Passwords and Devices at NZ Borders

The New Zealand Customs Service has released a discussion paper [PDF] regarding a review of the Customs and Excise Act 1996.

The paper proposes an amendment of the Act to give Customs personnel the power to require people to disclose passwords to their electronic devices when entering New Zealand, with failure to do so in the absence of a reasonable excuse would be an offence punishable with three months imprisonment. The rationale is that the power would be useful in 'helping detect objectionable material' and 'evidence of other offending, such as drugs offences'. It would also allow officials to verify an individual's travel plans, given that tickets and booking details are often held on computers and smartphones.

Officials would also be authorised to compel people to empty their pockets, currently not permitted unless those officials have "reasonable cause". The discussion paper indicates that it is rare for people to refuse to empty their pockets when asked, but "even a small proportion of people refusing to do so can present a significant threat to New Zealand".

Interestingly, enterprises would be permitted to hold their business records overseas with prior approval by Customs, something that would make it easier for "trusted businesses" to take advantage of overseas cloud computing services.

The paper states

When Customs does examine a person’s electronic device, the owner is not legally obliged to provide us with a password or encryption key to access the device. We have found that it is relatively uncommon for someone to refuse to provide this, but if they do refuse it can mean we have no way of uncovering evidence of criminal offending even when we know the device does hold this evidence.

If a person refuses to provide access, it is likely that Customs will seize the device for forensic examination and not return it immediately to the owner (unless there is nothing to suggest the device contains prohibited material). However, some devices cannot be accessed and examined by our Electronic Forensics Unit without password or encryption access. If Customs cannot require access to an electronic device, it is not possible to treat the device in the same way that we treat the examination of accompanying baggage. This undermines the purpose of examining electronic devices and is a barrier to us effectively investigating and prosecuting criminal offending.

The Anti-Money Laundering and Countering Financing of Terrorism Act 2009 empowers us to require a person to provide access (such as passwords, codes and encryption keys) to an electronic device in relation to the movement of cash in breach of that Act. The Search and Surveillance Act also imposes this obligation on owners of devices where a search is performed under that Act; however, searches under that Act usually take place only if criminal offending is suspected.

The paper goes on to discuss options -

Our preferred solutions

Examining electronic devices: Explicitly include electronic devices in the scope of routine baggage searches This option would include an explicit reference to electronic devices in the new Act. Customs officers would continue to be able to examine electronic devices as part of a routine baggage search (if required), but there would be greater transparency for the public. This option would continue the practice of performing an initial examination on electronic devices without a threshold having to be met. This would confirm that Customs treats electronic devices and their content in the same way as physical goods accompanying a person across the border. In our view, this would allow us to adapt to changing technology and new methods of concealing prohibited material, such as objectionable material.

This option would also continue the practice of only performing full forensic examinations of electronic devices and copying the material when evidence of prohibited material or illegal activities is discovered on the device. The search is then escalated to a full forensic search of the device (see the diagram on page 133 for the current escalation process). This aligns with our personal search powers, where there may be an escalation from a routine baggage search to a personal search.

Customs does not examine the content of electronic devices outside of a routine baggage or personal search, and this would not change under this option.

This option is consistent with similar powers available to customs agencies in Australia, Canada, the United States and the United Kingdom. However, developing law in other countries is beginning to place greater weight on the privacy implications associated with information contained on electronic devices, including at the border.

Passwords and encryption: Require a person to provide a password or encryption key on request

Under this option, a new power would be included in the new Act to authorise Customs officers to require access to an electronic device in order to examine that device effectively. Access is likely to be in the form of a password, encryption key, or identification access.

A new offence and penalty would be included for failing to provide the relevant access when required to do so.

This option is consistent with the powers that Customs has under the Search and Surveillance Act 2012, and also the Anti-Money Laundering and Countering Financing of Terrorism Act 2009, to require people to provide access to an electronic device. It also aligns with comparable countries, such as Australia, the United States, Canada and the United Kingdom.

