Govt proposes GCSB control over NZ communications in new TICS Bill
The government has announced two new Bills for reforming the GCSB and expanding their powers. The first is the GCSB and Related Legislation Amendment Bill (PDF) and the second is the Telecommunications (Interception Capability and Security) Bill (PDF).
This article is a summary of the major parts of the TICS Bill.
The TICS Bill is a replacement for the Telecommunications (Interception Capability) Act 2004. This law forced communications providers (ISPs, telcos, data networks, etc) to provide "lawful intercept" capabilities so that the Police, SIS and GCSB could access communications once they had a suitable warrant. The new bill expands and clarifies these requirements.
However, the addition of the word "security" is the key to what has changed. The new bill now gives the GCSB sweeping powers of oversight and control over the design, deployment and operation of all data and telecommunications networks run by network providers in New Zealand. The stated reasons are to both protect New Zealand's infrastructure and to ensure that surveillance agencies can spy on traffic when required. As part of this, the GCSB will have the power to stop network providers from reselling overseas services that do not provide these capabilities.
Summary of major elements of the TICS Bill
Interception
From the Bill:
A network operator must ensure that every public telecommunications network that the operator owns, controls, or operates, and every telecommunications service that the operator provides in New Zealand, has full interception capability.
Note that the surveillance agencies still need to have a legally issued warrant (under the Search & Surveillance Act, NZ SIS Act, or GCSB Act) to actually intercept any communications and there are obligations to avoid capturing communications that are not covered by the warrant.
The new Bill splits communications providers into multiple classes, with small, wholesale and infrastructure providers having reduced obligations. Providers must either have a full intercept capability, to be "intercept ready", or to be "intercept accessible". Membership of these classes can be varied by direction of the Minister.
The Bill specifies that the law applies to companies whether based in New Zealand or overseas. It then goes on to give the Minister the power to ban the resale of an off-shore telecommunications service in New Zealand if it does not provide interception capabilities. This could stop the resale of foreign-hosted VPNs, instant message services, email, etc.
Finally, there is more detail about how intercepted data should be formatted and delivered (apparently this has caused problems under the existing law).
Encryption and decryption
Network operators must decrypt the intercepted communications if they have provided the encryption, but there is no obligation to do so if the encryption is provided by others.
What does this mean for providers such as Mega (file locker) or LastPass (password storage) who have a business model based on the fact that they supply a cloud product that uses encryption but have deliberately designed it so that they can not decrypt the files themselves? This gives users the assurance that they can trust them with their data. Will the government close them down unless they provide a backdoor into the system?
Network security
There is a major new role for the GCSB in overseeing the design and operation of commercially available data and voice communications networks.
The Bill says that network providers and the GCSB are to work co-operatively and collaboratively on identifying and addressing network risks. If they fail to cooperate sufficiently, the law provides for penalties of up to $500,000 with an additional $50,000 per day.
Network operators must notify the GCSB of any proposed decision, course of action or changes made by them in regards to purchases, network changes or ownership/control of the "specified security interest". This includes their network operations centre (NOC), lawful intercept equipment, customer databases, databases of user accounts, and "any place where data aggregates in large volumes".
The GCSB can also demand any other information about the security and interception capabilities of the network including copies of contracts, specifications, and so on. That the information is commercially sensitive or held in confidence is not a defense.
Compliance
All network operators will have to register themselves with the government. The register will be administered by the Police and available to the Police, SIS and GCSB.
The register will include the numbers of customers, names of responsible contact people within the organisation, the regions they operate in and the types of services they provide. Providers of infrastructure services (e.g. companies that provide fibre links but not the equipment for communicating over those links) will also have to give the names of their customers to the register. There are penalties for non-compliance.
The government can insist that communications providers must obtain secret-level security clearances for some of their staff. It does not say what will happen if none of the technical staff qualify for a security clearance.
Liability and protecting classified information
People who do any act in good faith under the new law will be protected from subsequent prosecution or lawsuits. i.e. the new law is superior to other NZ laws or existing contracts.
There is also a provision that allows the courts to receive classified information in a court case in the absence of the defendant or the defendant's lawyer. This applies to information that might reveal details of the interception methods used by the surveillance agency or is about particular operations in relation to any of the functions of the surveillance agency, or is provided as secret information from the surveillance agencies of another country. It can also be used if that disclosure would prejudice security of NZ, prejudice the maintenance of law, or endanger the safety of any person. The judge in the case can appoint someone with an appropriate security clearance to represent the interests of the defendant for these parts of the trial.
