The TICS Bill (Telecommunications Interception Capability and Security), a partner to the GCSB Bill that has already been passed, is progressing through Parliament. See our round-up of articles about the Bill.
The Bill has been modified twice:
- The Bill as reported back (PDF) by the Law & Order Select Committee on 19/9/2013.
- A supplementary order paper added by the government on 15/10/2013.
The government has also provided two further documents:
- A comparison of the original 2004 TICA law and the TICS Bill (PDF).
- An infographic showing how law enforcement interacts with the interception requirements.
As reported back by the select committee
The Law & Order Select Committee made a number of minor changes to the Bill. Many of the changes are tweaks to the drafting that have no substantive effect, while others are minor technical changes to improve clarity or streamline procedures.
Even those that do attempt to make changes are fairly weak. E.g. the Director of the GCSB will now have the duty to make decisions about network security "as soon as practicable".
There are no substantive changes worth reporting.
Supplementary order paper 366
As reported in the press release from Amy Adams, the SOP makes the following changes:
- Clause 39, allowing the Minister to forbid the resale of a foreign service that doesn't allow interception, has been removed. This is a good change as the clause was basically unusable - no one really thought that the Minister was going to, for example, ban the sale of Apple products in NZ.
- The GCSB's oversight of network providers has been further cleaned up in an attempt to make it workable, and the Minister can now make regulations about the timeframes for decisions.
- The press release says "it is also proposed to narrow the scope of the matters that must be notified to the GCSB, reducing compliance costs for network operators". The words "any change" have now been replaced by "any change to the architecture", which would mean that minor changes would not have to be notified. However, the word "acquisition" has been added alongside procurement, thus extending the scope to systems that have not been through the normal procurement process (i.e. developed in-house or using free software).
- Adds an additional step before the Minister can make a direction to a network provider about how they should run their business. The Commissioner of Security Warrants will now be required to carry out their own analysis of the GCSB's risk assessment. The Minister will also have to take into account any cost or competition implications for the network provider.
- Acknowledges that some foreign-based service providers will not be able to provide assistance as required in clause 24 due to their own laws.
Tech Liberty comment
The changes to the Bill are largely tweaks designed to improve how the bill works rather than the product of any rethinking of what the government should or shouldn't be doing. Even the removal of section 39, which allowed the minister to ban the resale of foreign services, is fairly irrelevant as that part of the law was unworkable anyway.
There is no evidence that the revelations about the extent of government spying in our intelligence allies, the USA and UK, have had any impact on the TICS Bill which is still mainly concerned about making sure that all electronic communications in New Zealand can be exposed to government scrutiny.
The government is also still pressing on with their intention of giving the GCSB overarching control of New Zealand's voice and data networks. Again there have been some minor changes and shifts in emphasis, but network providers will still be obliged to get GCSB permission to expand or modify their communications infrastructure. The government claims that this is about improving security but it is also clearly about maintaining the ability of the Police, SIS and GCSB to spy on New Zealanders. How the GCSB will handle the tension between surveillance and security is yet to be seen.
One interesting element that hasn't changed is section 10(3) which obliges a network provider to decrypt a telecommunication where the network operator has provided that encryption. A number of submitters said that this was unclear - what about services such as Mega or LastPass that provide the encryption but don't have access to the key as it chosen by the user? The clause could be read to say that this was no defence and that the network operators would have to engineer in security backdoors or risk being fined. The government's decision not to clarify this would seem to indicate that this is the intention.
We believe that changes in technology mean we need to rethink surveillance, search warrants and interception. We also fear that the cold war heritage of our security services unreasonably influences their thinking and their operations.
We support the idea of an inquiry into our intelligence services to ensure that what they do and how they do it are in the best interests of New Zealanders. We also support the idea that just because something is technically possible, it doesn't necessarily mean that we should do it. There needs to be limits on surveillance to protect important rights, such as freedom of expression and freedom of association.
We have started our own project to develop a set of suitable laws and safeguards for surveillance and spying in New Zealand. Informed by the principles at Necessary and Proportionate, we want to come up with some solutions to the hard questions that we're all being confronted with. Please contact us if you'd like to be involved in this effort.