- Can the Police also search your mobile phone or other smart device if you're arrested?
- Can the Police force you to unlock it if it is secured by a password or fingerprint?
We asked the Police and while the answers aren't as in-depth as we'd like, we thought we'd share what we got combined with our own analysis.
Firstly, if the Police can legally search you (they have a warrant, you're in the vicinity of a legal search being executed, you're suspected of being involved in certain classes of crime, etc), section 125(1)(l) of the Search & Surveillance Act explicitly allows them to search your phone or other data device.
Furthermore, section 130 of that Act can be used to compel assistance (i.e. you must unlock it) if they are doing a legal search. Note that the "no self incrimination" clause is generally understood to refer to the information used to unlock, not the information that is revealed by being unlocked.
The Police also have access to a range of tools used to access the information on such devices. In 2013 the Police Electronic Crime Group searched 1309 mobile phones and other devices. This number doesn't include any searches at the District level (stats are not recorded) or by officers on the street persuading people to let them examine their phone.
Secondly, section 88 allows the Police to do a warrantless search of someone who has been arrested if they have reasonable grounds to believe that they have a thing that may be used to harm someone, be used to escape, or may contain "evidential material relating to the offence in respect of which the arrest is made".
It would seem that this clause would allow the Police a large amount of leeway to come up with some vaguely plausible explanation as to why they need to search your digital device if you're arrested. e.g. they could require the information on it to track your movements or who you communicated with before you were arrested.
From our brief analysis, supported by the information from the Police, it seems that the NZ Police can upon arrest:
- Search your mobile phone or other electronic device if they can formulate a plausible reason to do so.
- Oblige you to unlock it.
Does anyone have a counter view?
How long can the Police hold the data for?
Who can they share the data with?
What limits as to reasonableness will the judiciary impose when it comes up in court?
The TICS Bill (Telecommunications Interception Capability and Security), a partner to the GCSB Bill that has already been passed, is progressing through Parliament. See our round-up of articles about the Bill.
The Bill has been modified twice:
- The Bill as reported back (PDF) by the Law & Order Select Committee on 19/9/2013.
- A supplementary order paper added by the government on 15/10/2013.
The government has also provided two further documents:
- A comparison of the original 2004 TICA law and the TICS Bill (PDF).
- An infographic showing how law enforcement interacts with the interception requirements.
As reported back by the select committee
The Law & Order Select Committee made a number of minor changes to the Bill. Many of the changes are tweaks to the drafting that have no substantive effect, while others are minor technical changes to improve clarity or streamline procedures.
Even those that do attempt to make changes are fairly weak. E.g. the Director of the GCSB will now have the duty to make decisions about network security "as soon as practicable".
There are no substantive changes worth reporting.
Supplementary order paper 366
As reported in the press release from Amy Adams, the SOP makes the following changes:
- Clause 39, allowing the Minister to forbid the resale of a foreign service that doesn't allow interception, has been removed. This is a good change as the clause was basically unusable - no one really thought that the Minister was going to, for example, ban the sale of Apple products in NZ.
- The GCSB's oversight of network providers has been further cleaned up in an attempt to make it workable, and the Minister can now make regulations about the timeframes for decisions.
- The press release says "it is also proposed to narrow the scope of the matters that must be notified to the GCSB, reducing compliance costs for network operators". The words "any change" have now been replaced by "any change to the architecture", which would mean that minor changes would not have to be notified. However, the word "acquisition" has been added alongside procurement, thus extending the scope to systems that have not been through the normal procurement process (i.e. developed in-house or using free software).
- Adds an additional step before the Minister can make a direction to a network provider about how they should run their business. The Commissioner of Security Warrants will now be required to carry out their own analysis of the GCSB's risk assessment. The Minister will also have to take into account any cost or competition implications for the network provider.
- Acknowledges that some foreign-based service providers will not be able to provide assistance as required in clause 24 due to their own laws.
Tech Liberty comment
The changes to the Bill are largely tweaks designed to improve how the bill works rather than the product of any rethinking of what the government should or shouldn't be doing. Even the removal of section 39, which allowed the minister to ban the resale of foreign services, is fairly irrelevant as that part of the law was unworkable anyway.