Analysis and comment
The new TICS Bill is a major expansion of government power over the internet and other communications networks in New Zealand. While the existing TICA Act already mandated the provision of lawful intercept capabilities, handing over final control of network design and operation to the GCSB in the name of "security" seems incredibly wide and open ended.
Adding an additional level of government bureaucracy to the design and operation of these systems would appear to be a fairly significant hindrance to the ability of network operators to run their businesses.
There also must be concern about the GCSB being able to ban the resale of any services that do not provide lawful intercept capability. This means that New Zealanders will be prevented from protecting their communications from the New Zealand government - but equally they will be prevented from protecting their communications from foreign governments too. (We can safely assume that a foreign service that gives access to the NZ govt will also provide it to others.) These rules could wipe out businesses such as file lockers and password stores that rely on providing secure storage to their users.
One must ask where the justification for this expansion of power is coming from. Has New Zealand already been materially affected by attacks on our communications infrastructure? It seems clear that while the GCSB may not be that competent at exercising the powers they already have, they have done a fine job of convincing the government that they can handle a lot more.
There are many other parts of concern and there will need to be more analysis of the interception capabilities in conjunction with the new GCSB bill. One that does stick out as particularly offensive to civil liberties are the provisions for convicting people based on secret evidence. How can you defend yourself fairly when you can't even find out the evidence presented against you?
We will be doing further work on analysing this bill and would welcome contributions, particularly from those within the industry who already have experience working with TICA requirements.
Update on NZ Police use of aerial surveillance drones
We've been keeping track of the Police use of new surveillance and tracking technology. We asked them what they've been doing with drones and here are the more interesting/informative answers (Police letter, 19th February 2013):
- The Police currently have one aerial drone.
- They don't have a specific budget for it and claim not to know how much they've spent on it so far.
- They say that they can use it for tracking people and cars but promise to do it in accordance with the Search & Surveillance Act. We note that our interpretation of this says that they need a tracking warrant to use an electronic tracking system but we don't know if the Police agree with this.
- The Police believe that their current policy concerning video recording operations and events also covers their use of drones.
- The Police have been contacted by the Privacy Commissioner re their use of drones and will be meeting with them soon.
- The Police expect their drone trials to finish by the end of 2013.
You may also wish to read this article about drones by David Beatson at NZ Pundit.
We're going to be following up to get more information. If there's any questions you want asked, please leave them in the comments.
Police use of new surveillance technology
The NZ Police are continuing to expand their use of technology to watch and track people in New Zealand. We've already discussed automated number plate recognition, but information has emerged about two new initiatives:
The first is Signal - a tool used to scan and collate publicly availably data from multiple social media sites such as Twitter, Facebook and Youtube. This data can then be analysed to establish connections between people and events, and was used during the Rugby World Cup to monitor both boy racers and political protesters.
The second is the trialling of aerial surveillance drones. As part of the trials they have already been used in some Police investigations.
We're not reflexively opposed to the NZ Police using tools to do their job better, but we do have some concerns about how they can be used to infringe our rights to go about our lawful business without unwarranted surveillance and tracking. We believe that it is not healthy in a democratic society for our every movement and action to be monitored, stored and analysed by the government.
We've made requests to the Police for more information about both of these initiatives and will report more once we receive it.
General Principles
One thing that is of concern is that the Police seem to be being quite secretive about their use of technology. It seems that they wait for someone to find out about it before releasing information in dribs and drabs, sometimes after prompting from the Ombudsman. If the Police aren't proud of what they're doing to more efficiently fight crime, perhaps they shouldn't be doing it at all.
A second concern is that our laws, even including the new Search & Surveillance Act, might already be out of date when it comes to the Police use of such technology. For example, are there any controls on amassing publicly available data to such an extent that modern data analysis software can make some assumptions about very private behaviour?
We'd like to see two things:
- The NZ Police taking a more proactive role in disclosing what they are doing and how they are doing it. They may even wish to do more consulting with community groups and watchdogs such as Tech Liberty and the NZ Council for Civil Liberties.
- Work on a new set of standards and principles to inform the Police's (and other agencies) use of new technology and "big data" systems. These should cover data integrity, retention, security, auditing and notification. This is something that Tech Liberty is currently working on.