Other solutions we are considering

Examining electronic devices: Allow for the examination of electronic devices but with a threshold

This option would include an explicit reference to electronic devices in the new Act, as with our preferred option for examining electronic devices. But it would only allow Customs officers to examine electronic devices once a threshold has been met (rather than as part of a routine baggage search).

It is likely that this threshold would be similar to that currently provided for invoking our personal search powers, which is a reasonable suspicion that a person is hiding certain material on or about their person. In this case the threshold could instead be reasonable suspicion that an electronic device holds certain material. We believe that having a threshold that must be met before we can examine an electronic device does not allow us to meet the changing risks that electronic goods pose at the border. Under this option, electronic devices would not be treated in the same way as physical goods accompanying a person across the border; instead they would be treated in the same way as people suspected of hiding prohibited goods on their person.

A more practical alternative may be to limit a threshold to escalated searches. For example, a preliminary or cursory search of a device could be conducted as part of a routine baggage search, but any further search, such as cloning, forensic analysis, and copying of the content on the device, could be subject to a threshold. This threshold would probably be based on what material is found on the device during the preliminary examination.

Passwords and encryption: Apply the Search and Surveillance Act to Customs’ powers to examine electronic devices

This option would extend the scope of section 130 of the Search and Surveillance Act 2012 to apply to Customs’ examinations of electronic devices at the border. That particular section places a duty on a person to assist with access to an electronic device when required to do so by an officer exercising a search power that relates to data held on the device. This section does not currently apply to Customs’ examination of goods powers.

This option would extend section 130 to cover whichever option is adopted for the examination of electronic devices. This would enable Customs to require a person to provide the relevant access to the electronic device without the need for a separate provision in the Customs and Excise Act.

The offence for failing to comply with this obligation without reasonable excuse would also apply, and, if convicted, the person would be liable to a maximum prison term of three months.

Reporting requirements also accompany the search powers in the Search and Surveillance Act: any person who exercises a warrantless search power (such as searching an electronic device) must report in writing on the search as soon as practicable. Customs’ chief executive would also be required by that Act to report on the exercise of these powers in every annual report to Parliament under this option.

However, these reporting requirements would create unrealistic obligations for Customs, as there could potentially be electronic device examinations a number of times each day. When the Search and Surveillance Act was passed, Parliament deliberately did not extend that Act to all of Customs’ powers because the border environment is unique. If this option is adopted it may be possible to exclude the reporting requirements from Customs’ use of this power.

Status quo

Retaining the status quo would mean that Customs would be hampered in responding to changing risks related to technology. Because the Customs and Excise Act does not explicitly refer to electronic devices, it can be difficult for the public to identify when Customs can search these devices.

This option would not restrict Customs from continuing to examine electronic devices as part of routine baggage searches at the border. But we would not have the power to require a person to provide access to that device, and there could be a lack of transparency for the public.

Currently, there are costs and other impacts associated with us not being able to require access to electronic devices, both for Customs and for the device’s owner. These include: prolonged questioning by Customs officers; devices being seized for extended periods; and Customs being unable to examine the devices efficiently to identify evidence of criminal offending. In some cases, searches may be escalated unnecessarily because a person has refused to provide a password.

Who would be affected by change

The issue of access to electronic devices mainly affects international air passengers.

Most people voluntarily give Customs access to their electronic device when requested, and options involving legislative change would target the handful of people who refuse to provide access. However, the number who refuse may increase as technology continues to develop.

Customs recognises that accessing a person’s smartphone or laptop can be a sensitive and personal matter, as many people will have personal items such as family photos or emails on their devices. The options we have identified raise issues of individual privacy and the need for protection against unreasonable search, and those considerations need to be balanced against the need to protect the community from harm.

