Tech Liberty NZ Defending civil liberties in the digital age

TICS – Second spy law passes

Posted on November 5, 2013

The Telecommunications Interception Capability and Security Bill has now passed the third reading in Parliament by a vote of 61 to 59 (National, United Future and ACT voted for it).

See our earlier coverage for more about what's wrong with the TICS Bill and how it has changed over time.

The bill codifies the government's assertion that all digital communications (which is increasingly becoming equivalent to "all communications") must be accessible by government agencies. The limits imposed are minimal and laws such as the GCSB Act override any limits included in TICS anyway.

Furthermore, to ensure that the government can do this, the GCSB will now have oversight of the design and operation of New Zealand's communications networks. They will be able to veto any decision made by the network operators that might impact on security or, more likely, limit their ability to spy as they see fit.

It seems odd that our government is passing these laws at the same time that the world is reacting to the Snowden revelations and people in New Zealand are starting to realise just how New Zealand is tied into these global spy networks through our membership of the Five Eyes (USA, UK, Australia, Canada, NZ).

Rather than take the opportunity to rethink NZ's surveillance on both local and foreign targets, the government has chosen to extend the powers of our spy agencies while refusing to make any significant improvements to their oversight.

We accept the need for some forms of spying and surveillance (especially by the Police to catch law breakers) when they have suitable oversight, but we are generally disappointed that the laws passed over the last few years have been focused on enacting surveillance agencies' wishlists rather than thinking about how to protect New Zealanders' civil liberties.

Changes to the TICS Bill

Posted on October 16, 2013

The TICS Bill (Telecommunications Interception Capability and Security), a partner to the GCSB Bill that has already been passed, is progressing through Parliament. See our round-up of articles about the Bill.

The Bill has been modified twice:

  1. The Bill as reported back (PDF) by the Law & Order Select Committee on 19/9/2013.
  2. A supplementary order paper added by the government on 15/10/2013.

The government has also provided two further documents:

As reported back by the select committee

The Law & Order Select Committee made a number of minor changes to the Bill. Many of the changes are tweaks to the drafting that have no substantive effect, while others are minor technical changes to improve clarity or streamline procedures.

Even those that do attempt to make changes are fairly weak. E.g. the Director of the GCSB will now have the duty to make decisions about network security "as soon as practicable".

There are no substantive changes worth reporting.

Supplementary order paper 366

As reported in the press release from Amy Adams, the SOP makes the following changes:

  • Clause 39, allowing the Minister to forbid the resale of a foreign service that doesn't allow interception, has been removed. This is a good change as the clause was basically unusable - no one really thought that the Minister was going to, for example, ban the sale of Apple products in NZ.
  • The GCSB's oversight of network providers has been further cleaned up in an attempt to make it workable, and the Minister can now make regulations about the timeframes for decisions.
  • The press release says "it is also proposed to narrow the scope of the matters that must be notified to the GCSB, reducing compliance costs for network operators". The words "any change" have now been replaced by "any change to the architecture", which would mean that minor changes would not have to be notified. However, the word "acquisition" has been added alongside procurement, thus extending the scope to systems that have not been through the normal procurement process (i.e. developed in-house or using free software).
  • Adds an additional step before the Minister can make a direction to a network provider about how they should run their business. The Commissioner of Security Warrants will now be required to carry out their own analysis of the GCSB's risk assessment. The Minister will also have to take into account any cost or competition implications for the network provider.
  • Acknowledges that some foreign-based service providers will not be able to provide assistance as required in clause 24 due to their own laws.

Tech Liberty comment

The changes to the Bill are largely tweaks designed to improve how the bill works rather than the product of any rethinking of what the government should or shouldn't be doing. Even the removal of section 39, which allowed the minister to ban the resale of foreign services, is fairly irrelevant as that part of the law was unworkable anyway.

There is no evidence that the revelations about the extent of government spying in our intelligence allies, the USA and UK, have had any impact on the TICS Bill which is still mainly concerned about making sure that all electronic communications in New Zealand can be exposed to government scrutiny.

