New Zealand’s Privacy Commissioner issued its first compliance notice to the Reserve Bank.

The notice follows an online attack on the bank’s systems in December 2020.

While the notice makes sense, a press release from the Commissioner’s office reads more like bureaucratic procedure than a public shaming.

The Reserve Bank breach happened when software which claims to be secure enough to move confidential information between banks was compromised.

Reports suggest other organisations caught up in the same attack paid ransoms to the attackers. We don’t know if the Reserve Bank paid up.

Systemic weakness

The attack breached the Reserve Bank’s security systems. As John Edwards, the Privacy Commissioner, says, it “raised the possibility of systemic weakness in the Bank’s systems and processes for protecting personal information.”

A review of the Bank’s systems uncovered many areas where it has not complied with the Privacy Act’s Principle 5. This says agencies that hold personal information must have reasonable safeguards in place to protect personal privacy.

Yet, the press release from the Privacy Commissioner quotes Edwards saying: “We are heartened by the speed and thoroughness of the Bank’s response. We were notified as soon as the cyber-attack was identified, and they have been constructive and open throughout the compliance investigation process. We are pleased to see the positive way they’ve dealt with the aftermath of the attack.”

In other words, it was sloppy but ended up doing the right thing.

The press release quotes Reserve Bank governor Adrian Orr attempting unconvincing damage limitation.

Yet the whole point of the Act is to pre-empt online attacks. Organisations like the Reserve Bank should have robust protections in place before any private information is put at risk.

While the notice is real enough, this first one is something of a practice run for dealing with future compliance failures.

Writing at Newsroom, Catalyst co-founder Don Christie says technological sovereignty could be a defining issue of the decade.

“Large multinationals arrive in the country, contribute nothing in the way of paying local taxes, and exfiltrate value and data (“the new oil” as it was unironically christened by The Economist). It is essentially digital colonialism.”

The ugly face of what Christie calls ‘digital colonialism’ was on show at a recent industry event. A handful of companies had speaking slots.

Long-term focus

Local firms spoke about serving small business, building skills and capability. Their focus was longer-term.

Meanwhile two of the multinationals that got to speak made short term sales pitches. One even used the occasion to push its latest promotion.

“…there are other approaches. Ones that involve paying taxes that provide for schools and hospitals, keeping data onshore and respecting te ao Māori, acknowledging the value of New Zealanders’ privacy, and building a resilient digital sector that will provide fulfilling, high-value jobs for Kiwis for decades to come.”

Taxes

Paying local taxes for digital products is a sore point. Yet it is not unusual for countries to tax foreign resources firms like miners and oil explorers.

On that basis, it makes sense to treat the ‘new oil’ the same way.

Tax on digital profits is being addressed at the international level. The process will be slow and could be unsatisfactory. Yet a small country like New Zealand would do better to fall into line with other like-minded nations and not go it alone.

Jobs

Jobs are critical. We have low unemployment today. Indeed, a halt to immigration means we are desperately short of skilled workers.

Yet we may be a lockdown away from widespread company failure and layoffs.

While multinationals use locals, and in some cases pay well, much of the work is in sales or administration. The high value-add work tends to take place close to corporate headquarters.

More high value jobs means building more capability. It would give young New Zealanders better career paths. And that would seed interest in tech related subjects in schools and tertiary institutions.

If we get this right, there will be more corporate headquarters in Auckland, Wellington and Christchurch. This would be better for the wider economy.

“…Rebuilding New Zealand’s economy in the aftermath of the Covid-19 pandemic, and under the shadow of climate change, is a challenge that we have not seen since the end of World War II. The decisions we collectively make now have the potential to impact, positively or negatively, generations of Kiwis to come.”

Priority

There are ministers and opposition politicians who get this. Building digital capability is low down the priority list at the moment. If more prominent industry personalities speak out, we can push it higher up the agenda.

“We should be planning for our own data management, cyber security, and artificial intelligence applications, and how these can be implemented across all of our sectors: agriculture, education, finance and others.

“Building and delivering value for the current and future generations, now that technology is interwoven into every aspect of our communities and our economy.”

It’s hard to disagree with any of this. A good place to start would be with government. Even now, government buyers appear to have a built-in reluctance to choose local technology. Fixing that would be the best place to start.

