Privacy: 10 years of change and challenges


OPC/1724/A330223

Keynote Speech
Marie Shroff, Privacy Commissioner
Institute of IT Professionals NZ AGM
Tauranga
Friday, October 25, 2013

[SLIDE 1: TITLE]

I welcome the chance to talk to this IT audience - one of the few audiences I speak to who understand the huge impact of IT on personal information.

Introduction

I was appointed Privacy Commissioner 10 years ago in 2003. Let’s take a walk through that decade - some dramatic changes have occurred.

What did OPC look like then?

- Starved of resources
- Large complaints backlog
- Policy and data matching struggling under huge work load
- No technology team
- Public image probably barely positive, bedevilled by BOTPA perception
- But substantial track record already with health and telecoms codes, public education

Context: Early 2000s

The reference book, the pen, the letter and the fax machine were still dominant, but fast giving way to email, social media and the search engine.




[SLIDE 2: POHUTUKAWA]



9/11 of course was a defining moment early in this century and marks a turning point: the resulting laws pushed strongly towards mass government surveillance, placed a high value on security, and a low value on privacy.

The internet and technology generally were on a rising curve but Facebook hadn’t even been thought of and Google was in its infancy.

Some of the emerging technologies and privacy issues raised in the news media in 2004:

- Biometrics
- Increasing use of CCTV - even in toilets
- Sharing of health and DNA databases
- Blogging
- RFIDs
- ATM skimming
- Covert filming
- Home computer security

The Players: Early 2000s

Privacy was unpopular with the media - Bruce Slane said in his final annual report that the media even referred to OPC as the “Gestapo” and the Commission as “Commissar” or “Tsar”. He talked about the “lonely stand” OPC had to make on some issues.

Most of you know about the concept of the classic regulatory pyramid, with the wider base of the diagram made up of willing compliers and the narrower point of the triangle made up of reluctant compliers, or actual rogues.

Early on, I would have to say that pyramid was almost inverted; reluctant compliers were numerous and at the base of the pyramid.

The public sector in particular was unconvinced of good information handling needs: many senior managers in departments and state sector agencies were openly dismissive of privacy and blind to the collateral damage to client trust, and to the efficiency and ethical issues.





Businesses were ahead of the public sector because many were importing their good privacy standards from more sophisticated HQ regimes overseas; the banks for example have always been leaders in this area and could see the direct relationship between good personal information handling, customer trust and a healthy bottom line.

The technology sector was coming at things from a slightly different angle. I would say that you people were slow to wake up to privacy in the information age; in your defence the early 2000’s was the phase of understandable but pretty wild-eyed enthusiasm for new gadgets and software and even for stuff that was close to snake oil, or at best Beta versions.

Where was the public mind at this stage? In 2001 our polling showed public concern about privacy at a middling 49%; media driven concerns about freedom of speech, and fairly trivial, often inaccurately reported, stories about access to school reports and airline passenger information and the like influenced public attitudes.

In those early years, therefore, my main preoccupations at OPC were struggling to get the complaints backlog down; developing a code to control credit reporting; working on improving our public image by pointing out to the media that they were missing one of the main stories of the century by focusing on the Privacy Act as a block or impediment (“BOTPA”), rather than on the flood tide of technology and the surveillance society.


The journey to now

[SLIDE 3: DIGITAL SHADOW]

I will now take you on a fast ride from the early 2000’s to 2013.

The technology environment you know about; but just to remind you of the pace and scale of the revolution: the rise and rise of Facebook and Google and Apple and Oracle and more; the appearance of data mining and big data analysis; cloud computing - it started with little fanfare but slowly became a buzz word of the times; the mega growth of computing power and storage; the gadgets which have almost taken over the world - Skype, smartphones, PayPal, mobile computing, location tracking, Google Glass, facial recognition, drones, Maxwell Smart wristwatches - it’s all happening.

And let’s recognise how these changes became rocket fuel for the growth of government and business databases, and handed over on a plate the power to collect, farm and exploit those vast data stores for business and government advantage - and of course consumer service.




For just one example of growth, complexity and power in technology, look at the rise of ‘the stack’ - we are seeing an increased reliance on a handful of companies providing us with multiple services.

Major internet service providers like Google or Apple or Facebook or Amazon or Microsoft want to corral you into relying on their services alone. The rise of the stack means vertically integrated providers for everything from search, email, instant messaging, video calling, data storage, games and other things.

This is a quote from an essay called ‘Android is Better’ by a Twitter designer, Paul Stamatiou:

- ‘Most services I rely on daily are owned by Google. My world revolves around Gmail and Google search. I could start listing android features I adore, but this succinctly states why android makes sense for me; the number of Google products I use each day bothers my mind. No other company has imbedded itself this deeply into my life.’

And government is no different - it has recently passed the amendment to the Privacy Act that allows information about you and me to be widely used and shared across government. I welcome the privacy safeguards that have been built into this legislation, at the suggestion of my office and the Law Commission. But there is no getting away from the fact that there is also a government ‘stack’ developing, which will share our information and dominate much of our lives into the future.

