We've been watching the introduction of RealMe with some concern. While it appears that they have done some serious thinking around privacy, there are some real issues around unified online identities that have not been sufficiently discussed.
This introductory article talks about what RealMe is and then asks some questions about how it might be used.
What is RealMe?
RealMe is a government sponsored online identification service. In their own words: "RealMe lets you easily and securely prove your identity online, plus access lots of online services with a single username and password."
It's a renamed version of the iGovt scheme originally set up by the Department of Internal Affairs. it's now run by a combination of the Department of Internal Affairs and NZ Post (a state owned enterprise). The major enabling legislation for RealMe is the Electronic Identity Verification Act (2012).
The aim is that your verified RealMe identity will provide enough assurance that you are who you say you are that governments and commercial organisations will be able to provide products and services online that require the most stringent forms of identification such as passports, bank accounts, student loans and so on.
It's of particular appeal to financial institutions because of their new responsibilities to identify who they're dealing with after the passing of the Anti Money Laundering and Countering Financing of Terrorism Act. Both the BNZ and TSB Bank are now using RealMe with others expected to follow. Here's the full list of organisations using it.
At the end of February 2013 there were 853,100 iGovt logins (although some people had more than one).
We've heard that implementing RealMe within an organisation is both complex and expensive. There is a significant amount of software development that the organisation is required to do, plus RealMe does its own testing to ensure that standards have been met.
Ongoing costs are based on the number of transactions (typically new identifications, RealMe is not necessarily involved once the identity of the person is established the first time). RealMe refused to release details of the pricing, claiming it is commercially sensitive.
Privacy and data management.
There's no doubt that the people who created the system did it with the best of intentions and it seems they've taken privacy needs into account. One important point is that two organisations using RealMe can't share data about a person unless the person has explicitly giving them permission to do so.
However, we have to assume that this will not always be the case. It seems highly likely that at some point the IRD will get a law change to enforce access - we all want to make sure people aren't cheating the tax system, right? And it makes sense that companies might start insisting on you sharing information, in the same way that health insurance companies currently demand access to your health records. You can refuse but then they won't provide services to you.
It's also easy enough for the Police, SIS and GCSB to be able to use the powers granted by their respective laws to access any person's information across systems as well.
A digital identity card
It seems clear that RealMe is rapidly becoming a digital identity card. It's already not voluntary for a number of people who want to access some services such as Studylink. As more government departments and commercial organisations start requiring it, having a verified RealMe identity is rapidly going to become a requirement.
NZ and Australia both rejected the idea of a non-digital national identity card in the 1980s. There were significant public campaigns against them and the proposals were defeated. So far there's been no outcry against this new form of digital identity card.
Of course, there were different attitudes then. In those days the very idea of government departments sharing data about people was highly contentious due to fears that the government might snoop too much or would abuse its power. Now data sharing between govt departments is commonplace and expected. RealMe is going to enable more and better data sharing, with increased confidence about the identity of the people they're sharing information about.
But the bigger issue is - what does it mean to have one verified identity that's used for everything?
Do we actually want to use the same identity for dealing with the government, your bank, Trademe and a variety of social media sites? Will there be increasing pressure to use your 'official' identity everywhere? We see advantages in being able to present different faces to people - to the people you work with, your parents, your children, your friends, your community. Is this under threat?
We already know that the world has problems with governments over-surveilling people on the internet. We fear that this surveillance already has a chilling effect on democratic dissent. Will improving it by forcing use of a single identity and further enabling data matching be worth the gains?
What does robust and pervasive online identification enable? How will these services be used in 5, 10 or 20 years time?
For example, one of the big problems with law on the internet is proving just who did something. You can trace a downloaded file to an IP address but you don't know which person there actually did the copyright infringing download. Or maybe you want to find out who anonymously published the suppressed name of the accused in a trial.
A government of the future might look at these problems and decide that internet use should be keyed to your RealMe identity, thus undermining anonymity on the internet. It wouldn't be a trivial task but it's also not impossible and would enable the government of the day to track everything you do on the internet. We don't believe that the government needs this power and we see this level of mass surveillance as a threat to our privacy and our democracy.
RealMe has some real advantages - verified identities will make it easier for people to access government and commercial services online, helping us realise some of the promises of the internet revolution. But we're concerned about measures that increase government power over people and we fear that RealMe might be one of those measures.
