Legal Beagle by Graeme Edgeler

Legal Beagle: Crowdsourcing Project Cortex

43 Responses

  • Graeme Edgeler,

    You'd have thunk, for a blog post I specifically asked for comments in, that I'd remember to turn comments on.

    Wellington, New Zealand • Since Nov 2006 • 3215 posts

  • Alex Coleman,

    Wellington • Since Nov 2006 • 247 posts

  • linger, in reply to Graeme Edgeler,

    thunk = the sound your brain makes when you try to make it do anything in the wee small hours. (Hence also references to Cortext protection; Protect Cortext.)

    More seriously – now look out for these organisations to hurriedly update their terms and conditions…

    Tokyo • Since Apr 2007 • 1944 posts

  • Ian Dalziel,

    Hmmm Cortex, a few thoughts….

    Cortex sounds similar to Gore-Tex©
    - blocks transit of hard water in, yet allows vapour out…
    okay, maybe a stretch….
    (and we all know John Key swears by PTFEs as well as PPPs.
    PTFE expands to Polytetrafluoroethylene – which makes Key’s favourite compound – itself an anagram of ‘no left’ – spooky!!)

    and here’s hoping it’s not impacting the ‘core business’ of Auckland-based web application developers – er, Cortex…

    Anatomically a cortex is just an outer layer – so it’s much like the other ‘thin skinned’ responses from this government, then.

    Jagose’s ‘jargon’, referring to ‘Cortex products’ tries to reinforce Key’s earlier assertions that Cortex is just a ‘Norton’s Anti Virus’ kinda thang…
    They may have our backs, (and back-ups), but who has theirs?

    I note the National Party – despite all its high flying corporate connections, only has a privacy policy and doesn’t mention ‘monitoring for public good’ in any way.

    National respects your privacy.
    We endeavour to take all reasonable steps to keep secure any information that you submit to this website. Information you submit may be used for site customisation.
    By becoming a web user, subscribing to email newsletters, submitting comments, or contacting us via the site, you agree to receive emails from the National Party or its elected representatives. You can opt out of email newsletters by using the unsubscribe link at the bottom of each email.

    Christchurch • Since Dec 2006 • 7953 posts

  • Graeme Edgeler, in reply to linger,

    (Hence also references to Cortext protection; Protect Cortext.)

    I typed that pretty much every time, and did correct a lot of them, but it was after midnight, and I had to get up at 5:00am!

    Wellington, New Zealand • Since Nov 2006 • 3215 posts

  • izogi, in reply to Ian Dalziel,

    Cortex sounds similar to Gore-Tex©
    - blocks transit of hard water in, yet allows vapour out…

    Gore-Tex© also doesn’t work anywhere near as effectively as it’s marketed in typical New Zealand conditions, for what it’s worth. It’s mostly marketed and sold here because NZ just latches onto global demand trends, and it’s easier not to specialise. You can draw what metaphors from that as you will.

    Wellington • Since Jan 2007 • 1142 posts

  • Bill Eaton,

    IRD T&C and Privacy Policy seem quite clear and I could not see anything like this. T&C cover:
    www.ird.govt.nz
    www.kiwisaver.govt.nz
    www.whatstax.govt.nz

    Auckland • Since Sep 2014 • 15 posts

  • Bill Eaton,

    Orcon (ISP) have wonderfully vague T&C including this labile (sic) one:

    13.6 We may appoint subcontractors to discharge any of our obligations under our Terms and Conditions
    provided that we will at all times remain primarily labile to you for those subcontractors’ acts and omissions.

    As a matter of fact, Orcon does virus screening for emails and their wide-ranging definition of network "abuse" by customers would imply a wide-ranging monitoring ability to detect and trace that.

    Auckland • Since Sep 2014 • 15 posts

  • Graeme Edgeler,

    Found one!

    While the Ministry of Defence has not met the preconditions for protection by Cortex, the New Zealand Defence Force has something. It doesn’t mention monitoring for cyber defence in particular, but I guess we can’t be too picky:

    The New Zealand Defence Force systems to which this web site connects and related equipment may be subject to monitoring.

    As have the New Zealand Army:

    The New Zealand Defence Force systems to which this web site connects and related equipment may be subject to monitoring.

    The Royal New Zealand Navy:

    The Royal New Zealand Navy systems to which this web site connects and related equipment may be subject to monitoring.

    And the Royal New Zealand Air Force:

    The New Zealand Defence Force systems to which this web site connects and related equipment may be subject to monitoring.

    Along with both the Cadet Forces and Veterans Affairs.

