Not a scam - But the Nz Govt should be ashamed.

Forums › Off topic › Not a scam - But the Nz Govt should be ashamed.

1 | 2 | 3 | 4

8 posts

Wannabe Geek

#940930 26-Nov-2013 11:31

Kyanar:
nunz:
Zeon: I hardly think this breaks the laws around spam as it isn't commercial - its a communication from the government....

It's probably not a good look with inviting links etc. but you are taking this complaint way overboard.....

minor point first then major point.
Point A

1 - It is commercial - TSB, Kiwibank, Insurance etc makes it commercial.
2 - It doesn't have to be commercial to be spam. Spam act states.

Section 6. A
Meaning of commercial electronic message

For the purposes of this Act, commercial electronic message—

(a) means an electronic message that—

(i) markets or promotes—

(A) goods; or

(B) services; or

(C) land; or

(D) an interest in land; or

(E) a business or investment opportunity; or

it could be excluded on the grounds of section 6B which states the email can be excluded as it ...

provides the recipient with information about goods or services offered or supplied by—

(A) a government body; or

(B) a court or tribunal; or

however this included information aobut goods nad services provided by TSB, Kiwibank, Post office, insurance etc - which makes it commerical again.

Point B

BUT PLEASE NOTE ---

the majority of my objection is not around the spam act, that was a minority point, it is around the issues of security and privacy that this email blew through.It is about not teaching people to follow third party links of dubious quality. it is not about unfettered sharing of details which is only legal if legislated explicitly between govt depts nad it is about giving our details to a third party, over seas, marketing company with a flawed history of security - including major breaches of private third party information.

If real.govt.nz wants to contact people and let them know, that's fine. get the relvant govt dept that I do have contact with to tell me. If they want to send direct, that is legal. dont use american marketing companies and dont promote comemrcial interests. TSB is blatantly promoted in this email, over and above even Kiwi bank which was / is a govt supported bank.

and again - do the damn thing right - not half baked redirects, third pary HTTPS certificates etc. for crying out loud, what type ofIAAS cant even identify itself?

Good lord you're taking this overboard. For a start, DIA does not charge anything for third parties to participate in the RealMe service. Second, the New Zealand Government does not even have a trusted root CA certificate in Windows (in fact, almost no governments do) - and frankly I'd prefer they don't, since if they did then it would be oh so ridiculously easy to MitM NZers personal communications (for children, or terrorists, or something) - so they have to purchase one from a third party, such as Verisign. Third, it's not a commercial email - it's an email telling you that iGovt is now Realme, and you can use it for stuff. OH NO THE WORLD IS ENDING.

I agree - SPF records match - its an authorised sender, for a government body. They even supplied an unsubscribe, which they didn't need to do. No real call to action, just informational - it has a link, but it's not asking for any credit card details. RealMe is all about a single login for government services. I don't see what the problem is. Just because they used a email provider doesn't mean they've compromised the data in any way. campaign monitor, constant contact etc are all overseas....

Nil Einne

469 posts

Ultimate Geek

#941403 27-Nov-2013 02:47

I don't want to get in to this long discussion but I do agree with two (or three depending on how you count) key points that have already been made:

1) There are only a relatively small number of trusted root CA certificates in key OSes and browsers. Many governments don't have CA that are commonly trusted. Take a look at
e.g. 1 Mozilla (http://www.mozilla.org/projects/security/certs/included/),
e.g. 2 iOS (http://support.apple.com/kb/ht5012) and
e.g. 3 (Windows http://social.technet.microsoft.com/wiki/contents/articles/14217.windows-and-windows-phone-8-ssl-root-certificate-program-april-2012-e-g.aspx)
for example and see how few there are with 'government' in them (particularly when you're talking about overlap).

The NZ government doesn't have a root CA certificate trusted by default by common software that I know of. So unless they want to encourage people to start manually adding certificates, surely an even worse idea from a security standpoint, they have to get any certificates signed by someone who is trusted CA in most browsers/OSes. None of this should news if you know much about computer or internet security.

