Tech Liberty NZ Defending civil liberties in the digital age

TICS – Second spy law passes

Posted on November 5, 2013

The Telecommunications Interception Capability and Security Bill has now passed the third reading in Parliament by a vote of 61 to 59 (National, United Future and ACT voted for it).

See our earlier coverage for more about what's wrong with the TICS Bill and how it has changed over time.

The bill codifies the government's assertion that all digital communications (which is increasingly becoming equivalent to "all communications") must be accessible by government agencies. The limits imposed are minimal and laws such as the GCSB Act override any limits included in TICS anyway.

Furthermore, to ensure that the government can do this, the GCSB will now have oversight of the design and operation of New Zealand's communications networks. They will be able to veto any decision made by the network operators that might impact on security or, more likely, limit their ability to spy as they see fit.

It seems odd that our government is passing these laws at the same time that the world is reacting to the Snowden revelations and people in New Zealand are starting to realise just how New Zealand is tied into these global spy networks through our membership of the Five Eyes (USA, UK, Australia, Canada, NZ).

Rather than take the opportunity to rethink NZ's surveillance on both local and foreign targets, the government has chosen to extend the powers of our spy agencies while refusing to make any significant improvements to their oversight.

We accept the need for some forms of spying and surveillance (especially by the Police to catch law breakers) when they have suitable oversight, but we are generally disappointed that the laws passed over the last few years have been focused on enacting surveillance agencies' wishlists rather than thinking about how to protect New Zealanders' civil liberties.

Changes to the TICS Bill

Posted on October 16, 2013

The TICS Bill (Telecommunications Interception Capability and Security), a partner to the GCSB Bill that has already been passed, is progressing through Parliament. See our round-up of articles about the Bill.

The Bill has been modified twice:

  1. The Bill as reported back (PDF) by the Law & Order Select Committee on 19/9/2013.
  2. A supplementary order paper added by the government on 15/10/2013.

The government has also provided two further documents:

As reported back by the select committee

The Law & Order Select Committee made a number of minor changes to the Bill. Many of the changes are tweaks to the drafting that have no substantive effect, while others are minor technical changes to improve clarity or streamline procedures.

Even those that do attempt to make changes are fairly weak. E.g. the Director of the GCSB will now have the duty to make decisions about network security "as soon as practicable".

There are no substantive changes worth reporting.

Supplementary order paper 366

As reported in the press release from Amy Adams, the SOP makes the following changes:

  • Clause 39, allowing the Minister to forbid the resale of a foreign service that doesn't allow interception, has been removed. This is a good change as the clause was basically unusable - no one really thought that the Minister was going to, for example, ban the sale of Apple products in NZ.
  • The GCSB's oversight of network providers has been further cleaned up in an attempt to make it workable, and the Minister can now make regulations about the timeframes for decisions.
  • The press release says "it is also proposed to narrow the scope of the matters that must be notified to the GCSB, reducing compliance costs for network operators". The words "any change" have now been replaced by "any change to the architecture", which would mean that minor changes would not have to be notified. However, the word "acquisition" has been added alongside procurement, thus extending the scope to systems that have not been through the normal procurement process (i.e. developed in-house or using free software).
  • Adds an additional step before the Minister can make a direction to a network provider about how they should run their business. The Commissioner of Security Warrants will now be required to carry out their own analysis of the GCSB's risk assessment. The Minister will also have to take into account any cost or competition implications for the network provider.
  • Acknowledges that some foreign-based service providers will not be able to provide assistance as required in clause 24 due to their own laws.

Tech Liberty comment

The changes to the Bill are largely tweaks designed to improve how the bill works rather than the product of any rethinking of what the government should or shouldn't be doing. Even the removal of section 39, which allowed the minister to ban the resale of foreign services, is fairly irrelevant as that part of the law was unworkable anyway.

There is no evidence that the revelations about the extent of government spying in our intelligence allies, the USA and UK, have had any impact on the TICS Bill which is still mainly concerned about making sure that all electronic communications in New Zealand can be exposed to government scrutiny.

The government is also still pressing on with their intention of giving the GCSB overarching control of New Zealand's voice and data networks. Again there have been some minor changes and shifts in emphasis, but network providers will still be obliged to get GCSB permission to expand or modify their communications infrastructure. The government claims that this is about improving security but it is also clearly about maintaining the ability of the Police, SIS and GCSB to spy on New Zealanders. How the GCSB will handle the tension between surveillance and security is yet to be seen.

One interesting element that hasn't changed is section 10(3) which obliges a network provider to decrypt a telecommunication where the network operator has provided that encryption. A number of submitters said that this was unclear - what about services such as Mega or LastPass that provide the encryption but don't have access to the key as it chosen by the user? The clause could be read to say that this was no defence and that the network operators would have to engineer in security backdoors or risk being fined. The government's decision not to clarify this would seem to indicate that this is the intention.

The future

We believe that changes in technology mean we need to rethink surveillance, search warrants and interception. We also fear that the cold war heritage of our security services unreasonably influences their thinking and their operations.