Ray Ban Stories Facebook Glasses

Facebook and Ray-Ban would love you to be excited about Ray-Ban Stories.

They are sunglasses with a smattering of unimpressive technology features.

Facebook’s marketing calls them smart-glasses.

Which is brave considering they are not even as smart as the now abandoned Google Glass.

Normal-looking

In effect, it is a pair of cameras, linked to your phone by Bluetooth, and carefully disguised in normal-looking sunglasses.

That’s about it.

The new Ray-Ban glasses have two cameras to capture video or photos. These sync with an app called Facebook View.

You can fire up the camera by hitting a physical button or saying: “Hey Facebook, take a video”.

Speakers

While there is no display in the lens, there are Bluetooth speakers on the frame. This lets you play sound from your phone or make and receive calls. There is a physical volume control and a pause button.

Indicators let you know the device is charged or needs a charge.

A tiny white lamp illuminates what you are filming or capturing. It serves a double purpose. The idea is that when the light is on, people know they are being filmed.

Privacy dead zone

It’s a stretch to accept that everyone who sees the white light will know what it means. But then privacy and respect for people has never been a Facebook virtue.

Nick Heer suggests you can cover the light with tape for secret filming. He goes on to explain that this violates the terms of service. As if that means anything.

There’s something nasty about a product which, while pretending to be a smart device, is a voyeur’s wet dream.

Facebook might tell you the glasses make it easy to record precious family moments. It’s unlikely the company’s marketing will warn you the glasses make it easy for creeps to record your family.

Creepy

It didn’t take long for those wise to Google Glass to coin the term glassholes for the creeps wearing that device. If the Facebook product takes off we may see that name return.

Google Glass was not a success. If anything it did the company’s reputation more harm than good. For many people, Facebook’s reputation is already in the gutter. Seeding a new generation of glassholes isn’t going to fix that.

The Asia Internet Coalition, a Singapore-based lobby group, says its members may leave Hong Kong if a new doxxing law comes into force.

AIC members include tech giants Facebook, Google and Apple.

The group worries that legislation could make them criminally liable.

Doxxing is when people publish private details about online personalities. It can be as simple as identifying the real name of someone using a pseudonym.

It could also refer to revealing addresses, phone numbers or other details used to trace and identify people.

Doxxing victims

In recent years people have weaponised the practice in Hong Kong to the point where there are thousands of victims.

People have used doxxing to scare activists off pro-democracy protests. On the other side, protestors have revealed the names of police or court officials who acted against protestors. It has also been used against journalists.

When private details are published people may find themselves on the wrong end of threatening calls or other intimidating behaviour. Sometimes this includes attacks on family members. Doxxing can lead to identity theft.

Hong Kong’s courts have found the effects can be severe and long-lasting.

The proposed privacy law amendments aim to outlaw doxxing and force social media companies and websites to take down personal information.

Psychological harm

The Hong Kong government proposes to change the existing data privacy legislation to include doxxing acts committed with the “intent to cause psychological harm”.

A conviction would be punishable by up to five years in prison and a fine of HK$1 million.

As things stand, Hong Kong’s officials can make employees of social media or other websites criminally liable.

The AIC objects to the definition of doxxing used in the proposed law. It also worries services like Facebook and Twitter might face liabilities when doxxing happens on their services.

In a letter, the AIC says the only way tech companies could avoid punishment would be by withdrawing their services from Hong Kong and ceasing to invest in the territory. It is not clear whether these companies make significant investments in Hong Kong.

Did you ever doubt Apple users would choose to turn off Facebook app-tracking? It’s now a week since an iOS update arrived allowing users to make their own choice. Let’s look at the numbers.

Flurry Analytics, an advertising analytics company, reports around 88 percent of iOS users worldwide have chosen not to allow apps to track them. There’s a daily update of numbers on Flurry’s website.

The number is higher in the US. There, a mere four percent of iOS users allow tracking.

No wonder Facebook went on the offensive with a whingey, dishonest response to Apple’s move.

It’s worth remembering there are countries where switching off Facebook app tracking is not allowed by law. And others where authorities might treat users who opt out with suspicion.

