Illegal spying: 85 Kiwis watched

Prime Minister John Key says no arrests or prosecutions have occurred from the illegal spying cases exposed today.

The release of a critical report on the Government Communications Security Bureau (GCSB) was brought forward to this afternoon after details were revealed to Fairfax New Zealand.

It reveals the GCSB may have unlawfully spied on 85 people while acting for the Security Intelligence Service (SIS).

Key said the Kitteridge report found systematic problems with GCSB. The legislation was never fit for purpose, he told reporters in China.

He said it was crucial the public have confidence in the legislation.

Key said he will announce reform to the legislation when he returns from China.

OPERATIONS SIGNED OFF

A former spy boss says potentially illegal surveillance operations revealed in a top secret report were done under warrant and signed off by the Inspector General of Intelligence.

Bruce Ferguson, a former defence boss who ran the secretive Government Communications Security Bureau (GCSB) between 2006 and 2010, said the surveillance was done on behalf of the domestic spy agency, the Security Intelligence Service (SIS).

The SIS didn't have the resources or equipment that the GCSB had to intercept communications, Ferguson said.

"No one questioned it at the time. I certainly didn't question it," he said today.

"I obviously read the Act and said 'that's obvious'. I got a warrant that had gone through various stages, the Inspector General had looked at it - by the time it was presented to me I had a list of people saying 'this is fine, we are allowed to do this'."

A report ordered after the Kim Dotcom fiasco seen by Fairfax Media contains extensive criticism of the GCSB.

The report, prepared by Cabinet Secretary Rebecca Kitteridge, was due to be made public by Prime Minister John Key on his return from China but will now be released today.

The government has brought forward the release after Fairfax revealed it found 85 people may have illegally spied on by the foreign intelligence bureau. 

It confirms that the problem of illegal spying revealed in the case against Dotcom went far wider than previously admitted and involved up to 85 people in cases dating back nearly a decade.

Former GCSB legal adviser Hugh Wolfensohn resigned in the wake of the Dotcom scandal after nearly 25 years with the bureau.

But Ferguson said Wolfensohn had been treated badly.

"Hugh made one mistake and he has admitted that. That's it," Ferguson said.

"Over my time with him Hugh was immensely diligent, very capable, incredibly hard working and did a huge amount for New Zealand and the bureau. I think he's been very hard done by."

The problem was the legislation the GCSB operated under, Ferguson said.

"It's the legislation itself and how that is interpreted and I think that's the nub of the issue here.

"Nobody in the chain - and that's right up to and including the ministers responsible - would intentionally have wanted to spy on New Zealanders."

It was still murky territory, meanwhile, as to whether the spying was illegal, he said.

"Since about October last year a team of lawyers from Crown Law have been trying to come to a conclusion whether this was illegal or not," Ferguson said.

"And as far as I'm aware they still haven't."

While the GCSB was barred by law from spying on New Zealanders, there was a grey area when it was asked to do so by another organisation, like police or the SIS, who were authorised.

"They have the authority and under a duly signed authorised warrant ask for assistance. The GCSB under the legislation cannot spy on [New Zealanders] end of story. But if they are asked by another agency under a formal warrant to assist - is that legal or illegal?"

Ferguson also hit out at criticism of him by the prime minister and did not resile from his claim Key must have been "smoking dope" to blame him for the bureau's failings.

Ferguson has been outspoken over the way Key's former school friend Ian Fletcher was appointed to the GCSB.

"I knew right from the start once people like John Key start attacking the person you've hit a nerve," he said.

THE REPORT

The intelligence services’ watchdog began questioning the lawfulness of GCSB’s activities - five months before the illegal spying came to light.

A top secret report prepared by Cabinet Secretary Rebecca Kitteridge is due to be made public today.

The government has brought forward the released after Fairfax revealed it found 85 people may have illegally spied on by the foreign intelligence bureau. 

The agency is forbidden from spying on anyone with citizenship or permanent residence here.

The Kitteridge report raises questions about when the intelligence services first became aware there was a problem.

Kitteridge said Inspector-General Paul Neazor questioned whether long standing interpretations of the GSCB Act by the intelligence services were correct in May 2012.

This came five months before the government says the illegal spying on Kim Dotcom came to light.

The problem centres on work the bureau did on behalf of other agencies - particularly the Security Intelligence Service, New Zealand’s domestic spy bureau and the police.

She said the issue was the subject of some legal analysis and correspondence - but the matter is still not resolved.

Prime Minister John Key has repeatedly said the agency and the government only became aware of the illegal spying on Dotcom in September.

He ordered Kitteridge be seconded to the Bureau for an internal review.

The report reveals that internal legal advice at GCSB had been that it was lawful for agents to assist domestic agencies such as NZSIS or police in two circumstances:

* if they were helping the SIS on the basis of SIS warrants. The bar of spying on Kiwis is contained in section 14 of the GCSB Act, passed in 2003. But GCSB believed this prohibition not apply when they were acting under the legal authority of the SIS warrants.

* GCSB also assumed the law allowed them to intercept ‘‘metadata’’ - information about information such as the kind of information that appears on a telephone bill. It was judged not to be a ‘‘communication’’ and could be lawfully obtained from New Zealanders without a warrant. This has now been reviewed by lawyers and the bureau now believes metadata would likely constitute a communication. 

Kitteridge says GCSB director Ian Fletcher sought an opinion from the Solicitor-General if they authority of an SIS warrant would override the prohibition in section 14.

The SG confirmed the ‘‘difficulties of interpretation’’ and the ‘‘risk of an adverse outcome if a court were to consider the question.’’ 

Kitteridge has recommended the legislation be reformed.

