Tech Liberty NZ Defending civil liberties in the digital age

The GCSB’s brake on innovation

Posted on February 24, 2015

It started with a Tweet from Steve Cotter, CEO of REANNZ:

Before we go any further let's unpack some of those acronyms and add one more:

So this is a statement by the CEO of a government owned company whose purpose is to "establish and operate the Advanced Network in order to promote education, research and innovation for the benefit of New Zealand" saying that they can't do the research and development work they need to do because the bureaucrats in the NCSC at the GCSB are holding them back.

Apparently the NCSC were willing to help, but the law was inflexible enough that making any significant change - like you might want to do quite frequently on an experimental network - was going to require the full notification and authorisation procedure. When asked for an exemption the reply was that this would be extremely unlikely to be granted.

But wait, there's more

Apparently Google has also been involved with research and development into SDN in New Zealand. We've been told by multiple sources that they were so annoyed by the TICSA's requirements and the NCSC's administration of them that they have closed the New Zealand section of this project and redeployed the hardware to Australia and the USA. This can only be seen as a loss to New Zealand.

This is a problem

We think it's a real worry that companies like Google and REANNZ, who are both pushing the boundaries of network research, are giving up in New Zealand due to the constraints imposed by government legislation.

It's exactly the sort of thing we worried about in our submission to the government about the TICS Bill:

It will introduce a layer of unnecessary bureaucracy and slow down development of services. It will lead to network operators making “safe” choices that they know will be accepted by the GCSB rather than making the best decisions.

Some people have suggested that these companies, REANNZ and Google, just needed to work harder to jump through the NCSC's hoops. The reality is that they obviously thought that this was not worth the effort and they abandoned the work. How many other companies in New Zealand are experiencing these exact same problems and deciding to just give up... or spend their research dollars in countries with a friendlier environment?

We stand by our original position that a spy agency can't intercept traffic on one hand and then provide security advice on the other. We don't believe that New Zealand's national security is enhanced by giving the GCSB more control of our telecommunications networks than any other spy agency has in any other comparable country. We don't believe that network operators should have to answer to a layer of micro-managing government bureaucracy to run their businesses. We think that this is in direct contravention of the GCSB's statutory objective of contributing to the economic well-being of New Zealand.

The TICS Act is proving to be a brake on innovation. It needs to be changed.


More on the story from Juha Saarinen at the NZ Herald.

Tagged as: , , , 2 Comments

Does the new GCSB Bill give them the power to spy on New Zealanders?

Posted on August 13, 2013

There's been a lot of confusion in the media recently about how much the GCSB will be able to spy on New Zealanders when the GCSB Bill passes.

When even Peter Dunne gets it badly wrong in the "Ask Me Anything" article he did in the National Business Review (see q4 from Rick Shera), claiming that they could only spy on NZers on behalf of the Police/SIS/NZDF, we thought we should clear some things up by looking at the legislation.

Note: All references to the legislation are to the version reported back by the Intelligence and Security Committee combined with the changes in Mr Dunne's SOP (PDF).

Spying on behalf

Firstly, everyone agrees that section 8C of the Bill will allow the GCSB to spy on New Zealanders on behalf of the SIS, Police or NZ Defence Force. This is the "giving assistance" part and it appears to be limited to only doing things that the original agency would have the legal authority to do.

Recent changes include more clarity about the GCSB's assistance being subject to the originating agency's oversight (e.g. the Independent Police Complaints Authority for work performed for the Police) and requiring any new agencies to be added by legislation rather than by an Order in Council.

GCSB spying on New Zealanders

The GCSB also has the power do its own spying on New Zealanders as part of its new cybersecurity purpose (defined in section 8A). "to do everything that is necessary or desirable to protect the security and integrity of the communications and information infrastructures".

The main interception powers are granted by section 15A and this makes it very clear that both interception warrants and access authorisations can be granted for the GCSB to spy on New Zealanders under purpose 8A (cybersecurity).

Interception warrants vs access authorisations

It's worth explaining the difference between interception warrants and access authorisations. An interception warrant (15A(1)(a)) is granted to spy on:

  • one or more specific people or a class of person
  • communications made in one or more specific places or classes of place
  • communications sent from or to overseas

An access authorisation (15A(1)(b)) allows the GCSB to access a particular or class of "information infrastructure" which is further defined as "electromagnetic emissions, communications systems and networks, information technology systems and networks, and any communications carried on, contained in, or relating to those emissions, systems, or networks".

