Adam Bennett

Adam is a political reporter for the New Zealand Herald.

Spying on NZ: Law widens net for snooping

Telco legislation works hand in glove with GCSB bill to broaden Govt access to communications networks.

The web offers us the chance to interact with others across the globe who share the same interests and passions. Photo / Greg Bowker
The web offers us the chance to interact with others across the globe who share the same interests and passions. Photo / Greg Bowker

Like a wild west frontier town, the internet has grown quickly into an unruly place offering all manner of opportunities - and hazards.

The web offers us the chance to interact with others across the globe who share the same interests and passions. But since the terrorist attacks of September 11, 2001, in America it's become clear that some of these interests and passions run counter to what Western governments consider to be their interests and they have sought to strengthen their oversight of cyberspace.

The Kim Dotcom case has exposed legislative issues that pose problems to the New Zealand Government in exercising internet surveillance.

The legislative response to the Dotcom debacle goes beyond clarifying the Government Communications Security Bureau's powers to allow it to spy on New Zealanders.

To do that effectively the GCSB and other surveillance agencies need the ability under law to plug into all the networks and communications services available.

At present it is limited in its scope to do that.

The Telecommunications (Interception Capability and Security) - (TICS) - Bill gives Communications Minister Amy Adams sweeping new powers to widen the net.

MPs will tomorrow begin hearing submissions on the bill, which works hand in glove with the GCSB bill.

One half of the TICS bill deals with surveillance agencies' access to telecommunications networks to do their work. The other half sets out a new compulsory regime for telco companies to work with the GCSB to ensure their networks and users are secured against unauthorised access or disruption. This part of the bill is a response to the increasing risk of cyberattack or espionage of a security or commercial nature.

But while the telco industry is welcoming measures in the bill that will reduce the obligations and costs on some companies, internet freedom advocates say the legislation will allow the Government to impose those obligations on a wider group of companies at the stroke of a pen and without due oversight.

Furthermore, they argue that some obligations, particularly those around encrypted communications offered by a rising number of providers, will be impossible to meet and that could lead to services such as Apple's iPhone to iPhone iMessage service being withdrawn from New Zealand or even banned.

Interception goes 'over the top'

When they have a warrant or appropriate legal authorisation, the GCSB and other surveillance agencies can at present plug into the arteries of New Zealand's communications infrastructure via the major telcos such as Telecom and Vodafone.

The law requires different network operators to offer different levels of interception capabilities to surveillance agencies, depending on the size of their customer base. The obligations range from full interception capability down to being "intercept ready" and "intercept accessible".

The requirements include points at which equipment can tap into the physical network, climate-controlled space for the agencies' equipment, and that the company has an employee with a suitable security clearance who will deal with the agency.

But access just to network operators' systems is no longer enough, given the way technology and usage patterns have changed.

Network operators are losing more and more business to "over-the-top" services such as Skype and internet-based message services which run on their infrastructure but are provided by others. While the law now only puts interception obligations on network operators, the new bill will remove that constraint so that if necessary those over-the-top communications can be intercepted.

That is done through the controversial "deem in" power it gives to Ms Adams and her successors.

Ms Adams will be able to make a ministerial direction that any service provider must make communications carried over its system accessible to the agency. The minister can make that order if an enforcement agency believes a lack of interception capability at the service provider represents a national security or law enforcement issue. An entire class or type of service provider such as all voice-over-internet service providers could have interception obligations placed on them for the same reasons by way of regulation or an order-in-council.

Those obligations may apply to foreign service providers such as Microsoft's Skype and its messaging services, as well as Apple and Google.

Overseas companies such as Microsoft, whose services are resold in NZ by the likes of Telecom, can in theory be banned altogether by ministerial direction if they don't comply with interception obligations.

But the bill remains unclear as to whether interception obligations for such companies will require them to decode encrypted communications.

Kim Dotcom's Mega, which uses the privacy provided by its encryption service as a selling point, argues it could not decrypt users' information even if it wanted to and wants the bill changed to clarify the issue.

The legislation also gives the Cabinet the power to decide by regulation that agencies other than the GCSB, SIS and police are enforcement agencies for the purpose of the bill, allowing them to request that particular service providers have interception obligations placed on them.

Network security

The bill introduces a new system for ensuring the security of New Zealand's communications networks.

This appears to have been at least partly driven by concerns that some providers of telco equipment, such as China's Huawei, may be incorporating covert features that allow unauthorised interception of data.

It requires network operators to consult the GCSB on network security issues during the design, building and operation of their systems.

Both industry and internet freedom advocates have slammed this section as essentially giving the GCSB a veto over the design and operation of NZ's communications systems.

Enforcement

The bill introduces a new compliance and enforcement regime to compel network operators and service providers to meet their obligations. The enforcement regime is graduated, ranging from breach notices for minor issues to financial penalties of up to $500,000 plus $50,000 for each day companies are in breach of their interception or network security obligations.

It also compels network operators to sign on to a new register which is to be maintained by the police.

More controversially it introduces measures to prevent classified information being disclosed when infringements are dealt with in court.

This "secret evidence" provision has sparked concerns from the Law Society and Tech Liberty. It allows for evidence to be given in the absence of the defendant and their lawyers if that evidence is sensitive from a security perspective.

Overhaul sparks privacy concerns

The overhaul of New Zealand's intelligence and security legislation that the TICS bill is part of was sparked by revelations of illegal GCSB spying that followed the police raid on internet entrepreneur Kim Dotcom's home.

Mr Dotcom's Mega is one of the TICS bill's more vociferous opponents.

In its submission, Mega chief executive and former Internet NZ chief executive Vikram Kumar recommends that service providers like his company, which appear to be the bill's main target, be excluded entirely.

Failing that, Mr Kumar says that if the Government gives itself the "deem-in" powers to place interception obligations on businesses such as Mega, there should be a higher test before that happens.

In Internet NZ's submission, acting chief executive Jordan Carter says it is concerned the deem-in provisions do not have sufficient checks and balances to protect privacy and notes the bill's regulatory impact statement does not consider human rights, particularly the right to privacy.

Internet NZ also wants the minister to publicly report on the number of interception requests made each year to network operators and service providers.

Internet freedom advocate Tech Liberty wants a list of service providers which have interception obligations placed on them to be regularly published.

- NZ Herald

Your views

© Copyright 2014, APN New Zealand Limited

Assembled by: (static) on red akl_n4 at 19 Sep 2014 20:38:01 Processing Time: 687ms