There is no evidence that the revelations about the extent of government spying in our intelligence allies, the USA and UK, have had any impact on the TICS Bill which is still mainly concerned about making sure that all electronic communications in New Zealand can be exposed to government scrutiny.
The government is also still pressing on with their intention of giving the GCSB overarching control of New Zealand's voice and data networks. Again there have been some minor changes and shifts in emphasis, but network providers will still be obliged to get GCSB permission to expand or modify their communications infrastructure. The government claims that this is about improving security but it is also clearly about maintaining the ability of the Police, SIS and GCSB to spy on New Zealanders. How the GCSB will handle the tension between surveillance and security is yet to be seen.
One interesting element that hasn't changed is section 10(3) which obliges a network provider to decrypt a telecommunication where the network operator has provided that encryption. A number of submitters said that this was unclear - what about services such as Mega or LastPass that provide the encryption but don't have access to the key as it chosen by the user? The clause could be read to say that this was no defence and that the network operators would have to engineer in security backdoors or risk being fined. The government's decision not to clarify this would seem to indicate that this is the intention.
We believe that changes in technology mean we need to rethink surveillance, search warrants and interception. We also fear that the cold war heritage of our security services unreasonably influences their thinking and their operations.
We support the idea of an inquiry into our intelligence services to ensure that what they do and how they do it are in the best interests of New Zealanders. We also support the idea that just because something is technically possible, it doesn't necessarily mean that we should do it. There needs to be limits on surveillance to protect important rights, such as freedom of expression and freedom of association.
We have started our own project to develop a set of suitable laws and safeguards for surveillance and spying in New Zealand. Informed by the principles at Necessary and Proportionate, we want to come up with some solutions to the hard questions that we're all being confronted with. Please contact us if you'd like to be involved in this effort.
Text of Thomas Beagle's speech to the Urgent Public Meeting to Oppose the GCSB Bill held in Auckland, 25th July, 2013. (Or watch video of all of the speeches.)
I’m from Tech Liberty. We’re a group dedicated to defending civil liberties in the digital age. I want to start by explaining what that means in the context of this bill.
Text of our submission to the Law and Order Select Committee re the Telecommunications (Interception Capability & Security) Bill.
I represent Tech Liberty, we’re a group dedicated to defending civil liberties in the digital age.
In general we support the ability of the government to have interception capabilities on telecommunications where possible, when those interception capabilities have suitable oversight and control. However we fear that technological development is slowly making this lawful intercept regime increasingly irrelevant.
We’ll be addressing this and some other elements of the first two parts of the bill, before talking about the proposal to make the GCSB responsible for cyber security in New Zealand.
There have recently been a number of revelations about the US government spying on its citizenry and other people around the world (a good summary). Many people have been shocked to find out the extent of the US's spying and access into theoretically private systems.
What many New Zealanders don't realise is that the NZ government is currently changing both the GCSB Act of 2003 and the Telecommunications Interception Capability Act of 2004 to allow similar levels of access to New Zealand communications for the GCSB (Government Communications Security Bureau).
The current TICA law already gives the GCSB, Police or SIS the technical capability to intercept all NZ communications if they have a valid warrant.
The GCSB can get warrants to spy on the communications of foreign people and organisations, although they can spy without a warrant if it doesn't require the installation of any device (e.g. wireless/satellite/radio/mobile).
TICS - Telecommunications Interception Capability and Security Bill
The new TICS Bill clarifies and expands on these interception capabilities. It also allows them to be extended to service providers (people who offer "goods, services, equipment, and facilities that enable or facilitate telecommunication") such as email providers, Trademe forums, Mega, etc.
TICS continues the existing regime where these interception powers can only be accessed with a valid warrant, but keep reading for the new exceptions to this in the GCSB Bill.
Furthermore, the TICS Bill also creates a new role for the GCSB, ensuring the security of New Zealand's telecommunications infrastructure. This includes wide powers of oversight and control of how communications networks are managed and implemented in order to "protect New Zealand's national security or economic wellbeing".
GCSB - Government Communications Security Bureau and Related Legislation Amendment Bill
The new GCSB Bill gives the GCSB three purposes (we'll come back to these):
- 8A - Information assurance and cybersecurity. (Expanded from protecting government communications to a much wider responsibility for New Zealand's communications.)
