It started with a Tweet from Steve Cotter, CEO of REANNZ:
Trying to do the same in NZ, but govt's TICSA legislation makes deploying SDN/NFV in backbone networks challenging http://t.co/91MUpxfOnw
— Steve Cotter (@SteveCotter) February 22, 2015
Before we go any further let's unpack some of those acronyms and add one more:
- REANNZ - "REANNZ is the Crown-owned company that owns and operates New Zealand's high capacity, high performance advanced network... in order to 'establish and operate the Advanced Network in order to promote education, research and innovation for the benefit of New Zealand'."
- TICSA - The Telecommunications Interception Capability and Security Act passed by the National Government alongside the GCSB Act in 2013. It gives the GCSB oversight and control of New Zealand's data and voice communications networks. See our articles for more.
- SDN/NFV - Software Defined Networking and Network Functions Virtualization. Two up and coming methods of controlling complex networks, REANNZ has been doing useful work testing and developing SDN.
- NCSC - the National Cyber Security Centre - the people at the GCSB responsible for enforcing the 'security' part of the TICSA law.
So this is a statement by the CEO of a government owned company whose purpose is to "establish and operate the Advanced Network in order to promote education, research and innovation for the benefit of New Zealand" saying that they can't do the research and development work they need to do because the bureaucrats in the NCSC at the GCSB are holding them back.
Apparently the NCSC were willing to help, but the law was inflexible enough that making any significant change - like you might want to do quite frequently on an experimental network - was going to require the full notification and authorisation procedure. When asked for an exemption the reply was that this would be extremely unlikely to be granted.
But wait, there's more
Apparently Google has also been involved with research and development into SDN in New Zealand. We've been told by multiple sources that they were so annoyed by the TICSA's requirements and the NCSC's administration of them that they have closed the New Zealand section of this project and redeployed the hardware to Australia and the USA. This can only be seen as a loss to New Zealand.
This is a problem
We think it's a real worry that companies like Google and REANNZ, who are both pushing the boundaries of network research, are giving up in New Zealand due to the constraints imposed by government legislation.
It's exactly the sort of thing we worried about in our submission to the government about the TICS Bill:
It will introduce a layer of unnecessary bureaucracy and slow down development of services. It will lead to network operators making “safe” choices that they know will be accepted by the GCSB rather than making the best decisions.
Some people have suggested that these companies, REANNZ and Google, just needed to work harder to jump through the NCSC's hoops. The reality is that they obviously thought that this was not worth the effort and they abandoned the work. How many other companies in New Zealand are experiencing these exact same problems and deciding to just give up... or spend their research dollars in countries with a friendlier environment?
We stand by our original position that a spy agency can't intercept traffic on one hand and then provide security advice on the other. We don't believe that New Zealand's national security is enhanced by giving the GCSB more control of our telecommunications networks than any other spy agency has in any other comparable country. We don't believe that network operators should have to answer to a layer of micro-managing government bureaucracy to run their businesses. We think that this is in direct contravention of the GCSB's statutory objective of contributing to the economic well-being of New Zealand.
The TICS Act is proving to be a brake on innovation. It needs to be changed.
More on the story from Juha Saarinen at the NZ Herald.
The TICS Bill (Telecommunications Interception Capability and Security), a partner to the GCSB Bill that has already been passed, is progressing through Parliament. See our round-up of articles about the Bill.
The Bill has been modified twice:
- The Bill as reported back (PDF) by the Law & Order Select Committee on 19/9/2013.
- A supplementary order paper added by the government on 15/10/2013.
The government has also provided two further documents:
- A comparison of the original 2004 TICA law and the TICS Bill (PDF).
- An infographic showing how law enforcement interacts with the interception requirements.
As reported back by the select committee
The Law & Order Select Committee made a number of minor changes to the Bill. Many of the changes are tweaks to the drafting that have no substantive effect, while others are minor technical changes to improve clarity or streamline procedures.
Even those that do attempt to make changes are fairly weak. E.g. the Director of the GCSB will now have the duty to make decisions about network security "as soon as practicable".
There are no substantive changes worth reporting.
