Online privacy protection should be a hot topic for general public debate, says Don Hollander of the 2020 Trust, but it threatens to become locked in rarefied discussion within small specialist groups.
His comments were made at the InternetNZ annual general meeting, before which Victoria University Cyberlaw Fellow Cynthia Laberge presented work from her research project, studying gaps in local privacy laws.
Laberge says she hopes the work can forestall conflicts, such as now being experienced in the US, by establishing dialogue between the public and those planning national security actions.
Laberge gives the example of a series of lawsuits from the executive branch of the US government demanding access to records of customer phone and internet use from telecommunications companies.
“This data was released to the FBI and NSA (National Security Agency) through the use of National Security Letters (administrative subpoenas) that, unlike warrants, do not require a judge’s signature,” says Laberge. “Legislation was recently passed in the US Congress, after much debate, granting the telcos retroactive immunity for cooperating with warrantless wiretaps providing they can produce documents establishing that they received instructions from government.
“My question was: could this occur in New Zealand?”
The answer is far from clear, she says. There are at least 17 statutes in New Zealand law that bear on the question and the Law Commission is undertaking a major report on privacy (Computerworld, March 3). There is uncertainty to what extent any of these laws apply to the activities of private companies.
Particular concern, mostly in the specialist circles Hollander refers to, revolves around the technique of “deep packet inspection” — looking at data within a communicated packet as well as just the header. This can have worthy objectives such as checking for viruses, illicit intrusion attempts or spam, but equally could be used to pry into the user’s affairs.
It might be assumed that privacy would be respected, but one only has to mention hot topics such as terrorism or illegal pornography and restraint “goes out of the window”, said one InternetNZ member at the meeting.
Other concerns include the “net neutrality” argument — that deep packet inspection should not be used to slow certain kinds of traffic at the expense of others for purely commercial reasons.
“Is the practice of deep packet inspection exempt from the Privacy Act or the Telecommunications Code,” asks Laberge, “since one school of thought is that there is no personally identifying information ascribed to the data collected from DPI?”
This raises the further question of whether a static IP address, even one assigned to a computer with only one user, qualifies as personal information.
On the data-matching front, Laberge says, some concern is bound to centre on the use of the all-of-government igovt identity scheme. States of the US are fighting efforts to impose a similar centralised identifier, she says.
State Services Minister David Parker, at a conference on identity earlier this year, acknowledged that new laws are likely to be needed to guard against misuse of the igovt scheme (Computerworld, May 3).
Meanwhile, the contentious international Anti-Counterfeiting Trade Agreement discussions raise the question of whether deep packet inspection could be used to detect transmission of copyright material.
A seminar under the auspices of UNESCO on the theme of identity, which Hollander co-chaired last month (Computerworld, July 28) produced “more questions than answers”, he says.
Is there, Hollander asks, a need to organise larger gatherings to convey discussion of these issues beyond the small select groups that are now debating them out into the public arena?
One such intermediate arena for debate could be Privacy Awareness Week, to be marked from August 24-30 and centred on a Wellington “privacy issues forum”, to be held in Wellington on August 27.
Laberge is scheduled to present a final report on her research by March next year.