Apple’s popular move

The only conclusion to draw is that Apple’s privacy move is popular with customers.

This is an area where Android phone makers will struggle to compete.

Google’s mobile operating system has tracking baked through its insides like the word Blackpool through a stick of seaside rock. That’s the main reason Google subsidises Android.

Presumably there are Android users who prefer not to be tracked. Switching to Apple and iOS is bothersome, but worth the effort if you prize privacy.

Transparency

Apple calls the new iOS feature App Tracking Transparency. When you open an app, a pop-up appears on screen. It asks if you want to allow the app to track your activity across other companies’ apps and websites.

There are two choices. The first is “Ask App Not to Track”. The second choice is “Allow.”

If you take the first choice, Apple stops the app from using the code that identifies the device.

This is a string of letters and numbers. There is one per iPhone or iPad. It gives companies a unique identifier they can track as you move between apps and websites.

Apple then tells the app owner that you don’t want them to track you in any way. It sends a clear, unambiguous message.

It’s almost as clear and unambiguous as the message that 88 percent of users are unwilling to be surveillance fodder.

Facebook tells users intrusive, privacy abusing ad-tracking keeps the social media service free-of-charge. It’s a snow job.

A week ago Apple upgraded its iPhone operating system. One key new feature of iOS 14.5 enraged online advertisers. It allows users to decide whether apps can track them across different sites.

Facebook’s response was to use its apps to tell users ad-tracking helps keep the service free of charge.[1] The warning appears on both the Facebook and Instagram apps.

Remember, Apple users can choose to let Facebook continue tracking. Keep in mind also that, for now, there is no similar feature on Android phones.

The implication is that without intrusive surveillance, Facebook can no longer feed you cat pictures.

Let’s stop right there

For decades before Facebook came along media companies such as newspapers, radio and TV channels managed to maintain teams of skilled journalists and talented broadcasters to keep you informed.

Like Facebook they did that by selling advertising. They had a rough idea who the audience was, in part because old media covered well-defined geographic areas. But they rarely knew much about the target audience.

Facebook has unprecedented global scale. It still knows where its audience is. Thanks to digital technology it has better location information than old media ever had.

It can piece together a lot of other information from clues its users disclose on the Facebook site. The internal Facebook data is often good enough to know if someone is about to become a parent or is in the market for a new car.

Ad-tracking means a better picture of you

By tracking a user over the rest of the online world it can get an ever more accurate picture of each individual user.

The information must be valuable to Facebook. Its squealing and whinging tells you Apple rattled Facebook. Yet, from Facebook’s point of view there is less at stake than you might imagine.

Apple might account for close to half of US phone users, but worldwide less than one person in five uses an iPhone. And not all will use the privacy feature. (That comment didn’t age well). Facebook stands to lose extra tracking information from, at a rough guess, one user in ten.

It won’t lose all the information it gathers. It can continue to capture activity inside Facebook’s apps.

Which means in round numbers Facebook could lose five percent of the data it collects. That isn’t going to change the economics of its surveillance capitalism business model.

We know this will cost Facebook something.

At the moment it can track when users buy a product in an online store. It can then use that information to push ads for complementary products. Think: “You’ve bought a new motorbike, here’s a selection of helmets and leather jackets”.

When a user sees an ad on Facebook and, two days later, Facebook learns the user purchased that product online, it can bill more for the advertisement.

Ad-tracking drop in the ocean

In the first three months of 2021 Facebook took a whopping US$26 billion in revenue. Its net income was close to $10 billion. That’s double the result a year earlier.

The pace Facebook is growing at dwarfs any effect Apple’s privacy feature might have.

And that’s if we assume Facebook does not earn another cent from Apple customers who use its app. It’s an heroic assumption.

To argue that choosing not to let the technology giant know what you had for breakfast last Thursday so it can sell you a slimming aid next week means Facebook has to start charging is laughable.

It could end up costing Facebook two or three percent of its revenue. Remember, this is at a time when earnings double every twelve months.


  1. At this point I should mention that for years Facebook had a message on the site that said words to the effect that the service was free and that it always would be.

