Every year, about 200,000 people flock to Auckland’s lantern festival, to shuffle shoulder-to-shoulder past the swan lanterns frozen mid-glide on their lilypond, past the polar bears, through multi-coloured archways, under trees festooned with huge illuminated paper flowers; all the while munching on dumplings, satay sticks and shaved ice.

The lanterns are always the same, but in 2015, there was one difference.

If you had a Spark mobile phone, your location was tracked. Your route to Albert Park - from Mt Eden, from Grey Lynn, from Blockhouse Bay, from Glenfield, from Manukau - was retrospectively collected by the telecommunications company, aggregated, packaged up and sold to Auckland Council’s events organisation, ATEED.

The data analysis was done by a relatively new Spark subsidiary - Qrious - which talks on its website about “leveraging the power of publicly available data stores, aggregated anonymised Spark mobile location data and other commercial data sources”, to provide ATEED with what it needed.

On the basis of the Qrious research, which found that most visitors came from inner-city neighbourhoods, ATEED decided to move the festival to the Domain in 2016 rather than a location outside the CBD.

So far, so useful. A little creepy, maybe, but also benign.

Photo: 123rf

But it’s that kind of mass data collection and analysis that has made privacy experts and civil liberties advocates jumpy about just how much we’re now sharing with private companies - and whether proposed changes to privacy laws can even keep up.

Dissemination of personal data has become “ubiquitous and constant”, Privacy Commissioner John Edwards says.

"You wake up in the morning, your iPhone alarm rings - well there's some data generated. You've got your GPS location which is probably being accessed by several of the apps on your phone. You hop in the shower - if you've got a smart meter, the power company knows you've got a wee surge as the hot water heating goes on at that time.

“You pass by security cameras; when you drive your car there'll be sensors transmitting information about the vehicle's performance and of course, your driving.”

The heat has come on in recent years over New Zealand’s membership of the Five Eyes spying alliance - which also includes the US, the UK, Australia and Canada - and what data the government is collecting about its own citizens.

Government agencies have also found themselves in the gun over privacy breaches - most notably ACC’s inadvertent release in 2011 of thousands of clients’ personal data, including information about sexual abuse claimants.

But there has been less domestic scrutiny of what data the private sector is collecting, and what it’s being used for.

It is hard to quantify the rate at which that data generation has grown, Mr Edwards says.

"But all the indices we see tell us that it's just increasing at an exponential scale."

Joining the data dots

Council for Civil Liberties spokesman Thomas Beagle has been keeping a wary eye on who’s collecting what, and for what purpose.

"Should people be worried about this? The answer is yes, no and maybe. It depends on who you are, what they're collecting, and what they're using it for."

Companies increasingly wanted to collect information about people, in order to market to people or join up patterns of behaviour, he says.

"When you’ve got a transport card, for example, they are actually tracking where you're going.

"One of the surprising ones is that shopping malls are increasingly using technology that tracks you through a shopping mall. It wouldn't be hard to take that information ... and see this person had been here, and then here."

Such data isn’t even hard to come by - it can be done simply by keeping track of bluetooth and wifi signals from people’s cellphones.

“To a certain extent, they're [phones] broadcasting themselves - so it's completely passive."

What he’s learned from talking to analysts working with big data, though, is that they’re rarely interested in specific individuals.

“They don't care that I'm Thomas Beagle. They say, 'We've got 10 marketing targets. One of those is middle-class, home-owning white males who listen to music.' They're interested in saying you fit within that class."

“Useful, not creepy” is where Pieta Brown wants to keep things on the spectrum.

“[People] don’t appreciate the feeling that they’re guinea pigs in a social experiment.”

Ms Brown is head of data for Lab360 - the data analytics offshoot of Loyalty NZ, which operates the Fly Buys programme.

Loyalty NZ has access to a wealth of information that’s added to with every swipe of a member’s card, and can be mined to create targeted promotions, Ms Brown says.

“If we have a special vegetarian week at New World, we might want to understand, okay, which of our customers have never bought meat from New World and they’ve also bought other products that indicate they might be more likely to be a vegetarian, such as falafel, vegetarian sausages - and we use those to say, well, we think this special offer is most relevant to this group, so we’ll send it out to them.”

The data is contained within the Flybuys “ecosystem” and not shared with anyone outside that system.

“It’s really important to us that we don’t do anything that makes customers uncomfortable and [that] we take data privacy very seriously.”

In a perfect world, that kind of big data collection and analysis is “brilliant”, Mr Beagle says.

But things get a little blurry when you start to consider what constitutes a breach of privacy.

“I’m allowing them to see what I buy from the supermarket and probably some other information. If they derive from that that I’m pregnant, is that information that I’ve given them permission to collect? I would argue that it isn’t.”

Unwitting oversharing

Photo: RNZ / Michael Greenfield

Blurring the line even further is the question of whether people are aware of just what they have given permission for companies to collect.