Remember that running a CA is no small feat if you want to earn and keep that trust see
e.g. 1 US government request to Mozilla (https://bugzilla.mozilla.org/show_bug.cgi?id=478418),
e.g. 2 some of the discussion surrounding the US government outstanding request to Mozilla (https://bugzilla.mozilla.org/show_bug.cgi?id=478418),
e.g. 3 KISA/ Korean government connected CA request to Mozilla including something which looks like an email sent to Microsoft by a Korean professor (https://bugzilla.mozilla.org/show_bug.cgi?id=335197),
e.g. 4 Mozilla pending CAs (http://www.mozilla.org/projects/security/certs/pending/),
e.g. 5 problems for Netherland government connected CA (http://www.theinquirer.net/inquirer/news/2107413/microsoft-mozilla-ban-dutch-government-root-certificate) and
e.g. 6 some of the controversy surrounding the Mozilla decision to add the CNNIC/Chinese goverment connected CA including recent discussion about the NSA etc (https://bugzilla.mozilla.org/show_bug.cgi?id=542689)
as examples of the possible problems, work and time it may take.

Now if you really think they should set up a CA, that's up to you, but I don't see how it was a good way to make the point. Particularly considering as history shows (and isn't exactly surprising), it could easily take them several years before they have sufficient trust that they don't have to rely on a third party, more so if there are issues that complicate the matters. (Remember that even having earned the trust, you probably want to wait at least a year, maybe more, for that trust to propogate via updates etc.)

2) It's unlikely this is covered by Unsolicited Electronic Messages Act 2007. Remember, the government is generally good at making sure they aren't covered by laws they don't want to be covered by. (Remembering of course, we are generally considered to have parliamentary sovereignty here in NZ.) And trying to say it's commercial because people have to pay money or the involvement of NZ Post isn't likely to work if they've structured it in a way that it's still seen as a government service. And the fact that it's realme.govt.nz and is using a DIA certificate and the email itself was sent by the DIA tells you all you need to know really. You can say whatever you want about this not being the main point, but the fact of the matter it was mentioned in the first post and the follow ups have tried to justify the reasons why it's covered by the law so it's seems this is a valid point of discussion.

I would add that as others have said, igovt is now part of RealMe https://www.realme.govt.nz/faqs/what-about-my-igovt-logon , the fact that igovt has its own TOU https://www.realme.govt.nz/changelog/ doesn't change this. So even if it weren't a government service and so were covered by the Act, I strongly suspect this would be enough for at least one email. In other words, if a service you use has merged with another service, and you agreed to receive emails for that original service, I find it unlikely the Act will prevent the new merged service emailing you to let you know of this.

If you don't like either aspects of the Act (not covering government stuff or not covering emails about a merged service), that's up to you, but again I don't think this thread is good place to complain about those general points.

nunz

1421 posts

Uber Geek
Inactive user

#941841 27-Nov-2013 16:56

Kyanar:
nunz:
Zeon: I hardly think this breaks the laws around spam as it isn't commercial - its a communication from the government....

It's probably not a good look with inviting links etc. but you are taking this complaint way overboard.....

minor point first then major point.
Point A

1 - It is commercial - TSB, Kiwibank, Insurance etc makes it commercial.
2 - It doesn't have to be commercial to be spam. Spam act states.

Section 6. A
Meaning of commercial electronic message

For the purposes of this Act, commercial electronic message—

(a) means an electronic message that—

(i) markets or promotes—

(A) goods; or

(B) services; or

(C) land; or

(D) an interest in land; or

(E) a business or investment opportunity; or

it could be excluded on the grounds of section 6B which states the email can be excluded as it ...

provides the recipient with information about goods or services offered or supplied by—

(A) a government body; or

(B) a court or tribunal; or

however this included information aobut goods nad services provided by TSB, Kiwibank, Post office, insurance etc - which makes it commerical again.

Point B

BUT PLEASE NOTE ---

the majority of my objection is not around the spam act, that was a minority point, it is around the issues of security and privacy that this email blew through.It is about not teaching people to follow third party links of dubious quality. it is not about unfettered sharing of details which is only legal if legislated explicitly between govt depts nad it is about giving our details to a third party, over seas, marketing company with a flawed history of security - including major breaches of private third party information.

If real.govt.nz wants to contact people and let them know, that's fine. get the relvant govt dept that I do have contact with to tell me. If they want to send direct, that is legal. dont use american marketing companies and dont promote comemrcial interests. TSB is blatantly promoted in this email, over and above even Kiwi bank which was / is a govt supported bank.

and again - do the damn thing right - not half baked redirects, third pary HTTPS certificates etc. for crying out loud, what type ofIAAS cant even identify itself?