 

Mark Zuckerberg

“They’re not good in any industry they have to compete in or have to be innovative in. They can buy and they can copy, like they just did the other day, again, with another thing. What did they borrow from? From Clubhouse or whatever. They just can’t do anything innovative.”

Facebook may look invincible. Yet as Kara Swisher and Scott Galloway discuss, it could face a rough future. See: Why Facebook Is the Most Vulnerable of the Tech Giants.

It’s hard to like Facebook. At its worst, the company’s business model depends on manipulating emotions. At times it does this in dangerous ways. The more it seeds fear, loathing and misinformation, the richer it gets.

When it’s not undermining democracy, Facebook makes money by spying on its users. It then sells the fruits of its espionage to the highest bidder.

Facebook has no respect for its users.

Over half a billion Facebook customers have details leaked

Last week we heard the personal details of over 530 million users are circulating online. Facebook treated the issue as a public relations problem, not a security breach.

To put that leak into perspective, 530 million people is around seven percent of the world’s population.

Facebook says it has no plans to notify users of the data leak. At no point was there anything resembling an apology or an admission of guilt. So far it has focused on deflecting blame.

Old news

The leak may be old news; Facebook says it is. It says it fixed the problem. Yet it underlines the lax attitude and incompetence. A company packed with high-paid engineers should be able to protect user information.

There’s evidence that Facebook has known about the problem for a long time.

To date the tech giant has skirted past crisis after crisis. Everyone knows you can’t trust Facebook. 

Each act of incompetence or cynicism looks like it could be the last straw for certain users. Each time the business recovers and moves on. It is not going any time soon.

The latest news is also unlikely to sink the company. Although if you listen to what it says, you might think otherwise.

Facebook has made a lot of noise about Apple’s privacy plans for iOS 14.5. Anyone with an iOS app must warn users about the data they collect.

Squeals

Judging by Facebook’s squeals, you’d think transparency will destroy the world’s economy. As the Wall Street Journal puts it: Apple and Facebook Clash Over Ads, Mom-and-Pop Shops Fear They’ll Be the Victims.

Facebook launched an ad campaign insisting that those who will be most hurt by Apple’s changes are small and medium-size businesses, which represent the majority of the social network’s more than 10 million advertisers.

If their business depends on lying to users, that’s not a real problem. 

Swisher and Galloway end their discussion acknowledging that for a potentially vulnerable business, it remains popular with investors. That’s true.

Facebook isn’t going to fall overnight. There’s enough wealth in the business for it to switch its focus and remain huge. Microsoft did this when it flipped from PC software to cloud computing.

Writing about remote work at the Gartner Blog Bart Willemsen says: “…a proactive approach toward transparency and privacy creates an opportunity for a competitive difference among enterprises by fostering increased productivity and sales successes, improving public image, and enhancing customer trust.”

It’s hard to disagree with this.

He goes on to list one of five predictions Gartner made on the future of privacy. Making predictions about aspects of technology is central to Gartner’s business.

By 2023, organisations that do not excessively monitor remote working employees will experience up to 15 percent higher productivity than those that do.

Excessive remote work monitoring is one of the nastiest forms of Taylorism.

Lack of trust

This is a century-old management idea that sees workers as machines. It is dehumanising. It kills any notion of trust between employer and employee.

There are jobs and tasks that can benefit from monitoring. These are the mundane and repetitive things. That kind of job belongs to machines or bots.

When people need to think and come up with creative ideas, constant monitoring is counterproductive. You can’t deliver inspired thinking to order.

Remote work monitoring means lower productivity 

As Gartner points out, excessive monitoring will lead to lower productivity. No doubt companies that engage in the practice will find it hard to recruit. Those who have an option will choose to work elsewhere.

This matters more now that remote working is mainstream.

Dumb employers like to measure worker input: keystrokes per minute, completed calls and similar. Smart employers focus on output. That’s the part that matters. The how is less important. If someone gets the job done or hits targets, you don’t need to worry about the details of how they reached their goals.

One other point. Smart workers will go to lengths to get around monitoring. For some it is a challenge.

New Zealand joined its Five Eyes security partners to ask social media companies like Facebook to allow access to encrypted data.

Five Eyes is a security partnership that includes the United States, Britain, Canada, Australia and New Zealand. India and Japan also took part in the move.

