Quis custodiet ipsos custodes?

by Pete

Quis custodiet ipsos custodes?  Who watches the watchmen?

It’s all a matter of trust.  (Part 1)

Trust is a big thing these days.  Information about us is recorded everywhere, often without our knowledge.  And some of it is shared.  Also without our knowledge.

Finally, some organisations actively set out to gather information from and about you, and they may not be upfront as to why they do it, what they do, and how they use the information afterward.

One area in our lives where information is just sucked out of us at a great rate of knots is through our electronic Internet-connected devices.

For example, I knowingly give Google access to all my emails, all my photos, all my contacts, because as an organisation they have told me they do it, they told me how they are going to use it, and I have the ability to remove any or all of it from their control at any time.  I also trust them to stop using my information if I withdraw it.

Similarly, I provide information to my insurance company.  They need a lot of it to assess the risk they are taking on.  I understand this.  I also understand that they will not use that information for anything other than risk assessment for my policies or generalised demographic statistical analysis.

Here is a question I’d like you to ponder:

How would you feel if The Herald, Fairfax, The Press, The Dominion Post, Mediaworks, TV3… and so on, had access to all the people in your contact list?  How about all the web sites you visit?  How about all the other software you run?  How about your bookmarks?

A few days ago the Stuff.co.nz app for Android updated, and had the following additional permissions:


I contacted Fairfax but over 48 hours later, I’m yet to get a reply.  I’m assuming they don’t want to talk about this.

My question to them was:  What is the justification for a news app to have access to a person’s browsing history and bookmarks, when the app’s purpose is to deliver news from the Fairfax news server to the user … to read?

There may be a perfectly sensible answer to this, but as they have not bothered to reply, we are left to question the purpose ourselves, and what we imagine is being done with this information may well be worse than reality.

Even so, do you trust a news gathering organisation to deal with information that you have given them access to in a way that you will be OK with?


It’s all a matter of trust.  (Part 2)

As I was already working on this story, it was rather interesting to get this from a reader:

On 3 December I joined Neighbourly.
On 10 December Fairfax announced it had bought 22.5% of Neighbourly.
On 10 December I received an email from Stuff Nation thanking me for signing up.
I haven’t joined Stuff Nation and would not.

Neighbourly tells me it must be a coincidence.

Stuff Nation hasn’t replied.

Maybe some of your readers have seen a similar coincidence?


As the people at Fairfax appear to not respond to anyone asking what they are up to with our personal data, it is starting to get to the point where we have to wonder what is going on, what the plan is, and where it is going to end?

We have seen in recent times through various court cases and other media behaviour that the likes of the NZ Herald, TV3, etc, and organisations like NZME, Fairfax and Mediaworks operate under a very specific set of rules of engagement, namely:

If the information has been legally obtained by the media organisation, then the media organisation will delve into it looking for anything of public interest.  If the information was stolen, or captured for purposes other than use by the media organisation, and in fact is clearly not to be used by the media organisation using all reasonable moral and ethical standards, then the discovery of information that is of public interest survives as the most important consideration.  Morals, ethics and privacy do not survive the public interest test.

The last 18 months or so have been as fascinating as they have been chilling for media and public alike.  We’ve seen courts tell journalists that they aren’t.  We’ve seen courts tell bloggers that they are journalists.  We’ve seen courts say journalists must reveal sources in spite of legal protections in law.   We’ve seen a process where anonymous people work hand in hand with media to publish information on the Internet, unchecked, unverified, and the media then pick it up, no matter that the information was a severe breach of privacy, and at times obtained through crime.  The mere fact it was obtained by crime makes it worthy of public interest.  Not much of a test, is it?

This against a backdrop of very loud complaints about “state powers” on surveillance being extended so the government agencies can keep a legal eye on about 80 people of concern.


It’s all a matter of trust.  (Part 3)

Would you let David Fisher have unrestricted access to your computer?   Would you let Andrea Vance have unrestricted access to your phone?

How is this any different to Fairfax clearly going down the path of obtaining your consent to access browser history and bookmarks?  They have the ability to see that you bookmarked pages on Alzheimer’s.  Or they can see you ordered an ISIS flag over the Internet (or belong to the Sex Toy of the Month club).

Do you TRUST Fairfax not to go proactively looking for things?  You have after all agreed to let them look.  It is legal.

Do you TRUST Fairfax not to use anything that they justify is “in the public interest”?


It’s all a matter of trust.  (Part 4)

Where the wheels come off is that Fairfax have not stated, in advance, what they are capturing, why, what it is being used for, how, and what happens when you stop using their app: does the information get destroyed, and so on.

By not front footing it, but instead advancing their information gathering through stealth, they fail the “Trust” test.