Over the next few months we're planning to explore some of the issues around RealMe. In particular, we want to answer the following two questions:
- Is RealMe a threat to our liberty now or in the future?
- If so, how can we mitigate it so that we get the benefits without the costs?
Your ideas and contributions would be welcome.
The Harmful Digital Communications Bill has been reported back and the select committee has made a few changes.
The Bill has added the definition of IPAP (Internet Protocol Address Provider - roughly an internet service provider) from section 122A(1) of the Copyright Act and then in section 17(2A) gives the District Court the ability to order an IPAP to release the identity of an anonymous communicator to the court. Of course, this would only reveal the name of the person who owns the internet account that was used and not the name of the person who used it, so the utility of this will be limited.
The Approved Agency (still unnamed, still expected to be Netsafe) would be subject to the Ombudsmen Act, the Official Information Act and the Public Records Act in respect of the functions performed under the bill. This is a welcome change as it's important that any agency performing state functions is covered by the bills that help provide proper oversight.
There have also been minor changes allowing the courts to vary orders made previously, clearing up which teachers can apply on behalf of pupils, and allowing threats to be treated as possible grounds for an order to be made.
Safe harbour improvements
The major change has been to the section 20 Safe Harbour provisions of the Bill that were dumped into the previous version at the last minute.
The original proposal was terrible - content hosts (pretty well anyone who allows the public to submit comments such as on a blog or forum) would be protected from legal action if they removed material immediately after receiving a complaint. It was obvious that this would be abused by those trying to silence people who they disagreed with.
The good news is that some complaints will be changed from "takedown on notice" to "notice and notice". This means that upon receiving a complaint, the content host will forward it to the original author of the complained about material (i.e. the person who wrote the comment). If the author agrees or doesn't respond, the material will be taken down, but if they disagree with the complaint the material will be left up - and the content host will still be protected from legal action under the safe harbour.
However, this does not apply when the original author cannot be identified (or if the author either doesn't want to respond or can't respond within the 48 hour time limit). Indeed, the phrasing of the act reads as if content hosts must remove material when in reality they only need do so if they wish to be protected by the safe harbour provisions.
Disturbingly a number of other suggested improvements were not picked up by the select committee. In particular we supported the ideas that complainants should have to make their complaint a sworn statement and that complainants would have to have been harmed by the material themselves.
So while this is a significant improvement, we still fear that these provisions will be abused by serial complainers, internet busybodies and those who want to suppress their "online enemies" by any means possible.
What hasn't changed
What's more serious is what hasn't changed. You can read our articles and submissions to see our full critique of the Bill but there are three points we wish to mention.
Firstly, the Bill sets a different standard for the content of speech online and offline. While we do understand that online communications might require a different approach in available remedies, we firmly believe that the standard of speech should be the same. We note that the internet isn't only for "nice" speech, it's increasingly the place where we all exercise the freedom of expression guaranteed to us by the NZ Bill of Rights Act.
Secondly, rather than fixing the horribly broken section 19 - causing harm by posting digital communication - the penalties have been increased. This section completely fails to recognise that some harmful communications have real value to society. For example, the idea that someone might be fined or jailed because they harmed a politician by posting online proof that the politician was corrupt is just horrendous. We honestly believed that the lack of a public interest or BORA test was a mistake but it seems that the Select Committee really does want to criminalise all harmful online speech. This neutered and ineffectual internet is not one we wish to see.
Thirdly, we worry that the bill will be ineffectual where it might be needed most while being most effective where it's most problematic to civil liberties. Many of the example harms mentioned in the original Law Commission report would not be helped by this Bill - they happen overseas, or they happen too fast, or the people being harmed are just too scared to tell anyone anyway. The Approved Agency will be able to do a lot in the cases where anything can be done, but we're not convinced of the need for the more coercive elements of the Bill.
There is no doubt that some people are being harmed by online communications. There is definitely a good argument to be made that the government could do something useful to help those people. We're not convinced that the approach taken by the Law Commission and the Government is effective and we're quite sure that it includes a number of unreasonable restrictions on the right to freedom of expression guaranteed to us all by the NZ Bill of Rights Act.
