Govt proposes GCSB control over NZ communications in new TICS Bill
The government has announced two new Bills for reforming the GCSB and expanding their powers. The first is the GCSB and Related Legislation Amendment Bill (PDF) and the second is the Telecommunications (Interception Capability and Security) Bill (PDF).
This article is a summary of the major parts of the TICS Bill.
The TICS Bill is a replacement for the Telecommunications (Interception Capability) Act 2004. This law forced communications providers (ISPs, telcos, data networks, etc) to provide "lawful intercept" capabilities so that the Police, SIS and GCSB could access communications once they had a suitable warrant. The new bill expands and clarifies these requirements.
However, the addition of the word "security" is the key to what has changed. The new bill now gives the GCSB sweeping powers of oversight and control over the design, deployment and operation of all data and telecommunications networks run by network providers in New Zealand. The stated reasons are to both protect New Zealand's infrastructure and to ensure that surveillance agencies can spy on traffic when required. As part of this, the GCSB will have the power to stop network providers from reselling overseas services that do not provide these capabilities.
Summary of major elements of the TICS Bill
Interception
From the Bill:
A network operator must ensure that every public telecommunications network that the operator owns, controls, or operates, and every telecommunications service that the operator provides in New Zealand, has full interception capability.
Note that the surveillance agencies still need to have a legally issued warrant (under the Search & Surveillance Act, NZ SIS Act, or GCSB Act) to actually intercept any communications and there are obligations to avoid capturing communications that are not covered by the warrant.
The new Bill splits communications providers into multiple classes, with small, wholesale and infrastructure providers having reduced obligations. Providers must either have a full intercept capability, to be "intercept ready", or to be "intercept accessible". Membership of these classes can be varied by direction of the Minister.
The Bill specifies that the law applies to companies whether based in New Zealand or overseas. It then goes on to give the Minister the power to ban the resale of an off-shore telecommunications service in New Zealand if it does not provide interception capabilities. This could stop the resale of foreign-hosted VPNs, instant message services, email, etc.
Finally, there is more detail about how intercepted data should be formatted and delivered (apparently this has caused problems under the existing law).
Encryption and decryption
Network operators must decrypt the intercepted communications if they have provided the encryption, but there is no obligation to do so if the encryption is provided by others.
What does this mean for providers such as Mega (file locker) or LastPass (password storage) who have a business model based on the fact that they supply a cloud product that uses encryption but have deliberately designed it so that they can not decrypt the files themselves? This gives users the assurance that they can trust them with their data. Will the government close them down unless they provide a backdoor into the system?
Network security
There is a major new role for the GCSB in overseeing the design and operation of commercially available data and voice communications networks.
The Bill says that network providers and the GCSB are to work co-operatively and collaboratively on identifying and addressing network risks. If they fail to cooperate sufficiently, the law provides for penalties of up to $500,000 with an additional $50,000 per day.
Network operators must notify the GCSB of any proposed decision, course of action or changes made by them in regards to purchases, network changes or ownership/control of the "specified security interest". This includes their network operations centre (NOC), lawful intercept equipment, customer databases, databases of user accounts, and "any place where data aggregates in large volumes".
The GCSB can also demand any other information about the security and interception capabilities of the network including copies of contracts, specifications, and so on. That the information is commercially sensitive or held in confidence is not a defense.
Compliance
All network operators will have to register themselves with the government. The register will be administered by the Police and available to the Police, SIS and GCSB.
The register will include the numbers of customers, names of responsible contact people within the organisation, the regions they operate in and the types of services they provide. Providers of infrastructure services (e.g. companies that provide fibre links but not the equipment for communicating over those links) will also have to give the names of their customers to the register. There are penalties for non-compliance.
The government can insist that communications providers must obtain secret-level security clearances for some of their staff. It does not say what will happen if none of the technical staff qualify for a security clearance.
Liability and protecting classified information
People who do any act in good faith under the new law will be protected from subsequent prosecution or lawsuits. i.e. the new law is superior to other NZ laws or existing contracts.
There is also a provision that allows the courts to receive classified information in a court case in the absence of the defendant or the defendant's lawyer. This applies to information that might reveal details of the interception methods used by the surveillance agency or is about particular operations in relation to any of the functions of the surveillance agency, or is provided as secret information from the surveillance agencies of another country. It can also be used if that disclosure would prejudice security of NZ, prejudice the maintenance of law, or endanger the safety of any person. The judge in the case can appoint someone with an appropriate security clearance to represent the interests of the defendant for these parts of the trial.
Analysis and comment
The new TICS Bill is a major expansion of government power over the internet and other communications networks in New Zealand. While the existing TICA Act already mandated the provision of lawful intercept capabilities, handing over final control of network design and operation to the GCSB in the name of "security" seems incredibly wide and open ended.
