Posts Tagged ‘Privacy Act’

The Impunity Files, Police Edition: Trolling for Rawshark.

datePosted on 08:37, December 15th, 2015 by Pablo

By now it is well known that in their effort to find the source of the information upon which Nicky Hager’s book Dirty Politics was based, the NZ Police searched and seized computers, phones and personal records from Mr. Hager’s home. They also intimidated Mr. Hager’s daughter (who was home at the time) by forcing her to dress in front of an officer and relinquish her personal computer. In addition, they asked a number of service providers to give them access to Mr. Hager’s personal details without a warrant or production order. Most of the service providers refused or asked for a warrant but at least one, the financial corporation Westpac, gave up eight month’s worth of Mr. Hager’s transaction records without asking the Police for a legal instrument compelling them to do so.

News of this caused a brief furore amongst civil libertarians, privacy advocates, some journalists and a few business people. But as with much that the Police does that is borderline in terms of legality, the issue soon dropped from the public eye. Few if any follow ups have been published and for all intents and purposes the Police have emerged unscathed from yet another episode of operating with impunity and contempt for the law.

I have had opportunity to review Police documentation regarding the case released under Discovery (79 pages in total). Readers are invited to read the full dossier released by the High Court over at Scoop, which also has an interesting newspaper story detailing the genesis of the investigation into Mr. Hager.

Much in the Police documents is redacted but there is plenty to consider nevertheless. In the spirit of public interest journalism (although I am not a journalist by training, inclination or employment), I have decided to add a bit more to the public domain on this case. As it turns out, the Police did more than ask various service providers to give them access to Mr. Hager’s private information, and they got things rolling just before and then accelerated  the investigation very quickly after a complaint was laid about the source of the material from which Dirty Politics was constructed (the infamous or heroic hacker known as Rawshark, depending on how you view things).

On August 22, 2014, amid the sequels to the publication of Dirty Politics and the speculation as to the identity of the hacker who accessed the information from a notorious right-wing blogger that detailed his unsavoury connections to government officials and corporate interests, Rawshark tweeted what most observers saw as a satirical or diversionary tweet saying that s/he was on vacation in Vanuatu. Rather than take it with a grain of salt, and after the blogger formally complained on August 25, 2014, the NZ Police fired up their investigative resources and on September 18, 2014 a detective constable by the name of Rachelle (I shall leave her last name out), who was assigned to the case by a superior named Simon (again, I shall leave his surname out for the moment), telephoned Immigration New Zealand (INZ) for information on all NZ residents and citizens who had traveled to Vanuatu around that time.

I should note that this very same detective Simon was the police officer who made the “enquiry” of Westpac about Mr. Hager’s financial details on September 24, 2014. In the days that followed the Police were able to obtain detailed information on Mr. Hager’s property holdings from Wellington City Council as well as full details of his Westpac bank accounts and credit cards. Although some of this information was available through the Council web site, on at least one occasion detective constable Rachelle was able to obtain information directly from the Council without a warrant or production order (this information is available on pages 25-26  of the Discovery documents that I have read. (KEB Vol 4 Part 1C file pages 1468-69).

One has to wonder what relevance Mr. Hager’s property valuations and rate payments have with regard to the search for Rawshark. If the figures were obtained for a future asset seizure in the event Mr. Hager is found guilty of a crime, we have to remember that he has not been charged, much less convicted of any such thing. A search for aspects of his worth with an eye to future seizure implies a presumption of guilt on the  part of the Police before any charges have been laid against Mr. Hager. To say the least, that is a perversion of natural justice.

During the September 18, 2014 conversation with detective constable Rachelle, a female senior INZ officer replied that it would be difficult to compile a list of all New Zealanders who traveled to Vanuatu during the referenced time period because INZ only had data on those who traveled directly to Vanuatu from NZ and did not hold information on those who may have stopped off elsewhere (such as Fiji) on their way to the holiday destination. She sent the Police an OIA form to fill out (which was completed and returned that day) in order to assist the INZ side of the investigation. A day later, on September 19, 2014, she emailed detective constable Rachelle and wrote that there was nothing more that INZ could do “on their end” and suggested that the Police “might want to try Customs.”

That was a good tip.  Detective constable Rachelle noted then that she would speak to someone at Customs who was working on organised crime to find out the best source for that information. On September 23, 2014, after approaching NZ Customs, the NZ Police received from them spreadsheets containing the names of 2500 NZ citizens or residents who travelled directly from NZ to Vanuatu in the two weeks prior and after August 22, 2014. The spreadsheets were then sent to an officer Nichola (again, no last name needs to be published at this time) “at intel to see what plan we can come with in relation to analysing this information.”