It seems inevitable that the Bill will be passed in its current form if there's time before Parliament closes for the elections. We can but hope that a future government will repeal it and have another go.
As part of our ongoing look at elements of the Harmful Digital Communications Bill (general critique and safe harbours), we now turn to the new offence of causing harm by posting digital communication (section 19). This is a criminal offence and is not related to the rest of the bill with its 10 principles, Approved Agency and quick-fire District Court remedies. It's quite simple:
(1) A person commits an offence if:
- the person posts a digital communication with the intention that it cause harm to a victim; and
- posting the communication would cause harm to an ordinary reasonable person in the position of the victim; and
- posting the communication causes harm to the victim.
"harm" is defined in the interpretation section as "serious emotional distress".
Unfortunately this new offence is actually very wide and may well capture many communications that are of immense value to society - or at least shouldn't be made illegal.
Let's consider the case where someone takes a photo of a politician receiving a bribe and, shocked at their corruption, posts that photo to the internet. This communication would:
- be posted with the intention of harming the victim (the prospect of facing criminal charges or being obliged to resign could be assumed to cause the victim distress).
- would cause harm to any reasonable person in the position of the victim (any reasonable person would not like having evidence of their criminal corruption exposed to the world).
- could be easily proved to have caused harm (serious emotional distress) to the victim.
The penalty? Up to 3 months in jail or a fine not exceeding $2000.
In section 19(2) the judge gets some guidelines about how to assess whether the communication causes harm, but nowhere is there the idea that some communications that cause harm might actually have some societal value or would otherwise come under freedom of expression. There are no available defences such as that the communication may be in the public interest, counts as fair comment, or exposes criminal wrongdoing.
And just in case you thought that whether the communication is true or not should matter, section 19(4)(a) clarifies that "...or otherwise communicates by means of a digital communication any information, whether truthful or untruthful, about the victim;"
This is obviously a terrible law and will have a detrimental effect on freedom of expression and public discourse in New Zealand. How will our journalists and citizen journalists be able to expose wrong doing when broadcasting it on electronic media such as the internet, radio or TV is a criminal act if it hurts the wrong-doer's feelings?
This law wouldn't be acceptable if it applied to speech in a newspaper, it's not acceptable online.
Section 19 isn't complete worthless - it also criminalises the communication of "intimate visual recordings" in an attempt to harm someone. This seems worth keeping but the parts of section 19 concerning speech need to be either removed or significantly modified to protect freedom of expression.
The safe harbour provisions in the Harmful Digital Communications Bill are a serious threat to online freedom of speech in New Zealand.
How it works
Anyone can complain to an online content host (someone who has control over a website) that some material submitted by an external user on their site is unlawful, harmful or otherwise objectionable. The online content host must then make a choice:
- Remove the content and thereby qualify for immunity from civil or criminal action.
- Leave the content up and be exposed to civil or criminal liability.
The content host has to make its own determination about whether a piece of given content is unlawful (which may be very difficult when it comes to subjective issues such as defamation and impossible to determine when it concerns legal suppression), harmful or "otherwise objectionable".
Furthermore, there is:
- No oversight of the process from any judicial or other agency.
- No requirement for the content host to tell the person who originally posted the content that it has been deleted.
- No provision for any appeal by the content host or the person who originally posted the material.
- No penalty for people making false or unreasonable claims.
We can safely assume that most content hosts will tend to play it safe, especially if they're large corporates with risk-averse legal teams, and will take down material when requested. They have nothing to gain and plenty to lose by leaving complained about material online.
Serious ramifications for freedom of speech
Don't like what someone has said about you online? Send in a complaint and wait for it to be taken down.
This applies to comments on blogs, forums on auction sites, user-supplied content on news media sites, etc, etc. These are exactly the places where a lot of important speech occurs including discussions about politics and the issues of the day. The debates can often be heated, and some sites are well known for encouraging intemperate speech, but these discussions are becoming and increasingly important part of our national discourse.
This law will make it too easy for someone to stop arguing and start making complaints, thereby suppressing the freedom of expression of those they disagree with.
The jurisdiction problem
Of course, this will only apply to websites that are controlled by people who have a legal presence in New Zealand. Overseas websites will continue to maintain their own rules and ignore New Zealand law and standards of online behaviour.
