Govt proposes GCSB control over NZ communications in new TICS Bill

The government has announced two new Bills for reforming the GCSB and expanding their powers. The first is the GCSB and Related Legislation Amendment Bill (PDF) and the second is the Telecommunications (Interception Capability and Security) Bill (PDF).

This article is a summary of the major parts of the TICS Bill.

The TICS Bill is a replacement for the Telecommunications (Interception Capability) Act 2004. This law forced communications providers (ISPs, telcos, data networks, etc) to provide “lawful intercept” capabilities so that the Police, SIS and GCSB could access communications once they had a suitable warrant. The new bill expands and clarifies these requirements.

However, the addition of the word “security” is the key to what has changed. The new bill now gives the GCSB sweeping powers of oversight and control over the design, deployment and operation of all data and telecommunications networks run by network providers in New Zealand. The stated reasons are to both protect New Zealand’s infrastructure and to ensure that surveillance agencies can spy on traffic when required. As part of this, the GCSB will have the power to stop network providers from reselling overseas services that do not provide these capabilities.

Summary of major elements of the TICS Bill

Interception

From the Bill:

A network operator must ensure that every public telecommunications network that the operator owns, controls, or operates, and every telecommunications service that the operator provides in New Zealand, has full interception capability.

Note that the surveillance agencies still need to have a legally issued warrant (under the Search & Surveillance Act, NZ SIS Act, or GCSB Act) to actually intercept any communications and there are obligations to avoid capturing communications that are not covered by the warrant.

The new Bill splits communications providers into multiple classes, with small, wholesale and infrastructure providers having reduced obligations. Providers must either have a full intercept capability, to be “intercept ready”, or to be “intercept accessible”. Membership of these classes can be varied by direction of the Minister.

The Bill specifies that the law applies to companies whether based in New Zealand or overseas. It then goes on to give the Minister the power to ban the resale of an off-shore telecommunications service in New Zealand if it does not provide interception capabilities. This could stop the resale of foreign-hosted VPNs, instant message services, email, etc.

Finally, there is more detail about how intercepted data should be formatted and delivered (apparently this has caused problems under the existing law).

Encryption and decryption

Network operators must decrypt the intercepted communications if they have provided the encryption, but there is no obligation to do so if the encryption is provided by others.

What does this mean for providers such as Mega (file locker) or LastPass (password storage) who have a business model based on the fact that they supply a cloud product that uses encryption but have deliberately designed it so that they can not decrypt the files themselves? This gives users the assurance that they can trust them with their data. Will the government close them down unless they provide a backdoor into the system?

Network security

There is a major new role for the GCSB in overseeing the design and operation of commercially available data and voice communications networks.

The Bill says that network providers and the GCSB are to work co-operatively and collaboratively on identifying and addressing network risks. If they fail to cooperate sufficiently, the law provides for penalties of up to $500,000 with an additional $50,000 per day.

Network operators must notify the GCSB of any proposed decision, course of action or changes made by them in regards to purchases, network changes or ownership/control of the “specified security interest”. This includes their network operations centre (NOC), lawful intercept equipment, customer databases, databases of user accounts, and “any place where data aggregates in large volumes”.

The GCSB can also demand any other information about the security and interception capabilities of the network including copies of contracts, specifications, and so on. That the information is commercially sensitive or held in confidence is not a defense.

Compliance

All network operators will have to register themselves with the government. The register will be administered by the Police and available to the Police, SIS and GCSB.

The register will include the numbers of customers, names of responsible contact people within the organisation, the regions they operate in and the types of services they provide. Providers of infrastructure services (e.g. companies that provide fibre links but not the equipment for communicating over those links) will also have to give the names of their customers to the register. There are penalties for non-compliance.

The government can insist that communications providers must obtain secret-level security clearances for some of their staff. It does not say what will happen if none of the technical staff qualify for a security clearance.

Liability and protecting classified information

People who do any act in good faith under the new law will be protected from subsequent prosecution or lawsuits. i.e. the new law is superior to other NZ laws or existing contracts.

