Tech Liberty NZ Defending civil liberties in the digital age

Submission: Harmful Digital Communications Bill

Posted on February 21, 2014

Text of the Tech Liberty submission to the Justice and Electoral Select Committee concerning the Harmful Digital Communications Bill. (Or download PDF of original version with footnotes.)

Summary

We believe that this Bill is based on false premises about the nature of freedom of expression and the differences between digital and non-digital speech. We see the Bill as being a well-meaning but misguided threat to the civil liberties of New Zealanders. We fear that the Bill will be ineffective in too many cases where it might be needed most, while being too effective in the cases which are most problematic to civil liberties.

We support the establishment of an agency to assist those harmed by harmful communications and believe that this will go a long way to resolving the types of situations that can be resolved.

We believe that the court proceedings are unfair and unlikely to be of much use. We support the discretion and guidelines given to the court in making a judgement, but believe that the procedures of the court need to better take into account the requirements for a fair trial.

The safe harbour provisions for online content hosts are unreasonable. While online content hosts do need protection from liability, the suggested mechanism amounts to a way that any person can get material taken down that they don’t like for any trivial reason. This section needs to be completely rethought in the context of overseas experiences to ensure that freedom of expression is properly protected.

The new offence of causing harm is poorly conceived and criminalises many communications that are of value to society. If not removed in its entirety, defences and an overriding Bill of Rights veto should be added.

We have also made comments on the changes to the Harassment and Crimes Acts.

Govt proposes GCSB control over NZ communications in new TICS Bill

Posted on May 8, 2013

The government has announced two new Bills for reforming the GCSB and expanding their powers. The first is the GCSB and Related Legislation Amendment Bill (PDF) and the second is the Telecommunications (Interception Capability and Security) Bill (PDF).

This article is a summary of the major parts of the TICS Bill.

The TICS Bill is a replacement for the Telecommunications (Interception Capability) Act 2004. This law forced communications providers (ISPs, telcos, data networks, etc) to provide "lawful intercept" capabilities so that the Police, SIS and GCSB could access communications once they had a suitable warrant. The new bill expands and clarifies these requirements.

However, the addition of the word "security" is the key to what has changed. The new bill now gives the GCSB sweeping powers of oversight and control over the design, deployment and operation of all data and telecommunications networks run by network providers in New Zealand. The stated reasons are to both protect New Zealand's infrastructure and to ensure that surveillance agencies can spy on traffic when required. As part of this, the GCSB will have the power to stop network providers from reselling overseas services that do not provide these capabilities.

Summary of major elements of the TICS Bill

Interception

From the Bill:

A network operator must ensure that every public telecommunications network that the operator owns, controls, or operates, and every telecommunications service that the operator provides in New Zealand, has full interception capability.

Note that the surveillance agencies still need to have a legally issued warrant (under the Search & Surveillance Act, NZ SIS Act, or GCSB Act) to actually intercept any communications and there are obligations to avoid capturing communications that are not covered by the warrant.

The new Bill splits communications providers into multiple classes, with small, wholesale and infrastructure providers having reduced obligations. Providers must either have a full intercept capability, to be "intercept ready", or to be "intercept accessible". Membership of these classes can be varied by direction of the Minister.

The Bill specifies that the law applies to companies whether based in New Zealand or overseas. It then goes on to give the Minister the power to ban the resale of an off-shore telecommunications service in New Zealand if it does not provide interception capabilities. This could stop the resale of foreign-hosted VPNs, instant message services, email, etc.

Finally, there is more detail about how intercepted data should be formatted and delivered (apparently this has caused problems under the existing law).

Encryption and decryption

Network operators must decrypt the intercepted communications if they have provided the encryption, but there is no obligation to do so if the encryption is provided by others.

What does this mean for providers such as Mega (file locker) or LastPass (password storage) who have a business model based on the fact that they supply a cloud product that uses encryption but have deliberately designed it so that they can not decrypt the files themselves? This gives users the assurance that they can trust them with their data. Will the government close them down unless they provide a backdoor into the system?

Network security

There is a major new role for the GCSB in overseeing the design and operation of commercially available data and voice communications networks.

The Bill says that network providers and the GCSB are to work co-operatively and collaboratively on identifying and addressing network risks. If they fail to cooperate sufficiently, the law provides for penalties of up to $500,000 with an additional $50,000 per day.

Network operators must notify the GCSB of any proposed decision, course of action or changes made by them in regards to purchases, network changes or ownership/control of the "specified security interest". This includes their network operations centre (NOC), lawful intercept equipment, customer databases, databases of user accounts, and "any place where data aggregates in large volumes".

The GCSB can also demand any other information about the security and interception capabilities of the network including copies of contracts, specifications, and so on. That the information is commercially sensitive or held in confidence is not a defense.

Compliance

All network operators will have to register themselves with the government. The register will be administered by the Police and available to the Police, SIS and GCSB.

The register will include the numbers of customers, names of responsible contact people within the organisation, the regions they operate in and the types of services they provide. Providers of infrastructure services (e.g. companies that provide fibre links but not the equipment for communicating over those links) will also have to give the names of their customers to the register. There are penalties for non-compliance.

