The government has announced two new Bills for reforming the GCSB and expanding their powers. The first is the GCSB and Related Legislation Amendment Bill (PDF) and the second is the Telecommunications (Interception Capability and Security) Bill (PDF).
This article is a summary of the major parts of the TICS Bill.
The TICS Bill is a replacement for the Telecommunications (Interception Capability) Act 2004. This law forced communications providers (ISPs, telcos, data networks, etc) to provide "lawful intercept" capabilities so that the Police, SIS and GCSB could access communications once they had a suitable warrant. The new bill expands and clarifies these requirements.
However, the addition of the word "security" is the key to what has changed. The new bill now gives the GCSB sweeping powers of oversight and control over the design, deployment and operation of all data and telecommunications networks run by network providers in New Zealand. The stated reasons are to both protect New Zealand's infrastructure and to ensure that surveillance agencies can spy on traffic when required. As part of this, the GCSB will have the power to stop network providers from reselling overseas services that do not provide these capabilities.
Summary of major elements of the TICS Bill
From the Bill:
A network operator must ensure that every public telecommunications network that the operator owns, controls, or operates, and every telecommunications service that the operator provides in New Zealand, has full interception capability.
Note that the surveillance agencies still need to have a legally issued warrant (under the Search & Surveillance Act, NZ SIS Act, or GCSB Act) to actually intercept any communications and there are obligations to avoid capturing communications that are not covered by the warrant.
The new Bill splits communications providers into multiple classes, with small, wholesale and infrastructure providers having reduced obligations. Providers must either have a full intercept capability, to be "intercept ready", or to be "intercept accessible". Membership of these classes can be varied by direction of the Minister.
The Bill specifies that the law applies to companies whether based in New Zealand or overseas. It then goes on to give the Minister the power to ban the resale of an off-shore telecommunications service in New Zealand if it does not provide interception capabilities. This could stop the resale of foreign-hosted VPNs, instant message services, email, etc.
Finally, there is more detail about how intercepted data should be formatted and delivered (apparently this has caused problems under the existing law).
Encryption and decryption
Network operators must decrypt the intercepted communications if they have provided the encryption, but there is no obligation to do so if the encryption is provided by others.
What does this mean for providers such as Mega (file locker) or LastPass (password storage) who have a business model based on the fact that they supply a cloud product that uses encryption but have deliberately designed it so that they can not decrypt the files themselves? This gives users the assurance that they can trust them with their data. Will the government close them down unless they provide a backdoor into the system?
There is a major new role for the GCSB in overseeing the design and operation of commercially available data and voice communications networks.
The Bill says that network providers and the GCSB are to work co-operatively and collaboratively on identifying and addressing network risks. If they fail to cooperate sufficiently, the law provides for penalties of up to $500,000 with an additional $50,000 per day.
Network operators must notify the GCSB of any proposed decision, course of action or changes made by them in regards to purchases, network changes or ownership/control of the "specified security interest". This includes their network operations centre (NOC), lawful intercept equipment, customer databases, databases of user accounts, and "any place where data aggregates in large volumes".
The GCSB can also demand any other information about the security and interception capabilities of the network including copies of contracts, specifications, and so on. That the information is commercially sensitive or held in confidence is not a defense.
All network operators will have to register themselves with the government. The register will be administered by the Police and available to the Police, SIS and GCSB.
The register will include the numbers of customers, names of responsible contact people within the organisation, the regions they operate in and the types of services they provide. Providers of infrastructure services (e.g. companies that provide fibre links but not the equipment for communicating over those links) will also have to give the names of their customers to the register. There are penalties for non-compliance.
The government can insist that communications providers must obtain secret-level security clearances for some of their staff. It does not say what will happen if none of the technical staff qualify for a security clearance.
Liability and protecting classified information
People who do any act in good faith under the new law will be protected from subsequent prosecution or lawsuits. i.e. the new law is superior to other NZ laws or existing contracts.
There is also a provision that allows the courts to receive classified information in a court case in the absence of the defendant or the defendant's lawyer. This applies to information that might reveal details of the interception methods used by the surveillance agency or is about particular operations in relation to any of the functions of the surveillance agency, or is provided as secret information from the surveillance agencies of another country. It can also be used if that disclosure would prejudice security of NZ, prejudice the maintenance of law, or endanger the safety of any person. The judge in the case can appoint someone with an appropriate security clearance to represent the interests of the defendant for these parts of the trial.
Analysis and comment
The new TICS Bill is a major expansion of government power over the internet and other communications networks in New Zealand. While the existing TICA Act already mandated the provision of lawful intercept capabilities, handing over final control of network design and operation to the GCSB in the name of "security" seems incredibly wide and open ended.
