Does the new GCSB Bill give them the power to spy on New Zealanders?

There’s been a lot of confusion in the media recently about how much the GCSB will be able to spy on New Zealanders when the GCSB Bill passes.

When even Peter Dunne gets it badly wrong in the “Ask Me Anything” article he did in the National Business Review (see q4 from Rick Shera), claiming that they could only spy on NZers on behalf of the Police/SIS/NZDF, we thought we should clear some things up by looking at the legislation.

Note: All references to the legislation are to the version reported back by the Intelligence and Security Committee combined with the changes in Mr Dunne’s SOP (PDF).

Spying on behalf

Firstly, everyone agrees that section 8C of the Bill will allow the GCSB to spy on New Zealanders on behalf of the SIS, Police or NZ Defence Force. This is the “giving assistance” part and it appears to be limited to only doing things that the original agency would have the legal authority to do.

Recent changes include more clarity about the GCSB’s assistance being subject to the originating agency’s oversight (e.g. the Independent Police Complaints Authority for work performed for the Police) and requiring any new agencies to be added by legislation rather than by an Order in Council.

GCSB spying on New Zealanders

The GCSB also has the power to do its own spying on New Zealanders as part of its new cybersecurity purpose, defined in section 8A: “to do everything that is necessary or desirable to protect the security and integrity of the communications and information infrastructures”.

The main interception powers are granted by section 15A and this makes it very clear that both interception warrants and access authorisations can be granted for the GCSB to spy on New Zealanders under purpose 8A (cybersecurity).

Interception warrants vs access authorisations

It’s worth explaining the difference between interception warrants and access authorisations. An interception warrant (15A(1)(a)) is granted to spy on:

  • one or more specific people or a class of person
  • communications made in one or more specific places or classes of place
  • communications sent from or to overseas

An access authorisation (15A(1)(b)) allows the GCSB to access a particular “information infrastructure” or a class of them. “Information infrastructure” is further defined as “electromagnetic emissions, communications systems and networks, information technology systems and networks, and any communications carried on, contained in, or relating to those emissions, systems, or networks”.

Therefore an interception warrant is targeted at a person or place (although the targeting can be very, very broad), whereas an access authorisation allows general access to all the information on a particular computer system, network or phone system, or a specified type of all of those systems.

The only difference between those granted for spying on foreigners and those granted for spying on New Zealanders is that the ones targeting New Zealanders have to be signed off by the Commissioner of Security Warrants as well as the Prime Minister. The Commissioner is appointed by the Prime Minister.

Doesn’t section 14 stop the GCSB spying on New Zealanders?

The new section 14 only stops the GCSB from spying on New Zealanders for purpose 8B (intelligence gathering and analysis). It does not apply to any surveillance done in relation to cybersecurity (purpose 8A) or done on behalf of other agencies (purpose 8C).

The new section 15C does stop the GCSB deliberately intercepting privileged communications (e.g. to your lawyer). However, see note below about incidentally gained intelligence.

Warrantless spying?

Section 16 of the GCSB Act also allows certain forms of spying without a warrant or access authorisation. However, the bill adds section 16(1A) which says that this cannot be done for the purpose of intercepting the communications of New Zealanders. (See the notes below about metadata and incidentally gained intelligence.)

Putting it all together

So what does all this mean?

Most importantly it clearly shows that the GCSB can spy on New Zealanders for its own purposes without doing it on behalf of another agency.

We see that this has been deliberately set up to allow mass surveillance either now or in the future. For example, the GCSB could apply for an access authorisation for access to “New Zealand’s mobile networks” and, after being signed off by the Prime Minister and the Commissioner of Security Warrants, they could then use that access authorisation to collect all phone calls, texts and data sent over the mobile networks.

This collected information could then be analysed and the resulting intelligence given to the Minister and any person, whether in New Zealand or overseas, authorised by the Minister (section 8A(c)).

In theory this activity would have to be done as part of their purpose to “protect the security and integrity of the communications and information infrastructures” but we see that this could be interpreted rather widely.

Other issues

There are also a number of other issues around spying on New Zealanders that we haven’t directly addressed in this article:

Metadata – There are a number of places in the bill that put limits on intercepting “private communications”, but in the past the GCSB has interpreted that as only including the actual call, not the related data (e.g. when, who, how long, etc). Does this mean that the GCSB still thinks it can collect this metadata without a warrant or access authorisation? The bill is silent on this issue.

Incidentally gained intelligence – when the GCSB does collect information it shouldn’t, it can still use that information if it would help prevent or detect serious crime, save lives, or be useful for the security or defence of New Zealand. This is a fairly large loophole in many of the limitations in the Bill.