Adding an additional level of government bureaucracy to the design and operation of these systems would appear to be a fairly significant hindrance to the ability of network operators to run their businesses.
There also must be concern about the GCSB being able to ban the resale of any services that do not provide lawful intercept capability. This means that New Zealanders will be prevented from protecting their communications from the New Zealand government - but equally they will be prevented from protecting their communications from foreign governments too. (We can safely assume that a foreign service that gives access to the NZ govt will also provide it to others.) These rules could wipe out businesses such as file lockers and password stores that rely on providing secure storage to their users.
One must ask where the justification for this expansion of power is coming from. Has New Zealand already been materially affected by attacks on our communications infrastructure? It seems clear that while the GCSB may not be that competent at exercising the powers they already have, they have done a fine job of convincing the government that they can handle a lot more.
There are many other parts of concern and there will need to be more analysis of the interception capabilities in conjunction with the new GCSB bill. One that does stick out as particularly offensive to civil liberties are the provisions for convicting people based on secret evidence. How can you defend yourself fairly when you can't even find out the evidence presented against you?
We will be doing further work on analysing this bill and would welcome contributions, particularly from those within the industry who already have experience working with TICA requirements.
RIANZ withdraws again and copyright notices insufficient
Three brief items about the Copyright Act and the Copyright Tribunal:
1. RIANZ withdraws from another defended hearing
Another defended hearing was scheduled to go to the Copyright Tribunal this month but RIANZ has withdrawn the complaint (info from phone call to Copyright Tribunal). No further details of the case are known, so was it another fatally flawed case like the first withdrawn case or is RIANZ just not prepared to fly down to Christchurch to appear before the Tribunal?
2. Second Copyright Tribunal Decision
A second decision has been made with the Copyright Tribunal ordering a 50 year old father to pay $557 to RIANZ for sharing two songs (one twice). As in the last judgement, the evidence would appear to show that the defendant did not really understand the process nor what they had been accused of - rather it seems likely that their 8 and 12 year old sons might have done it. There is also evidence to show that they didn't understand the first two notices they received enough to be able to take action to prevent the third enforcement notice.
3. Copyright Act working as intended - kind of
Finally we come to a case where the Copyright Act did work as intended - but only after the intervention of Tech Liberty. We received a communication from someone who had received an initial detection notice.
Just got this and as a 52 year old single mum I can't understand what they mean about that the alleged infringed song has been communicated to the public? Is the infringement about the song being downloaded of shared publicly or both? I'm horribly confused. My teenage daughter says she can't stand the song and I don't even know the song. Perhaps my older 2 adult children or my boarders have done this? Any advice would be very much appreciated.
Her confusion is quite understandable when you look at the notice (identifying details removed):
Notice Number: xxxxxxxxx
Infringement Notice Date: xxxxxx
Notice Type: Detection Notice
Infringing IP Address: xxx.xxx.xxx.xxx
Infringing Date: xx/xx/xx
Name of the file: Chris Brown - Beautiful People.mp3
Unique identity of the file:
Copyright Owner: Sony Music Entertainment Incorporated
Type of Copyright Work: Sound recording (14(1)(b))
Restricted Act: Copyright has been infringed by this account holder communicating the work to the public (16(1)(f))
File Sharing Application: Azureus 4.5.0.4
What is this meant to mean to someone who doesn't understand what file sharing is? The information included by Slingshot may have explained the law but made a very poor effort at explaining what she was accused of. We rewrote it for her:
They're saying that someone at your house has installed a piece of software called Azureus (also called Vuze) and they've used that to download a song called Beautiful People by Chris Brown. The Azureus software not only downloads the song, it also uploads it to other people who want it (this is why it's called peer to peer file sharing). Sony/RIANZ have detected this upload and have made a complaint to Slingshot who have passed it on to you.
The response came quickly:
Thank you so much for getting back to me and for taking the time and all the information, very much appreciated. :) I have found out that one of my son's friends has done this and he says he won't do it again. He is a good family friend so thats fine. I will get the guys to delete the Azurus or Vuse and to check for any other peer to peer programs.
Surely a good outcome for RIANZ with a junior copyright infringer stopped after the first warning.
But it seems that the current format of the notices is not good enough. Non-technical people don't understand what they're accused of and have no idea what they should do to stop it happening again. And, after all, it's often the non-technical people who are the account holders while someone else sharing the same account may be the one doing the infringing.
It seems clear from these first few cases that the notices need to be improved so that they do a better job of explaining both the accusation and what they need to do to stop it happening again.
What’s wrong with the Communications (New Media) Bill and can it be fixed?