Police confirm they’re not keeping ANPR data
We've been keeping an eye on the NZ Police trials of ANPR (automated number plate recognition - read our explanation).
The main civil liberties issue with this technology is that the system stores the time and location of the license plate check. Once enough of these systems are deployed they can be used to track people by following vehicle movements, as is being done by a number of other countries. We believe that, at a minimum, there should be some controls on how this data is stored and used, for example by having to apply for a tracking warrant.
The Police themselves have been sending out mixed messages about whether they're keeping the information and whether they'll be using it for tracking, as documented by our article. At the end of that article we said we were seeking further clarification from the Police.
Police confirm they're not keeping ANPR data for tracking
We have now received a letter (PDF) from Superintendent Carey Griffiths in which he explains:
All three patrol cars and one of the vans have the capacity to store information for up to a two or three day period depending upon operational use. In general the information is not stored for any longer than a shift period which can vary from an eight hour to a ten hour shift.
One of the [two] vans has a system known as BOSS ( Back Office System Software) and this system has the capability to store information for a longer period ... The BOSS system settings have recently been amended, and the information is now only stored for a maximum of 48 hours.
It seems clear from this that the Police will not be keeping the ANPR data.
Police believe they can't track without a warrant
Furthermore, Superintendent Griffiths goes on to say that:
Police considers that with so few cameras, the technology cannot be used to "track" vehicles. In any event, Police cannot track vehicles other than in accordance with the Search & Surveillance Act 2012.
This contrasts strongly with what the Police said in a letter from December 2011:
There is no requirement for police to apply for a warrant for any ANPR information as it is gathered in a public place.
This change in attitude is quite interesting. The Search & Surveillance Act only refers to getting a warrant for tracking when it involves the use of a tracking device (s46). We initially took this to refer to getting a warrant to allow the installation of a "bug" on the car or person to be tracked.
However, tracking device is defined as "a device that may be used to help ascertain, by electronic or other means ... the location of a thing or a person".
Could one define an ANPR system as a tracking device and would the Police then have to get a warrant to use it to track people? It seems that the Police now think it would. The same argument would also seem to apply to using mobile phones to track people.
In our opinion this interpretation would fit in both with the purpose of the Act and the requirements in a civil society for oversight of the use of this type of mass surveillance.
Conclusion
We're pleased that the Police are not attempting to implement the sort of pervasive people/vehicle tracking systems that are becoming popular in some overseas jurisdictions. We do not think that this sort of police state behaviour has any place in a free and democratic New Zealand.
Furthermore, after some problems with illegal surveillance in recent years, it's good to see that the Police are taking their responsibilities under the Search & Surveillance Act seriously.
We will continue to monitor the Police use of ANPR technology and look forward to receiving copies of the assessment from the Privacy Commissioner and the final Police report into their test ANPR deployment.
Police contradictions on ANPR
Close Up have done a piece about the NZ Police trials of automated number plate recognition (ANPR). (See our earlier article explaining it.)
The main civil liberties issue is that the system stores the time and location of the license plate check. Once enough of these systems are deployed they can be used to track people by following vehicle movements. We believe that, at a minimum, there should be some controls on how this data is stored and used, for example by having to apply for a tracking warrant.
Nothing to fear?
The Police were represented on Close Up by Superintendent Carey Griffiths who said that these fears were incorrect: "The system we are using here, we don't retain the data."
He went on to say: "Most of the cameras and systems we use drop it off at the end of the shift. We're certainly not using it for data mining."
Police contradictions
However, we have letters (first letter March 2011, second letter December 2011) from the Police that indicate a very different story:
"Details of vehicle movements captured during ANPR deployments will be retained on a secure Police database."
What sort of data is stored?
"The time, data and a photograph of all vehicles passing the ANPR camera is stored." and "Yes it will include the location or where the device was deployed."
And will they be used for tracking?
"Police may search the stored data if there is a belief that there may be information relation to a crime; e.g. where a serious crime has taken place and Police are looking for an offender's vehicle."
And do the Police think they need a warrant to track people in this way?
"There is no requirements for police to apply for a warrant for any ANPR information as it is gathered in a public place."
The big question
Who is correct - Superintendent Carey Griffiths, Road Policing Manager, who just appeared on Close Up or Superintendent Paula Rose, National Manager Road Policing, who wrote to us in March and December 2011?