    Wellington, New Zealand • Since Nov 2006 • 3215 posts

  • Alfie,

    Vodafone possibly uses Cortex – section 3 of their Privacy policy.

    3. Sharing your information
    There may be times when we need to disclose your personal information to third parties (some of which may be based outside of New Zealand). If we do this, we will only disclose your information to:

    Much of this section contains some pretty broad strokes and Cortex could almost be covered by the general “suppliers” clause.

    3.2 those who provide to us or our group companies products or services that support the services that we provide, such as our dealers and suppliers;

    But 3.9 is probably the relevant section.

    3.9 anyone who assists us in protecting the operation of the Vodafone networks and systems, including the use of monitoring and detection in order to identify potential threats, such as hacking and virus dissemination and other security vulnerabilities;

    Do I win a kewpie doll or something?

    Dunedin • Since May 2014 • 1440 posts

  • Graeme Edgeler,

    Find one, and then Google does your work for you!

    Two further possible Cortex-protectees:

    The Charities Service!
    And
    The New Zealand Debt Management Office!

    Similar language appears in the Privacy Statement on the website of The Maori Land Court which says "The Ministry of Justice systems to which this web site connects and related equipment may be subject to monitoring." The Ministry of Justice website states, however, that the monitoring done is Google Analytics.

    Wellington, New Zealand • Since Nov 2006 • 3215 posts

  • Graeme Edgeler,

    And more:

    There is language sufficient to fulfil the precondition about disclosure of monitoring at the National Infrastructure Unit within Treasury, but not Treasury itself.

    And the Energy Safety unit within Worksafe NZ says "WorkSafe New Zealand systems to which this website connects and related equipment may be subject to monitoring." However, Worksafe NZ disagrees, carrying no language capable of fulfilling the disclosure pre-condition, as does the Ministry of Business, Innovation and Employment of which both are a part.

    Wellington, New Zealand • Since Nov 2006 • 3215 posts

  • Idiot Savant,

    AgResearch is a no (note: I did not have written permission for that link; Public Address may wish to delete it to avoid packs of rabid AgResearch lawyers trying to enforce the world's most stupid website TOU)
    Landcare is a no.
    NIWA is a no (also here)
    Plant & Food is a no.
    GNS doesn't even appear to have a privacy statement.
    Scion is a no.
    Callaghan Innovation is a no.

    So much for "research institutions".

    Palmerston North • Since Nov 2006 • 1717 posts

  • steve black,

    If I take a strict reading of what we are supposed to be told in the terms and conditions:

    You’ll be told that your communications will be screened or may be screened for cyber defence purposes.

    and compare that to the phrasing we've seen so far

    may be subject to monitoring.

    then the sites found so far are failing to say what use the monitoring is for. What happened to the "for cyber defence purposes" guys?

    sunny mt albert • Since Jan 2007 • 116 posts

  • Graeme Edgeler, in reply to steve black,

    compare that to the phrasing we’ve seen so far

    may be subject to monitoring.

    then the sites found so far are failing to say what use the monitoring is for. What happened to the “for cyber defence purposes” guys?

    They are indeed. I wonder if there is any agency that is as explicit as Ms Jagose implied they need to be as a precondition to receiving cyber protection services from the GCSB as part of Cortex? My guess is probably not.

    Wellington, New Zealand • Since Nov 2006 • 3215 posts

  • Mark Robinson,

    The Aotearoa People's Network which provides free WiFi through Public Libraries has required acceptance of conditions including "monitoring" for years.

    NZ • Since Nov 2013 • 2 posts

  • Alex Coleman, in reply to Graeme Edgeler,

    My guess is probably not.

    I'm wondering if Paddy Gower is following this. 'You told me this, but Oh Noes', is pretty much his brand.

    Wellington • Since Nov 2006 • 247 posts

  • Frank Macskasy,

    There's this reference in Spark NZ (The Telco Formerly Known As Telecom)'s T&C;

    "The Operator and Spark Digital reserve the right to disclose end user information that it believes, in good faith, is appropriate or necessary to take precautions against liability; to protect the Operator and Spark Digital and others from fraudulent, abusive, predatory, or unlawful uses or activity; to investigate and defend against any third party claims or allegations; TO ASSIST GOVERNMENT ENFORCEMENT AGENCIES; or to protect the security or integrity of the Platform."