The Law Commission's proposed Communications (New Media) Bill (PDF) is the result of their report on Harmful Digital Communications. They are proposing:
- The creation of a new criminal offence that targets digital communications which are "grossly offensive or of an indecent, obscene or menacing character and which cause harm". Harm is said to include physical fear, humiliation, mental and emotional distress.
- The establishment of an Agency (i.e. Netsafe) that will be able to assist and advise people suffering from unpleasant digital communications.
- The establishment of a Communications Tribunal that will be able to respond to complaints and provide "speedy, efficient and cheap access to remedies such as takeown orders and cease & desist notices."
- Amendments to the Harassment Act, Human Rights Act, Privacy Act and Crimes Act to ensure that the provisions of these laws can be applied to digital communications.
- New requirements for NZ schools to work harder at stopping bullying of all kinds.
While sympathetic to the aims, we have some serious questions about the law and the thinking that lies behind it. This article discusses some of the problems that we see, talks about ways to resolve them and asks whether the problems are too great for some parts to be worth pursuing. We have arranged our arguments thematically and finish with our conclusions and recommendations.
Kiwicon – The government is your friend
The government is your friend and wants you to be happy.
This is the transcript of a speech given by Thomas Beagle at Kiwicon in Wellington on November 6th, 2011.
Website takedowns: a followup
We recently wrote about how an offensive website was taken offline by complaints.
In particular, we talked about the tactics that were used to take them down and whether they were a good thing for the internet or not. The two tactics described were:
- Complaining to the ISP that the site breached their terms of service. We said this risks reducing opinion on the internet to the level of whatever a company's PR department finds acceptable.
- Using copyright complaints over the site's use of a photo without permission. Taking down an entire site over what is arguably a reasonable use of an image is an affront to freedom of speech and shows how dangerous these US-style shoot-first-ask-questions-later copyright laws are.
The article attracted a fair bit of comment both for and against the use of these tactics. We also received some new information and thought it was worth posting a followup.
Taking down websites you don’t agree with
This is a post about the tactics used to take down a New Zealand website hosted in the the USA and what they mean for the Internet. (Update post.)
The website
Soon after the Christchurch quake, a website (christchurchquake.net) was published that said the quake was God's punishment for Christchurch's tolerance of homosexuality, with God being especially annoyed by Gay Ski Week. The website also made a number of other very odd claims concerning a conspiracy of "Phoenician-descended swamp lesbians" headed by Helen Clark that had taken over New Zealand.
The takedown
The site is no longer available (Google cache here). This is because a number of people found the site highly offensive, and some of them decided that they would do what they could to get the site taken off the Internet.
The author of the site could not be identified so most action was aimed at getting Bluehost, a company based in the US state of Utah, to take it down. Two main tactics were employed:
Letter to Simon Power About Copyright Infringement
Tech Liberty was a co-signer on this letter to Simon Power about the Copyright (Infringing File Sharing) Amendment Bill.
The three main areas covered by the letter and briefing are:
- Avoiding the possible reversal of burden of proof when people are accused of infringement (section 122MA).
- Account holder liability for shared internet connections when the account holder would have no way of controlling the users of the connection.
- Mechanism for activating the suspended "account suspension" provisions.
See our other articles about copyright issues in general and this law in particular.
ACTA: Bad for Civil Liberties
We've been writing about the ACTA (Anti Counterfeiting Trade Agreement) treaty for a while. We believe that copyright law and enforcement will need to change but also believe that everyone should participate in creating new laws, not just big business and their proxies. As such, we strongly objected to the secrecy around the negotiations and called for New Zealand to withdraw. We also made a submission to the Ministry of Economic Development about the digital enforcement provisions section.
The secrecy around ACTA caused problems for critics because, while much of the contents had been leaked, it was difficult to analyse the draft treaty without solid information. This all changed after the last meeting in Wellington, where global public pressure forced them to release the current draft (pdf) of the treaty.
Now we have the text to look at, were our fears justified? In this article we concentrate on some of the ways that the draft ACTA treaty encroaches on our civil liberties.
Media Release: Tech Liberty welcomes planned Section 92A revision
New section 92A of Copyright Act does a far better job of balancing civil liberties and copyright enforcement.
Commerce Minister Simon Power released a statement revealing an intended framework and policy to replace Section 92A of the Copyright Act. This section, meant to come into force this year, was suspended after a broad coalition of rights holders, ISPs, and stakeholders opposed the original vague and ill-defined wording.
Internet Name Suppression Workshop
InternetNZ hosted a workshop about name suppression in the digital age.
The following notes were made at the session. They give a general idea of what was discussed but should not be taken as definitive or complete.