There is also a provision that allows the courts to receive classified information in a court case in the absence of the defendant or the defendant’s lawyer. This applies to information that might reveal details of the interception methods used by the surveillance agency or is about particular operations in relation to any of the functions of the surveillance agency, or is provided as secret information from the surveillance agencies of another country. It can also be used if that disclosure would prejudice security of NZ, prejudice the maintenance of law, or endanger the safety of any person. The judge in the case can appoint someone with an appropriate security clearance to represent the interests of the defendant for these parts of the trial.

Analysis and comment

The new TICS Bill is a major expansion of government power over the internet and other communications networks in New Zealand. While the existing TICA Act already mandated the provision of lawful intercept capabilities, handing over final control of network design and operation to the GCSB in the name of “security” seems incredibly wide and open ended.

Adding an additional level of government bureaucracy to the design and operation of these systems would appear to be a fairly significant hindrance to the ability of network operators to run their businesses.

There also must be concern about the GCSB being able to ban the resale of any services that do not provide lawful intercept capability. This means that New Zealanders will be prevented from protecting their communications from the New Zealand government – but equally they will be prevented from protecting their communications from foreign governments too. (We can safely assume that a foreign service that gives access to the NZ govt will also provide it to others.) These rules could wipe out businesses such as file lockers and password stores that rely on providing secure storage to their users.

One must ask where the justification for this expansion of power is coming from. Has New Zealand already been materially affected by attacks on our communications infrastructure? It seems clear that while the GCSB may not be that competent at exercising the powers they already have, they have done a fine job of convincing the government that they can handle a lot more.

There are many other parts of concern and there will need to be more analysis of the interception capabilities in conjunction with the new GCSB bill. One that does stick out as particularly offensive to civil liberties are the provisions for convicting people based on secret evidence. How can you defend yourself fairly when you can’t even find out the evidence presented against you?

We will be doing further work on analysing this bill and would welcome contributions, particularly from those within the industry who already have experience working with TICA requirements.

Guest Post: Hacking, Data, and You

The following is a guest post from someone who has established to us that they have good reason to remain anonymous.

Update: The NZITF has released some guidelines for coordinated disclosure in NZ.


Deliberately hacking into a system like this is a criminal offence.”

Judith Collins is not alone in taking the view that any use of a computer that retrieves more than it should is a criminal act. Each time another government agency is publicly mocked for yet another failure to handle information security competently, the outcry is always directed towards the “evildoers” who found the hole and exploited it.

Information security is not a trivial matter, it’s not easy and it’s very rare that any organisation actually has the in-house skills needed to deal with the multitude of new ways systems can be attacked. Worse, as was illustrated in the breach of MSD’s network, management do not pay attention to the possible damage even when the risks are plainly pointed out to them.

Hacking

It is worth noting that “hacking” is a term often thrown around in the media or by the public for acts which barely extend beyond the normal usage of a system. “Hacking’ is, if we believe the way the term is used, literally any unintended use of a system no matter how trivial or obvious. A significant part of my job is to imagine how people can attack systems, and to weigh up the likelihood of those attacks being successful. I am, in part, a hacker by those terms.

Faced with any system, my first instinct is to poke it and notice the details most people do not – it’s my job to notice and reason about those details. Most geeks will do it somewhat instinctively, not because they’re “evil” as much as certain people want to make us out to be, but just because it’s there and it’s interesting. Given an “open file” dialogue box they’re going to see what else they can open, just like happened at MSD.

What is then done with the knowledge is where things get harder to define.

Whisteblowing

Whistleblowing is a dangerous business. The whistleblower becomes part of the story, with their motives and character questioned both in the media and by politicians and civil servants desperate to distract attention from their own failings. For some people it can be the end of their career.

It should not be taken lightly. You will note this story is published under a pseudonym, I won’t be putting my name out there to be dragged into the wrath of an embarrassed Minister’s rage. My objective as a whistleblower may have been to get a security hole fixed so that others can’t exploit it, but that won’t matter once it’s a media story.

Equally, if you are blowing the whistle, you had better be sure your own actions were honourable and can be demonstrated to be so. You should expect any and all of your interaction with the organisation will now be released/leaked for public consumption. But how should you disclose the vulnerability in such a way that it gets fixed and your name doesn’t get dragged through the mud?