Therefore an interception warranted is targeted at a person or place (although the targeting can be very, very broad), whereas an access authorisation allows general access to all the information on a particular computer system, network or phone system, or a specified type of all of those systems.

The only difference between those granted for spying on foreigners and those for spying on New Zealanders, is that the ones targeting New Zealanders have to be signed off by the Commissioner of Security Warrants as well as the Prime Minister. The Commissioner is appointed by the Prime Minister.

Doesn't section 14 stop the GCSB spying on New Zealanders?

The new section 14 only stops the GCSB from spying on New Zealanders for purpose 8B (intelligence gathering and analysis). It does not apply to any surveillance done in relation to cybersecurity (purpose 8A) or done on behalf of other agencies (purpose 8C).

The new section 15C does stop the GCSB deliberately intercepting privileged communications (e.g. to your lawyer). However, see note below about incidentally gained intelligence.

Warrantless spying?

Section 16 of the GCSB Act also allows certain forms of spying without a warrant or access authorisation. However, the bill adds section 16(1A) which says that this cannot be done for the purpose of intercepting the communications of New Zealanders. (See the notes below about metadata and incidentally gained intelligence.)

Putting it all together

So what does all this mean?

Most importantly it clearly shows that the GCSB can spy on New Zealanders for its own purposes without doing it on behalf of another agency.

We see that this has been deliberately set up to allow mass surveillance either now or in the future. For example, the GCSB could apply for an access authorisation for access to "New Zealand's mobile networks" and, after being signed off by the Prime Minister and the Commissioner for Security Warrants, they could then use that access authorisation to collect all phone calls, texts and data sent over the mobile networks.

This collected information could then be analysed and the resulting intelligence given to the Minister and any person, whether in New Zealand or overseas, authorised by the Minister (section 8A(c)).

In theory this activity would have to be done as part of their purpose to "protect the security and integrity of the communications and information infrastructures" but we see that this could be interpreted rather widely.

Other issues

There are also a number of other issues around spying on New Zealanders that we haven't directly addressed in this article:

Metadata - There are a number of places in the bill that put limits on intercepting "private communications", but in the past the GCSB has interpreted that as only including the actual call, not the related data (e.g. when, who, how long, etc). Does this mean that the GCSB still thinks it can collect this metadata without a warrant or access authorisation? The bill is silent on this issue.

Incidentally gained intelligence - when the GCSB does collect information it shouldn't, it can still use that information if it would help prevent or detect serious crime, save lives, or be useful for the security or defence of New Zealand. This is a fairly large loophole in many of the limitations in the Bill.

Access authorisation for the GCSB - section 14 prohibits the GCSB from intercepting NZers private communications for purpose 8B intelligence gathering but they can do so for purpose 8A cybersecurity. Could the GCSB then obtain an access authorisation for access to its own database of already intercepted cybersecurity data for intelligence gathering purposes?

Sharing data overseas - how much of this data can be shared overseas? There appear to be no limits other than that the Minister must approve who it is shared with.

Collecting data from overseas - can the GCSB get data from overseas agencies (e.g. the NSA) that it couldn't legally intercept itself? Can it share data for the purpose of cybersecurity and then be given it back to be used for general intelligence?

What about data that New Zealanders store overseas? - are there different rules for information that New Zealanders store overseas with companies such as Google and Facebook?

Feedback and updates

Think we've got this wrong? Feel free to leave a comment with your interpretation. We'll make any necessary corrections or additions as required.

Speech to the Auckland public meeting against the GCSB Bill

Posted on July 26, 2013

Text of Thomas Beagle's speech to the Urgent Public Meeting to Oppose the GCSB Bill held in Auckland, 25th July, 2013. (Or watch video of all of the speeches.)

 

Introduction

Liberty

I’m from Tech Liberty. We’re a group dedicated to defending civil liberties in the digital age. I want to start by explaining what that means in the context of this bill.

Opposition to the GCSB Bill

Posted on July 22, 2013

Urgent public meeting in Auckland

A public meeting to oppose the GCSB Bill is being held at 7pm Thursday, Auckland 25th July at the Mt Albert War Memorial Hall. Get the flyer (PDF).

GCSB Bill – Oral Submission

Posted on July 3, 2013

Text of our oral submission to the Intelligence and Security Committee concerning the GCSB Bill.

