Full text of the Tech Liberty submission to the Intelligence & Security Committee concerning the Government Communications Security Bureau and Related Legislation Amendment Bill.
Tech Liberty has deep concerns about the extent of the powers granted to the GCSB by this Bill, especially when combined with the proposed changes to the Telecommunications (Interception Capability) Act (2004) contained in the TICS Bill.
We do not believe that the GCSB should be spying on New Zealanders. We are particularly concerned with the Bill’s silence on the GCSB’s existing practice of collecting and analysing metadata.
We do not believe that the GCSB is the right agency to have oversight and control of New Zealand’s telecommunications infrastructure in the name of “cybersecurity”.
We do not believe that the Bill makes any significant improvement to the current woefully inadequate oversight procedures.
We submit that this Bill and the TICS Bill should both be rejected. Rather there needs to be a formal review of New Zealand’s domestic and foreign intelligence requirements.
We've been keeping track of the Police use of new surveillance and tracking technology. We asked them what they've been doing with drones and here are the more interesting/informative answers (Police letter, 19th February 2013):
- The Police currently have one aerial drone.
- They don't have a specific budget for it and claim not to know how much they've spent on it so far.
- They say that they can use it for tracking people and cars but promise to do so in accordance with the Search & Surveillance Act. Our reading of that Act is that using an electronic tracking system requires a tracking warrant; we don't know whether the Police agree with this.
- The Police believe that their current policy concerning video recording operations and events also covers their use of drones.
- The Police have been contacted by the Privacy Commissioner re their use of drones and will be meeting with them soon.
- The Police expect their drone trials to finish by the end of 2013.
You may also wish to read this article about drones by David Beatson at NZ Pundit.
We're going to be following up to get more information. If there's any questions you want asked, please leave them in the comments.
Updated: see note below. Further updated 13/8/2013 to add commentary about the security of hashing.
One of the issues with modern technology when it comes to privacy and tracking is that it isn't always obvious what data we should be worrying about.
The latest example of this is the NZTA's trial of a passive monitoring system called BlipTrack to monitor traffic congestion on the Puhoi to Warkworth road.
The BlipTrack system relies on the Bluetooth functionality built into many mobile phones and related accessories, car stereos, and mapping devices. A Bluetooth device that is set to be discoverable ("visible") answers scans from nearby equipment with its unique 48-bit MAC address. By detecting the same MAC address at two sensor locations, the BlipTrack system can work out how long that device took to travel between the two points and therefore make some assumptions about how congested the road is. (See the BECA report (PDF) for more information about how the system works.)
With mobile phones being very personal devices that we tend to carry everywhere we go, it seemed obvious to us that this sort of technology could be used to track people. We asked NZTA about this and their response was:
We do not consider that the Privacy Act 1993 applies. This is because the information collected is not personal information.
NZTA declined to give us a copy of the legal advice they have received on the privacy issues.
The BECA report linked before also touches on the topic:
Although there may be potential sensitivities for using Bluetooth, the MAC address numbers can only be identified / observed if the Bluetooth device is active and the privacy settings have been set to allow it (i.e. the Bluetooth is set to 'visible'). Also, unlike number plates or cell phone IDE numbers, there is no way of tracking the MAC address number back to the owner as there are a variety of types of device with Bluetooth, and no database matching these devices to their owners.
What is "personal information"?
The Privacy Commissioner defines personal information as follows:
Information about a living human being. The information needs to identify that person, or be capable of identifying that person.
While the Bluetooth MAC address can't be used to work out who someone is, that's not to say that someone who already has a person's MAC address can't use it to find out where they've been. For example, an NZTA employee with access to the database could look up the MAC address of their partner's mobile phone to see if they were telling the truth about where they were last night.
We reject NZTA's interpretation; we believe that the Bluetooth unique identifier is personal information, that the NZTA is collecting it without consent and storing it without permission. This is in breach of the Privacy Act.
We also note that there is no need to store the unique Bluetooth address in the database after the match has been made. Anonymising this would remove much of the potential for misuse. (See Update below.)
Sharing data with law enforcement
More interestingly, this data could also be made available to the Police. While the Police are limited by the Search & Surveillance Act in the use of electronic tracking systems, is there anything stopping them from asking NZTA to look up their database?
Of course, even if NZTA did count it as personal information, we note that the Privacy Act has some very large holes when it comes to sharing data with the Police and provides no real oversight of such sharing.
We're not trying to say NZTA are bad people or that what they are doing is particularly wrong. They're currently using the technology for a reasonable purpose and at least already have some protocols around what data they can share with other agencies.
However, even though they've tried to think about the privacy implications of the technology they're using, they still haven't fully understood the risks of collecting and storing data of this type.
The technology involved in this type of passive tracking system is continually getting cheaper. It would make perfect sense for NZTA to extend it across the road network to help them with their planning. At the same time, this would establish a national database that would enable NZTA, or anyone else with access to it, to track people. In particular this data could be made available to the Police with no significant oversight.
We believe that our privacy and data collection/sharing laws need to be updated to take account of new technologies and the power of big data.
We have been sent further information (PDF) about the BlipTrack system. From the document:
When a BlipTrack™ sensor detects a Bluetooth Device in its proximity, the sensor will generate a one way hash code from the Bluetooth address of the detected device using a SHA-256 algorithm. Only Bluetooth hash codes are transmitted to the central server. There is no way to revert hash codes back to real Bluetooth addresses, thereby preventing access to the Bluetooth MAC addresses of the tracked devices.
In case the BlipTrack™ data was compromised, the attacker could try to correlate data between multiple systems and possibly, over time, be able to link a hash code of a Bluetooth device address to a record in another system, that could contain user information. To prevent this, BlipTrack supports Re-Hashing of Bluetooth Address device Hashes. By Re-Hashing the Hash codes using a new salt on a daily basis, a detected Bluetooth device will only have the same hash code for one day. The next day that user will be seen as a new user.
However, people familiar with this type of cryptography expressed grave doubt that the protections outlined would be sufficient to protect the information from even basic attacks. Details of the BlipTrack implementation are vague, but the space of possible MAC addresses is small: an address is only 48 bits, and the first 24 of those are a vendor prefix (OUI) drawn from a published list, so an attacker who has the salt for a given day needs at most about 16.7 million SHA-256 evaluations per vendor prefix to recover every address in that day's data, which is seconds of work on modern hardware. Unless the salt is long, random and kept away from everyone who can read the database, a brute-force attack could therefore reveal all the original MAC addresses; and even on days when the salt is not accessible, the hash is still a stable identifier for that whole day, so sightings of the same device can be linked.
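The following is an added example, not BlipTrack's own code or anything from the NZTA or BECA documents. It models what the quoted description says the sensors do (SHA-256 of the Bluetooth address, re-hashed with a daily salt), shows the legitimate use (matching one hash at two sensors to get a travel time), and then shows the brute-force attack: with a day's salt in hand, recovering a MAC behind a hash is a walk over the 24-bit device part for a known vendor prefix. The MAC addresses, timestamps, sensor names, the salt construction and the salt||mac concatenation order are all assumptions made for the example; the real product's details are not public on this page.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed sample data: invented MAC addresses and timestamps, not real captures.
# Vehicles pass the Puhoi sensor first and the Warkworth sensor second.
SENSOR_A, SENSOR_B = "Puhoi", "Warkworth"
T0 = datetime(2013, 8, 13, 8, 0, 0)
RAW_SIGHTINGS = [
    (SENSOR_A, T0,                          "00:1a:7d:00:00:2a"),
    (SENSOR_A, T0 + timedelta(seconds=30),  "00:1a:7d:00:01:0f"),
    (SENSOR_A, T0 + timedelta(seconds=45),  "d8:3c:69:00:00:01"),
    (SENSOR_B, T0 + timedelta(minutes=14),  "00:1a:7d:00:00:2a"),
    (SENSOR_B, T0 + timedelta(minutes=21),  "00:1a:7d:00:01:0f"),
    # d8:3c:69:... switches Bluetooth off before Warkworth: no match, no travel time
]


def daily_salt(day: datetime) -> bytes:
    """Assumed model of the daily re-hashing: one salt per calendar day.
    A real deployment would draw this from a secret; here it is derived from the
    date purely so the example is deterministic."""
    return hashlib.sha256(b"demo-secret|" + day.strftime("%Y-%m-%d").encode()).digest()


def hash_mac(mac: str, salt: bytes) -> str:
    """One-way SHA-256 of the Bluetooth address, as the BlipTrack document describes.
    Prepending the salt (salt || mac) is an assumption about the construction."""
    return hashlib.sha256(salt + mac.lower().encode()).hexdigest()


def sensor_output(raw_sightings):
    """What a sensor sends to the central server: (sensor, time, hash) only, no MAC."""
    return [(s, t, hash_mac(mac, daily_salt(t))) for s, t, mac in raw_sightings]


def travel_times(hashed_sightings, src=SENSOR_A, dst=SENSOR_B):
    """Congestion measurement: for each hash seen at src, find its first later
    sighting at dst and return the elapsed seconds, keyed by hash."""
    ordered = sorted(hashed_sightings, key=lambda x: x[1])
    first_at_src = {}
    for sensor, t, h in ordered:
        if sensor == src:
            first_at_src.setdefault(h, t)
    result = {}
    for sensor, t, h in ordered:
        if sensor == dst and h in first_at_src and h not in result and t > first_at_src[h]:
            result[h] = int((t - first_at_src[h]).total_seconds())
    return result


def recover_mac(target_hash, salt, oui, suffix_range=range(1 << 24)):
    """Brute-force the 24-bit device part of a MAC for one known vendor prefix (OUI).
    The full search is 2^24 SHA-256 calls per OUI; suffix_range lets a demo run a slice."""
    oui_hex = oui.lower().replace(":", "")  # e.g. "001a7d"
    for n in suffix_range:
        digits = "{}{:06x}".format(oui_hex, n)
        mac = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
        if hash_mac(mac, salt) == target_hash:
            return mac
    return None


if __name__ == "__main__":
    hashed = sensor_output(RAW_SIGHTINGS)
    for h, secs in travel_times(hashed).items():
        print("{}... Puhoi -> Warkworth in {} min".format(h[:12], secs // 60))
    # An attacker who has obtained today's salt (say from a compromised sensor)
    # recovers the address behind the first hash by trying one vendor prefix.
    print("recovered:", recover_mac(hashed[0][2], daily_salt(T0), "00:1a:7d", range(0x1000)))
```

The demo restricts the search to the first 4096 suffixes so it finishes instantly; the full 2^24 walk for one vendor prefix takes tens of seconds in pure Python and well under a second on a GPU. Note also that the matching step (`travel_times`) works purely on hashes, so nothing about the congestion use case requires the raw address to be kept, which is the point made above about storing the identifier only until a match is made.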
BlipTrack, in an example of having their cake and eating it too, then go on to claim that MAC addresses do not link to personal user information. If this was the case, you might wonder why they go to such lengths to stop them being available in their database. More to the point, we've already explained why we believe that they are personal information in the terms of the Privacy Act - and therefore would require permission to capture them in the first place.
The NZ Police are continuing to expand their use of technology to watch and track people in New Zealand. We've already discussed automated number plate recognition, but information has emerged about two new initiatives:
The first is Signal - a tool used to scan and collate publicly available data from multiple social media sites such as Twitter, Facebook and YouTube. This data can then be analysed to establish connections between people and events, and was used during the Rugby World Cup to monitor both boy racers and political protesters.
The second is the trialling of aerial surveillance drones. As part of the trials they have already been used in some Police investigations.
We're not reflexively opposed to the NZ Police using tools to do their job better, but we do have some concerns about how they can be used to infringe our rights to go about our lawful business without unwarranted surveillance and tracking. We believe that it is not healthy in a democratic society for our every movement and action to be monitored, stored and analysed by the government.
We've made requests to the Police for more information about both of these initiatives and will report more once we receive it.
One thing that is of concern is that the Police seem to be quite secretive about their use of technology. It seems that they wait for someone to find out about it before releasing information in dribs and drabs, sometimes only after prompting from the Ombudsman. If the Police aren't proud of what they're doing to more efficiently fight crime, perhaps they shouldn't be doing it at all.
A second concern is that our laws, even including the new Search & Surveillance Act, might already be out of date when it comes to the Police use of such technology. For example, are there any controls on amassing publicly available data to such an extent that modern data analysis software can make some assumptions about very private behaviour?
We'd like to see two things:
- The NZ Police taking a more proactive role in disclosing what they are doing and how they are doing it. They may even wish to do more consulting with community groups and watchdogs such as Tech Liberty and the NZ Council for Civil Liberties.
- Work on a new set of standards and principles to inform the Police's (and other agencies') use of new technology and "big data" systems. These should cover data integrity, retention, security, auditing and notification. This is something that Tech Liberty is currently working on.
One of the most common topics of the emails we receive at Tech Liberty is the placement of video cameras. People worry about them where they work, in the street, and on their neighbour's properties.
This guest post is from Yuri Wierda, a licensed security consultant, and he's concerned about the increasing popularity of security cameras in public toilets:
I have personally refused to install cameras in toilets and have talked a few clients out of doing it. I believe cameras in toilets are immoral and may be illegal. Part of my responsibility when advising people on security is ensuring that they themselves don't break the law.
The argument for cameras in toilets has been that it reduces vandalism.
While there may be signs advising people that there is a camera I do not believe that it justifies it or complies legally. There are several situations where signs will not provide informed consent.
- Someone may get changed in the toilet and not see the sign.
- Someone may be blind or illiterate.
- Someone may be intellectually disabled.
- Children may be visiting the toilet unaccompanied.
This creates several privacy and legal issues:
- The intellectually disabled and children CANNOT legally provide consent to being filmed in the nude or partly clothed. Toilets are places where people adjust their clothing and may be partially clothed. Children and intellectually disabled people will not expect there to be a camera filming them. Filming such an event is illegal (s216G to s216N of the Crimes Act) and potentially can (and should) result in serious criminal charges.
- People who have not seen the sign or were unable to read it cannot provide informed consent.
I am appalled that the police have provided advice that it is not illegal.
See update at end of post.
We've been keeping an eye on the NZ Police trials of ANPR (automated number plate recognition - read our explanation).
The main civil liberties issue with this technology is that the system stores the time and location of the license plate check. Once enough of these systems are deployed they can be used to track people by following vehicle movements, as is being done by a number of other countries. We believe that, at a minimum, there should be some controls on how this data is stored and used, for example by having to apply for a tracking warrant.
The Police themselves have been sending out mixed messages about whether they're keeping the information and whether they'll be using it for tracking, as documented by our article. At the end of that article we said we were seeking further clarification from the Police.
Police confirm they're not keeping ANPR data for tracking
We have now received a letter (PDF) from Superintendent Carey Griffiths in which he explains:
All three patrol cars and one of the vans have the capacity to store information for up to a two or three day period depending upon operational use. In general the information is not stored for any longer than a shift period which can vary from an eight hour to a ten hour shift.
One of the [two] vans has a system known as BOSS (Back Office System Software) and this system has the capability to store information for a longer period ... The BOSS system settings have recently been amended, and the information is now only stored for a maximum of 48 hours.
It seems clear from this that the Police will not be keeping the ANPR data.
Police believe they can't track without a warrant
Furthermore, Superintendent Griffiths goes on to say that:
Police considers that with so few cameras, the technology cannot be used to "track" vehicles. In any event, Police cannot track vehicles other than in accordance with the Search & Surveillance Act 2012.
This contrasts strongly with what the Police said in a letter from December 2011:
There is no requirement for police to apply for a warrant for any ANPR information as it is gathered in a public place.
This change in attitude is quite interesting. The Search & Surveillance Act only refers to getting a warrant for tracking when it involves the use of a tracking device (s46). We initially took this to refer to getting a warrant to allow the installation of a "bug" on the car or person to be tracked.
However, tracking device is defined as "a device that may be used to help ascertain, by electronic or other means ... the location of a thing or a person".
Could one define an ANPR system as a tracking device and would the Police then have to get a warrant to use it to track people? It seems that the Police now think it would. The same argument would also seem to apply to using mobile phones to track people.
In our opinion this interpretation would fit in both with the purpose of the Act and the requirements in a civil society for oversight of the use of this type of mass surveillance.
We're pleased that the Police are not attempting to implement the sort of pervasive people/vehicle tracking systems that are becoming popular in some overseas jurisdictions. We do not think that this sort of police state behaviour has any place in a free and democratic New Zealand.
Furthermore, after some problems with illegal surveillance in recent years, it's good to see that the Police are taking their responsibilities under the Search & Surveillance Act seriously.
We will continue to monitor the Police use of ANPR technology and look forward to receiving copies of the assessment from the Privacy Commissioner and the final Police report into their test ANPR deployment.
Update 5th August 2013
The Police have announced they will be deploying new red-light and speed cameras. We asked them if these new cameras would support ANPR. Their response:
There are no current plans to deploy either digital red-light cameras or speed cameras that support Automatic Number Plate Recognition.
ANPR stands for automated number plate recognition.
It’s a camera that can automatically recognise and read license plates on cars and then checks them against a central database. If the plate matches a “vehicle of interest”, the police can then decide to pull over the car and talk to the driver. ANPR cameras are typically deployed in police cars and in fixed installations by the side of the road.
The current state of ANPR in New Zealand
[Edit: there is some inconsistency between the information available over multiple letters from the Police and that reported in Police News.]
[Edit 2: Superintendent Carey Griffiths has denied that the Police will be storing the ANPR data and using it for tracking. We have asked the Police Commissioner for clarification.]
According to the June 2012 edition of Police News, the NZ Police have been trialling ANPR since 2009. This has involved four mobile ANPR units which are not that sophisticated in that they need two people to operate them (one to drive, one to watch the screen).
In theory the trial ended in January 2012 but it is our understanding from Police News that they are still using the current four ANPR vehicles (2 in Auckland, 1 in Waikato/Eastern and 1 in Christchurch/Southland) and are looking at deploying another couple.
We have requested copies of reports about the trial and any recommendations about further deployment of ANPR systems.
Thanks to an OIA request by Alex Harris we also have a draft copy of the ANPR manual. There is also an associated letter in which the Police report that the trial began in 2010 and has consisted of only two units for a limited time in Counties Manukau and Wellington, with them currently deployed in Counties Manukau and Waitemata.
The Police answer questions about ANPR
Some questions and answers from letters to the police about ANPR (questions are ours, answers are from the Police):
Q. What data is stored with each record (e.g. location, time of day, etc)?
A. The time date and a photograph of all vehicles passing the ANPR camera is stored.
Q. Will this information include the location of the ANPR device at the time of the lookup?
A. Yes it will include the location of where the device was deployed.
Q. How long will the data for each captured license plate be kept for?
A. Data of vehicle movements captured during ANPR deployments will be retained on a secure Police database. In time this information may be deleted when it is no longer required for the purpose it was obtained. Police may search the stored data if there is a belief that there may be information relating to a crime.
Q. Are the police considering using the information stored in the ANPR database to track vehicles?
A. The ANPR system alerts police to vehicles that are a vehicle of interest to police recorded in the vehicles of interest database.
Q. If so, do the police believe they would need to apply for a warrant to use the information in this way?
A. There is no requirement for police to apply for a warrant for any ANPR information as it is gathered in a public place.
Why does ANPR make us worried?
If ANPR was simply used by the police to help find people they are actively looking for, we’d probably have no argument against it.
The problem is that it’s more than just a simple database lookup. That central database isn’t just responding to queries, it’s also storing the date, the time and the place for every car that passes the ANPR camera.
So the police end up with a very big database of car sightings – which gives them the ability to track the movements of any car they wish. Even more worrying is that they can keep this data for as long as they like and therefore “go back in time” by entering queries for any day since the database was started.
The technology is rapidly getting cheaper and could easily end up deployed in every police car and in fixed places around major cities and roads, allowing for near total coverage.
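To make concrete what a retained database of sightings enables, here is an added example; it is not Police code and nothing in it comes from the ANPR manual. It stores records with the three fields the Police answers above say are kept (plate, time/date, location of the unit), then runs the two queries the paragraphs above worry about: reconstructing one vehicle's movements over any period, and inferring who regularly travels with whom from plates that repeatedly appear at the same camera within a few minutes of each other. The last function applies the control described in Superintendent Griffiths' letter quoted earlier on this page (the BOSS system now keeps records for at most 48 hours) and shows how much of that capability a short retention period removes. All plates, places and times are invented for the example.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample sightings: invented plates, locations and times.
T0 = datetime(2013, 8, 1, 7, 30, 0)
NOW = T0 + timedelta(days=3, hours=2)
SIGHTINGS = [
    ("ABC123", T0,                                  "Manukau"),
    ("XYZ789", T0 + timedelta(minutes=1),           "Manukau"),
    ("ABC123", T0 + timedelta(hours=9),             "Wellington Central"),
    ("XYZ789", T0 + timedelta(hours=9, minutes=2),  "Wellington Central"),
    ("ABC123", T0 + timedelta(days=3),              "Manukau"),
    ("XYZ789", T0 + timedelta(days=3, minutes=2),   "Manukau"),
    ("LMN456", T0 + timedelta(days=3, hours=1),     "Waitemata"),
]


def build_db(sightings):
    """One row per camera read: plate, time/date, location of the unit (per the Police answers)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sightings (plate TEXT, seen_at TEXT, location TEXT)")
    conn.executemany("INSERT INTO sightings VALUES (?, ?, ?)",
                     [(p, t.isoformat(), loc) for p, t, loc in sightings])
    conn.commit()
    return conn


def trail(conn, plate):
    """'Go back in time': every place and time a plate was seen, oldest first."""
    rows = conn.execute(
        "SELECT seen_at, location FROM sightings WHERE plate = ? ORDER BY seen_at", (plate,))
    return [(datetime.fromisoformat(t), loc) for t, loc in rows]


def co_travellers(conn, plate, window_minutes=5):
    """Other plates seen at the same camera within `window_minutes` of the target,
    counted over the whole retained history; only those seen together more than
    once are returned, as {other_plate: times_seen_together}."""
    rows = conn.execute(
        """
        SELECT b.plate, COUNT(*)
          FROM sightings a
          JOIN sightings b
            ON a.location = b.location
           AND a.plate != b.plate
           AND abs(strftime('%s', a.seen_at) - strftime('%s', b.seen_at)) <= ?
         WHERE a.plate = ?
         GROUP BY b.plate
        HAVING COUNT(*) > 1
        """,
        (window_minutes * 60, plate))
    return dict(rows.fetchall())


def purge_older_than(conn, now, hours=48):
    """The retention control from the Police letter: drop anything older than 48 hours.
    Returns the number of rows deleted."""
    cutoff = (now - timedelta(hours=hours)).isoformat()
    cur = conn.execute("DELETE FROM sightings WHERE seen_at < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_db(SIGHTINGS)
    print("trail before purge:", trail(db, "ABC123"))
    print("co-travellers before purge:", co_travellers(db, "ABC123"))
    print("rows purged:", purge_older_than(db, NOW))
    print("trail after purge:", trail(db, "ABC123"))
    print("co-travellers after purge:", co_travellers(db, "ABC123"))
```

With the full history retained, the query says ABC123 and XYZ789 have been seen together three times across two cities; after the 48-hour purge the same query returns nothing, because a single co-sighting is not enough to infer a relationship. That is why the retention period, not the camera, is the control that matters.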
There are three types of harm that can come from creating a new database like this:
- An inappropriate extension of police power that might be used badly. e.g. the Police use it to spy on political activists who are engaged in peaceful protest, breaching their rights to privacy and freedom from Police surveillance.
- Extension to other government departments. e.g. could CYFS access the database to determine that you are feeding your children badly because you park near the local McDonalds each day?
- Improper use. A police officer using it to stalk someone for their own reasons.
Tracking used to be hard
Tracking someone used to be hard and expensive but ANPR is going to make it easy and cheap. With ANPR you don't need a whole team of people, you don't need to install a GPS tracking device, you don't need to get a court order to access mobile phone data - you just install ANPR devices everywhere and then ask the database about whoever you like.
More to the point, you also don’t need to change any laws or apply for a surveillance warrant to install a tracking device – you can just start doing it.
It’s the sort of information that a totalitarian regime would love to have. But is it the sort of information that we want our government to have about everyone?
Shouldn't we talk about what sort of controls we might want to impose if such a system is implemented?
Are we going to end up with this system watching our every move without even any public debate about it?
The government is your friend and wants you to be happy.
This is the transcript of a speech given by Thomas Beagle at Kiwicon in Wellington on November 6th, 2011.
The Search and Surveillance Bill is an attempt to rewrite New Zealand's laws around search and surveillance.
One thing that has become clear in the debate around the bill is that many people are not fully aware of the existing powers that government agencies have to pry into our personal affairs. It's not uncommon for someone to decry a 'new' power in the Search and Surveillance Bill, only to be told that it is already in existing law.
This article lists, to the best of our knowledge, the current ways that the government can use to watch us. We will expand/correct it as additional knowledge comes to light.
This article has not yet been updated to reflect the changes made when the Search & Surveillance Act became law.
[This post was prompted by contact from a person who had a laptop seized. Since original publication they have asked for their comments to be removed.]
We recently asked Customs whether they were able to seize and examine travellers' laptops and they replied that they could under the Customs and Excise Act (1996).
Looking for information
We'd like to find out more about what Customs are doing in this area. In particular we'd like to know what they're looking for, whether they're targeting anyone in particular, and what they do with the systems and data they seize.
Please contact us if this has happened to you or anyone you know. Please include as much detail as possible. We promise to respect your anonymity.