What do we want?

We need to decide what the desired outcome is. Do we want information to be secure and for people who discover flaws to feel comfortable in disclosing them so security can be improved? Or do we want people to be too scared to speak up, so that those flaws live on to be discovered and traded on the black market?

It is in society’s interests that systems and information are well protected. We should expect that promises given to keep information secure are met, and that disclosures of holes aren’t responded to with yet another series of excuses and blame shifting. You might not feel that a breach of any given system affects you, but if breaches are covered up there is very little incentive to fix them.

Good disclosure

What can organisations do to encourage good disclosure? The first is to have the right attitude to information security. There are simple steps that any organisation can take to ensure vulnerabilities discovered by the public are handled properly.

  • Make it obvious where people should report any vulnerabilities that they find. This is no different from any other emergency contact details or a feedback point in a website.
  • A clear, public, policy on vulnerability disclosure. What steps will be taken with a claim of a vulnerability, how should information obtained be handled, and so forth. This is as much about ensuring you have processes internally as it is about making it safer for people to disclose to you.
  • Ensure vulnerability reports are reviewed by staff who are capable of giving them expert consideration. You don’t want a half-garbled explanation trying to be handled by people without the depth of experience to see the problem and to speak the same language.

This, however, leads us to the thornier issue of what responsible disclosure and handling looks like. What does ethical hacking, if there is such a thing, actually consist of? There are no hard and fast rules about what is acceptable.

Even within the IT security field there is significant debate on whether organisations should be notified privately or whether ‘full [public] disclosure’ is the only way to get real change in security practices. And if you do go the private route, how long do you persist with it before you give up and go public?

Unlike a theoretical exploit against a system these are breaches which involve real data. That becomes much harder to make set of ethical guidelines about because fundamentally it’s a criminal act. And as we started out this post with, there are no end of people who will attempt to convict you for it. For that reason you had better have a lawyer and I should note that none of this post is intended as legal advice.

Take too much data, or exploit the system too often and your intent will be read as a criminal act. How much is “too much” is not easily identified either. Limiting the amount of information copied and limiting how often the breach is exploited may help.

“Responsible disclosure” states that at a minimum the organisation should be notified and given a chance to correct the problem, before public or “full” disclosure takes place. The point is that organisations who value information security will have good policies and clear contact points to deal with breaches and those organisations should be rewarded for doing so. The outcome is what everyone wants, better information security.

Disclosing to journalists or competitors is much less ethical if the original organisation has not been contacted. This is less true if they have been and they have dismissed the breach or failed to respond in an adequate time. Again, there are no hard rules about how long that should be. But in either case, this is a path that is almost certainly going to result in questions about your intent.

Extending the Protected Disclosures Act?

This is not a new problem. The law already recognises that there are times when people have a duty to breach an obligation they may have, and offers legal protection when they do so. The Protected Disclosures Act 1990 allows employees and other people inside an organisation to blow the whistle provided they act in accordance with a specific set of rules.

Perhaps it is time we had an IT vulnerability disclosure law that applies to people who are not employees. It would outline rules to follow when disclosing a vulnerability, and would provide legal protection as long as those rules were followed. The outcome would be that more holes can be discovered and fixed, thus improving the security of all our information.

What outcome do we want. Do we want vulnerabilities fixed, or points to be scored? I want my information secure, and I don’t care how that breach is discovered. I just want it fixed, and for all organisations to take information security seriously.

Anti cyber-bullying proposal marches on

A cabinet paper (PDF) shows that the Government has accepted most of the Law Commission’s proposals to control and punish cyber-bullying and other ‘digital harms’. This includes:

  • Clarification of existing laws such as the Harassment Act to explicitly say that they apply to modern communications technology.
  • Establishment of an agency (probably NetSafe) that will provide non-coercive mediation of online issues.
  • More encouragement of anti-bullying measures in schools.
  • New criminal offences for “using a communications device with the intention to cause harm” and “incitement to suicide”.
  • Establishment of a new regime with wide ranging censorship powers for controlling online speech, including new tighter standards for what speech is acceptable online.

