Office of the Privacy Commissioner | Open Source Intelligence Conference Keynote Address 2022
Privacy Commissioner Michael Webster gave the opening address at the 2022 OSINZ Conference held in Wellington, New Zealand, on October 22, 2022.
Thank you for the opportunity to address the OSINZ Conference 22.
It is timely that we are discussing OSINT and related matters today. As you will know, open source intelligence tools and software packages are now readily available for purchase, along with a multitude of sites rating the “8 or 10 best OSINT Tools”. Third party providers of open source intelligence software and analysis are competing to provide increasingly potent tools, using powerful AI and machine-learning approaches, capable of harvesting vast quantities of data across multiple sources at once. These tools are marketed as being able to make accessible data from the open, deep and dark web.
So too the number of government agencies using and practicing open source techniques has grown - as illustrated by today’s conference. The purposes that open source intelligence is being used for are infinitely varied – national security, law enforcement, cyber-security penetration testing, uncovering child-exploitation, drug-trafficking. And again, as the people in this room and watching will know, these uses have developed very rapidly.
I see from the programme that there will be later sessions covering such subjects as data and trust, ethics and open source collection, and appropriate management of open source information. I am heartened to see this as, naturally enough given my role, I see personal information privacy as a fundamental right in a free and democratic society.
In her 2018 Sir Bruce Slane Memorial Lecture, then Justice Helen Winkelmann gave a very thoughtful and important speech on privacy, its place in our law, and its value to us all as a right. In it she noted that:
“An invasion of privacy which undermines or negates [an individual’s] dignity can be profoundly harmful for the individual. It can distress, humiliate and shame. In extreme cases, it can destroy the social and economic foundations of an individual’s life.”
Dame Helen also referenced the international treaties and declarations that remind us all of the place of privacy: Article 12 of the Universal Declaration of Human Rights provides that “no one shall be subject to arbitrary interference with his privacy, family, home or correspondence.”
Privacy is also a very important foundation of trust. If you hold personal information, you have an obligation to protect the privacy and mana of those who have entrusted it to you. As well as meeting your legal obligations, taking care of New Zealanders’ personal information helps ensure people – the vast bulk of whom are law-abiding citizens - maintain trust and confidence in your organisation.
Increasingly, people share more and more of their personal information online – to access goods and services, to maintain their personal and professional links, and so on – and they have to trust things will be okay, and that their privacy will be protected and respected.
My Office conducted a survey in 2022 on privacy awareness and engagement. The results from that research provide food for thought for all those active in the open source space.
- 61% of those surveyed – almost 2 in 3 – were concerned about information being collected from children online without parental consent.
- The same percentage were concerned about the security of their personal information on the internet.
- 55% were concerned at government agencies sharing personal information without their permission.
- Almost half of New Zealanders say they would avoid doing something on the internet due to concerns that their online activity is being tracked.
There has, over the last year, been ongoing media coverage of cyber-security issues, and major stories about social media monitoring and tracking. We consider that this is having an impact on the way people think about who they give their information to, and – once given – how it is being looked after.
Of course, individuals have a right to disclose some personal information in a manner that makes it publicly available, but that does not mean they give up their right to keep some personal information private. It also does not mean that they have given consent to have personal information that they thought was disclosed in a private manner obtained through the application of technology and treated as public.
Nor does it mean, for example, that cyber-hacked personal information that is placed on the dark web has all of a sudden become publicly available information. The individual concerned never had any expectation that this material about themselves would become publicly available.
In her Sir Bruce Slane lecture, Dame Helen noted that:
“Information can be gathered together to create a picture of our behaviours and our beliefs. In many cases, we have consented to the information being harvested and used by the agency collecting the information for a variety of purposes, and by others to whom that agency passes that information. We agree to this when we agree to the privacy policy of the site we visit … We agree happily, usually without reading those terms and conditions. And even if we did read them, can we truly foresee just what it is that we are giving away, given the complexity of the internet-driven economy and the very substantial imbalance of knowledge that exists between the consumer and service providers? … There is good reason for proceeding with caution when weighing the significance to be given to consent when assessing whether the individual expected privacy, or had waived it. … There is a very substantial asymmetry in technical understanding between the customer and most who operate business in an online world.”
As Privacy Commissioner I have a real interest in online privacy and in the collection, aggregation and use of what is termed “open source” data by both the public and private sectors.
The explosion of new data sources and platforms, together with potent new data scraping, mining, linking and analysis tools, creates new risks of privacy intrusion. There are new risks that in the analogue world we would simply not accept without complementary security protections – including against unreasonable surveillance.
All of this raises some interesting questions.
Have state accountability mechanisms been able to keep up with the rapidly increasing practice of open source information gathering and exchange by government agencies?
Are sufficient safeguards provided to protect the privacy rights of the general public, while allowing for the legitimate use of these undoubtedly powerful tools for targeting malicious actors?
Earlier, I used the term ‘open source’ – but what do we understand by that phrase? The Privacy Act does not use the term “open source” - the term used is publicly available information. Publicly available information means personal information that is contained in a publicly available publication. Publishing means to make personal information available in any manner including via the internet, other electronic means or storing information electronically, in a way that is accessible to the public.