The government is also still pressing on with their intention of giving the GCSB overarching control of New Zealand's voice and data networks. Again there have been some minor changes and shifts in emphasis, but network providers will still be obliged to get GCSB permission to expand or modify their communications infrastructure. The government claims that this is about improving security but it is also clearly about maintaining the ability of the Police, SIS and GCSB to spy on New Zealanders. How the GCSB will handle the tension between surveillance and security is yet to be seen.

One interesting element that hasn't changed is section 10(3) which obliges a network provider to decrypt a telecommunication where the network operator has provided that encryption. A number of submitters said that this was unclear - what about services such as Mega or LastPass that provide the encryption but don't have access to the key as it is chosen by the user? The clause could be read to say that this was no defence and that the network operators would have to engineer in security backdoors or risk being fined. The government's decision not to clarify this would seem to indicate that this is the intention.

The future

We believe that changes in technology mean we need to rethink surveillance, search warrants and interception. We also fear that the cold war heritage of our security services unreasonably influences their thinking and their operations.

We support the idea of an inquiry into our intelligence services to ensure that what they do and how they do it are in the best interests of New Zealanders. We also support the idea that just because something is technically possible, it doesn't necessarily mean that we should do it. There needs to be limits on surveillance to protect important rights, such as freedom of expression and freedom of association.

We have started our own project to develop a set of suitable laws and safeguards for surveillance and spying in New Zealand. Informed by the principles at Necessary and Proportionate, we want to come up with some solutions to the hard questions that we're all being confronted with. Please contact us if you'd like to be involved in this effort.

Next: the TICS Bill

Posted on August 22, 2013

The GCSB Bill has now been passed by Parliament.

Next up is the Telecommunications (Interception Capability and Security) Bill, also known as the TICS Bill. This is an update of the Telecommunications (Interception Capability) Act (2004) that forced communications providers (ISPs, telcos, data networks, etc) to provide "lawful intercept" capabilities so that the Police, SIS and GCSB could access communications once they had a suitable warrant. The new bill expands and clarifies these requirements.

However, the addition of the word "security" is the key to what has changed. The new bill now gives the GCSB sweeping powers of oversight and control over the design, deployment and operation of all data and telecommunications networks run by network providers in New Zealand. The stated reasons are to both protect New Zealand's infrastructure and to ensure that surveillance agencies can spy on traffic when required. As part of this, the GCSB will have the power to stop network providers from reselling overseas services that do not provide these capabilities.

The bill has passed the first reading and is expected to be reported back from the Law & Order Select Committee on the 20th of September.

Tech Liberty articles

We've written about this bill and also made a written and oral submission to the Law and Order Select Committee. Here's a list of our articles in publication order:

Other articles worth reading


TICS Bill – Oral Submission

Posted on July 10, 2013

Text of our submission to the Law and Order Select Committee re the Telecommunications (Interception Capability & Security) Bill.

 

Introduction

I represent Tech Liberty, we’re a group dedicated to defending civil liberties in the digital age.

In general we support the ability of the government to have interception capabilities on telecommunications where possible, when those interception capabilities have suitable oversight and control. However we fear that technological development is slowly making this lawful intercept regime increasingly irrelevant.

We’ll be addressing this and some other elements of the first two parts of the bill, before talking about the proposal to make the GCSB responsible for cyber security in New Zealand.

Does the TICS Bill really give the GCSB control and oversight of NZ telecommunications?

Posted on May 10, 2013

After our recent article looking at the TICS (Telecommunications Interception Capability & Security Bill), we were contacted by Brad Ward, the Programme Manager of the Telecommunication Review at the Ministry of Business, Innovation and Employment (MoBIE).

He had some issues with what we wrote, and in particular he rejected our claim that the bill gave the GCSB sweeping new powers of oversight and control over NZ telecommunications networks, writing that (emphasis added):

The new formal framework for network security does not give “sweeping powers of oversight and control” to the GCSB, and it does not give the GCSB “final control of network design and operation.”

The GCSB already works in partnership with network operators on network security issues, to agree on measures that are proportionate and risk-based. The Bill will formalise and build on this existing approach.

The Bill emphasises that network operators and the GCSB are to work cooperatively and collaboratively on identifying and addressing network security risks.

In the event that the network operator and the GCSB are unable to agree, the Bill establishes a Ministerial direction power that can be used where significant national security concerns are involved, and as a last resort. This Ministerial power relates to network security issues.

