The government is your friend and wants you to be happy.
This is the transcript of a speech given by Thomas Beagle at Kiwicon in Wellington on November 6th, 2011.
Hi everybody. I'm Thomas Beagle from Tech Liberty. We're a lobby group dedicated to protecting civil liberties in the digital age.
I'm going to talk about how the government is protecting us by using technology to make us safer and happier people – while possibly not caring so much about our freedom.
Now, in the tech field we often laugh about the government and the law being one step behind - I bet more than one of you has looked at the new copyright law and thought "Ha, they're cracking down on torrenting but these days I get all my content via usenet!"
The problem is that this goes both ways. Sometimes it's the government that is using the new technology and the it's the laws we use to protect ourselves that haven't caught up with it yet.
Automated Number Plate Recognition
I'm going to start with automated number plate recognition because there's a good chance many of you won't have heard of it and it provides a good example of the way digital technology is changing things. But what is it?
It's pretty simple really - it's a camera that gets installed in a police car. It recognises the number plates of passing cars and checks them against a central database. Get a match to a "vehicle of interest" and the police can pull over the car and have a little chat with the driver.
Now you might think that sounds pretty innocuous, it's just automating an existing manual process. And it means that the police will spend less time and money catching more bad guys. How could anyone have a problem with that?
Of course, you lot have probably already worked out the problem. It's more than just a simple database lookup - it also includes the date, the time and the place. And it’s doing it for every car. And it’ll end up being installed in every police car. So the police are going to end up with an ever-growing database of car sightings that will let them know where you have been.
Tracking someone used to be hard.
Automated number plate recognition is going to make tracking easy. You don't need a whole team of people, you don't need to install a GP tracking device, you don't need to get a court order to access mobile phone data - you just install ANPR devices everywhere and then you can ask the database whatever you like. Because you're storing historical data, you can even go back in time - "Where did car X go on the night of May 5th?"
It's the sort of information that a totalitarian regime would love to have. It's the sort of information that an over-zealous police force obsessed with green or brown terrorism would use. But is it the sort of information that we want our government to have about everyone?
At one time the answer would have been no. When tracking devices became practical, the law was changed to make the police have to have a warrant before they could use them. Of course, the law change was partly to enable police to trespass to install the devices, but us civil liberties types have to take what we can get. This new automated number plate recognition system could be implemented without the need for any law changes or any oversight - and the NZ police are trialling it at the moment.
Another example of how the government’s use of tech is outpacing the laws we use to protect ourselves - the common or garden search warrant. Let's say that you're suspected of embezzling funds, or armchairs, from the company you work for. A complaint is made, the police investigate, they get a search warrant and kick down your door.
In the old days you'd expect them to take any sort of financial papers, documents, etc, etc. But would they take your old love letters or the family photo album? Of course they wouldn't, and the terms of the search warrant wouldn't let them.
Things are different now - sure they'll take any papers they find but they're also going to take your computer and any other digital storage on the premises. And, well I don't know about you, but my entire life is on that computer. My business files, my letters, my medical records, my family photos, ... my not so family photos... all in the hands of the police. All available to be indexed and searched with the police able to keep a copy indefinitely.
Once again, the law hasn't changed but the digitisation of information means that the effect of the law is much more oppressive.
And while I'm on the subject of searching computers, did you know that Customs have the power to seize any digital device or storage coming into the country and examine the contents? They can even take copies of the device for review later.
This is not just theoretical – they have been doing it. We got a complaint from someone about them taking his netbook as he returned from holiday in Samoa, and of course there were the Switched on Gardening people who had their phones and laptops taken every time they crossed the border.
In theory Customs can only do this to look for contraband or censored works, but it seems very likely that they are using this power at the behest of the police to do the searches that the police legally can't. You might want to bear this in mind the next time you cross the border.
The question has to be - do we want to live in a society where our movements and secrets are open to the authorities? It's traditional to mention Orwell's 1984 at this point - not least because it is such a terrifying view of the surveillance state that we're rapidly developing the ability to implement.
How do we decide what is acceptable and what isn't Trying to come up with answers to this question is one of the reasons we founded Tech Liberty. We saw that one of the best ways to look at this is through some rather old rights such as freedom of speech, the right to due process, the freedom from unreasonable search, and the recent addition of the right to privacy. And some of our new laws are stomping all over them.
But I promise this isn't a recruitment session! Instead let's start running through some of the things happening at the moment in New Zealand.
Control of the internet
The big one is control of the internet. Over the past 7 years there has been a three way legal combo attack that, as far as I'm concerned, means that the government has largely won.
The first part of this combo is the Telecommunications Interception Capability Act of 2004, known as TICA. It simply says that communications companies - telcos and ISPs - must provide facilities for law enforcement and intelligence agencies to be able to intercept communications - phone calls, data, etc. Sure, they have to have a warrant, but as our judges have declined just 1 of the hundreds of applications for interception warrants in the last three years, I think we can assume that that isn't too difficult to get.
Second is the internet filter implemented by the Department of Internal Affairs. There is no law enabling this and therefore use of the system is "voluntary" by the ISPs - but I note that in the UK they made moves to make a similar system mandatory after some of the smaller ISPs failed to realise they were meant to volunteer. Right now over 90% of New Zealanders get their internet through a connection that is censored by the government and, unlike the rest of our censorship laws, they refuse to tell us what has been blocked.
Finally, our new copyright law to stop the evils of infringing file sharing has two interesting provisions. The first is that ISPs are obliged to keep records of which account had which IP address at any one time. Secondly the government has decided to skip all that messy having to prove you actually did something bad, and has decided that they can penalise the account owner for anything done through their internet account.
So, this three way combo means that the government has established that it has the right to control where we can go on the internet, it has the right to monitor what we do, and if someone does anything it doesn't like, the government has someone it can punish.
Now this is currently being done with a fairly light hand - they only filter "the really bad stuff", they have to get a warrant to monitor or intercept, and no account holders have been fined yet (although the first notices have just gone out) - but it means that the tools are in place and ready to be extended as required.
For example, currently it's the Department of Internal Affairs who choose what to censor and I believe them when they say that they want to limit the use of the filter to child pornography... but they're not the only ones with influence. How about the courts - a judge in the UK has just ordered British Telecom to use their "really bad stuff" filter to block access to a file sharing site - because the tech is available. Or what happens if there's another media scandal about bomb-making instructions on the internet and some politician thinks that the government must come up with a solution - again, the technology is there and ready to be used.
Of course, you're all sitting here thinking "haha, I am elite masterhacker and I use encryption and VPNs, they'll never catch me!". And to a certain extent you're right - the careful and technically savvy person can avoid some of these things to a greater or lesser extent (although of course, your VPN has to come out in a legal jurisdiction somewhere...). But while this is all right for you and me, what about everyone else in New Zealand? Don't they deserve some freedom and privacy as well? When governments oppress people, it affects all of society.
What else is happening? I think we can safely assume that the number of surveillance cameras, both govt and private, continues to rise. At some point the promise of facial recognition might even live up to its marketing claims.
But there are also special cameras. Customs have been trialling the naked body scanners even though the Aviation Crimes Act expressly forbids use of technology that shows the naked form. Customs claims that the law only applies to the use of scanners to detect weapons and other threats, whereas they're using them to detect contraband. In other words, either they're lying - or they're willing to invade your privacy by taking naked pictures of you to find counterfeit Rolex watches.
Of course, we do have the Privacy Act. People and companies can't just give your private info away, right? Well, first you have to worry about the jurisdiction that your data is in - services based overseas may not have the protections we do.
But even in New Zealand the act includes a provision that you're allowed to release information "to avoid prejudice to the maintenance of the law". You may think that the police would need a warrant or court order to get Trademe to release information about you, but they're happy to admit that they will give the police any assistance that they request. Do you know whether the NZ companies you deal with will stick up for your privacy?
The Law Commission has just finished the review of the Privacy Act and we're expecting to see a bill to modify the law soon. The good news is that they intend to make the Privacy Commissioner a little less toothless. More interestingly, they've recommended making it a responsibility to notify people if security is breached and personal data is stolen. I think this is a good idea and, for any black-hats out there, it's going to make cracking the right targets just that much more satisfying when they're obliged to put out a press release telling everyone about it.
TICA and Search & Surveillance
Speaking of reviews, earlier I mentioned TICA, the Telecommunications Interception Capability Act. There's a general perception that the law doesn't work well, with both law enforcement and comms companies struggling with the lack of specifics. The Ministry of Economic Development is planning a review of the law next year. I think it's going to be one to keep a sharp eye on as law enforcement is never shy about asking for more powers.
The best example of that is undoubtedly the Search & Surveillance Bill. The Law Commission was asked to review and revise our rather chaotic laws around search & surveillance. Now, they could have had a serious look at what sort of invasive powers we let the government have in a free and democratic society - but instead they just gave the police and everyone else whatever they asked for. I still find it hard to believe that they thought it appropriate that even the local city council could apply for a search warrant to put a hidden video camera in your bedroom.
The original version was so over the top, and so badly drafted that it got sent back to be rewritten somewhat, and you can tell it’s still bad because then the govt chickened out and put the rewritten version on hold until after the election. Some of the things I'm particularly unhappy about are the lack of notifications - how can you challenge the government for doing an illegal search if you never find out that it was done? There’s also further erosion of the right to silence through the extension of production and examination orders to more types of crimes.
But one part you should all be aware of is related to searching computer systems. If you have "relevant knowledge" of the system being searched, you can be compelled to assist in the execution of a search. Refuse? You could be jailed for up to three months.
Now this could be unpleasant for a number of reasons - who wants to be caught up in someone else's drama just because you're a sysadmin or work at an ISP? But what if the assistance you're asked to provide is "Crack the encryption on these files"? How well do you think the average judge will understand that cracking a well designed encryption system isn't exactly trivial? After all, they watch TV, they know hackers can get into anything with few minutes work.
Why do we get these laws and why are they often so bad?
The final thing I want to talk about is - where do these laws come from and why are they often so bad?
Wikileaks very clearly showed that our new copyright laws are a result pressure from the US. And they’re still going – now it's the promise of a free trade treaty, the Trans Pacific Partnership, where the cost of joining and getting better access for our agricultural products will be gutting Pharmac and implementing stronger IP laws.
Then there's our local politicians who need to be seen to be doing something and are always happy to pander to the law and order trolls to get votes. Don't you trust our brave boys in blue? Of course they need more powers to stop these evil islamic Greenpeace terrorists!
Unfortunately "something" is often ineffective or has undesirable consequences. We end up with King Canute laws - someone is standing on the beach and ordering the tide to stop coming in, and it's not doing a lot of good.
Will our new copyright laws stop file sharing? No, but they have undermined our right to a fair trial.
Will the internet filter stop children being abused? Of course not, but it has given the government a new system designed for mass censorship.
Will naked body scanners stop terrorist attacks? Well, we don't have any terrorists so maybe this one will be effective!
Kiwicon is a very technical conference but these aren't technical problems with technical solutions. Instead they're political problems and the solutions also have to be political. The good news is that in New Zealand we do have, no matter how much people sneer at it, a working democracy.
You can get involved, you can give an opinion, you can help educate our politicians, you can influence our laws.
And this is the point where I say that Tech Liberty needs more people who want to be involved in that political process, that we have a website at techliberty.org.nz, and thanks very much for listening.