    Also more I've written on the subject (which may or may not be useful - especially the bit about the National Cyber Policy Office (NCPO) and something called "Connect Smart").

    http://thedailyblog.co.nz/2015/10/04/the-mendacity-of-ms-una-jagose-spymaster

    Te Whanganui-a-Tara • Since Oct 2015 • 3 posts

  • Mark Foster,

    Almost all of these generic 'you may be monitored' clauses (including the ones from NZDF and such) may simply refer to internal monitoring capabilities from within their security departments. The presence of a generic statement is not a tie to the GCSB.

    I suspect those related to agencies who routinely handle classified material may be in another class, but consider that for the ISPs and Telcos etc - many of them have internal IA capabilities who may need to monitor their services (and be disclaimed as such) to be effective. Or have I missed something?

    Auckland • Since Oct 2015 • 4 posts

  • BenWilson,

    Um...presumably you're all joking? Because:

    In terms and conditions of use, for example.

    is not the same as "In the terms and conditions of use, period". You can't infer the absence of Cortex from absence of the terms and conditions saying so. That's even if you're going to hold someone's casual statement in an interview as some kind of binding contract. Someone in the job of professional spying...just the kind of person I'd be trusting to tell the truth, the whole truth and nothing but the truth, right? And even then, she carefully caveated it with "for example". If you weren't told in the terms and conditions, but instead some other completely unspecified way, how could you ever prove it had never happened? And whose head would it be on anyway?

    By all means attempt to find the reach of Cortex by examining terms and conditions. I think you will discover nothing. Some will tell you you're being spied on. Others will not tell you, but do it anyway. Others won't be doing it, even though they might claim to be. How could you ever know the truth of the matter? Can we even claim that our definitions of the terms are sufficiently tight that there even is a truth to the matter?

    But this is a meme, right? I'm spoiling the gag...sorry..as you were.

    Auckland • Since Nov 2006 • 10657 posts

  • Graeme Edgeler, in reply to BenWilson,

    Um…presumably you’re all joking? Because:

    In terms and conditions of use, for example.

    According to Jagose's speech, an organisation obtaining the capability must consent to receiving it – and ... advise those who interact with their computer systems (staff, customers) that their communications may be accessed for cyber security purposes...

    Now, I am a person who has interacted with DPMC computer systems, I have sent emails to the DPMC, and I have used the content submission forms on the DPMC website. If they have informed me that my interactions with their systems may be accessed for cyber security services, I have missed it. If they are going to do this, there aren't many options: it could be in their terms and conditions; it could be in their privacy policy, it could be a note on the page of the form you fill in to submit a query, but it has to be somewhere. And it's in none of those places.

    If such advice isn't somewhere where I, as a person who has interacted with their computer systems, can see it, I am having difficulty seeing how they can have met the pre-condition for access to Cortex. They are required to advise those who may interact with their computer systems that their communications may be accessed for cyber security purposes.

    Now, with some organisations, there is a lack of clarity because the terms may be silent, and maybe they've got Cortex, and just haven't said. But many of the agencies I've looked at aren't in that position. For example, with the DPMC, we're not just dealing with silence. The DPMC have a privacy policy in which they state that they do not disclose personal information voluntarily provided to them with any third parties. Use of Cortex in the way described by Jagose in her interview with Patrick Gower on The Nation is inconsistent with that.

    Now, is it possible that either Jagose was misleading us, or the DPMC is misleading us in its privacy statement? Of course. How would I know? But whether this blog post is pointing out the absurdity of Cortex not protecting the DPMC, or if it is pointing out that the DPMC etc. are lying by providing a privacy statement which forswears use of Cortex, or if it is pointing out that Jagose is wrong when she described the pre-conditions of the use of Cortex, I'm pretty happy with it, because those seem to be the only options.

    You're right that I'm not going to be able to use this process to know which one of those three options is correct, but that one of them is true is noteworthy enough.

    Wellington, New Zealand • Since Nov 2006 • 3215 posts

  • Frank Macskasy, in reply to BenWilson,

    Ben, what's your alternative solution?

    Te Whanganui-a-Tara • Since Oct 2015 • 3 posts

  • Sacha,

    Interesting question. Welcome Frank.

    Ak • Since May 2008 • 19745 posts

  • Frank Macskasy,

    Thanks, Sacha.

    Te Whanganui-a-Tara • Since Oct 2015 • 3 posts

  • Bill Eaton,

    Well, it has been interesting looking. Who knew there is a website called protectivesecurity.govt.nz ? There is a search box there that does not know about "cortex". There is a 562 page Information Security Manual there. All quite "open" really if probably outdated already. You are in a maze of twisty little passages...

    Auckland • Since Sep 2014 • 15 posts


This topic is closed.