The GCSB would apply to the Minister responsible for the GCSB to direct a network operator to take specific steps to prevent, mitigate or remove the security risk.

The Minister can receive any submissions on this directly from the network operator, and is required to consult with the Minister for Communications and Information Technology and the Minister of Trade.

When exercising the direction power, the Minister is required to take into account the principle that the direction should be proportionate to the network security risk. This means considering whether costs would be higher than reasonably required to address the risk, and whether there would be undue harm to competition or innovation in telecommunications markets.

Looking at the law

Firstly, while it is nice that the Bill suggests that network operators should work in partnership with the GCSB over security, the reality is that there is no choice. Let's quote section 45(1):

A network operator must engage with the Director as soon as practicable after becoming aware of any network security risk, or proposed decision, course of action, or change that may raise a network security risk.

A network security risk is defined as: "any actual or potential security risk arising from (a) the design, build, or operation of a public telecommunications network; or (b) any interconnection to or between public telecommunications networks in New Zealand or with telecommunications networks overseas".

Furthermore, in section 47(1) (edited for clarity/length), "a network operator must notify the Director of any proposed decision, course of action, or change made by or on behalf of the network operator regarding procurement of..., changes to..., and ownership control... of anything that falls within an area of specified security interest."

This applies to areas of specified security interest which are defined in section 45(1) as (slightly edited for clarity) "network operations centres, lawful intercept equipment, any part of a public telecommunications network that manages or stores aggregated customer information or administration authentication credentials, and any place in a network where data aggregates in large volumes being either data in transit or stored data".

The compliance process

So, what happens after this engagement/notification if the GCSB thinks it would raise a network security risk? Sections 49 to 54 have the process:

  1. Director of the GCSB notifies the network operator, and then again in writing. s49(1)(a) and s49(2)
  2. Network operator must immediately stop work. s49(1)(b)
  3. Network operator can propose an alternative. s49(3)
  4. GCSB considers the network operator's proposed alternative and possibly accepts it. s50(1) and s50(2)
  5. Network operator must implement the response. s51
  6. If the GCSB is not happy with the proposal it may refer the matter to the Minister (the Prime Minister normally has responsibility for the GCSB) to make a direction. s52
  7. Network operator may choose to make a submission to the Minister. s53(2)(b)
  8. The Minister must consult with the Minister for Communications & Information technology and the Minister of Trade. s54(3)
  9. The Minister may direct the network operator to either cease/refrain from an activity or make changes to or remove any system or operation on the network. s54(2)
  10. If the network operator refuses to comply with an s54 Ministerial direction, this is treated as serious non-compliance. s82(b)
  11. The GCSB can serve an enforcement notice on the network operator. s85(2)
  12. The GCSB can apply to the High Court for a court order. s86(1)
  13. The High Court can make an order (subject to normal appeals). s87
  14. The High Court can make the network operator pay a fine of up to $500,000 and/or $50,000 per day of continuing non-compliance. s92 and s93

In other words, the Bill may suggest that the GCSB and network operators should cooperate, but the content of the law and the procedure I have just outlined make it very clear to everyone involved where the power really lies. Indeed, the expectation that network operators will do what they're told is so clear that we wouldn't expect any fines to be issued because there won't be a lot of point fighting any directions from the GCSB.

But it's only security issues!

Now one might claim as Brad Ward has that "This Ministerial power relates to network security issues."

However, when it comes to network design and operation, everything has an impact on network security. What you buy, what systems they run, who you buy them from, how they get delivered to you, where they're installed, how they're configured, who you've employed, how well they're trained, etc, etc, etc - network security is not one attribute but is a product of the system as a whole.

Conclusion

We stand by our original statement that the TICS Bill as written will give the GCSB sweeping powers of oversight and control over New Zealand telecommunications networks.

One final point of interest is - why is a government bureaucrat trying to deny this is the case? Does the Bill as written not reflect the intention of the people who wrote it, or is this a case of the government trying to pull the wool over people's eyes?

Govt proposes GCSB control over NZ communications in new TICS Bill

Posted on May 8, 2013

The government has announced two new Bills for reforming the GCSB and expanding their powers. The first is the GCSB and Related Legislation Amendment Bill (PDF) and the second is the Telecommunications (Interception Capability and Security) Bill (PDF).