One significant change is that the paper rejects the establishment of a separate Communications Tribunal (staffed by District Court judges with specialist knowledge in this area) in favour of passing it to the District Court as a whole. This would seem a step backwards in many ways as we question whether the average District Court judge is up to the task of understanding the technology involved.

Our response

Read our response to the Law Commission’s original proposals: What’s Wrong with the Communications (New Media) Bill and can it be fixed?

Many of these problems remain in the current proposal.

From a civil liberties point of view, the most serious concerns are around the idea that online speech should be held to a different and significantly higher standard than offline speech, a position we strongly object to. There is also a concern around why harming someone via online communication is seen as so much worse than other forms – it would make more sense to us to concentrate on the extent of the harm caused, not the means by which it was delivered.

From a purely practical point of view, when we consider the wide-ranging use of anonymity and foreign services on the internet, combined with the speed at which many situations blow up online, we still question how much good these proposals will be able to do.

Other Reactions

Our page listing reactions to the initial report.

No Right Turn reports that the proposal is the return of the offence of criminal libel:

Back in the dark ages, when spousal rape was legal and homosexuality was a crime, there was a criminal offence in this country of “criminal libel”. Publishing material “designed to insult any person or likely to injure his reputation by exposing him to hatred, contempt and ridicule” wasn’t just a matter for defamation lawyers; it was a crime punishable by two years imprisonment. The law was clearly incompatible with the Bill of Rights Act (not to mention with modern ideas about defamation being a tort), and so it was repealed in 1992. Now Judith Collins wants to bring it back – but only on the internet.

Lawyer Steven Price points out some of the hurdles you’ll have to get over to actually use the new new censorship regime and then questions the wisdom of handing over decision making around some complex technical and Bill of Rights issues to the next District Court judge off the bench.

Blogger David Farrar generally favours the proposal but questions the communications principles.

InternetNZ points out that the proposal has some worrying flaws.

Do New Zealanders want web-based email services to be subject to take-down orders? Do people understand that such orders, as outlined in the Cabinet paper, could be based on lower legal standards than is the case today – and could be imposed on people without them being part of the Court’s proceedings?

Vikram Kumar worries that the proposals will cause collateral damage to the NZ internet.

NZ Herald editorial in favour.

Update on NZ Police use of aerial surveillance drones

We’ve been keeping track of the Police use of new surveillance and tracking technology. We asked them what they’ve been doing with drones and here are the more interesting/informative answers (Police letter, 19th February 2013):

  • The Police currently have one aerial drone.
  • They don’t have a specific budget for it and claim not to know how much they’ve spent on it so far.
  • They say that they can use it for tracking people and cars but promise to do it in accordance with the Search & Surveillance Act. We note that our interpretation of this says that they need a tracking warrant to use an electronic tracking system but we don’t know if the Police agree with this.
  • The Police believe that their current policy concerning video recording operations and events also covers their use of drones.
  • The Police have been contacted by the Privacy Commissioner re their use of drones and will be meeting with them soon.
  • The Police expect their drone trials to finish by the end of 2013.

You may also wish to read this article about drones by David Beatson at NZ Pundit.

We’re going to be following up to get more information. If there’s any questions you want asked, please leave them in the comments.

NZTA’s passive electronic tracking system

Updated: see note below. Further updated 13/8/2013 to add commentary about the security of hashing. Further updated 5/11/2014 to link to NZTA letter showing that data is being shared with CERA, Police and Ministry of Transport.

One of the issues with modern technology when it comes to privacy and tracking is that it isn’t always obvious what data we should be worrying about.

The latest example of this is the NZTA’s trial of a passive monitoring system called Blip Track to monitor traffic congestion on the Puhoi to Warkworth road.

The BlipTrack system relies on the Bluetooth functionality built in to many mobile phones and related accessories, car stereos, and mapping devices. Each Bluetooth device broadcasts a unique MAC address if the device is set to be visible. By detecting the same MAC address at different locations, the Blip Track system can work out how long it took for the device to travel between the two points and therefore make some assumptions about how congested the road is. (See the BECA report (PDF) for more information about how the system works.)