We are born, we use the health and education systems, we get married or live together, we pay taxes, we get a passport, we fill in census forms, we register a company, we get a traffic fine or break the law or go to prison, we receive a benefit, we cross the border and come back, we get government subsidies, we retire and get superannuation. When we die that fact is digitally recorded but while we may be gone we are not digitally forgotten. All of this is generating digital information about ourselves which is collected, shared, mostly retained forever and accessible to a greater or lesser extent across the government ‘stack’.


[SLIDE 4: FACEBOOK FRIEND]






And let’s not forget what we do willingly ourselves - we social network, we use cloud storage, we buy and sell online, we use search engines, we store digital photos; so we also leave a voluntary trail wherever we go. The internet and IT empower us hugely but also put us at huge risk. We are now digital citizens in the digital century.


The Global Digital Universe

Is this unique to New Zealand? Of course not. It’s happening everywhere, and what’s more information has gone global; privacy has gone global. The bad news is currently it is all pretty much out of our individual control; the good news is that worldwide there is a battle being waged to get things back into some sort of order.

One of the more exciting things about my 10 years as Privacy Commissioner has been to see the dawning of international efforts to bring some order to the wilder frontiers of IT. APEC, OECD, the EU, GPEN, APPA, the International Privacy Commissioners Conference - all are working to provide some rules and standards to protect us in this new world of data. In a very interesting development the United States, via its Federal Trade Commission and Department of Commerce, is stepping up the action. They are recognising that because they regulate the US based global internet companies, they - the US regulators - need to take a responsible global view of how they handle these monsters. Both Google and Facebook have recently been fined heavily for breaches, by the FTC. Both are subject to orders imposed on them by the FTC to report annually for the next 20 years against certain standards of behaviour, or risk penalties.

I have just returned from the 35th International Privacy Commissioner’s conference in Warsaw where we decided to get in behind the Global Privacy Enforcement Network through which we will help each other to identify misbehaviour and harm to consumers; and then provide redress and impose penalties. We also took some real steps towards a more active coalition of Privacy Commissioners to act globally across a range of privacy issues.




What happened at home?

So back to NZ, what has changed during those years of the new century, up to now?

The digital citizen is nearly a reality; public use of the internet has reached 86% (up from 37% in 2001); IT power and the internet have permeated every corner of our lives.

The media have woken up to the fact that they were missing, as I said, the story of the century and have focused increasingly on privacy and technology stories. Our own media enquiries have shot up from about 150 in 2003 to over 300 ten years later; once privacy was petty as far as the media were concerned; CCTV stories predominated; now the likes of the Andrea Vance issue certainly got the media focussing on privacy as an essential part of freedom of speech, rather than its enemy; a complex, live issue rather than a BOTPA. Privacy has become a pressing political issue, rather than a slightly boring compliance issue.


[SLIDE 5: TRAIN WRECK]



Increasingly both the public and the media have realised that the changes I have described above in technology, government and business have huge power to help them; but also to intrude on their everyday lives, limit their freedoms and deprive them of choices and control over their own lives.

Increasingly OPC has gained profile as a watchdog and a regulator, as of course we always were - but were undervalued for that role.

Not surprisingly our polling shows that public concern about privacy issues has shot up, from 49% in 2001 to 67% in 2012. 88% of those polled want businesses punished if they misuse people’s personal information; 97% want the OPC to have the power to stop a company breaching the Privacy Act; 84% are worried about their children on the internet; and 82% are worried about how business uses their information.

What else happened? Well, ACC happened and MSD happened and EQC happened. Last year was a watershed year for data breaches for the public sector.

Failures on a number of fronts:

1. ACC - email breach in August 2012 - details of 6700 clients leaked.
2. MSD - unsecured WINZ information booths.
3. EQC - email breach.

End result? The public woke up to the fact that their information is no longer completely safe with government departments, if it ever was.

Also in the private sector - Telecom/Yahoo/Xtra breach in February 2013 when the email accounts of 60,000 New Zealanders were compromised.

Along the way from 2003-2013 I should remind you we at OPC have been busy; the credit reporting code, data breach guidelines, CCTV guidelines, cloud computing guidelines, material for youth and seniors, for schools, business, the health sector and government; surveys of data transfers, PSDs and cloud computing. Early on we set up a small technology team in the office; developed a privacy officers network; PAW started in 2007. We achieved EU acceptance of our privacy law - an important achievement to open business opportunities. Also along the way our incoming enquiries have risen by 36% and media enquiries have risen 44%; demand for our advice has also risen sharply.

In 2011 after 5 years of study the Law Commission recommended giving the Privacy Commissioner more powers to promote good stewardship of personal information and punish the bad. These recommendations have taken on new urgency in the light of all of the developments, but especially the data breaches by government departments.




What does it mean for OPC?