We support the idea of an inquiry into our intelligence services to ensure that what they do and how they do it are in the best interests of New Zealanders. We also support the idea that just because something is technically possible, it doesn't necessarily mean that we should do it. There needs to be limits on surveillance to protect important rights, such as freedom of expression and freedom of association.

We have started our own project to develop a set of suitable laws and safeguards for surveillance and spying in New Zealand. Informed by the principles at Necessary and Proportionate, we want to come up with some solutions to the hard questions that we're all being confronted with. Please contact us if you'd like to be involved in this effort.

Next: the TICS Bill

Posted on August 22, 2013

The GCSB Bill has now been passed by Parliament.

Next up is the Telecommunications (Interception Capability and Security) Bill also know as the TICS Bill. This is an update of the Telecommunications (Interception Capability) Act (2004) that forced communications providers (ISPs, telcos, data networks, etc) to provide "lawful intercept" capabilities so that the Police, SIS and GCSB could access communications once they had a suitable warrant. The new bill expands and clarifies these requirements.

However, the addition of the word "security" is the key to what has changed. The new bill now gives the GCSB sweeping powers of oversight and control over the design, deployment and operation of all data and telecommunications networks run by network providers in New Zealand. The stated reasons are to both protect New Zealand's infrastructure and to ensure that surveillance agencies can spy on traffic when required. As part of this, the GCSB will have the power to stop network providers from reselling overseas services that do not provide these capabilities.

The bill has passed the first reading and is expected to be reported back from the Law & Order Select Committee on the 20th of September.

Tech Liberty articles

We've written about this bill and also made a written and oral submission to the Law and Order Select Committee. Here's a list of our articles in publication order:

Other articles worth reading

Tagged as: , No Comments

Does the new GCSB Bill give them the power to spy on New Zealanders?

Posted on August 13, 2013

There's been a lot of confusion in the media recently about how much the GCSB will be able to spy on New Zealanders when the GCSB Bill passes.

When even Peter Dunne gets it badly wrong in the "Ask Me Anything" article he did in the National Business Review (see q4 from Rick Shera), claiming that they could only spy on NZers on behalf of the Police/SIS/NZDF, we thought we should clear some things up by looking at the legislation.

Note: All references to the legislation are to the version reported back by the Intelligence and Security Committee combined with the changes in Mr Dunne's SOP (PDF).

Spying on behalf

Firstly, everyone agrees that section 8C of the Bill will allow the GCSB to spy on New Zealanders on behalf of the SIS, Police or NZ Defence Force. This is the "giving assistance" part and it appears to be limited to only doing things that the original agency would have the legal authority to do.

Recent changes include more clarity about the GCSB's assistance being subject to the originating agency's oversight (e.g. the Independent Police Complaints Authority for work performed for the Police) and requiring any new agencies to be added by legislation rather than by an Order in Council.

GCSB spying on New Zealanders

The GCSB also has the power do its own spying on New Zealanders as part of its new cybersecurity purpose (defined in section 8A). "to do everything that is necessary or desirable to protect the security and integrity of the communications and information infrastructures".

The main interception powers are granted by section 15A and this makes it very clear that both interception warrants and access authorisations can be granted for the GCSB to spy on New Zealanders under purpose 8A (cybersecurity).

Interception warrants vs access authorisations

It's worth explaining the difference between interception warrants and access authorisations. An interception warrant (15A(1)(a)) is granted to spy on:

  • one or more specific people or a class of person
  • communications made in one or more specific places or classes of place
  • communications sent from or to overseas

An access authorisation (15A(1)(b)) allows the GCSB to access a particular or class of "information infrastructure" which is further defined as "electromagnetic emissions, communications systems and networks, information technology systems and networks, and any communications carried on, contained in, or relating to those emissions, systems, or networks".

Therefore an interception warranted is targeted at a person or place (although the targeting can be very, very broad), whereas an access authorisation allows general access to all the information on a particular computer system, network or phone system, or a specified type of all of those systems.

The only difference between those granted for spying on foreigners and those for spying on New Zealanders, is that the ones targeting New Zealanders have to be signed off by the Commissioner of Security Warrants as well as the Prime Minister. The Commissioner is appointed by the Prime Minister.

Doesn't section 14 stop the GCSB spying on New Zealanders?

The new section 14 only stops the GCSB from spying on New Zealanders for purpose 8B (intelligence gathering and analysis). It does not apply to any surveillance done in relation to cybersecurity (purpose 8A) or done on behalf of other agencies (purpose 8C).

The new section 15C does stop the GCSB deliberately intercepting privileged communications (e.g. to your lawyer). However, see note below about incidentally gained intelligence.

Warrantless spying?

Section 16 of the GCSB Act also allows certain forms of spying without a warrant or access authorisation. However, the bill adds section 16(1A) which says that this cannot be done for the purpose of intercepting the communications of New Zealanders. (See the notes below about metadata and incidentally gained intelligence.)

Putting it all together

So what does all this mean?

Most importantly it clearly shows that the GCSB can spy on New Zealanders for its own purposes without doing it on behalf of another agency.

We see that this has been deliberately set up to allow mass surveillance either now or in the future. For example, the GCSB could apply for an access authorisation for access to "New Zealand's mobile networks" and, after being signed off by the Prime Minister and the Commissioner for Security Warrants, they could then use that access authorisation to collect all phone calls, texts and data sent over the mobile networks.

This collected information could then be analysed and the resulting intelligence given to the Minister and any person, whether in New Zealand or overseas, authorised by the Minister (section 8A(c)).

In theory this activity would have to be done as part of their purpose to "protect the security and integrity of the communications and information infrastructures" but we see that this could be interpreted rather widely.

Other issues

There are also a number of other issues around spying on New Zealanders that we haven't directly addressed in this article:

Metadata - There are a number of places in the bill that put limits on intercepting "private communications", but in the past the GCSB has interpreted that as only including the actual call, not the related data (e.g. when, who, how long, etc). Does this mean that the GCSB still thinks it can collect this metadata without a warrant or access authorisation? The bill is silent on this issue.

Incidentally gained intelligence - when the GCSB does collect information it shouldn't, it can still use that information if it would help prevent or detect serious crime, save lives, or be useful for the security or defence of New Zealand. This is a fairly large loophole in many of the limitations in the Bill.

Access authorisation for the GCSB - section 14 prohibits the GCSB from intercepting NZers private communications for purpose 8B intelligence gathering but they can do so for purpose 8A cybersecurity. Could the GCSB then obtain an access authorisation for access to its own database of already intercepted cybersecurity data for intelligence gathering purposes?

Sharing data overseas - how much of this data can be shared overseas? There appear to be no limits other than that the Minister must approve who it is shared with.

Collecting data from overseas - can the GCSB get data from overseas agencies (e.g. the NSA) that it couldn't legally intercept itself? Can it share data for the purpose of cybersecurity and then be given it back to be used for general intelligence?

What about data that New Zealanders store overseas? - are there different rules for information that New Zealanders store overseas with companies such as Google and Facebook?

Feedback and updates

Think we've got this wrong? Feel free to leave a comment with your interpretation. We'll make any necessary corrections or additions as required.

Application of Human Rights to Communication Surveillance

Posted on August 1, 2013

Tech Liberty is proud to be a co-signatory of the International Principles on the Application of Human Rights to Communication Surveillance.

Tech Liberty's purpose is to defend civil liberties in the digital age. One of the key challenges has been the way that advances in technology have made mass surveillance dramatically cheaper and easier to implement. We can see this battle currently being fought with the GCSB and TICS Bills in New Zealand and the recent revelations about pervasive government spying in the USA, UK and other countries.

Speech to the Auckland public meeting against the GCSB Bill

Posted on July 26, 2013

Text of Thomas Beagle's speech to the Urgent Public Meeting to Oppose the GCSB Bill held in Auckland, 25th July, 2013. (Or watch video of all of the speeches.)

 

Introduction

Liberty

I’m from Tech Liberty. We’re a group dedicated to defending civil liberties in the digital age. I want to start by explaining what that means in the context of this bill.

Opposition to the GCSB Bill

Posted on July 22, 2013

Urgent public meeting in Auckland

A public meeting to oppose the GCSB Bill is being held at 7pm Thursday, Auckland 25th July at the Mt Albert War Memorial Hall. Get the flyer (PDF).

TICS Bill – Oral Submission

Posted on July 10, 2013

Text of our submission to the Law and Order Select Committee re the Telecommunications (Interception Capability & Security) Bill.

 

Introduction

I represent Tech Liberty, we’re a group dedicated to defending civil liberties in the digital age.

In general we support the ability of the government to have interception capabilities on telecommunications where possible, when those interception capabilities have suitable oversight and control. However we fear that technological development is slowly making this lawful intercept regime increasingly irrelevant.

We’ll be addressing this and some other elements of the first two parts of the bill, before talking about the proposal to make the GCSB responsible for cyber security in New Zealand.

GCSB Bill – Oral Submission

Posted on July 3, 2013

Text of our oral submission to the Intelligence and Security Committee concerning the GCSB Bill.

Introduction

I represent Tech Liberty, we’re a group dedicated to defending civil liberties in the digital age.

We see many problems with this bill and the thinking that lies behind it, problems that we described in our written submission. Today I want to concentrate on just a few of those that are particularly central to our group’s reason for existing.

Open letter to John Key – the right to know

Posted on June 27, 2013

Dear Mr Key

This letter is partly in response to the findings of the Kitteridge report about the GCSB and their failures to follow the law, but is also mindful of the recent PRISM revelations about the actions of the NSA in the USA, as well as the mass spying revealed to have been carried out by the GCHQ in the United Kingdom. As disturbing as these revelations have been, we cannot help but be shocked that this surveillance was done in secret without the knowledge of the citizens of each country.

We assert that, as citizens of a democratic society, we have the right to know the methods that government agencies use to watch us. Without this knowledge we cannot assert our rights to put appropriate limits on their use.