Whichever option is adopted, the power to examine electronic devices will continue to be constrained by the protection in the New Zealand Bill of Rights Act 1990 against unreasonable search. The collection or use of any personal information will also continue to be governed by the Privacy Act 1993. Specifically, personal information collected from electronic devices will be used only for the purposes for which it was collected. This is achieved by limiting any initial examination to a cursory screening, rather than a full forensic analysis.

Kraus

I shudder to think what Karl Kraus would have made of the following abstract

The implicate or quantum connectivity of the coevolving phenomena of the cosmos, the ontohermeneutic complementarity relations between ourselves and the vast and minute systems we coconstitutingly participate, observe, prolong, and contextualize, and the eco-reciprocities among all forms of life afford us an understanding of ourselves as fractal or microcosmic embodiments and performances of what is irreducibly nondual anthropo-cosmogenesis. And if cosmogenesis is a self-referential process having nothing external to itself from which to obtain gain or satisfaction, we may analogously interpret our noninstrumentalizing contemplative experiences in complete attentiveness without regard to external payoffs as the fractal play of its creatively emergent self-delighting anthropocosmic self-awareness in the human dimensionality. Our attentive, noninstrumentalizing, and nonobjectifying contemplativity aconceptually presences connectivity and reciprocity in an aperspectivally transparent enactment of anthropocosmic ongoing-wholing whose meaning is the being of its own self-delighting. The sustainability of cocreative anthropocosmogenesis on Earth flourishes where our conduct and intrinsically rewarding contemplativity are consonant with and recreate the spontaneous coevolutionary play of intrinsically rewarding creatio continua unreduced, unobstructed, unfragmented, and uneclipsed by partial, excessively dualizing perspectives and related efforts for extrinsic gain.

Bugs in the beef

'Global trends in antimicrobial use in food animals' by Thomas P. Van Boeckel, Charles Brower, Marius Gilbert, Bryan T. Grenfell, Simon A. Levin, Timothy P. Robinson, Aude Teillant and Ramanan Laxminarayan in (2015) Proceedings of the National Academy of Science comments

Demand for animal protein for human consumption is rising globally at an unprecedented rate. Modern animal production practices are associated with regular use of antimicrobials, potentially increasing selection pressure on bacteria to become resistant. Despite the significant potential consequences for antimicrobial resistance, there has been no quantitative measurement of global antimicrobial consumption by livestock. We address this gap by using Bayesian statistical models combining maps of livestock densities, economic projections of demand for meat products, and current estimates of antimicrobial consumption in high-income countries to map antimicrobial use in food animals for 2010 and 2030. We estimate that the global average annual consumption of antimicrobials per kilogram of animal produced was 45 mg.kg, 148 mg.kg, and 172 mg.kg for cattle, chicken, and pigs, respectively. Starting from this baseline, we estimate that between 2010 and 2030, the global consumption of antimicrobials will increase by 67%, from 63,151 ± 1,560 tons to 105,596 ± 3,605 tons. Up to a third of the increase in consumption in livestock between 2010 and 2030 is imputable to shifting production practices in middle-income countries where extensive farming systems will be replaced by large-scale intensive farming operations that routinely use antimicrobials in subtherapeutic doses. For Brazil, Russia, India, China, and South Africa, the increase in antimicrobial consumption will be 99%, up to seven times the projected population growth in this group of countries. Better understanding of the consequences of the uninhibited growth in veterinary antimicrobial consumption is needed to assess its potential effects on animal and human health.

 The authors note that

Antimicrobials are used in livestock production to maintain health and productivity. These practices contribute to the spread of drug-resistant pathogens in both livestock and humans, posing a significant public health threat. We present the first global map (228 countries) of antibiotic consumption in livestock and conservatively estimate the total consumption in 2010 at 63,151 tons. We project that antimicrobial consumption will rise by 67% by 2030, and nearly double in Brazil, Russia, India, China, and South Africa. This rise is likely to be driven by the growth in consumer demand for livestock products in middle-income countries and a shift to large-scale farms where antimicrobials are used routinely. Our findings call for initiatives to preserve antibiotic effectiveness while simultaneously ensuring food security in low- and lower-middle-income countries. 