- 8B - Intelligence gathering, analysis and sharing. (Similar to the existing law except that it adds "gathering information about information infrastructures" to the existing spying on foreign people/organisations.)
- 8C - Helping the Police, SIS and Defence Force by providing advice and assistance in helping them execute their own legally obtained warrants. (This is entirely new.)
The bill doesn't significantly change how the GCSB can apply for an interception or search warrant, but it does add a whole new class of "access authorisation". To quote section 15A(1)( b)
The Director may apply in writing to the Minister for the issue of an access authorisation authorising the accessing of 1 or more specified information infrastructures or classes of information infrastructures that the Bureau cannot otherwise lawfully access.
These authorisations are granted at the whim of the Minister (although see below) and are incredibly wide-ranging and open-ended. There are no recommendations of limits (other than what the Minister sees fit to impose) and there is no automatic expiry. And just in case you thought that the TICA/TICS law might provide some protection, the GCSB Bill goes on to add section 15A(5):
This section applies despite anything in any other Act.
Most importantly these new access authorisations can be used for purpose 8A (cybersecurity) as well as 8B (information gathering). As paragraph 36 of the Regulatory Impact Statement explains: "an amendment will also be required to allow the GCSB to see who (namely NZ individuals and companies) is being attacked". That is to say, the GCSB believes that it needs to be able spy on New Zealanders to maintain ther security. Based on what we know from recent reports in GCSB activities, we assume that the GCSB particularly intends to collect communications metadata (i.e. who speaks to who, when and how often but not what they say).
If you had any doubts about whether this applies to NZ communications, section 15B then further clarifies that for any access authorisations "for the purpose of intercepting the private communications of a New Zealand citizen or permanent resident of New Zealand under section 8A (cybersecurity)" the authorisation must be approved by the Commissioner of Security Warrants as well as the Minister.
And finally if you were hoping that section 14, which controls the ability of the GCSB to target New Zealanders would provide any protection, this only applies when the GCSB is performing duties under section 8B (intelligence gathering) and not section 8A (cybersecurity).
Putting it all together
The GCSB believes it needs to monitor the communications of New Zealanders in order to ensure that it can protect them from attacks.
TICA and TICS establish the technical capability for the GCSB to spy on any communications, subject to the limits in that law and the GCSB Act.
A section 15A(1)(b) access authorisation can give GCSB power to access any communications system it wants for the purpose of spying or information security, irrespective of any legal controls in any other law. This will allow it access to the facilities provided by TICS/TICA.
The GCSB will be spying on New Zealanders.
These new laws are not some minor adjustments to the work of the GCSB and how interception works. They are not just about letting the GCSB provide technical assistance to the Police, SIS and Defence Force.
While people in the USA are getting upset about the revelations of the extent of NSA spying there, these new laws give the GCSB far greater control of New Zealand communications networks, and practically unlimited capacity to intercept New Zealand communications.
These new laws are the point at which New Zealand switches from being a society that investigates "bad guys" subject to judicial oversight, to being a surveillance state where the government is always watching and recording everyone just in case they're thinking about doing anything wrong.
We don't want to live in that society. We believe that these new laws contravene the right in the NZ Bill of Rights to be free from unreasonable search and seizure, and will have a chilling effect on the rights to free expression and freedom of association.
We think that these laws need to be stopped.
We've been keeping track of the Police use of new surveillance and tracking technology. We asked them what they've been doing with drones and here are the more interesting/informative answers (Police letter, 19th February 2013):
- The Police currently have one aerial drone.
- They don't have a specific budget for it and claim not to know how much they've spent on it so far.
- They say that they can use it for tracking people and cars but promise to do it in accordance with the Search & Surveillance Act. We note that our interpretation of this says that they need a tracking warrant to use an electronic tracking system but we don't know if the Police agree with this.
- The Police believe that their current policy concerning video recording operations and events also covers their use of drones.
- The Police have been contacted by the Privacy Commissioner re their use of drones and will be meeting with them soon.
- The Police expect their drone trials to finish by the end of 2013.
You may also wish to read this article about drones by David Beatson at NZ Pundit.
We're going to be following up to get more information. If there's any questions you want asked, please leave them in the comments.
One of the most common topics of the emails we receive at Tech Liberty is the placement of video cameras. People worry about them where they work, in the street, and on their neighbour's properties.
