Helping spies break through hi-tech barriers
Big brother has a little brother.
Another spy bill controversy is brewing as the Government's Telecommunications Interception Capability and Security Bill returns to Parliament later this month.
Protesters marched in the street, and filled town halls, in opposition to the Government Communications Security Bureau Bill, which gave the agency the right to spy on Kiwis. It was passed, with a one-vote majority, in August.
The more technical TICS Bill will compel telecommunication firms to assist intelligence agencies in intercepting and decrypting phone calls, texts and emails.
The Government argues it is necessary to replace a decade-old law to keep pace with technology.
Critics say the bill is authoritarian and intrudes on privacy and civil rights, and limits internet freedom.
WHAT DOES THIS BILL DO?
The bill has two parts - interception and network security.
Broadly, it will compel telecommunications firms and online service providers to give "surveillance agencies" (the police, Security and Intelligence Service (SIS) and the GCSB) access to their clients' communications.
Telcos must also consult with the GCSB when developing new infrastructure and networks to lessen the risk of cyber attacks and espionage. The bill will replace the Telecommunications (Interception Capability) Act 2004.
WHO DOES IT APPLY TO?
It places different requirements on network operators depending on how many customers they have.
Full interception capability will apply to the bigger telcos (with more than 4000 customers over a six-month period) like Telecom and Vodafone. Others must be "intercept ready" and "intercept accessible". Obligations include allowing for equipment to plug into the network, and ensuring staff are trained and have suitable security clearance.
This will cost the companies tens of thousands of dollars - which will inevitably be passed on to the customers.
In certain circumstances, the requirements can be applied to "Over The Top" (OTT) services - such as Skype, VoIP (voice over internet protocol) or messaging services provided by Google, Microsoft or Apple - by using a controversial "deem in" power.
This means the communications minister can issue a "ministerial direction" to force any of these companies to make their communications accessible to the spy agencies, if it is believed to be in the interests of national security or law enforcement. Communications Minister Amy Adams says forcing "full capability" on everyone would be too costly for smaller providers. "That's not necessary because it is sort of the same information weaving its way through the system at different points."
Kim Dotcom's Mega company, which provides cloud storage, is opposed to the inclusion of service providers. Chief executive Vikram Kumar says it is an "exercise of obtaining wide, unbounded discretionary powers 'just in case' they are required in the future".
SO MY PHONE AND INTERNET PROVIDER WILL HELP INTELLIGENCE AGENCIES SNOOP ON ME?
Well, yes. But that is not new.
Under the old legislation, surveillance agencies were also able to carry out interception with a warrant.
Of course, under the new GCSB Act the agency has greater scope to spy on New Zealanders - this proposed legislation will make sure the telcos can and will help them do it.
The interception will only apply to "real time" communications - listening in to conversations as they happen.
It does not apply to stored data.
CAN THEY SHARE IT WITH ANYONE ELSE?
The GCSB can intercept Kiwis' private communications only to uphold cyber security, not for intelligence gathering.
However, there are no legal constraints on who it can be shared with - other than the approval of the prime minister.
Critics have speculated that the legislation opens the door for information to be fed into international mass surveillance programs, such as those operated by the US National Security Agency. Labour MPs have argued the definition of surveillance agencies - as law enforcement or intelligence and security agencies - is worryingly vague in the legislation. "It is unclear from this definition whether the bill purports to allow foreign agencies as well as New Zealand agencies," they note in the select committee report, published last month.
WHAT ABOUT MY PRIVACY?
Ms Adams says the Government worked with Privacy Commissioner Marie Shroff in drafting the bill "and she has indicated that she has no concerns". Ms Adams says the legislation does not breach the Bill of Rights Act.
WHAT IF I ENCRYPT MY EMAILS?
The bill requires network operators to decrypt a telecommunication. "This doesn't change from what is currently the law," Ms Adams says. "The law says if you have put the encryption on, you have an obligation, for the warranted information, to take it off."
But she stresses this is only "if you have provided the service".
Thomas Beagle, of digital civil rights group Tech Liberty, told MPs at the law and order select committee that encryption is on the rise and there are a number of systems that are uncrackable.
Designing encryption systems that allow for interception is also difficult and tends to make them more vulnerable to attack, he says.
And encryption can be "multi- layered". "If your network provider gives you an encrypted communications link, you can then further encrypt what you send across it and the network provider won't be able to read it."
CAN'T THE GOVERNMENT JUST BAN TECHNOLOGY THAT PREVENTS INTERCEPTION?
Yes and no. Tech Liberty says the bill gives the ability to stop the resale of foreign services that don't provide lawful interception.
"We think that this is just silly," Mr Beagle says. He uses the example of Apple Computers, which provides iMessage and Facetime - "designed to use encryption in a way that stops them being intercepted" - and are resold by Vodafone and Telecom.
"Let's assume that New Zealand finally gets a terrorist cell here who uses these services to plot an attack together. We think it's very obvious that we're not going to ban Apple from New Zealand, not least because Apple users tend to be quite fanatical and they might end up storming Parliament," Mr Beagle says.
Jordan Carter, chief executive of online watchdog InternetNZ, is concerned the constraints "will create a chilling effect in what New Zealand hopes will become a growth market". Ms Adams agrees there is a ministerial power to direct that network operators cannot sell a service if they can't properly provide interception capability on it. But there is no power to stop service providers directly selling it. She is "going to take a look at that".
SO WHO GETS MORE POWERS?
The spy agencies and government ministers. The GCSB argues that cyber attacks are on the rise and could cripple government systems or businesses. Both Labour MPs and InternetNZ argue the bill hands control of the network design and operation of a telecommunications network to the GCSB in the name of security.
Mr Kumar argues this is "effectively a power of veto" over infrastructure. But Ms Adams says it is only "the ultimate backstop provision" and can only be done by the prime minister, after consultation with trade, innovation and communications ministers. Giving ministers the "deem in" power over service providers has also created consternation. Mr Kumar says it will be "initiated at the sole and absolute discretion of a surveillance agency".
Mr Carter is worried about a lack of checks and balances, and wants the minister to publish annually the number of requests to service providers.
Tech Liberty argues there is a conflict of interest in having a spy agency take care of network security. "A major part of the accepted approach to securing communications is to use strong encryption wherever possible.
"But this will make the GCSB's job of spying significantly harder.
"Which way will they go in their advice? Protect New Zealand's communications or maintain their ability to spy," Mr Beagle says.
Software giant Microsoft argues there is a "dramatic change" in the law as a diverse range of data connections - carrying games, banking, education services, entertainment, company and government meetings, shopping, email and documents - will now be subject to interception. Google NZ argues the law may mean overseas providers run into conflict with laws in their home countries.
Some governments require clients communications be kept confidential. Policy manager Ross Young says assistance should be sought through the relevant overseas authority.
The Dominion Post