – we social network, we use cloud storage, we buy and sell online, we use search engines, we store digital photos; so we also leave a voluntary trail wherever we go. The internet and IT empower us hugely but also put us at huge risk. We are now digital citizens in the digital century.
The Global Digital Universe
Is this unique to New Zealand? Of course not. It’s happening everywhere, and what’s more information has gone global; privacy has gone global. The bad news is currently it is all pretty much out of our individual control; the good news is that worldwide there is a battle being waged to get things back into some sort of order.
One of the more exciting things about my 10 years as Privacy Commissioner has been to see the dawning of international efforts to bring some order to the wilder frontiers of IT. APEC, OECD, the EU, GPEN, APPA, the International Privacy Commissioners Conference - all are working to provide some rules and standards to protect us in this new world of data. In a very interesting development the United States, via its Federal Trade Commission and Department of Commerce, are stepping up the action. They are recognising that because they regulate the US based global internet companies, they the US regulators, need to take a responsible global view of how they handle these monsters. Both Google and Facebook have recently been fined heavily for breaches, by the FTC. Both are subject to orders imposed on them by the FTC to report annually for the next 20 years against certain standards of behaviour, or risk penalties.
I have just returned from the 35th International Privacy Commissioner’s conference in Warsaw where we decided to get in behind the Global Privacy Enforcement Network through which we will help each other to identify misbehaviour and harm to consumers; and then provide redress and impose penalties. We also took some real steps towards a more active coalition of Privacy Commissioners to act globally across a range of privacy issues.
What happened at home?
So back to NZ, what has changed during those years of the new century, up to now?
The digital citizen is nearly a reality; public use of the internet has reached 86% (up from 37% in 2001); IT power and the internet have permeated every corner of our lives.
The media have woken up to the fact that they were missing, as I said, the story of the century and have focused increasingly on privacy and technology stories. Our own media enquiries have shot up from about 150 in 2003 to over 300 ten years later; once privacy was petty as far as the media were concerned; CCTV stories predominated; now the likes of the Andrea Vance issue certainly got the media focussing on privacy as an essential part of freedom of speech, rather than its enemy; a complex, live issue – rather than a BOTPAs. Privacy has become a pressing political issue, rather than a slightly boring compliance issue.
Increasingly both the public and the media have realised that the changes I have described above in technology, government and business have huge power to help them; but also to intrude on their everyday lives, limit their freedoms and deprive them of choices and control over their own lives.
Increasingly OPC has gained profile as a watchdog and a regulator, as of course we always were – but were undervalued for that role.
Not surprisingly our
polling shows that public concern about privacy issues has
shot up, from 49% in 2001 to 67% in 2012. 88% of those
polled want businesses punished if they misuse people’s
personal information; 97% want the OPC to have the power to
stop a company breaching the Privacy Act; 84% are worried
about their children on the internet; and 82% are worried
about how business uses their information.
What else happened? Well, ACC happened and MSD happened and EQC happened. Last year was a watershed year for data breaches for the public sector.
Failures on a number of
1. ACC – email breach in August 2012 – details of 6700 clients leaked.
2. MSD – unsecured WINZ information booths.
3. EQC – email breach
The public woke up to the fact that their information is no
longer completely safe with government departments, if it
Also in the private sector – Telecom/Yahoo/Xtra breach in February 2013 when the email accounts of 60,000 New Zealanders were compromised.
Along the way from 2003-2013 I should remind you we at OPC have been busy; the credit reporting code, data breach guidelines, CCTV guidelines, cloud computing guidelines, material for youth and seniors, for schools, business, the health sector and government; surveys of data transfers, PSDs and cloud computing. Early on we set up a small technology team in the office; developed a privacy officers network; PAW started in 2007. We achieved EU acceptance of our privacy law – an important achievement to open business opportunities. Also along the way our incoming enquiries have risen by 36% and media enquiries have risen 44%; demand for our advice has also risen sharply.
In 2011 after 5 years of study the Law Commission recommended giving the Privacy Commissioner more powers to promote good stewardship of personal information and punish the bad. These recommendations have taken on new urgency in the light of all of the developments, but especially the data breaches by government departments.
What does it mean for OPC? Remember the struggling and embattled little organisation I came into in 2003? Well, in 2013 we are still small and under pressure, but the climate has changed; our public mandate is much strengthened through public concern and demand for good information stewardship by government and business. We are still under-resourced – in fact our resources are little changed from 2005, but we have rejigged our priorities to help us to cope. We hope that the Government will look favourably on both law reform and increased resourcing in the near future; we are also empowered by our international colleagues’ support; and by the growing willingness of big business and internet corporates to recognise that good privacy is actually good for their business in the longer term.
