The Telecommunications Interception Capability and Security Bill
UPDATE: I’ve been emailed by the Ministry to tell me I’ve got parts of this wrong – as I said, it’s a first take on the bill and I’m still working through all the ramifications so that’s not surprising.
I’ve included the changes and clarifications the Ministry has suggested below.
I’m working my way through the new Telecommunications
Interception Capability and Security Bill (known as TICSA) and although I’m not
done yet, there are a few issues that we need to discuss.
Basically this bill will allow the security agencies to
spy on phone calls, TXT messages, emails and other data transfers, much as they
do today under our existing law.
(EDIT: The Ministry points out that this bill is about the telcos, not the agencies themselves, and the obligations placed on the telcos themselves. Well, yes).
The current Act, in place since 2006 (EDIT: Actually, 2004), allows the security
services to contact a telco and demand they make certain communications
available to the authorities. They must have a warrant to do this – you can’t
just ring up like they do in the movies and get someone to dig around a bit.
None of the telcos would stand for that.
The Act has been working well, but apparently there are
enough issues with it to require an update – hence the new bill.
The bill deals with two key issues – network management
and interception.
Network management is new – under this proposed bill the
telcos must work with GCSB when deploying their networks, must agree to consult
with the GCSB with regard to key decisions that may affect national security
(or, I’m alarmed to read, New Zealand’s economic wellbeing, which frankly is
quite a broad addition to the old regime) and must agree to inform the GCSB
whenever it makes changes to the network that may impact on national security
(or again on our economic wellbeing).
(EDIT: The Ministry says network management is not new, that in fact the GCSB works in partnership with network operators today. That’s as may be, but the emphasis from the new bill is new and the explicit formalisation of the relationship goes beyond what is contained in the current bill.)
EDIT: The Ministry says the bill:
· requires network operators to engage in good faith with the government on the design, build and operation of networks where this may affect New Zealand’s national security or economic wellbeing;
· requires network operators to notify the GCSB of certain proposals such as procurement decisions or changes in relation to areas of particular national security interest (those areas are set out in the Bill);
· sets out a stepped process for network operators and the government to agree, where possible, on the response to an identified network security risk.
Does this mean the GCSB will be directing the telcos in
their network rollouts? Does it mean certain vendors will be unable to provide
gear for certain parts of the network? Does it mean those telcos that already
use a certain provider (I’m thinking here specifically of Huawei but it could
be anyone) will be excluded from certain key government contracts?
This rings alarm bells for me because any government
involvement beyond wanting to simply use the networks is fraught. These are
commercial entities that already face challenging economic times and adding in
yet another layer of complexity is far from ideal.
The other half of the bill covers interception
and the idea that the telcos must make their networks “able to be
intercepted” should the need arise.
(EDIT: The Ministry would like me to point out that the current bill requires telcos to work with government agencies. Yes, that’s a given – I’m not suggesting they aren’t already doing some of this.)
Here I must confess to some moral ambiguity. On the one
hand, government-led security services have no business demanding we hand over
anything that may incriminate us. If the police (or SIS or GCSB) want to prove
I’m breaking the law then it’s up to them to prove it. I should not, as an
individual, be required to help. I’m innocent until proven guilty – that is,
unless I own a computer and then I’m required by law to help the police find
evidence to convict me.
Think I’m making that up? It’s part of the Crimes Act,
introduced post-9/11 to help police get round the tricky business of people
using this newfangled “encryption” stuff to hide their crooked
business dealings.
For me, this is taken to a whole new level by the
requirement on telcos that their networks be made “able to be
intercepted” (is that “interceptable”? Computer says no). Now my
telco is required to help the police prove I’m a criminal. This upsets me
greatly, not because I am a criminal but because I shouldn’t have to prove that
I’m not.
Having said that, I know the police have solved some
fairly major crimes by having access to telco records and I know that the
creation of the internet has been one of the biggest boons in policing of those
responsible for child pornography. The internet is a giant copying machine and
anyone sharing objectionable material leaves a trail a mile wide.
So I’m torn on the general need for interception at this
level. It also annoys me that the security services are, in effect, outsourcing
the entire thing to the telcos and demanding that the telcos spend money on
staff and technology which, if left to their own devices, would not be needed
in the day-to-day commercial running of the network. These things all add cost
to the network operators’ budgets and it’s a cost that doesn’t deliver a return
so it will indeed get passed on to users, yet again.
The bill introduces a multi-stage approach to defining
its telcos. If you’re a small operator or a wholesale-only operator, the
interception requirement is less than if you’re a fully-fledged telco with lots
of customers. You’re only required to make your network “intercept
ready” or “intercept accessible” whereas the big telcos have to
provide the full intercept capability. Oh and the minister (one of three
ministers) can decide which category you fall into as the need arises.
The law also says it applies to companies based in New
Zealand or overseas, which is entertaining. Quite how the bill can be applied
to, say, a VPN service based in Uzbekistan is an interesting one, but this
catch-all concept means that the new TICSA will be applied to Facebook, Google,
Yahoo and all the other “over the top” providers (including
presumably Skype and Viber) as well.
Apparently the security agencies already deal with such
offshore entities whenever they need to, but this bill will formalise that
arrangement.
Curiously, the bill also gives the government the ability
to ban a product if the government decides it can’t be made interceptable.
Imagine, if you will, the TUANZ encrypted email and storage service that makes
sure your highly sensitive documents are stored and transmitted with the
greatest of encryption levels. If the security agencies decide that’s going to
be a problem, the government will simply ban us from offering it.
Interestingly, they won’t necessarily tell me about it
(if TUANZ was based off shore) but rather would tell the telcos and ISPs in New
Zealand that it was banned, because they would be deemed to be
“reselling” the service, even though all the ISPs are doing is giving
my customers access to the service. And if they don’t remove the service from
“sale” in New Zealand they’re liable for fines that accumulate on a
daily basis.
On top of all that, we have a police-held register of
ISPs and telcos, which must be kept up to date at all times. Yes, we’re getting
a “licensed ISP” regime without any of the benefits.
All of this concerns me. We’ll need to submit on it, if
the government opens up the bill to public submission (something it may choose
to avoid). While I’m always wary of getting involved in any conversation about
security agencies and various tin-foil hat (black tin-foil hat, no less)
conspiracies, I do object to having my right to privacy treated in a cavalier
manner. Hopefully we can make some suggestions that will improve this bill
before it’s passed into law.
For more reading on this I suggest you have a look at
Thomas Beagle’s excellent piece over at Tech Liberty. Thomas is a much faster
reader than I am and he’s done a good job of working through the various parts
of the bill. We’ll need to do a lot more of that before the government gets to
decide on interception of our communications.
Hi, I’ve also been approached by a MoBIE bureaucrat claiming I got major parts of my article wrong. I’ve reviewed what he’s said and as far as I can tell it’s spin rather than substance.
In particular he denies that TICS gives the GCSB sweeping powers of oversight and control over NZ’s telecommunications networks. However, he even contradicts himself in his own email. I’ve written a response and published it here: http://techliberty.org.nz/does-tics-really-give-gcsb-control/
Or to put it more simply: "You’ve got to notify us of everything you do, and we can override anything you have done or plan to do, and fine you if you don’t do what we say…. but we don’t control it. No no no!"
Officials charged with the new Bill say about this article: "The Ministry says network management is not new, that in fact the GCSB works in partnership with network operators today." Voluntary compliance is worlds apart from compulsory compliance required by executive decision. Surely the officials aren’t so glibly side-stepping this Kafka-esque issue?