As currently written, these safe harbour provisions are just a bad idea. They're too open to abuse and we believe they're more likely to be used to suppress acceptable speech than to eliminate harmful or "otherwise objectionable" speech. As a very minimum, the complaint should have to be approved by the Approved Agency referred to in the other parts of the Bill.
That said, the whole idea of removing "otherwise objectionable" speech is also quite worrying. The Harmful Digital Communications Bill already has an expansive set of rules about what sort of harmful speech shouldn't be allowed online and this "otherwise objectionable" seems to extend it even further. One of the principles we stand up for here is that civil liberties such as freedom of expression are as important online as they are offline, and this law goes far beyond anything in the offline world.
We hope to have more comment and analysis on other aspects of the Harmful Digital Communications Bill soon.
The TICS Bill (Telecommunications Interception Capability and Security), a partner to the GCSB Bill that has already been passed, is progressing through Parliament. See our round-up of articles about the Bill.
The Bill has been modified twice:
- The Bill as reported back (PDF) by the Law & Order Select Committee on 19/9/2013.
- A supplementary order paper added by the government on 15/10/2013.
The government has also provided two further documents:
- A comparison of the original 2004 TICA law and the TICS Bill (PDF).
- An infographic showing how law enforcement interacts with the interception requirements.
As reported back by the select committee
The Law & Order Select Committee made a number of minor changes to the Bill. Many of the changes are tweaks to the drafting that have no substantive effect, while others are minor technical changes to improve clarity or streamline procedures.
Even those that do attempt to make changes are fairly weak. E.g. the Director of the GCSB will now have the duty to make decisions about network security "as soon as practicable".
There are no substantive changes worth reporting.
Supplementary order paper 366
As reported in the press release from Amy Adams, the SOP makes the following changes:
- Clause 39, allowing the Minister to forbid the resale of a foreign service that doesn't allow interception, has been removed. This is a good change as the clause was basically unusable - no one really thought that the Minister was going to, for example, ban the sale of Apple products in NZ.
- The GCSB's oversight of network providers has been further cleaned up in an attempt to make it workable, and the Minister can now make regulations about the timeframes for decisions.
- The press release says "it is also proposed to narrow the scope of the matters that must be notified to the GCSB, reducing compliance costs for network operators". The words "any change" have now been replaced by "any change to the architecture", which would mean that minor changes would not have to be notified. However, the word "acquisition" has been added alongside procurement, thus extending the scope to systems that have not been through the normal procurement process (i.e. developed in-house or using free software).
- Adds an additional step before the Minister can make a direction to a network provider about how they should run their business. The Commissioner of Security Warrants will now be required to carry out their own analysis of the GCSB's risk assessment. The Minister will also have to take into account any cost or competition implications for the network provider.
- Acknowledges that some foreign-based service providers will not be able to provide assistance as required in clause 24 due to their own laws.
Tech Liberty comment
The changes to the Bill are largely tweaks designed to improve how the bill works rather than the product of any rethinking of what the government should or shouldn't be doing. Even the removal of section 39, which allowed the minister to ban the resale of foreign services, is fairly irrelevant as that part of the law was unworkable anyway.
There is no evidence that the revelations about the extent of government spying in our intelligence allies, the USA and UK, have had any impact on the TICS Bill which is still mainly concerned about making sure that all electronic communications in New Zealand can be exposed to government scrutiny.
The government is also still pressing on with their intention of giving the GCSB overarching control of New Zealand's voice and data networks. Again there have been some minor changes and shifts in emphasis, but network providers will still be obliged to get GCSB permission to expand or modify their communications infrastructure. The government claims that this is about improving security but it is also clearly about maintaining the ability of the Police, SIS and GCSB to spy on New Zealanders. How the GCSB will handle the tension between surveillance and security is yet to be seen.
One interesting element that hasn't changed is section 10(3) which obliges a network provider to decrypt a telecommunication where the network operator has provided that encryption. A number of submitters said that this was unclear - what about services such as Mega or LastPass that provide the encryption but don't have access to the key as it chosen by the user? The clause could be read to say that this was no defence and that the network operators would have to engineer in security backdoors or risk being fined. The government's decision not to clarify this would seem to indicate that this is the intention.
We believe that changes in technology mean we need to rethink surveillance, search warrants and interception. We also fear that the cold war heritage of our security services unreasonably influences their thinking and their operations.