Introduction

I represent Tech Liberty, we’re a group dedicated to defending civil liberties in the digital age.

We see many problems with this bill and the thinking that lies behind it, problems that we described in our written submission. Today I want to concentrate on just a few of those that are particularly central to our group’s reason for existing.

Submission: GCSB Bill

Posted on June 21, 2013

Full text of the Tech Liberty submission to the Intelligence & Security Committee concerning the Government Communications Security Bureau and Related Legislation Amendment Bill.

Summary

Tech Liberty has deep concerns about the extent of the powers granted to the GCSB by this Bill, especially when combined with the proposed changes to the Telecommunications (Interception Capability) Act (2004) contained in the TICS Bill.

We do not believe that the GCSB should be spying on New Zealanders. We are particularly concerned with the Bill’s silence on the GCSB’s existing practice of collecting and analysing metadata.

We do not believe that the GCSB is the right agency to have oversight and control of New Zealand’s telecommunications infrastructure in the name of “cybersecurity”.

We do not believe that the Bill makes any significant improvement to the current woefully inadequate oversight procedures.

We submit that this Bill and the TICS Bill should both be rejected. Rather there needs to be a formal review of New Zealand’s domestic and foreign intelligence requirements.

Will the GCSB ban Apple from New Zealand?

Posted on June 17, 2013

Apple recently released a statement about their cooperation with law enforcement. It includes:

For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data.

[Update: see this discussion about whether this is entirely true.]

Does this mean that Apple will not be complying with New Zealand law?

GCSB’s new powers for wide-spread spying on New Zealanders

Posted on June 9, 2013

There have recently been a number of revelations about the US government spying on its citizenry and other people around the world (a good summary). Many people have been shocked to find out the extent of the US's spying and access into theoretically private systems.

What many New Zealanders don't realise is that the NZ government is currently changing both the GCSB Act of 2003 and the Telecommunications Interception Capability Act of 2004 to allow similar levels of access to New Zealand communications for the GCSB (Government Communications Security Bureau).

Current law

The current TICA law already gives the GCSB, Police or SIS the technical capability to intercept all NZ communications if they have a valid warrant.

The GCSB can get warrants to spy on the communications of foreign people and organisations, although they can spy without a warrant if it doesn't require the installation of any device (e.g. wireless/satellite/radio/mobile).

TICS - Telecommunications Interception Capability and Security Bill

The new TICS Bill clarifies and expands on these interception capabilities. It also allows them to be extended to service providers (people who offer "goods, services, equipment, and facilities that enable or facilitate telecommunication") such as email providers, Trademe forums, Mega, etc.

TICS continues the existing regime where these interception powers can only be accessed with a valid warrant, but keep reading for the new exceptions to this in the GCSB Bill.

Furthermore, the TICS Bill also creates a new role for the GCSB, ensuring the security of New Zealand's telecommunications infrastructure. This includes wide powers of oversight and control of how communications networks are managed and implemented in order to "protect New Zealand's national security or economic wellbeing".

GCSB - Government Communications Security Bureau and Related Legislation Amendment Bill

The new GCSB Bill gives the GCSB three purposes (we'll come back to these):

  • 8A - Information assurance and cybersecurity. (Expanded from protecting government communications to a much wider responsibility for New Zealand's communications.)
  • 8B - Intelligence gathering, analysis and sharing. (Similar to the existing law except that it adds "gathering information about information infrastructures" to the existing spying on foreign people/organisations.)
  • 8C - Helping the Police, SIS and Defence Force by providing advice and assistance in helping them execute their own legally obtained warrants. (This is entirely new.)

The bill doesn't significantly change how the GCSB can apply for an interception or search warrant, but it does add a whole new class of "access authorisation". To quote section 15A(1)( b)

The Director may apply in writing to the Minister for the issue of an access authorisation authorising the accessing of 1 or more specified information infrastructures or classes of information infrastructures that the Bureau cannot otherwise lawfully access.

These authorisations are granted at the whim of the Minister (although see below) and are incredibly wide-ranging and open-ended. There are no recommendations of limits (other than what the Minister sees fit to impose) and there is no automatic expiry. And just in case you thought that the TICA/TICS law might provide some protection, the GCSB Bill goes on to add section 15A(5):

This section applies despite anything in any other Act.

