The Telecommunications Interception Capability and Security Bill

UPDATE: I've been emailed by the Ministry to tell me I've got parts of this wrong - as I said, it's a first take on the bill and I'm still working through all the ramifications so that's not surprising.

I've included the changes and clarifications the Ministry has suggested below.

I'm working my way through the new Telecommunications Interception Capability and Security Bill (known as TICSA) and although I'm not done yet, there are a few issues that we need to discuss.

Basically this bill will allow the security agencies to spy on phone calls, TXT messages, emails and other data transfers, much as they do today under our existing law.

(EDIT: The Ministry points out that this bill is about the telcos, not the agencies themselves, and the obligations placed on the telcos themselves. Well, yes).

The current Act, in place since 2006 (EDIT: Actually, 2004) allows the security services to contact a telco and demand they make certain communications available to the authorities. They must have a warrant to do this - you can't just ring up like they do in the movies and get someone to dig around a bit. None of the telcos would stand for that.

The Act has been working well, but apparently there are enough issues with it to require an update - hence the new bill.

The bill deals with two key issues - network management and interception.

Network management is new - under this proposed bill the telcos must work with GCSB when deploying their networks, must agree to consult with the GCSB with regard to key decisions that may affect national security (or, I'm alarmed to read, New Zealand's economic wellbeing, which frankly is quite a broad addition to the old regime) and must agree to inform the GCSB whenever it makes changes to the network that may impact on national security (or again on our economic wellbeing).

(EDIT: The Ministry says network management is not new, that in fact the GCSB works in partnership with network operators today. That's as may be, but the emphasis from the new bill is new and the explicit formalisation of the relationship goes beyond what is contained in the current bill)

EDIT: The Ministry says the bill:

·         requires network operators to engage in good faith with the government on the design, build and operation of networks where this may affect New Zealand’s national security or economic wellbeing;

·         requires network operators to notify the GCSB of certain proposals such as procurement decisions or changes in relation to areas of particular national security interest (those areas are set out in the Bill);

·         sets out a stepped process for network operators and the government to agree, where possible, on the response to an identified network security risk).

Does this mean the GCSB will be directing the telcos in their network rollouts? Does it mean certain vendors will be unable to provide gear for certain parts of the network? Does it mean those telcos that already use a certain provider (I'm thinking here specifically of Huawei but it could be anyone) be excluded from certain key government contracts?

This rings alarm bells for me because any government involvement beyond wanting to simply use the networks is fraught. These are commercial entities that already face challenging economic times and adding in yet another layer of complexity is far from ideal.

The other half other half of the bill covers interception and the idea that the telcos must make their networks "able to be intercepted" should the need arise.

(EDIT: The Ministry would like me to point out that the current bill requires telcos to work with government agencies. Yes, that's a given - I'm not suggesting they aren't already doing some of this.)

Here I must confess to some moral ambiguity. On the one hand, government-led security services have no business demanding we hand over anything that may incriminate us. If the police (or SIS or GCSB) want to prove I'm breaking the law then it's up to them to prove it. I should not, as an individual, be required to help. I'm innocent until proven guilty - that is, unless I own a computer and then I'm required by law to help the police find evidence to convict me.

Think I'm making that up? It's part of the Crimes Act, introduced post 911 to help police get round the tricky business of people using this newfangled "encryption" stuff to hide their crooked business dealings.

For me, this is taken to a whole new level by the requirement on telcos that their networks be made "able to be intercepted" (is that "interceptable"? Computer says no). Now my telco is required to help the police prove I'm a criminal. This upsets me greatly, not because I am a criminal but because I shouldn't have to prove that I'm not.

Having said that, I know the police have solved some fairly major crimes by having access to telco records and I know that the creation of the internet has been one of the biggest boons in policing of those responsible for child pornography. The internet is a giant copying machine and anyone sharing objectionable material leaves a trail a mile wide.

So I'm torn on the general need for interception at this level. It also annoys me that the security services are, in effect, outsourcing the entire thing to the telcos and demanding that the telcos spend money on staff and technology which, if left to their own devices, would not be needed in the day-to-day commercial running of the network. These things all add cost to the network operators' budgets and it's a cost that doesn't deliver a return so it will indeed get passed on to users, yet again.

The bill introduces a multi-stage approach to defining its telcos. If you're a small operator or a wholesale-only operator, the interception requirement is less than if you're a fully-fledged telco with lots of customers. You're only required to make your network "intercept ready" or "intercept accessible" whereas the big telcos have to provide the full intercept capability. Oh and the minister (one of three ministers) can decide which category you fall into as the need arises.

The law also says it applies to companies based in New Zealand or overseas, which is entertaining. Quite how the bill can be applied to, say, a VPN service based in Uzbekistan is an interesting one, but this catch-all concept means that the new TICSA will be applied to Facebook, Google, Yahoo and all the other "over the top" providers (including presumably Skype and Viber) as well.

Apparently the security agencies already deal with such offshore entities whenever they need to, but this bill will formalise that arrangement.

Curiously, the bill also gives the government the ability to ban a product if the government decides it can't be made interceptable. Imagine, if you will, the TUANZ encrypted email and storage service that makes sure your highly sensitive documents are stored and transmitted with the greatest of encryption levels. If the security agencies decide that's going to be a problem, the government will simply ban us from offering it.

Interestingly, they won't necessarily tell me about it (if TUANZ was based off shore) but rather would tell the telcos and ISPs in New Zealand that it was banned, because they would be deemed to be "reselling" the service, even though all the ISP are doing is giving my customers access to the service. And if they don't remove the service from "sale" in New Zealand they're liable for fines that accumulate on a daily basis.

On top of all that, we have a police-held register of ISPs and telcos, which must be kept up to date at all times. Yes, we're getting a "licensed ISP" regime without any of the benefits.

All of this concerns me. We'll need to submit on it, if the government opens up the bill to public submission (something it may choose to avoid). While I'm always wary of getting involved in any conversation about security agencies and various tin-foil hat (black tin-foil hat, no less) conspiracies, I do object to having my right to privacy treated in a cavalier manner. Hopefully we can make some suggestions that will improve this bill before it's passed into law.

For more reading on this I suggest you have a look at Thomas Beagle's excellent piece over at Tech Liberty. Thomas is a much faster reader than I am and he's done a good job of working through the various parts of the bill. We'll need to do a lot more of that before the government gets to decide on interception of our communications.