Edited text of the presentation given at Kiwicon 2012 ("New Zealand's Hacker Con") by Tech Liberty co-founder Thomas Beagle.
Do not ask for whom the panopticon watches, it watches for thee
My name is Thomas Beagle and I'm from Tech Liberty. We're a New Zealand lobby group dedicated to protecting civil liberties in the digital age.
I'm going to survey some of the political issues that affect our civil liberties before talking in a bit more depth about where we're up to with mass surveillance in New Zealand.
Let's start with an update on a favourite topic, the government's internet filter. It's doing 1GB of traffic a day while blocking access to 450 sites for 2.5 million internet accounts (well over 90% of NZ's internet).
A recent survey conducted by InternetNZ showed that most people hadn't heard of it and only 9% knew whether their connection was filtered. Something I found heartening was that only 23% thought that it should be the government deciding whether their connection was filtered or not.
As to the filter itself, I'm not sure whether it's good or bad news that not a lot has happened with it in the last year. It's good that the filter doesn't seem to be causing too many problems with Internet reliability and performance. It's good that the scope of what is filtered hasn't been expanded any further. I even guess it's good that they're starting to prepare for that new-fangled IPv6.
There's good news over the Tasman as well, with Australia finally abandoning their compulsory and wide-ranging filter plans in favour of some sort of ISP-run voluntary scheme.
What's not so good is how well our filter has become embedded into NZ's internet – I believe we've now lost the technical argument against it. What's not so good is that there are increasing pressures to provide more facilities for government censorship of the internet - and the filter is ready to be used.
One of those pressures is coming from "digital harms" - the desire to be seen to be doing something about people being cruel to each other via the internet and mobile phones. The Law Commission has done a review and they have recommended the establishment of a Communications Tribunal with the power to issue takedown orders and cease & desist notices.
There's a whole swathe of problems with this.
Firstly, on straight civil liberties grounds it's creating a body with the explicit task of suppressing freedom of expression on the internet. You can argue that some expression should be limited, but it's never that easy or that clear. To give just one example, they want to add denigrating someone's religion to the list of "too offensive" - does that mean I won't be able to describe Scientology as a cult for deluded fools?
The proposal also has major issues with lack of due process, that defendants have no right of appeal, and that it would create significantly different standards for speech online and offline. The proposal is a major extension of government power over the internet and I suggest you read the in-depth article about it on our website.
But, as always with laws about internet issues, the real head-smackingness comes in with the technical side. It's not like the report doesn't acknowledge that the internet is global and that New Zealand courts lack jurisdiction over the entire world, but in the recommendations section it just kind of hand-waves the problem away.
And this is where the long-term threat lies. It's obvious that in many cases the Comms Tribunal is going to be powerless in the face of people with pseudonymous accounts on foreign websites that don't care about some court order issued in New Zealand.
"What to do? Hey, we can already order ISPs to take down material, it's not that big a step to order them to block access to it as well, why don't we use that handy internet filter run by the DIA?"
The filter and the Comms Tribunal are the result of good intentions to solve particular problems, but their very existence provides the necessary infrastructure for more and greater limitations on our rights.
Te Papa and Web Content Filtering
Let's switch to a different type of filtering - web filters for people worried that someone might use their connection for bad things.
We received a complaint from a German tourist that the Te Papa free internet was blocking access to entirely innocuous German political sites. (The filter claimed that they contained "pornography - Japanese"). Te Papa claimed it was all just a screw up and got the sites unblocked, no problem right?
I think there are a number of interesting points here.
Firstly, Te Papa couldn't actually give a coherent explanation of why they were using a web filter. This is an organisation that is no stranger to controversy about offensive content - it's been the subject of a number of complaints related to their exhibits such as the famous "Virgin in a Condom" that attracted complaints from Catholics. They're used to dealing with issues of censorship and free speech, but in this case they just blindly proceeded with filtering, as if it was the default option.
Secondly, Te Papa had no idea what they were blocking, why they were blocking it, or how to change it. They said they were happy that Telstra Clear, that noted protector of free speech and artistic values, could make the decisions for them even though they were clearly doing a bad job.
Thirdly, there was some comment about Te Papa being responsible if people used the connection to watch porn or break the law. I reject the idea that Te Papa is responsible for what people do on the internet.
