The International Working Group on Data Protection in Telecommunications is a bit of a mouthful, so it is shortened to “The Berlin Group,” referring to the Berlin Data Protection Office, which initiated the working group in 1983, and has provided its secretariat ever since.
It meets twice a year, once in Berlin, and once away, and this spring’s “away” meeting happened to coincide with the Global Privacy Summit.
The meeting begins with a round of “country reports”:
It is a genuine working group. Somehow 32 delegates from 20 data protection authorities, together with selected experts and advocates manage to work through quite complex papers to reach agreed positions on emerging privacy issues that connect with telecommunications. At this session we discussed papers on:
New Zealand proposed a paper: “Towards International Principles or Instruments to Govern Intelligence Gathering”. After input from Canada and Berlin, it was accepted at the same meeting it was proposed (reportedly only the second time in the last 10 years that a paper has done so, the other being New Zealand’s paper on Transparency Reporting in 2014). I’ll post about our paper, what it means, and what comes next, later.
Apple and differential privacy
Tuesday’s half day session began with a presentation from Apple on its “differential privacy” a mathematically and conceptually challenging system it has for getting the value of user data, without compromising privacy.
Did you ever wonder how your iPhone knew what emoji to suggest when you typed in that you were “pumped” about something? Me neither – I just made that up, but it is the kind of thing that might happen.
Your phone will contribute data to Apple’s analytics to improve predictive text, emoji recommendations or a range of other applications in ways which gives Apple very good information about trends (suddenly everyone is pumped, and using a fist emoji, for example) without collecting a creepy history of all your texts. It’s complicated. There is a differential privacy engine in your phone, which is the first filter. It’s only going to send information about a couple of autocorrects, or emojis each day. Those are hashed and randomized so that only really significant aggregate trends appear in Apple’s analytics – all the rest just drop off, or are seen as effectively statistical static. And Epsilon had a lot to do with it. (OK - I didn’t really understand).
Department of Homeland Security
I was interested in understanding the effect of President Trump’s Executive Order purporting to reverse privacy protections extended to non-US citizens and residents over many years. Section 14 of this executive order says
Sec. 14. Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
Others had told me over the last week that the drafting leaves ambiguities which are difficult to interpret, but that the practical effect of the order might not be that significant for New Zealand travellers. Others had noted that as a matter of law, a discretion that exists in a statute could not be overridden by an Executive Order and, as such, section 14 might not be enforceable.
My contacts at DHS were, as you would expect, professional, neutral and circumspect. They did note that it would be open to New Zealand to seek inclusion in the Judicial Redress Act, which is the basis under which Europeans continue to enjoy the benefits of access to remedies, including Privacy Act protections. That is something worth pursuing, and which I will look into when I get back.
The other question I had was, do New Zealanders have to give over social media account details, and passwords, when they enter the States, as some have reported? Once again – this seems to have been the topic of some panic and misreporting, since the idea was first floated by the Secretary of Homeland Security at a House Homeland Security Committee hearing on February 7, 2017.
The answer is (at this stage) “No”. Social media account information is sought on an “optional” basis on visa forms, but is not required. There is no policy requiring social media account details, or passwords, and as part of the process of assessing any such proposal the DHS would undertake a full privacy impact assessment, like this one.
All options would be on the table were such a policy to be considered. The Secretary’s comments were prompted by concerns that border officials might not have an equal quality of information about citizens from all countries.
The policy to require further information as a condition of entry might only apply to those countries for which the US authorities do not have good arrangements in place already, or could involve exempting “visa exempt” countries from any such requirement, which would include New Zealand. At this stage, there seems to be no basis for New Zealanders to delete their accounts, or be overly concerned about border officials asking to review social media history.
That being said, if you have any problems at the border, and feel aggrieved by being delayed or subjected to extra screening, you are entitled to file a complaint or enquiry via the DHS TRIP Programme.
It’s been a packed and intense schedule, and I’m looking forward to heading home tomorrow. See you next week!
Image credit: Tara Siuk via Flickr