It seems to me that implicit in the term “publish” and “make available” is the concept of deliberate or conscious disclosure of personal information by the individual concerned. If I publish information on an open Facebook page that is accessible to anyone, I would be “publishing it to the world”. If, on the other hand, I share this information with a closed Facebook group of my close friends I am deliberately not making it publicly available. Likewise it seems to me that there is a distinction that can be made between a “tweet” and a “direct message”. One is intentionally published for public response, the latter is directed to the recipient and the recipient only.
If a person goes to the trouble of using all of the privacy protective mechanisms available on a social media site, is it okay for a sophisticated data mining tool to penetrate these defences and scrape the data anyway? In every case the question needs to be asked: “what was the individual’s reasonable expectation of privacy?” and given this, would collecting this information be unfair or unreasonably intrusive and therefore a breach of Information Privacy Principle 4?
One of the phrases I have heard again and again since I have taken up this role is: “you could collect that information, but should you?” There may well be widespread consensus that you have a public policy problem that needs to be solved, but is the action you are proposing to take to deal with that problem – action that impacts on individuals’ right to privacy - lawful, necessary and proportionate?
A growing concern is that the reality of open source information usage could appear to run counter to these propositions. As Professor danah boyd says in Privacy and Publicity in the Context of Big Data, what is in the public domain has been redefined to “accessible and available for any purpose under any circumstance”.
And the power of the open source tools now available means that pretty much everything – whether it has been consciously disclosed (published) or not - is accessible and available. To reference the much quoted computer science researcher, Professor Gene Spafford:
“The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker and surrounded by nerve gas and very highly paid guards. Even then I wouldn’t stake my life on it.”
If this is true, then it places even more responsibility on the users of OSINT to use the technology with care, to collect only what is lawfully available – not just what is accessible. As the privacy regulator for Aotearoa New Zealand I will be looking for demonstrations that OSINT is being collected within the guardrails of lawful, necessary and proportionate.
It can sound a bit trite, but it’s true: with great power comes great responsibility. Let’s look at some scenarios.
Is information that has been hacked and stolen from a website, and placed on the dark web for sale, “open source” information? It has been illegally taken and has certainly not been published by the individuals themselves. It may be subject to a court injunction – as in the case of the Waikato DHB cyber-attack.
Ransomware attacks are happening more and more frequently. The data that is being taken is generally of ordinary everyday citizens – their identity information, their medical records, their financial data. The bulk of these people will not be terrorists, drug traffickers or purveyors of child exploitation.
Another scenario: as a teenager you posted some embarrassing photos that you want to remove from social media, or perhaps you had radical views about animal welfare and attended a protest or two and made some posts about that.
If a person makes a deliberate decision to unpublish this information about themselves from their social media, should it be able to be recovered? Is the deleted personal information considered “open source” or “publicly available” simply because “the web never forgets” or OSINT tradecraft includes how to recover this content? This raises a number of issues, including around the responsible and lawful use of OSINT tools, focused on legitimate targets, with appropriate oversight.
Thus far I have focused on the collection of “open source” or “publicly available” information. Regardless of whether the information is publicly available – once it is collected it is subject to all of the protections provided to personal information. This includes accuracy, safe storage, appropriate retention and deletion, ability of individuals to ask for access to their data and so on. Where agencies are contracting with a third party to process and/or store this information, the principal remains liable under the Privacy Act. Prudent attention to contracts is essential.
To return to my earlier question: have state accountability mechanisms been able to keep up with the rapidly increasing practice of open source information gathering and exchange?
As you will all know, we are part way through a Review of the Intelligence and Security Act 2017. If we look back to the creation of that Act, I note that following a review of the NZSIS and the GCSB and their legislation, and submissions by my predecessor to the Select Committee, the new Intelligence and Security Act 2017 removed the previous total exemptions that these agencies had under the Privacy Act and instead made them subject to the majority of the Information Privacy Principles. At the same time the Privacy Commissioner was given an oversight role alongside the Inspector General of Intelligence and Security.
These decisions were taken to address the fundamental issue of how to maintain trust and confidence in agencies who could not be completely transparent about their activities. As a result of the 2017 legislation, the Minister of Intelligence and Security was also required to publish Ministerial Policy Statements. The statement on the collection and use of publicly available information states:
“In making decisions related to obtaining, collecting and using publicly available information, GCSB and NZSIS must have regard to the following principles: respect for privacy, necessity, proportionality, least intrusive means, respect for freedom of expression, including the right to advocate, protest or dissent, legality and oversight.”
This is an extremely useful set of principles - not just for these two agencies, but for all state agencies that use OSINT.
The use of this open source information can have real life impacts for those who are inadvertently and inappropriately caught up in its use by agencies. It can undermine the trust and confidence that citizens have in their country, and in the agencies they deal with. Whether we are customers of private sector businesses, clients of government agencies, or citizens of Aotearoa New Zealand, the efforts made to respect and protect our personal information will impact on our trust and confidence in those agencies and institutions. Promoting and protecting individual privacy will contribute to strengthening and maintaining a free and democratic society.
Thank you.