Tech Liberty NZ Defending civil liberties in the digital age

Submission: Harmful Digital Communications Bill

Posted on February 21, 2014

Text of the Tech Liberty submission to the Justice and Electoral Select Committee concerning the Harmful Digital Communications Bill. (Or download PDF of original version with footnotes.)

Summary

We believe that this Bill is based on false premises about the nature of freedom of expression and the differences between digital and non-digital speech. We see the Bill as being a well-meaning but misguided threat to the civil liberties of New Zealanders. We fear that the Bill will be ineffective in too many cases where it might be needed most, while being too effective in the cases which are most problematic to civil liberties.

We support the establishment of an agency to assist those harmed by harmful communications and believe that this will go a long way to resolving the types of situations that can be resolved.

We believe that the court proceedings are unfair and unlikely to be of much use. We support the discretion and guidelines given to the court in making a judgement, but believe that the procedures of the court need to better take into account the requirements for a fair trial.

The safe harbour provisions for online content hosts are unreasonable. While online content hosts do need protection from liability, the suggested mechanism amounts to a way that any person can get material taken down that they don’t like for any trivial reason. This section needs to be completely rethought in the context of overseas experiences to ensure that freedom of expression is properly protected.

The new offence of causing harm is poorly conceived and criminalises many communications that are of value to society. If not removed in its entirety, defences and an overriding Bill of Rights veto should be added.

We have also made comments on the changes to the Harassment and Crimes Acts.

HDC Bill and criminalising free speech

Posted on February 1, 2014

As part of our ongoing look at elements of the Harmful Digital Communications Bill (general critique and safe harbours), we now turn to the new offence of causing harm by posting digital communication (section 19). This is a criminal offence and is not related to the rest of the bill with its 10 principles, Approved Agency and quick-fire District Court remedies. It's quite simple:

(1) A person commits an offence if:

  1. the person posts a digital communication with the intention that it cause harm to a victim; and
  2. posting the communication would cause harm to an ordinary reasonable person in the position of the victim; and
  3. posting the communication causes harm to the victim.

"harm" is defined in the interpretation section as "serious emotional distress".

Unfortunately this new offence is actually very wide and may well capture many communications that are of immense value to society - or at least shouldn't be made illegal.

Let's consider the case where someone takes a photo of a politician receiving a bribe and, shocked at their corruption, posts that photo to the internet. This communication:

  1. would be posted with the intention of harming the victim (the prospect of facing criminal charges or being obliged to resign could be assumed to cause the victim distress).
  2. would cause harm to any reasonable person in the position of the victim (any reasonable person would not like having evidence of their criminal corruption exposed to the world).
  3. could easily be proved to have caused harm (serious emotional distress) to the victim.

The penalty? Up to 3 months in jail or a fine not exceeding $2000.

In section 19(2) the judge gets some guidelines about how to assess whether the communication causes harm, but nowhere is there the idea that some communications that cause harm might actually have some societal value or would otherwise come under freedom of expression. There are no available defences such as that the communication may be in the public interest, counts as fair comment, or exposes criminal wrongdoing.

And just in case you thought that whether the communication is true or not should matter, section 19(4)(a) clarifies that "...or otherwise communicates by means of a digital communication any information, whether truthful or untruthful, about the victim;"

This is obviously a terrible law and will have a detrimental effect on freedom of expression and public discourse in New Zealand. How will our journalists and citizen journalists be able to expose wrongdoing when broadcasting it on electronic media such as the internet, radio or TV is a criminal act if it hurts the wrongdoer's feelings?

This law wouldn't be acceptable if it applied to speech in a newspaper; it's not acceptable online.

Section 19 isn't completely worthless - it also criminalises the communication of "intimate visual recordings" in an attempt to harm someone. This seems worth keeping, but the parts of section 19 concerning speech need to be either removed or significantly modified to protect freedom of expression.

Safe harbours in HDC Bill are a threat to freedom of expression

Posted on November 21, 2013

The safe harbour provisions in the Harmful Digital Communications Bill are a serious threat to online freedom of speech in New Zealand.

How it works

Anyone can complain to an online content host (someone who has control over a website) that some material submitted by an external user on their site is unlawful, harmful or otherwise objectionable. The online content host must then make a choice:

  1. Remove the content and thereby qualify for immunity from civil or criminal action.
  2. Leave the content up and be exposed to civil or criminal liability.

The content host has to make its own determination about whether a piece of given content is unlawful (which may be very difficult when it comes to subjective issues such as defamation and impossible to determine when it concerns legal suppression), harmful or "otherwise objectionable".

Furthermore, there is:

  • No oversight of the process from any judicial or other agency.
  • No requirement for the content host to tell the person who originally posted the content that it has been deleted.
  • No provision for any appeal by the content host or the person who originally posted the material.
  • No penalty for people making false or unreasonable claims.

We can safely assume that most content hosts will tend to play it safe, especially if they're large corporates with risk-averse legal teams, and will take down material when requested. They have nothing to gain and plenty to lose by leaving complained-about material online.

Serious ramifications for freedom of speech

Don't like what someone has said about you online? Send in a complaint and wait for it to be taken down.

This applies to comments on blogs, forums on auction sites, user-supplied content on news media sites, etc, etc. These are exactly the places where a lot of important speech occurs, including discussions about politics and the issues of the day. The debates can often be heated, and some sites are well known for encouraging intemperate speech, but these discussions are becoming an increasingly important part of our national discourse.

This law will make it too easy for someone to stop arguing and start making complaints, thereby suppressing the freedom of expression of those they disagree with.

The jurisdiction problem

Of course, this will only apply to websites that are controlled by people who have a legal presence in New Zealand. Overseas websites will continue to maintain their own rules and ignore New Zealand law and standards of online behaviour.

Conclusion

As currently written, these safe harbour provisions are just a bad idea. They're too open to abuse and we believe they're more likely to be used to suppress acceptable speech than to eliminate harmful or "otherwise objectionable" speech. At the very minimum, the complaint should have to be approved by the Approved Agency referred to in the other parts of the Bill.

That said, the whole idea of removing "otherwise objectionable" speech is also quite worrying. The Harmful Digital Communications Bill already has an expansive set of rules about what sort of harmful speech shouldn't be allowed online and this "otherwise objectionable" seems to extend it even further. One of the principles we stand up for here is that civil liberties such as freedom of expression are as important online as they are offline, and this law goes far beyond anything in the offline world.

We hope to have more comment and analysis on other aspects of the Harmful Digital Communications Bill soon.

Changes to the TICS Bill

Posted on October 16, 2013

The TICS Bill (Telecommunications Interception Capability and Security), a partner to the GCSB Bill that has already been passed, is progressing through Parliament. See our round-up of articles about the Bill.

The Bill has been modified twice:

  1. The Bill as reported back (PDF) by the Law & Order Select Committee on 19/9/2013.
  2. A supplementary order paper added by the government on 15/10/2013.

The government has also provided two further documents:

As reported back by the select committee

The Law & Order Select Committee made a number of minor changes to the Bill. Many of the changes are tweaks to the drafting that have no substantive effect, while others are minor technical changes to improve clarity or streamline procedures.

Even those that do attempt to make changes are fairly weak. E.g. the Director of the GCSB will now have the duty to make decisions about network security "as soon as practicable".

There are no substantive changes worth reporting.

Supplementary order paper 366

As reported in the press release from Amy Adams, the SOP makes the following changes:

  • Clause 39, allowing the Minister to forbid the resale of a foreign service that doesn't allow interception, has been removed. This is a good change as the clause was basically unusable - no one really thought that the Minister was going to, for example, ban the sale of Apple products in NZ.
  • The GCSB's oversight of network providers has been further cleaned up in an attempt to make it workable, and the Minister can now make regulations about the timeframes for decisions.
  • The press release says "it is also proposed to narrow the scope of the matters that must be notified to the GCSB, reducing compliance costs for network operators". The words "any change" have now been replaced by "any change to the architecture", which would mean that minor changes would not have to be notified. However, the word "acquisition" has been added alongside procurement, thus extending the scope to systems that have not been through the normal procurement process (i.e. developed in-house or using free software).
  • Adds an additional step before the Minister can make a direction to a network provider about how they should run their business. The Commissioner of Security Warrants will now be required to carry out their own analysis of the GCSB's risk assessment. The Minister will also have to take into account any cost or competition implications for the network provider.
  • Acknowledges that some foreign-based service providers will not be able to provide assistance as required in clause 24 due to their own laws.

Tech Liberty comment

The changes to the Bill are largely tweaks designed to improve how the bill works rather than the product of any rethinking of what the government should or shouldn't be doing. Even the removal of section 39, which allowed the minister to ban the resale of foreign services, is fairly irrelevant as that part of the law was unworkable anyway.

There is no evidence that the revelations about the extent of government spying in our intelligence allies, the USA and UK, have had any impact on the TICS Bill which is still mainly concerned about making sure that all electronic communications in New Zealand can be exposed to government scrutiny.

The government is also still pressing on with their intention of giving the GCSB overarching control of New Zealand's voice and data networks. Again there have been some minor changes and shifts in emphasis, but network providers will still be obliged to get GCSB permission to expand or modify their communications infrastructure. The government claims that this is about improving security but it is also clearly about maintaining the ability of the Police, SIS and GCSB to spy on New Zealanders. How the GCSB will handle the tension between surveillance and security is yet to be seen.

One interesting element that hasn't changed is section 10(3), which obliges a network provider to decrypt a telecommunication where the network operator has provided that encryption. A number of submitters said that this was unclear - what about services such as Mega or LastPass that provide the encryption but don't have access to the key as it is chosen by the user? The clause could be read to say that this was no defence and that the network operators would have to engineer in security backdoors or risk being fined. The government's decision not to clarify this would seem to indicate that this is the intention.

The future

We believe that changes in technology mean we need to rethink surveillance, search warrants and interception. We also fear that the cold war heritage of our security services unreasonably influences their thinking and their operations.

We support the idea of an inquiry into our intelligence services to ensure that what they do and how they do it are in the best interests of New Zealanders. We also support the idea that just because something is technically possible, it doesn't necessarily mean that we should do it. There need to be limits on surveillance to protect important rights, such as freedom of expression and freedom of association.

We have started our own project to develop a set of suitable laws and safeguards for surveillance and spying in New Zealand. Informed by the principles at Necessary and Proportionate, we want to come up with some solutions to the hard questions that we're all being confronted with. Please contact us if you'd like to be involved in this effort.

Does the new GCSB Bill give them the power to spy on New Zealanders?

Posted on August 13, 2013

There's been a lot of confusion in the media recently about how much the GCSB will be able to spy on New Zealanders when the GCSB Bill passes.

When even Peter Dunne gets it badly wrong in the "Ask Me Anything" article he did in the National Business Review (see q4 from Rick Shera), claiming that they could only spy on NZers on behalf of the Police/SIS/NZDF, we thought we should clear some things up by looking at the legislation.

Note: All references to the legislation are to the version reported back by the Intelligence and Security Committee combined with the changes in Mr Dunne's SOP (PDF).

Spying on behalf

Firstly, everyone agrees that section 8C of the Bill will allow the GCSB to spy on New Zealanders on behalf of the SIS, Police or NZ Defence Force. This is the "giving assistance" part and it appears to be limited to only doing things that the original agency would have the legal authority to do.

Recent changes include more clarity about the GCSB's assistance being subject to the originating agency's oversight (e.g. the Independent Police Complaints Authority for work performed for the Police) and requiring any new agencies to be added by legislation rather than by an Order in Council.

GCSB spying on New Zealanders

The GCSB also has the power to do its own spying on New Zealanders as part of its new cybersecurity purpose, defined in section 8A: "to do everything that is necessary or desirable to protect the security and integrity of the communications and information infrastructures".

The main interception powers are granted by section 15A and this makes it very clear that both interception warrants and access authorisations can be granted for the GCSB to spy on New Zealanders under purpose 8A (cybersecurity).

Interception warrants vs access authorisations

It's worth explaining the difference between interception warrants and access authorisations. An interception warrant (15A(1)(a)) is granted to spy on:

  • one or more specific people or a class of person
  • communications made in one or more specific places or classes of place
  • communications sent from or to overseas

An access authorisation (15A(1)(b)) allows the GCSB to access a particular or class of "information infrastructure" which is further defined as "electromagnetic emissions, communications systems and networks, information technology systems and networks, and any communications carried on, contained in, or relating to those emissions, systems, or networks".

Therefore an interception warrant is targeted at a person or place (although the targeting can be very, very broad), whereas an access authorisation allows general access to all the information on a particular computer system, network or phone system, or a specified type of all of those systems.

The only difference between those granted for spying on foreigners and those for spying on New Zealanders is that the ones targeting New Zealanders have to be signed off by the Commissioner of Security Warrants as well as the Prime Minister. The Commissioner is appointed by the Prime Minister.

Doesn't section 14 stop the GCSB spying on New Zealanders?

The new section 14 only stops the GCSB from spying on New Zealanders for purpose 8B (intelligence gathering and analysis). It does not apply to any surveillance done in relation to cybersecurity (purpose 8A) or done on behalf of other agencies (purpose 8C).

The new section 15C does stop the GCSB deliberately intercepting privileged communications (e.g. to your lawyer). However, see note below about incidentally gained intelligence.

Warrantless spying?

Section 16 of the GCSB Act also allows certain forms of spying without a warrant or access authorisation. However, the bill adds section 16(1A) which says that this cannot be done for the purpose of intercepting the communications of New Zealanders. (See the notes below about metadata and incidentally gained intelligence.)

Putting it all together

So what does all this mean?

Most importantly it clearly shows that the GCSB can spy on New Zealanders for its own purposes without doing it on behalf of another agency.

We see that this has been deliberately set up to allow mass surveillance either now or in the future. For example, the GCSB could apply for an access authorisation for access to "New Zealand's mobile networks" and, after being signed off by the Prime Minister and the Commissioner for Security Warrants, they could then use that access authorisation to collect all phone calls, texts and data sent over the mobile networks.

This collected information could then be analysed and the resulting intelligence given to the Minister and any person, whether in New Zealand or overseas, authorised by the Minister (section 8A(c)).

In theory this activity would have to be done as part of their purpose to "protect the security and integrity of the communications and information infrastructures" but we see that this could be interpreted rather widely.

Other issues

There are also a number of other issues around spying on New Zealanders that we haven't directly addressed in this article:

Metadata - There are a number of places in the bill that put limits on intercepting "private communications", but in the past the GCSB has interpreted that as only including the actual call, not the related data (e.g. when, who, how long, etc). Does this mean that the GCSB still thinks it can collect this metadata without a warrant or access authorisation? The bill is silent on this issue.

Incidentally gained intelligence - when the GCSB does collect information it shouldn't, it can still use that information if it would help prevent or detect serious crime, save lives, or be useful for the security or defence of New Zealand. This is a fairly large loophole in many of the limitations in the Bill.

Access authorisation for the GCSB - section 14 prohibits the GCSB from intercepting NZers' private communications for purpose 8B intelligence gathering but they can do so for purpose 8A cybersecurity. Could the GCSB then obtain an access authorisation for access to its own database of already intercepted cybersecurity data for intelligence gathering purposes?

Sharing data overseas - how much of this data can be shared overseas? There appear to be no limits other than that the Minister must approve who it is shared with.

Collecting data from overseas - can the GCSB get data from overseas agencies (e.g. the NSA) that it couldn't legally intercept itself? Can it share data for the purpose of cybersecurity and then be given it back to be used for general intelligence?

What about data that New Zealanders store overseas? - are there different rules for information that New Zealanders store overseas with companies such as Google and Facebook?

Feedback and updates

Think we've got this wrong? Feel free to leave a comment with your interpretation. We'll make any necessary corrections or additions as required.

Opposition to the GCSB Bill

Posted on July 22, 2013

Urgent public meeting in Auckland

A public meeting to oppose the GCSB Bill is being held at 7pm on Thursday 25th July at the Mt Albert War Memorial Hall, Auckland. Get the flyer (PDF).

Submission – Telecommunications (Interception Capability & Security) Bill

Posted on June 13, 2013

Full text of the Tech Liberty submission to the Law & Order Select Committee concerning the Telecommunications (Interception Capability & Security) Bill.

Summary

In general we support the ability of the government to have interception capabilities on telecommunications where possible, when those interception capabilities have suitable oversight and control. We have made some technical suggestions on how Part 2 - Interception Duties could be improved and clarified:

  • Publish a list of service providers with interception responsibilities.
  • Remove the ability for the Minister to ban the resale of overseas services.
  • Clarify the duty to decrypt to indicate that it does not require network providers to supply deliberately weakened encryption with government backdoors.

We reject the idea that the GCSB should have oversight and control of communications networks in New Zealand. No need for this has been established and the use of an agency whose main focus is spying on external organisations is inappropriate and open to abuse. We therefore recommend the removal of Part 3 - Network Security in its entirety, possibly to be replaced by the establishment of a coordinating and consultative, not controlling, network security body.

Finally, we find the idea of evidence being presented in court that cannot be seen by the defendant and their lawyer to be extremely offensive to the right to a fair trial as promised by section 25 of the Bill of Rights Act. We therefore recommend the removal of Subpart 8 - Protecting Classified Information (sections 96-98). If this is retained we recommend that the appointment of a special advocate as in 97(3)(c) should be mandatory rather than optional.

GCSB’s new powers for wide-spread spying on New Zealanders

Posted on June 9, 2013

There have recently been a number of revelations about the US government spying on its citizenry and other people around the world (a good summary). Many people have been shocked to find out the extent of the US's spying and access into theoretically private systems.

What many New Zealanders don't realise is that the NZ government is currently changing both the GCSB Act of 2003 and the Telecommunications Interception Capability Act of 2004 to allow similar levels of access to New Zealand communications for the GCSB (Government Communications Security Bureau).

Current law

The current TICA law already gives the GCSB, Police or SIS the technical capability to intercept all NZ communications if they have a valid warrant.

The GCSB can get warrants to spy on the communications of foreign people and organisations, although they can spy without a warrant if it doesn't require the installation of any device (e.g. wireless/satellite/radio/mobile).

TICS - Telecommunications Interception Capability and Security Bill

The new TICS Bill clarifies and expands on these interception capabilities. It also allows them to be extended to service providers (people who offer "goods, services, equipment, and facilities that enable or facilitate telecommunication") such as email providers, Trademe forums, Mega, etc.

TICS continues the existing regime where these interception powers can only be accessed with a valid warrant, but keep reading for the new exceptions to this in the GCSB Bill.

Furthermore, the TICS Bill also creates a new role for the GCSB, ensuring the security of New Zealand's telecommunications infrastructure. This includes wide powers of oversight and control of how communications networks are managed and implemented in order to "protect New Zealand's national security or economic wellbeing".

GCSB - Government Communications Security Bureau and Related Legislation Amendment Bill

The new GCSB Bill gives the GCSB three purposes (we'll come back to these):

  • 8A - Information assurance and cybersecurity. (Expanded from protecting government communications to a much wider responsibility for New Zealand's communications.)
  • 8B - Intelligence gathering, analysis and sharing. (Similar to the existing law except that it adds "gathering information about information infrastructures" to the existing spying on foreign people/organisations.)
  • 8C - Helping the Police, SIS and Defence Force by providing advice and assistance in helping them execute their own legally obtained warrants. (This is entirely new.)

The bill doesn't significantly change how the GCSB can apply for an interception or search warrant, but it does add a whole new class of "access authorisation". To quote section 15A(1)(b):

The Director may apply in writing to the Minister for the issue of an access authorisation authorising the accessing of 1 or more specified information infrastructures or classes of information infrastructures that the Bureau cannot otherwise lawfully access.

These authorisations are granted at the whim of the Minister (although see below) and are incredibly wide-ranging and open-ended. There are no recommendations of limits (other than what the Minister sees fit to impose) and there is no automatic expiry. And just in case you thought that the TICA/TICS law might provide some protection, the GCSB Bill goes on to add section 15A(5):

This section applies despite anything in any other Act.

Most importantly, these new access authorisations can be used for purpose 8A (cybersecurity) as well as 8B (information gathering). As paragraph 36 of the Regulatory Impact Statement explains: "an amendment will also be required to allow the GCSB to see who (namely NZ individuals and companies) is being attacked". That is to say, the GCSB believes that it needs to be able to spy on New Zealanders to maintain their security. Based on what we know from recent reports on GCSB activities, we assume that the GCSB particularly intends to collect communications metadata (i.e. who speaks to who, when and how often but not what they say).

If you had any doubts about whether this applies to NZ communications, section 15B then further clarifies that for any access authorisations "for the purpose of intercepting the private communications of a New Zealand citizen or permanent resident of New Zealand under section 8A (cybersecurity)" the authorisation must be approved by the Commissioner of Security Warrants as well as the Minister.

And finally, if you were hoping that section 14, which controls the ability of the GCSB to target New Zealanders, would provide any protection, this only applies when the GCSB is performing duties under section 8B (intelligence gathering) and not section 8A (cybersecurity).

Putting it all together

The GCSB believes it needs to monitor the communications of New Zealanders in order to ensure that it can protect them from attacks.

TICA and TICS establish the technical capability for the GCSB to spy on any communications, subject to the limits in that law and the GCSB Act.

A section 15A(1)(b) access authorisation can give the GCSB power to access any communications system it wants for the purpose of spying or information security, irrespective of any legal controls in any other law. This will allow it access to the facilities provided by TICS/TICA.

The GCSB will be spying on New Zealanders.

Conclusion

These new laws are not some minor adjustments to the work of the GCSB and how interception works. They are not just about letting the GCSB provide technical assistance to the Police, SIS and Defence Force.

While people in the USA are getting upset about the revelations of the extent of NSA spying there, these new laws give the GCSB far greater control of New Zealand communications networks, and practically unlimited capacity to intercept New Zealand communications.

These new laws are the point at which New Zealand switches from being a society that investigates "bad guys" subject to judicial oversight, to being a surveillance state where the government is always watching and recording everyone just in case they're thinking about doing anything wrong.

We don't want to live in that society. We believe that these new laws contravene the right in the NZ Bill of Rights to be free from unreasonable search and seizure, and will have a chilling effect on the rights to free expression and freedom of association.

We think that these laws need to be stopped.

DIA now filtering .. Google?

Posted on May 29, 2013

Update 1st August 2013

The DIA have now confirmed that they did filter some sites hosted by Google and that this caused problems for both the filter and some internet users.

Officials provided an oral briefing on the incident reported regarding a degradation of service noted by some users of certain services. The Filter Operations Team worked with the provider of those services in question. It was discovered that hentai and cgi based child abuse sites hosted on the blogspot.com domain, a resource operated by Google Inc were included in the list in error. These sites were then shown to the IRG. It was then explained that a list refresh, removed the sites in question, and subsequently resolved this issue.

The problem was further compounded by the severe congestion in the networks of one of the upstream providers used by the system. A review of the Filter’s failsafe systems was undertaken. Steps have been added to ensure that the IPs of large hosting providers are flagged and placed on a white list with a reporting mechanism for the removal of the content from the site. Additional resources were requested from the upstream provider in question to ensure traffic congestion can be avoided in the future.



Back in 2011 we spotted the first indications of how the Department of Internal Affairs Internet filter, used by 90% of all New Zealand Internet connections, actually operates. At the time, we noticed an address - 124.150.165.62 - appearing where it shouldn't in traceroutes to a site.

Performance Problems

Now that same address has popped up in traces to Google addresses, specifically googlehosted.l.googleusercontent.com (74.125.237.11). As noted in this thread on Geekzone, some people have been experiencing performance problems reaching some Google services.

These performance problems could be caused by a Google-load of traffic to that IP being routed to the DIA's filtering server which may not be coping with the volume. Note that the filter will only be blocking one web address (URL) at that IP and letting the rest of the traffic through.

Of course this won't affect you if you are using an ISP that doesn't use the filter. Check the list of ISPs here.
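To check whether a given trace passes through the filter, the following added example (not part of the original post) parses Linux-style traceroute output and reports the hop at which the address named above appears. The sample trace is constructed: only 124.150.165.62 and 74.125.237.11 come from the article, and the other hops are documentation-range placeholders.

```python
import re

# Address the article identifies as showing up in traces through the DIA filter.
FILTER_HOP = "124.150.165.62"

# Constructed sample (Linux traceroute format); not a real capture.
SAMPLE_TRACE = """\
traceroute to googlehosted.l.googleusercontent.com (74.125.237.11), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.512 ms  0.498 ms  0.601 ms
 2  203.0.113.1 (203.0.113.1)  8.120 ms  8.334 ms  8.290 ms
 3  * * *
 4  124.150.165.62 (124.150.165.62)  41.730 ms  95.114 ms  *
 5  198.51.100.9 (198.51.100.9)  44.020 ms 198.51.100.13 (198.51.100.13)  43.870 ms  44.300 ms
 6  74.125.237.11 (74.125.237.11)  45.010 ms  44.870 ms  45.230 ms
"""

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")           # "<hop number> <probe results>"
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")     # dotted quad
RTT = re.compile(r"(\d+(?:\.\d+)?)\s*ms")             # "41.730 ms"


def parse_hops(text):
    """Return {hop_number: {"addrs": [...], "rtts": [...], "timeouts": n}}."""
    hops = {}
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # header line or blank line
        rest = m.group(2)
        hops[int(m.group(1))] = {
            # A hop can answer from several addresses; dedupe, keep order.
            "addrs": list(dict.fromkeys(IPV4.findall(rest))),
            "rtts": [float(x) for x in RTT.findall(rest)],
            "timeouts": rest.count("*"),  # unanswered probes
        }
    return hops


def find_filter_hop(text, filter_ip=FILTER_HOP):
    """Return (hop, worst_rtt_ms, timeouts) if filter_ip is on the path, else None."""
    hops = parse_hops(text)
    for n in sorted(hops):
        if filter_ip in hops[n]["addrs"]:  # exact address match, not substring
            return n, max(hops[n]["rtts"], default=None), hops[n]["timeouts"]
    return None


if __name__ == "__main__":
    print(find_filter_hop(SAMPLE_TRACE))
```

The presence of the address on the path is the reliable signal; high latency or lost probes at a single intermediate hop can also come from routers deprioritising ICMP replies.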

Making the link

As noted back in 2011, the addresses appearing in traces where they shouldn't be are controlled by Fastcom, who list the Department of Internal Affairs as an important customer for which they host infrastructure.

Filtering problems

This was always one of the fears when the filter was introduced - that it would reduce the stability and performance of the New Zealand internet. It appears that this has now happened. Two questions:

  1. Will the DIA remove the entry for this IP now that they realise the problems it's causing?
  2. How will the DIA block web addresses hosted at high volume websites such as Google (or Wikipedia) when the filter can't cope?

Seeking more information

Have you been experiencing any issues accessing Google? Can you provide a traceroute for us? Post a comment below.

Rumours and hearsay

Thanks to the people who contacted us with more information, we just wish you were prepared to speak on the record. So far we have heard the following from people that we typically find to be reliable:

  1. That the DIA has denied filtering that IP address.
  2. That a senior ISP engineer says that the IP address was definitely filtered by the DIA filter and that they have seen the relevant BGP records.
  3. That the filtering of at least one Google IP address has been removed but that there might be more.
  4. That Google was greatly annoyed by the block and contacted the Minister to get it removed.

We'll update these rumours as we can confirm/deny them. Please email any information to thomas@techliberty.org.nz. We will do our best to keep your name confidential if requested, but suggest using an anonymous remailer for the best anonymity.

Does the TICS Bill really give the GCSB control and oversight of NZ telecommunications?

Posted on May 10, 2013

After our recent article looking at the TICS (Telecommunications Interception Capability & Security Bill), we were contacted by Brad Ward, the Programme Manager of the Telecommunication Review at the Ministry of Business, Innovation and Employment (MoBIE).

He had some issues with what we wrote, and in particular he rejected our claim that the bill gave the GCSB sweeping new powers of oversight and control over NZ telecommunications networks, writing that (emphasis added):

The new formal framework for network security does not give “sweeping powers of oversight and control” to the GCSB, and it does not give the GCSB “final control of network design and operation.”

The GCSB already works in partnership with network operators on network security issues, to agree on measures that are proportionate and risk-based. The Bill will formalise and build on this existing approach.

The Bill emphasises that network operators and the GCSB are to work cooperatively and collaboratively on identifying and addressing network security risks.

In the event that the network operator and the GCSB are unable to agree, the Bill establishes a Ministerial direction power that can be used where significant national security concerns are involved, and as a last resort. This Ministerial power relates to network security issues.

The GCSB would apply to the Minister responsible for the GCSB to direct a network operator to take specific steps to prevent, mitigate or remove the security risk.

The Minister can receive any submissions on this directly from the network operator, and is required to consult with the Minister for Communications and Information Technology and the Minister of Trade.

When exercising the direction power, the Minister is required to take into account the principle that the direction should be proportionate to the network security risk. This means considering whether costs would be higher than reasonably required to address the risk, and whether there would be undue harm to competition or innovation in telecommunications markets.

Looking at the law

Firstly, while it is nice that the Bill suggests that network operators should work in partnership with the GCSB over security, the reality is that there is no choice. Let's quote section 45(1):

A network operator must engage with the Director as soon as practicable after becoming aware of any network security risk, or proposed decision, course of action, or change that may raise a network security risk.

A network security risk is defined as: "any actual or potential security risk arising from (a) the design, build, or operation of a public telecommunications network; or (b) any interconnection to or between public telecommunications networks in New Zealand or with telecommunications networks overseas".

Furthermore, in section 47(1) (edited for clarity/length), "a network operator must notify the Director of any proposed decision, course of action, or change made by or on behalf of the network operator regarding procurement of..., changes to..., and ownership control... of anything that falls within an area of specified security interest."

This applies to areas of specified security interest which are defined in section 45(1) as (slightly edited for clarity) "network operations centres, lawful intercept equipment, any part of a public telecommunications network that manages or stores aggregated customer information or administration authentication credentials, and any place in a network where data aggregates in large volumes being either data in transit or stored data".

The compliance process

So, what happens after this engagement/notification if the GCSB thinks it would raise a network security risk? Sections 49 to 54 have the process:

  1. Director of the GCSB notifies the network operator and then again in writing. s49(1)(a) and s49(2)
  2. Network operator must immediately stop work. s49(1)(b)
  3. Network operator can propose an alternative. s49(3)
  4. GCSB considers the network operator's proposed alternative and possibly accepts it. s50(1) and s50(2)
  5. Network operator must implement the response. s51
  6. If the GCSB is not happy with the proposal it may refer the matter to the Minister (the Prime Minister normally has responsibility for the GCSB) to make a direction. s52
  7. Network operator may choose to make a submission to the Minister. s53(2)(b)
  8. The Minister must consult with the Minister for Communications & Information technology and the Minister of Trade. s54(3)
  9. The Minister may direct the network operator to either cease/refrain from an activity or make changes to or remove any system or operation on the network. s54(2)
  10. If the network operator refuses to comply with an s54 Ministerial direction, this is treated as serious non-compliance. s82(b)
  11. The GCSB can serve an enforcement notice on the network operator. s85(2)
  12. The GCSB can apply to the High Court for a court order. s86(1)
  13. The High Court can make an order (subject to normal appeals). s87
  14. The High Court can make the network operator pay a fine of up to $500,000 and/or $50,000 per day of continuing non-compliance. s92 and s93

In other words, the Bill may suggest that the GCSB and network operators should cooperate, but the content of the law and the procedure I have just outlined make it very clear to everyone involved where the power really lies. Indeed, the expectation that network operators will do what they're told is so clear that we wouldn't expect any fines to be issued because there won't be a lot of point fighting any directions from the GCSB.

But it's only security issues!

Now one might claim, as Brad Ward has, that "This Ministerial power relates to network security issues."

However when it comes to network design and operation, everything has an impact on network security. What you buy, what systems they run, who you buy them from, how they get delivered to you, where they're installed, how they're configured, who you've employed, how well they're trained, etc, etc, etc - network security is not one attribute but is a product of the system as a whole.

Conclusion

We stand by our original statement that the TICS Bill as written will give the GCSB sweeping powers of oversight and control over New Zealand telecommunications networks.

One final point of interest is - why is a government bureaucrat trying to deny this is the case? Does the Bill as written not reflect the intention of the people who wrote it, or is this a case of the government trying to pull the wool over people's eyes?