Sharing

'Does Sharing Mean Caring? Regulating Innovation in the Sharing Economy' by Sofia Ranchordas in (2015) Minnesota Journal of Law, Science & Technology comments 

Sharing economy practices have become increasingly popular in the past years. From swapping systems, network transportation to private kitchens, sharing with strangers appears to be the new urban trend. Although Uber, Airbnb, and other online platforms have democratized the access to a number of services and facilities, multiple concerns have been raised as to the public safety, health and limited liability of these sharing economy practices. In addition, these innovative activities have been contested by professionals offering similar services that claim that sharing economy is opening the door to unfair competition. Regulators are at crossroads: on the one hand, innovation in sharing economy should not be stifled by excessive and outdated regulation; on the other, there is a real need to protect the users of these services from fraud, liability and unskilled service providers.

This dilemma is far more complex than it seems since regulators are confronted here with an array of challenging questions: firstly, can these sharing economy practices be qualified as "innovations" worth protecting and encouraging? Secondly, should the regulation of these practices serve the same goals as the existing rules for the equivalent commercial services (e.g. taxi regulations)? Thirdly, how can regulation keep up with the evolving nature of these innovative practices? All these questions, come down to one simple problem: too little is known about the most socially effective ways of consistently regulating and promoting innovation. The solution of these problems implies analyzing two fields of study which still seem to be at an embryonic stage in the legal literature: the study of sharing economy practices and the relationship between innovation and law in this area.

In this article, I analyze the challenges of regulating sharing economy from an ‘innovation law perspective’, i.e., I qualify these practices as innovations that should not be stifled by regulations but should not be left unregulated either. I start at an abstract level by defining the concept of innovation and explaining it characteristics. The "innovation law" perspective adopted in this article to analyze sharing economy implies an overreaching study of the relationship between law and innovation. This perspective elects innovation as the ultimate policy and regulatory goal and defends that law should be shaped according to this goal. In this context, I examine the multiple features of the innovation process in the specific case of sharing economy and the role played by different fields of law. Electing innovation as the ultimate policy target may however be devoid of meaning in a world where law is expected to pursue many other — and often conflicting — values. In this article, I examine the challenges of regulating innovation from the lens of sharing economy. This field offers us a solid case study to explore the concept of "innovation", think about how regulators should look at the innovation process, how inadequate rules may have a negative impact on innovation, and how regulators should fine tune regulations to ensure that the advancement of innovation is balanced with other values such as public health or safety. I argue that the regulation of innovative sharing economy practices requires regulatory "openness": less, but broader rules that do not stifle innovation while imposing a minimum of legal requirements that take into account the characteristics of innovative sharing economy practices, but that are open for future developments.

Data Protection

'The Trouble with European Data Protection Law' by Bert-Jaap Koops in International Data Privacy Law (Forthcoming) comments

The trouble with Harry, in Alfred Hitchcock’s 1955 movie, is that he's dead, and everyone seems to have a different idea of what needs to be done with his body. The trouble with European data protection law is the same. In several crucial respects, data protection law is currently a dead letter. The current legal reform will fail to revive it, since its three main objectives are based on fallacies. The first fallacy is the delusion that data protection law can give individuals control over their data, which it cannot. The second is the misconception that the reform simplifies the law, while in fact it makes compliance even more complex. The third is the assumption that data protection law should be comprehensive, which stretches data protection to the point of breaking and makes it meaningless law in the books. Unless data protection reform starts looking in other directions — going back to basics, playing other regulatory tunes on different instruments in other legal areas, and revitalising the spirit of data protection by stimulating best practices — data protection will remain dead. Or, worse perhaps, a zombie.

