Gav's Blog

She knows there’s no success like failure, and that failure’s no success at all.

Archive for the ‘privacy’ tag

NZ Post steps well over the line with survey

without comments

Yesterday I received NZ Post’s infamous survey in the post and was staggered at the depth of questions it was asking. I still have not decided on the most appropriate form of response to NZ Post using said survey. In the meantime, I have raised a number of issues with the Minister for State Owned Enterprises, Simon Power, about what I believe is a very inappropriate survey being undertaken by an agency of the Crown. The Privacy Commissioner also recently released a media statement on the survey. I see ConsumerNZ has also come out against the survey.

To: The Honourable Simon Power, Minister for State Owned Enterprises (s.power@ministers.govt.nz)
Copied: Commerce Commission (info@comcom.govt.nz), Office of the Privacy Commissioner (enquiries@privacy.org.nz)

As the Minister for State Owned Enterprises, I wish to register with you my distaste at the current business tactics of New Zealand Post. The New Zealand Post survey, whilst not illegal from a privacy perspective, is highly inappropriate for an agency of the Crown. State Owned Enterprises (SOEs) should not be collecting any more information than is required to undertake their business with citizens of New Zealand.

I wish to raise the following issues for you to consider and take action to resolve:

1. NZ Post is using trust as a competitive advantage

NZ Post is promoting itself as a ‘trusted’ organisation that places itself at a competitive advantage over other businesses that may be attempting to collect the private information of New Zealand citizens. E.g.

Taken from The New Zealand Post survey – privacy policy.

“We are a trusted New Zealand organisation who touches thousands of New Zealanders every day. To protect the privacy and confidentiality of your personal information we always ensure that our policy and processes comply with the following…”

Yet at the top of the same page…

“By undertaking the New Zealand Post Survey, you and your partner’s name and contact details may be provided to organisations from New Zealand and overseas…”

How can we trust NZ Post if they have openly stated that they will provide information to organisations overseas? Surely that is a breach of trust in an agency of the Crown?

I believe it is highly inappropriate for NZ Post to be using its privileged SOE position to be undertaking such an invasive survey. Many Kiwis may implicitly trust NZ Post more than any other commercial entity undertaking the collection of personal information for marketing purposes – and this may result in a higher number of survey returns. Kiwis should have the expectation that agencies of the Crown will not undertake such activities and only focus on their core business.

2. NZ Post is leveraging their delivery network in an anti-competitive manner

Any of NZ Post’s competitors that want to undertake the same survey would have to pay for postage and delivery using NZ Post’s network. My understanding is that only NZ Post has the reach for mail delivery to undertake a survey of this extent. I am assuming that NZ Post is undertaking this survey at cost or cheaper, effectively leveraging their existing mail delivery infrastructure. This may place NZ Post in the position of being the only NZ organisation that could actually afford to undertake such an endeavour. I believe this is anti-competitive as NZ Post is making use of an effective postal monopoly to undertake this survey, greatly reducing the costs they would have to pay when compared to other New Zealand businesses – a number of which exist in the Direct Marketing industry, and would no doubt love to enjoy the advantages that such a rich database of private information about Kiwis would provide for direct marketing purposes.

In light of these issues, I believe that as Minister for State Owned Enterprises, you should direct NZ Post to stop collecting private information for the sole purpose of direct marketing. In addition, all information that has already been collected should be destroyed.

This is not an activity that State Owned Enterprises should be using their privileged, trusted and often monopolistic positions to be undertaking. It gives them an unfair competitive advantage over other New Zealand businesses that operate in this and related areas (to be clear – none of which I have interests in).

I look forward to a timely response in this matter.

Yours sincerely,

Gavin Treadgold

Written by Gavin Treadgold

July 23rd, 2009 at 11:29 am

Posted in politics


I expect more from engineers

without comments

I find it hard to believe that the Institution of Professional Engineers in New Zealand is actually silly enough to promote the use of GPS technology to track vehicles and use that to institute user-pays billing on our roads. I have no problem with finding ways to deal with traffic congestion, and getting more people out of cars and into other forms of transport where possible and appropriate. But my problem is this.

The institution has released a report saying change is needed to the system where motorists pay for road use with a flat-rate excise tax. The report advocates the use of GPS systems to gather information on vehicle movements and charge accordingly. (from above linkie)

The privacy issues with GPS are a mile wide. To be able to implement congestion charging, which is often based on managing peak traffic at certain times, it is necessary to know exactly where a car is, and at what time – the basic information stored in a GPS tracklog. To be able to bill the driver, would this then mean that a GPS unit in a car is going to have to collect and send this information to some billing server that is able to process it, analyse location and time, and from that produce the bill? Of course, this data would then likely have to be kept in case of any billing disputes – which means what is potentially very private and sensitive data is not going to disappear any time soon.

Of course, it may spur a whole lot of interest in DIY GPS jammers. In the meantime, you may want to check out a previous article I wrote on protecting your privacy with GPS tracklogs. GPS units produce private data, and the proposal from IPENZ is nothing more than a lame technical solution that shows a complete disregard for privacy.

Note – this has been written based only on news reports and not reading the IPENZ report in depth. Either it hasn’t been posted on their website yet, or it has only been made available to IPENZ members. I have emailed their media contact, but haven’t heard back yet.

Written by Gavin Treadgold

June 28th, 2008 at 8:20 pm

Posted in GPS


Protecting your privacy uploading tracklogs to public sites

with 2 comments

I have become interested in the ways that you can protect potentially private or sensitive information that may be contained in tracklogs uploaded to any public site. I am primarily writing this article from an OSM perspective, but it is really valid for any site that you may upload a tracklog to.

A GPX tracklog consists of a lot of sections of code that look something like this – a trackpoint.

<trkpt lat="-43.502053000" lon="172.576317000">
<ele>16.480000</ele>
<time>2008-05-06T08:37:46Z</time>
</trkpt>

A trackpoint contains two key pieces of information – the time (in UTC – the Z after the time refers to this), and the location in latitude and longitude. A whole pile of these trackpoints are then added together to produce a tracklog. This of course presents a privacy risk as anyone that has access to the tracklog might be able to assume that the person that uploaded the tracklog was at that location at the time specified. And with GPS, this can be recorded to a high level of accuracy.

So, what we need to do is look at ways to protect some of this information. I’ll write here about two techniques that I have used to protect information in tracklogs by editing them before uploading them to public websites. For most public websites, the most important information is location, and time is less important. So we need to take a two-pronged approach to tracklog privacy protection.

1. Delete track points that we might have privacy concerns with.
2. Remove timestamps that we don’t want people knowing the time we were there.

Deleting Trackpoints
1. Protecting it manually. I have been using the free GPSTrackMaker to load and edit tracklogs before uploading them to OSM. This is a manual and sometimes laborious process. I use this to remove any trackpoints around the final locations of puzzles/multi-caches that I have visited, and also to remove trackpoints close to home/work/friends etc. I also use it to touch up the tracklogs, such as those areas that spray trackpoints around a wide area that don’t mean anything – such as in urban canyons in Wellington. This can result in quite a ‘rich’ tracklog, especially if you delete those areas where the trackpoints are not that accurate due to GPS signal error.

2. Automating deletion of trackpoints. There are also a number of locations that one may always want to remove from a tracklog before making it publicly available. Locations such as home and work spring to mind. I was looking for a way to automate the removal of these locations using GPSBabel. Using nothing more than co-ordinates near your home and a radius, you can easily set up a filter to remove all points that fall within the circle using the following GPSBabel command. Note that the following command is needlessly complex as a little workaround is required to use the radius filter on trackpoints (you have to convert tracks to waypoints, do the radius filter on waypoints, and then convert the waypoints back to tracks – ugly but it works).

gpsbabel -t -i gpx -f in.gpx -x transform,wpt=trk -x nuketypes,tracks -x radius,distance=0.3K,lat=-43.0,lon=172.5,exclude,nosort -x transform,trk=wpt -x nuketypes,waypoints -x track,pack,split=30m,title="LOG %Y%m%d" -o gpx -F out.gpx

It is possible to build a batch file that removes multiple locations such as home, work and friends, that requires very little input. Note that this process does not destroy the original tracklog that you keep, rather it creates a new tracklog with the sensitive data removed.

Removing Timestamps
For whatever reason, it makes some sense to also remove timestamp information from tracklogs – I won’t go into the reasons here. Here is a little unix script that I use to change the timestamp information. Usually I don’t mind people knowing what day I was somewhere, but I’m not that keen on them always knowing the time. So, I will remove either minutes/seconds, or minutes/seconds/hours and have every timestamp appear as midnight.

If you want to set it so that all times are set to the start of the hour e.g. hh:00:00, use this.

#!/bin/sh
# Round every timestamp in each .gpx file down to the start of the hour (hh:00:00Z).
for f in *.gpx; do
  case "$f" in *-clean.gpx) continue ;; esac   # skip output from an earlier run
  sed 's/:[0-9][0-9]:[0-9][0-9]Z/:00:00Z/g' < "$f" > "${f%.gpx}-clean.gpx"
done

If you want to set it so that all times are set to midnight e.g. 00:00:00, use this.

#!/bin/sh
# Set every timestamp in each .gpx file to midnight UTC (00:00:00Z), keeping the date.
for f in *.gpx; do
  case "$f" in *-clean.gpx) continue ;; esac   # skip output from an earlier run
  sed 's/T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z/T00:00:00Z/g' < "$f" > "${f%.gpx}-clean.gpx"
done

Naturally, this isn’t the easiest to do, but it is getting easier. It would be great if someone was able to write a tool/webpage that was able to do this sort of cleaning of tracklog data before uploading it to public websites.
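Both techniques above, the radius-based deletion of trackpoints (the GPSBabel workaround) and the coarsening of timestamps (the sed scripts), can be done in one pass on the GPX XML itself. The following is an added example, not code from the original post or from GPSBabel: it parses a GPX document, drops every trackpoint within a given distance of one or more sensitive locations, and rounds the remaining timestamps to the hour or to midnight. The sample tracklog and the HOME coordinates are constructed for illustration; the haversine distance is the standard great-circle formula on a spherical Earth, which is more than accurate enough for a few-hundred-metre exclusion radius.

```python
"""Scrub a GPX tracklog before sharing it: drop trackpoints near sensitive
locations and coarsen timestamps. Added example, not code from the original
post; the sample tracklog and the HOME location below are constructed."""
import math
import re
import xml.etree.ElementTree as ET
from datetime import datetime

EARTH_RADIUS_M = 6371000.0

# Constructed sample: four points, two of which lie within 300 m of the
# hypothetical home location HOME. Timestamps are UTC, as in a real GPX file.
HOME = (-43.5100, 172.5900)
SAMPLE_GPX = """<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.1" creator="example" xmlns="http://www.topografix.com/GPX/1/1">
<trk><name>walk</name><trkseg>
<trkpt lat="-43.502053" lon="172.576317"><ele>16.48</ele><time>2008-05-06T08:37:46Z</time></trkpt>
<trkpt lat="-43.510100" lon="172.590200"><ele>17.00</ele><time>2008-05-06T08:52:10Z</time></trkpt>
<trkpt lat="-43.512000" lon="172.591000"><ele>17.50</ele><time>2008-05-06T08:55:31.000Z</time></trkpt>
<trkpt lat="-43.520000" lon="172.600000"><ele>18.20</ele><time>2008-05-06T09:03:05Z</time></trkpt>
</trkseg></trk>
</gpx>
"""


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def coarsen_time(stamp, mode):
    """Round a GPX UTC timestamp down: 'hour' -> hh:00:00Z, 'day' -> 00:00:00Z."""
    if mode == "exact":
        return stamp
    # Accept optional fractional seconds ('...:31.000Z'), which some receivers emit.
    dt = datetime.fromisoformat(re.sub(r"(\.\d+)?Z$", "", stamp.strip()))
    dt = dt.replace(minute=0, second=0, microsecond=0)
    if mode == "day":
        dt = dt.replace(hour=0)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _gpx_ns(root):
    """Namespace URI of the document (GPX 1.0 and 1.1 differ), or '' if none."""
    return root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""


def scrub_gpx(gpx_text, exclusions, time_mode="day"):
    """Return (cleaned GPX text, number of trackpoints removed).

    exclusions: iterable of (lat, lon, radius_m); any trackpoint within
    radius_m of one of these centres is deleted. Timestamps on the surviving
    points are coarsened according to time_mode ('exact', 'hour' or 'day')."""
    root = ET.fromstring(gpx_text)
    ns = _gpx_ns(root)
    if ns:
        ET.register_namespace("", ns)  # keep the output free of ns0: prefixes

    def tag(name):
        return f"{{{ns}}}{name}" if ns else name

    removed = 0
    for seg in root.iter(tag("trkseg")):
        for pt in list(seg.findall(tag("trkpt"))):
            lat, lon = float(pt.get("lat")), float(pt.get("lon"))
            if any(haversine_m(lat, lon, clat, clon) <= r for clat, clon, r in exclusions):
                seg.remove(pt)
                removed += 1
                continue
            t = pt.find(tag("time"))
            if t is not None and t.text:
                t.text = coarsen_time(t.text, time_mode)
    return ET.tostring(root, encoding="unicode"), removed


def trackpoints(gpx_text):
    """Flatten a GPX document into [(lat, lon, time_text), ...] for inspection."""
    root = ET.fromstring(gpx_text)
    ns = _gpx_ns(root)
    tag = (lambda n: f"{{{ns}}}{n}") if ns else (lambda n: n)
    pts = []
    for pt in root.iter(tag("trkpt")):
        t = pt.find(tag("time"))
        pts.append((float(pt.get("lat")), float(pt.get("lon")), t.text if t is not None else None))
    return pts


if __name__ == "__main__":
    cleaned, n = scrub_gpx(SAMPLE_GPX, [(HOME[0], HOME[1], 300.0)], time_mode="hour")
    print(f"removed {n} trackpoints near home")
    print(cleaned)
```

Like the GPSBabel command, this writes a new document and leaves the original file untouched; keep the unscrubbed log private and publish only the output. Deleting points leaves a gap in the track segment, so a renderer will draw a straight line across the exclusion zone; if that line itself gives away the location, split the segment at the gap (the `track,pack,split=30m` step in the GPSBabel command does this on time gaps) before uploading.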

Written by Gavin Treadgold

May 12th, 2008 at 6:58 pm

Posted in GPS


Comments on Identity Verification Service

without comments

I just heard today that the Department of Internal Affairs is consulting on an opt-in single sign-on identity verification service (IVS) that may be used by government agencies to identify us online when interacting with said agencies.

I have included my submission below for reference.

We would like to know whether you are likely to use the Internet to verify your identity with a government agency.

Yes – but it must work on any operating system and web browser. I use a variety of operating systems and web browsers including:

  • Operating Systems – Apple OS X, Fedora Core Linux, and Microsoft Windows
  • Browsers – Firefox and Safari

I will not be able to use the service if it is tied to Microsoft Internet Explorer/Windows platform. I expect that all the good work that the State Services Commission has been doing on standards and interoperability will be applied to IVS as well.

We would like to hear from you regarding the type of services you might want to access that require you to verify your identity.

  • Inland Revenue for management of personal/business taxes, KiwiSaver?
  • Government Electronic Tender Service (GETS)
  • NZ Qualifications Authority for NZQA Learner’s Record
  • Local Government

We would like to know what you think of being able to verify your identity with businesses and other organisations.

I would support the service being made available to local government.

I am initially dubious about IVS being made available to businesses until such time as more details are made available. I trust the Government to run their IT systems to a higher level of security than most businesses. I am also concerned that if the IVS were made available to non-governmental users, uptake may well make the IVS more than an opt-in service – businesses may use incentives that Government cannot to strongly promote registration and use of the service.

I would however support a limited number of business sectors to utilise the IVS – in particular those that provide online financial services such as banks, fund managers and sharebrokers. It is preferable to have them using a national framework rather than having a token for each organisation AND government on my keyring. Note that this would present some risks – in particular the risk of a distributed-denial-of-service (DDOS) attack against the IVS infrastructure. If the IVS does grow to become widely used, and includes the financial sector, then a DDOS against poorly planned IVS infrastructure may have significant negative consequences – even if just in perception of the service. Naturally, as IVS grows in usage, it would have the potential to become national critical infrastructure and would need to be managed as such.

Written by Gavin Treadgold

December 4th, 2007 at 1:33 pm