The government can insist that communications providers must obtain secret-level security clearances for some of their staff. It does not say what will happen if none of the technical staff qualify for a security clearance.

Liability and protecting classified information

People who do any act in good faith under the new law will be protected from subsequent prosecution or lawsuits. i.e. the new law is superior to other NZ laws or existing contracts.

There is also a provision that allows the courts to receive classified information in a court case in the absence of the defendant or the defendant's lawyer. This applies to information that might reveal details of the interception methods used by the surveillance agency or is about particular operations in relation to any of the functions of the surveillance agency, or is provided as secret information from the surveillance agencies of another country. It can also be used if that disclosure would prejudice security of NZ, prejudice the maintenance of law, or endanger the safety of any person. The judge in the case can appoint someone with an appropriate security clearance to represent the interests of the defendant for these parts of the trial.

Analysis and comment

The new TICS Bill is a major expansion of government power over the internet and other communications networks in New Zealand. While the existing TICA Act already mandated the provision of lawful intercept capabilities, handing over final control of network design and operation to the GCSB in the name of "security" seems incredibly wide and open ended.

Adding an additional level of government bureaucracy to the design and operation of these systems would appear to be a fairly significant hindrance to the ability of network operators to run their businesses.

There also must be concern about the GCSB being able to ban the resale of any services that do not provide lawful intercept capability. This means that New Zealanders will be prevented from protecting their communications from the New Zealand government - but equally they will be prevented from protecting their communications from foreign governments too. (We can safely assume that a foreign service that gives access to the NZ govt will also provide it to others.) These rules could wipe out businesses such as file lockers and password stores that rely on providing secure storage to their users.

One must ask where the justification for this expansion of power is coming from. Has New Zealand already been materially affected by attacks on our communications infrastructure? It seems clear that while the GCSB may not be that competent at exercising the powers they already have, they have done a fine job of convincing the government that they can handle a lot more.

There are many other parts of concern and there will need to be more analysis of the interception capabilities in conjunction with the new GCSB bill. One that does stick out as particularly offensive to civil liberties are the provisions for convicting people based on secret evidence. How can you defend yourself fairly when you can't even find out the evidence presented against you?

We will be doing further work on analysing this bill and would welcome contributions, particularly from those within the industry who already have experience working with TICA requirements.

RIANZ withdraws again and copyright notices insufficient

Posted on February 12, 2013

Three brief items about the Copyright Act and the Copyright Tribunal:

1. RIANZ withdraws from another defended hearing

Another defended hearing was scheduled to go to the Copyright Tribunal this month but RIANZ has withdrawn the complaint (info from phone call to Copyright Tribunal). No further details of the case are known, so was it another fatally flawed case like the first withdrawn case or is RIANZ just not prepared to fly down to Christchurch to appear before the Tribunal?

2. Second Copyright Tribunal Decision

A second decision has been made with the Copyright Tribunal ordering a 50 year old father to pay $557 to RIANZ for sharing two songs (one twice). As in the last judgement, the evidence would appear to show that the defendant did not really understand the process nor what they had been accused of - rather it seems likely that their 8 and 12 year old sons might have done it. There is also evidence to show that they didn't understand the first two notices they received enough to be able to take action to prevent the third enforcement notice.

3. Copyright Act working as intended - kind of

Finally we come to a case where the Copyright Act did work as intended - but only after the intervention of Tech Liberty. We received a communication from someone who had received an initial detection notice.

Just got this and as a 52 year old single mum I can't understand what they mean about that the alleged infringed song has been communicated to the public? Is the infringement about the song being downloaded of shared publicly or both? I'm horribly confused. My teenage daughter says she can't stand the song and I don't even know the song. Perhaps my older 2 adult children or my boarders have done this? Any advice would be very much appreciated.

Her confusion is quite understandable when you look at the notice (identifying details removed):

Notice Number: xxxxxxxxx
Infringement Notice Date: xxxxxx
Notice Type: Detection Notice
Infringing IP Address: xxx.xxx.xxx.xxx
Infringing Date: xx/xx/xx
Name of the file: Chris Brown - Beautiful People.mp3
Unique identity of the file:
Copyright Owner: Sony Music Entertainment Incorporated
Type of Copyright Work: Sound recording (14(1)(b))
Restricted Act: Copyright has been infringed by this account holder communicating the work to the public (16(1)(f))
File Sharing Application: Azureus 4.5.0.4

What is this meant to mean to someone who doesn't understand what file sharing is? The information included by Slingshot may have explained the law but made a very poor effort at explaining what she was accused of. We rewrote it for her:

They're saying that someone at your house has installed a piece of software called Azureus (also called Vuze) and they've used that to download a song called Beautiful People by Chris Brown. The Azureus software not only downloads the song, it also uploads it to other people who want it (this is why it's called peer to peer file sharing). Sony/RIANZ have detected this upload and have made a complaint to Slingshot who have passed it on to you.

The response came quickly:

Thank you so much for getting back to me and for taking the time and all the information, very much appreciated. :) I have found out that one of my son's friends has done this and he says he won't do it again. He is a good family friend so thats fine. I will get the guys to delete the Azurus or Vuse and to check for any other peer to peer programs.

