Inland Revenue (IRD) has confirmed it will look into the safety of how it anonymises the taxpayers' details it provides to Facebook and other social media platforms.
IRD is giving hundreds of thousands of taxpayers' details to social media platforms for marketing campaigns, despite legal and computer experts saying it is not safe.
It earlier said all the details were fully protected by anonymisation using a "hashing" process, in which letters are replaced by numbers.
'Hashing' substitutes long strings of letters and numbers for taxpayers' names, dates of birth, address, phone, and email contacts, which have been provided by IRD in lists of up to half a million people at a time - 30-50 times a month - to Facebook, Instagram, LinkedIn and Google for targeted ad campaigns.
Associate Professor of Commercial Law Gehan Gunasekara says it is not true that the details were fully anonymised just because of the 'hashing'.
But Revenue Minister Simon Watts said he had been advised that it did protect the identities of those involved.
"This process is irreversible and therefore ensures the protection of identities," Watts said in a statement.
"They probably think that's all they need to do, but best practice has moved on... and regulators all over the world have pointed to the weakness of that method," Gunasekara said.
Top US and European regulators have consistently warned that hashing did not adequately protect personal data.
IRD told RNZ that "off the back of these enquiries and comments from the US Federal Trade Commission and European Data Protection Supervisor, we have begun looking further into the use of hashing to ensure it is still safe to use".
The minister also used this same line.
Software developer and cyber security consultant Jonathan Wright said the claim that identities were fully anonymised was "misleading at best".
He said back in 2018 - when he had a run-in with his bank over hashing - he found simple tools online that could reverse it and re-identify the data, "in sub-one second".
"Hashing has never been a secure mechanism," Wright told RNZ.
Jack Yan - a marketing consultant who calls himself an early adopter, then early sceptic, of social media - came across IRD in the advertising preferences section of the platforms many years ago.
"Yeah, I spotted IRD... we began seeing organisations' names pop up about mid-decade, and IRD was an early one."
Yan had his own frequent run-ins with Facebook over privacy settings, and held out hope IRD's reconsideration of hashing would lead to real change.
"Let's hope something comes of this review because Facebook... has a real tendency to make promises but never follow up on them."
Wright said the social media companies were dictating the changes.
"The tools that they are using to share data are provided by Facebook and social media companies."
The only way to make it safe was to stop the practise, but that would also halt targeted advertising campaigns, unless the companies came up with another method. But Wright said both sides benefited as things currently stood.
The "most disturbing" thing was that taxpayers lacked the sort of choice a consumer had to pick a service with a stricter privacy policy, so the government should step up, he added.
But the minister said his advice was that IRD's hashing operated within the guidelines of the New Zealand Information Security manual.
"Officials have also assured me that they continuously review their processes to ensure New Zealand's data is safe."
IRD said its targeted advertising increased compliance in campaigns seeking:
- Student loan customers who have debt owing
- GST customers who had returns or a debt due
- Income tax debtors, including those who would benefit from an instalment arrangement
- Working for Families customers
Queenstown employment consultant David Buckingham has complained to IRD about the situation.
"Our biggest government department and our biggest corporations in New Zealand... are doing this on a wholesale level.
"It's not us who are giving over our details. It's a third party who are giving over our details without our knowledge," Buckingham said.
"The kind of campaigns that might take place essentially allows these companies to have a level of profile that... we don't know about, and... if we did know about it, we wouldn't want to consent."
Wright said when he challenged his bank in 2018, it suggested it might look at letting customers opt out - but never did.
IRD's other defence was that it only dealt with social media companies it trusted to do the right thing, such as delete the hashed data quickly. Yan questioned if this was trust was misplaced.
The Taxpayers' Union said IRD was in violation of millions of hardworking New Zealanders' privacy.
The Office of the Privacy Commissioner said it had not had any privacy concerns raised about the use of hashing.
"We can't and don't have oversight of every piece of technology in use by every agency."
While it could give guidance, it was up to individual agencies to ensure customers' data was protected, including when passed to a third party.
Protections within the social media platforms themselves could be used to avoid re-identification, the office said.