Gordon Campbell on MBIE’s social media scam

Back in December 2017, MBIE signed a three-year contract worth $112,000 with the Wellington private security firm ZX Security Ltd, to train large numbers of its staff on how to create and maintain false identities on social media – in order to harvest information from the general public.

Reportedly, 70 staff have already been trained in these techniques, and the contract is set to run until 2021.

It would be bad enough if the security services were engaging in this kind of activity. MBIE, though, has responsibility for immigration, building and housing, energy, tourism, financial markets and competition regulation and economic development. Given the ambit of MBIE’s work, almost any form of social activity could qualify as being part of MBIE’s brief, so the privacy threats posed by this training programme are extensive. The current oversight safeguards seem threadbare to non-existent.

Yesterday, No Right Turn pointed out some of the wider risks involved:

Using fake profiles with detailed backstories suggests they are trying to capture people’s private or friend-locked information….[Under] the new “reasonable expectation of privacy” standard, [this] may also constitute a “search” under s21 of the Bill of Rights Act, and therefore be illegal without explicit statutory authority (which in turn, poses a legal threat to every case MBIE has used such information in).

The Law Commission recommended that harvesting public information be covered by a statutory policy statement, setting out the purposes for which it could be done. They also suggested that using false profiles to access private, “friends-only” information be treated as a covert operation requiring a warrant. The fact that MBIE is doing this suggests we need such regulation as quickly as possible, to restrict such government spying to proper investigative purposes, rather than the current free-for-all.

Exactly. So far, the defences being offered by Duty Minister [and ACC Minister] Iain Lees-Galloway do not address these wider regulatory issues.

MBIE says it’s all to do with online safety for workers involved in investigations and the Government says so long as it’s all above board it is sometimes necessary.

Documents show MBIE spent $112,000 on a contract with ZX Security Limited to teach staff how to take material from online platforms like Facebook and LinkedIn, maintain multiple online personas and extract GPS coordinates from photos.

Duty Minister [and ACC Minister] Iain Lees-Galloway says sometimes going incognito is required for the job. “Government agencies do need the ability to carry out investigations for instance, investigating tax evasion or ACC fraud,” he says.

“Where investigations are being carried out, they have to be carried out in a lawful and appropriate fashion. We expect to hear back from MB once they have reviewed this work they are doing.”

This ‘explanation’ is inadequate. IRD is the department funded and empowered to investigate tax evasion. How then does IRD’s investigative unit interact with what looks like a similar (and relatively unknown) tax evasion group doing the same thing at MBIE? As for ACC fraud… apparently, anyone seeking to befriend an ACC claimant on Facebook or LinkedIn should now be regarded as a potential MBIE snoop engaged in analysing social media postings and scanning online photos for GPS co-ordinates. These may (for example) reveal that the injured party may have been out tramping, or engaged in other activity that could later be used against them in the assessment of their ACC claim. Does Lees-Galloway think such spying activity is consistent with the ACC scheme originally envisaged by Owen Woodhouse?

Too Much, Too Many

It is not as if the ZX Security training programme is coaching a small crack unit of MBIE investigators. In year one, 70 MBIE staff were trained in these undercover skills, and a four-year contract has been signed for the entire programme. By completion date in 2021 that means MBIE would have trained 280 staff in fake social media skills that they would be expected to use online. Even allowing for staff turnover, that can only mean that these privacy-penetrating skills are being mainstreamed into MBIE’s general work in its areas of responsibility. Should tourists (for example) expect that their social media posts are being watched by the Kiwi version of Big Brother, for signs they intend overstaying their visas – and do tourists now have reason to fear that a night of revelry shared with an apparent friend online might be used against them if they should lodge a subsequent claim for residency?

To date, Shane Jones has been the only politician to raise concerns about MBIE’s decision to train its staff in how to fake their identities online. At the end of the month, MBIE is expected to report back on its programme. Hopefully, MBIE’s rationale will be challenged by someone external to the organisation. MBIE can hardly be trusted as the main evaluator of its own scheme. In the recent past, it hired the notorious Thompson + Clark security firm to investigate those opposed to its policies, and got heavily criticised in December by the State Services Commissioner for doing so. As RNZ reported less than a month ago:

The entire Ministry of Business Innovation and Employment (MBIE) was… found to have breached the State Services Standards of Integrity and Conduct (code of conduct) by failing to maintain an appropriate level of objectivity and impartiality. MBIE led the charge in a change to the Crown Minerals Act 2013 creating offences for damaging or interfering with structures or ships being used offshore in mining activities.

The design of Operation Exploration was influenced by the concept of “issue motivated groups”. The Minerals Exploration Joint Intelligence Group (MEJIG) was set up and tasked with identifying activities that might lead to interference with offshore petroleum and minerals exploration. Thompson and Clark was a key participant in MEJIG.

The Commissioner found that Thompson and Clark established a very close relationship with Operation Exploration and the information it provided – particularly surveillance of Greenpeace – was most likely paid for by the private sector with interests in petroleum and minerals exploration. The Commissioner has asked MBIE to consider whether Operation Exploration should be discontinued and requested that the chief executive review MBIE’s internal policies to ensure they are consistent with the code.

In other words, MBIE has shown it can’t be trusted to respect free speech and/or the democratic right to protest. Surely then, it cannot be allowed to abuse privacy on social media in the ways this training programme explicitly sets out to do. Any costs involved in breaking the contract with ZX Security have to come out of MBIE’s own operating budget. In the meantime…if Big Brother asks to be your friend on Facebook, it needs to tell you who it is.

Footnote One: Interesting that MBIE put the ZX Security contract up on its website a year after it was signed, and just as the SSC released its damning report on the governmental use of private security firms. The timing looks less like transparency than an attempt by MBIE to pre-empt a future scandal by getting the information out (a) just as the SSC hammer fell and (b) while the media was otherwise engaged with the SSC report findings.

Footnote Two: So what is known about ZX Security? According to Deloitte, it is the 40th fastest growing company in New Zealand. Here is its founder/CEO Simon Howard talking briefly on YouTube about the company’s use of interns. And here is Howard again at a 2017 conference talking at much greater length about the threats posed by ransomware and phishing, and related matters.

According to its publicly available LinkedIn profile, the company’s current employees are Simon Howard, Laura-Jane Howard, Claudio Contin and David Robinson.

Friends You Can Trust

Fake friends are no new thing. Eighty years ago, the Sons of the Pioneers were warning that this newfangled idea of getting an old age pension could attract friends of the wrong sort:

Digital friends come and go, but there are more trustworthy alternatives. Roy Rogers, a graduate of Sons of the Pioneers, spells out the options: