From Nine To Noon, 9:09 am today
A cyber-security expert is sounding a warning about government organisations' use of a Facebook business tool, 'Workplace
The New Zealand Transport Agency has adopted Workplace by Facebook as its internal communications tool, and other
agencies, including the Social Development Ministry, are trialling it.
However, the Privacy Commissioner said those using it had to abide by strict safety rules set by the government's chief
Director of Waikato University's Cyber Security Research Lab, Doctor Ryan Ko, said while Facebook claimed to be
compliant with international standards, users could never know exactly how their data might be being harvested by the
"On [Facebook's] websites they mention they are compliant with several standards so they are accountable to several
global standards like ISO 27001 and American standards SOC 2 and SOC 3."
"But the way the data is being harvested internally can never be known directly to the users at this point because the
... software they are providing for the users, is just telling them the real-time activity monitoring and so on but
doesn't provide a full provenance of what has happened to the data of the entire lifetime, [for example] what you have
"Those things are just collected and the scary thing is when someone malicious uses the data, that's where the mess
Dr Ko said if he were in the government's shoes, he probably wouldn't be considering non-New Zealand companies for the
storage and processing of data.
"The [information] on Facebook may be housed in servers in many different countries around the world and sometimes the
exact location is not disclosed to the client so that's a problem where, because data is stored in another country, it's
under another jurisdiction."
"[That means] people such as the Privacy Commissioner and the Courts of New Zealand are limited in what they can do to
bring somebody to account so this is a problem because if technical implementation is in the cloud, it is stored all
over the world, it falls in a different jurisdiction and basically New Zealanders are sitting ducks."
However, Privacy Commissioner John Edwards told Nine to Noon there were some important differences between Facebook's
social media product and its business offering.
"Facebook is free and always will be because you're paying with your information. The other product is a commercial
product and one of a suite of cloud services increasingly being embraced not only in government but across the economy
and that's not inherently a bad thing."
Mr Edwards said public agencies should make sure they were meeting the requirements set by the government's chief
digital officer, including not to post on any public cloud service information classified above a certain security level
and also to look closely at the provider's terms and conditions.
"When my Norwegian counterpart looked at [Workplace By Facebook] in 2016 he said although [it] encourages dialogues on
terms and conditions, the standard terms are at times unclear and may allow Facebook to use personal data for commercial
"So it's really important for a company or government agency to understand what's going to happen with that data and
then to limit what can go on it according to that."
Mr Edwards said it would be utterly unacceptable for third parties to be able to access government information to assist
with lobbying or a business pitch, so it was up to agencies to do thorough due diligence and impact assessments before
using any such product.
He said organisations using the Facebook tool also had other protections besides legal ones.
"There are technical protections as well so you can enquire about how the data is stored, is it encrypted at rest, is it
encrypted in transmission, who holds the keys for that encryption."
"Those are the kinds of enquiries the government's chief digital officer invites any government agency to go through and
assess according to their risk."
Mr Edwards said a planned reform of the Privacy Act would have more focus on the obligations of agencies when they
transferred information out of jurisdiction, which meant the liability chain would be even more clearly linked back to
the New Zealand-based agency.