Good lord you're taking this overboard. For a start, DIA does not charge anything for third parties to participate in the RealMe service. Second, the New Zealand Government does not even have a trusted root CA certificate in Windows (in fact, almost no governments do) - and frankly I'd prefer they don't, since if they did then it would be oh so ridiculously easy to MitM NZers personal communications (for children, or terrorists, or something) - so they have to purchase one from a third party, such as Verisign. Third, it's not a commercial email - it's an email telling you that iGovt is now Realme, and you can use it for stuff. OH NO THE WORLD IS ENDING.

you need to read the post again - carefully. THe clue aobut what annoyed me is in the words types on the page - but just in case you miss it again....

DIA does charge for businesses to use the service.
I never mentioned a trusted windows cert - its a third party (ie DIA) cert that realme is using. provided by verisign but not for realme. (and remember realme is an IAAS provider - they need to be spot on with this stuff).
Third - Its a commercial email promoting businsses

FINALLY - THE BIG CLUE - I'LL TYPE THIS SLOWWWWLLLYYYY FOR YOU - it wasn't the commercial side that annoyed me, its the fact it actively encouraged people to do dumb link clicking for financial / identity transactions off a half assed email sent by a security flawed third party USa provider who has a history of leaking info to spammers and who should never be told anything by the NZ Govt re their dealings with Nz citizens.

If you want your Govt to teach people clicking on third party redirects is ok for identity and financial transaction then feel free to click here: https://realme.govt.nz/FAQ/Security

MikeB4

18435 posts

Uber Geek

ID Verified

Trusted

#941848 27-Nov-2013 17:07

This all looks...much ado about nothing

Kyanar

4089 posts

Uber Geek

ID Verified

Trusted

#941928 27-Nov-2013 23:00

nunz:
you need to read the post again - carefully. THe clue aobut what annoyed me is in the words types on the page - but just in case you miss it again....

DIA does charge for businesses to use the service.
I never mentioned a trusted windows cert - its a third party (ie DIA) cert that realme is using. provided by verisign but not for realme. (and remember realme is an IAAS provider - they need to be spot on with this stuff).
Third - Its a commercial email promoting businsses

FINALLY - THE BIG CLUE - I'LL TYPE THIS SLOWWWWLLLYYYY FOR YOU - it wasn't the commercial side that annoyed me, its the fact it actively encouraged people to do dumb link clicking for financial / identity transactions off a half assed email sent by a security flawed third party USa provider who has a history of leaking info to spammers and who should never be told anything by the NZ Govt re their dealings with Nz citizens.

If you want your Govt to teach people clicking on third party redirects is ok for identity and financial transaction then feel free to click here: https://realme.govt.nz/FAQ/Security

I'm going to go ahead and ignore your blatant personal attacks there (I would suggest having a read of the FUG though - it's fascinating!)

First things first, the SSL certificate issued to Realme is an EV certificate, which CA policies require be issued to an organisation not to a brand name - as Realme is a brand name for a DIA service, the certificate can only be issued to the Department of Internal Affairs. "Realme", not being a company or government department, cannot get a certificate assigned to itself.

Secondly, link tracking is common, and even if it wasn't, the information that third party gets is merely your email address - and I can guarantee they had it already via another company you deal with anyway.

insane

3240 posts

Uber Geek

ID Verified

Trusted

#941940 28-Nov-2013 00:30

I see on their website they are even advising about the mail out

"Look out for our email

RealMe is emailing its login customers (up until Friday 6th December) encouraging customers to upgrade to a RealMe verified account. The email is sent from noreply@realme.govt.nz.

Please note: RealMe will never send you an email asking you for your password."

On a scale of one to ten this isn't too bad, I've seem far more sloppy efforts. I'd rather them not waste more $$$$ on consultants per mail out, that would IMO be even worse.

charsleysa

597 posts

Ultimate Geek

#941987 28-Nov-2013 08:51

So quite a few people don't really seem to actually know what RealMe is.

RealMe (previously known as iGovt) is an identity service provided by the government. It's just like a driver's license except it doesn't allow you to drive and is in digital format.

Anyone who signed up to RealMe (including when us was still iGovt) has agreed to have emails sent to them by the service. They are also allowed to update the terms of service at any time without prior notice (um yea this is the same with almost every TOS you agree to, ever read your ISP's TOS?).

The fact that they changed the name was more for Marketing and clarification purposes as they were no longer going to use it just for government services.

