Denis Tegg: Loophole that legalises official snooping

104 comments

GCSB must tell us how it interprets the rules intended to control its spying on New Zealanders.

The US and UK, which share information from the Waihopai Valley Satellite Station, have fought in court against privacy rules. Photo / Mark Mitchell
The US and UK, which share information from the Waihopai Valley Satellite Station, have fought in court against privacy rules. Photo / Mark Mitchell

We have been assured repeatedly by the Prime Minister that the Government Communications Security Bureau (GCSB) cannot spy on New Zealanders without a warrant.

But what if the greatly enhanced knowledge we have gained from Edward Snowden's disclosures of mass global surveillance has left New Zealanders nakedly exposed to lawful warrant-less spying on their internet communications by the GCSB?

That perverse and deeply disturbing outcome for New Zealanders' privacy and democratic freedoms has been overlooked by commentators on state surveillance since the GCSB Act was passed in September 2013.

The Snowden revelations of the last 12 months mean that most of us have greatly increased expectations that our emails, phone calls and online activity will be intercepted. A Stuff.co.nz/Ipsos poll, of June 21 shows 71.6 per cent of New Zealanders believe United States spy agencies are gathering data on them.

These raised expectations that our communications will be intercepted profoundly affects the legal interpretation of a critical phrase, "private communications", in the GCSB Act.

The phrase is critical because it is supposed to provide protection for New Zealanders against the GCSB's intelligence-gathering powers (section 8B), and warrant-less interception powers (section 16).

Under the GCSB Act a communication can be "private", and therefore protected from interception, only if one of the parties has a "reasonable expectation" that their communication will not be intercepted by some other person. A "reasonable expectation" in this context is not about privacy in the wider meaning of that term, or about loss of privacy.

Defining "reasonable expectation" in the GCSB Act requires a much narrower and focused enquiry - as to whether the communication will be intercepted. It is irrelevant whether the interception occurs overseas or within New Zealand.

The Snowden revelations have helped turn this critical phrase in the GCSB Act, which is supposed to safeguard our democratic freedoms and privacy, into a contrivance which works contrarily to largely extinguish those protections. Lawful warrant-less surveillance of New Zealanders by the GCSB is possible.

No amount of oversight after the event can protect the public if the GCSB is lawfully exploiting a legal loophole.

Would the public ever know the GCSB was exploiting these legal flaws in this manner? They would not. The GCSB's legal advice and internal operations are kept highly secret.
If the interception of everyday communications is deemed by the GCSB to be not private, and therefore legal, then no warrant is required from either the Prime Minister or The Commissioner of Security Warrants.

Warrant-less interception is possible, no register need be kept, and any audit by the Inspector General of Intelligence and Security would confirm legal compliance. The GCSB could also lawfully request any Five Eyes partners or other foreign intelligence agency to share data it holds on New Zealanders.

The Government has known about this legal loophole but has chosen not to close it. In 2010, the Law Commission Stage 3 Report on Privacy pointed out that the definition of "private communication" in the criminal law was outdated and seriously flawed.

In June 2013, submissions from the New Zealand Law Society and Court of Appeal judge Sir Grant Hammond on behalf of the Legislation Advisory Committee (LAC), both raised serious concerns about the phrase "private communications" in the GCSB Bill.

Sir Grant took his concerns to the media, where he stated: "The definition of the term 'private communications' within the protection clause of the bill was not clear and, because it was central to the protections in the bill, it needed further work.
"It's a trigger provision. A lot of other things turn on it."

Both the Law Society and Sir Grant strongly submitted that the phrase be strengthened to take account of changes in technology and community expectations of privacy.

"The LAC suggests that the definition of "private communication" be revised to better reflect the level of communications, information and data privacy that New Zealanders may reasonably expect."

The Prime Minister's Office acknowledged that New Zealanders' metadata and content would not always meet the legal test for a "private" communication, and could in some circumstances be intercepted.

But the Government would not agree to delay the Bill until a precise and protective definition was established. Instead the Bill was rushed through Parliament with a two-vote majority - including that of MP Peter Dunne.

Mr Dunne gave his support in return for a commitment from the Government to review the definition of "private communication", stating this is "what I have ensured will happen as a priority".

A year later, the review has not even begun, and the Government has delayed any review indefinitely.

Edward Snowden has stated that New Zealand was one of the countries to which the US and UK spy agencies provided "legal guidance" on how to degrade its legal protections and enable mass surveillance.

In written testimony to the European Parliament, Snowden said: "Lawyers from the NSA (National Security Agency), as well as the UK's GCHQ, work very hard to search for loopholes in laws and constitutional protections that they can use to justify indiscriminate, dragnet surveillance operations that were at best unwittingly authorised by lawmakers. These efforts to interpret new powers out of vague laws is an intentional strategy to avoid public opposition."

This context explains why the Government has rushed through radical changes to the GCSB Act knowing full well that a critical definition was deeply flawed, and explains why it has then reneged on a promised "urgent" review and delayed it indefinitely. The intention is clear - the GCSB wishes to retain the current definition of "private communications" and with it "loopholes in laws and constitutional protections that they can use to justify indiscriminate, dragnet surveillance operations".