The passenger information was presumably sourced from Air Vanuatu and/or Air New Zealand, who code share the three weekly flights between Auckland and Port Villa. No warrant or production order was issued for the release of this information, and it is unclear as to who and how Air Vanuatu and/or Air New Zealand were approached, or whether they were approached directly at all. This information is detailed on pages 70-71 (KEB Vol 4 Part 1C file pages 1525-26) of the Police documents released under Discovery in the case Mr. Hager has brought against them.

It is unclear whether the Police ever came up with a plan to analyse the personal information of the 2500 NZ citizens and residents that flew to Vanuatu from NZ in the two weeks before and after August 22, 2014. What is clear is that it was done, at a minimum, in violation of the Privacy Act because the data was obtained without a warrant or production order. Moreover, it is not clear what was ultimately done with the information about the 2500 people whose details were obtained by the Police. Was it analysed? Did any of it lead to further inquiries or action? Was it stored? Was it destroyed? Was some records kept and others not? The bottom line is that this information was obtained based upon a “courtesy” request, not a lawful order, and was part of a trolling exercise that began before a complaint was laid and not as a result of specific or precise information related to the Hager investigation. Both procedurally and substantively, obtaining this travel-related data of 2500 NZ citizens and residents was unlawful.

Given that Rawshark appears to be a pretty savvy hacker who knows how to cover his/her tracks, it is arguable that any of the 2500 people whose privacy was violated by Customs and the Police (and perhaps Air Vanuatu and/or Air New Zealand) had anything to do with obtaining the material for Dirty Politics. Beyond the issue of what was done with their personal information, the question is whether they have been told by any of these agencies about their records being accessed. After all, they have nothing to fear if they have nothing to hide, so it would seem natural that the Police and/or the other entities involved in the privacy breach would let the 2500 travellers know that their private records are safe. That is important because these records could well be more than passport details and could include ticket purchase location details, credit card information etc. At this point we do not know the full extent of the Police handling of this private information, but the privacy breach is a pretty big one in any event so the duty to inform those affected is great.

Published information is that the senior officer in charge of the investigation into Rawshark is Assistant Commissioner Malcolm Burgess. It appears that Mr. Burgess was contacted by email by the rightwing blogger on August 19, 2014 and immediately assigned the matter to the National Criminal Investigation Group (see the NZ Herald article on November 14, 2015 by David Fisher). That is odd because at the time no formal complaint had been made–that did not happen until August 25, 2014. In fact, it appears that an investigative plan of action was drawn up before the blogger made his formal complaint, then quickly put into action once he did.

In any case, perhaps Mr. Burgess is a “hand’s off” manager who did not know what those under him were doing, particularly detective Simon. But it would be interesting to see how he feels about the way the information on Vanuatu travellers was accessed given that it appears to have shed no light on Rawshark’s identity and seems to have violated the Privacy Act. In other words, it looks like it was a useless and illegal fishing expedition, which should be a concern for him as the senior office in charge.

I understand the importance of chasing all leads and avenues of inquiry in criminal investigations. I understand the notion of professional courtesy amongst security agencies. I understand the utility of informal agreements between government offices. I understand that institutional cultures may see legal requirement more as a challenge rather than as an obligation. I understand that sometimes investigatory overkill in one case is needed to serve as a deterrent to others who might seek to pursue similar courses of action.

But I also know, from both my academic writing on democratic governance and my professional experience while working in security branches of the US government, that at its institutional core democracy is about self-limitation and the universal rule of law, to which can be added the bureaucratic axion “CYA.” Yet when it comes to the NZ Police in this case and others, it seems that an institutional culture of impunity far outweighs respect for the self-limitations imposed by law when it comes to decision-making on matters of policy and operations.

Perhaps the Privacy Commissioner and other civil rights groups might want to take another look into this case because it is not just Mr. Hager who has had his rights violated by the Police investigation into Rawshark’s identity (in what to my mind is more a case of journalistic intimidation rather than a legitimate investigation into criminal wrong-doing). As much as I would like to believe that the Independent Police Conduct Authority (IPCA) would seize the opportunity to examine the particulars that I have outlined, its track record suggests otherwise.

One thing is certain: there are 2500 people in NZ who got a lot more than they bargained for when they booked direct flights to Vanuatu in the middle of last year.