Your obvious remedy is to stop using the software.  Or don’t sign up to “Stuff Nation”, or other web sites.  But that doesn’t stop the advance of media organisations entering our private lives at a level that is unprecedented.  Worse, they now have access to information you may simply not understand they have access to.

This is a long bow to draw, but I want to use this example:  Say I do not run any of this software, and I have kept myself completely safe and separated from Fairfax’s attempts to get my information.  I am safe, right?

Nope.  Because in interacting with other people, I leave a digital footprint on their devices also.  And if they have allowed Fairfax access, my privacy is still in danger, especially if I am a person “of public interest”.

An example may help.  Two other Stuff Fairfax app permissions are:  See what activity is on the device, and See what apps are running.   This may be completely innocent, but in the absence of Trust, I can see a situation where I can call someone, and the phone can be queried as to who called, when and for how long  (app activity, apps that run).

Imagine John Key has an Android phone with stuff.co.nz loaded, and I don’t.  Yet if I call John Key, stuff.co.nz could conceivably know about it.

NO, I AM NOT SAYING THAT’S WHAT THEY ARE DOING.  Please refer to the “long bow to draw” caveat.  But even so, it comes down to trust.

And do you trust self-interested media organisations to deal with legally obtained information in such a way that they do not go trawling?


Fishing expeditions

Search warrants are not granted because police think it would be interesting to have a look through your home.  They need to have a reasonable suspicion.  They need to explain that to a judge.  These are the checks and balances we expect to be in place.

There is no such mechanism in place for media.   Right now, “media case law” and practices clearly show that fishing expeditions for “public interest” material through private data are completely legal.   And… they are doing it.

The only barrier is that the media organisation can’t go and start sniffing around your information without your permission.  They get around that by accessing your phone, computer, etc with your permission.  And in the event someone else obtained your private data against your will or knowledge, they can still go dig around that to see if there is anything that stands the “public interest” test.

If all that fails, they have a mechanism where they can have a hands-off relationship with someone who will publish it to the Internet.  At that point, the Public Interest case is immediately established, and everything is fair game.


Where from here?

This is where it gets tricky.   I have had access to emails that were private to someone.  They were given to me to look through because I held a genuine belief that it may back up suspicions I have about this individual breaking the law.  I didn’t steal the emails.  I don’t know if they were obtained illegally, but it is fair to say that very few people would want their emails to be “out there”, let alone in the hands of a media organisation.

I think the clear difference is how access to the private data occurs.  If the media organisation is the one doing the digging, even if it does so legally, that’s probably a step too far.   There has to be a leak or a whistle blower.  The media org should not be digging around private information looking for a story.  The story should already exist.   And the public interest test needs to be larger than “Oh, but he is a public figure, everything he does is in the public interest”.

I have no answers.  I only have problems.

And personally, I can see this getting worse before it gets better.

Quis custodiet ipsos custodes?

It appears hackers and citizen journalists are joining the throng of people searching for and through private lives to expose to the public.   The danger to journalists is that those who live by the sword may very well end up dying by the sword as their own private lives will get unpacked.   I mean, there has to be public interest about what was in the emails between Andrea Vance and Peter Dunne, right?  And what about the private emails between David Fisher and Kim Dotcom?  Public Interest Gold!

And that would be work related.  What about a journalist’s affairs?  Or drug taking.


I see a turbulent few decades coming up where we’re going to try and get our heads around the issues of privacy and the media in the Internet age.   The courts will severely lag behind in understanding the issues at hand (as we’ve seen!), and it’s going to be a mess before it gets any better.

In the meantime, you can make it harder on them by removing as much of your life from electronic devices as you can, and being extremely discerning as to “who” you let into your phone or other devices.

But to be honest, I see it as a losing battle.  With hackers in the mix, medical records, school databases and many other sources of information are accessible to anyone who has the determination to get at them.

One thing is for sure:  we cannot rely on media to have our best interest at heart when it comes to privacy.  Media and privacy are diametrically opposed.


  • Wheninrome

    I am sure Angry Andy will have something to say about this, it will make him even angrier and more finger pointy.
    We just know that the Greens and Labour would do something about this, they have said they (particularly the Greens) are opposed to surveillance of the population, so it follows they would instantly sort out this issue.
    I look forward to a Private Members Bill being extracted from the Ballot Box early next year in this regard.

  • digby

    Is this not just the media using this information to target the ads that you see on their site so they can maximise their ad revenues?

    • Excitedly awaiting Whodunnit

      That would be their angle I believe. But once they have that data who knows what else it will be used for, or sold to.

    • ex-JAFA

      That would be a legitimate use, and would be disclosed up front or promptly in response to a query about it. Instead, the silence is deafening.

      It’s only prudent to assume that you’re being asked to give them permission to trawl through your data, cross reference it with what they get from anyone with whom you’ve ever had contact, and either expose details of your life you’d rather keep private or use it as the basis for a very wonky dot-joining exercise played out for the world to see.

  • peterwn

    Some years ago, Greenpeace tried to take over our Forest and Bird. The moderates in Forest and Bird recognised the implications and stopped it happening. Imagine if Greenpeace had succeeded and in one fell swoop gained ‘members’ and membership information of F&B people who had no intention of supporting Greenpeace.

  • Davo42

    Saw that update a couple of weeks ago, permission denied. Stuff you Stuff, you can get stuffed.

    • Korau

      How can you be sure that denying permission will actually deny permission? There is malware where the pop up box gives two choices (yes and no) but both buttons lead to yes.

      I had a similar query when offered an app from my power supplier (Powershop). The permissions sought were far too wide in my opinion, so I queried the company. They replied:

      “Here’s an explanation of why we ask for these permissions.

      Storage – this is asked for so that you can modify or delete the contents of your USB storage. You can cache certain images so that they load faster for you.

      Camera – this is asked for to take pictures and videos and is required for you to turn the flashlight on and off while inputting meter readings on the device with camera flash.

      Your social information – this is asked for so that you can use your contacts to refer to Powershop through the Friend get Friend promotion. The app will only ever access your contacts if you choose to use them for this promotion.

      Your accounts (this is asked for to control things like vibration or to prevent phone from sleeping): This is required to send you push notifications for things like new Power packs, meter reading reminders, or auto payment/purchase reminders.”

      On balance I was not satisfied, so uninstalled the app.

      • Davo42

        Disabled the App to be sure.

  • Woody

    Thanks Pete for pointing out the insidious creeping imposition on our lives by stealth. I am pleased that when checking my devices, I have not installed Stuff but no doubt I have inadvertently allowed other apps similar access without being fully aware. I will be taking more note of the access being asked for in future.

  • Captain Darling

    People should worry less about the SIS and more about this insidious invasion of privacy. And this is but one example, there are probably dozens of organisations that have similar settings.

  • Sally

    Twelve months ago I uninstalled the Herald and Stuff apps. Couldn’t understand why they needed my contact database. The Herald often have competitions for free giveaways, all it is for is collecting data.
    Nowadays it pays to question why an organisation wants your email, phone number etc. It is then your decision whether to give it to them.

    • niggly

      Hmmm, so the NZ Herald and Stuff are into “big data” collections themselves.

      That sure is at odds with their hostile view of such data collection by the intelligence agencies such as the NSA and even tried to implicate this was happening by the GCSB by repeating false allegations by activists!

  • caochladh

    Various councils around Auckland were into selling data, but Len has taken it to a new level. I wonder how much cash it generates and where it shows in the revenue accounts?

  • Salacious Crumb

    This latest furore over the Sony boss’s emails shows it all up again. Where has been the narrative that these were illegally obtained ie STOLEN yet the media outlets gleefully reported them.

    If this is how it is going to be then I would love to know who in the media are doing who, who’s smoking what and how much they were backhanded to publish a story.

    After all they are in the public eye so it must be in the public’s interest. Surely?

  • Will Travers

    I briefly joined Neighbourly but left when it became apparent that they wanted my full home address and full name. Their angle was that it stops people becoming abusive. My concern was that that is a lot of personal information to be broadcasting online and holding in databases that may not be secure. Call me paranoid and I realise identity theft is rare but I will avoid increasing the risk.

    • SlightlyStrange

      I’m considering leaving Neighbourly now that it has been part-purchased by Fairfax. Their response to a local neighbour’s concerns was not convincing.

      “If any Fairfax journalist signed up to Neighbourly stumble across a thread in their neighbourhood that they think would be a good story, they’ll simply be required to contact the Neighbourly team (most likely myself) for help coordinating an interview/s.”
      Which does seem to indicate that it’s reliant on a journalist living in your neighbourhood (or wider set of neighbourhoods), which I guess technically they could have anyway. But I don’t trust them not to trawl, since they now own a chunk of the site, and so therefore “own” the data that it stores.
      I’ve not particularly gained anything from the website, I don’t know if I’ll bother staying.

  • SlightlyStrange

    From what I have gathered with that Stuff Nation email, (I didn’t get one, though I did get one from Essential Mums), it was more to do with the fact that you now have access to all sectors with one login, but it was a badly worded email – I know several other people who have had the same problem, but thankfully for them they know people inside Stuff personally, and so have managed to get an answer.
    Still, looks a doozy.
    And darn that I allow auto updates on my apps. Am off to figure out how to stop that, and to delete the stuff app.

