Text of our submission to the Law and Order Select Committee re the Telecommunications (Interception Capability & Security) Bill.
I represent Tech Liberty, a group dedicated to defending civil liberties in the digital age.
In general we support the ability of the government to have interception capabilities on telecommunications where possible, when those interception capabilities have suitable oversight and control. However we fear that technological development is slowly making this lawful intercept regime increasingly irrelevant.
We’ll be addressing this and some other elements of the first two parts of the bill, before talking about the proposal to make the GCSB responsible for cyber security in New Zealand.
The future of interception - the encryption problem
Tech Liberty was started to help defend our civil liberties when they are threatened by technologically related changes. These problems normally take one of two forms:
- The first is where the government panics about some new technology and decides that it’s going to over-react and pass laws that infringe on our rights.
- The second is where technology enables governments to do things like mass surveillance that would have been impossible before technology made it cheap.
However there is also a third type, where new technology removes our ability to make decisions about what we want to permit or allow, regardless of our feelings on the matter.
One example of this is name suppression where, at least in cases of famous people, the information tends to leak out on social media networks and there’s really very little anyone can do about it. We can change the law all we like but we may have to face the fact that name suppression in cases of public interest just isn’t achievable any more.
Another example, and the one I want to spend some time talking about today because it has ramifications for this bill, is encryption.
Some facts about encryption
I want to start by presenting some well-established facts about encryption, because many people tend to have a lot of misconceptions about it:
- Encryption is highly secure. There are a number of modern encryption systems that are considered to be uncrackable short of a major breakthrough in maths or computing.
- Encryption is easily available. The algorithms are public, you can download sample code and any software developer can include it in their application for free.
- Encryption is cheap. It costs nothing to buy and we have so much processing power that we can encrypt everything we do without slowing down our computers.
- Designing encryption systems that allow third-party access or intercept is hard. It tends to make the system more vulnerable to attack.
- Encryption can be multi-layered. If your network provider gives you an encrypted communications link, you can then further encrypt what you send across it and the network provider won’t be able to read it.
- Encryption does not always hide metadata - e.g. the email might be encrypted but the date, the sender and the recipient are not.
- The trend is towards encrypting everything. It’s not just used to keep things private, but for security and proving identity.
Encryption is incompatible with lawful intercept
This increasing use of cheap and easily available encryption is a direct threat to the idea of lawful intercept. Year by year, the percentage of interceptable communications will drop. Naturally we can expect those people of most interest to the Police, SIS and GCSB to be amongst the vanguard of those using encryption.
For an example of this in action, we can look at what’s happening with mobile communications as data-based services take over from telco services. If presented with a warrant Vodafone can easily hand over voice and texts sent over their network, but won’t be able to provide voice and texts sent as encrypted data using iMessage and Facetime on iPhones, or any of a number of other services.
The TICS Bill and encryption
How does this relate to the bill we’re discussing today? I think it’s important that we recognise that we’re not only not going to be able to intercept all communications, but that the proportion of those we can intercept is going to go down.
In other words, even while we support lawful intercept the power to impose it is increasingly being taken out of our hands.
As a group we’re concerned about issues where the government thinks it has agency but the technology doesn’t agree. These issues tend to lead to bad laws with unforeseen side effects.
Need to clarify the “Network operator provided encryption” ambiguity
One concrete change that needs to be made to the bill is to make it clearer that network and service providers don’t have to decrypt communications.
In theory the bill already recognises this, but section 10(3) requires network operators to decrypt a telecommunication if the network operator has provided that encryption. Other sections also mention a “duty to assist”.
But what does “provided” mean in this case? It is entirely possible for a network provider to make encryption available to the users of the service that the network provider could not decrypt because the users have chosen the keys. (A good analogy would be if someone supplied you with a combination lock that allowed you to choose your own combination.)
The bill needs to make it clearer that network providers and those who work for them have no duty to break encryption where they cannot due to not having the keys.
The Bill also talks about the ability to stop the resale of foreign services that don’t provide lawful intercept. We think that this is just silly.
Let’s look at one example, Apple Computers. You’ve all heard of it and I wouldn’t be surprised to find that you’ve each got at least one Apple device in your respective households.
Apple provides communications services through iMessage and Facetime and these are designed to use encryption in a way that stops them being intercepted. These phones and services are being resold by Vodafone and Telecom.
Let’s assume that New Zealand finally gets a terrorist cell here that uses these services to plot an attack together. We think it’s very obvious that we’re not going to ban Apple from New Zealand, not least because Apple users tend to be quite fanatical and they might end up storming Parliament.
Now repeat this for Google, Yahoo, Facebook, and the myriad of other services.
We struggle to imagine a case where this part of the bill would be used effectively, and believe it should be removed.
We understand that this committee is looking at the TICS Bill rather than the GCSB Bill but it’s also true that the two are somewhat intertwined, with the GCSB Bill letting the GCSB access the facilities provided by the TICS Bill.
One aspect we are concerned about is that the GCSB Bill has clause 15A(5) - “This section applies despite anything in any other Act.”
This could be used to override any of the procedures in the TICS Bill and ultimately makes a mockery of it and other laws that include reasonable safeguards.