With mobile phones being very personal devices that we tend to carry everywhere we go, it seemed obvious to us that this sort of technology could be used to track people. We asked NZTA about this and their response was:

We do not consider that the Privacy Act 1993 applies. This is because the information collected is not personal information.

NZTA declined to give us a copy of the legal advice they have received on the privacy issues.

The BECA report linked before also touches on the topic:

Although there may be potential sensitivities for using Bluetooth, the MAC address numbers can only be identified / observed if the Bluetooth device is active and the privacy settings have been set to allow it (i.e. the Bluetooth is set to ‘visible’). Also, unlike number plates or cell phone IDE numbers, there is no way of tracking the MAC address number back to the owner as there are a variety of types of device with Bluetooth, and no database matching these devices to their owners.

What is “personal information”?

The Privacy Commissioner defines personal information as follows:

Information about a living human being. The information needs to identify that person, or be capable of identifying that person.

While the Bluetooth MAC address can’t be used to work out who someone is, that’s not to say that someone who already has a person’s MAC address can’t use it to find out where they’ve been. For example, an NZTA employee with access to the database could look up the MAC address of their partner’s mobile phone to see if they were telling the truth about where they were last night.

We reject NZTA’s interpretation; we believe that the Bluetooth unique identifier is personal information, that the NZTA is collecting it without consent and storing it without permission. This is in breach of the Privacy Act.

We also note that there is no need to store the unique Bluetooth address in the database after the match has been made. Anonymising this would remove much of the potential for misuse. (See Update below.)

Sharing data with law enforcement

More interestingly, this data could also be made available to the Police. While the Police are limited by the Search & Surveillance Act in the use of electronic tracking systems, is there anything stopping them from asking NZTA to look up their database?

Of course, even if NZTA did count it as personal information, we note that the Privacy Act has some very large holes when it comes to sharing data with the Police and provides no real oversight of such sharing.

Conclusion

We’re not trying to say NZTA are bad people or that what they are doing is particularly wrong. They’re currently using the technology for a reasonable purpose and at least already have some protocols around what data they can share with other agencies.

However, even though they’ve tried to think about the privacy implications of the technology they’re using, they still haven’t fully understood the risks of collecting and storing data of this type.

The technology involved in this type passive tracking system is continually getting cheaper. It would make perfect sense for NZTA to extend it across the road network to help them with their planning. At the same time, this would establish a national database that would enable NZTA or anyone else with access to it to track people. In particular this data could be made available to the Police with no significant oversight.

We believe that our privacy and data collection/sharing laws need to be updated to take account of new technologies and the power of big data.

Update

We have been sent further information (PDF) about the BlipTrack system. From the document:

When a BlipTrack™ sensor detects a Bluetooth Device in its proximity, the sensor will generate a one way hash code from the Bluetooth address of the detected device using a SHA-256 algorithm. Only Bluetooth hash codes are transmitted to the central server. There is no way to revert hash codes back to real Bluetooth addresses, thereby preventing access to the Bluetooth MAC addresses of the tracked devices.

In case the BlipTrack™ data was compromised, the attacker could try to correlate data between multiple systems and possibly, over time, be able to link a hash code of a Bluetooth device address to a record in another system, that could contain user information. To prevent this, BlipTrack supports Re-Hashing of Bluetooth Address device Hashes. By Re-Hashing the Hash codes using a new salt on a daily basis, a detected Bluetooth device will only have the same hash code for one day. The next day that user will be seen as a new user.

However, people familiar with this type of cryptography expressed grave doubt that the protections outlined would be sufficient to protect the information from even basic attacks. Details of the BlipTrack implementation are vague, but the number of possible MAC addresses are small making it likely that without very careful precautions a brute-force attack against the hash using modern computers could reveal all the original MAC addresses even for days when the salt is not accessible.

BlipTrack, in an example of having their cake and eating it too, then go on to claim that MAC addresses do not link to personal user information. If this was the case, you might wonder why they go to such lengths to stop them being available in their database. More to the point, we’ve already explained why we believe that they are personal information in the terms of the Privacy Act – and therefore would require permission to capture them in the first place.

 

Update 2

In response to an OIA request (PDF), NZTA has revealed that BlipTrack data has been shared with NZ Police, CERA and the Ministry of Transport. They say that this is just aggregated statistical data.

