Officials defend GCSB web secrecy
Ministers could use powers granted under proposed new spy laws to compel internet companies to provide technical assistance to the Government Communications Security Bureau, and no-one might ever know, officials have confirmed.
Mega chief executive Vikram Kumar said the prospect that such orders could be issued confidentially added to his concerns about the Telecommunications Interception Capability and Security Bill, which is currently being examined by a select committee.
"When you go and target an individual company and it is entirely at the discretion of a minister, plus it is secret, that is entirely unacceptable," he said.
However, Business, Innovation and Employment Ministry officials said such confidentiality was necessary and normal. Protections were in place, both for companies that might be required to provide the extra assistance to the GCSB and their customers, they said.
The bill would oblige traditional telecommunications firms to provide technical assistance to the GCSB, as required by the spy agency, in order to make their networks capable of being intercepted. Telcos would also need to get the GCSB's approval before making changes to their networks that could affect the bureau's work.
But most controversy has arisen over other clauses in the bill that would let ministers extend those obligations to companies other than traditional network operators, without going back to Parliament for approval. These could either be individual firms, which would be roped in through "ministerial directives", or "classes" of firms, such as internet telephony or secure email providers, which would be included through regulation.
Officials said that any ministerial directives issued under the legislation would be confidential "so as not to publicly disclose any operational, commercial or strategic information that could impinge on the agencies' investigations".
The companies that were subject to the orders could also be prevented from discussing them.
"The need for confidentiality reflects the fact that the bill ... deals with sensitive law enforcement and national security interests, as well as potentially sensitive commercial interests, where public discussion about individual levels of capability would be detrimental," they said.
Under the current act, exemptions to the obligation to be intercept-capable were granted by the Communications Minister on a confidential basis, so "confidentiality in these circumstances is not new", they said.
Kumar said that if an internet company did disclose it had received a ministerial directive ordering it to provide the same cooperation to the GCSB that any of the traditional network operators were compelled to provide, then that could have a "huge" effect on them and could potentially "drag them out of business".
But he said disclosure would be the "lesser evil". If ministerial directives could be confidential, no-one could know what firms were subject to any such orders and confidence in all service providers would be undermined.
The Law and Order select committee is due to issue its report on the Telecommunications Interception Capability and Security Bill next month.
Mega has already submitted that the bill should not allow ministers to single out individual firms for compliance. But Kumar said that if that power was retained and subsequently used, any directives ministers did issue should be made public.
Mega plans to introduce a secure email service that would make it difficult for law enforcement agencies, spy agencies and hackers to read emails between its members. It is one of a number of firms that could potentially be singled out by ministers and compelled to provide additional assistance to the GCSB, if the bill is passed in its current form.
Officials noted that if a company was issued a directive under the bill and objected, it could appeal to a three-person review panel, or ultimately seek a judicial review.
"If obligations to be intercept-capable are extended to an individual service provider, that capability [will be] for the purposes of fulfilling an interception warrant or other lawful authority. As is the case under the current act, the duty for full interception capability includes clear privacy protections," they said.