sharetrader
  1. #1
    On the doghouse
    Join Date
    Jun 2004
    Location
    New Zealand
    Posts
    9,860

    NZ IRD, facebook, data privacy leak incident

    I am not a newbie investor, but I am definitely a newbie in a situation like this.

    I got an old-fashioned letter today, telling me that I am tied up in this IRD data leak. Apparently my first name, last name, email addresses, mobile numbers, date of birth, age, country, city and postcode were disclosed to facebook (Meta) in an insecure data transmission. Now that is interesting because AFAIK I have never disclosed to the IRD my mobile phone number or e-mail address. Be that as it may, what I don't understand is 'why was my information sent to Meta in the first place' given:

    1/ I was not behind in any tax payment.
    2/ I do not have any outstanding student loans.
    3/ I am not, and never have been, a member of facebook.
    4/ I do not reside overseas, and the IRD already has my local NZ contact information.

    So why did the IRD send my information off to facebook at all? It seems unfathomable that the IRD should have done this! I see that I have the right to make a complaint to the privacy commissioner about this behaviour. But should I?

    SNOOPY
    Last edited by Snoopy; 11-11-2024 at 08:57 PM.
    Watch out for the most persistent and dangerous version of Covid-19: B.S.24/7

  2. #2
    ShareTrader Legend
    Join Date
    Dec 2009
    Location
    Everywhere
    Posts
    7,854


    Quote Originally Posted by Snoopy View Post
    I am not a newbie investor, but I am definitely a newbie in a situation like this.

    I got an old-fashioned letter today, telling me that I am tied up in this IRD data leak. Apparently my first name, last name, email addresses, mobile numbers, date of birth, age, country, city and postcode were disclosed to facebook (Meta) in an insecure data transmission. Now that is interesting because AFAIK I have never disclosed to the IRD my mobile phone number or e-mail address. Be that as it may, what I don't understand is 'why was my information sent to Meta in the first place' given:

    1/ I was not behind in any tax payment.
    2/ I do not have any outstanding student loans.
    3/ I am not, and never have been, a member of facebook.
    4/ I do not reside overseas, and the IRD already has my local NZ contact information.

    So why did the IRD send my information off to facebook at all? It seems unfathomable that the IRD should have done this! I see that I have the right to make a complaint to the privacy commissioner about this behaviour. But should I?

    SNOOPY

    Been reading a Reddit group on this same issue.

    Interesting comment flowing out from this -

    Good luck when one party is the Taxman and many further Buckets full of Good Luck
    needed awakening the peacefully resting Privacy Commission bods up

    Once awakened the thought of facing the claws of the Taxman might scare them somewhat,
    but if they did decide to make a few careful moves - what's the maximum award possible?

    The question remains - if IRD had all the relevant taxpayer contact details etc - then why didn't
    they just contact those on the list direct, rather than feeding it (& obviously making a hash
    of doing so in the process) to the foreign owned Social Media companies ?

    As a presumably responsible organisation entrusted with a fair bit of personal & private
    Income,Tax and other detail - how could Inland Revenue have allowed their interactions
    with Social Media to result in this sort of scale of privacy breach ?
    Last edited by nztx; 12-11-2024 at 12:30 AM.

  3. #3
    Member Popeye's Avatar
    Join Date
    Jul 2020
    Location
    New Zealand
    Posts
    32


    That is shocking to hear. If it were me, I would lodge a complaint. It sounds like they have taken the liberty of harvesting your contact details from other sources, then unbeknownst to you, went and passed them on to Meta for no good reason. They did not even give you the courtesy of informing you that they had updated your contact details for you, and give you the opportunity to confirm or change said information.

    This is unconscionable behavior by a government department, and terrible judgment to justify their sharing of data based on their self-graded anonymisation skills. What right do they have to subject their captive "clients" to any level of such privacy risk in the first place? In your case, it sounds like they could have sent you an email or telephoned you anyway, not that they had cause to.

    Lodging a complaint will send them a message to think much, much harder before doing anything so stupid in future. If this is how the stuffy old IRD behave, imagine the liberties tech companies outside of our shores and legal framework could (will) be taking! Take it for granted they will all be trying to cross match every piece of information available on their users to get a better picture of the marketing target.
    Last edited by Popeye; 12-11-2024 at 08:59 AM.

  4. #4
    Permanent Newbie
    Join Date
    Mar 2010
    Posts
    2,738


    Go for it Snoopy.

    It appears either IRD was making some extra cash selling your information to Meta and Trade Me or else they were giving it away free at the taxpayers' expense.

    Either way I would be happy to see the people at IRD who thought this was a good idea strung up on some gallows on the steps of parliament.

    https://www.rnz.co.nz/news/national/...a-data-sharing

    Just sharing your name and email address would not be that helpful; they could also be disclosing your income level if it is to help marketing firms identify and target the correct demographic for their f*cking ads.

    If a govt collected data on people like facebook and google there would be outrage, but people seem happy as long as they get the free search engine and the free calls. To have IRD sell your information to them is outrageous.

    No wonder we lose faith in public institutions

  5. #5
    Legend
    Join Date
    Apr 2003
    Location
    Wellington, New Zealand
    Posts
    5,356


    I made a privacy request to the IRD (thank you for helping NZ taxpayers union) for the very same reason and got a stock standard answer back as follows (as you can see they are lying and obfuscating):


    Thank you for your recent information request submitted via the Taxpayer’s Union website. You requested the following:
    Was any of my personal information (including, but not limited to, my name, email address, contact information, the fact I am a New Zealand taxpayer, date of birth) included in the data provided to social media companies including, but not limited, to Meta (Facebook/Instagram), LinkedIn, Google in the last three years?
    If so, please tell me what information was provided, the date it was provided, to what entities, and the reasons for the same.

    You asked for this information under the Privacy Act 2020 and the Official Information Act 1982.

    Inland Revenue takes privacy very seriously. We have not leaked or sold any taxpayer information.

    We advertise on social media because it is an effective tool to inform customers of their tax obligations or entitlements like Working for Families and FamilyBoost. Using custom audience lists on social media allows organisations to securely upload de-identified information (referred to as hashed information) for direct marketing purposes. We have used custom audience lists on Meta (Facebook and Instagram), LinkedIn and Google.

    On 12 September we paused the use of custom audience lists while we undertake an internal review of this practice. This will be led by our Chief Information Security Office. We did this due to public concern and to provide reassurance we take your concerns seriously. We are also working with the Office of the Privacy Commissioner who are assessing whether there are any privacy issues with hashing.

    Information requested

    Due to the large number of ad campaigns we do to ensure people are aware of their tax obligations and entitlements, it’s not reasonably practicable for us to search to see which campaigns you may have been included in. We don’t hold this information in a way that enables it to be readily retrieved.

    Substantial manual collation would be required to review the lists to confirm whether you were included in a direct marketing campaign. This would require significant time and resources. We are refusing your information request under section 44(2)(a) of the Privacy Act as the information is not readily retrievable and section 18(f) of the Official Information Act as the information cannot be made available without substantial collation.

    We’ve also considered if this information can be provided under the Tax Administration Act 1994. However, as the information is not readily available it’s not reasonable or practicable to give you the information.

    If you were included in a custom audience list, the information in the source file may include name, date of birth, city, postcode, country, phone number or email address. This information is hashed within our browser before being securely uploaded to the social media platform. For example:
    • John.doe@ird.govt.nz would become this when hashed: 6b22a874552aa8aeb2d24119911571cd93c30db477d56cf952cb4487a34c80ac
    • Their date of birth would become this: c452d4c1b8a97a0a868b7764278afd360001e656d6f3301a4352ca5c2d539e29
    Hashed data from our list is only used if it can be matched with information you have already provided on your social media account. If you have not given information to the social media platform, or you do not have an account with them, then the hashed data will not match, and it is deleted. Any hashed data that does match is automatically deleted by the platforms after the match is completed.

    You may have been included in a previous campaign if:
    1. You have a social media account with Facebook or LinkedIn or have a Google account, and
    2. Any of the following apply, you:
    • are likely eligible or receive Working for Families
    • have a New Zealand student loan
    • have an overdue tax return or bill.
    Thanks for getting in touch. Your concerns let us know how the use of direct marketing can affect our customers.

    Want to find out more?

    More information on our use of custom audience lists, including how this complies with the Privacy Act 2020, is on our website at www.ird.govt.nz/customaudiencelists. This page will be updated when the review has been completed or if we have further information to share.

    If you are not satisfied with our decision on your request, you have the right to make a complaint to the Office of the Privacy Commissioner (www.privacy.org.nz) or the Ombudsman (www.ombudsman.parliament.nz).




    Ngā mihi,

    Dawn Swan
    Privacy Officer, Enterprise Design & Integrity

  6. #6
    Member Popeye's Avatar
    Join Date
    Jul 2020
    Location
    New Zealand
    Posts
    32


    That is quite interesting, blackcap. The IRD must have been sharing some sort of hash master key with the SM platforms in order for the information to be "matched with information you have already provided on your social media account". How else could they do it?

    It seems to boil down to, you are considered fair game for the IRD if you have already put yourself out there on publicly viewable social media platforms. This would presumably also be the explanation as to how they gathered contact information on Snoopy without asking him first.

    The ability to maintain privacy seems to be reducing over time. I can foresee a future when people are required to carry their mobile phones (or whatever they get replaced by) around with compulsory apps loaded and running for some "public benefit". All it takes is some sort of emergency to herd people to temporarily (it is always sold as a temporary requirement) give up their rights or submit to government intrusion. My rule of thumb is, if it can be done, someone will give it a go at some point in time. With the best of intentions, of course.

    In this case, I think the IRD should make a more comprehensive explanation of what they did, how they protected privacy, and what process they went through. So they can be properly critiqued and held to account. I also would like the ability to define and limit the ways they are able to communicate with me, such as only email or only phone etc. I do not want them spraying around "hashed" information about me on the basis that they have given themselves a pass mark on their privacy protections. The best protection is not to share anything with anyone ever!
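
An added illustration (not part of any post in this thread, and not IRD's or any platform's code) of the hashed matching described in the IRD reply in post #5 and asked about in post #6: no shared key is needed, because both sides apply the same public hash function to the same normalised value. It assumes unsalted SHA-256 over trimmed, lower-cased text and a YYYYMMDD date format; all function names and sample data are constructed. It also shows why a hashed date of birth is pseudonymous rather than anonymous.

```python
import hashlib
from datetime import date, timedelta


def normalise(value: str) -> str:
    """Assumed normalisation: trim whitespace and lower-case."""
    return value.strip().lower()


def hash_field(value: str) -> str:
    """Unsalted SHA-256 of the normalised value, as 64 hex characters."""
    return hashlib.sha256(normalise(value).encode("utf-8")).hexdigest()


def match_audience(uploaded_hashes, platform_emails):
    """Platform side: hash its own account emails the same way and
    intersect with the uploaded hashes. No key is exchanged."""
    index = {hash_field(e): e for e in platform_emails}
    return sorted(index[h] for h in uploaded_hashes if h in index)


def recover_dob(target_hash, first_year=1900, last_year=2024):
    """Whoever holds the hash can try every calendar date (about 45,000
    values), so hashing a low-entropy field does not hide its value."""
    day, end = date(first_year, 1, 1), date(last_year, 12, 31)
    while day <= end:
        candidate = day.strftime("%Y%m%d")  # assumed date format
        if hash_field(candidate) == target_hash:
            return candidate
        day += timedelta(days=1)
    return None


# Constructed sample data: three people on the agency list, of whom
# only two have an account on the platform.
AGENCY_LIST = ["Alice@Example.com ", "bob@example.com", "carol@example.com"]
PLATFORM_ACCOUNTS = ["alice@example.com", "bob@example.com", "dave@example.com"]

if __name__ == "__main__":
    uploaded = [hash_field(e) for e in AGENCY_LIST]
    print("matched:", match_audience(uploaded, PLATFORM_ACCOUNTS))
    print("recovered DOB:", recover_dob(hash_field("19700115")))
```

Under these assumptions the hash of a non-member's email still reaches the platform; it simply fails to match an existing account.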

  7. #7
    Permanent Newbie
    Join Date
    Mar 2010
    Posts
    2,738


    Quote Originally Posted by Aaron View Post
    Go for it Snoopy.

    It appears either IRD was making some extra cash selling your information to Meta and Trade Me or else they were giving it away free at the taxpayers' expense.

    Either way I would be happy to see the people at IRD who thought this was a good idea strung up on some gallows on the steps of parliament.

    https://www.rnz.co.nz/news/national/...a-data-sharing

    Just sharing your name and email address would not be that helpful; they could also be disclosing your income level if it is to help marketing firms identify and target the correct demographic for their f*cking ads.

    If a govt collected data on people like facebook and google there would be outrage, but people seem happy as long as they get the free search engine and the free calls. To have IRD sell your information to them is outrageous.

    No wonder we lose faith in public institutions

    Whoops, it's not good but does not sound quite so bad after reading blackcap's post. Perhaps I should understand something before going off the deep end, although that is not my way and understanding requires effort.
