Data leak shows contempt for patient privacy

The career of a Member of Parliament may be over after admitting to receiving and sharing information about COVID19 patients with the media. Clutha-Southland Member of Parliament Hamish Walker has admitted receiving information from former National Party President and – now – former Acting Chief Executive of the Auckland Rescue Helicopter Trust, Michelle Boag.

I, as a politics-following New Zealander, have heard of some dumb stuff happening in the New Zealand Parliament. However, the announcement yesterday that a former Party President passed on private information relating to COVID19 patients to a National Party M.P., who then disclosed it to the media, is right up there with the worst. The stupidity of this is quite extraordinary. A former National Party President and a sitting Member of Parliament have torpedoed their careers and brought potentially massive shame onto National as a party.

As there was knowing leakage of private information that did not have the consent of the person whose privacy had been breached, it is very likely that New Zealand privacy law has been broken. The Privacy Commissioner believes that the acts are indefensible, saying that people have a right to expect their information is kept private and not circulated among those with no legal necessity to know. As a result I believe the New Zealand Police should investigate Mr Walker and Ms Boag.

In Mr Walker’s case, his actions, coming just days after he made a comment about New Zealanders returning from overseas that was widely construed as racist, have made his tenure as a Member of Parliament untenable. For the purpose of not bringing Clutha-Southland as an electorate and Parliament as a democratically elected institution, in which New Zealanders place a lot of stock, into disrepute, Mr Walker must resign from Parliament.

Ms Boag’s reputation as C.E.O. of a medical N.G.O., Auckland Rescue Helicopter Trust, is in tatters too as a result of her decision to pass on the details to Mr Walker. She has since resigned from her job.

But the consequences might not stop there. I have already stated that I believe the Police should investigate both of them. If for no other reason than to establish what Mr Walker and Ms Boag did, a criminal investigation should be launched. The prospect of criminal charges being brought against one or both of them is very real and would be widely supported by the New Zealand public.

For National, coming on top of Michael Woodhouse’s claim that a homeless man managed to talk his way into a COVID19 quarantine facility, this is hugely damaging to their credibility. To come in an election year with the election 10 1/2 weeks away and the Government riding high in the polls, is the last thing leader Todd Muller or the National Party Board needed.

For the Government, this is a chance to make more political hay. It will also be encouraging for the supporters of National’s rivals in Clutha-Southland. Although I don’t expect National to lose the seat – it would be kind of like Christchurch East going to National – leakage of party votes to other parties there is almost a certainty.

The monumental District Health Board data hack

As many as 913,000 patients may have had their records accessed in a massive data breach of New Zealand District Health Boards. The hack, which is thought to have also affected Public Health Organizations, was concentrated on Tu Ora Compass’s computer system. As officials try to contain the damage, it raises – yet again – some damaging questions about the cyber security of Government agencies in New Zealand.

I have long thought that New Zealand has been too slack with data security in Government agencies. It is a recurring problem that has at some point or another affected Inland Revenue Department, Accident Compensation Corporation, Department of Work and Income, to name just a few. All of these agencies have been breached in the last decade, with some of the breaches involving thousands of files being misused or misplaced.

But back to what I think might be one of the biggest data hacks in all New Zealand history. Whilst it is good that the Chief Executive has apologized, it is not enough and there are major failings. Glaring questions need to be rapidly answered by the Ministry, the Chief Executive and those responsible for the maintenance of the data. Very quickly the Chief Executive must find out what steps can be immediately taken to tighten up the security of M.o.H. systems and equally quickly the M.o.H. system administrators must action those recommendations.

The breach appears to affect the lower North Island, particularly people in Wellington, Kapiti Coast and Wairarapa. 648,000 are thought to be affected, but given the data goes back over a decade and includes people who are deceased, the number of affected patients might be close to 1 million people.

Ministry of Health have to own this incident. If they cannot, Chief Executive Martin Hefford should hand his resignation in, for it was his responsibility to make sure M.o.H. had the correct procedures and personnel.

New Zealanders should be short on patience with Government agencies treating cyber security so poorly as to let this happen. But I have the feeling that after a brief burst of indignation, people will merely shrug their shoulders and life will carry on as if it never happened. The agencies will heave a sigh of relief and say “we got through that one – I am sure we will be fine in the future”, instead of holding those who failed in their roles to account.

It is this kind of resigned behaviour, touched with a bit of “She’ll be right”, implying things will sort themselves out instead of New Zealanders ensuring that the situation before them improves, that prevents this nation getting better. We can be a lot better at these issues, but until we start dragging officials over the coals for indiscretions there will not be any progress.

Tuia privacy breach reminiscent of National-era breaches

It has come to my attention that the database handling the registrations of people and organizations wishing to participate in the Captain Cook 250th Anniversary was breached.

Officially this one was put down to a “coding error” in the website. But in the last couple of days it has emerged that the website provider was not on the list of approved providers for Government departments, which according to Labour M.P. Priyanka, has since changed. Prime Minister Jacinda Ardern has since made a rule that only those providers on a list vetted and approved

The Chief Executive of the Ministry of Culture and Heritage, Bernadette Cavanagh, must be aware that her future in the role is severely tainted by this failure. The fact that she has not been shown the door or had it formally suggested to her may be because – although quite serious – this is at the lower end of the scale of privacy breaches when recent examples are brought to light.

The more serious breaches I am thinking of are a slew that affected several Ministries and Departments during the National-led Government of Prime Minister John Key. Thousands, if not tens of thousands of people were affected. Under that Government there were notable breaches at Ministry for Social Development including its umbrella agency Work and Income New Zealand; Accident Compensation Corporation and others.