This guest post is from Yuri Wierda, a licensed security consultant, and he's concerned about the increasing popularity of security cameras in public toilets:
I have personally refused to install cameras in toilets and have talked a few clients out of doing it. I believe cameras in toilets are immoral and may be illegal. Part of my responsibility when advising people on security is ensuring that they themselves don't break the law.
The argument for cameras in toilets has been that it reduces vandalism.
While there may be signs advising people that there is a camera I do not believe that it justifies it or complies legally. There are several situations where signs will not provide informed consent.
- Someone may get changed in the toilet and not see the sign.
- Someone may be blind or illiterate.
- Someone may be intellectually disabled.
- Children may be visiting the toilet unaccompanied.
This creates several privacy and legal issues:
- The intellectually disabled and children CANNOT legally provide consent to being filmed in the nude or partly clothed. Toilets are places where people adjust their clothing and may be partially clothed. Children and intellectually disabled people will not expect there to be a camera filming them. Filming such an event is illegal (s216G to s216N of the Crimes Act) and potentially can (and should) result in serious criminal charges.
- People who have not seen the sign or were unable to read it cannot provide informed consent.
I am appalled that the police has provided advice that it is not illegal.
See update at end of post.
We've been keeping an eye on the NZ Police trials of ANPR (automated number plate recognition - read our explanation).
The main civil liberties issue with this technology is that the system stores the time and location of the license plate check. Once enough of these systems are deployed they can be used to track people by following vehicle movements, as is being done by a number of other countries. We believe that, at a minimum, there should be some controls on how this data is stored and used, for example by having to apply for a tracking warrant.
The Police themselves have been sending out mixed messages about whether they're keeping the information and whether they'll be using it for tracking, as documented by our article. At the end of that article we said we were seeking further clarification from the Police.
Police confirm they're not keeping ANPR data for tracking
We have now received a letter (PDF) from Superintendent Carey Griffiths in which he explains:
All three patrol cars and one of the vans have the capacity to store information for up to a two or three day period depending upon operational use. In general the information is not stored for any longer than a shift period which can vary from an eight hour to a ten hour shift.
One of the [two] vans has a system known as BOSS ( Back Office System Software) and this system has the capability to store information for a longer period ... The BOSS system settings have recently been amended, and the information is now only stored for a maximum of 48 hours.
It seems clear from this that the Police will not be keeping the ANPR data.
Police believe they can't track without a warrant
Furthermore, Superintendent Griffiths goes on to say that:
Police considers that with so few cameras, the technology cannot be used to "track" vehicles. In any event, Police cannot track vehicles other than in accordance with the Search & Surveillance Act 2012.
This contrasts strongly with what the Police said in a letter from December 2011:
There is no requirement for police to apply for a warrant for any ANPR information as it is gathered in a public place.
This change in attitude is quite interesting. The Search & Surveillance Act only refers to getting a warrant for tracking when it involves the use of a tracking device (s46). We initially took this to refer to getting a warrant to allow the installation of a "bug" on the car or person to be tracked.
However, tracking device is defined as "a device that may be used to help ascertain, by electronic or other means ... the location of a thing or a person".
Could one define an ANPR system as a tracking device and would the Police then have to get a warrant to use it to track people? It seems that the Police now think it would. The same argument would also seem to apply to using mobile phones to track people.
In our opinion this interpretation would fit in both with the purpose of the Act and the requirements in a civil society for oversight of the use of this type of mass surveillance.
We're pleased that the Police are not attempting to implement the sort of pervasive people/vehicle tracking systems that are becoming popular in some overseas jurisdictions. We do not think that this sort of police state behaviour has any place in a free and democratic New Zealand.
Furthermore, after some problems with illegal surveillance in recent years, it's good to see that the Police are taking their responsibilities under the Search & Surveillance Act seriously.
We will continue to monitor the Police use of ANPR technology and look forward to receiving copies of the assessment from the Privacy Commissioner and the final Police report into their test ANPR deployment.
Update 5th August 2013
The Police have announced they will be deploying new red-light and speed cameras. We asked them if these new cameras would support ANPR. Their response:
There are no current plans to deploy either digital red-light cameras or speed cameras that support Automatic Number Plate Recognition.