New Zealand's Mandatory Buyback Program Leaked Gun Owners' Personal Info

Law enforcement betrayed the trust of gun owners who were doing their best to comply with government-mandated confiscation.


Law-abiding gun owners who complied with New Zealand's mandatory gun buyback program and surrendered their assault weapons to the government discovered Monday that their privacy had been compromised by poor website security.

This week, the police website for New Zealand's mandatory military-style semi-automatic assault weapons (MSSA) buyback was taken offline after a gun dealer told law enforcement that he was able to access users' personal information through the site. This info included the names, addresses, dates of birth, gun license numbers, and bank account details of users. As many as 38,000 site users may have been affected, and the website will remain shut down until police can guarantee that the information is secure. Law enforcement currently believes that only dealer users had access to the sensitive information, not the public.

New Zealand implemented its gun buyback program after a March 15 attack on two mosques in Christchurch left 51 people dead. Six days after the attack, Prime Minister Jacinda Ardern announced that all military-style firearms, like the ones the killer had used, would be banned, in addition to large-capacity magazines and any parts that would make a gun readily convertible into an MSSA (such as telescoping stocks). The ban passed through New Zealand's parliament, 119-1, in April. Those who owned these guns or accessories were ordered to surrender them to the government.

The Guardian reported that the security breach was made public when the Council of Licensed Firearms Owners (COLFO), a gun lobby group, revealed that 15 people had reached out to them claiming that they were able to access users' personal information through the buyback portal. The group posted screenshots of the information one of the users had shared with COLFO (the identifying information has been redacted).

COLFO tells Reason that the organization is currently in the process of contacting the 19 individuals who claim to have been able to access sensitive information on the buyback website to "ascertain the extent of the access" each individual had.

New Zealand's deputy police commissioner, Mike Clement, placed the blame for the breach on SAP, the German company that custom-built the website for the buyback. Clement said that SAP had unintentionally provided some users with greater access to other users' personal data than should have been possible when it updated the site and that he could not "offer an absolute ironclad" assurance that users' information had not been abused.

SAP has since claimed responsibility, stating that 66 gun dealer users had accidentally been given access to other users' private information as a result of human error last week.

New Zealand's buyback program gives citizens the option to surrender their weapons to gun dealers after they fill out an online form with details about their firearms. New Zealand has no reliable registration records of MSSAs because previous laws made the country's registration process relatively easy to skirt, so the form helps fill in those gaps. The individual then surrenders their arms to a dealer, who turns the surrendered items over to law enforcement. Dealers are not supposed to have access to individuals' personal information. In other words, law enforcement betrayed the trust of gun owners who were doing their best to comply with a government-mandated confiscation program.

Roughly 43,000 weapons had been turned in through the buyback so far. The program seeks to completely eradicate the estimated 175,000 MSSAs in private hands by December 20, after which police will begin prosecuting people who have not surrendered their weapons. With only 16 days of the buyback left, only about 25 percent of the guns estimated to be in private hands have been voluntarily surrendered. The owners of the other 75 percent of New Zealand's MSSAs could face up to three years in prison or a $4,000 fine if they fail to meet the deadline.

The police already think that many people will refuse to surrender their newly-banned firearms. A data breach compromising the personal information of gun owners who complied with the law will surely encourage further noncompliance from those who were already resistant to the idea of turning in their guns.