Surely a good outcome for RIANZ with a junior copyright infringer stopped after the first warning.

But it seems that the current format of the notices is not good enough. Non-technical people don't understand what they're accused of and have no idea what they should do to stop it happening again. And, after all, it's often the non-technical people who are the account holders while someone else sharing the same account may be the one doing the infringing.

It seems clear from these first few cases that the notices need to be improved so that they do a better job of explaining both the accusation and what they need to do to stop it happening again.

What’s wrong with the Communications (New Media) Bill and can it be fixed?

Posted on September 2, 2012

The Law Commission's proposed Communications (New Media) Bill (PDF) is the result of their report on Harmful Digital Communications. They are proposing:

  • The creation of a new criminal offence that targets digital communications which are "grossly offensive or of an indecent, obscene or menacing character and which cause harm". Harm is said to include physical fear, humiliation, mental and emotional distress.
  • The establishment of an Agency (i.e. Netsafe) that will be able to assist and advise people suffering from unpleasant digital communications.
  • The establishment of a Communications Tribunal that will be able to respond to complaints and provide "speedy, efficient and cheap access to remedies such as takeown orders and cease & desist notices."
  • Amendments to the Harassment Act, Human Rights Act, Privacy Act and Crimes Act to ensure that the provisions of these laws can be applied to digital communications.
  • New requirements for NZ schools to work harder at stopping bullying of all kinds.

While sympathetic to the aims, we have some serious questions about the law and the thinking that lies behind it. This article discusses some of the problems that we see, talks about ways to resolve them and asks whether the problems are too great for some parts to be worth pursuing. We have arranged our arguments thematically and finish with our conclusions and recommendations.

Kiwicon – The government is your friend

Posted on November 7, 2011

The government is your friend and wants you to be happy.

This is the transcript of a speech given by Thomas Beagle at Kiwicon in Wellington on November 6th, 2011.

Website takedowns: a followup

Posted on March 18, 2011

We recently wrote about how an offensive website was taken offline by complaints.

In particular, we talked about the tactics that were used to take them down and whether they were a good thing for the internet or not. The two tactics described were:

  1. Complaining to the ISP that the site breached their terms of service. We said this risks reducing opinion on the internet to the level of whatever a company's PR department finds acceptable.
  2. Using copyright complaints over the site's use of a photo without permission. Taking down an entire site over what is arguably a reasonable use of an image is an affront to freedom of speech and shows how dangerous these US-style shoot-first-ask-questions-later copyright laws are.

The article attracted a fair bit of comment both for and against the use of these tactics. We also received some new information and thought it was worth posting a followup.

Taking down websites you don’t agree with

Posted on February 28, 2011

This is a post about the tactics used to take down a New Zealand website hosted in the the USA and what they mean for the Internet. (Update post.)

The website

Soon after the Christchurch quake, a website (christchurchquake.net) was published that said the quake was God's punishment for Christchurch's tolerance of homosexuality, with God being especially annoyed by Gay Ski Week. The website also made a number of other very odd claims concerning a conspiracy of "Phoenician-descended swamp lesbians" headed by Helen Clark that had taken over New Zealand.

The takedown

The site is no longer available (Google cache here). This is because a number of people found the site highly offensive, and some of them decided that they would do what they could to get the site taken off the Internet.

The author of the site could not be identified so most action was aimed at getting Bluehost, a company based in the US state of Utah, to take it down. Two main tactics were employed:

Internet Name Suppression Workshop

Posted on February 3, 2011

InternetNZ hosted a workshop about name suppression in the digital age.

The following notes were made at the session. They give a general idea of what was discussed but should not be taken as definitive or complete.

Letter to Simon Power About Copyright Infringement

Posted on December 9, 2010

Tech Liberty was a co-signer on this letter to Simon Power about the Copyright (Infringing File Sharing) Amendment Bill.

The three main areas covered by the letter and briefing are:

  • Avoiding the possible reversal of burden of proof when people are accused of infringement (section 122MA).
  • Account holder liability for shared internet connections when the account holder would have no way of controlling the users of the connection.
  • Mechanism for activating the suspended "account suspension" provisions.

See our other articles about copyright issues in general and this law in particular.

ACTA: Bad for Civil Liberties

Posted on June 2, 2010

We've been writing about the ACTA (Anti Counterfeiting Trade Agreement) treaty for a while. We believe that copyright law and enforcement will need to change but also believe that everyone should participate in creating new laws, not just big business and their proxies. As such, we strongly objected to the secrecy around the negotiations and called for New Zealand to withdraw. We also made a submission to the Ministry of Economic Development about the digital enforcement provisions section.

The secrecy around ACTA caused problems for critics because, while much of the contents had been leaked, it was difficult to analyse the draft treaty without solid information. This all changed after the last meeting in Wellington, where global public pressure forced them to release the current draft (pdf) of the treaty.

Now we have the text to look at, were our fears justified? In this article we concentrate on some of the ways that the draft ACTA treaty encroaches on our civil liberties.