A freeze was put on assisting other agencies in September and no more surveillance will take place until the law in amended.

And she said the other 85 cases have been reported to Key so he can take appropriate action. 

Kitteridge stressed assistance was provided to the SIS was to help combat threats to New Zealand security in areas such as counter terrorism.

She also emphasised there was no evidence agents acted in bad faith nor believe the ends justified the means. They were devastated to learn they may have acted unlawfully, she said. 

Kitteridge was tasked with reviewing the GCSB after the bureau conducted illegal surveillance on Dotcom, a German internet entrepreneur who has New Zealand permanent residency.

Labour MP Grant Robertson said the revelations threw fresh pressure on Prime Minister John Key to order an immediate independent inquiry.

"We need a full overhaul and overview of all our security agencies because that report indicates there are some serious issues at the GCSB," he said.

"But that is only an internal review and while that has thrown up some disturbing findings, it makes the case for the much wider review that's needed."

Labour leader David Shearer said an independent inquiry into the intelligence agencies was now imperative, but his party was not dodging any of the blame.

The alleged illegal spying by GCSB dates back to the reign of the previous Labour Government and then prime minister Helen Clark.

Shearer said he was ‘‘not dodging any of that and I acknowledge that’’.

But, the public needs confidence that the intelligence agencies were operating as they should.

Attempts to cover up the illgeal spying in the Kim Dotcom case were part of the problem culture within GCSB, he said.

‘‘John Key can’t just simply sweep this under the carpet, we need a full independent inquiry into our intelligence agencies, not just GCSB.’’

Shearer was very concerned about the allegations in the report.

And Key must be outraged that even a report about the country’s spies could not be kept secret.

Key, who is in China, has pledged to publicly release the review findings. The report is due to be discussed by Parliament's secret intelligence and security committee next week.

It is understood new legislation will be introduced to Parliament soon after the report's release.

Police are already investigating the GCSB's illegal spying on Dotcom after a complaint from the Green Party.

SPY AGENCY LEGAL MAN TOO BUSY WEARING OTHER HATS

The man responsible for making sure the GCSB followed the law wore too many hats and did not have time to deal with legal advice, the report reveals.

Hugh Wolfensohn resigned over the Dotcom spy scandal after almost 25 years with the bureau. His job title was deputy director of mission enablement (DDME) at the spy agency. Mr Wolfensohn was the GCSB's only legal adviser from his appointment in 1988.

Mr Wolfensohn, sometimes known as Agent CX, was placed on gardening leave last September and subsequently resigned.

Last February, Mr Wolfensohn dismissed police and GCSB fears that they may have illegally spied on Kim Dotcom.

The illicit surveillance came to light last September when Dotcom's lawyers began questioning which other agencies were involved in Operation Debut, the joint police and FBI raid on Dotcom's mansion in 2012.

The Kitteridge report outlines Mr Wolfensohn's multiple and pivotal roles - and concludes he had too much on his plate. Mr Wolfensohn admitted he devoted at most 5 to 10 per cent of his time to legal work. He had asked for more lawyers but none were appointed. His only back-up came when legally qualified intelligence analysts were twice seconded to work with him, but they were inexperienced and needed considerable supervision.

Mr Wolfensohn was the chief architect of the flawed GCSB Act. He interpreted the law and was responsible for its implementation and operation. These were conflicting roles, the report says.

Ms Kitteridge said there was little peer review of Mr Wolfensohn's work by the Crown Law Office, and he consulted only the intelligence watchdog, the inspector-general, on legal matters.

There was also no budget for seeking outside advice.

Mr Wolfensohn also told Ms Kitteridge that the culture of the bureau was to keep its work within classified channels.

The report also found legal advice was not sufficiently documented or accessible.

Staff said Mr Wolfensohn gave advice informally and in emails that could not be accessed when he was absent.

Ms Kitteridge recommended the DDME role be reformed and reviewed - which has now happened.

Mr Wolfensohn had responsibility for legal advice, governance, performance, strategy, policy, and risk management and strategic relationships.

He was also responsible for a huge number of staff, including the GCSB's compliance adviser, chief financial officer, chief information officer, IT and security staff, HR, finance and logistics, procurement and property services.

He also stepped in as acting director - and was undertaking those duties when the GCSB became involved in Operation Debut.

THE LEGISLATION

The GCSB Act 2003, the sole source of authority and law within the agency, is so confused it is not fit for the purpose.

The key issue is with section 14, which states the GCSB may not "take any action for the purpose of intercepting the communications of a person . . . who is a New Zealand citizen or a permanent resident".

Immediate legislative reform is needed to clarify the application of the act to the GCSB'S work.

The GCSB Act has not kept pace with the internet - the act is difficult to apply to some of the bureau's work with new technology.

GCSB'S compliance with the Defence Act 1990 and the Privacy Act 1993 is also being analysed - and the agency may not have complied with the Public Records Act 2005.

STAFF CULTURE

It will take a year and a really solid effort to address GCSB's problems.

GCSB's organisation was too complex and fragmented, with too many managers.

There was a tendency to tick boxes and make assumptions but not ask questions or seek evidence.

A culture persisted where poor performance was tolerated and problem staff redeployed internally instead of being held accountable.

There was an aversion to dealing with poor performance because of security risk from disgruntled former staff and also because vetting of new recruits takes so long.

Specialised knowledge was valued over other skills, staff stayed too long in one job and there is some passive resistance to change.

A need-to-know culture created silos.

Staff faithfully followed legal advice and it was devastating and abhorrent to learn they were not acting within the law.

There was no evidence they acted in bad faith or believed the end justified the means.

Staff believe it is an organisation spread very thinly - money was directed at operations at the expense of legal and compliance advice.

Fairfax Media