Supplementary order paper 366
As reported in the press release from Amy Adams, the SOP makes the following changes:
- Clause 39, allowing the Minister to forbid the resale of a foreign service that doesn't allow interception, has been removed. This is a good change as the clause was basically unusable - no one really thought that the Minister was going to, for example, ban the sale of Apple products in NZ.
- The GCSB's oversight of network providers has been further cleaned up in an attempt to make it workable, and the Minister can now make regulations about the timeframes for decisions.
- The press release says "it is also proposed to narrow the scope of the matters that must be notified to the GCSB, reducing compliance costs for network operators". The words "any change" have now been replaced by "any change to the architecture", which would mean that minor changes would not have to be notified. However, the word "acquisition" has been added alongside procurement, thus extending the scope to systems that have not been through the normal procurement process (i.e. developed in-house or using free software).
- Adds an additional step before the Minister can make a direction to a network provider about how they should run their business. The Commissioner of Security Warrants will now be required to carry out their own analysis of the GCSB's risk assessment. The Minister will also have to take into account any cost or competition implications for the network provider.
- Acknowledges that some foreign-based service providers will not be able to provide assistance as required in clause 24 due to their own laws.
Tech Liberty comment
The changes to the Bill are largely tweaks designed to improve how the bill works rather than the product of any rethinking of what the government should or shouldn't be doing. Even the removal of section 39, which allowed the minister to ban the resale of foreign services, is fairly irrelevant as that part of the law was unworkable anyway.
There is no evidence that the revelations about the extent of government spying in our intelligence allies, the USA and UK, have had any impact on the TICS Bill which is still mainly concerned about making sure that all electronic communications in New Zealand can be exposed to government scrutiny.
The government is also still pressing on with their intention of giving the GCSB overarching control of New Zealand's voice and data networks. Again there have been some minor changes and shifts in emphasis, but network providers will still be obliged to get GCSB permission to expand or modify their communications infrastructure. The government claims that this is about improving security but it is also clearly about maintaining the ability of the Police, SIS and GCSB to spy on New Zealanders. How the GCSB will handle the tension between surveillance and security is yet to be seen.
One interesting element that hasn't changed is section 10(3) which obliges a network provider to decrypt a telecommunication where the network operator has provided that encryption. A number of submitters said that this was unclear - what about services such as Mega or LastPass that provide the encryption but don't have access to the key as it chosen by the user? The clause could be read to say that this was no defence and that the network operators would have to engineer in security backdoors or risk being fined. The government's decision not to clarify this would seem to indicate that this is the intention.
We believe that changes in technology mean we need to rethink surveillance, search warrants and interception. We also fear that the cold war heritage of our security services unreasonably influences their thinking and their operations.
We support the idea of an inquiry into our intelligence services to ensure that what they do and how they do it are in the best interests of New Zealanders. We also support the idea that just because something is technically possible, it doesn't necessarily mean that we should do it. There needs to be limits on surveillance to protect important rights, such as freedom of expression and freedom of association.
We have started our own project to develop a set of suitable laws and safeguards for surveillance and spying in New Zealand. Informed by the principles at Necessary and Proportionate, we want to come up with some solutions to the hard questions that we're all being confronted with. Please contact us if you'd like to be involved in this effort.
The GCSB Bill has now been passed by Parliament.
Next up is the Telecommunications (Interception Capability and Security) Bill also know as the TICS Bill. This is an update of the Telecommunications (Interception Capability) Act (2004) that forced communications providers (ISPs, telcos, data networks, etc) to provide "lawful intercept" capabilities so that the Police, SIS and GCSB could access communications once they had a suitable warrant. The new bill expands and clarifies these requirements.
However, the addition of the word "security" is the key to what has changed. The new bill now gives the GCSB sweeping powers of oversight and control over the design, deployment and operation of all data and telecommunications networks run by network providers in New Zealand. The stated reasons are to both protect New Zealand's infrastructure and to ensure that surveillance agencies can spy on traffic when required. As part of this, the GCSB will have the power to stop network providers from reselling overseas services that do not provide these capabilities.
The bill has passed the first reading and is expected to be reported back from the Law & Order Select Committee on the 20th of September.