RIANZ withdraws again and copyright notices insufficient

Three brief items about the Copyright Act and the Copyright Tribunal:

1. RIANZ withdraws from another defended hearing

Another defended hearing was scheduled to go to the Copyright Tribunal this month but RIANZ has withdrawn the complaint (info from phone call to Copyright Tribunal). No further details of the case are known, so was it another fatally flawed case like the first withdrawn case or is RIANZ just not prepared to fly down to Christchurch to appear before the Tribunal?

2. Second Copyright Tribunal Decision

A second decision has been made with the Copyright Tribunal ordering a 50 year old father to pay $557 to RIANZ for sharing two songs (one twice). As in the last judgement, the evidence would appear to show that the defendant did not really understand the process nor what they had been accused of – rather it seems likely that their 8 and 12 year old sons might have done it. There is also evidence to show that they didn’t understand the first two notices they received enough to be able to take action to prevent the third enforcement notice.

3. Copyright Act working as intended – kind of

Finally we come to a case where the Copyright Act did work as intended – but only after the intervention of Tech Liberty. We received a communication from someone who had received an initial detection notice.

Just got this and as a 52 year old single mum I can’t understand what they mean about that the alleged infringed song has been communicated to the public? Is the infringement about the song being downloaded of shared publicly or both? I’m horribly confused. My teenage daughter says she can’t stand the song and I don’t even know the song. Perhaps my older 2 adult children or my boarders have done this? Any advice would be very much appreciated.

Her confusion is quite understandable when you look at the notice (identifying details removed):

Notice Number: xxxxxxxxx
Infringement Notice Date: xxxxxx
Notice Type: Detection Notice
Infringing IP Address: xxx.xxx.xxx.xxx
Infringing Date: xx/xx/xx
Name of the file: Chris Brown – Beautiful People.mp3
Unique identity of the file:
Copyright Owner: Sony Music Entertainment Incorporated
Type of Copyright Work: Sound recording (14(1)(b))
Restricted Act: Copyright has been infringed by this account holder communicating the work to the public (16(1)(f))
File Sharing Application: Azureus 4.5.0.4

What is this meant to mean to someone who doesn’t understand what file sharing is? The information included by Slingshot may have explained the law but made a very poor effort at explaining what she was accused of. We rewrote it for her:

They’re saying that someone at your house has installed a piece of software called Azureus (also called Vuze) and they’ve used that to download a song called Beautiful People by Chris Brown. The Azureus software not only downloads the song, it also uploads it to other people who want it (this is why it’s called peer to peer file sharing). Sony/RIANZ have detected this upload and have made a complaint to Slingshot who have passed it on to you.

The response came quickly:

Thank you so much for getting back to me and for taking the time and all the information, very much appreciated. :) I have found out that one of my son’s friends has done this and he says he won’t do it again. He is a good family friend so thats fine. I will get the guys to delete the Azurus or Vuse and to check for any other peer to peer programs.

Surely a good outcome for RIANZ with a junior copyright infringer stopped after the first warning.

But it seems that the current format of the notices is not good enough. Non-technical people don’t understand what they’re accused of and have no idea what they should do to stop it happening again. And, after all, it’s often the non-technical people who are the account holders while someone else sharing the same account may be the one doing the infringing.

It seems clear from these first few cases that the notices need to be improved so that they do a better job of explaining both the accusation and what they need to do to stop it happening again.

First Copyright Tribunal case demonstrates flaws in the law

The first decision from the Copyright Tribunal has now been announced and RIANZ has been successful in getting a penalty of $616.57 awarded to them. Read the text of the decision linked from this NBR article.

Facts of the Case

The respondent admits to downloading one of the tracks using uTorrent but seems confused as to how she could have received two notices for downloading it twice (she’s actually been accused of uploading it). She also acknowledges that she was in the wrong and goes on to say that she had deleted the track and removed the software from her computer.

The respondent also denies having downloaded the second track and says that she also doesn’t think anyone else in her household would have done it.

