NZ companies lost in the fog on release of private data
employer Trade Me came under fire for acquiescing to a sizeable data request from the Inland Revenue Department (IRD).
The IRD originally asked for the details of close to a million customers. Trade Me pushed back several times before finally releasing the details of about 40,000 of its 3 million members.
To read some of the coverage at the time, it sounded like it was a shocking discovery and one that was likely ill-judged.
The truth is that many government agencies have strong empowering legislation and you would be a mug to think they did not use those powers on private sector companies – whether they be banks, internet service providers (ISPs) or online venues.
The point that seemed lost in some of the coverage (particularly in the radio pieces I heard) was that the whole episode came to light only because Trade Me reported the disclosure in its 2013 transparency report.
Transparency reporting has come of age in the past five years as people increasingly live their lives online and the companies that enable that have come onto the radar of enforcement agencies.
In simple terms it is a summary of the legal requests that companies receive requiring disclosure of individual client data. This may range from a telco being asked for the details of an offensive caller, through to a bank being asked for details of a beneficiary who drives an Aston Martin, through to Trade Me being asked about the details of a customer who has sold 20,000 items but still maintains they are not "in trade".
Transparency reporting is a compelling idea for three reasons.
First, it shows a company is taking privacy seriously and provides insight into how its privacy policy translates into privacy action.
Second, it puts the acid on the requesting agencies, making them aware they too will be under the spotlight and any tendency to take fishing trips for data will become obvious.
Last, it heightens public awareness of the extent to which their lives can be monitored.
The curious thing to me is the way New Zealand has yet to catch up. If my brief research is right, there are two local companies that provide transparency reporting – Trade Me and NetSafe.
Vodafone do some sort of corporate responsibility report but it is not transparency reporting.
Most of the global web giants – Twitter, Google and Facebook among them – provide high-level transparency reporting for New Zealand. Not the detailed reporting that NetSafe and Trade Me provide but a hell of a lot better than the rest of our locals.
It is kind of ironic that foreigners are more upfront than most natives about how they deal with our personal information.
This leaves a truckload of local companies – including banks, ISPs, telcos and software as a service (SaaS) providers – who are providing citizen information to enforcement agencies on the quiet.
To be clear, provision is not necessarily a bad thing but right now we are in the dark about the size of such provision and the recipients. And I reckon we have a right to know.
The United States has taken a lead here, with more than 20 of the largest technology companies now regularly publishing transparency reports. Twitter even went to the trouble of suing the US Federal Bureau of Investigation when it tried to curb its transparency reporting. I reckon it is time for New Zealand to catch up.
British newspaper magnate Viscount Northcliffe once noted that news is something someone wants suppressed. Judging by the dearth of local transparency reporting I guess there is a good amount of news still to come out.