Most importantly these new access authorisations can be used for purpose 8A (cybersecurity) as well as 8B (information gathering). As paragraph 36 of the Regulatory Impact Statement explains: "an amendment will also be required to allow the GCSB to see who (namely NZ individuals and companies) is being attacked". That is to say, the GCSB believes that it needs to be able spy on New Zealanders to maintain ther security. Based on what we know from recent reports in GCSB activities, we assume that the GCSB particularly intends to collect communications metadata (i.e. who speaks to who, when and how often but not what they say).

If you had any doubts about whether this applies to NZ communications, section 15B then further clarifies that for any access authorisations "for the purpose of intercepting the private communications of a New Zealand citizen or permanent resident of New Zealand under section 8A (cybersecurity)" the authorisation must be approved by the Commissioner of Security Warrants as well as the Minister.

And finally if you were hoping that section 14, which controls the ability of the GCSB to target New Zealanders would provide any protection, this only applies when the GCSB is performing duties under section 8B (intelligence gathering) and not section 8A (cybersecurity).

Putting it all together

The GCSB believes it needs to monitor the communications of New Zealanders in order to ensure that it can protect them from attacks.

TICA and TICS establish the technical capability for the GCSB to spy on any communications, subject to the limits in that law and the GCSB Act.

A section 15A(1)(b) access authorisation can give GCSB power to access any communications system it wants for the purpose of spying or information security, irrespective of any legal controls in any other law. This will allow it access to the facilities provided by TICS/TICA.

The GCSB will be spying on New Zealanders.

Conclusion

These new laws are not some minor adjustments to the work of the GCSB and how interception works. They are not just about letting the GCSB provide technical assistance to the Police, SIS and Defence Force.

While people in the USA are getting upset about the revelations of the extent of NSA spying there, these new laws give the GCSB far greater control of New Zealand communications networks, and practically unlimited capacity to intercept New Zealand communications.

These new laws are the point at which New Zealand switches from being a society that investigates "bad guys" subject to judicial oversight, to being a surveillance state where the government is always watching and recording everyone just in case they're thinking about doing anything wrong.

We don't want to live in that society. We believe that these new laws contravene the right in the NZ Bill of Rights to be free from unreasonable search and seizure, and will have a chilling effect on the rights to free expression and freedom of association.

We think that these laws need to be stopped.

Does the TICS Bill really give the GCSB control and oversight of NZ telecommunications?

Posted on May 10, 2013

After our recent article looking at the TICS (Telecommunications Interception Capability & Security Bill), we were contacted by Brad Ward, the Programme Manager of the Telecommunication Review at the Ministry of Business, Innovation and Employment (MoBIE).

He had some issues with what we wrote, and in particular he rejected our claim that the bill gave the GCSB sweeping new powers of oversight and control over NZ telecommunictions networks, writing that (emphasis added):

The new formal framework for network security does not give “sweeping powers of oversight and control” to the GCSB, and it does not give the GCSB “final control of network design and operation.”

The GCSB already works in partnership with network operators on network security issues, to agree on measures that are proportionate and risk-based. The Bill will formalise and build on this existing approach.

The Bill emphasises that network operators and the GCSB are to work cooperatively and collaboratively on identifying and addressing network security risks.

In the event that the network operator and the GCSB are unable to agree, the Bill establishes a Ministerial direction power that can be used where significant national security concerns are involved, and as a last resort. This Ministerial power relates to network security issues.

The GCSB would apply to the Minister responsible for the GCSB to direct a network operator to take specific steps to prevent, mitigate or remove the security risk.

The Minister can receive any submissions on this directly from the network operator, and is required to consult with the Minister for Communications and Information Technology and the Minister of Trade.

When exercising the direction power, the Minister is required to take into account the principle that the direction should be proportionate to the network security risk. This means considering whether costs would be higher than reasonably required to address the risk, and whether there would be undue harm to competition or innovation in telecommunications markets.

Looking at the law

Firstly, while it is nice that the Bill suggests that network operators should work in partnership with the GCSB over security, the reality is that there is no choice. Let's quote section 45(1):

A network operator must engage with the Director as soon as practicable after becoming aware of any network security risk, or proposed decision, course of action, or change that may raise a network security risk.

A network security risk is defined as: "any actual or potential security risk arising from (a) the design, build, or operation of a public telecommunications network; or (b) any interconnection to or between public telecommunications networks in New Zealand or with telecommunications networks overseas".

Further more in section 47(1) (edited for clarity/length), "a network operator must notify the Director of any proposed decision, course of action, or change made by or on behalf of the network operator regarding procurement of..., changes to..., and ownership control... of anything that falls within an area of specified security interest."