The decision

The respondent has been ordered to pay $616.57 to RIANZ (the applicant) calculated as:

  • $6.57 as the cost of buying the three tracks on iTunes.
  • $50 towards the $75 cost of the three notices.
  • $200 to reimburse the Copyright Tribunal fee.
  • $360 ($120 per track) as a deterrent.

Commentary

The respondent’s perspective

From reading the quotes from the respondent’s submission, as far as they’re concerned they got penalised $616.57 for downloading a single song. (They got two notices for that song because it was being uploaded as well, and they deny ever downloading or sharing the song mentioned in the final notice.)

Anonymity

The Copyright Tribunal does not publish the name of the respondent accused of copyright infringement. This will be a relief to the other 11 people waiting for their decisions.

Ignorance about filesharing

It seems clear from the quoted part of the respondent’s submission that they have no real idea about how file sharing via bittorrent works. RIANZ and the Tribunal both also seem somewhat blind to the reality that a default uTorrent installation will set itselt to automatically restart whenever the computer is restarted, and will thus keep sharing until stopped.

Can’t prove a negative

The Tribunal basically ignores the respondent denying that they downloaded the second track, saying that the law presumes that the notices are correct and that the respondent must show evidence that this is not true. The great difficulty involved in trying to prove that something didn’t happen is not touched on by the Tribunal.

Quality of notices

The decision includes no discussion of the quality of the notices. This is disappointing as all of the notices we have seen to date have been flawed in one or more ways.

We also note that the second notice was sent on 19th June while the third notice was sent on 30th July. This means that the infringement would have had to have occurred between the 19th of July and the 30th of July to not have occurred during the stand down period. The timing looks a bit tight but the date of the infringement is not given in the decision.

Tribunal rejects RIANZ creative maths

The Tribunal rejected RIANZ’s attempt to rewrite the law by making up numbers about how many times the tracks might been uploaded and then arguing that the respondent should have to pay that many times for each track. However, the Tribunal did allow that uploading might be taken into account when calculating the deterrent penalty.

Tribunal rejects RIANZ arguments re flagrancy

RIANZ claimed that a) installing uTorrent, b) infringing over 8 months, c) repeated infringement, indicated flagrancy and therefore a heavy penalty. The Tribunal noted that these will be common to nearly all cases appearing before the Tribunal and therefore the behaviour could not be seen to be particularly flagrant.

Tribunal ignores apology and efforts to stop file sharing

While the Tribunal notes that the respondent acknowledged wrongdoing, apologised and attempted to stop file sharing (possibly being defeated by lack of technical understanding), they do not seem to acknowledge this when setting the deterrent penalty.

Deterrent penalty

The Tribunal seems to have made up the principle that the deterrent penalty should be higher than the part of the penalty concerned with reimbursement, and therefore arbitrarily adds on another $360 ($120 per infringement). There is no acknowledgement that for many people a penalty of $256 is already a significant punishment.

Do they now have a license?

The decision does not establish whether the respondent now has a license to possess the music in question after paying the cost of buying it in iTunes as part of the penalty.

Conclusion

On the face of it this decision isn’t too bad. The respondent admits they copied some music and the guilty judgement has apeared with minimum fuss and legal expenses. There was no possibility of their internet connection being disconnected – although we suspect that the respondent will be very reluctant to have their name on an internet account in the future.

This decision sets a benchmark penalty of approximately $600 for a typical infringing file-sharing case appearing before the Tribunal. While low compared to the ludicrous sums awarded by US courts (e.g. US$12,500 per track award awarded against Tenenbaum for a total of US$675,000) it seems high compared to penalties for some other NZ offences. Accordingly we think that this amount is still too high for what is infringement on a very small scale with someone who admits guilt, apologises and tries to stop file sharing.

Flawed law

However, this case once again demonstrates two of the key weaknesses of the law:

  1. There is no way to prove your innocence. No one in New Zealand keeps the kind of detailed network logs that would be necessary to prove that you hadn’t done what you were accused of. All you can do is assert that you didn’t do it and the Tribunal has just shown that they will ignore this.
  2. The responsibility falls on the account holder, not the people using the internet to infringe copyright. In this case the respondent admitted she had downloaded the first track, apologised and had taken steps to stop it happening again. She denied downloading the third track that triggered off the penalty and suggested that someone else might have done it. Obviously we can’t know if she was telling the truth, but the reality is that most internet connections are shared and this could easily happen.