Adding an additional level of government bureaucracy to the design and operation of these systems would appear to be a fairly significant hindrance to the ability of network operators to run their businesses.
There also must be concern about the GCSB being able to ban the resale of any services that do not provide lawful intercept capability. This means that New Zealanders will be prevented from protecting their communications from the New Zealand government - but equally they will be prevented from protecting their communications from foreign governments too. (We can safely assume that a foreign service that gives access to the NZ govt will also provide it to others.) These rules could wipe out businesses such as file lockers and password stores that rely on providing secure storage to their users.
One must ask where the justification for this expansion of power is coming from. Has New Zealand already been materially affected by attacks on our communications infrastructure? It seems clear that while the GCSB may not be that competent at exercising the powers they already have, they have done a fine job of convincing the government that they can handle a lot more.
There are many other parts of concern and there will need to be more analysis of the interception capabilities in conjunction with the new GCSB bill. One that does stick out as particularly offensive to civil liberties are the provisions for convicting people based on secret evidence. How can you defend yourself fairly when you can't even find out the evidence presented against you?
We will be doing further work on analysing this bill and would welcome contributions, particularly from those within the industry who already have experience working with TICA requirements.
Please send any updates or other useful links and we'll incorporate them. Last updated: 10/9/2012.
- What's wrong with the Communications (New Media) Bill and can it be fixed?
- Law Commission - Harmful Digital Communications
- Powers of the Proposed Communications Tribunal
Lawyer Steven Price
Lawyer John Edwards
Stephen Bell at Computerworld
Mike O'Donnell from Trademe at Stuff
David Farrar at Kiwiblog
Chris Barton at NZ Herald
Richard Boock at Stuff
- Negotiation is the new black - the "Approved Agency"
- Trolls provide motivation for greater regulation
- Workshops on the Communications Bill are worth attending
Police Minister Judith Collins
The Law Commission has released Harmful Digital Communications (PDF) - the rushed report into the "adequacy of current sanctions and remedies". According to the summary they are proposing:
- The creation of a new criminal offence that targets digital communications which are "grossly offensive or of an indence, obscene or menacing character and which cause harm". Harm is said to include physical fear, humiliation, mental and emotional distress.
- The establishment of a Communications Tribunal that will be able to respond to complaints and provide "speedy, efficient and cheap access to remedies such as takeown orders and cease & desist notices." It is also envisioned that Netsafe would take a larger role in being a first port of call for people seeking help.
- Amendments to the Harassment Act, Human Rights Act, Privacy Act and Crimes Act to ensure that the provisions of these laws can be applied to digital communications.
- New requirements for NZ schools to work harder at stopping bullying of all kinds.
The last two of these seem innocuous so our response will concentrate on the first two.
New "digital communications" offence
While it is undoubtedly true that the internet has allowed people to be nasty to each other on a wider scale than before, we are still not convinced that new laws are needed.
This is especially true when the Commission believes that the law should forbid offensive speech that has only got as far as causing someone "significant emotional distress", a rather low bar when adolescents or other excitable people are involved. (The Commission acknowledges that this goes beyond the current bounds of NZ criminal and civil law.)
We are also concerned when it is proposed to make something illegal on the internet that wouldn't be illegal if it was published in some other way. Does it really make sense that the same message might be legal on a billboard in the middle of Auckland but illegal if it was then posted to the Trademe Forums? As we say in our founding principles, "We believe that our civil liberties don't just disappear when using the internet."
It seems like that the new law will mainly be used as just another threat/weapon by people already engaged in internet battles.
All in all, we view this proposed new law with suspicion and fear that it will limit freedom of expression and cause more problems than it solves.
Establishment of a Communications Tribunal
It is always a concern when a new body with the power to censor is created, epecially when it is envisioned that it should be "speedy, efficient and cheap". When you realise that it's going to be tasked with censoring communications on the global internet, you have to wonder just what they were thinking.
Even reading the summary paper you get the feeling that the Law Commission doesn't think the Communications Tribunal is going to do much good, citing problems with identifying people and establishing jurisdiction overseas. Obviously it's only really going to have jurisdiction in New Zealand and this is just going to drive people's nastiness offshore.
Furthermore, the Tribunal will consist of one of a number of selected District Court judges, and they're going to have the power to order ISPs and web administrators to take down content. This can be significantly more difficult than it sounds and seems like a significant threat to freedom of expression, especially in those cases where the original author cannot be found therefore cannot defend themselves.
The Communications Tribunal seems to be a "at least we tried" measure, doomed to failure in all but a very narrow range of cases. We question whether it is worth doing at all.
We look forward to reading the full report and the proposed legislation and giving a fuller response when this is available.