Access authorisation for the GCSB – section 14 prohibits the GCSB from intercepting NZers’ private communications for purpose 8B (intelligence gathering), but they can do so for purpose 8A (cybersecurity). Could the GCSB then obtain an access authorisation for access to its own database of already intercepted cybersecurity data for intelligence gathering purposes?

Sharing data overseas – how much of this data can be shared overseas? There appear to be no limits other than that the Minister must approve who it is shared with.

Collecting data from overseas – can the GCSB get data from overseas agencies (e.g. the NSA) that it couldn’t legally intercept itself? Can it share data for the purpose of cybersecurity and then be given it back to be used for general intelligence?

What about data that New Zealanders store overseas? – are there different rules for information that New Zealanders store overseas with companies such as Google and Facebook?

Feedback and updates

Think we’ve got this wrong? Feel free to leave a comment with your interpretation. We’ll make any necessary corrections or additions as required.

24 thoughts on “Does the new GCSB Bill give them the power to spy on New Zealanders?”

  1. This govt is as criminal as the torturing, mass murdering artificial psychopathic entity known as Uncle Sam to whom it is abjectly subservient.
    In my opinion the individual public servants and politicians composing this govt are criminals and I reject any and all claims by this artificial psychopathic entity known as ‘the Crown’ of sovereignty over my being and this land.

  2. It’s probably fair to say most New Zealanders would be extremely unhappy to have their communications intercepted. I don’t think it would matter much whether it was the SIS or the GCSB doing the intercepting as most NZers probably couldn’t explain the difference between the two (it was the case when I became aware of those agencies in 2000/2001).

    The SIS has always been able to intercept the domestic communications of New Zealanders and that doesn’t appear to have changed.

    So, how much does this change “the NZ government” ability to spy on NZ’ers compared to 10 years ago?

    Who can they (the government) spy on with this bill that they could not have done before?

    1. You’re correct that the SIS and Police can also intercept communications. However, both of them work under different laws from the GCSB.

      Firstly, the SIS and the Police can only get warrants that are fairly tightly constrained to specific targets based on reasonable suspicion. It’s the GCSB that’s able to get these incredibly broad access authorisations that are targeted at systems rather than people, and it’s these that we believe will be used to usher in NSA/GCHQ-style mass surveillance.

      Secondly, both the SIS and the GCSB need better oversight of the warrants/access authorisations that are only subject to Ministerial approval.

      1. Thanks for covering that aspect. I’d assumed this was all about tidying up the otherwise unclear role of ‘assisting the SIS’.

        The introduction of broad surveillance authorisations to domestic surveillance is completely unnecessary. Indeed it’s the type of thing that drives otherwise unmotivated tech people to take sides against the government.

        Sigh.. and I thought NZ would be a bastion of sanity in that respect.

        1. James – did you really think “NZ would be a bastion of sanity in that respect”?

          I have to point out that this is an extremely naive thought indeed. The NZ government has never done anything to reinforce such an idea. From the outset New Zealand governments sought to strengthen and broaden power over New Zealand citizens, whether through legislation or agreements which impinge on our civil liberties.

  3. The key questions are A. what computer systems the GCSB will be using (XKeyscore? Prism?), and B. how many people could have their communications intercepted under a single warrant or access authorisation, and C. what an individual will have to do ‘wrong’ to be brought under surveillance.

    Under a 3 hop analysis, it seems that the communications of a very large number of people indeed could be intercepted. Most Kiwis are likely to assume that under a warrant or an access authorisation, only the communications of that individual will be intercepted and analysed.

    Also, if an individual only has to be seen to damage the economic or international interests of NZ (as construed by those who authorise the warrant), that could potentially capture a very wide range of people.

    Can you clarify these three points?

    1. Anne you make a good point – which I would take further. The assertion that the interests of “The Government”, “New Zealand” and “New Zealand Citizens” are all one and the same is naive to say the least.
      If I was a member of a political organisation which sought to limit or prevent activities engaged in by the New Zealand Government, which would then impinge economically on the operations of large New Zealand business entities – then despite my formal political freedom to state publicly and act upon certain political principles – I would fall, most definitely, within the “class” of enemy of New Zealand “well being” – from the point of view of those who draft such legislation – the powerful lobbyists who run parliament for the benefit of NZ Inc.

  4. How will foreign organisations be defined for Sect 8B? For example if you are a member of Greenpeace and a NZ citizen, does the fact that Greenpeace – which is an international and therefore potentially could be construed to be a foreign organisation – who may undertake activity locally or internationally which is determined to need surveillance, trump your status as a NZ citizen by the law?