At first sight this looks like a continuation of a long campaign by Western governments to unravel digital encryption. I talked to Kathryn Ryan about this on RNZ Nine-to-Noon last week.

Governments say they worry that criminals and terrorists can use encryption to keep illegal online activity private. There’s no question this goes on.

Important role

The difference this time is that the governments acknowledge encryption plays an important role. It gives people privacy and enables online commerce including banking. This would be difficult to do without encryption.

When Justice minister Andrew Little announced New Zealand’s support earlier this week he was clear that any access to encrypted data would require a warrant.

This would subject large technology companies like Facebook and Google to the same measures as local companies like Spark or Vodafone. New Zealand’s Telecommunications Interception Capability and Security Act (TICSA) means local companies must comply with proper warrants.

Hard to enforce

While New Zealand law applies to foreign technology giants, our system has little power to enforce warrants. An international agreement and a common legislative framework will make it easier for local law enforcement.

The UK and US have legislation to address this. Australia has anti-encryption legislation, which has not been effective because it can’t be enforced.

Five Eyes is not asking for carte blanche. At this stage it is making a request and asking the tech companies for their ideas.

The security partnership says it wants to embed public safety in system designs. This would let companies act against illegal content and activity without reducing user safety.

Five Eyes wants law enforcement access to content in a readable and usable format where an authorisation is lawfully issued. At the moment companies can respond to warrants with indecipherable encrypted data.

There are, as you’d expect, fears about privacy and freedom.

While we shouldn’t play these fears down, in part this is back to the question of social media companies taking more responsibility for what happens on their sites.

Encryption works

There’s a clear message here that governments remain frustrated by their inability to access encrypted material. In other words, encryption is working.

There’s a contradiction here. Earlier in the week GCSB director Andrew Hampton talked about this on Nine-to-Noon. The relevant clip is the last few minutes of a long 27-minute interview.

He rightly talked about the “threat surface” and security vulnerabilities. Yet encryption is one of the best tools we have to reduce these threats and vulnerabilities.

This action is not about making tech companies give government agencies back doors into encryption. That has been discussed in the past.

Back doors are a bad idea because the moment there is an entry point for government agencies there is one for criminals and terrorists. It takes one law enforcement officer anywhere in the world to hand those keys over to a criminal.

A survey conducted by the Office of the Privacy Commissioner found that two-thirds of New Zealanders want more privacy regulation.

Less than a third of those surveyed are happy with things as they stand. Six percent of New Zealanders would like to see less regulation.

Women are more likely to want more privacy than men. The survey found Māori are more likely to be very concerned about individual privacy than others.

Business sharing private data

In general, New Zealanders are most concerned about businesses sharing personal information without permission. Three quarters of the sample worry about this. Almost as many, 72 percent, have concerns about theft of banking details. The same number has fears about the security of online personal information.

The use of facial recognition and closed circuit TV technology is of concern to 41 percent.

UMR Research conducted the survey earlier this year. It interviewed 1,398 New Zealanders.

The survey results appeared a week after Parliament passed the 2020 Privacy Act. They show the public is in broad support of the way New Zealand regulates privacy.

Most of the changes to the Privacy Act bring it up to date. Parliament passed the previous Act in 1993 as the internet moved into the mainstream. There have been huge technology changes since then.

Justice Minister Andrew Little says the legislation introduces mechanisms to promote early intervention and risk management by agencies rather than relying on people making complaints after a privacy breach has already happened.

Mandatory notification

An important part of the new Act is mandatory privacy breach notification.

If an organisation or company has a breach that poses a risk, they are now required by law to notify the Privacy Commissioner and tell anyone affected.

The new Act also strengthens the role of the Privacy Commissioner.

The commissioner can issue a compliance notice telling data users to get their act together and comply with the Act. If they don’t, the commissioner can fine them up to $10,000.

Another update is when a business or organisation deals with a New Zealander’s private data overseas. They must ensure whoever gets that information has the same level of protection as New Zealand.

The rules apply to anyone. They don’t need to have a New Zealand physical presence. Yes, that means companies like Facebook.

There are also new criminal offences. It’s now a crime to destroy personal information if someone makes a request for it.