Spy-bill a threat to industry, says Microsoft

New Zealand's IT industry could fall behind like the British car industry did last century if the Government presses ahead with proposed new surveillance laws, Microsoft has warned.

Online services might withdraw from the country, the US-based software giant said.

Spokesman Waldo Kuipers likened the Telecommunications Interception Capability and Security (TICS) Bill being considered by Parliament's law and order select committee to a 19th century British law. That law required someone to walk in front of every motor vehicle waving a red flag.

The law hamstrung Britain's car industry, leaving the United States and Germany to leap ahead, he said.

The TICS Bill is a companion measure to the Government Communications Security Bureau Bill which would give the GCSB the right to carry out surveillance on New Zealanders.

More technical in nature, the TICS Bill would compel telecommunications firms to provide assistance to the GCSB in intercepting and decrypting customer communications. The firms would also be obliged to follow the spy agency's instructions on network security.

Appearing in front of the select committee this morning, Kuipers said surveillance laws had been designed for an era in which spying meant tapping into analogue phone calls.

However, the TICS Bill took things much further.

"It is no longer about just tapping into the telephone exchange. Today what we are talking about is a diversity of data connections carrying every imaginable service such as games, banking, education services, entertainment, company and government meetings, shopping, email and documents.

"Many of these were never subject to interception capability obligations in the pre-digital world. That is a dramatic change in the law."

Potentially, the GCSB could use the law change to force any provider of those online services to change their technology or business model, including in ways which might "fundamentally undermine the security of those services", he said.

"An obligation to have interception capability on a fundamentally different technology in our view needs to be considered on its merits, not swept up in broad legislation that gives wide powers to surveillance agencies and ministers."

Kuipers said a 2004 law change meant traditional network operators had already had to make digital telecommunications services behave more like old analogue services to aid interception.

"We know that legislation has caused network operators in New Zealand not to offer services in New Zealand that would have been beneficial," he said.

He declined to disclose details to the committee without the consent of the operators, saying they were commercially sensitive. The TICS Bill could "further stifle innovation", he said.

The TICS Bill as drafted would initially apply only to traditional telecommunications providers.

However, ministers could extend the GCSB co-operation requirement and its veto on network changes to any "electronic communications" provider without seeking approval from Parliament.

Overseas providers could find the law conflicted with obligations they had in their home country, Kuipers said.

One example would be the duties they had under the United States' Electronic Communications Privacy Act to keep customer communications confidential.

The US act would generally prevent those providers from complying with interception warrants issued in New Zealand, he said.

"If the proposed law leads to a situation where a US-based provider must choose between breaking New Zealand law and breaking US law, where it is headquartered and based, they may be forced to withdraw their service from New Zealand."

Google New Zealand policy manager Ross Young echoed those concerns when he appeared in front of the select committee today.

Both companies said that if New Zealand law enforcement agencies needed access to information held by foreign firms, it would be a better option for them to seek it from the relevant overseas authority.

They could do this by invoking the Mutual Legal Assistance Treaty.

InternetNZ chief executive Jordan Carter said MPs needed to decide whether they wanted to allow innovative new services provided by online intermediaries that let people encrypt their communications in a way that meant they could not be decrypted by those providers.

Kim Dotcom's new venture Mega has some such services in the pipeline.

2degrees chief engineer Nick Read said the new requirements imposed by the bill could cost the company at least $1 million.

Chief counsel Tim Mathews said it would also slow down decision-making and could prevent the company from making upgrades and improvements to its network that might benefit consumers.

"We haven't got a clear understanding of the need for these changes, or the extent of these changes," he said.

Telecom and Vodafone have already voiced their concerns to the committee. They also argued the law change was unnecessary, but said traditional network operators should not be singled out and any new spy-compliance requirements should apply equally to "over the top" providers such as Microsoft and Google.

Oral submissions have now been completed. The committee is due to issue its report on the bill by September 20.