Healthcare IoT

The thin 'The Healthcare Internet of Things: Rewards and Risks' by Jason Healey, Neal Pollard and Beau Woods for the Atlantic Council and Intel Security [PDF] comments

The Internet of Things (IoT) of digital, networked technology is quickly moving to the forefront of society, the global economy, and the human experience.

The IoT sometimes refers to colossal, impersonal concepts like connecting electricity grids to the Internet for economic or environmental considerations. But the IoT can be intensely personal as well. In the world of healthcare, software engineers are weaving networked medical devices into the fabric of the IoT. These devices, which can be worn or even implanted inside the body, are used to medicate, treat diseases, and maintain general health and wellness.

This report, a collaboration between Intel Security and Atlantic Council’s Cyber Statecraft Initiative at the Brent Scowcroft Center on International Security, explores security risks and opportunities that networked medical devices offer to society. It also provides recommendations for industry, regulators, and medical professionals to maximize value to patients while minimizing security risks arising from software, firmware, and communication technology across these devices.

Individuals wear networked devices to learn more about themselves, their diet, their exercise regimen, and their vital signs. Doctors can adjust and optimize implanted medical devices, such as pacemakers, quickly and accurately— and often with no need for intrusive medical procedures. In hospitals, new devices network to provide more effective and less expensive monitoring and treatments. According to one estimate, these technologies could save $63 billion in healthcare costs over the next fifteen years, with a 15-30 percent reduction in hospital equipment costs.

The analysis in this report draws attention to the delicate balance between the promise of a new age of technology and society’s ability to secure the technological and communications foundations of these innovative devices. The rewards of networked healthcare come with four main overlapping areas of concern, including accidental failures that erode trust. Should any high-profile failures take place, societies could easily turn their backs on networked medical devices, delaying their deployment for years or decades. Protecting patient privacy and sensitive health data is a second immediate concern, as malicious online hackers consider healthcare information especially valuable. A case in point: the number of information security breaches reported by healthcare providers soared 60 percent from 2013 to 2014—almost double the increase seen in other industries—according to PricewaterhouseCooper’s (PwC) Global State of Information Security Survey 2015.

Intentional disruption is also a concern because networked medical devices face the same technological vulnerabilities as any other networked technology. Hacktivists, thieves, spies, and even terrorists seek to exploit vulnerabilities in information technologies (IT) to commit crimes and cause havoc. However, when a networked device is literally plugged into a person, the consequences of cybercrime committed via that device might be particularly personal and threatening.

Even more dangerous than the potential for targeted killings, though also far less likely, is the threat of widespread disruption. Theoretically, a piece of targeted malware could spread across the Internet, affecting everyone with a vulnerable device. Such a scenario has materialized in business IT and industrial control systems; the sophisticated Stuxnet attack against Iran’s nuclear program is one example of this.

The current focus in medical device development and production is on manufacturers’ preferences and patients’ needs. Industry and government should also focus on implementing an overarching set of security standards or best practices for networked devices to address underlying risks.

Several recommendations will help foster innovation while minimizing security risks. This report makes the case that industry must build security into devices from the outset, rather than as an afterthought. As McAfee’s then-CTO Stuart McClure testified before the US House Committee on Homeland Security in 2012, “Cybersecurity has to be baked into the equipment, systems and networks at the very start of the design process.”

The report recommends continued improvements to private-private and publicprivate collaboration. More coordination, not more regulation, is warranted. Regulators do not always keep pace with technological progress. They should have feedback from a full set of stakeholders through transparent collaborative forums that assure the regulator’s independent functioning without creating concerns of collusion with industry. Likewise, industry officials should continue to improve communication among themselves.

The ultimate aim of enhanced cooperation is to change the current approach to the security elements of these devices. Security considerations, along with the devices’ ability to improve patients’ lives, must become an integral part of the process of conceiving and manufacturing these devices.

