Privacy concerns are mounting over Inland Revenue’s data-sharing practices with social media platforms, as an expert says Kiwis should have more control over how their information is shared by government agencies.
The personal details of hundreds of thousands of Kiwis has been handed to platforms such as Facebook and Google to help better target Inland Revenue Department (IRD) ads. The agency has long asserted that the practice involves anonymising personal information.
But an IRD spokesperson said officials are now reviewing whether it’s “still safe” to use the process after warnings from US and European regulators that information could still be linked back with people’s identities.
Despite the concerns, the agency told 1News it would continue to share people’s information with online platforms while it reviewed its practices — which included Google, Meta-owned Facebook and Instagram, and LinkedIn.
RNZ first reported on concerns about the practice yesterday.
‘Brief privacy analysis’ carried out in 2016
Data privacy law researcher Kent Newman said he was worried IRD didn’t have its own mechanism for people to opt out of information being shared with tech platforms.
The details shared directly include “hashed” versions of people’s names, email addresses, phone numbers, dates of birth, geographic information and gender. But that didn’t include the information that could be gleaned from the ads themselves.
Newman said: “People expect the Government to safeguard their information, not to disclose it to global advertisers against their will.”
A “brief privacy analysis” was written on the custom audience list feature eight years ago, with officials rating it a medium risk overall, documents showed. In June, 1News requested IRD provide all privacy impact assessments it had carried out on the practice.
IRD argued the use of the data increased the “compliance of collecting tax revenue and dispersing payments by targeting only customers who need to see” ads with specific messaging.
What does it mean to ‘hash’ information?
Hashing was a type of cryptographic security method that turned identifiers into randomised code and could not be directly reversed.
For example, IRD might take the phone numbers of people owing income tax and scramble that info into garbled strings of characters through the “hashing” process.
This list of hashed numbers is then securely shared with Facebook, which compared it to its own list of hashed phone numbers from its users. When there were matching hashes between the two lists, Facebook showed the user (linked to the matching hashed phone number) ads from IRD about setting up a payment plan for their tax debt.
Other examples included targeting businesses, taxpayers who claimed Working for Families credits, and people who had student loan debt.
The practice was disclosed in the agency’s online privacy policy.
Newman said hashing was better than nothing as it would exclude matching with people who had never had their information shared with platforms at all, but that it was still “wrong” to share data without explicit consent and when people distrusted companies such as Meta.
He said, unlike private businesses, the public couldn’t opt out of using IRD.
“If I don’t trust Nike, I buy Adidas. If I don’t trust IRD, I have no option but to give them my information, so people are compelled to use these government services,” Newman said.
“When we poll users about privacy protection, the public wants privacy takeouts. They want to be able to go online and not have their data shared and used inappropriately.”
IRD said the practices fully complied with its obligations under the Privacy Act to protect personal information but Newman argued its actions had been far from best practice.
“For the sake of those that do match, you are disclosing their interests and their personal information.”
Advertising ‘profiling’ possibility ‘unsettling’
University of Auckland associate professor Gehan Gunasekara said he was “unsettled” to learn about IRD’s practices but was surprised by some of the shock from the public.
“People might get the wrong end of the stick here, in some way interpreting that IRD is selling your information or trading it. That’s not what’s going on here,” he said.
“The more subtle risk is that by using these ad services, these companies might be able to form profiles about people.”
Social media companies built profiles of their users with the data they collect and then used those profiles to help better target ads.
But IRD said it was “satisfied” that the information it shared with platforms was deleted when the hashing process was completed.
Gunasekara expected the Privacy Commissioner would look into any potential issues around privacy legislation.
“They don’t have to wait for a complaint. They’ve got enough powers to look into it if they think that there is something that is contrary to the Privacy Act.”
But he suggested that there needed to be more specialised watchdogs looking at online privacy, adding that the Government’s Chief Privacy Officer role had recently been disestablished under the coalition’s public sector job cuts.
“Perhaps we need a digital regulator to look at those kinds of really difficult highly technical issues because the Privacy Commissioner’s office deals with a range of issues.”
IRD to review practices
A spokesperson for Inland Revenue told 1News it was examining how it used the custom audiences feature on social platforms.
“Each social media platform has its own privacy principles in place that it must adhere to. These privacy principles were reviewed by IRD to ensure that customer information is protected and only used for the intended purpose,” they said in a statement.
As for concerns about opting out, IRD claimed it “didn’t have the ability to identify customers” who didn’t want hashed versions of their data shared with social platforms.
Last week, the agency declined an OIA request from 1News for any correspondence with taxpayers trying to opt out of information sharing for ad targeting, saying they didn’t hold the information as users “update their ad preferences directly through Meta”.
It also said no complaints had been received over the practices.
A spokesperson said: “IRD does not have the ability to identify customers who would like to opt out of advertising. However, customers can opt out of being shown specific ads by editing their advertising preferences in the social platforms they use.
“IRD only has access to information that is publicly available on social media platforms.
“IRD continuously reviews our processes to ensure what it is doing is safe.
“Off the back of these enquiries and comments from the US Federal Trade Commission and European Data Protection Supervisor, we have begun looking further into the use of hashing to ensure it is still safe to use.”
The Privacy Commissioner was approached for comment yesterday.
In a statement sent on Tuesday morning, a spokesperson said