Tech Liberty articles
We've written about this bill and also made a written and oral submission to the Law and Order Select Committee. Here's a list of our articles in publication order:
- Govt proposes GCSB control over NZ communications in new TICS Bill
- Does the TICS Bill really give the GCSB control and oversight of NZ telecommunications?
- GCSB’s new powers for wide-spread spying on New Zealanders
- Will the GCSB ban Apple from New Zealand?
- Tech Liberty written submission
- Tech Liberty oral submission
Other articles worth reading
- Submissions to the Law & Order Select Committee.
- The NBR's Chris Keall writes about TICS's protectionist twist.
- Vikram Kumar writes about secret Ministerial orders.
- Vikram Kumar, disappointed by telco submissions, asks whether ISPs should be privacy crusaders.
- Vikram Kumar - The duty to assist.
- Vikram Kumar - Service provider's view of the TICS Bill jackboot.
- Human Rights Commission's Report to the Prime Minister re the GCSB and TICS Bills (PDF).
- Internet NZ's submission to the Law & Order Select Committee and their prepared remarks for the oral submission.
- Ian Apperly writes about the cost of the TICS Bill to NZ's IT industry.
- Ian Apperly - Why the TICS Bill could put NZ ICT companies out of business.
- Microsoft's submission warns that the TICS Bill is a threat to the industry and may lead to a withdrawal of services.
- Paul Brislen - intercept bill takes a cavalier approach to privacy.
Text of Thomas Beagle's speech to the Urgent Public Meeting to Oppose the GCSB Bill held in Auckland, 25th July, 2013. (Or watch video of all of the speeches.)
I’m from Tech Liberty. We’re a group dedicated to defending civil liberties in the digital age. I want to start by explaining what that means in the context of this bill.
Urgent public meeting in Auckland
A public meeting to oppose the GCSB Bill is being held at 7pm Thursday, Auckland 25th July at the Mt Albert War Memorial Hall. Get the flyer (PDF).
Text of our submission to the Law and Order Select Committee re the Telecommunications (Interception Capability & Security) Bill.
I represent Tech Liberty, we’re a group dedicated to defending civil liberties in the digital age.
In general we support the ability of the government to have interception capabilities on telecommunications where possible, when those interception capabilities have suitable oversight and control. However we fear that technological development is slowly making this lawful intercept regime increasingly irrelevant.
We’ll be addressing this and some other elements of the first two parts of the bill, before talking about the proposal to make the GCSB responsible for cyber security in New Zealand.
Text of our oral submission to the Intelligence and Security Committee concerning the GCSB Bill.
I represent Tech Liberty, we’re a group dedicated to defending civil liberties in the digital age.
We see many problems with this bill and the thinking that lies behind it, problems that we described in our written submission. Today I want to concentrate on just a few of those that are particularly central to our group’s reason for existing.
Dear Mr Key
This letter is partly in response to the findings of the Kitteridge report about the GCSB and their failures to follow the law, but is also mindful of the recent PRISM revelations about the actions of the NSA in the USA, as well as the mass spying revealed to have been carried out by the GCHQ in the United Kingdom. As disturbing as these revelations have been, we cannot help but be shocked that this surveillance was done in secret without the knowledge of the citizens of each country.
We assert that, as citizens of a democratic society, we have the right to know the methods that government agencies use to watch us. Without this knowledge we cannot assert our rights to put appropriate limits on their use.
Full text of the Tech Liberty submission to the Intelligence & Security Committee concerning the Government Communications Security Bureau and Related Legislation Amendment Bill.
Tech Liberty has deep concerns about the extent of the powers granted to the GCSB by this Bill, especially when combined with the proposed changes to the Telecommunications (Interception Capability) Act (2004) contained in the TICS Bill.
We do not believe that the GCSB should be spying on New Zealanders. We are particularly concerned with the Bill’s silence on the GCSB’s existing practice of collecting and analysing metadata.
We do not believe that the GCSB is the right agency to have oversight and control of New Zealand’s telecommunications infrastructure in the name of “cybersecurity”.
We do not believe that the Bill makes any significant improvement to the current woefully inadequate oversight procedures.
We submit that this Bill and the TICS Bill should both be rejected. Rather there needs to be a formal review of New Zealand’s domestic and foreign intelligence requirements.