    1. The 2003 Act has a definition of “foreign organisation”, and this bill makes one change, switching “exclusively” for “principally” in (d):

      “foreign organisation means—

      (a) a Government of any country other than New Zealand:

      (b) an entity controlled by the Government of any country other than New Zealand:

      (c) a company or body corporate that is incorporated outside New Zealand, or any company within the meaning of the Companies Act 1993 that is, for the purposes of the Companies Act 1993, a subsidiary of any company or body corporate incorporated outside New Zealand:

      (d) an unincorporated body of persons consisting principally of foreign organisations or foreign persons that carry on activities wholly outside New Zealand:

      (e) an international organisation:

      (f) a person acting in his or her capacity as an agent or a representative of any Government, body, or organisation referred to in any of paragraphs (a) to (e)”

      I’m guessing Greenpeace would come under any of (c) to (f).

  5. Thanks for your informative summary, Thomas.

    My initial reading of the SIS Act and the GCSB Bill led me to the same conclusion as James.

    You’ve suggested that the GCSB will be able to get warrants/authorisations that are much broader in scope.
    But the SIS Act allows warrants to relate to ‘places’ rather than people. The definition of place includes ‘any land’. So (in theory, please correct me if I’m wrong) the SIS *could* apply for a warrant relating to any land, eg – Auckland, or the North Island, or even NZ as a whole.

    I assume the reason that SIS doesn’t apply for such broad warrants (aside from the logistics of covering that many communications) is because the SIS Act requires the Commissioner to consider whether the value of information being sought justifies such a warrant, and whether the information could be obtained by any other means, eg – a more targeted warrant.

    Those same constraints are in the GCSB bill. Wouldn’t they make a warrant/authorisation relating to ‘New Zealand’s Mobile Networks’ just as unlikely to be granted?

    1. I think there’s a big difference between your hypothetical expansion of “places” to “New Zealand”, whereas the access authorisations in the GCSB bill seem much more designed to be very wide: “classes of information infrastructure”.

      The problem is that the Commissioner of Security Warrants can only apply the law as it is written. If the GCSB says that they need to spy on New Zealanders to detect when cybercrime is happening (as they claim in the Regulatory Impact Statement) and that they need to be able to capture details of all emails to detect certain types of email… the CSW is going to really have no choice but to sign it off.

      Ultimately, however, I don’t want to be having these conversations. Rather than relying on “arguably they can/cannot do this” or “they wouldn’t want to do this” I’d much rather the law explicitly said “they cannot do this”.

      1. Thanks for your reply Thomas.

        I understand your position that there are some things the GCSB/SIS should never be allowed to do.

        Personally, I’m a strong believer in ‘Never say never’. I can live with the GCSB/SIS having wide-ranging powers, if the legislation is explicit on when they can be used, and there is a strong Commissioner or other watchdog to ensure that the exercise of those powers is appropriate.
        The language of the GCSB bill seems to me (as a layman) to give the CSW room to exercise judgment. My experience with Commissioners in other areas is that they do not blindly accept petitioners’ claims.

        1. I’m not quite so optimistic on the wide-ranging powers. The problem is this kind of thing:

          In that case it was sparked by an employer, but could just as easily be a just-as-clueless government agency.

          Sophisticated criminals are going to use multiple layers of indirection, encryption, and anonymising. Organised criminals already have botnets for hire so it is no stretch for someone who really wants to google for tools of crime to make it appear to come from Susan of Huntly.

          The bad guys are always a few years ahead of the law. When blanket interception warrants become the norm, then the next target will be those that like privacy and security. Encryption will become a crime.

          See what happened to this secure, private email service:

          1. Thanks for your response James.

            I did say that wide-ranging should be accompanied by a strong Commissioner or other watchdog. They are the check on clueless government agencies, and should ensure that blanket interception warrants and ‘consented-if-casual’ searches are only used when appropriate.

            I agree that sophisticated criminals are going to use indirection, encryption, and anonymising. That is why I have reservations about services like Lavabit, whose main selling points are strong encryption and anonymity. I haven’t, in all the material that’s been written on Lavabit recently, been able to find what Mr Levison did to mitigate the risk of criminals using his service.

            I think it’s too early to learn much from what has happened with Lavabit. Without knowing what Mr Levison was asked to do, and by whom, I have no way of judging whether his actions are reasonable.
            The most popular theory at this point seems to be that Lavabit was served with a National Security Letter. According to the EFF these “allow the FBI to secretly demand data about ordinary American citizens’ private communications and Internet activity without any meaningful oversight or prior judicial review.”
            Which again highlights the importance of a strong watchdog.

            1. We have divergent views on this. I have no problem whatsoever with Lavabit. I’ve not used such a service but lately I’m beginning to see the value in it.

              You are illustrating my point though: that some people associate a desire for privacy with criminal activity. I find that very very disturbing.