Has the policy changed in the meantime? Was Superintendent Paula Rose incorrect? Or has Superintendent Carey Griffiths been misleading us all on national TV?
Edit (19/8/2012): We have written to the Commissioner of Police to ask for an explanation and will report back with any answer we get.
An introduction to ANPR (automated number plate recognition)
ANPR stands for automated number plate recognition.
It’s a camera that can automatically recognise and read license plates on cars and then checks them against a central database. If the plate matches a “vehicle of interest”, the police can then decide to pull over the car and talk to the driver. ANPR cameras are typically deployed in police cars and in fixed installations by the side of the road.
The current state of ANPR in New Zealand
[Edit: there is some inconsistency between the information available over multiple letters from the Police and that reported in Police News.]
[Edit 2: Superintendent Carey Griffiths has denied that the Police will be storing the ANPR data and using it for tracking. We have asked the Police Commissioner for clarification.]
According to the June 2012 edition of Police News, the NZ Police have been trialling ANPR since 2009. This has involved four mobile ANPR units which are not that sophisticated in that they need two people to operate them (one to drive, one to watch the screen).
In theory the trial ended in January 2012 but it is our understanding from Police News that they are still using the current four ANPR vehicles (2 in Auckland, 1 in Waikato/Eastern and 1 in Christchurch/Southland) and are looking at deploying another couple.
We have requested copies of reports about the trial and any recommendations about further deployment of ANPR systems.
Thanks an OIA request by Alex Harris we also have a draft copy of the ANPR manual. There is also an associated letter where the Police report that the trial began in 2010 and has consisted of only two units for a limited time in Counties Manukau and Wellington, with them currently deployed in Counties Manukau and Waitemata.
The Police answer questions about ANPR
Some questions and answers from letters to the police about ANPR (questions are ours, answers are from the Police):
Q. What data is stored with each record (e.g. location, time of day, etc)?
A. The time date and a photograph of all vehicles passing the ANPR camera is stored.
Q. Will this information include the location of the ANPR device at the time of the lookup?
A. Yes it will include the location of where the device was deployed.
Q. How long will the data for each captured license plate be kept for?
A. Data of vehicle movements captured during ANPR deployments will be retained on a secure Police database. In time this information may be deleted with it is no longer required for the purpose it was obtained. Police may search the stored data if there is a belief that there may be information relating to a crime.
Q. Are the police considering using the information stored in the ANPR database to track vehicles?
A. The ANPR system alerts police to vehicles that are a vehicle of interest to police recorded in the vehicles of interest database.
Q. If so, do the police believe they would need to apply for a warrant to use the information in this way?
A. There is no requirement for police to apply for a warrant for any ANPR information as it is gathered in a public place.
Why does ANPR make us worried?
If ANPR was simply used by the police to help find people they are actively looking for, we’d probably have no argument against it.
The problem is that it’s more than just a simple database lookup. That central database isn’t just responding to queries, it’s also storing the date, the time and the place for every car that passes the ANPR camera.
So the police end up with a very big database of car sightings – which gives them the ability to track the movements of any car they wish. Even more worrying is that they can keep this data for as long as they like and therefore “go back in time” by entering queries for any day since the database was started.
The technology is rapidly getting cheaper and could easily end up deployed in every police car and in fixed places around major cities and roads, allowing for near total coverage.
Potential harm
There are three types of harm that can come from creating a new database like this:
- An inappropriate extension of police power that might be used badly. e.g. the Police use it to spy on political activists who are engaged in peaceful protest, breaching their rights to privacy and freedom from Police surveillance.
- Extension to other government departments. e.g. could CYFS access the database to determine that you are feeding your children badly because you park near the local McDonalds each day?
- Improper use. A police officer using it to stalk someone for their own reasons.
Tracking used to be hard
Tracking someone used to be hard and expensive but ANPR is going to make it easy and cheap. With ANPR you don't need a whole team of people, you don't need to install a GPS tracking device, you don't need to get a court order to access mobile phone data - you just install ANPR devices everywhere and then ask the database about whoever you like.
More to the point, you also don’t need to change any laws or apply for a surveillance warrant to install a tracking device – you can just start doing it.
It’s the sort of information that a totalitarian regime would love to have. But is it the sort of information that we want our government to have about everyone?
Shouldn't we talk about what sort of controls we might want to impose if such a system is implemented?
Are we going to end up with this system watching our every move without even any public debate about it?