Research published by Victoria University researchers in 2014 found that only a quarter of people both read and understood privacy statements they encountered on the internet.

44 percent said they either ignored the statements completely or did not read them.

The same research paper found that while people were generally quite private about what they shared with social networking sites and commercial websites - beyond basic details like their name and email address - a small percentage still shared information including their Facebook log-in details, citizenship, health information, mobile phone number, and even financial information and criminal convictions.

Auckland University Professor of information privacy law Gehan Gunasekara says people are more savvy nowadays about sharing things online like credit card details.

"But [they're] less cautious about the lesser stuff. It's that lesser stuff, though, that can be predictively analysed and modelled and so on."

Thomas Beagle believes that people are generally aware that a lot of information is being captured.

"A lot of them are reasonably relaxed about it."

Therein lies a strange paradox, he says - as more and more information has become available to collect, people have become conversely complacent about its collection.

“It's really weird; we seem to trust our government a lot more, we seem to trust companies a lot more, but we're not sure where it's all going."

Auckland woman Brie Moses has been wondering about that lately, though.

"I was on Facebook recently and I realised they were showing me a photo that wasn't already on my newsfeed and that I wasn't even tagged in, that had come from my camera roll.

"I thought, if they can get that just by my subscribing to Facebook, which is a separate app, what else can they get?"

Photo: RNZ / Supplied

Does she read privacy statements when she comes across them?

"Never."

That leaves her exposed to potentially sharing more than she realises, she says.

"You want to say you read through them but ... you just assume that there's nothing bad in the terms and conditions. You're opening yourself up to it ... but you would hope that they would have a line somewhere."

It’s not just what private companies are doing with the data that people need to consider, Thomas Beagle says.

“There's a surprising amount of government agencies making queries to private companies, and saying, 'Can you get me data about this person, or all these people here, or all the people of this type who have done this in the last while.”

Suddenly, the government becomes a kind of “uber-aggregator”, he says.

“They can take all these different little silos, collect it, aggregate it, map it against people - and then they've got an increasingly global view of what you're doing."

He concedes it all sounds “a bit tinfoil hat”.

But there have been real, and recent, examples - most notably, Westpac bank’s decision to hand over ten months’ of journalist Nicky Hager’s banking information to the police, without a court order.

The Hager case prompted the Privacy Commission to launch a transparency project, to gauge how often companies used an exception in the Privacy Act that lets them hand over private information if they believe it will help “the maintenance of the law”.

It found that in just three months, 12,000 requests were made of the 10 companies included in the project - fewer than 500 requests were turned down.

A new privacy regime

Despite the rapid pace of change, laws and regulations have been slow to keep up.

The Law Commission made recommendations for an overhaul of the Privacy Act in 2012, which were accepted by the government in 2014 - but nearly three years later a bill is yet to be introduced to Parliament.

The recommendations include making it mandatory to report privacy breaches to the Privacy Commission, and introducing compliance notices the Commissioner can issue to organisations who are in breach of privacy obligations.

But it’s been so long that even the recommended changes have been outpaced by technological advances in the meantime, John Edwards says.

“In my view it’s timely to revisit the Law Commission’s package of recommendations … and examine if there are now emerging gaps and weaknesses or emerging best practice that should now be incorporated into the bill.”

One of the conundrums Mr Edwards highlights is the ‘re-identification’ of data - being able to combine anonymised datasets in such a way that makes it possible to identify individuals.

Photo: Supplied

Pieta Brown says that’s a concern for private companies that deal in big data too.

“It’s very hard to foresee what kind of future data mash-ups might be possible, or what future technologies may enable.

“You may release a dataset for a certain purpose that can then be identified in the future - so I think questions around where the onus sits in terms of anonymisation and re-identification will become quite important.”

Gehan Gunasekara wants to see a principle of “privacy by design” added to the Act, so rather than having a reactive system, privacy is built into services and products.

He gives the example of smart TVs.

"It would listen to your voice commands but someone could then hack into it and listen to everything you were saying while you were watching. That wouldn't happen if you had privacy by design and proper encryption."

Justice Minister Amy Adams is turning her mind to some of those issues.

Speaking to the Wellington Privacy Forum earlier this year, she singled out Fitbits as one example of a creeping intrusion into people’s privacy.

“These little devices collect mass data from wearers. I’ve seen reports of these data sets being cross-referenced so that people are re-identified purely on the way they walk.

“They could also be used by marketers to gain useful insights to offer tailored goods and services to specific people and customer segments.

“But are we okay with that?”

Much stronger legal protections are the only answer, Thomas Beagle says.

“We actually can have a surveillance society... There's nothing stopping us from doing that, we're rapidly heading towards it because it is so easy and cheap.

“The only thing that can stop us is actually the decision not to do it.”