If you don't like the service then don't use it. They are catering for those that accept change and move to digital forms of communication and identity verification.

Regards
Stefan Andres Charsley

Sharesies

Trade NZ and US shares and funds with Sharesies (affiliate link).

Geektastic

17943 posts

Uber Geek

Trusted

Lifetime subscriber

#942267 28-Nov-2013 14:07

allan:
loceff13: exactly this, they likely also agreed in the iGovt terms to email contact(even from marketers on their behalf) about new products/offers(however this is planned to be more a direct replacement of iGovt from my understanding).

Yes it is a direct replacement

Why did it need replacing?

I used it when I registered a Trade Mark and the only downside was that, because TM registration takes so long, I forgot how to log in...!

The sooner we can just have secure retina or DNA readers attached to our computers and do away with all the vast numbers of user names, passwords etc we are all supposed to remember (which are all supposed to be different..!) the better.

I have to say that I wouldn't be placing much faith in a system organised by the DIA and NZ Post, based on personal experience.

nunz

1421 posts

Uber Geek
Inactive user

#942503 28-Nov-2013 20:36

KiwiNZ: This all looks...much ado about nothing

Then dont waste your time reading or commenting on it - thanks for nothing, literally.

nunz

1421 posts

Uber Geek
Inactive user

#942506 28-Nov-2013 20:40

Kyanar:
nunz:
you need to read the post again - carefully. THe clue aobut what annoyed me is in the words types on the page - but just in case you miss it again....

DIA does charge for businesses to use the service.
I never mentioned a trusted windows cert - its a third party (ie DIA) cert that realme is using. provided by verisign but not for realme. (and remember realme is an IAAS provider - they need to be spot on with this stuff).
Third - Its a commercial email promoting businsses

FINALLY - THE BIG CLUE - I'LL TYPE THIS SLOWWWWLLLYYYY FOR YOU - it wasn't the commercial side that annoyed me, its the fact it actively encouraged people to do dumb link clicking for financial / identity transactions off a half assed email sent by a security flawed third party USa provider who has a history of leaking info to spammers and who should never be told anything by the NZ Govt re their dealings with Nz citizens.

If you want your Govt to teach people clicking on third party redirects is ok for identity and financial transaction then feel free to click here: https://realme.govt.nz/FAQ/Security

I'm going to go ahead and ignore your blatant personal attacks there (I would suggest having a read of the FUG though - it's fascinating!)

First things first, the SSL certificate issued to Realme is an EV certificate, which CA policies require be issued to an organisation not to a brand name - as Realme is a brand name for a DIA service, the certificate can only be issued to the Department of Internal Affairs. "Realme", not being a company or government department, cannot get a certificate assigned to itself.

Secondly, link tracking is common, and even if it wasn't, the information that third party gets is merely your email address - and I can guarantee they had it already via another company you deal with anyway.

Again you missed the point.

Having the Government teach people to click on third party redirected links for financial and identity purposes is DUMB!!! it teaches people to follow dubious links and exposes people to a raft of risk factors.

2 - I don't care if they had my email address another way, the govt has a legal obligation to not provide overseas marketing companies with my email address.

nunz

1421 posts

Uber Geek
Inactive user

#942520 28-Nov-2013 20:43

Kyanar:
nunz:
you need to read the post again - carefully. THe clue aobut what annoyed me is in the words types on the page - but just in case you miss it again....

....

FINALLY - THE BIG CLUE - I'LL TYPE THIS SLOWWWWLLLYYYY FOR YOU - it wasn't the commercial side that annoyed me, its the fact it actively encouraged people to do dumb link clicking for financial / identity transactions off a half assed email sent by a security flawed third party USa provider who has a history of leaking info to spammers and who should never be told anything by the NZ Govt re their dealings with Nz citizens.

If you want your Govt to teach people clicking on third party redirects is ok for identity and financial transaction then feel free to click here: https://realme.govt.nz/FAQ/Security

I'm going to go ahead and ignore your blatant personal attacks there (I would suggest having a read of the FUG though - it's fascinating!)
.....

For every finger point towards me ......
you wrote
"Good lord you're taking this overboard. ..." , ""OH NO THE WORLD IS ENDING. .."
both characterise me as histrionic or over zealous or ... personal attack, not factual comment. however if you feel offended I typed things slowly for you, my apologies.

nunz

1421 posts

Uber Geek
Inactive user

#942521 28-Nov-2013 20:45

insane: I see on their website they are even advising about the mail out

"Look out for our email

RealMe is emailing its login customers (up until Friday 6th December) encouraging customers to upgrade to a RealMe verified account. The email is sent from noreply@realme.govt.nz.