We support the idea of an inquiry into our intelligence services to ensure that what they do and how they do it are in the best interests of New Zealanders. We also support the idea that just because something is technically possible, it doesn't necessarily mean that we should do it. There needs to be limits on surveillance to protect important rights, such as freedom of expression and freedom of association.
We have started our own project to develop a set of suitable laws and safeguards for surveillance and spying in New Zealand. Informed by the principles at Necessary and Proportionate, we want to come up with some solutions to the hard questions that we're all being confronted with. Please contact us if you'd like to be involved in this effort.
The GCSB Bill has now been passed by Parliament.
Next up is the Telecommunications (Interception Capability and Security) Bill also know as the TICS Bill. This is an update of the Telecommunications (Interception Capability) Act (2004) that forced communications providers (ISPs, telcos, data networks, etc) to provide "lawful intercept" capabilities so that the Police, SIS and GCSB could access communications once they had a suitable warrant. The new bill expands and clarifies these requirements.
However, the addition of the word "security" is the key to what has changed. The new bill now gives the GCSB sweeping powers of oversight and control over the design, deployment and operation of all data and telecommunications networks run by network providers in New Zealand. The stated reasons are to both protect New Zealand's infrastructure and to ensure that surveillance agencies can spy on traffic when required. As part of this, the GCSB will have the power to stop network providers from reselling overseas services that do not provide these capabilities.
The bill has passed the first reading and is expected to be reported back from the Law & Order Select Committee on the 20th of September.
Tech Liberty articles
We've written about this bill and also made a written and oral submission to the Law and Order Select Committee. Here's a list of our articles in publication order:
- Govt proposes GCSB control over NZ communications in new TICS Bill
- Does the TICS Bill really give the GCSB control and oversight of NZ telecommunications?
- GCSB’s new powers for wide-spread spying on New Zealanders
- Will the GCSB ban Apple from New Zealand?
- Tech Liberty written submission
- Tech Liberty oral submission
Other articles worth reading
- Submissions to the Law & Order Select Committee.
- The NBR's Chris Keall writes about TICS's protectionist twist.
- Vikram Kumar writes about secret Ministerial orders.
- Vikram Kumar, disappointed by telco submissions, asks whether ISPs should be privacy crusaders.
- Vikram Kumar - The duty to assist.
- Vikram Kumar - Service provider's view of the TICS Bill jackboot.
- Human Rights Commission's Report to the Prime Minister re the GCSB and TICS Bills (PDF).
- Internet NZ's submission to the Law & Order Select Committee and their prepared remarks for the oral submission.
- Ian Apperly writes about the cost of the TICS Bill to NZ's IT industry.
- Ian Apperly - Why the TICS Bill could put NZ ICT companies out of business.
- Microsoft's submission warns that the TICS Bill is a threat to the industry and may lead to a withdrawal of services.
- Paul Brislen - intercept bill takes a cavalier approach to privacy.
There's been a lot of confusion in the media recently about how much the GCSB will be able to spy on New Zealanders when the GCSB Bill passes.
When even Peter Dunne gets it badly wrong in the "Ask Me Anything" article he did in the National Business Review (see q4 from Rick Shera), claiming that they could only spy on NZers on behalf of the Police/SIS/NZDF, we thought we should clear some things up by looking at the legislation.
Spying on behalf
Firstly, everyone agrees that section 8C of the Bill will allow the GCSB to spy on New Zealanders on behalf of the SIS, Police or NZ Defence Force. This is the "giving assistance" part and it appears to be limited to only doing things that the original agency would have the legal authority to do.
Recent changes include more clarity about the GCSB's assistance being subject to the originating agency's oversight (e.g. the Independent Police Complaints Authority for work performed for the Police) and requiring any new agencies to be added by legislation rather than by an Order in Council.
GCSB spying on New Zealanders
The GCSB also has the power do its own spying on New Zealanders as part of its new cybersecurity purpose (defined in section 8A). "to do everything that is necessary or desirable to protect the security and integrity of the communications and information infrastructures".
The main interception powers are granted by section 15A and this makes it very clear that both interception warrants and access authorisations can be granted for the GCSB to spy on New Zealanders under purpose 8A (cybersecurity).
Interception warrants vs access authorisations
It's worth explaining the difference between interception warrants and access authorisations. An interception warrant (15A(1)(a)) is granted to spy on:
- one or more specific people or a class of person
- communications made in one or more specific places or classes of place
- communications sent from or to overseas
An access authorisation (15A(1)(b)) allows the GCSB to access a particular or class of "information infrastructure" which is further defined as "electromagnetic emissions, communications systems and networks, information technology systems and networks, and any communications carried on, contained in, or relating to those emissions, systems, or networks".
Therefore an interception warranted is targeted at a person or place (although the targeting can be very, very broad), whereas an access authorisation allows general access to all the information on a particular computer system, network or phone system, or a specified type of all of those systems.
The only difference between those granted for spying on foreigners and those for spying on New Zealanders, is that the ones targeting New Zealanders have to be signed off by the Commissioner of Security Warrants as well as the Prime Minister. The Commissioner is appointed by the Prime Minister.
Doesn't section 14 stop the GCSB spying on New Zealanders?
The new section 14 only stops the GCSB from spying on New Zealanders for purpose 8B (intelligence gathering and analysis). It does not apply to any surveillance done in relation to cybersecurity (purpose 8A) or done on behalf of other agencies (purpose 8C).
The new section 15C does stop the GCSB deliberately intercepting privileged communications (e.g. to your lawyer). However, see note below about incidentally gained intelligence.
Section 16 of the GCSB Act also allows certain forms of spying without a warrant or access authorisation. However, the bill adds section 16(1A) which says that this cannot be done for the purpose of intercepting the communications of New Zealanders. (See the notes below about metadata and incidentally gained intelligence.)
Putting it all together
So what does all this mean?
Most importantly it clearly shows that the GCSB can spy on New Zealanders for its own purposes without doing it on behalf of another agency.
We see that this has been deliberately set up to allow mass surveillance either now or in the future. For example, the GCSB could apply for an access authorisation for access to "New Zealand's mobile networks" and, after being signed off by the Prime Minister and the Commissioner for Security Warrants, they could then use that access authorisation to collect all phone calls, texts and data sent over the mobile networks.
This collected information could then be analysed and the resulting intelligence given to the Minister and any person, whether in New Zealand or overseas, authorised by the Minister (section 8A(c)).
In theory this activity would have to be done as part of their purpose to "protect the security and integrity of the communications and information infrastructures" but we see that this could be interpreted rather widely.
There are also a number of other issues around spying on New Zealanders that we haven't directly addressed in this article:
Metadata - There are a number of places in the bill that put limits on intercepting "private communications", but in the past the GCSB has interpreted that as only including the actual call, not the related data (e.g. when, who, how long, etc). Does this mean that the GCSB still thinks it can collect this metadata without a warrant or access authorisation? The bill is silent on this issue.
Incidentally gained intelligence - when the GCSB does collect information it shouldn't, it can still use that information if it would help prevent or detect serious crime, save lives, or be useful for the security or defence of New Zealand. This is a fairly large loophole in many of the limitations in the Bill.
Access authorisation for the GCSB - section 14 prohibits the GCSB from intercepting NZers private communications for purpose 8B intelligence gathering but they can do so for purpose 8A cybersecurity. Could the GCSB then obtain an access authorisation for access to its own database of already intercepted cybersecurity data for intelligence gathering purposes?
Sharing data overseas - how much of this data can be shared overseas? There appear to be no limits other than that the Minister must approve who it is shared with.
Collecting data from overseas - can the GCSB get data from overseas agencies (e.g. the NSA) that it couldn't legally intercept itself? Can it share data for the purpose of cybersecurity and then be given it back to be used for general intelligence?
What about data that New Zealanders store overseas? - are there different rules for information that New Zealanders store overseas with companies such as Google and Facebook?
Feedback and updates
Think we've got this wrong? Feel free to leave a comment with your interpretation. We'll make any necessary corrections or additions as required.
Text of Thomas Beagle's speech to the Urgent Public Meeting to Oppose the GCSB Bill held in Auckland, 25th July, 2013. (Or watch video of all of the speeches.)
I’m from Tech Liberty. We’re a group dedicated to defending civil liberties in the digital age. I want to start by explaining what that means in the context of this bill.