The lesson here is that people make silly assumptions and we've got to keep challenging them. The first assumption is that people just want to use the internet to do harm and therefore, by default, it must be tightly controlled. The second assumption is that filtering works well. The third assumption is that the provider of a connection is responsible for what people do with it, a position that should terrify any ISP or holder of a shared internet account.
Giving the final word to our German tourist: "Seeing this happen at Te Papa, a flagship of the capital, tells me something about democracy and the importance of free speech and human rights in NZ."
Of course, there is one law that does penalise the holder of a shared internet account - our copyright law.
This year we've seen the first file sharing cases be handed over to the Copyright Tribunal. We were involved in one of them and helped to get the case withdrawn - which, while great for the defendant was a bit disappointing for us. We wanted to see RIANZ lose, not give up!
I'm not going to rehash the case, there's a good article on our website about it, but there a few points I'd like to make.
Firstly, this is exactly the sort of case we feared. A student holds the flat internet account and gets threatened with $2700 worth of penalties for something that one of her flatmates probably did. The student was completely freaked out, cancelled their internet and never wants to be an account holder again. In an age when we increasingly depend on the internet, I don't think that's a desirable outcome.
Secondly, there was no way to prove the truth or otherwise of the allegations. We're talking about a normal person in a flat with normal consumer-grade routers and ... there's no logging, there's no monitoring, there's absolutely no way to prove that you didn't do what the rights holder has claimed you did. Of course the law just makes the assumption that the complainant is telling the truth.
Thirdly, while there was no way to disprove the allegations, it wasn't hard to show that the notices themselves were invalid. They missed key information, Telecom screwed up one so badly they had to withdraw it, and, worst of all, the infringement for the final enforcement notice happened in the stand-down period and therefore the whole basis for going to the Copyright Tribunal was invalid.
I note that I haven't yet seen a 100% correct infringement notice. I would like some more for my collection so please send me any you have!
Anyway it's just bad law and is going to lead to a lot of these sorts of unjust situations, with people becoming increasingly unwilling to share internet connections.
If you do know of someone having problems, send them to us and we'll do our best to help them.
Now it's time to get on to the panopticon - the all-seeing combination of monitoring, surveillance, data collection and analysis. We're increasingly being watched, our digital spore captured and sorted, data about us being matched and conclusions being drawn. This is leading to new challenges for civil liberties campaigners as what might have been innocuous on a small scale becomes intrusive when done on a large scale across society.
In New Zealand it's been a big year for surveillance and it's still an issue that worries people.
You can see that worry in the number of queries we've received about video cameras. People are concerned about cameras at work, cameras where they shop, cameras in toilets, cameras on neighbour's properties.
Furthermore cameras and the illegal use of them by Police was a big factor in having many of the charges dismissed in the trials of the Urewera 17, I mean 4.
Of course, it would be now possible for the Police to get a warrant to do this with the coming into effect of the Search & Surveillance Act. This gives the Police and some other agencies a clear legal framework for spying on people, including sneaking into your home and placing secret recording devices. The Act also gives the Police and other agencies more powers to force people to answer their questions and hand over data, eroding the right to silence.
However, it seems that in many cases the Police don't even need this authority, with companies more than happy to give up the privacy of their customers if the Police ask them to. Trademe has often boasted about their willingness to help, and we saw that the banks were perfectly happy to hand over account details about Kim Dotcom and his associates when requested - even though they weren't suspected of breaking any NZ laws. What about the Privacy Act, you say? Well, you’re protected if you release private information in good faith for the purposes of law enforcement.
Speaking of the Kim Dotcom mega-circus and surveillance, there are still a lot of questions around GCSB's illegal surveillance of them – not to mention the other 58 times they’ve helped the Police and other agencies in the last three years.
Automated Number Plate Recognition
Now we did see one win in the field of surveillance and big data, with the Police backing away from their initial intention to use Automated Number Plate Recognition for tracking people, after they attracted some publicity and the Privacy Commissioner got involved. Now they're just using it for spotting "vehicles of interest" which personally I don't have a problem with.
However there was one interesting point in a letter to me where they said that they saw it would require a warrant to track vehicles that way because of the Search & Surveillance Act.
Now my initial reading of the act thought that this only referred to placing a tracking device on a vehicle, but it's actually a bit less specific than that. Rather it says that you need a tracking warrant to use a "device that may be used to help ascertain, by electronic or other means ... the location of a thing or a person". Can we call a network of ANPR-equipped cameras with a central database a tracking device?