This applies to areas of specified security interest which are defined in section 45(1) as (slightly edited for clarity) "network operations centres, lawful intercept equipment, any part of a public telecommunications network that manages or stores aggregated customer information or administration authentication credentials, and any place in a network where data aggregates in large volumes being either data in transit or stored data".

The compliance process

So, what happens after this engagement/notification if the GCSB thinks it would raise a network security risk? Sections 49 to 54 have the process:

  1. Director of the GCSB notifies the network operator and then again in writing in s49(1)(a) and s49(2)
  2. Network operator must immediately stop work. s49(1)(b)
  3. Network operator can propose an alternative. a49(3)
  4. GCSB considers the network operator's proposed alternative and possibly accepts it. s50(1) and s50(2)
  5. Network operator must implement the response. s51
  6. If the GCSB is not happy with the proposal it may refer the matter to the Minister (the Prime Minister normally has responsibility for the GCSB) to make a direction. s52
  7. Network operator may choose to make a submission to the Minister. s53(2)(b)
  8. The Minister must consult with the Minister for Communications & Information technology and the Minister of Trade. s54(3)
  9. The Minister may direct the network operator to either cease/refrain from an activity or make changes to or remove any system or operation on the network. s54(2)
  10. If the network operator refuses to comply with an s54 Ministerial direction, this is treated as serious non-compliance. s82(b)
  11. The GCSB can servce an enforcement notice on the network operator. s85(2)
  12. The GCSB can apply to the High Court for a court order. s86(1)
  13. The High Court can make an order (subject to normal apeals). s87
  14. The High Court can make the network operator pay a fine of up to $500,000 and/or $50,000 per day of continuing non-compliance. s92 and s93

In other words, the Bill may suggest that the GCSB and network operators should cooperate, but the content of the law and the procedure I have just outlined makes it very clear to everyone involved where the power really lies. Indeed, the expectation that network operators will do what they're told is so clear that we wouldn't expect any fines to be issued because there won't be a lot of point fighting any directions from the GCSB.

But it's only security issues!

Now one might claim as Brad Ward has that "This Ministerial power relates to network security issues."

However when it comes to network design and operation, everything has an impact on network security. What you buy, what systems they run, who you buy them from, how they get delivered to you, where they're installed, how they're configured, who you've employed, how well they're trained, etc, etc, etc - network security is not one attribute but is a product of the system as whole.

Conclusion

We stand by our original statement that the TICS Bill as written will give the GCSB sweeping powers of oversight and control over New Zealand telecommunications networks.

One final point of interest is - why is a government bureaucrat trying to deny this is the case? Does the Bill as written not reflect the intention of the people who wrote it, or is this a case of the government trying to pull the wool over people's eyes?

Govt proposes GCSB control over NZ communications in new TICS Bill

Posted on May 8, 2013

The government has announced two new Bills for reforming the GCSB and expanding their powers. The first is the GCSB and Related Legislation Amendment Bill (PDF) and the second is the Telecommunications (Interception Capability and Security) Bill (PDF).

This article is a summary of the major parts of the TICS Bill.

The TICS Bill is a replacement for the Telecommunications (Interception Capability) Act 2004. This law forced communications providers (ISPs, telcos, data networks, etc) to provide "lawful intercept" capabilities so that the Police, SIS and GCSB could access communications once they had a suitable warrant. The new bill expands and clarifies these requirements.

However, the addition of the word "security" is the key to what has changed. The new bill now gives the GCSB sweeping powers of oversight and control over the design, deployment and operation of all data and telecommunications networks run by network providers in New Zealand. The stated reasons are to both protect New Zealand's infrastructure and to ensure that surveillance agencies can spy on traffic when required. As part of this, the GCSB will have the power to stop network providers from reselling overseas services that do not provide these capabilities.

Summary of major elements of the TICS Bill

Interception

From the Bill:

A network operator must ensure that every public telecommunications network that the operator owns, controls, or operates, and every telecommunications service that the operator provides in New Zealand, has full interception capability.

Note that the surveillance agencies still need to have a legally issued warrant (under the Search & Surveillance Act, NZ SIS Act, or GCSB Act) to actually intercept any communications and there are obligations to avoid capturing communications that are not covered by the warrant.