Some of the breaches affected some of our most vulnerable people – victims of domestic violence, handicapped children and people with terminal illnesses. In at least one instance it was put down as an “operational matter”, which I deduced was political speak for internal issue or more to the point: “none of your business”. No one in a senior management role was fired though the case certainly existed for their departure.

So, what could be done to prevent further breaches in the future? Several things, actually:

  1. Regularly check who has what access rights to particular information
  2. Ensure that multiple layers of increasing security are in place, cutting off certain groups or individuals when their access rights fail to meet a certain threshold
  3. Require password changes to not be simple ones like password123
  4. Install software to monitor potential outside attacks

Much of this is actually just plain common sense. But the number of large companies, government organizations and so forth where passwords are as weak as the example above is likely to surprise. Use a password that is something like !computer0 – the use of numerical digits and special characters significantly complicates the process of cracking a password for a hacker. A method of getting everyone to change their password on a regular basis could be to set an expiry mechanism that means after a given time – say a month – the password simply stops working and a new one has to be established.

Make sure your anti-virus software is working. If you have Windows 10, the default Windows Defender is considered adequate for what most people are going to use their computer for. W.D. is known to clash with exotic anti-virus software such as Bitdefender or Norton Antivirus, and may slow your machine down if it finds itself competing with one.

New Zealand needs to draw a line on New Zealanders’ privacy

New Zealanders spend much of their internet time using the services of a few very large tech giants. Facebook, Amazon, Google, Microsoft and Yahoo! are some of them.

I am no exception. I have this blog, which requires an e-mail account, which I have with Gmail. I have a Facebook page for this blog as well as my own private profile. I have a Twitter profile. Across the course of my presence on the internet, I have downloaded applications from Google Play, both free and otherwise.

In order to supply those services and products it is understandable that they will need to store some basic data about their users. They will need to know that their users are verified and not some sort of computer bot. They will need data specific to the types of services and products they supply.

What is not so easily acceptable – and which should be the subject of honest, robust debate – is whether these companies should be able to build up a vast profile of one’s internet footprint. Below is an example from Britain of how Google was able to do so.

A contributor to The Guardian wrote an article a few months ago about how much Google and Facebook for example were able to store about him. The results he found were rather startling. Google was able to store every single search, purchase, e-mail sent/received, app downloaded that he had done for nearly the last 10 years, in his case dating back to 2009. At the time of him publishing the article Google had 5.5 gigabytes of information about his activities.

A few weeks ago I deleted my Google+ accounts. Aside from having barely used them since they were formed, I wanted to reduce the footprint across which Google could collect data about me. Yesterday I became aware of how to check Google’s knowledge of the ads it displays that one might have clicked on – deliberately or accidentally. Over the next few days I am going to see how far I can reduce my Google Ads footprint.

Google is not the only tech company I am trying to reduce my online profile with. Facebook, long accused – justifiably so – of being in breach of the privacy laws of various national jurisdictions, has been issued ultimatums to fix the breaches and demonstrate having done so, or face sanctions.

In my case I have removed photos from prior to 2016. I have family and friends who used to be quite active on Facebook, who have stopped posting and have simply walked away from their accounts. Others have deleted their accounts outright when they have concluded that Facebook has access to too much of their private lives.

I am but a gnat against the likes of Google and Facebook, but I honestly believe that if first world nations made these companies respect their privacy laws, there might be a fighting chance of an overall sea change in how these companies view the world. If New Zealand took a stand and told these companies they would face sanctions for non-compliance, their contemptuous outlook might change. It would have a precedent to follow – other nations have already attempted to lay down the law to Facebook. How long before they try it on Google and the others?

Hopefully not long.


Body scanners coming to New Zealand: Overkill or good?

After a trial that has been conducted at Wellington Airport, Advanced Imaging Technology (A.I.T.) is going to be rolled out at key airports across New Zealand.

The civil libertarian in me has some concerns about how invasive the imaging will be. Will it pick up full body contours, or will it pick up just an outline of one’s body and mark on it anything that appears suspect? Will the imagery be erased once the person going through the scanner is dealt with, or will it be kept on record somehow?

I personally find it frustrating that other countries are somehow dictated to by Federal Aviation Authority rules. When one reads signage on aircraft, even in New Zealand, it will often refer to the F.A.A. To me the F.A.A.’s jurisdiction starts/ends at the United States border and the authority I should be answering to is our own Civil Aviation Authority.

Yes, I realize that aviation has not been the same since 11 September 2001. Yes, I realize that people’s perceptions of safety as well as airlines’ perceptions of safety were never going to be the same after that day. But why should other nations succumb to America’s paranoid obsession with all things “security” in the context of national security, especially when so many of America’s national security issues are of their own making?

But okay. The flip side of the coin is somewhat different if the supposed benefits can be proven. And Aviation Security (AVSEC) are meant to keep our airports as safe as they reasonably can. If the images detect narcotics, guns that police officers forgot to take off their belt when they went through, the plastic knife that may have been put in for some other reason and completely forgotten about, and so on, then yes, they are doing their job.

If it means someone who planned to enter the waiting lounge and shoot the place up is stopped, then the scanners have paid their way.

Perhaps I should be more lenient. New Zealand customs and AVSEC officers are not like their Canadian and American counterparts. Generally New Zealand border and airport security are much more friendly, polite and helpful. They don’t hiss like snakes, which I experienced in Los Angeles last year. If an AVSEC officer is overzealous, his/her colleagues are more likely to pick up on the problem and perhaps rein their wayward colleague in.

So, the question I pose is quite a simple, yet fundamental one in the context of border security:

Is it overkill to have full body scanners at New Zealand airports? If yes, why? If not, why not?

Let the debate begin.