Arguably we can, in which case this must also extend to other forms of electronic-enabled tracking such as looking at EFTPOS transactions and analysing cellphone base station records. I suspect this wasn’t the intention of the Act but I’m pretty happy that the Police will need a warrant to track people in this way.
Why does mass surveillance matter?
Now, why does the panopticon matter? One reporter asked me if I was worried about Police tracking people because I had a criminal record - he didn't seem to understand that one could be opposed to it on principle. I object to mass surveillance for a number of reasons:
Firstly I think that as free people in a free society, we shouldn't be the target of law enforcement without reasonable suspicion. It's just none of their business.
Secondly I think it gives the state too much power over our lives. The knowledge gained can be abused for both official and unofficial purposes.
Finally I think it has a chilling effect on people's behaviour, knowing they're always being watched.
I found an interesting example of that while talking to someone who attended political demonstrations. The Police have started photographing participants at these demonstrations. This person found that intimidating and expressed the view that it would make them less likely to protest again - even though it is generally regarded that political speech should be one of the most highly protected forms of freedom of expression.
Leaks and Hacking
But there's more than just problems with deliberate misuse of this data.
We're storing more and more data about people but at the same time it's been a great year for privacy and security breaches, with honours shared pretty equally between the government and private sectors. The MSD open network, the multiple auction sites, ACC privacy leaks again and again, the various Novopay failures.
It seems that the leaks and screwups are scaling with the quantity of data. The naive might say "Surely this is just a bad run of them?" but people who work in IT and particularly those who work in IT security know that these sorts of problems are the norm, not the exception.
And this turns out to be a problem for civil liberties. While we worry about what can be done with sophisticated analysis of big data sets to track and control people, we also need to worry about data escaping through incompetence and enemy action.
There's a certain set of people who like to argue "if you've done nothing wrong, you've got nothing to fear". There's another set that like to argue "privacy is dead, get over it".
Tell that to the people who are hiding from an abusive ex-partner whose address was made publicly available by the ACC. Tell that to the people who don't want their history of being sexually abused available to anyone who turned up at an MSD kiosk. When designing systems and thinking about security we have to remember that the more of this data that we collect and keep, the more we put at risk.
NZ not doing mass surveillance yet
But I think that the most important point about surveillance in New Zealand is what we're not doing. We're not setting up ANPR in cities to track every vehicle movement like in London. We're not passing laws that say that all internet or cellphone traffic must be passed to the SIS for data mining as has been done illegally in the US and is being done legally in a number of other countries around the world. We're not setting up huge video camera networks with automated threat analysis and facial recognition so that we can more efficiently find and punish the people who act differently.
Even the laws we have passed, such as the Telecommunications Interception Capability Act, tend to be targeted at individuals and require the issuance of a warrant.
Obviously we should be concerned about the Waihopai and Tangimoana listening stations operated by the GCSB. While in theory they're not meant to be monitoring NZ communications, my understanding is that they have US and UK staff there with no such limitations - and no barrier to passing the "interesting" data they capture to the SIS, but sadly we're all a bit in the dark about how this works.
Which leads me to the point that we're in a position where we can do something about these issues *before* some politician decides they need a "tough on crime" boost in the polls. We should be talking now about what we're prepared to let the government do and what standards we demand they follow.
- that we should have the right to know what types of surveillance/data collection are being used.
- that collected data should only be able to be kept for a limited time.
- that there should be mandatory requirements for oversight of the use of this data including, for example, requiring a warrant before being able to query the database.
- that people should have the right to be told, after the fact, that they were being watched or that their data was handed over to law enforcement.
I believe these systems are coming, but we've got a chance in New Zealand to avoid some of the worst excesses that are happening in other countries.
We need help
That completes my talk, but I'm going to take the opportunity to ask you all for help. Last year I asked for people who wanted to join Tech Liberty and that still applies - but what I really want is information leaks. I don't care about tawdry gossip and point scoring in he-said/she-said politics, I'm after solid information from principled whistle-blowers about topics such as:
- people and companies subverting NZ's laws
- the government or politicians lying to the people
- government employees selling out NZ interests to foreign countries - yes, I'm looking at the SIS/GCSB here
I can't offer you money but if we're both careful we should be able to manage anonymity. So if there's anything that you're involved with but feel uncomfortable about - get in touch.
Thanks for listening.