Remember the struggling and embattled little organisation I came into in 2003? Well, in 2013 we are still small and under pressure, but the climate has changed; our public mandate is much strengthened through public concern and demand for good information stewardship by government and business. We are still under-resourced - in fact our resources are little changed from 2005, but we have rejigged our priorities to help us to cope. We hope that the Government will look favourably on both law reform and increased resourcing in the near future; we are also empowered by our international colleagues’ support; and by the growing willingness of big business and internet corporates to recognise that good privacy is actually good for their business in the longer term.




The future

The New Zealand Privacy Act could be said to have started with a bit of a whimper and a round of raspberries from the media; privacy law is now turning into a big bang - even, I would suggest, the 21st century human right. All over the world as well as in NZ, privacy regulators are moving up several gears, acquiring new powers, the ability to enforce the law and curb bad behaviour and a new mandate from a worried public to be a watchdog with both bark and bite.

[SLIDE 6: HEAVEN AGM]




My prediction, and that of many others, is that we are only a small way up the curve of technology and information century changes; the power of the digital medium just keeps growing.

NZ is a small country but we can take advantage of this in an economic sense - there have been big successes in local IT, for example Trademe and Xero. We are often also a test market - Facebook first rolled its new timeline feature in NZ and Google chose to showcase its Loon project in Canterbury; it is worth mentioning that the hacker who exposed security flaws in ATMs, pacemakers and other medical devices, Barnaby Jack, was a New Zealander. These are exciting times for IT professionals.

But generally as a small country, and as users, we are going to be takers - or receivers of internationally developed products and technologies; all the more important then to be active partners in international initiatives to regulate this blooming, buzzing confusion of the digital age.

The changes to the Privacy Act will, we hope, soon mean some sharp edges being introduced into the law; e.g. compulsory privacy breach notification, the power for OPC to audit and to require compliance (for example strengthening security safeguards, issuing take-down notices or ordering an agency to give access to information). We will continue to encourage the growing majority of willing compliers in the regulatory pyramid; but with increased power to use enforcement against the unwilling, or the genuine rogues.




Government agencies have had a real wakeup call from the high profile data breaches - and work is underway to respond to that and put government agencies in a position where they can put their hands on their hearts and claim to be responsible stewards of our information. The pyramid has been turned on its head - it is now the right way up, with willing compliers the majority.

[SLIDE 7: WHERE IN THE WORLD?]




Internationally, we see that the chilling effect of 9/11 with its wave of fear and resultant strong security and surveillance legislation has receded and now we are seeing the tide run the other way. The massive data breaches at home and abroad and the revelations around PRISM and NSA will hopefully mean a more finely tuned approach to personal information and privacy.

At this point it is tempting to talk about a balance between privacy and security. I strongly believe this is a dangerous path to tread; what we need is a twin pillars approach. We need both security and privacy in our structures and systems; without either one of the twin pillars we will get a distorted and weakened building which will collapse at the first shake.

Sustained growth of privacy and security, and the principled defence of both, will produce a well-founded trust by people in government and business; this trust will then withstand the occasional passing tremor from, on the one hand, security scares, and on the other, privacy violations.

At a practical operational level, data management is now a reputational issue. It is part of every organisation’s shop front and branding; it is part of day to day standards and risk management.

One of the prevailing attitudes over the past decade has been:

- Done is better than perfect

But doing things at high speed can lead to lots of mistakes.

The Facebook “move fast and break things” mantra informed a lot of web development over the past 5 years, and we’re only seeing things mature now.


[SLIDE 8: EEEK]




The game is about trust. Privacy is as important to people as it has ever been and perhaps more so because they are refusing to have their right to privacy taken for granted. People need to trust the digital environment and they won’t do that unless they are sure that their personal information is being properly safeguarded. In New Zealand the high profile breaches, GCSB Bill, and the Vance/Dunne issue have raised the game still further in many people’s minds.

[SLIDE 9: DATA BOMB]




If we don’t get it right civil disobedience along the lines of Anonymous, Snowden and Assange will become increasingly common with no real establishment response to allay citizen fears that the rebels have a real point. Ned Kelly was not all that bright because he forgot to protect his legs with his armour, and he was a thief and murderer to boot; but in spite of that he became a folk hero because he personified a spirit of freedom, and there were injustices and provocations that people identified with.

It’s time to give serious attention to a bug bounty to be offered by government and big traditional businesses such as banks. Let’s get the army of well-intentioned geeks on our side. If Facebook can do it, then so can our big institutions.

I believe the new ethics for business and government, and even social life will be the ethics of good information control. It will be about people regaining control over their information and therefore their lives. It will be about individuals and organisations treating others’ information with respect.

In the IT industry you have a particular responsibility to make sure people can keep control. I know some of you may feel this is an obstacle or even unimportant. But I know also that many of you, in that crucial decade we have just been through, have realised that information is power; that power is in your hands; and that the time has come to take responsibility and operate in a way which respects people’s rights and their information.

Individuals must be aware, make choices and retain control wherever they can. Where they cannot, privacy commissioners and governments have to watch, monitor and control (2007 AR).

[SLIDE 10: TURKEYS]