Text of our oral submission to the Intelligence and Security Committee concerning the GCSB Bill.
I represent Tech Liberty, we’re a group dedicated to defending civil liberties in the digital age.
We see many problems with this bill and the thinking that lies behind it, problems that we described in our written submission. Today I want to concentrate on just a few of those that are particularly central to our group’s reason for existing.
Firstly, as a civil liberties group we are concerned that this bill significantly expands the powers of the GCSB. There has been a lot of spin one way or another on this issue, but we see:
- The GCSB’s new purpose of protecting NZ’s cybersecurity being used as an excuse to give them broad oversight and control of the country’s telecommunications networks.
- New permission to use their equipment and people to assist the SIS, Police and, oddly, the Defence Force.
- The ability to spy on New Zealanders for a number of reasons including both of those purposes just mentioned.
- Incredibly wide-ranging warrants and access authorisations that can be granted over classes of people and systems with little meaningful oversight.
We believe that these powers combine with what is left unsaid in the bill to prove a real threat to the security and well-being of New Zealanders. In particular we fear that this bill will allow significant mass surveillance.
Information is power
It’s commonly said that ‘information is power’, and government surveillance leads to an accumulation of information that changes the power balance in our society. Knowing that everything is being watched tends to make dissent more timid, limiting our freedom of expression and the effective working of our democracy.
People still believe in privacy and at times will do things that are lawful and reasonable but that they may not want their friends, peers or workmates to know about. It’s not illegal to have an affair or be in the closet, but this information can be used to wreck lives - or compel obedience. Can we trust a government agency to collect this sort of information and not abuse it?
This is not because we believe that the people who work for and oversee the GCSB are bad people, it’s because we believe that they, like the rest of us, are all too human.
What sort of threats must our country be facing to warrant these measures?
The Cold War is over. The last terrorist attack in New Zealand was nearly 30 years ago. We have no significant enemies. The internet provides some interesting challenges in terms of scammers and hackers but even there the impact is small scale.
The arguments made for this bill tend to be either non-existent or censored, hiding behind the idea that we can’t be trusted to know the threats that face our country, an assertion we find to be self-serving and weak.
Bringing this back to civil liberties and the NZ Bill of Rights - can the powers being granted by this Bill and the consequent impact on our rights and freedoms be demonstrably justified as necessary in a free and democratic society?
We believe that concentrating this sort of power in the hands of a government agency is a far greater threat to our personal security than any paranoid dreams of overseas terrorists and Nigerian internet scammers.
Metadata & Mass Surveillance
I now want to talk about two of the issues that are fundamentally important to Tech Liberty. The first is metadata and the second, connected but not the same, is mass surveillance.
The availability of cheap information storage, fast networks, and powerful data processing tools has materially changed how surveillance is done in the modern era. There is now so much data that can be captured and analysed, that what was once harmless is now, when done on a massive scale, a threat to our liberty.
We’ve been hearing a lot about metadata recently in the revelations about PRISM in the USA and the spying done by the GCHQ in the United Kingdom.
As you probably all know by now, metadata is the information that describes other data. In a phone call, the conversation is regarded as the data while the numbers called, when it was, how long they talked for, where they were, etc is regarded as the metadata. The same principle applies to email, texts, web-surfing, and so on.
Some people seem to take the view that metadata isn’t important or doesn’t deserve protection. We saw in the Kitteridge report that the GCSB has viewed metadata as something they can access, free of the constraints that applies when they intercept communications.
But this view is wrong.
We recently saw the power of metadata in NZ’s parliament when the number, frequency and timing of emails were used to make assumptions about behaviour that led to a resignation, even though the content of those emails wasn’t revealed.
Metadata can be used to work out who you associate with, make assumptions about your health, your hobbies, your politics, where you go and what you do when you’re there. It can be used to find out all sorts of things about you - possibly even reveal things you don’t know about yourself.
Metadata is in some ways more useful to spy agencies than the communications themselves. Metadata is consistent, neatly formatted, and far easier for a computer to analyse than messy hard to interpret human conversation.
Metadata is an important part of modern surveillance and spying and there is no doubt that the GCSB has been involved in its collection and analysis - but this Bill doesn’t mention it.
It doesn’t clarify the rules around when and who the GCSB can collect metadata about. There’s no mention of where they can and can’t get it from, or how long they can keep it, or … anything else. There’s no indication that Kitteridge’s recommendation that metadata be treated the same as communications has been accepted.
The second thing enabled by our new and cheaper technology is mass surveillance - the ability to collect communications and metadata about everyone. Why bother targeting when you can collect everything easily, store it cheaply and then mine that stored data for interesting correlations?
