Gordon Campbell on MBIE’s social media scam
First published on Werewolf
Back in December 2017, MBIE signed a three-year contract worth $112,000 with the Wellington private security firm ZX
Security Ltd, to train large numbers of its staff on how to create and maintain false identities on social media - in
order to harvest information from the general public.
Reportedly, 70 staff have already been trained in these techniques, and the contract is set to run until 2021.
It would be bad enough if the security services were engaging in this kind of activity. MBIE though, has responsibility
for immigration, building and housing, energy, tourism, financial markets and competition regulation and economic
development. Given the ambit of MBIE’s work, almost any form of social activity could qualify as being part of MBIE’s
brief, so the privacy threats posed by this training programme are extensive. The current oversight safeguards seem
threadbare to non-existent.
Using fake profiles with detailed backstories suggests they are trying to capture people's private or friend-locked
information….[Under] the new "reasonable expectation of privacy" standard, [this] may also constitute a "search" under s21
of the Bill of Rights Act, and therefore be illegal without explicit statutory authority (which in turn, poses a legal
threat to every case MBIE has used such information in).
The Law Commission recommended that harvesting public information be covered by a statutory policy statement, setting
out the purposes for which it could be done. They also suggested that using false profiles to access private,
"friends-only" information be treated as a covert operation requiring a warrant. The fact that MBIE is doing this
suggests we need such regulation as quickly as possible, to restrict such government spying to proper investigative
purposes, rather than the current free-for-all.
Exactly. So far, the defences being offered by Duty Minister [and ACC Minister] Iain Lees-Galloway do not address these wider regulatory issues.
MBIE says it's all to do with online safety for workers involved in investigations and the Government says so long as
it's all above board it is sometimes necessary.
Documents show MBIE spent $112,000 on a contract with ZX Security Limited to teach staff how to take material from
online platforms like Facebook and LinkedIn, maintain multiple online personas and extract GPS coordinates from photos.
Duty Minister [and ACC Minister] Iain Lees-Galloway says sometimes going incognito is required for the job. "Government
agencies do need the ability to carry out investigations for instance, investigating tax evasion or ACC fraud," he says.
"Where investigations are being carried out, they have to be carried out in a lawful and appropriate fashion we expect
to hear back from MB once they have reviewed this work they are doing."
This ‘explanation’ is inadequate. IRD is the department funded and empowered to investigate tax evasion. How then does
IRD’s investigative unit interact with what looks like a similar (and relatively unknown tax evasion group) doing the
same thing at MBIE? As for ACC fraud… apparently, anyone seeking to befriend an ACC claimant on Facebook or LinkedIn
should now be regarded as a potential MBIE snoop engaged in analysing social media postings and scanning online photos
for GPS co-ordinates. These may (for example) reveal the injured party may have been out tramping, or engaged in other
activity that could be later used against them in the assessment of their ACC claim. Does Lees-Galloway think such
spying activity is consistent with the ACC scheme originally envisaged by Owen Woodhouse?
Too Much, Too Many
It is not as if the ZX Security training programme is coaching a small crack unit of MBIE investigators. In year one, 70
MBIE staff were trained in these undercover skills, and a four year contract has been signed for the entire programme.
By the completion date in 2021, that means MBIE would have trained 280 staff in fake social media skills that they would be
expected to use online. Even allowing for staff turnover, that can only mean that these privacy-penetrating skills
are being mainstreamed into MBIE’s general work in its areas of responsibility. Should tourists (for example) expect
that their social media posts are being watched by the Kiwi version of Big Brother, for signs they intend overstaying
their visas – and do tourists now have reason to fear that a night of revelry shared with an apparent friend online
might be used against them if they should lodge a subsequent claim for residency?
To date, Shane Jones has been the only politician to raise concerns about MBIE’s decision to train its staff in how to
fake their identities online. At the end of the month, MBIE is expected to report back on its programme.
Hopefully, MBIE’s rationale will be challenged by someone external to the organisation. MBIE can hardly be trusted as
the main evaluator of its own scheme. In the recent past, it hired the notorious Thompson + Clark security firm to
investigate those opposed to its policies, and got heavily criticised in December by the State Services Commissioner for
doing so. As RNZ reported less than a month ago:
The entire Ministry of Business Innovation and Employment (MBIE) was… found to have breached the State Services
Standards of Integrity and Conduct (code of conduct) by failing to maintain an appropriate level of objectivity and
impartiality. MBIE led the charge in a change to the Crown Minerals Act 2013 creating offences for damaging or
interfering with structures or ships being used offshore in mining activities.
The design of Operation Exploration was influenced by the concept of "issue motivated groups". The Minerals Exploration
Joint Intelligence Group (MEJIG) was set up and tasked with identifying activities that might lead to interference with offshore petroleum and minerals exploration.
Thompson and Clark was a key participant in MEJIG.
The Commissioner found that Thompson and Clark established a very close relationship with Operation Exploration and the
information it provided - particularly surveillance of Greenpeace - was most likely paid for by the private sector with
interests in petroleum and minerals exploration. The Commissioner has asked MBIE to consider whether Operation
Exploration should be discontinued and requested that the chief executive review MBIE's internal policies to ensure they
are consistent with the code.
In other words, MBIE has shown it can’t be trusted to respect free speech and/or the democratic right to protest. Surely
then, it cannot be allowed to abuse privacy on social media in the ways this training programme explicitly sets out to
do. Any costs involved in breaking the contract with ZX Security have to come out of MBIE’s own operating budget. In the
meantime…if Big Brother asks to be your friend on Facebook, it needs to tell you who it is.
Footnote One: Interesting that MBIE put the ZX Security contract up on its website a year after it was signed, and just as the SSC
released its damning report on the governmental use of private security firms. The timing looks less like transparency
than an attempt by MBIE to pre-empt a future scandal by getting the information out (a) just as the SSC hammer fell and
(b) while the media was otherwise engaged with the SSC report findings.
Footnote Two: So what is known about ZX Security? According to Deloitte, it is the 40th fastest growing company in New Zealand.
Here is its founder/CEO Simon Howard talking briefly on YouTube about the company’s use of interns.
And here is Howard again at a 2017 conference talking at much greater length about the threats posed by ransomware and phishing, and related matters.
According to its publicly available LinkedIn profile, the company’s current employees are Simon Howard, Laura-Jane
Howard, Claudio Contin and David Robinson.
Friends You Can Trust
Fake friends are no new thing. Eighty years ago, the Sons of the Pioneers were warning that this newfangled idea of
getting an old age pension could attract friends of the wrong sort:
Digital friends come and go, but there are more trustworthy alternatives. Roy Rogers, a graduate of Sons of the
Pioneers, spells out the options: