Full text of the Tech Liberty submission to the Intelligence & Security Committee concerning the Government Communications Security Bureau and Related Legislation Amendment Bill.
Tech Liberty has deep concerns about the extent of the powers granted to the GCSB by this Bill, especially when combined with the proposed changes to the Telecommunications (Interception Capability) Act (2004) contained in the TICS Bill.
We do not believe that the GCSB should be spying on New Zealanders. We are particularly concerned with the Bill’s silence on the GCSB’s existing practice of collecting and analysing metadata.
We do not believe that the GCSB is the right agency to have oversight and control of New Zealand’s telecommunications infrastructure in the name of “cybersecurity”.
We do not believe that the Bill makes any significant improvement to the current woefully inadequate oversight procedures.
We submit that this Bill and the TICS Bill should both be rejected. Rather there needs to be a formal review of New Zealand’s domestic and foreign intelligence requirements.
The New GCSB
This bill is a major expansion of purpose for the GCSB and includes an equally major expansion of their powers, including the ability to access any computer or communication system to spy on and monitor both foreigners and New Zealanders.
New Mission - Cybersecurity
The GCSB Act (2003) gives the GCSB the objective of protecting the communications and systems of the New Zealand government.
The GCSB Bill changes this purpose so that it will now have responsibility for protecting the information and telecommunications infrastructures of everyone in the country.
New Mission - Spying on New Zealanders
The GCSB Act (2003) allowed the GCSB to provide advice and assistance to any public authorities or other entities. However, section 14 made it very clear that this assistance was not to include any action for the purpose of intercepting the communications of a New Zealand citizen or permanent resident.
The GCSB Bill now explicitly allows the GCSB to perform interceptions of New Zealanders communications on behalf of the Police, SIS or Defence Force.
It also allows the GCSB to spy on New Zealanders for the purpose of maintaining cybersecurity. (The GCSB claims in the Regulatory Impact Statement that it will need to be able to monitor the communications of New Zealanders to detect whether they are being attacked.)
Mass Surveillance & Metadata
Continuing technical development means that it is now cost-effective to collect masses of innocuous data about people, dump it all into a huge data store and then run sophisticated analysis software over it to extract information about what people do.
Even just looking at metadata (or call associated data as it is described in the TICS Bill) can be incredibly revealing. Taking just the example of phone records, metadata can include: who we call, when we call them, how often we call them, how long we speak for, where we call them from, who they call after we call them, and so on. For example:
... in the world of business, a pattern of phone calls from key executives can reveal impending corporate takeovers. Personal phone calls can also reveal sensitive medical information: “You can see a call to a gynaecologist, and then a call to an oncologist, and then a call to close family members.” And information from cell-phone towers can reveal the caller’s location. Metadata, she pointed out, can be so revelatory about whom reporters talk to in order to get sensitive stories that it can make more traditional tools in leak investigations, like search warrants and subpoenas, look quaint. (Susan Landau quoted in the New Yorker)
Adding additional sources of information such as banking records, electronic toll records and so on increases the amount of information that can be mined from the collected data. Once you start collecting data on everyone, the records can be cross referenced with each other to work out who associates with whom and you end up with a very detailed database about people’s lives.
GCSB access to metadata
In the Kitteridge report the GCSB revealed that they believe that “metadata was not a communication” and that they “could, on request, lawfully obtain and provide information about metadata involving New Zealanders, without the authority of a warrant...”
The current bill provides the ability for the GCSB to apply for warrants and access authorisations that can target any number of people, systems or classes of people and systems. It is clear to us that these warrants and access authorisations are designed to be as wide and open-ended as possible so that the GCSB can actively collect both communications and metadata in an ongoing fashion.
Metadata is important
We reject the idea that metadata is any less important or less worthy of protection than the content of a communication.
We further reject the idea that the GCSB should be able to collect metadata about any person who they are not actively investigating, and that this collection should only be possible subject to a properly issued and specific warrant.
No mass surveillance
We believe that the GCSB should not be creating large databases of information about New Zealander and that we should not be giving them the legal powers to do so.
The GCSB Act should be amended to make it clear that a) metadata is to be subject to the same controls and limitations as communications, b) the GCSB is not permitted to create any databases of information about New Zealanders who are not actively under investigation.
The GCSB and TICS bills combine to give the GCSB a new purpose of being responsible for the security of New Zealand’s telecommunications and data networks. (As noted earlier, the 2003 Act only gave the GCSB responsibilities for securing government communications.) This is a major expansion of the GCSB’s purpose.
No spying for our protection
To do this the GCSB asserts it needs wide powers to spy on New Zealanders in order to “see who is being attacked” (wording from para 36 of the RIS). This is the same type of thinking that would argue for a police camera in every home to see who is being burgled. It is a pathetically transparent justification to get legal clearance to continue spying on New Zealanders.
We reject the idea that we need the GCSB to spy on us for our own protection.
GCSB not the right agency to do cybersecurity
The GCSB is not the right agency to be responsible for cyber security. It will be difficult to trust an agency that has the dual roles of both spying on systems while ensuring that they are protected from others.
This is especially true given that the GCSB has a long history of working with and sharing information with intelligence agencies in other countries such as the US who appear to be actively spying on the communications of New Zealanders.
The level of oversight and control given to the GCSB in this new role will also make others reluctant to trust New Zealand telecommunications infrastructure. For example, will companies that trade with New Zealand be willing to use New Zealand hosted services such as Xero, knowing that the GCSB will be able to get at their financial records?
No GCSB spying on New Zealanders
We support the clear intentions of the GCSB Act (2003) in that the GCSB should not be spying on New Zealand citizens and permanent residents. We note that the only assistance that the GCSB could give to other agencies in the original act was to help them secure their own systems and communications.
The GCSB’s main purpose has always been spying on our neighbours in the Pacific and sharing the information received with our intelligence allies. We believe that bolting on this ability to assist the Police, SIS and Defence Force is inappropriate and will weaken the clarity of purpose of the GCSB.
This lack of clarity of purpose can be seen in the recent Kim Dotcom/Megaupload case where it appears that the GCSB got involved in spying on people who were merely being accused of providing tools to allow people to breach copyright.
The tools and mentality used to do this kind of work is very different from that used by the Police and SIS in protecting New Zealand and New Zealanders from threats. Technically the types of investigations undertaken by the Police and SIS target people who have drawn their attention in some way, whereas the GCSB tends to trawl everything looking for information.
We further believe that the SIS and Police should well be able to develop their own technical capabilities and can then operate them in accordance with the rules and controls that they are used to working under. The need for highly technically skilled police staff and resources will grow quickly, so must be addressed appropriately by the agencies responsible. Using a NZ spy agency instead is insufficient and inappropriate, and opens up the police work undertaken to disrepute.
Recent events have shown that oversight of the GCSB has been failing. The current oversight regime relies on the Minister and the Inspector-General of Intelligence both doing their job but clearly illegal behaviour has been ignored, issues have not been followed up, and the Minister has been shown to be ignorant of what has been happening within the bureau.
This bill makes some minor changes to the powers of the Inspector-General but we are still being asked to rely on an oversight model that has already shown that it is not fit for purpose. We note that both the Inspector-General of Intelligence and the Commissioner of Security Warrants are both appointed by the very Minister that is the only other significant check on the GCSB.
The GCSB has major powers of intrusion into the lives of New Zealanders. This bill in combination with the TICS bill greatly expands the powers of the GCSB and their scope of operations. These invasive powers need oversight that is not only effective but can be trusted.
We need an expanded and significantly better system of oversight that doesn’t rely on one politician and their direct appointees. This bill does not provide it.
When considering any bill with as much impact on civil liberties as this one, there are a number of questions that need to be answered:
Is this bill necessary? We do not believe that the Government has presented any credible argument for the GCSB to have these powers to spy on us. The last person killed by terrorists in New Zealand died nearly 30 years ago. While cybercrime is annoying for those who suffer from it, even the most excitable claims about the total cost are low compared to other forms of crime in New Zealand.
Are these measures proportional? The creation of a mass surveillance state with government agencies that collect data about us and analyse it is a major step in changing the nature of our society. People act differently when they are being watched and there is a chilling effect on freedom of expression. The government has failed to show that these losses are proportional to any perceived benefit we will get from giving up our privacy in this way.
Are the powers granted the minimum required? Any surveillance should be limited to the minimum required to address the immediate requirement. This would normally mean targeting a person or group of people after it has been shown that there is a reasonable requirements to do so. This bill fails to do so by enabling mass surveillance regardless of reasonable suspicion.
Is there appropriate transparency? The bill does not provide enough reporting about what the GCSB is doing and to the extent it is doing it. A simple accounting of the number of interception warrants and access authorisations does not provide sufficient insight into the activities of the GCSB.
Is there proper oversight? All oversight in the GCSB bill is provided by the Minister for the GCSB and two functionaries appointed by that same minister, an arrangement that has already been demonstrated to be inadequate. There is no judicial oversight, no independent auditor or board of trusted citizens to review these decisions.
Throw this bill out and start again
We believe that this bill is a serious threat to New Zealand’s democracy. It enables the GCSB to engage in mass surveillance of the New Zealand people in a matter more fitting to East Germany or China.
The GCSB might argue that they need these powers to protect us - but we believe those decisions are up to the people of New Zealand. We reject their claims and find their proposed solution to be an unacceptable overreach.
We have not provided a list of individual improvements that can be applied to this bill as we believe the entire bill needs to be thrown out and the process started again, along with the Telecommunications Interception Capability and Security Bill.
- A general review of New Zealand’s intelligence organisations, domestic and foreign. This should focus on establishing our needs before deciding on what agencies and laws we need.
- Establishing an independent cyber-security organisation with a coordinating and consultative role rather than intrusive and coercive.
- Providing sufficient resources to the Police and SIS to enable them to do their own technical work without relying on the spy powers of the GCSB.
- Banning our surveillance agencies from doing mass surveillance of innocent people.
- Accepting that metadata (or ‘associated call data’) is as important to privacy as the content of communications and providing it with the same protection.
- Establishing independent and effective oversight of surveillance carried out by all of New Zealand’s agencies with surveillance powers.
- Applying the same standards that we apply to data collection about New Zealanders to information received from foreign countries about New Zealanders.
- Setting strict limits on what data about New Zealanders can be shared with overseas agencies.