              I know that many of my communications, when taken out of context, could be easily misunderstood by someone of low intelligence and humour. I would dread having to justify my interests to some government thug.

              The whole “nothing to hide, nothing to fear” argument is creepy. My home has curtains.

          2. James I invite you to think outside your certainties – “The bad guys are always a few years ahead of the law” suggests to me that you believe the New Zealand government, and everyone who moves in the shadows in the corridors therein, is a “good guy”. For a more complete, and less surprising view of the world, I suggest you broaden your assumptions to include activities where governments simply change the law to make the illegal legal – especially in an environment of political docility such as New Zealand.

  6. Regarding interception warrants you say that section 15A(1)(a) relates to
    “one or more specific people or a class of person”
    when in fact it says
    “1 or more persons or classes of persons”

    Persons and people are not equivalent terms. The difference is that persons do not have the legal status of people, and a corporation (as a legal entity) can also be a person.

  7. The only way to get people engaged- people that matter that is- Auckland property owning snapper loving people. Is to tell them stories about people like them. People like them who have traded up houses over the past 5-8 years , people who text each other and email. People who file tax returns that fail to mention the capital gains on the last couple of houses.
    Trouble is coming for these people. Tax Avoidance is a crime, conspiracy to avoid tax and to create schemes to avoid tax sounds like a big crime.
    Trolling all data over the past 5-8 years of such people looking for key words such as flipping, capital gain, ‘let’s find ourselves another house to flip’- or pretty much any combination of those words may well show intent, then charges are laid, assets seized, the couple are in jail as they are a flight risk- all those trips to Fiji and the Gold Coast will need explaining. And they are now of no fixed abode and they don’t have jobs so prison is probably best, trouble is that the kids are now in care.
    This story only needs a willing government that needs to get tax revenue and people who have own a few properties. Anything they have ever said can and will be used against them by the full power of the state.
    Now my story is not well written but it is stories that we need simple tales that explain why everyone has something to hide. Fear is the key.

  8. Good article. How does all this fit in with the Bill of Rights Act and any reasonable expectation of privacy do you think? And does it make any difference using an offshore internet provider?

    1. Rightly Paranoid

      We have formal rights which can be claimed – we are citizens of a democracy according to any uncritical mind. In practice, our rights are of interest to the government only when they must negotiate their way through the activity of ignoring them. The rights the government exists to protect are those of business and the unfettered process of generating profit. The privacy of average Jo is a small matter which can typically be ignored. It is best ignored with subtle diplomacy, rather than the smug arrogance of John Key and his ilk.
      In terms of off-shore service providers. These are covered in the TICS provisions – the government appears to have given itself the power to instruct network providers to cease allowing access to service providers which can’t, don’t, fail, or refuse to comply with the broader provisions of the TICS legislation. However, instructing TELECOM to prevent access by NZers to Gmail, for example, would unleash an holy row – one easily avoided simply because the servers of Google fall under the remit of the US and NSA – which NZ is party to indirectly through intelligence-sharing agreements. Outside this type of coverage, I’m sure good old political leverage will do the trick.

  9. Hey Thomas, it occurs to me that concerns could be allayed if the public had access to discover who the GCSB actually does spy on. If legit, the number would be few enough each year to report easily. We have hardly any terrorists, so if the spooks perform properly, such a reporting system would reassure folks.

    It wouldn’t stop illegal snooping, of course, but it would provide some basis for trust. If the public reporting was required by law, spooks who broke the law would be vulnerable to exposure by ethical colleagues. Has anyone suggested such accountability be written into the law?

    1. There is some limited reporting built into the bill – but that doesn’t include listing people who have been spied on.

      Anyway, our main fear is that this Bill gives the GCSB powers to spy on everyone at once…

  10. The fundamental point here is that the official New Zealand political machine exists not for the New Zealand people, but for New Zealand business. To not understand this is naive to say the least. A government OF the people has no reason to spy on its citizens AT ALL – simply because, at any point in time, its sole purpose is directly aligned with the fundamental interests of its population. However, a government of business which relies on passing itself off as a government of the people must constantly negotiate its way through actions which contravene its “stated” priorities, and instead represent covert priorities.
    In this case, the desire to have more control arises in a nervous world in which governments are increasingly alienated from the people they “govern” by decades spent eroding civil liberties and living standards. The NEED to increase control comes directly through the desire to participate in strategic agreements with other similarly motivated “governments”. Who is the enemy? We are. We continue to grant power over us to governments who are fundamentally unworthy – both personally and collectively – simply through our inaction, silence, compliance and docility.
    The “Gay Marriage” legislation created more noise and rejoicing than this legislation has caused angst and hand wringing.
