Kia ora koutou,
The privacy hot topic in New Zealand over the last couple of weeks has been surveillance, with the use of “surveillance for hire” by both public- and private-sector organizations coming under fire.
On 14 Oct., it was revealed by RNZ that New Zealand’s Ministry of Business, Innovation and Employment had been using Cobwebs Technologies — a surveillance firm “run by Israeli ex-spies and military commanders” — since 2019 to monitor major social media platforms for threats and covertly collect personal information. The ministry stated that the targeted use of Cobwebs' powerful technology was “appropriate in light of the risks the tool is used to mitigate.” However, RNZ noted that it remained unclear just who the target was. Alarmingly, Cobwebs was one of seven such firms Meta disabled in 2021. The privacy commissioner had no input into the ministry's use of Cobwebs, and stated that it had requested assurance from MBIE that the use of the firm was lawful, necessary and proportionate.
In rather timely development, New Zealand Privacy Commissioner Michael Webster then delivered a keynote address to the Open Source Intelligence Conference 21 Oct. OSINT tools use powerful artificial intelligence and machine learning "capable of harvesting vast quantities of data across multiple sources at once" and make "accessible, data from the open, deep and dark web."
Government agencies are using these tools for a variety of reasons, including national security and law enforcement, with the MBIE case above being just one example. The commissioner considered that the explosion of new data sources and new data scraping tools created new risks of privacy intrusion, “that in the analogue world we would simply not accept." The commissioner made some very useful remarks about the scope of the term “publicly available information” in the Privacy Act 2020, and how this correlates to the term “open source,” which will be very useful for privacy professionals looking to navigate this emerging playing field. It is well worth a read.
A clear theme from the privacy commissioner on the topic of “surveillance for hire” is that the collection of personal information should not be driven by the available technology, but by a clear need to collect information in order to carry out lawful functions. This is a helpful reminder of the role privacy professionals play in tempering the rapid uptake of new technology, to ensure agencies can meet their lawful objectives in a way that does not unduly erode personal privacy.
It’s now less than a month until the IAPP ANZ Summit, so make sure you’re registered, and I hope to see many of you in person in Sydney where we can chat about surveillance for hire and all the other privacy issues currently on our minds.
Enjoy the digest, stay safe and be kind.
Ngā mihi.