IRD Social Media Update

The IRD have released more information in relation to the social media lists that generated media attention recently.

They have paused the usage of custom audience lists since 12 September.

They will reconsider their stance after an internal review.

The Chief Information Security Office (CISO) is currently performing the internal review of the hashing. They will check the privacy and security implications of providing the lists to social media companies.

The Government Communications Security Bureau (GCSB) has guidelines on information assurance and systems security. The IRD says their hashing of data operates within these guidelines.

The custom audience list is segmented over the various entitlements people may have.

Examples of audience lists include: Student loans, Working for Families and GST customers.

The reason for the segmentation is to assist the IRD in sending targeted reminders to people. The targeted reminders are to remind people who may need it to comply with their tax obligations on time.

All information that is uploaded to the social media companies is hashed. The hashed information cannot be read without being decrypted first. This ensures it is not readable if someone views the hashed data.

Identifiers used in the hashed data include first name, surname, date of birth, email address, phone number, city, postal code and country.

The IRD mentions that if you have not given information to the social media platform, or you do not have an account with them, then the hashed data will not match, and it is deleted.

If you are still seeing information on social media from the IRD, it will be because it is not a targeted ad campaign. The IRD are able to use geographical targeting or take out an advert that everyone sees on social media so they can reach a wider range of people.

There is no option to opt-out of being included in a custom audience list.

The Privacy Act 2020 allows personal information to be used for more than one purpose. It doesn’t require you to give permission every time your personal information is used or disclosed. If an organisation obtains your information for one purpose, it can use it for another purpose in some circumstances.

The IRD mentions that no tax or financial information is included in the custom audience list. Due to the number of campaigns the IRD have run, there is no way to check if your data has been included in any ad campaigns.

It is highly likely that you would have been targeted if any of the following have applied to you:

  • are likely eligible for or receive Working for Families
  • have a New Zealand student loan
  • have an overdue tax return or bill.

They also mention that if you do not want to see ads from the IRD, you can log in to your profile and stop the IRD from showing you ads.

This misses the point of the data being given to the social media companies in the first place.

The main issue has been that people are forced to provide data to the IRD, which has then been given to social media companies.

A concern some social media users will have is that they do not trust the social media giants. They could have entered false information, like an incorrect date of birth, when setting up their account.

The social media companies will now know if data you have provided them is incorrect, as the hashed data will not match the very accurate IRD data.

We are unsure what happens to the data when there is only a partial match.

Do social media companies use a rainbow table to update the information they now know about you?
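The matching and partial-match questions above can be made concrete. The following is an added example, not IRD's or any platform's code: it assumes unsalted SHA-256 over trimmed, lower-cased fields (the post does not name the algorithm) and uses constructed records.

```python
import hashlib
from datetime import date

def h(value: str) -> str:
    """Hash one identifier. Assumption: SHA-256 over trimmed, lower-cased text."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()

def hash_record(record: dict) -> dict:
    """Hash every field separately, as a list upload would carry them."""
    return {field: h(value) for field, value in record.items()}

def match_fields(uploaded: dict, platform_record: dict) -> dict:
    """The platform hashes its own copy and compares field by field."""
    own = hash_record(platform_record)
    return {f: uploaded[f] == own[f] for f in uploaded if f in own}

def classify(uploaded: dict, platform_record: dict) -> str:
    hits = match_fields(uploaded, platform_record).values()
    if all(hits):
        return "full match"
    return "partial match" if any(hits) else "no match"

def build_dob_table(first_year: int = 1900, last_year: int = 2024) -> dict:
    """Every possible date of birth hashed once: a plain lookup table.
    The space is so small that no rainbow-table compression is needed."""
    start = date(first_year, 1, 1).toordinal()
    end = date(last_year, 12, 31).toordinal()
    return {h(date.fromordinal(o).isoformat()): date.fromordinal(o).isoformat()
            for o in range(start, end + 1)}

# Constructed sample data (not real people).
AGENCY_ROW = {"email": "sam@example.com", "dob": "1990-04-12"}
PLATFORM_TRUE = {"email": "Sam@Example.com ", "dob": "1990-04-12"}
PLATFORM_FALSE_DOB = {"email": "sam@example.com", "dob": "1985-01-01"}
PLATFORM_OTHER = {"email": "alex@example.org", "dob": "1979-09-30"}

UPLOADED = hash_record(AGENCY_ROW)   # what leaves the agency
DOB_TABLE = build_dob_table()

if __name__ == "__main__":
    for name, rec in [("true details", PLATFORM_TRUE),
                      ("false date of birth", PLATFORM_FALSE_DOB),
                      ("different person", PLATFORM_OTHER)]:
        print(name, "->", classify(UPLOADED, rec), match_fields(UPLOADED, rec))
    # The hashed date of birth alone maps straight back to its value.
    print(len(DOB_TABLE), "candidate dates;", DOB_TABLE[UPLOADED["dob"]])
```

In the partial-match case the email hash identifies the account while the date-of-birth hash differs, and the lookup table shows why hashing a field with only about 45,000 possible values does not conceal it from the recipient.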

For the full IRD explanation of what is happening to the custom audience lists, please click here:

https://www.ird.govt.nz/about-us/social-media/about-custom-audience-lists

Our previous post on the hashing of data can be found here: