Tech Liberty NZ Defending civil liberties in the digital age

Govt proposes GCSB control over NZ communications in new TICS Bill

Posted on May 8, 2013

The government has announced two new Bills for reforming the GCSB and expanding their powers. The first is the GCSB and Related Legislation Amendment Bill (PDF) and the second is the Telecommunications (Interception Capability and Security) Bill (PDF).

This article is a summary of the major parts of the TICS Bill.

The TICS Bill is a replacement for the Telecommunications (Interception Capability) Act 2004. This law forced communications providers (ISPs, telcos, data networks, etc) to provide "lawful intercept" capabilities so that the Police, SIS and GCSB could access communications once they had a suitable warrant. The new bill expands and clarifies these requirements.

However, the addition of the word "security" is the key to what has changed. The new bill now gives the GCSB sweeping powers of oversight and control over the design, deployment and operation of all data and telecommunications networks run by network providers in New Zealand. The stated reasons are to both protect New Zealand's infrastructure and to ensure that surveillance agencies can spy on traffic when required. As part of this, the GCSB will have the power to stop network providers from reselling overseas services that do not provide these capabilities.

Summary of major elements of the TICS Bill

Interception

From the Bill:

A network operator must ensure that every public telecommunications network that the operator owns, controls, or operates, and every telecommunications service that the operator provides in New Zealand, has full interception capability.

Note that the surveillance agencies still need to have a legally issued warrant (under the Search & Surveillance Act, NZ SIS Act, or GCSB Act) to actually intercept any communications and there are obligations to avoid capturing communications that are not covered by the warrant.

The new Bill splits communications providers into multiple classes, with small, wholesale and infrastructure providers having reduced obligations. Providers must either have a full intercept capability, be "intercept ready", or be "intercept accessible". Membership of these classes can be varied by direction of the Minister.

The Bill specifies that the law applies to companies whether based in New Zealand or overseas. It then goes on to give the Minister the power to ban the resale of an off-shore telecommunications service in New Zealand if it does not provide interception capabilities. This could stop the resale of foreign-hosted VPNs, instant message services, email, etc.

Finally, there is more detail about how intercepted data should be formatted and delivered (apparently this has caused problems under the existing law).

Encryption and decryption

Network operators must decrypt the intercepted communications if they have provided the encryption, but there is no obligation to do so if the encryption is provided by others.

What does this mean for providers such as Mega (file locker) or LastPass (password storage) who have a business model based on the fact that they supply a cloud product that uses encryption but have deliberately designed it so that they cannot decrypt the files themselves? This gives users the assurance that they can trust them with their data. Will the government close them down unless they provide a backdoor into the system?

Network security

There is a major new role for the GCSB in overseeing the design and operation of commercially available data and voice communications networks.

The Bill says that network providers and the GCSB are to work co-operatively and collaboratively on identifying and addressing network risks. If they fail to cooperate sufficiently, the law provides for penalties of up to $500,000 with an additional $50,000 per day.

Network operators must notify the GCSB of any proposed decision, course of action or changes made by them in regards to purchases, network changes or ownership/control of the "specified security interest". This includes their network operations centre (NOC), lawful intercept equipment, customer databases, databases of user accounts, and "any place where data aggregates in large volumes".

The GCSB can also demand any other information about the security and interception capabilities of the network including copies of contracts, specifications, and so on. That the information is commercially sensitive or held in confidence is not a defense.

Compliance

All network operators will have to register themselves with the government. The register will be administered by the Police and available to the Police, SIS and GCSB.

The register will include the numbers of customers, names of responsible contact people within the organisation, the regions they operate in and the types of services they provide. Providers of infrastructure services (e.g. companies that provide fibre links but not the equipment for communicating over those links) will also have to give the names of their customers to the register. There are penalties for non-compliance.

The government can insist that communications providers must obtain secret-level security clearances for some of their staff. It does not say what will happen if none of the technical staff qualify for a security clearance.

Liability and protecting classified information

People who do any act in good faith under the new law will be protected from subsequent prosecution or lawsuits, i.e. the new law is superior to other NZ laws or existing contracts.

There is also a provision that allows the courts to receive classified information in a court case in the absence of the defendant or the defendant's lawyer. This applies to information that might reveal details of the interception methods used by the surveillance agency or is about particular operations in relation to any of the functions of the surveillance agency, or is provided as secret information from the surveillance agencies of another country. It can also be used if that disclosure would prejudice security of NZ, prejudice the maintenance of law, or endanger the safety of any person. The judge in the case can appoint someone with an appropriate security clearance to represent the interests of the defendant for these parts of the trial.

Analysis and comment

The new TICS Bill is a major expansion of government power over the internet and other communications networks in New Zealand. While the existing TICA Act already mandated the provision of lawful intercept capabilities, handing over final control of network design and operation to the GCSB in the name of "security" seems incredibly wide and open ended.

Adding an additional level of government bureaucracy to the design and operation of these systems would appear to be a fairly significant hindrance to the ability of network operators to run their businesses.

There also must be concern about the GCSB being able to ban the resale of any services that do not provide lawful intercept capability. This means that New Zealanders will be prevented from protecting their communications from the New Zealand government - but equally they will be prevented from protecting their communications from foreign governments too. (We can safely assume that a foreign service that gives access to the NZ govt will also provide it to others.) These rules could wipe out businesses such as file lockers and password stores that rely on providing secure storage to their users.

One must ask where the justification for this expansion of power is coming from. Has New Zealand already been materially affected by attacks on our communications infrastructure? It seems clear that while the GCSB may not be that competent at exercising the powers they already have, they have done a fine job of convincing the government that they can handle a lot more.

There are many other parts of concern and there will need to be more analysis of the interception capabilities in conjunction with the new GCSB bill. One part that does stick out as particularly offensive to civil liberties is the set of provisions for convicting people based on secret evidence. How can you defend yourself fairly when you can't even find out the evidence presented against you?

We will be doing further work on analysing this bill and would welcome contributions, particularly from those within the industry who already have experience working with TICA requirements.

Copyright Act – IPAP Reports

Posted on January 29, 2013

When the new three-strikes copyright infringement scheme was implemented, it included section 122T that imposed some obligations on IPAPs (ISPs) to collect and retain data, and publish an annual report. As Sam Russell reminded us today, the first of these reports was due by 31st December 2012 for the period 1st October to 30th September.

Here are the reports we know of:

  • Actrix - the most minimal report yet (but claim that they received no notices).
  • DTS - no complaints received.
  • Maxnet - no complaints received and a very minimal report (bottom of page).
  • Orcon - received 234 complaints, sent 198 notices, received 16 challenges.
  • Slingshot (PDF) - received 473 complaints, sent 398 notices, received 14 challenges.
  • Telecom - takes a very minimal approach, just states it has complied.
  • TelstraClear - received 818 complaints, issued 540 notices, received 25 challenges.
  • Vodafone - received 538 complaints, issued 350 notices, received 21 challenges.
  • Xtreme - received 2 complaints, issued 0 notices.

We have asked 2 Degrees, Compass, Inspire, Snap, Vocus, and Xnet where their reports are.

We'll add more as we find them and do some collation/analysis when we have enough. One thing that is noticeable is that very few of the notices are being challenged by the recipients.

New Media submission opposes media regulation

Posted on March 13, 2012

Tech Liberty made a submission to the Media Regulation review run by the Law Commission. The summary of our submission is as follows:

We recognise that "big media" still has a lot of influence in New Zealand but that this influence is declining as the internet gives people the ability to:

  • self-publish ("little media")
  • share and distribute self-published articles
  • publicly critique the work of big media.

This change can be seen in the way that online media such as blogs used to be very reactive to work published in newspapers and TV, but now newspapers and TV are increasingly picking up stories from blogs and other forms of social media.

Much of the rest of the review was about how the media should be regulated but we believe that the need for greater media regulation has not been established.

Defining news media

The review suggests that regulation could be a trade-off for official recognition of news media, and spends a lot of time discussing who would be included in the definition of "news media". We believe any definition would either be so broad as to be useless or so narrow that it would miss out many people and publications that arguably should be covered. This is especially true as journalism continues to develop and change in the internet age.

Special privileges for news media

The review suggests that we need a definition because some laws refer to the news media to bestow special privileges. Our preference is that these privileges should be extended to all citizens (e.g. replace the media "fair dealing" section in the Copyright Act with a more general "fair dealing/fair use" provision for all people) or should be available to all people when they are acting as a journalist.

Furthermore, any organisation that wishes to include/exclude "news media" can make its own determinations as to who that is rather than relying on a government mandated definition.

External regulation

We do not believe that there is a need for an external regulator. Indeed, as the internet gives people the means to publicly criticise the output of big media, the need for a regulator is reduced compared to the days when only a very limited number of media companies could get their views out (due to limited airwaves or the need to own a printing press).

Current regulation is also generally quite ineffectual. The original message still goes out and then any correction is ignored as the issue is no longer "news". Regulation tends to be after the fact score-keeping at best.

Any publishing company or journalist who wishes to be taken seriously has the ability to form a group and create their own code of ethics and regulator. The Press Council is an example of this and we do not see why other media groups who wish to be taken seriously could not do the same.

Finally, if there was a regulator our view was that it should be in the form of an Ombudsman with the ability to make morally rather than legally binding decisions.

Malicious speech online

The second part of the review was about harmful speech online.

We agreed that malicious speech online can be a problem just as it is when face to face. Furthermore, the nature of the internet means that the malicious speech can both spread further and remain available longer.

We believe that the law is limited in what it can do about people being nasty to each other, either online or in person. Even if current law could deal with these issues, the international nature of the internet and the inevitable jurisdiction issues would mean that only a small proportion of problems could be resolved.

That said, many of the more contentious issues will be conducted by people who know each other well and probably even live in the same area. The law should be able to deal with issues of harassment using existing laws (possibly with the tweaks identified by the Commission to ensure that online communications are definitely covered).

We reject the idea that speech online should be held to a higher standard than any other form of speech.

We do support the creation of a new crime of "malicious online impersonation" with the caveat that it must be very careful not to include obvious cases of parody and other forms of non-serious impersonation.

No ISP responsibility

We oppose any attempt to make ISPs responsible for taking down or blocking information either hosted on their network or available through it. This is because ISPs typically have no visibility or control over the material that their customers might store on servers hosted with the ISP. Typically an ISP will only have one option - passing the request on to the publisher or turning off the entire site. Closing down an entire site would seem a gross over-reaction to the content of one offending post or comment.

It does seem appropriate to us that an ISP might have a responsibility to pass on a takedown message to the site owner (similar to the copyright legislation) or, upon presentation of a suitable court order, reveal the identity of the site owner so that legal action can be taken.

The Infringing File Sharing Act starts today

Posted on August 11, 2011

Welcome to the new world of the Copyright (Infringing File Sharing) Act.

This is the law that:

  • Makes internet account holders liable for the actions of others, even when there is no reasonable expectation that they could control their behaviour.
  • Will make it very hard for anyone, including universities, libraries, motels and cafes, to offer internet access to their patrons as they can't risk penalties of up to $15,000.
  • Can fine people for downloading material that isn't even available for purchase in New Zealand.
  • Takes away the right to be assumed innocent until proven guilty, by assuming that complainants are telling the truth, leaving people having to prove that they didn't do something.

While the law comes into effect on September 1st, notices can be sent for activity up to 21 days earlier. This means that you could get a notice for any activity from August 11th onwards - today.

What's covered?

The law is meant to be aimed at people infringing copyright by downloading material without permission over peer to peer (P2P) file sharing - BitTorrent, eDonkey, etc. However it is written in such a way that it might be possible to use it for other forms of online infringement such as downloading from websites or watching streaming video. We'll be testing that further from September 1st.

Who is at risk?

The person whose name is on the internet account. They're liable for the actions of all people who use that internet account.

What can I do to protect myself?

If you're the account holder, make sure you know what everyone who uses your internet is doing. Don't let people use your account if you don't trust them not to download infringing material via file-sharing.

Quick guide to the new copyright bill

Posted on April 14, 2011

The Copyright (Infringing File Sharing) Bill is a replacement for the abandoned section 92A of the Copyright Act. It provides provisions for media companies to accuse people of infringing copyright, and for those people to be fined by the Copyright Tribunal. It also includes the penalty of disconnecting their internet - but this provision will initially be suspended.

The Bill went through one round of submissions (see ours) but the second reading was done under parliamentary urgency on the 13th of April and it is expected to be passed, still under urgency, on the 14th of April.

Updates: the bill has passed its third reading and will come into effect on September 1st, 2011. The Ministry of Economic Development is consulting on the regulations that will help with the administration of the law.

Improvements

The Bill has some improvements over section 92A:

  • It has replaced the overly wide definition of ISP (Internet Service Provider) with the idea of an IPAP (Internet Protocol Address Provider).
  • The person accused of infringing copyright now has a chance to defend themselves against the accusations.
  • It doesn't make ISPs responsible for making decisions about disconnection - they just have to pass messages between the accuser and the accused.
  • It better respects the privacy of account holders.

Major problems

But overall it still has some major problems:

  • It makes the person whose name is on the internet account liable for all actions done by any user of that connection. Flatmates will be responsible for the people they live with, businesses will be responsible for their staff, parents will be responsible for their kids, librarians will be responsible for the users of their free internet terminals. Sharing your internet connection will put you at legal risk.
  • It includes the idea that the Copyright Tribunal should believe the accusation from the media companies unless the account holder can prove it to be wrong. This is even when these accusations have been proven time and time again to often be substantially inaccurate. There are no penalties for making false accusations.
  • It still includes internet disconnection as a penalty. Initially this provision will be suspended but it can be reactivated at the whim of the government. We oppose disconnection.

Political support

National, Labour and the Maori Party are voting in favour of the Bill.

The Greens are voting against it.

Website takedowns: a followup

Posted on March 18, 2011

We recently wrote about how an offensive website was taken offline by complaints.

In particular, we talked about the tactics that were used to take them down and whether they were a good thing for the internet or not. The two tactics described were:

  1. Complaining to the ISP that the site breached their terms of service. We said this risks reducing opinion on the internet to the level of whatever a company's PR department finds acceptable.
  2. Using copyright complaints over the site's use of a photo without permission. Taking down an entire site over what is arguably a reasonable use of an image is an affront to freedom of speech and shows how dangerous these US-style shoot-first-ask-questions-later copyright laws are.

The article attracted a fair bit of comment both for and against the use of these tactics. We also received some new information and thought it was worth posting a followup.

Taking down websites you don’t agree with

Posted on February 28, 2011

This is a post about the tactics used to take down a New Zealand website hosted in the USA and what they mean for the Internet. (Update post.)

The website

Soon after the Christchurch quake, a website (christchurchquake.net) was published that said the quake was God's punishment for Christchurch's tolerance of homosexuality, with God being especially annoyed by Gay Ski Week. The website also made a number of other very odd claims concerning a conspiracy of "Phoenician-descended swamp lesbians" headed by Helen Clark that had taken over New Zealand.

The takedown

The site is no longer available (Google cache here). This is because a number of people found the site highly offensive, and some of them decided that they would do what they could to get the site taken off the Internet.

The author of the site could not be identified so most action was aimed at getting Bluehost, a company based in the US state of Utah, to take it down. Two main tactics were employed:

Remove ISP Liability from the Criminal Procedure Reform Bill

Posted on February 7, 2011

The attempt to make ISPs (Internet Service Providers) criminally liable for their users' breach of name suppression orders is unjust and unworkable.

The Criminal Procedure (Reform and Minimisation) Bill is an omnibus bill that makes significant changes to the New Zealand criminal justice system. In its attempt to reform and streamline, it weakens the right to a jury trial, takes away the right to silence and forces defendants to help the Police make the case against them.

It also changes the law around name suppression. While we support the attempt to make name suppression harder to get, we have serious concerns about the attempt to make ISPs liable for breaches of name suppression online. Read section 216 of the proposed law and then consider some of these questions:

Letter to Simon Power About Copyright Infringement

Posted on December 9, 2010

Tech Liberty was a co-signer on this letter to Simon Power about the Copyright (Infringing File Sharing) Amendment Bill.

The three main areas covered by the letter and briefing are:

  • Avoiding the possible reversal of burden of proof when people are accused of infringement (section 122MA).
  • Account holder liability for shared internet connections when the account holder would have no way of controlling the users of the connection.
  • Mechanism for activating the suspended "account suspension" provisions.

See our other articles about copyright issues in general and this law in particular.

Replacing ISPs with IPAPs – How well have they done?

Posted on November 3, 2010

The Commerce Select Committee has reported back on the Copyright (Infringing File Sharing) Amendment Bill (PDF).

One of the problems in the drafting of such a law is how to define what an ISP is. The obvious approach is "provides internet services" but what about a cafe that gives free wireless access to customers? Or a university that provides services to staff and students? The problem is a lot harder than it looks.

The latest report suggests replacing the definition of "Internet Service Provider" with one for "Internet Protocol Address Provider" or IPAP.

This would avoid ambiguity and focus on the function of an Internet service provider that is relevant to infringing file sharing, namely the provision of Internet protocol addresses.

Of course, this does no such thing, as anyone providing any form of internet service must provide an "Internet protocol address" to each person using it. It's inherent to the nature of an Internet connection and, once again, shows that Government isn't very good at technology. Edit: This may be trying to protect providers of low level services such as cabling and fibre.

However, when we look at the full definition, maybe it's not so bad:

IPAP means a person that operates a business that, other than as an incidental feature of its main business activities,

(a) offers the transmission, routing and providing of connections for digital online communications, between or among points specified by user, or material of the user's choosing; and

(ab) allocates IP addresses to its account holders; and

(b) charges its account holders for its services; and

(c) is not primarily operated to cater for transient users.

As discussed, the inclusion of "(ab) allocates IP addresses" seems a bit unnecessary but overall the definition seems to hold up under scrutiny.

  • Orcon and other ISPs would obviously be an IPAP.
  • Cafenet supports both transient and account-based users. Should it be an IPAP?
  • Universities and libraries would not be an IPAP because of (b) (there is no direct charging although student fees do include provision for services).
  • Someone sharing a connection with their friends would not be an IPAP because of (b).
  • Citylink would be an IPAP. (Should it be? See discussion in comments.)
  • The local coffee shop would not be an IPAP because of (b) and (c).
  • Would an Internet cafe be included? They do charge, the users vary between transient and regular.
  • Mobile data from Vodafone/Telecom/2 Degrees will not be included for now, because a separate clause delays their inclusion until 1 August 2013.

How have they done? Please help.

Can you think of any cases:

  • Where a person or company will be included as an IPAP that shouldn't be?
  • Where a person or company that should be an IPAP won't be?