The justification is that by collecting all of this data you can do a better job of spotting the “bad guys” because they behave differently. I’m not sure that this holds up in New Zealand where we basically don’t have any terrorists for our systems to detect patterns from. Are we going to single out the French for special attention?
We see mass surveillance as a betrayal of the idea that in our society you should be free from government spying unless there is a demonstrably good reason that you should be subject to it, and that this spying is subject to sufficient oversight.
And, once again, mass surveillance builds up a database of information about innocent people that is open to misuse and abuse.
Unfortunately the GCSB bill really says very little about mass data collection, especially if it’s “only” metadata. There are very few or no limits on what can be collected, how it can be used, and who the derived information can be shared with.
Broad warrants and access authorisations
One answer might be that the Bill says very little because it doesn’t authorise it and therefore the GCSB can’t do it, but we don’t think that stands up to scrutiny.
When we look at the bill, we can’t but help notice the potential for incredibly broad warrants and access authorisations in section 15A.
In (1)(a) we see warrants that can be granted for “communications made or received by classes of persons” with very little limitation on how these “classes of persons” can be defined.
Even more worrying is the access authorisations in (1)(b) that allow the bureau to ”access one or more specified information infrastructure”.
In case you don’t know what an “information infrastructure” is, it includes “electromagnetic emissions, communications systems and networks, information technology systems and networks, and any communications carried on, contained in, or relating to those emissions, systems, or networks”. In other words, it includes every form of electronic communication and the associated metadata.
A single access authorisation could be granted to give access deep into our telecommunications networks to enable the GCSB to collect whatever data they see fit. This access authorisation could be open ended, without limit and, as 15A(5) makes clear, not to be limited by any other law.
You may look at this GCSB Bill and see some mild tweaking of the current law, we look at it and see it as the moment that New Zealand changes from being a society that investigates “bad guys” subject to judicial oversight, to being a surveillance state where the government is always watching and recording everyone just in case they're thinking about doing anything wrong.
No mass surveillance
We believe that there are simple solutions to these problems and that they should be incorporated into this bill.
- The first is that metadata must be treated the same as communications and should have the same limitations.
- Secondly, that the GCSB should be explicitly forbidden from creating any databases of information about New Zealanders who are not actively under investigation.
- Thirdly, that the warrants and access authorisations must be much more tightly defined and controlled to ensure that they are appropriately targeted.
Now there’s a chance you’re sitting there thinking that we’ve got this all wrong, that the Bill doesn’t provide for these things that we fear. If this is the case, the bill must be very badly drafted because a large number of people and groups who have looked at it have come to very similar conclusions. In this case the bill needs to be rewritten to make these limits clear.
However, if it is the intention of this committee and the government to allow the GCSB to engage in these activities, which we certainly hope it isn’t, they should be properly codified and defined in the law with appropriate limits and controls, rather than being left to be read between the lines.
Finally we wish to make a brief submission on oversight.
Civil liberties recognises that our freedoms and rights may need to be intruded on in certain circumstances. At the same time we believe that these intrusions must be done as openly as possible and with suitable oversight. We also believe we have a right to know what form those intrusions take.
The GCSB has highly intrusive powers that are exercised in secret. This secrecy means that these powers are open to abuse in a way that doesn’t apply to most other government agencies and we’ve already seen that the GCSB struggles to obey the law meant to limit its behaviour.
Currently operational oversight consists of the Minister (typically the Prime Minister who we can expect to be generally very busy) and their direct appointee, the Inspector General of Intelligence.
The new regime suggested in this bill is that operational oversight will consist of the Minister and the Inspector General of Intelligence. In other words, except for slight tweaking around the powers and appointment of the Inspector General, nothing has changed.
We do not find this reiteration of a failed model to be an acceptable level of openness and oversight. We need an expanded and significantly better system of operational oversight that doesn’t rely on one politician and their direct appointees, ideally one with some involvement of the judiciary and possibly civil society. This bill does not provide it.
In conclusion, while we have made some suggestions for how this bill can be improved, we think that this will not go far enough.
We see the powers being given to the GCSB as being more of a threat to the security of New Zealanders than the perceived problems that these powers are meant to fix.
Some may argue that we are being naive and that we would change our minds if we could see what horrors our intelligence services protect us from. We would argue that in New Zealand we’re lucky that we don’t have to be scared all the time, and we don’t want to be railroaded by politicians naive enough to believe the self-serving scare stories told to them by the bureaucrats in the intelligence agencies.
We ask the committee to reject this bill, we believe that New Zealand needs a full enquiry into what we want our intelligence agencies to do and the powers that we need to give them.