We know from Snowden's disclosures that the NSA, with assistance from its Five Eyes spy partners - the UK, Canada, Australia, and New Zealand, now intercepts (and in some cases stores) emails, calls and internet activity on a global basis.

Some 95 per cent of all New Zealand's internet traffic passes, via the Southern Cross undersea cable, to the US, where it may be lawfully intercepted as "foreign intelligence".

In many cases this will include communications between two people in New Zealand.
The NSA has Network Security Agreements with scores of cable companies worldwide, including Telstra in Australia. These agreements compel the cable companies to grant access to all the data on their cables when they land on US territory. The company previously known as Telecom New Zealand, which half owns the Southern Cross cable, has confirmed that once its cable entered US territory, it is legally obliged to co-operate with US laws.

One of Snowden's documents suggests that the NSA has a broad no-spying agreement with New Zealand and the other Second Party/Five Eyes partners. But spying on citizens of Second Party nations, such as New Zealand, is possible with "additional approval".
In other documents released by Snowden, the phone, internet and email records of UK citizens not suspected of any wrongdoing have been analysed and stored by the NSA under a secret deal with UK intelligence officials.

The Snowden revelations have confirmed that the spy agencies:
• Have direct access to Google, Apple, Facebook and Yahoo data
• Intercept data on fibreoptic cables on a global scale
• Unlock encryption, and monitor banking and credit card information
• Collect email address books and millions of text messages daily
• May target New Zealand citizens without New Zealand Government knowledge or consent
• Infect computer hardware with malicious malware to allow spying
• Intercept webcam and other images
• Collect and store phone conversations for whole nations "word for word"

The mission of the Five Eyes partners has been articulated in a briefing as mass surveillance where, globally, the spy agencies "know it all, partner it all, collect it all, and exploit it all".

Some might believe the GCSB would never attempt to exploit a loophole in the law in this manner. The legal stance taken by the US and UK intelligence agencies suggests otherwise.

The US authorities recently successfully contended in court that customers of Lavabit, an encrypted email service, still did not have a reasonable expectation that their emails would not be intercepted.

The US Department of Justice has just argued in another case before the US courts that "the privacy rights of US persons in international communications are significantly diminished, if not completely eliminated, when those communications have been transmitted to or obtained from non-US persons located outside the United States".

A loophole allowing the NSA to carry out warrant-less spying on Americans has been revealed in this Washington Post article.

The US Government also argues that Americans cannot expect that their private communications will not be intercepted by the NSA, when intelligence services of so many other countries might be monitoring those communications too.

In the UK, Britain's top counter-terrorism official has been forced by a legal challenge to attempt to legally justifying the unwarranted mass surveillance of every Facebook, Twitter, YouTube and Google user in the UK.

The legal sophistry advanced includes suggesting that two British users messaging each other on Facebook are not communicating with each other but with the "platform". Even when privacy violations happen, it is not an "active intrusion" because the analyst reading or listening to an individual's communication will inevitably "forget" about it anyway.

When the US and UK authorities use such dubious legal justifications, we should not be surprised if the GCSB interprets New Zealand law to facilitate warrant-less interception of our emails, phone calls and online activity.

Assume that the GCSB has targeted a prominent New Zealand citizen for surveillance. This person has a clean criminal record and no links to any terrorist or cybercriminal group. People with a similar profile have been subject to surveillance in the US.

A GCSB intelligence analyst has access to a NSA-developed computer data search program called XKeyscore. XKeyscore enables a single search to query "all unfiltered data", including mass harvested email addresses, phone numbers, online chat, social media activity, web-based email and attachments, sent to or stored at 150 global sites, on 700 database servers.

Disclosures confirm that GCSB staff has been briefed on the use of XKeyscore, and that at least one XKeyscore terminal is located in New Zealand.

A Five Eyes 2010 guide explains that analysts can begin surveillance on anyone by clicking a few simple pull-down menus designed to provide both legal and targeting justifications. The analyst clicks on "Target has no reasonable expectation that communications will not be intercepted - not a private communication" and retrieves the data.

While the GCSB and the Inspector-General may possibly carry out audits of such searches, the GCSB Act does not compel either of them to make public any record of warrant-less interceptions, which are deemed to be lawful.

We know that the GCSB bungled the Dotcom case by unlawfully spying on a New Zealand resident. The Kitteridge Report identified legal non-compliance as the root cause of its failings.

New Zealanders' privacy and democratic freedoms will always remain under threat from non-compliance. But the real danger lies right under our noses in the revised GCSB Act, and in the exploitation of acknowledged loopholes which permit lawful warrant-less surveillance of New Zealanders.

The solution is clear. The GCSB must release its internal legal manuals, and the legal opinions it has received. The USA's spy agency did so in November 2013. Carefully crafted semantics, denials and obfuscation from the GCSB and the Prime Minister will not suffice. Only when the public have seen the legal manuals and opinions can they judge whether or not the GCSB considers it has the power to lawfully spy on New Zealanders without a warrant.

* Denis Tegg is a Thames lawyer with an interest in state surveillance and the erosion of civil liberties.

Debate on this article is now closed.

- NZ Herald

Sort by
  • Oldest

© Copyright 2014, APN New Zealand Limited

Assembled by: (static) on red akl_a3 at 23 Sep 2014 03:29:57 Processing Time: 336ms