Remote Working Resources For NZ Lawyers and Small Businesses

Photo by Trent Erwin on Unsplash

New Zealand is currently in a four-week+ lockdown due to COVID-19 with the majority of the country’s workers working remotely.

Here are some resources and tools lawyers and small businesses might find useful after being pushed into working remotely.

Some of the links in this post are affiliate links, but these are tools I would recommend anyway.

If you’re an employee you should check with your IT policy/manager before using new tools for work.


Video conferencing

Zoom


What: “Zoom is the leader in modern enterprise video communications, with an easy, reliable cloud platform for video and audio conferencing, collaboration, chat, and webinars across mobile devices, desktops, telephones, and room systems.”

Why: You can use it on almost any device (Mac, PC, iPhone, Android, phoning in by telephone), it’s easy to install, your guests don’t need to sign up for an account, you can share your computer screen, and you can easily schedule and send invitations for meetings.

Zoom has a page of resources for beginners and is running daily training as it is so popular because of the current situation.

Website: https://zoom.us/pricing

Price: One-on-one meetings of unlimited length are free. You’ll need a paid account for group meetings longer than 40 minutes at USD $14.99/month (or USD$149.90/year).

Editing PDFs/electronic signing documents/requesting signatures

Choose electronic signing services carefully regarding the intended use of the document. See the Contract and Commercial Law Act 2017. Some documents won’t be able to be signed electronically.

Nitro


What: “Do more with PDFs

With a rich feature set, intuitive interface, and advanced security, Nitro Pro enables you to quickly and easily create, convert, edit, sign, review, and protect PDF documents—without the hassle.”

Why: No need to print and scan documents to turn them into PDFs, edit out pages or do Bates numbering for bundles. You can email documents for signing electronically. A one-off cost instead of AUD$234.48/year for Adobe Standard DC.

Website: https://www.gonitro.com/

Price: 14 day free trial then USD$159/person. Send unlimited signing requests.

Secured Signing


What: “Invite other people to sign Docx, Doc, ODT, ODS, Xls, Xlsx, RTF & PDF documents

For many businesses signing contracts or obtaining customer signatures in order to close a deal often proves challenging. The traditional paper process is often time consuming and costly and may take a few days or several weeks to complete. With Secured Signing technology you will be able to close deals and sign contracts within minutes.

Simply create your document, add it to Secured Signing Service and invite your business associate, customers, suppliers, partners or others to sign.”

Why: A New Zealand company. This is the platform that ADLS WebForms signing service is based on. A more robust process than Nitro or HelloSign’s signature request functions. Free for a few documents a month. ID verification (Real Me/NZ passport/NZ driver licence) is extra.

Website: https://securedsigning.com

Price: 3 documents/month are free, then NZD $9.95 + GST a month for 10 documents.

ADLS WebForms (based on Secured Signing)


What: “WebForms™ is a web-based legal document creation service, creating efficiency for busy professionals seeking to draw on proven legal forms. WebForms protects the integrity of each document, while allowing users to tailor forms to meet the needs of individuals or specific transactions.

Digital Signing is included with WebForms subscriptions. A secure tool, enabling you to provide legal services to your clients remotely.”

Why: If you want to request signatures electronically, don’t mind paying per document, and want RealMe/driver licence verification of signatories.

Website: https://webforms.adls.org.nz/

Price: NZD $3+/document (pdf)

HelloSign


What: “HelloSign allows you to electronically request and add legally valid signatures to any document, from new hire agreements to loans, to NDAs. HelloSign is available in an intuitive web interface, a developer-friendly API, or as a Salesforce add-on.”

Why: Email documents for signing, powered by Dropbox. Not necessary if you opt for Nitro above which also includes electronic signing, but useful if you use a different PDF editor.

Website: https://www.hellosign.com/features

Price: 30 day free trial then USD$15/month (or USD$156/year)

Scanning documents without a scanner

Microsoft Office Lens


What: “Office Lens trims, enhances and makes pictures of whiteboards and documents readable. Office Lens can convert images to editable Word and PowerPoint files too.”

Why: Made by Microsoft so you can trust it, you can scan documents without a scanner or ask your clients to use it to return documents to you electronically instead of sending you photos.

Website: iPhone download | Android download (or search the App/Play Store)

Price: Free

Email/storage

G Suite by Google


What: “Simplify how you work. Use G Suite for business email, video conferencing, cloud storage, and file sharing. Get all the tools your team needs to collaborate and get more done.”

Why: Powered by Google, global and resilient. Email, calendar, and file storage that doesn’t rely on your physical server. Google Hangouts is a Zoom alternative.

Website: https://gsuite.google.com/pricing.html

Price: 14 day free trial then USD$6/person/month (basic) or USD$12/person/month (business). Non-profits can use G Suite for free.

Password management

LastPass


What: “The best way to manage passwords. Just remember your master password and LastPass remembers the rest. See for yourself how easy password management can be.”

Why: LastPass as in the last password you’ll have to remember. It sounds counterintuitive, but you and your team storing all your work passwords in an (encrypted) database online means you can use secure, long, and unique passwords for each service. Accounts are compromised in data breaches all the time (look up your email here – if you’re using the same password everywhere a domino analogy would apply). Web browser plugins and phone apps available.

Passwords can be securely shared using the team plan.

Website: https://lastpass.com

Price: Personal is free, teams is USD$4/person/month for 5-50 users.

Protect your devices

Malwarebytes


What: “Crushes cyberthreats. Restores confidence. Traditional antivirus simply doesn’t cut it anymore. Malwarebytes crushes the latest threats before others even recognize they exist.”

Why: Protect your devices from malware. Ransomware will ruin your day and possibly your business, especially if you don’t have up-to-date backups. Works with Windows Defender*. If you have an IT provider they are probably taking care of this for you on work devices – ask.

Website: https://www.malwarebytes.com/pricing/

Price: Free version or Premium from USD$49.99/device/year after 14 day trial.

Caution on relying on the free version: “The free version of Malwarebytes for Windows is great for getting rid of existing infections, but some infections, like ransomware, only need a moment to wreak havoc on your PC. To stop infections before they happen, stay one step ahead with the Real-Time Protection of Malwarebytes Premium.”

*To get Malwarebytes Premium and Windows Defender working together, in Malwarebytes go to Settings -> Security -> untick ‘Always register Malwarebytes in the Windows Security Center’.

Set a passcode, encrypt your devices and all those other things CERT NZ recommends


What: CERT NZ is “here to improve cyber security in New Zealand. We work alongside other government agencies and organisations — both locally and internationally — to help New Zealand better understand and stay resilient to cyber security threats.”.

See their information on COVID-19 and working from home quick reference guide (pdf).

Back up your data

Backblaze


What: “Backblaze helps you protect business data. Easily deployed across laptops and desktops. Centrally managed. Securing all your user data for just $60/year per computer for unlimited backup.”

Why: Automatically back up your data to the cloud and protect yourself from natural disasters, theft, ransomware etc. Not necessary if your files are on a server and your IT people take care of offsite backups.

Website: https://www.backblaze.com/business-backup.html

Price: 15 day free trial then USD$60/computer/year.

Secure communication

Signal


What: “Millions of people use Signal every day for free and instantaneous communication anywhere in the world. Send and receive high-fidelity messages, participate in HD voice/video calls, and explore a growing set of new features that help you stay connected. Signal’s advanced privacy-preserving technology is always enabled, so you can focus on sharing the moments that matter with the people who matter to you.”

Why: Mobile networks are under strain with phone calls and texts and using an app like Signal over Wi-Fi or mobile data avoids this. Send texts/photos, call, and video chat. Encrypted (your telco almost certainly keeps a record of your text messages) and recommended by Edward Snowden. Clients can easily download it for free. Not WhatsApp (owned by Facebook).

Website: https://signal.org/ | iPhone download | Android download (or search Signal in the App/Play Store)

Price: Free

Phone plan

2degrees $19 monthly plan


What: 1.25 GB carryover data (hotspotting – using your phone’s data on your laptop – included), 200 carryover minutes, unlimited texts to New Zealand and Australia. Unlimited calling to 2degrees mobiles.

Why: Free calling to your team (if they’re also on 2degrees), no contracts, one hour of free data a day, and unused minutes/data roll over to the next month.

Website: https://www.2degreesmobile.co.nz/mobile/prepay/

Price: $19/month/phone. If you need more minutes the $40/month plan has unlimited minutes and 4GB carryover data.

Expense tracking

Expensify


What: “Expensify is the world’s leading application for expense management, receipt scanning, and business travel. Snap a photo of your receipt using SmartScan and Expensify takes care of the rest.”

Why: Create expense reports by taking photos of receipts. The Expensify robots automatically grab the merchant, cost etc. from the photo. Apps for iPhone and Android and you can forward email receipts.

Website: https://expensify.com

Price: Free for 5 “smart scans” a month or a paid plan is NZD$8/person/month after a six week free trial.

Health and safety

ACC Habit at Work


What: “Use this tool to prevent and manage discomfort, pain and injury in the office environment”

Why: Home-based workers are still your workers. With a slightly old-school design this tool from ACC covers how to set up workstations properly and prevent injury.

Website: http://www.habitatwork.co.nz/index.html

Price: Free

Headspace


What: “Live a healthier, happier, more well-rested life in just a few minutes a day with the Headspace app.”

“There are a lot of unknowns in the world right now. But one thing is certain — Headspace is here for you. To help support you through this time of crisis, we’re offering some meditations you can listen to anytime.

These are part of a larger collection in the Headspace app — free for everyone — called Weathering the storm. It includes meditations, sleep, and movement exercises to help you out, however you’re feeling. It’s our small way of helping you find some space and kindness for yourself and those around you.”

Why: Headspace brings mindfulness meditation, including specific COVID-19 resources, to your pocket in these uncertain times.

Website: https://www.headspace.com/

Price: There is a free version, or Headspace Plus is USD$12.99/month after a one week free trial.

NZLS Legal Community Counselling Service


What: “Anyone who works in a legal workplace can contact Vitae if they want to access the Legal Community Counselling Service.

The Law Society has engaged Vitae to provide short-term, solution-focussed counselling by trained and accredited clinicians (counsellors, psychologists or psychotherapists). The service is individual and confidential.”

Why: Free, professional, independent counselling. Your practising certificate fees fund this. Available to lawyers and law firm staff.

Website: https://www.lawsociety.org.nz/practice-resources/practising-well/legal-community-counselling-service

Price: Free (two to three sessions).

Get extra technology

Noel Leeming, JB Hi-Fi, The Warehouse and other retailers can now sell essential items online, like phones, computers, headsets and printers. PB Tech is selling monitors.

Destroy confidential documents

DIY

If you don’t have a shredder, save up documents until you’re back into the office.

If there’s no safe place to store them, and you’re not collecting your mail you could mail them to your PO Box.

Manage your mail

NZ Post business mail redirection

You can’t do it now as PostShops are closed, but if there’s another lockdown, redirect your business mail to where you will be. For personal mail you can set up a redirection online.

Price: $130 for two months (business).

Forward your faxes

Your multifunction device/photocopier probably has an option to forward your faxes to an email address automatically (but you may not be able to activate this remotely). Google the model number and a phrase like ‘fax to email’.

Hide your phone number

Man holding phone
Photo by NordWood Themes on Unsplash

Using your personal phone? See the Privacy Commissioner’s page on hiding your phone number (e.g. from clients) when making calls. Doesn’t work for text messages.

Updated 19 April 2020: Added Secured Signing.

Secret SIS Search Warrants and Telco Data Retention

This phone is tapped

The SIS and police confiscated digital devices belonging to former Fijian cabinet minister Rajesh Singh last week “in connection with an alleged plot to assassinate Fiji’s leader Voreqe Bainimarama”.

A woman from the SIS turned up with three plain clothed police officers and said she had a search warrant. But she couldn’t show Rajesh it or give him a copy because it was classified. Because you know, wanting to know why people are raiding your house is a completely unreasonable request.

Idiot/Savant asks why, if the alleged plot was actually reasonable, was Rajesh or someone else not arrested. @civillibertynz points out that this secret warrant wouldn’t even need to be presented in court later on.

The laptop and phone were returned later in the day, presumably after being copied. I wonder if the SIS are allowed to install spyware?

Data retention by NZ telecom providers

I also wonder whether they needed physical access to the phone for what they were looking for. Telecom companies here are very vague about how long they keep user data for. It doesn’t seem like customer facing staff (and thus customers) are generally privy to the period of time information is actually kept.

Telecom says text message content is stored for two to three months. Vodafone says up to six months. 2degrees said six months, but that the technical team could access archives further back than that (a detail I wonder if others didn’t mention).

I requested my data from 2degrees and they sent me every text message I had sent involving 2degrees (18+ months’ worth), including nine months of text messages I had sent to 2degrees customers when I was on another network.

I wonder whether in practice this Telecommunications Information Privacy Code rule is being followed:

“A telecommunications agency that holds telecommunications information must not keep that information for longer than is required for the purposes for which the  information may lawfully be used.”

I understand that there’s no legal requirement for telcos to keep a hold of this data at all (section 40).

Whose interests are being served by keeping information for such an unnecessary amount of time, especially when customers have no idea it’s happening?

And whose interests are being served when a secret search warrant is served on an ex-foreign cabinet minister in relation to a dubious overseas assassination plot?

Image credit: tenaciousme

I Know What You Downloaded Last Summer

YouHaveDownloaded.com
I'm a good boy.

YouHaveDownloaded.com

An interesting site popped up near the end of last year called YouHaveDownloaded.com. You might not have visited it, or even heard of it, but if you’ve been using torrents, it might have heard of you.

The site is quite simple: it tracks torrents and the people (IP addresses) downloading them, much like copyright holders do (or hire companies to do for them). They claim to be tracking roughly 4%-6% of all torrent downloads and 20% of torrents from public trackers, like The Pirate Bay.

The difference to the copyright holders is that this site makes the information it collects public. You can see what it thinks the IP address you’re using has been used to torrent, or any other IP address you can think of. It might not be right, or it might be spot on.

This site just highlights what is going on all the time. Torrenting is a very public activity unless you’re making an effort to protect your privacy (like using a proxy or VPN from a reputable provider). Privacy is not the default on the interwebs.

IP addresses are more like PO Boxes than physical addresses — most people have dynamic IP addresses that regularly change, and add in the fact that some people have insecure Wi-Fi, the results on the site aren’t that accurate.

The site brings up an interesting statistic, especially if it’s true: “About 10% of all online shoppers, in the US, are torrent users as well.” In the future, will advertisers link an IP’s torrenting history to an advertising profile? Is this already happening?

The removal form

The site provides a form that supposedly enables people to request removal from the site. Don’t use it.

Previously it asked people to sign in using their Facebook accounts, and the CAPTCHA to get to the non-Facebook removal form didn’t work (ie. they wanted to link your data with a real name, cue warning bells). Now it seems like Facebook has revoked their access to use Facebook logins (they say Facebook logins are “Temporarily disabled due problems with Facebook”), so it brings up the removal form, which asks for a name and an email address.

I’m not saying this is what the people behind the site are doing, but this would be all the information they would need, in addition to the information they have on torrents associated with your IP address, to send an extortionate email your way. Or sell your data (probably not to copyright holders, because they hire people to do this for them already).

Here’s what their removal terms are (and yeah, the rest of the site is worded like this too):

“Removal Terms
The Details: By submitting a request to have your download activity removed from our database, you are acknowledging that the activity was, in fact, carried out by yourself. This means that you are only submitting a request to have the details of your own personal activity deleted. Any unrecognized activity, such as files you did not download or do not remember downloading, are not — I repeat, are not to be included in your removal request. Why is this imperative? Well, we actually don’t have to explain ourselves…sorry.

The important part is that you understand these terms and conditions before hitting that beautiful button that will erase your criminal back ground, at least for now. Wait, you did remember to read these terms before making the decision to submit a removal request, right? Of course you did, everyone reads the fine print.

Other Important Things to Consider: We make no guarantees that your information will not appear on any other databases. We may have erased your bad behavior but, keep in mind that your data on this site is aggregated public domain. So, if by chance, another sadistic group of people decides to open a similar web site, we have no control over what they do with your information. Furthermore, if you continue to involve yourself in activity like this, your future download history will, without a doubt, appear in our database again and we may not be as nice about it next time.

If any part of these terms is still unclear, please visit your local elementary school and ask to repeat grades 3 through 5.”

Giving the people or company behind the site any more information about yourself is not a good idea, even if they claim that the site is a joke and you shouldn’t take it seriously.

And anyway, if your IP address is listed on the site, it must be because of the person that used it previously. Right?

The only redeeming feature of the site? You can look up the content companies that take people to court for illegal file sharing.

Foodstuffs/New World Are Installing RFID Analytics In Their Stores

Foodstuffs/New World are using RFID technology on trolleys to track customer movement around the store.

Blue and purple RFID tag

Hi Matt,

Yes they are RFID receivers designed to pick up the signals from the front of most of our trolleys (although they are not currently active due to an issue with some of the receivers). The project is being done by Foodstuffs so that they can better understand customer movements around the store. This will enable them to design better supermarkets in the future.

Regards

>Hi
>
>I noticed Symbol(?) units installed on the ceiling in the store. I’m just curious as to what they are for. Are they using RFID technology?
>
>Kind regards
>
>
>Matt Taylor

Image credit: Tim

“Where would your government be without child porn?”

If it didn’t exist, the government would surely invent it.

Because it’s a great excuse for an internet censorship machine.

This isn’t a debate about whether child sex abuse is right or wrong. You know it’s wrong, I know it’s wrong, we all know it’s wrong. This is a debate about censorship.

Censorship causes blindness

New Zealand has an internet blacklist. A list of content that, if your internet service provider has decided to be part of the filtering project, you can’t access. Images of child sexual abuse are meant to be the only stuff blocked, but the list is secret, censorship decisions happen in private and if international experience is anything to go by, other content has a habit of turning up blacklisted.

What the filter is

Its full name is the Digital Child Exploitation Filtering System. It’s run by the Department of Internal Affairs. It’s powered by NetClean’s WhiteBox, which was supplied by Watchdog International, which “provides filtered Internet access for families, schools and businesses”.

The DIA say that they’re contractually constrained to only use the filter to block child sexual abuse material.

They say that:

“The filtering system is also a tool to raise the public’s awareness of this type of offending and the harm caused to victims. The Group agreed that this particular aspect of the filter needs to be more clearly conveyed to the public.”

So basically, it’s to make it seem like they’re doing something, because it doesn’t actually prevent people from accessing child sex abuse images.

The list is maintained by three people (pdf) (mirror), and sometimes there is a backlog of sites to investigate: “The Group was advised that the filter list comprises approximately 500 websites, with several thousand more yet to be examined.”

How it works

A list of objectionable sites is maintained by the Department. If someone using an ISP that’s participating in the filter tries to access an IP address on the filter list, they’ll be directed to the Department’s system. The full URL will then be checked against the filtering list. If the URL has been filtered, users end up at this page. The user can appeal for the site to be unfiltered, but no appeals have been successful yet (and some of the things people have typed into the appeal form are actually quite disturbing).
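The two-stage check described above, modelled as an added example (not the Department's or NetClean's code). Every host, IP address and list entry is constructed, and the URL normalisation and the "proxied" outcome for non-matching URLs are assumptions about how such a system behaves.

```python
from collections import Counter
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed filter list: reserved example domains only.
FILTER_URLS = {
    "http://listed.example/gallery/page1.html",
    "http://shared-host.example/~user7/index.html",
}

# Constructed DNS view (documentation address ranges).
HOST_TO_IP = {
    "listed.example": "192.0.2.10",
    "shared-host.example": "192.0.2.20",
    "other-site.example": "192.0.2.20",   # unrelated site on the same shared IP
    "unlisted.example": "198.51.100.5",
}


def normalise(url):
    """Canonical form used for the exact URL match (an assumption)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.lower()}://{host}{path}{query}"


def resolve(url):
    """Destination IP for a URL, or None when the host is unknown."""
    addr = HOST_TO_IP.get(urlsplit(url).hostname or "")
    return ip_address(addr) if addr else None


NORMALISED_LIST = {normalise(u) for u in FILTER_URLS}
# Stage 1 only knows IP addresses: every IP that hosts a listed URL.
DIVERTED_IPS = {ip for ip in (resolve(u) for u in FILTER_URLS) if ip is not None}


def decide(url):
    """Return 'direct', 'proxied' or 'blocked' for one HTTP request."""
    dest = resolve(url)
    # Stage 1 (at the ISP): only traffic to a listed IP is sent to the Department.
    if dest is None or dest not in DIVERTED_IPS:
        return "direct"
    # Stage 2 (Department's system): the full URL is compared with the list.
    if normalise(url) in NORMALISED_LIST:
        return "blocked"      # user sees the blocking page
    return "proxied"          # diverted and inspected, but passed on


def summarise(urls):
    """Count outcomes over a batch of requests."""
    return Counter(decide(u) for u in urls)


# Constructed sample requests.
SAMPLE_REQUESTS = [
    "http://unlisted.example/",
    "http://listed.example/gallery/page1.html",
    "http://LISTED.example/gallery/page1.html",
    "http://listed.example/about.html",
    "http://other-site.example/news",
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(f"{decide(request):8} {request}")
    print(dict(summarise(SAMPLE_REQUESTS)))
```

The "proxied" rows are the point: requests for unlisted pages, including an unrelated site that shares an IP address with a listed one, still pass through the Department's system.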

Is my internet being filtered?

The internet of 2.2 million ISP clients is being filtered.

It’s voluntary for ISPs to participate in because it wasn’t introduced through legislation; however, big ISPs are participating:

  • Telecom
  • TelstraClear
  • Vodafone
  • 2degrees

Others are:

  • Airnet
  • Maxnet
  • Watchdog
  • Xtreme Networks

I assume, for the ISPs providing a mobile data service, the filter is being applied there too.

Why the filter is stupid

Child pornography is not something someone stumbles upon on the internet. Ask anyone who has used the internet whether they have innocently stumbled upon it. They won’t have.

It’s easy to get around. The filter doesn’t target protocols other than HTTP. Email, P2P, newsgroups, FTP, IRC, instant messaging and basic HTTPS encryption all go straight past the filter, regardless of content. Here’s NetClean’s brochure on WhiteBox (pdf), and another (pdf). Slightly more technical, but still basic tools like TOR also punch holes in the filter. The filter is not stopping anyone who actually wants to view this kind of material.

A much more effective use of time and money is to try to get the sites removed from the internet, or you know, track down the people sharing the material. Attempts to remove child sex abuse material from web hosts will be supported by a large majority of hosts and overseas law enforcement offices.

It is clear that the DIA don’t do this regularly. They’re more concerned with creating a list of URLs.

From the Independent Reference Group’s December 2011 report:

“Additionally 18% of the users originated from search engines such as google images.”

Google would take down child sex abuse images from search results extremely fast if they were made aware of them. And it is actually extremely irresponsible for the DIA not to report those images to Google.

Update: The DIA say they used Google Images as an example, and that they do let Google know about content they are linking to.

“The CleanFeed [the DIA uses NetClean, not Cleanfeed] design is intended to be extremely precise in what it blocks, but to keep costs under control this has been achieved by treating some traffic specially. This special treatment can be detected by end users and this means that the system can be used as an oracle to efficiently locate illegal websites. This runs counter to its high level policy objectives.” Richard Clayton, Failures in a Hybrid Content Blocking System (pdf).

It might be possible to use the filter to determine a list of blocked sites, thus making the filter a directory or oracle for child sex content (however, it’s unlikely people interested in this sort of content actually need a list). Theoretically one could scan IP addresses of a web hosting service with a reputation for hosting illegal material (the IWF have said that 25% of all websites on their list are located in Russia, so a Russian web host could be a good try). Responses from that scan could give up IP addresses being intercepted by the filter. Using a reverse lookup directory, domain names could be discovered that are being directed through the filter. However, a domain doesn’t have to contain only offending content to be sent through the DIA’s system. Work may be needed to drill down to the actual offending content on the site. But this would substantially reduce the effort of locating offending content.

Child sex abuse sites could identify DIA access to sites and provide innocuous images to the DIA and child sex abuse images to everyone else. It is possible that this approach is already happening overseas. The Internet Watch Foundation who run the UK’s list say in their 2010 annual report that “88.7% of all reports allegedly concerned child sexual abuse content and 34.4% were confirmed as such by our analysts”.

Someone could just use an ISP not participating in the filter. However people searching for this content likely know they can be traced and will likely be using proxies etc. anyway. Using proxies means they could access filtered sites through an ISP participating in the filter as well.

It is hard (practically, and mentally) for three people to keep on top of child sex abuse sites that, one would assume, change locations at a frequent pace, while, apparently, reviewing every site on the list monthly.

The filter system becomes a single point of attack for people with bad intentions.

The DIA, in their January 2010 Code of Practice (pdf) even admit that:

  • “The system also will not remove illegal content from its location on the Internet, nor prosecute the creators or intentional consumers of this material.” and that
  • “The risk of inadvertent exposure to child sexual abuse images is low.”

Anonymity

The Code of Practice says:

“6.1 During the course of the filtering process the filtering system will log data related to the website requested, the identity of the ISP that the request was directed from, and the requester’s IP address.
6.2 The system will anonymise the IP address of each person requesting a website on the filtering list and no information enabling the identification of an individual will be stored.”

“6.5 Data shall not be used in support of any investigation or enforcement activity undertaken by the Department.” and that

“5.4 The process for the submission of an appeal shall:
• be expressed and presented in clear and conspicuous manner;
• ensure the privacy of the requester is maintained by allowing an appeal to be lodged anonymously.”

Anonymity seems to be a pretty key message throughout the Code of Practice.

However…

In response to an Official Information Act request, the DIA said:

“When a request to access a website on the filtering list is blocked the system retains the IP address of the computer from which the request originated. This information is retained for up to 30 days for system maintenance releases and then deleted.” [emphasis mine]

Update: The DIA says that the IP address is changed to 0.0.0.0 by the system.

The site that people are directed to when they try to access a URL on the blacklist (http://dce.net.nz) is using Google Analytics. The DIA talk the talk about the privacy and anonymity around the filter, but they don’t walk the walk by sending information about New Zealand internet users to Google in the United States. It’s possible this is how the DIA gets the data on device type etc. that they use in their reports. Because anyone can simply visit the site (like me, just now) those statistics wouldn’t be accurate.


From the Independent Reference Group’s August 2011 (pdf) minutes:

“Andrew Bowater asked whether the Censorship Compliance Unit can identify whether a person who is being prosecuted has been blocked by the filtering system. Using the hash value of the filtering system’s blocking page, Inspectors of Publications now check seized computers to see if it has been blocked by the filtering system. The Department has yet to come across an offender that has been blocked by the filter.”

I’m not exactly sure what they mean by hash value, but this would seem to violate the “no information enabling the identification of an individual will be stored” principle.

Update: They are searching for the fingerprint of content displayed by the blocking page. It doesn’t seem like they could match up specific URL requests, just that the computer had visited the blocking page.

And, from the Independent Reference Group’s April 2011 (pdf) minutes:

“For all 4 of the appeals the complainant did not record the URL. This required a search of the logs be carried out to ensure that the site was correctly being blocked.”

Appeals are clearly not anonymous if they can be matched up with sites appellants have attempted to access.

Update: The reviewers look at the URLs blocked shortly before and after the appeal request to work out the URL if it isn’t provided.

9000 URLs!

The DIA earlier reported that there were 7000+ URLs on their blacklist. This dropped to 507 in April 2011, 682 in August 2011, and 415 in December 2011. Those numbers are much closer to the 500 or so URLs on IWF’s blacklist.

Where did these 6500 URLs disappear to (or, more accurately, why did they disappear)? What was being erroneously blocked during the trial period? Or was 7000 just a nice number to throw around to exaggerate the likelihood of coming across child sex abuse images (though, even with 7k sites, the likelihood still would have been tiny)?

Scope creep

Firstly, we weren’t going to have a filter at all:

‘“We have been following the internet filtering debate in Australia but have no plans to introduce something similar here,” says Communications and IT minister Steven Joyce.

“The technology for internet filtering causes delays for all internet users. And unfortunately those who are determined to get around any filter will find a way to do so. Our view is that educating kids and parents about being safe on the internet is the best way of tackling the problem.”’

Then it was said that:

“The filter will focus solely on websites offering clearly illegal, objectionable images of child sexual abuse.”

and

“Keith Manch said the filtering list will not cover e-mail, file sharing or borderline material.” [emphasis mine]

One would assume from “images of child sexual abuse” that they would be, you know, images of children being sexually abused. However, it seems that CGI and drawings (Hentai) have made the list.

From the minutes of the Independent Reference Group’s October 2010 meeting:

“Aware that the inclusion of drawings or computer generated images of child sexual abuse may be considered controversial, officials advised that there are 30 such websites on the filtering list [that number is now higher, 82 as of December 2011]. Nic McCully advised that officials had submitted computer generated images for classification and she considered that only objectionable images were being filtered.”

The arguments around re-victimization kind of fall apart when you’re talking about a drawing.

And from the borderline material file:

“The Group was asked to look at a child model website in Russia. The young girl featured on the site appears in a series of 43 photo galleries that can be viewed for free. Apparently the series started when the girl was approximately 9 years old, with the latest photographs showing her at about 12 years old. The members’ part of the site contains more explicit photos and the ability to make specific requests. While the front page of the website is not objectionable, the Group agreed that the whole purpose of the site is to exploit a child and the site can be added to the filter list.”

Clearly illegal, objectionable images of child sexual abuse? No, but we think it should be filtered so we went and did that.

Dodgy DIA

The DIA was secretive about the filter being introduced in the first place. Their first press release about it was two years after a trial of the system started. I wonder how many of those customers using an ISP participating in the trial knew their internet was being filtered during that time?

The Independent Reference Group is more interesting than independent. Steve O’Brien is a member of the group. He’s the manager of the Censorship Compliance Unit. To illustrate this huge conflict of interest, he is the one who replies to Official Information Act requests about the filter. Because the Censorship Compliance Unit operate it.

“The Group was advised that the issue of Steve O’Brien’s membership had been raised in correspondence with the Minister and the Department. Steve O’Brien offered to step down if that was the wish of the Group and offered to leave the room to allow a discussion of the matter. The Group agreed that Steve O’Brien’s continued membership makes sense.” [emphasis mine]

That was the only explanation given. That it makes sense that he is a member. Of the group that is meant to be independent.

Additionally, the DIA seems to have accidentally deleted some reports that they should have been keeping.

From Tech Liberty:

“Last year we used the Official Information Act to ask for copies of the reports that the inspectors [have] used to justify banning the websites on the list. The DIA refused. After we appealed this refusal to the Ombudsman, the DIA then said that those records had been deleted and therefore it was impossible for them to give them to us anyway. The Department has an obligation under the Public Records Act to keep such information.

We complained to the Chief Archivist, who investigated and confirmed that the DIA had deleted public records without permission. He told us that the DIA has promised to do better in the future, but naturally this didn’t help us access the missing records.”

List review

The Code of Practice says:

“4.3    The list will be reviewed monthly, to ensure that it is up to date and that the possibility of false positives is removed. Inspectors of Publications will examine each site to ensure that it continues to meet the criteria for inclusion on the filtering list.”

It’s unlikely this actually happens.

Here are some statistics on how many URLs have been removed.

December 2011
267 removed

August 2011
0 removed

April 2011
108 removed

It’s impossible that between April and August there were no URLs to remove.

In the Independent Reference Group’s December 2011 report it seemed like the following was included because it happens so rarely:

“The list has been completely reviewed and sites that are no longer accessible or applicable (due to the removal of Child Exploitation Material) have been removed.”

The Independent Reference Group has the power to review sites themselves. But in at least one case, they chose not to:

“Members of the Group were invited to identify any website that they wish to review. They declined to do so at this stage.”

 

The filter isn’t covered by existing law and didn’t pass through Parliament. Appropriate checks and balances have not taken place. The DIA did this on their own.

By law, the Classification Office has to publish its decisions, which they do. The DIA’s filter isn’t covered under any law, and they refuse to release their list. The DIA say that people could use the list to commit crimes, but the people looking for this material will have already found it.

What if the purpose of the filter changes? The DIA introduced it without a law change, the DIA can change it without a law change. What if they say “if ISPs don’t like it, they can opt out of the filter”? How many ISPs will quit?

The only positive is that the filter is opt in for ISPs. Please support the ISPs that aren’t using the filter. Support them when they’re accused of condoning child pornography, and support them when someone in government decides that the filter should be compulsory for all ISPs.

 

Side note: why does all of the software on the DIA’s family protection list, bar one, cost money? There is some excellent, or arguably better, free software available. There’s even a free version of SiteAdvisor, but the DIA link to the paid one. Keep in mind that spying on your kids is creepy. Talk to them, don’t spy. The video for Norton Online Family hilariously and ironically goes from saying “This collaborative approach makes more sense than simply spying on your child’s internet habits [sitting down and talking — which is absolutely correct]” to talking about tracking web sites visited, search history, social networking profiles, chat conversations and then how they can email you all about them. Seriously. Stay away.

Image credit: Andréia Bohner

THAT’S A RECORDING DEVICE!


Someone has finally released the teapot tapes, the recording of John Key and John Banks talking at a Newmarket café, inadvertently recorded by cameraman Bradley Ambrose. This should have happened before the election.

Stuff are probably referring to the partial phone number John Key gives out when they say the authenticity of the tape is confirmed by information in the tape.

Here’s Steven Price on why it’s okay to link to.

Apparently police want to talk to six people who were in the café during the talk, because, you know, they probably recorded the conversation as well! (Or they can provide better details than the camera footage the police have?)

Mirrors: YouTube, SoundCloud and here.

Highlights:
(first four based on XboomcrashbangX’s comment on YouTube)

2:40 National Party are working with someone they would rather not. They are careful not to mention who.

4:08 A lot of Winston Peters’ constituents/supporters will have died.

6:10 John Key purposely doesn’t text John Banks so that it appears they are not working too closely, so they can say that they haven’t been in contact.

6:52 Don Brash is a strange fellow.

7:22 Is that yours? That’s a recording device!

7:40 What’s that? Someone’s recording device. Let’s take it with us.

10:30 It’s right here and it’s still going. [something about turning it on/off.] Take the batteries out.

Image credit: Lee Jordan

Follow Up: Personal Information In Emails, Library Edition


I posted a while ago about a security issue with TelstraClear’s webmail: someone could access an email account through the referring URL gathered by the visitor analytics tools available for most websites.

This made me think about the personal information that I have in my email account.

The library here in Christchurch includes users’ addresses in the header of all emails that they send out automatically (reminders about due books, holds, etc). I gather libraries around the country do this.

This always struck me as strange, because there’s no need to include this information.

An address isn’t the most private information in the world, but if someone broke into my email account, it’s something I wouldn’t like them to have.

So I asked the library about it. Here’s their response:

“Thank you for your recent query as to why postal address details are included in Christchurch City Libraries customer email notifications.

SirsiDynix, the integrated library system provider used by Christchurch City Libraries, have responded that identical address information is shown on both notification options [email and snail mail] because the reports draw on the same User Address information. Their opinion is that modifying the script to suit emailed notices would harm the report’s ability to print the needed addresses for mailed notices.

Unfortunately in-house report customisation is not currently a viable option because of time and financial constraints but we would certainly re-evaluate should there be further customer demand. We are not aware of any likely changes to the SirsiDynix system in the near future.”

No dice.

Image credit: Fiona Bradley

The War On Youth: Pak’nSave Responds

Their reply to “Random” Pak’nSave Bag Searches. No comment on women with handbags or what happens if I did have something in my bag that I had bought from another supermarket.

Dear Matt,

I can confirm that our bag policy is applicable regardless of a customer’s age and is simply designed to prevent an ongoing shoplifting issue which we are trying to manage. We have a prominent sign in-store which clearly states that ‘We reserve the right to check all bags and may require you to leave large bags with a staff member while shopping.’

While I do appreciate having your bag checked is an inconvenience, unfortunately due to the level of shoplifting we experience in-store, it is an unavoidable part of how we are forced to do business. We would certainly prefer to not check customers’ bags but sometimes even with cameras and other security measures we are left with no option. I apologise if you felt you were unfairly treated and I hope you will continue to shop at my store.

My staff remain committed to giving our customers the best possible shopping experience, and by endeavouring to keep shoplifting to a minimum we hope we can deliver the lowest everyday prices.

Kind regards,

Steven McDonald
Owner
PAK’nSAVE Riccarton

Image credit: Naomi