These two points are going to come up again and again. It seems certain that in many cases justice will not be done, with the account holder taking the fall for sloppy detective work on the part of RIANZ and the ISP, or the actions of other people sharing their internet account (see another case involving shared internet use).

We believe the law is unjust and needs to be dropped before too many people are punished for things that they didn’t do.

Copyright Act – IPAP Reports

When the new three-strikes copyright infringement scheme was implemented, it included section 122T that imposed some obligations on IPAPs (ISPs) to collect and retain data, and publish an annual report. As Sam Russell reminded us today, the first of these reports was due by 31st December 2012 for the period 1st October to 30th September.

Here’s the reports we know of:

  • Actrix – the most minimal report yet (but claim that they received no notices).
  • DTS – no complaints received.
  • Maxnet – no complaints received and a very minimal report (bottom of page).
  • Orcon – received 234 complaints, sent 198 notices, received 16 challenges.
  • Slingshot (PDF) – received 473 complaints, sent 398 notices, received 14 challenges.
  • Telecom – takes a very minimal approach, just states it has complied.
  • TelstraClear – received 818 complaints, issued 540 notices, received 25 challenges.
  • Vodafone – received 538 complaints, issued 350 notices, received 21 challenges.
  • Xtreme – received 2 complaints, issued 0 notices.

We have asked 2 Degrees, Compass, Inspire, Snap, Vocus, and Xnet where their reports are.

We’ll add more as we find them and do some collation/analysis when we have enough. One thing that is noticeable is that very few of the notices are being challenged by the recipients.

Police use of new surveillance technology

The NZ Police are continuing to expand their use of technology to watch and track people in New Zealand. We’ve already discussed automated number plate recognition, but information has emerged about two new initiatives:

The first is Signal – a tool used to scan and collate publicly availably data from multiple social media sites such as Twitter, Facebook and Youtube. This data can then be analysed to establish connections between people and events, and was used during the Rugby World Cup to monitor both boy racers and political protesters.

The second is the trialling of aerial surveillance drones. As part of the trials they have already been used in some Police investigations.

We’re not reflexively opposed to the NZ Police using tools to do their job better, but we do have some concerns about how they can be used to infringe our rights to go about our lawful business without unwarranted surveillance and tracking. We believe that it is not healthy in a democratic society for our every movement and action to be monitored, stored and analysed by the government.

We’ve made requests to the Police for more information about both of these initiatives and will report more once we receive it.

General Principles

One thing that is of concern is that the Police seem to be being quite secretive about their use of technology. It seems that they wait for someone to find out about it before releasing information in dribs and drabs, sometimes after prompting from the Ombudsman. If the Police aren’t proud of what they’re doing to more efficiently fight crime, perhaps they shouldn’t be doing it at all.

A second concern is that our laws, even including the new Search & Surveillance Act, might already be out of date when it comes to the Police use of such technology. For example, are there any controls on amassing publicly available data to such an extent that modern data analysis software can make some assumptions about very private behaviour?

We’d like to see two things:

  1. The NZ Police taking a more proactive role in disclosing what they are doing and how they are doing it. They may even wish to do more consulting with community groups and watchdogs such as Tech Liberty and the NZ Council for Civil Liberties.
  2. Work on a new set of standards and principles to inform the Police’s (and other agencies) use of new technology and “big data” systems. These should cover data integrity, retention, security, auditing and notification. This is something that Tech Liberty is currently working on.

Presentation to Kiwicon 6, 2012

Edited text of the presentation given at Kiwicon 2012 (“New Zealand’s Hacker Con”) by Tech Liberty co-founder Thomas Beagle.

Do not ask for whom the panopticon watches, it watches for thee

My name is Thomas Beagle and I’m from Tech Liberty. We’re a New Zealand lobby group dedicated to protecting civil liberties in the digital age.

I’m going to survey some of the political issues that affect our civil liberties before talking in a bit more depth about where we’re up to with mass surveillance in New Zealand.

Continue reading Presentation to Kiwicon 6, 2012