So in the spirit of 15A(5), we recommend adding a countervailing clause to the TICS Bill along the lines of “This Act cannot be overridden by anything in any other Act.”
Now this will obviously lead to a conflict if the two clauses ever clash. It is our understanding that judges tend to, amongst other elements, use the New Zealand Bill of Rights to help them interpret confusing or conflicting law, an outcome that we would be very happy with.
No secret evidence
This bill provides for fines of up to $500,000 and $50,000 per day, which I think we would all agree are quite significant.
An important part of the NZ Bill of Rights concerns the elements needed to make sure that people in our justice system are treated fairly.
We have serious issues with sections 96-98 that allow secret evidence to be presented in court without the presence of the defendant or their lawyer. This is particularly worrying as some of these trials, being about interception, could have significant amounts of classified evidence. How can there be a fair trial when the defendant and their representative don’t even know what evidence is being presented against them?
The bill even allows for this secret protection to be given to evidence from overseas intelligence agencies and other unreliable sources.
We acknowledge that this only applies to matters concerning the operation of this law, but we are greatly concerned that this sets a worrying precedent that will spread to other laws. This is particularly true because our spying allies, the UK and US, have both gone significantly further with secret courts and secret trials and we fear that this is the first step in following them.
More to the point, the types of offences contained in this bill just aren’t worth the damage to our justice system represented by these clauses. We reject the idea that secrecy around the operation of this law is worth protecting in this way and request that these clauses are removed.
GCSB as cybersecurity czars
While this bill is largely an update to the existing TICA law, there is one very large new section that gives the GCSB sweeping oversight and control powers over New Zealand’s telecommunications networks.
The bill refers to “partnership” between industry and the GCSB, but it is also very clear that by partnership it means that the GCSB will be in control. This is obvious when you look at the language used in the procedures defined in section 3. Network providers must consult with the GCSB, they must not proceed without approval, the GCSB can accept or reject proposed alternatives, and, ultimately, the GCSB can get a Ministerial direction that forces the network provider to follow their orders.
This is also not just for major decisions; it goes right down to the brand of PC workstations that the network providers deploy in their network operation centres. The bill is very detailed about what is covered and network operators, in order to be safe, will have to pass many, many decisions to the GCSB for permission.
We find this to be a gross imposition on the freedom of these companies to develop their businesses in their own way. We very much doubt that the GCSB will be able to cope with the volume of requests and it will introduce a layer of unnecessary bureaucracy and slow down development of services. It will lead to network operators making “safe” choices that they know will be accepted by the GCSB rather than making the best decisions for their business.
We believe that this will slow down innovation in the development of NZ-based network services while doing very little to improve security.
Why does the GCSB need this control?
Frankly we’re suspicious about why the GCSB thinks it needs this level of control. What do they intend to do with it? Do any other Western democracies give their spy agencies this level of control over their national networks?
We can assume it’s nothing to do with providing lawful intercept because the rest of this bill already provides all the lawful intercept that the GCSB could want.
Maybe the GCSB will attempt to protect us from Huawei - although it would seem a bit late with many of our major telcos already heavily investing in Huawei equipment. Does the government really need the power to protect US networking equipment manufacturers from Chinese competition?
We suggest that New Zealand is not seeing the sort of threats that could be mitigated by this proposal. Our network providers already have a strong interest in securing their networks and most of the incursions and attacks happen at the user level rather than the infrastructure level.
Indeed, network providers apparently already voluntarily work with the National Cyber Security Centre without any law coercing them to do so. Does anyone honestly think that network providers would not react appropriately if the GCSB could show that equipment from a particular vendor included spyware? We believe that this cooperation should be encouraged, although possibly with the NCSC being housed with the Police rather than the GCSB as it is at present.
Conflicts of interest
This brings up a more serious problem - can we trust a spy agency to do network security? There are some unfortunate conflicts.
We discussed encryption earlier and how the increasing usage of good encryption is going to make lawful intercept steadily more difficult. A major part of the accepted approach to securing communications is to use strong encryption wherever possible. But this will make the GCSB’s job of spying significantly harder. Which way will they go in their advice? Protect New Zealand’s communications or maintain their ability to spy?
Secondly, we keep hearing about the GCSB’s close relationship with the Five Eyes intelligence partners. We’ve also been hearing a lot in the news about the extensive spying performed by those partners on both their own citizens and those of other countries. Our question is, whose side is the GCSB on? Their intelligence partners or the citizens of New Zealand? Will they really risk closing a security hole that the NSA is relying on to collect information?
You may think it preposterous that anyone would even ask these questions but we can assure you that we’re not the only ones asking them - and it shows just how tainted the GCSB is when it comes to network security.
The wrong agency and the wrong model
We believe that the GCSB is the wrong agency to take a lead role in cybersecurity. They are a spy agency, they think like a spy agency, and too many people, including us, will refuse to see past this.
More importantly, we believe that this is the wrong model. Rather than a secretive government agency having command and control, we believe that network security should be a collaboration between government and the private sector.
We therefore recommend that Part 3 - Network Security of the bill be removed in its entirety.