This article is a summary of the major parts of the TICS Bill.

The TICS Bill is a replacement for the Telecommunications (Interception Capability) Act 2004. This law forced communications providers (ISPs, telcos, data networks, etc) to provide "lawful intercept" capabilities so that the Police, SIS and GCSB could access communications once they had a suitable warrant. The new bill expands and clarifies these requirements.

However, the addition of the word "security" is the key to what has changed. The new bill now gives the GCSB sweeping powers of oversight and control over the design, deployment and operation of all data and telecommunications networks run by network providers in New Zealand. The stated reasons are to both protect New Zealand's infrastructure and to ensure that surveillance agencies can spy on traffic when required. As part of this, the GCSB will have the power to stop network providers from reselling overseas services that do not provide these capabilities.

Summary of major elements of the TICS Bill

Interception

From the Bill:

A network operator must ensure that every public telecommunications network that the operator owns, controls, or operates, and every telecommunications service that the operator provides in New Zealand, has full interception capability.

Note that the surveillance agencies still need to have a legally issued warrant (under the Search & Surveillance Act, NZ SIS Act, or GCSB Act) to actually intercept any communications and there are obligations to avoid capturing communications that are not covered by the warrant.

The new Bill splits communications providers into multiple classes, with small, wholesale and infrastructure providers having reduced obligations. Providers must either have a full intercept capability, be "intercept ready", or be "intercept accessible". Membership of these classes can be varied by direction of the Minister.

The Bill specifies that the law applies to companies whether based in New Zealand or overseas. It then goes on to give the Minister the power to ban the resale of an off-shore telecommunications service in New Zealand if it does not provide interception capabilities. This could stop the resale of foreign-hosted VPNs, instant message services, email, etc.

Finally, there is more detail about how intercepted data should be formatted and delivered (apparently this has caused problems under the existing law).

Encryption and decryption

Network operators must decrypt the intercepted communications if they have provided the encryption, but there is no obligation to do so if the encryption is provided by others.

What does this mean for providers such as Mega (file locker) or LastPass (password storage) who have a business model based on the fact that they supply a cloud product that uses encryption but have deliberately designed it so that they can not decrypt the files themselves? This gives users the assurance that they can trust them with their data. Will the government close them down unless they provide a backdoor into the system?

Network security

There is a major new role for the GCSB in overseeing the design and operation of commercially available data and voice communications networks.

The Bill says that network providers and the GCSB are to work co-operatively and collaboratively on identifying and addressing network risks. If they fail to cooperate sufficiently, the law provides for penalties of up to $500,000 with an additional $50,000 per day.

Network operators must notify the GCSB of any proposed decision, course of action or changes made by them in regards to purchases, network changes or ownership/control of the "specified security interest". This includes their network operations centre (NOC), lawful intercept equipment, customer databases, databases of user accounts, and "any place where data aggregates in large volumes".

The GCSB can also demand any other information about the security and interception capabilities of the network including copies of contracts, specifications, and so on. That the information is commercially sensitive or held in confidence is not a defense.

Compliance

All network operators will have to register themselves with the government. The register will be administered by the Police and available to the Police, SIS and GCSB.

The register will include the numbers of customers, names of responsible contact people within the organisation, the regions they operate in and the types of services they provide. Providers of infrastructure services (e.g. companies that provide fibre links but not the equipment for communicating over those links) will also have to give the names of their customers to the register. There are penalties for non-compliance.

The government can insist that communications providers must obtain secret-level security clearances for some of their staff. It does not say what will happen if none of the technical staff qualify for a security clearance.

Liability and protecting classified information

People who do any act in good faith under the new law will be protected from subsequent prosecution or lawsuits, i.e. the new law is superior to other NZ laws or existing contracts.

There is also a provision that allows the courts to receive classified information in a court case in the absence of the defendant or the defendant's lawyer. This applies to information that might reveal details of the interception methods used by the surveillance agency or is about particular operations in relation to any of the functions of the surveillance agency, or is provided as secret information from the surveillance agencies of another country. It can also be used if that disclosure would prejudice security of NZ, prejudice the maintenance of law, or endanger the safety of any person. The judge in the case can appoint someone with an appropriate security clearance to represent the interests of the defendant for these parts of the trial.