The New Zealand Privacy Act could be said to have started with a bit of a whimper and a round of raspberries from the media; privacy law is now turning into a big bang – even, I would suggest, the 21st century human right. All over the world as well as in NZ, privacy regulators are moving up several gears, acquiring new powers, the ability to enforce the law and curb bad behaviour and a new mandate from a worried public to be a watchdog with both bark and bite.
My prediction, and that of many others, is that we are only a small way up the curve of technology and information century changes; the power of the digital medium just keeps growing.
NZ is a small country but we can take advantage of this in an economic sense - there have been big successes in local IT, for example Trademe and Xero. We are often also a test market – Facebook first rolled its new timeline feature in NZ and Google chose to showcase its Loon project in Canterbury; it is worth mentioning that the hacker who exposed security flaws in ATMs, pacemakers and other medical devices, Barnaby Jack, was a New Zealander. These are exciting times for IT professionals.
But generally as a small country, and as users, we are going to be “takers” or receivers of internationally developed products and technologies; all the more important then to be active partners in international initiatives to regulate this blooming, buzzing confusion of the digital age.
The changes to the Privacy Act will, we hope, soon mean some sharp edges being introduced into the law; e.g. compulsory privacy breach notification, the power for OPC to audit and to require compliance (for example strengthening security safeguards, issuing take-down notices or ordering an agency to give access to information). We will continue to encourage the growing majority of willing compliers in the regulatory pyramid; but with increased power to use enforcement against the unwilling, or the genuine rogues.
Government agencies have had a real wakeup call from the high profile data breaches – and work is underway to respond to that and put government agencies in a position where they can put their hands on their hearts and claim to be responsible stewards of our information. The pyramid has been turned on its head –it is now the right way up, with willing compliers the majority.
Internationally, we see that the chilling effect of 9/11 with its wave of fear and resultant strong security and surveillance legislation has receded and now we are seeing the tide run the other way. The massive data breaches at home and abroad and the revelations around PRISM and NSA will hopefully mean a more finely tuned approach to personal information and privacy.
At this point it is tempting to talk about a balance between privacy and security. I strongly believe this is a dangerous path to tread; what we need is a twin pillars approach. We need both security and privacy in our structures and systems; without either one of the twin pillars we will get a distorted and weakened building which will collapse at the first shake.
Sustained growth of privacy and security, and the principled defence of both, will produce a well-founded trust by people in government and business; this trust will then withstand the occasional passing tremor from, on the one hand, security scares, and on the other, privacy violations.
At a practical operational level, data management is now a reputational issue. It is part of every organisation’s shop front and branding; it is part of day to day standards and risk management.
One of the prevailing attitudes over the past decade has been: “Done is better than perfect” – But doing things at high speed can lead to lots of mistakes.
The Facebook “move fast and break things” mantra informed a lot of web development over the past 5 years, and we’re only seeing things mature now.
The game is about trust. Privacy is as important to people as it has ever been and perhaps more so because they are refusing to have their right to privacy taken for granted. People need to trust the digital environment and they won’t do that unless they are sure that their personal information is being properly safeguarded. In New Zealand the high profile breaches, GCSB Bill, and the Vance/Dunne issue have raised the game still further in many people’s minds.
If we don’t get it right civil disobedience along the lines of Anonymous, Snowden and Assange will become increasingly common with no real establishment response to allay citizen fears that the rebels have a real point. Ned Kelly was not all that bright because he forgot to protect his legs with his armour, and he was a thief and murderer to boot; but in spite of that he became a folk hero because he personified a spirit of freedom, and there were injustices and provocations that people identified with.
It’s time to give serious attention to a bug bounty to be offered by government and big traditional businesses such as banks. Let’s get the army of well-intentioned geeks on our side. If Facebook can do it, then so can our big institutions.
I believe the new ethics for business and government, and even social life will be the ethics of good information control. It will be about people regaining control over their information and therefore their lives. It will be about individuals and organisations treating others information with respect.
In the IT industry you have a particular responsibility to make sure people can keep control. I know some of you may feel this is an obstacle or even unimportant. But I know also that many of you, in that crucial decade we have just been through, have realised that information is power; that power is in your hands; and that the time has come to take responsibility and operate in a way which respects people’s rights and their information.
Individuals must be aware, make choices and retain control wherever they can. Where they cannot, privacy commissioners and governments have to watch, monitor and control (2007 AR).