IRD previously admitted its practice of sharing encrypted details with social media platforms. Photo: Supplied
Inland Revenue (IRD) has put a full stop to sharing taxpayers' details with social media platforms for marketing.
It follows 8000 taxpayers protesting to Inland Revenue about its practice of sharing their encrypted details to enable targeted ad campaigns.
IRD commissioner Peter Mersi told media on Tuesday they believed the system was fully secure, and it was a cost-effective way of getting tax information to targeted groups, but the strength of public opinion meant they would no longer use it.
"Whether we are really confident about the data is sort of irrelevant at the moment. There are a number of people who feel a degree of discomfort - people really feel that by us sharing information with platforms, their personal data is at risk, there are people who believe that. It would be remiss of me if I didn't really take that into account."
IRD found two cases of unintended disclosure of people's details, that were not properly hashed, in reviews running since September.
In the first, 268,000 taxpayers were involved, and IRD would write to them to explain and apologise in the next 24 hours, Mersi said. In the second case, it was harder to determine the numbers and who was affected.
Neither breach was serious enough to meet privacy law requirements for notification, he said.
People's details went through a "hashing" process to anonymise it when it went to Facebook, Google, Instagram and Linkedin. IRD stood by hashing and its other security measures as "sufficient", Mersi said.
A "concerted campaign" directly suggesting some of the details were leaked or misused had taken place, Mersi said.
"Some of that has been misrepresented."
Asked who was in this campaign, Mersi mentioned the Taxpayers' Union and some media reporting.
"There is no evidence that any customer details, hashed or unhashed, have ever been used by social media platforms for anything other than the purpose agreed."
The marketing practice was of "real benefit" in getting targeted messages to taxpayers, and IRD's website made it clear what was going on, he added.
David Buckingham, a Queenstown employment relations consultant who spotted IRD doing this and complained several months ago, said it was a welcome move by IRD as far as it went.
"It doesn't do anything for those people who have already had their data breached," he said. "Facebook is already able to use the information gathered to profile these consumers."
It was not believable that the social media companies would delete the taxpayers' details provided to them "simply because IRD says that they will", Buckingham said.
Practice 'indefensible' - Taxpayers' Union
Jordan Williams of the Taxpayers' Union lobby group said IRD's change of heart came as no surprise.
"It was indefensible to use taxpayer data for social media marketing, and we're glad to have Commissioner Mersi give our supporters credit for stopping future data leaks.
"But we remain extremely concerned that IRD continue to mislead New Zealanders about both the security of the practice and how Facebook could use the data to identify individual taxpayers and student loan debtors."
The group set up an online tool for people to help find out if the department had shared their details with the platforms.
In responses to complaints, IRD emailed people to say it could not tell them individually if they had been due to "the large number of ad campaigns" that would involve searching through.
Williams said they had sought to meet the officials over this.
"Perhaps Mr Mersi doesn't understand how social media targeted campaigns work, or he's being misled by his own social media team," he said.
"It's bluff, denial and bluster instead of straight answers."
Mersi told the news conference the department would now have to find other ways to reach its customers. "We are removing one tool from the kit."
He was not aware of social media targeted marketing being used by other public agencies, he said.
An email obtained by RNZ, from IRD to scores of public agencies - from Defence through to Treasury and MPI - after the story ran in September, advised them they might be getting queries about this and outlined what the department's key messages to the media had been so far.
"Do any of your teams use custom audiences?" the email asked.
IRD Commissioner apologises
The Commissioner said he did not believe IRD would have lost any trust or confidence, but he was extending IRD's apology to all taxpayers.
"I'm apologising to all taxpayers because I can't tell you which of those taxpayers were included in that second instance of the unintended disclosure ... I don't even know the number.
"We've always believed that the processes we've been using have been appropriate ... I come back to the integrity of the system. And it's important to us that we retain the confidence of the New Zealand taxpayer."
IRD has shared details with platforms since 2014, starting first with Facebook and adding Google around 2019. It did a privacy threshold assessment in 2016 - and another just days after RNZ broke the story in September - that both found medium risks.
It had been using the latest hashing technology and other security measures throughout, though "we could have a long debate about that", Mersi said.
"There are different views on how easy it is once you get the hashed data, to unhash it."
International regulators have stated for several years that hashing is insufficient to encrypt personal information.
IRD decided to stop the practice before it found the two unintended disclosure cases, he said. An Official Information Act request revealed the first breach, and the review the second.
"There has been a concerted campaign to elevate the risks ... to suggest that the use of custom lists raises the risk that personal information is being shared with platforms in an inappropriate fashion."
The Taxpayers' Union quite directly suggested "leaked or sold or we've been lying about the ... way in which we've been using the information - none of that is true", Mersi said.
"I don't know whether there have been others. Certainly there have been articles in the media that have questioned the appropriateness of using hashing, the appropriateness of using customer audience lists."
This interest generated concerns among the public, Mersi said.
"Some of that has been misrepresented ... I am not saying all of it has, but certainly the way in which some of that has been presented has raised concerns for individuals about whether it is appropriate for us to do that."
Later he added: "It might just be that people have become less comfortable with social media platforms over time, and it's expressing a more general social view, I don't know."
Sign up for Ngā Pitopito Kōrero, a daily newsletter curated by our editors and delivered straight to your inbox every weekday.