    • johcar

      Deleting the app is a good idea – it IS Stuff, after all!!!

      As far as auto updates are concerned, if an app has changed the terms since you first installed it, the app is required to seek permission to update (which overrides the auto-update function). So you get a chance to see the new permissions you’re agreeing to…

  • niggly

    Pete – perhaps you should write to the Privacy Commission to bring it to their attention? I’m sure they would equally be concerned, but better still they would issue a formal response, which you can publish on WOBH!

  • R&BAvenger

    I had an email from Stuff but no longer log in to their website and I will certainly never be installing their app on my phone. A FREED app however, would be a different thing :-)

  • It’s not just online privacy we need to think about either; our buying history is being collected as well, which can provide a pretty accurate synopsis of our life. I read of one story where a department store knew a woman was pregnant before her father did. We wouldn’t allow the government to collect that sort of information about us without a very good clearly stated reason, but commercial enterprises do it all the time.

    • Whitey

      Oh, it gets creepier than that. I’ve heard of the store you mentioned. There were a couple of instances when the marketing department sent out targeted advertising before the woman herself knew she was pregnant.

  • Ratchette

    Two months ago I departed Heathrow Terminal 5 which has all the architectural charm of a massive cow shed, but I digress. I chose to purchase a magazine from W H Smith. There were no real people to receive payment, instead a bank of serve yourself terminals. To complete the sale I was required to scan my boarding card which of course contains personal information, passport details and more. I asked the assistant why I needed to scan the boarding pass? I received a ‘stock reply’ which proved she had no idea. I gave her the correct cash and left her to sort it out. Boots the chemist required the same procedure to purchase a bottle of water.
    Be careful out there.

  • ElZorrodePlata

    Most people just accept the warning that an application can access contacts, browsing history, etc without question. If Fairfax has an app that collects bookmarks, browsing history, and say contacts, SMS info and call history, they could create a database of people and relationships that could be used to create stories all with your permission. No laws broken, as you have agreed to submit the information. If you look at the permission warning in the body of the article, it’s requesting additional permissions, so the important question remains, what are the other permissions.

    It’s like one of the large US food producers, as a condition of using their website you waive all legal rights to sue for damages etc. So if you register on their site to obtain nutritional information about a product because you believe that it’s caused a near fatal health issue for a loved one, you have just waived all rights for any future compensation.

    Be careful what you agree to when installing an app or registering on a website!

    • Ratchette

      For a number of years I have resorted to writing letters, using faxes and actually talking to people. Writing a letter to government or council then following it up with a fax (which can be sent from your computer) produces some really interesting results. I also use cash and refuse to give my phone number or any personal details. I regularly delete Facebook (not deactivate) this might not be of any advantage to me, but I do it anyway.

      I have a ‘smart phone’ which has no SIM card. I can usually find a hot spot wherever I happen to be. I do have mobile phones (two) which I use exclusively for phone calls. The mobile phones are cast offs given to me by family members who have upgraded!

  • Wallace Westland

    I’ve seen similar permissions on various apps I use or did use.
    Once that permission appears the app is uninstalled and I don’t care what it is. I have nothing to hide; in fact my phone would bore the average person to death as would my computers.
    I resent however the implication that someone who I’ve never met can take a look at my kids photos and my holidays etc so I simply don’t let them. Ever!

  • Dave

    I agree this is the kind of thing ordinary everyday people need to worry about. Whilst the SIS will worry about foreign spies and terrorists, I can see the likes of the Horrid Herald and Stuff, and other media organisations looking through anything they like, should I “become newsworthy”. Imagine making a comment on one of their respective sites. It comes to their attention, so under the authority YOU GAVE THEM, they decide to dig to find a story. This could also become newsworthy, if you are seen shaking the PM’s hand, or assist an old lady to cross the road. The response could be very stressful and all gained legally under their terms and conditions.

    Imagine the headline. Good citizen has dark past……. Whilst Mr X skidded his truck to a halt, jumped out and assisted the old lady across the road, then helped her load her groceries into her old car, we can exclusively reveal, Mr X has a dark past. Our investigations reveal he has read WOBH 5 times in the last week, visited a banking site, placed bets on his online TAB account, and had a skype chat with a lady named Bevan.

  • Teletubby

    I am very particular about keeping my work life and private life completely separate, therefore I was surprised to recently see Facebook imploring me to be friends with several people who are business associates and whom I have no mutual FB friends. The only place I can see that FB has got the names of these people is by their app on my phone reading my contacts list. I guess I must have given the app permission to do so but surprise, surprise there doesn’t seem to be an option to rescind that permission.