Please note: RealMe will never send you an email asking you for your password."

On a scale of one to ten this isn't too bad, I've seem far more sloppy efforts. I'd rather them not waste more $$$$ on consultants per mail out, that would IMO be even worse.

I'm not a realme customer. no logon, no relationship with realme as far as I can tell. they got me email address from another Govt dept. and they dont need to ask for my password. Scammers just need to get people to put their usernames nad passwords into a site to get what they want.

nunz

1421 posts

Uber Geek
Inactive user

#942522 28-Nov-2013 20:48

Geektastic:
allan:
loceff13: exactly this, they likely also agreed in the iGovt terms to email contact(even from marketers on their behalf) about new products/offers(however this is planned to be more a direct replacement of iGovt from my understanding).

Yes it is a direct replacement

Why did it need replacing?

I used it when I registered a Trade Mark and the only downside was that, because TM registration takes so long, I forgot how to log in...!

The sooner we can just have secure retina or DNA readers attached to our computers and do away with all the vast numbers of user names, passwords etc we are all supposed to remember (which are all supposed to be different..!) the better.

I have to say that I wouldn't be placing much faith in a system organised by the DIA and NZ Post, based on personal experience.

Not retina or finger print scanners - unless of course I could borrow your eyeball sometimes :) DNA is easy to fudge, we are dropping it all the time.

passwords are really quite a secure system (if you use them properly).

It's like those stupid tap and Go cards - surly there is no danger in having a card someone can swipte nad tap as many times as they want to without any form of decent identification. Human interaction - you really cant beat it.

charsleysa

597 posts

Ultimate Geek

#942523 28-Nov-2013 20:50

nunz:
insane: I see on their website they are even advising about the mail out

"Look out for our email

RealMe is emailing its login customers (up until Friday 6th December) encouraging customers to upgrade to a RealMe verified account. The email is sent from noreply@realme.govt.nz.

Please note: RealMe will never send you an email asking you for your password."

On a scale of one to ten this isn't too bad, I've seem far more sloppy efforts. I'd rather them not waste more $$$$ on consultants per mail out, that would IMO be even worse.

I'm not a realme customer. no logon, no relationship with realme as far as I can tell. they got me email address from another Govt dept. and they dont need to ask for my password. Scammers just need to get people to put their usernames nad passwords into a site to get what they want.

Have you ever used iGovt? As it is now RealMe.
Also all Studylink accounts have been ported to RealMe ready accounts AFAIK.

Regards
Stefan Andres Charsley

Kyanar

4089 posts

Uber Geek

ID Verified

Trusted

#943482 30-Nov-2013 19:17

nunz:
I'm not a realme customer. no logon, no relationship with realme as far as I can tell. they got me email address from another Govt dept. and they dont need to ask for my password. Scammers just need to get people to put their usernames nad passwords into a site to get what they want.

Did you, or did you not, have an iGovt account? You seem to be very careful to avoid answering that question which you were asked three times. If yes, then you do indeed have a relationship with the Department of Internal Affairs (who operate Realme, stop trying to refer to it as a separate organisation to confuse the issue - it is DIA). Having a Studylink account means you have one, by the way - for the avoidance of doubt.

If yes (and the answer will be Yes, because otherwise the government with the exception of the GCSB doesn't have your email address) then they are perfectly entitled to email you, even via third party contract agencies - as per the terms of service you agreed to.

It's probably important to note that Realme promotional emails are a lot difference from the transactional emails. Transactional emails are always sent directly from them, and do not include link tracking. Only the promotional emails (which do not really entice you to do anything but look at the site) actually include the link tracking being argued against. And this is par for the course - Westpac, ASB, and so forth also do this. Hell, even PayPal does it now (no, seriously. Sigh).

Side note, saying you're taking this overboard is by no means a personal attack, simply a statement of opinion. However, saying "I'LL TYPE THIS SLLLLOOOOOWWWWLLLLYYYY FOR YOU" is a direct attack on the intelligence and literacy of the person you are speaking to, and therefore is a personal attack. For the avoidance of doubt, what this means is that your post was a personal attack. Apology accepted.

1 | 2 | 3 | 4