Analysis and comment

The new TICS Bill is a major expansion of government power over the internet and other communications networks in New Zealand. While the existing TICA Act already mandated the provision of lawful intercept capabilities, handing over final control of network design and operation to the GCSB in the name of "security" seems incredibly wide and open ended.

Adding an additional level of government bureaucracy to the design and operation of these systems would appear to be a fairly significant hindrance to the ability of network operators to run their businesses.

There also must be concern about the GCSB being able to ban the resale of any services that do not provide lawful intercept capability. This means that New Zealanders will be prevented from protecting their communications from the New Zealand government - but equally they will be prevented from protecting their communications from foreign governments too. (We can safely assume that a foreign service that gives access to the NZ govt will also provide it to others.) These rules could wipe out businesses such as file lockers and password stores that rely on providing secure storage to their users.

One must ask where the justification for this expansion of power is coming from. Has New Zealand already been materially affected by attacks on our communications infrastructure? It seems clear that while the GCSB may not be that competent at exercising the powers they already have, they have done a fine job of convincing the government that they can handle a lot more.

There are many other parts of concern and there will need to be more analysis of the interception capabilities in conjunction with the new GCSB bill. One part that does stick out as particularly offensive to civil liberties is the provisions for convicting people based on secret evidence. How can you defend yourself fairly when you can't even find out the evidence presented against you?

We will be doing further work on analysing this bill and would welcome contributions, particularly from those within the industry who already have experience working with TICA requirements.

The GCSB’s brake on innovation

Posted on February 24, 2015

It started with a Tweet from Steve Cotter, CEO of REANNZ:

Before we go any further let's unpack some of those acronyms and add one more:

So this is a statement by the CEO of a government owned company whose purpose is to "establish and operate the Advanced Network in order to promote education, research and innovation for the benefit of New Zealand" saying that they can't do the research and development work they need to do because the bureaucrats in the NCSC at the GCSB are holding them back.

Apparently the NCSC were willing to help, but the law was inflexible enough that making any significant change - like you might want to do quite frequently on an experimental network - was going to require the full notification and authorisation procedure. When asked for an exemption the reply was that this would be extremely unlikely to be granted.

But wait, there's more

Apparently Google has also been involved with research and development into SDN in New Zealand. We've been told by multiple sources that they were so annoyed by the TICSA's requirements and the NCSC's administration of them that they have closed the New Zealand section of this project and redeployed the hardware to Australia and the USA. This can only be seen as a loss to New Zealand.

This is a problem

We think it's a real worry that companies like Google and REANNZ, who are both pushing the boundaries of network research, are giving up in New Zealand due to the constraints imposed by government legislation.

It's exactly the sort of thing we worried about in our submission to the government about the TICS Bill:

It will introduce a layer of unnecessary bureaucracy and slow down development of services. It will lead to network operators making “safe” choices that they know will be accepted by the GCSB rather than making the best decisions.

Some people have suggested that these companies, REANNZ and Google, just needed to work harder to jump through the NCSC's hoops. The reality is that they obviously thought that this was not worth the effort and they abandoned the work. How many other companies in New Zealand are experiencing these exact same problems and deciding to just give up... or spend their research dollars in countries with a friendlier environment?

We stand by our original position that a spy agency can't intercept traffic on one hand and then provide security advice on the other. We don't believe that New Zealand's national security is enhanced by giving the GCSB more control of our telecommunications networks than any other spy agency has in any other comparable country. We don't believe that network operators should have to answer to a layer of micro-managing government bureaucracy to run their businesses. We think that this is in direct contravention of the GCSB's statutory objective of contributing to the economic well-being of New Zealand.

The TICS Act is proving to be a brake on innovation. It needs to be changed.


More on the story from Juha Saarinen at the NZ Herald.


HDC Bill: oral submission

Posted on March 26, 2014

We made an oral submission to the Justice and Electoral Select Committee about the Harmful Digital Communications Bill as a follow-up to our written submission.

This oral submission concentrated on two misconceptions that we see as underpinning the bill: that speech should never harm anyone, and that different rules should apply to speech online and offline.