The report also recommends an evolutionary change to the regulatory approval paradigm for medical devices in order to encourage innovation while meeting regulatory policy goals and protecting the public interest. Some medical device makers continue to push old technologies and resist innovation because they know regulators will approve the old technology. A more streamlined regulatory approval process could remedy this problem. An improved process should encourage security by design, as well as the ability to patch systems after they are deployed.

Lastly, this report recommends an independent voice for the public, especially patients and their families, to strike a better balance between effectiveness, usability, and security when devices are implemented and operated.

Red Tape Rhetoric

Under the rubric 'Reinventing the approach to regulation' the Australian Government Annual Deregulation Report 2014 states

For a long time there has been a concern within the Australian community that businesses, community organisations, families and individuals are being burdened with unnecessary regulation. Between 1990 and 2013, the Commonwealth Parliament created an average of 170 new acts each year. The proliferation of new laws has produced too high a compliance burden on the community. Although it is important to note that the Commonwealth Parliament is not the sole rule maker in Australia, clearly the Commonwealth has a major role to play in addressing community concerns and perceptions. 

The need for cultural change 

As part of a comprehensive response to tackling Australia's economic and fiscal challenges, the Coalition Government committed to a concise plan to reduce the regulatory burden and change the culture towards regulation in government and the community. This plan to boost productivity and reduce regulation aims to strike the best balance between necessary and appropriate regulation that supports markets, innovation and investment in the economy while also strengthening the efforts of the Government to remove costly red tape where it is unwarranted or unnecessary. 

The Government's plan entails a number of commitments to directly improve the development, administration and assessment of regulation and to establish processes to reduce the overall red tape burden. These include:

• relocating the Government's deregulation functions to the Department of the Prime Minister and Cabinet (PM&C) so that reducing red tape becomes a high policy priority;

• a clear measurable commitment to reduce the cost to businesses, community organisations, families and individuals of complying with Commonwealth regulations by new decisions totalling at least $1 billion annually; 

• setting aside at least two full parliamentary days each year which are dedicated to repealing counterproductive, unnecessary or redundant legislation; 

• undertaking a stocktake to assess the overall stock of Commonwealth regulations; establishing Ministerial Advisory Councils (MACs) for each portfolio Minister to consult on deregulation; 

• providing incentives to motivate the Australian Public Service (APS) to cut red tape, such as linking remuneration of senior executive service (SES) public servants to quantified and proven reductions in regulations; 

• improving Australian Government regulatory gate keeping requirements, including the introduction and compliance with a requirement that all submissions to Cabinet must be accompanied by a Regulation Impact statement (RIs); 

• establishing deregulation as a standing item on the Council of Australian Governments (COAG) agenda; and 

• clarifying the Government's expectations for each regulator and establishing a Regulator Performance Framework to assess and audit the performance of individual regulators.

In addition to these overarching changes, the Government also made a number of specific, substantive commitments to reduce regulation in particular areas. These have included:

• abolishing the Carbon Tax to ease the administrative burden of taxation compliance for Australian business and households while continuing to reduce growth in emissions; 

• repealing the Minerals Resource Rent Tax to remove the significant administrative and compliance burden on mining companies, including those not even liable for the tax; 

• reducing the red tape burden on business by removing the requirement for employers to be the paymaster in the Paid Parental Leave scheme and instead make payments through the Department of Human services; 

• reduce the compliance costs for small business financial advisers and consumers who access financial advice; streamlining grant application processes; and 

• establishing a One-stop shop for environmental approvals.

Since coming to office, the Government has also committed to the general principle that Australia should adopt international standards and risk assessments to reduce the need for duplicative Australian approvals when products or services have already been approved by trusted overseas regulators. The changes, which were announced as part of the Government's Industry Innovation and Competitiveness Agenda in October 2014, are aimed at removing duplication and reducing delay for Australian businesses and consumers. To monitor progress in meeting its red tape objectives, the Government pledged to detail its progress in an annual report on deregulation to the Parliament. This report provides an overview of the Government's progress against these commitments in 2014.4