The new Bill splits communications providers into multiple classes, with small, wholesale and infrastructure providers having reduced obligations. Providers must either have a full intercept capability, to be "intercept ready", or to be "intercept accessible". Membership of these classes can be varied by direction of the Minister.

The Bill specifies that the law applies to companies whether based in New Zealand or overseas. It then goes on to give the Minister the power to ban the resale of an off-shore telecommunications service in New Zealand if it does not provide interception capabilities. This could stop the resale of foreign-hosted VPNs, instant message services, email, etc.

Finally, there is more detail about how intercepted data should be formatted and delivered (apparently this has caused problems under the existing law).

Encryption and decryption

Network operators must decrypt the intercepted communications if they have provided the encryption, but there is no obligation to do so if the encryption is provided by others.

What does this mean for providers such as Mega (file locker) or LastPass (password storage) who have a business model based on the fact that they supply a cloud product that uses encryption but have deliberately designed it so that they can not decrypt the files themselves? This gives users the assurance that they can trust them with their data. Will the government close them down unless they provide a backdoor into the system?

Network security

There is a major new role for the GCSB in overseeing the design and operation of commercially available data and voice communications networks.

The Bill says that network providers and the GCSB are to work co-operatively and collaboratively on identifying and addressing network risks. If they fail to cooperate sufficiently, the law provides for penalties of up to $500,000 with an additional $50,000 per day.

Network operators must notify the GCSB of any proposed decision, course of action or changes made by them in regards to purchases, network changes or ownership/control of the "specified security interest". This includes their network operations centre (NOC), lawful intercept equipment, customer databases, databases of user accounts, and "any place where data aggregates in large volumes".

The GCSB can also demand any other information about the security and interception capabilities of the network including copies of contracts, specifications, and so on. That the information is commercially sensitive or held in confidence is not a defense.

Compliance

All network operators will have to register themselves with the government. The register will be administered by the Police and available to the Police, SIS and GCSB.

The register will include the numbers of customers, names of responsible contact people within the organisation, the regions they operate in and the types of services they provide. Providers of infrastructure services (e.g. companies that provide fibre links but not the equipment for communicating over those links) will also have to give the names of their customers to the register. There are penalties for non-compliance.

The government can insist that communications providers must obtain secret-level security clearances for some of their staff. It does not say what will happen if none of the technical staff qualify for a security clearance.

Liability and protecting classified information

People who do any act in good faith under the new law will be protected from subsequent prosecution or lawsuits. i.e. the new law is superior to other NZ laws or existing contracts.

There is also a provision that allows the courts to receive classified information in a court case in the absence of the defendant or the defendant's lawyer. This applies to information that might reveal details of the interception methods used by the surveillance agency or is about particular operations in relation to any of the functions of the surveillance agency, or is provided as secret information from the surveillance agencies of another country. It can also be used if that disclosure would prejudice security of NZ, prejudice the maintenance of law, or endanger the safety of any person. The judge in the case can appoint someone with an appropriate security clearance to represent the interests of the defendant for these parts of the trial.

Analysis and comment

The new TICS Bill is a major expansion of government power over the internet and other communications networks in New Zealand. While the existing TICA Act already mandated the provision of lawful intercept capabilities, handing over final control of network design and operation to the GCSB in the name of "security" seems incredibly wide and open ended.

Adding an additional level of government bureaucracy to the design and operation of these systems would appear to be a fairly significant hindrance to the ability of network operators to run their businesses.

There also must be concern about the GCSB being able to ban the resale of any services that do not provide lawful intercept capability. This means that New Zealanders will be prevented from protecting their communications from the New Zealand government - but equally they will be prevented from protecting their communications from foreign governments too. (We can safely assume that a foreign service that gives access to the NZ govt will also provide it to others.) These rules could wipe out businesses such as file lockers and password stores that rely on providing secure storage to their users.

One must ask where the justification for this expansion of power is coming from. Has New Zealand already been materially affected by attacks on our communications infrastructure? It seems clear that while the GCSB may not be that competent at exercising the powers they already have, they have done a fine job of convincing the government that they can handle a lot more.

There are many other parts of concern and there will need to be more analysis of the interception capabilities in conjunction with the new GCSB bill. One that does stick out as particularly offensive to civil liberties are the provisions for convicting people based on secret evidence. How can you defend yourself fairly when you can't even find out the evidence presented against you?

We will be doing further work on analysing this bill and would welcome contributions, particularly from those within the industry who already have experience working with TICA requirements.