We then discussed problems with the effectiveness of the bill - and how it might not be that useful for victims of digital harms but might be quite handy for people who want to suppress the views of others.

Submission: Harmful Digital Communications Bill

Posted on February 21, 2014

Text of the Tech Liberty submission to the Justice and Electoral Select Committee concerning the Harmful Digital Communications Bill. (Or download PDF of original version with footnotes.)

Summary

We believe that this Bill is based on false premises about the nature of freedom of expression and the differences between digital and non-digital speech. We see the Bill as being a well-meaning but misguided threat to the civil liberties of New Zealanders. We fear that the Bill will be ineffective in too many cases where it might be needed most, while being too effective in the cases which are most problematic to civil liberties.

We support the establishment of an agency to assist those harmed by harmful communications and believe that this will go a long way to resolving the types of situations that can be resolved.

We believe that the court proceedings are unfair and unlikely to be of much use. We support the discretion and guidelines given to the court in making a judgement, but believe that the procedures of the court need to better take into account the requirements for a fair trial.

The safe harbour provisions for online content hosts are unreasonable. While online content hosts do need protection from liability, the suggested mechanism amounts to a way that any person can get material taken down that they don’t like for any trivial reason. This section needs to be completely rethought in the context of overseas experiences to ensure that freedom of expression is properly protected.

The new offence of causing harm is poorly conceived and criminalises many communications that are of value to society. If not removed in its entirety, defences and an overriding Bill of Rights veto should be added.

We have also made comments on the changes to the Harassment and Crimes Acts.

Safe harbours in HDC Bill are a threat to freedom of expression

Posted on November 21, 2013

The safe harbour provisions in the Harmful Digital Communications Bill are a serious threat to online freedom of speech in New Zealand.

How it works

Anyone can complain to an online content host (someone who has control over a website) that some material submitted by an external user on their site is unlawful, harmful or otherwise objectionable. The online content host must then make a choice:

  1. Remove the content and thereby qualify for immunity from civil or criminal action.
  2. Leave the content up and be exposed to civil or criminal liability.

The content host has to make its own determination about whether a piece of given content is unlawful (which may be very difficult when it comes to subjective issues such as defamation and impossible to determine when it concerns legal suppression), harmful or "otherwise objectionable".

Furthermore, there is:

  • No oversight of the process from any judicial or other agency.
  • No requirement for the content host to tell the person who originally posted the content that it has been deleted.
  • No provision for any appeal by the content host or the person who originally posted the material.
  • No penalty for people making false or unreasonable claims.

We can safely assume that most content hosts will tend to play it safe, especially if they're large corporates with risk-averse legal teams, and will take down material when requested. They have nothing to gain and plenty to lose by leaving complained-about material online.

Serious ramifications for freedom of speech

Don't like what someone has said about you online? Send in a complaint and wait for it to be taken down.

This applies to comments on blogs, forums on auction sites, user-supplied content on news media sites, etc, etc. These are exactly the places where a lot of important speech occurs including discussions about politics and the issues of the day. The debates can often be heated, and some sites are well known for encouraging intemperate speech, but these discussions are becoming an increasingly important part of our national discourse.

This law will make it too easy for someone to stop arguing and start making complaints, thereby suppressing the freedom of expression of those they disagree with.

The jurisdiction problem

Of course, this will only apply to websites that are controlled by people who have a legal presence in New Zealand. Overseas websites will continue to maintain their own rules and ignore New Zealand law and standards of online behaviour.

Conclusion

As currently written, these safe harbour provisions are just a bad idea. They're too open to abuse and we believe they're more likely to be used to suppress acceptable speech than to eliminate harmful or "otherwise objectionable" speech. As a very minimum, the complaint should have to be approved by the Approved Agency referred to in the other parts of the Bill.

That said, the whole idea of removing "otherwise objectionable" speech is also quite worrying. The Harmful Digital Communications Bill already has an expansive set of rules about what sort of harmful speech shouldn't be allowed online and this "otherwise objectionable" seems to extend it even further. One of the principles we stand up for here is that civil liberties such as freedom of expression are as important online as they are offline, and this law goes far beyond anything in the offline world.

We hope to have more comment and analysis on other aspects of the Harmful Digital Communications Bill soon.