Are we a surveillance society?
The Government Communications Security Bureau and related Legislation Amendment Bill (GCSB Bill) has excited much interest throughout New Zealand, and not just among the legal fraternity.
Should we all be concerned at the imminent extension of state intrusion into our private lives? The present article does not propose to examine this question (except to highlight certain aspects of its wording).
Instead, it briefly explores the ramifications, for privacy and security laws alike, of the rapidly developing technologies that confront us.
In this new environment, terms such as “metadata”, “RFIDs” (radio frequency identifier device) and “swipe logs” are now part of our daily vocabulary but, as usually occurs, the law has yet to fully recognise and deal with these and other developments.
Metadata includes the data collected and digitally stored from every phone call log (of numbers called and call duration), Internet addresses visited and logs left by RFIDs and swipe cards (their ease of retrieval was highlighted recently in relation to the information about journalists visiting Parliament).
Metadata is personal information by any definition. It reveals far more about an individual – who their contacts are, what their interests and movements are – than the mere interception of the content of their conversations or e-mails themselves.
Consider, for instance, (in an example given by United States privacy scholar Daniel Solove) a person who buys a wig online and also visits a website about cancer; if we knew that the person also phoned a medical specialist that week, we could make a reasonable assumption concerning their medical condition.
The so-called “Internet of things” and the concept of “Big Data” are forcing a re-evaluation of the definition of personal information. This includes geo-location data emitted from portable devices and vehicles, and information gleaned from household appliances such as televisions, toasters and even the shower.
Such information transmitted from smart meters will enable those situated far away to know how many people are at home and even which room they are in.
Existing legal paradigms must be considered against this backdrop. The prevailing “notice and consent” approach towards privacy is no longer practicable. Often, the collection of the information is automated and hard-wired into the device itself without the user and service provider being aware of it.
Technology already exists whereby information transmitted from cell phones instantly communicates with electronic message boards enabling them to flash tailor-made advertisements to the individual as he or she approaches. Traditional notions of information security are also under threat as information transmitted from devices may not reside at any location but may be dispersed among several companies and usually stored in various cloud services.
Current privacy laws (such as the Privacy Act 1993) and freedom of information laws are technology-neutral through, for instance, incorporating the concept of “information” irrespective of the means by which it is stored.
The laws are nonetheless based on one-dimensional and vertical relationships that entail individuals giving their personal information to agencies and personal information being transferred from one agency to another.
However, instead of point-to-point information flows, information is now commonly distributed among a number of data centres and is accessible globally over the Internet or via private networks. The Law Commission’s recommendations for reform of the Privacy Act do not address the latest international trends such as those requiring agencies to adopt privacy by design and implement privacy impact assessments.
The GCSB Bill, on the other hand, is aimed specifically at addressing the new environment. Section 7 retains subjective aspects of the existing law such as the objectives of the Bureau being, in addition to national security, the international relations and wellbeing and the economic wellbeing of New Zealand.
These concepts are able to be interpreted by the Government of the day and pose an obvious risk for those – such as trade unions and environmentalists – that might differ from the Government in their political and social views.
Technology is clearly the focus of the Bureau’s new functions, stipulated in s 8, of “information assurance” and “cybersecurity”. On the other hand, s 8B adds the priority of “intelligence gathering and analysis” not just about foreign persons and organisations but also about “information infrastructure” in New Zealand. This key definition is discussed below.
Information gathered under this category may be provided to the Minister and “any person or office holder (whether in New Zealand or overseas) authorised by the Minister to receive the intelligence.” Likewise, co-operation, advice and assistance may be provided to any other entity authorised by the Minister.
It is important to acknowledge that the functions under s 8B differ markedly from those set out under s 8C which authorises the Bureau’s co-operation with other entities to facilitate their own functions.
These include the Police, Defence Force and the Security Intelligence Service. They remain subject to safeguards listed in subsection (2) such as being subject to their normal oversight and legal constraints. None of these apply, however, to intelligence gathering and analysis under s 8B.
Furthermore, the injunction in s 14 against the interception of domestic communications of New Zealand citizens and residents does not extend to intelligence gathering and analysis of information infrastructure in New Zealand.
This is a crucial distinction. “Private communications” also retains its existing meaning (contained also in the Crimes Act 1961, made famous by the Teapot investigation involving the Prime Minister and John Banks in 2011).
The content of private communications of New Zealanders may be off limits under the GCSB Bill, but metadata is not.
The definition of information infrastructure “includes electromagnetic emissions, communications systems and networks, information technology systems and networks, and any communications carried on, contained in, or relating to those emissions, systems, or networks.”
The use of an inclusive, rather than comprehensive, definition is technology-neutral. It certainly permits access to the “Internet of things” but, more ominously, could encompass future developments.
It is not too far-fetched to suggest, given the pace of developments to date, that the means might soon exist for devices (say Google’s Glass) to decipher one’s thoughts via the electromagnetic emissions from one’s brain activity. The definition of information infrastructure and s 8B would undoubtedly extend to any such application.
In this brave new world, the term “thought police” might assume sinister proportions that even Orwell would struggle to comprehend.
Gehan Gunasekara is an associate professor in commercial law at the University of Auckland specialising in information privacy law. He advised the Law Commission during its Review of the Privacy Act and is co-teaching a post-graduate course on Privacy Law at the University of Auckland Law School in September.