Cops laughing all the way to the bank
NZ banks readily hand over confidential information to the police - all they need to do is ask.
On Saturday, the NZ Herald reported that it is common practice for banks to hand over confidential customer data, including account balances and transactions, to the police without the police producing a warrant.
This is possible due to a rather vague clause in the Privacy Act which states that banks (or any other organisation that holds people's private information) can be exempt from the requirement to keep private details private when the cops say that they need the information for "the maintenance of the law". Once they have the information, the police are then free to pass it on to other agencies, such as WINZ or the IRD.
The extent of this practice was revealed in connection with the Kim Dotcom case. Dotcom was denied a $4 million loan shortly after the cops had asked Kiwibank for his account details. Independently of the question why someone as filthy rich as Dotcom needs to apply for a bit of petty cash from Kiwibank, the bank denies that this was the reason for withdrawing his already approved loan. Instead their spokesperson Bruce Thompson engages in a linguistic tight-rope act, saying that a police request "does not influence the bank's position one way or another but is taken into account".
An often cited example for the need for this regulation is the case of a missing person. The police want to establish if the person is still alive by finding out if their bank account has been accessed and may not have time to obtain a warrant. However, Dotcom was not missing and it is hard to believe that the police had no time to get a warrant to get his account details that way. It is more likely they couldn't be bothered explaining their case to a judge. It also doesn't account for Kiwibank's statement that "police sought information from banks on a daily basis".
The worrying thing is that the banks appear to have the same laissez-faire attitude to privacy as the cops have. It is important to understand that releasing confidential customer information without being presented with a search warrant is entirely at the discretion of the banks.
The Herald quotes the Banking Association's policy as: "We have a strict duty to protect the confidentiality of all our customers' and former customers' affairs. We are also obliged in our dealings with our personal customers to observe and comply with the Privacy Act 1993."
How that is reconciled with Kiwibank's admission that they release information "on a daily basis" remains a mystery.
To add insult to injury, according to the Herald, the police refuse to elaborate on the extent of this practice citing privacy reasons. And Banking Ombudsman Deborah Battell is quoted as saying that she has never had any complaints about this issue – which is hardly surprising given that the practice has only now been revealed and banks don't usually tell their customers when the cops come knocking.
A surprisingly critical Editorial in the Herald raises the issue that the police may be routinely using this practice to go on fishing expeditions, resulting in the effected people having their loans declined. Of course having a loan declined by one bank is something that will have to be declared when applying for a loan with another bank.
So far only Kiwibank has been named as eagerly breaching its customers' privacy, but it would be foolish to assume that other banks are different.
Nor is this problem confined to the banks. Operation 8 has revealed the willingness of both Telecom and Vodafone to hand over cell phone call data (including the content of SMS messages) to the police. In some cases the request was done via an informal email, on first-name basis and with the promise that the search warrant would be supplied later.
However, the auction site Trademe has topped this dubious list by providing the details of up to 10,000 users to the police who were investigating 18 people. The police did have a warrant, but Trademe's eagerness to comply was extraordinary.
It all comes down to the question of where an organisation sees itself in society – whether its obligation is to protect its customers who have trusted them with personal information, or to serve the state who might want to prosecute those customers. The actions clearly reflect the loyalties.
And some government agencies don't even need to be prompted by the cops – they simply send confidential client records as email attachments, as the various ACC cases this year have demonstrated.
The Dompost reports, that this year alone, government agencies and private companies have voluntarily reported 71 privacy breaches to the Privacy Commissioner, i.e. they have dobbed themselves in. How many other breaches have taken place is a matter of speculation, although a spokesperson is reported as saying "My guess is by and large most agencies are upfront about this. There's not a lot of subterfuge or malevolence going on in the background with this." A statement that seems odd given that ACC tried to prosecute the person who revealed their initial blunder.
The Privacy Commissioner has received 1142 complaints in the year to June 2012 – almost twice as many as five years ago. The Commissioner has also conducted a poll on privacy issues. One of the results is that 88% agreed that ‘It's extremely important that businesses tell me what they are doing with my personal information’. A similar number (87%) said the same thing about government agencies. Overall people are increasingly worried about their privacy being eroded (67%, 8% more than the previous year).
Also interesting is the regional breakdown: Wellingtonians are more concerned about privacy than people in other areas. Maybe this is due to the physical proximity of certain government agencies...