MegaUpload arrests in New Zealand
NZ police have arrested four people connected with MegaUpload.com in New Zealand today at the request of the US FBI. They have been charged in the US "with running an international organized criminal enterprise allegedly responsible for massive worldwide online piracy of numerous types of copyrighted works through Megaupload.com and other related sites". (FBI press release.)
Comment
We have little faith in the fairness and appropriateness of the US's laws and processes around copyright and intellectual property. The US government is continually strengthening its copyright laws at the behest of the entertainment industry (see SOPA and PIPA) and is trying to pass laws that we would not like to see copied in NZ.
Will this NZ police cooperation lead to New Zealanders being arrested and handed over to the US for doing things that may not be serious offences in New Zealand? Which other countries' laws do New Zealanders have to obey when using the internet?
Whether this case is an example of good international cooperation or the US demanding other countries help enforce bad law is yet to be determined. We will be monitoring this issue closely and hope to publish more information as it is available.
Media Links
- FBI charges seven with online piracy (Wall Street Journal)
- Megaupload's Kim Schmitz arrested in Auckland, site shut down (3news)
- File-sharing website Megaupload shut down, NZ-based founder arrested (PC World NZ)
- File-sharing kingpin arrested in New Zealand at US officials' request (NBR)
- 'We're not pirates, we're just providing shipping services to pirates' (Wall Street Journal Law Blog).
- Why the feds smashed Megaupload (Ars Technica).
- Megaupload attempting to get back online (Stuff NZ)
Useful Links
- The FBI press release.
- The indictment.
- Statement from the NZ Police.
- The NZ extradition treaty (PDF) with the US.
- Ministry of Foreign Affairs and Trade's information about extradition from New Zealand
- Yes, copyright infringement can be criminal in New Zealand with imprisonment up to five years.
- Damning quotes from the MegaUpload owner's email.
Can you photograph or video the police in New Zealand?
There has been a recent spate of people being arrested in the USA and UK for taking photos and video of the police at work. We also found anecdotal evidence of police in New Zealand exceeding their legal authority when it came to people taking photos and video of them:
"Taking photographs around Cuba Mall and a police officer approached and said 'Would you like me to break that?' indicating the camera. He was exceedingly hostile and it turned out it was because the officer thought he had been photographed by us."
"Have to wonder why they confiscate cameras and tapes then. We were told we could pick the tapes up from the station... at which point any knowledge of the tapes was denied."
The legal situation in New Zealand
Firstly, it is generally accepted that anyone can photograph or video anyone else as long as the subject wouldn't have a reasonable expectation of privacy. There are a range of exceptions, but are the police one of them?
We wrote to both the Police Commissioner and the Minister of Police and asked them "Is it against the law in New Zealand to take photos of video of the police at work?"
The Police responded first: "No, not if the photos of video of police at work are taken in a public place, or with the landowner's consent if on private property."
Judith Collins, the Minister of Police, backed up the Police's position in her response, going on to say that she saw no need to change the law and was not aware of any plans to do so.
Conclusion
It seems clear that in New Zealand the police can't stop you from documenting what they are doing. They have no power to stop you, seize your camera or force you to delete images or video.
We believe that this is a good thing and is part of having a police force that is accountable to the people they serve. The police hold most of the cards when it comes to dealing with the public, and the prospect of being recorded should provide a brake on any temptation to abuse those powers.
However one concern remains. Police training does not cover this issue and it seems that some officers feel free to make up their own powers as they go. We recommend that the NZ Police should make sure that this is included in initial and continuing training.
Finally, we remind anyone taking photos of police at incidents to make sure that you do not get in their way or you could be arrested for obstruction.
Privacy and Technology
A Tech Liberty representative spent two half days at a group discussion about privacy and technology.
Here are some of the things that were discussed:
Surveillance: current law
The Search and Surveillance Bill is an attempt to rewrite New Zealand's laws around search and surveillance.
One thing that has become clear in the debate around the bill is that many people are not fully aware of the existing powers that government agencies have to pry into our personal affairs. It's not uncommon for someone to decry a 'new' power in the Search and Surveillance Bill, only to be told that it is already in existing law.
This article lists, to the best of our knowledge, the current ways that the government can use to watch us. We will expand/correct it as additional knowledge comes to light.
This article has not yet been updated to reflect the changes made when the Search & Surveillance Act became law.
