Posts

'>

Collateral Damage

/in /by

Hat tip to former InternetNZ Chief Executive Vikram Kumar
for his discovering that the TICS and GSCB bills include forcing telcos to
install backdoors into their networks.

This goes a long way past “making sure the data can be
handed over to the authorities” which we’re still unhappy with and goes a long
way out of my comfort zone, especially given the way international intelligence
agencies are using their powers around the world.

So what’s driving the government rush to enact these laws?
Can it be that New Zealand is a hot bed of international terrorists and that we
need to severely curtail public freedoms in order to ensure our on-going
security?

Clearly this isn’t the case. Nor was it the case when the
Urewera raids took place under the auspices of anti-terrorist activity –
charges that were later withdrawn and eventually dropped entirely from the
case.

But even that wasn’t the start to all of this. An online
chat with Judge David Harvey reminded me of the Crimes Amendment Act,
introduced in 2003 which took away our right to remain silent.

Sorry, did you not realise?

If you own a computer (roughly 110% of the population these
days) you’d better know exactly what’s on it, including those pesky system
files that you’ve neither seen nor looked at, because under the Crimes
Amendment Act, you’re entirely responsible for files on your computer.

In addition, if you have encrypted files (I presume I have)
then you’re required by law to hand over the encryption keys to those files.

So if, for argument’s sake, you have a system file somewhere
that you’ve never seen and which you’ve no way of decrypting, you’re still
responsible for it and if a nice policeman taps you on the shoulder and says
“decrypt that file” you’re up for three months’ jail and a fine of $2000 if you
don’t comply.

Harvey described that as synonymous with a police officer
asking you where you were “on the night in question” and you refusing to answer
– something you’re perfectly entitled to do 
– and then ending up in the cells for three months.

Even with that level of intrusion we aren’t quite at the
source, because I remembered an even earlier conversation about the
International Law Enforcement Telecommunications Seminar (ILETS).

In 1999, ILETS was telling police representatives from
around the world that what the world really needs is a terrorist event of grand
enough scale that the citizens will clamour for police intervention on a
massive scale. Indeed, ILETS (of which New Zealand was a member) encouraged
participants to draft legislation and PR strategies ready for the day when such
an event would occur and which would then give these agencies the support
needed to get bills passed in the various parliaments.

ILETS was set up by the FBI in the early 1990s and included
representatives from New Zealand, Australia, the UK, US and Canada (sound
familiar?) to promote a “universal wiretap ability” in the newly emerging
internet world.

Governments would be encouraged to gradually allow police
and affiliated agencies more powers to monitor and track movements online so as
to ensure police agencies were able to keep up with criminals. Terrorists were
just an excuse.

From there we moved on to the Search and Surveillance Act, introduced in 2012 and the expansion of police powers that included. 

Today we face the introduction of the badly flawed GCSB bill
and shortly, the TICS bill. Both will enable relevant security agencies (and
the police, and potentially IRD and potentially all manner of other government
agency) to access our most secret data and indeed track our real-world
movements thanks to those handy GPS-enabled tracking devices we all carry.

I’m all in favour of the police having the right tools for
the job. If there was evidence that nefarious agents were using encrypted
pathways to communicate and to plan illegal activities, that massive online
money laundering were taking place, that terrorist cells were active or even present
in New Zealand and that we faced a clear and present danger, then I would
support giving the right agencies the right tools. But no such evidence has
been presented or even hinted at, and the badly-drafted laws mean our nascent
cloud computing industry might well be snuffed out before it gets off the
ground in a commercial “blue on blue” incident.

New Zealand needs access to world’s best IT practices if
we’re to compete. We can and should grow our own businesses to take part in the
global economy. We should be able to buy in the best of breed hardware and
technology needed to enable our economy to grow.

Yet these laws mean we won’t be able to do that. Local
businesses won’t be able to deploy internationally because our laws mean
they’ll have to hand over sensitive customer data to New Zealand officials, and
who would buy such a product? International businesses will have to decide
whether or not to operate in such an environment locally, and some businesses
could potentially be excluded from New Zealand because of the laws themselves.
Will Apple or Google chose to operate in New Zealand under laws that contradict
and are explicitly outlawed in the US? Will Huawei be able to build world class
infrastructure here if they’re not on the “friendly” list?

The collateral damage from these bills has the potential to
be huge. The cost of implementation alone is likely to be massive and will be
borne by the telcos and network operators who will, of course, pass it on to
customers, but the lost opportunity for our ICT industry could potentially
dwarf even that price.

Ian Apperley, an independent cloud computing consultant who blogs at whatisitwellington.com, has written a great piece about the potential size of the market and the cost if we miss out.

It’s a quick and dirty economic analysis but I suspect that’s more than we’ve undertaken at government level.

'>

Nothing to hide but plenty I don’t want to share

/5 Comments/in /by

I’ve had a number of discussions about online privacy,
security and matters of this sort over the past few months.

All too often I’m faced with someone who says “I have
nothing to hide” and who seems to be quite willing to put up with government
invasion of his or her privacy.

I don’t have anything to hide either, but I do keep some
things to myself. I won’t list them but trust me, they’re better off being
conducted behind closed doors with the lights off.

On top of that, I have other things I like to keep private.
My financial matters are nobody’s business but mine and the bank’s. My health
records are likewise quite important to me. Which books I get out of the
library, where I spend my money, who I call and TXT.

As a former journalist the recent spate of attacks on a
reporter’s freedom to do their job irks me. All too often I hear from readers
(or viewers) bemoaning the state of journalism in New Zealand and I tend to
agree. Today I met with an old colleague and we talked about how many of us
there were at Computerworld in its
heyday. We had 11 journalists working on a niche publication – other newsrooms
had far more. Today, the newsrooms have shrunk dramatically, the pay rates are
stagnant and each reporter is expected to churn out more copy with less time to
do it properly.

The one thing a journalist has in his or her favour is the
ability to ask questions and to get answers from people who may not want their
names splashed about the place. Journalists need access and they need privacy
in order to secure the news that quite often someone doesn’t want you to know
about.

Journalism comes in for a lot of flak for its invasive,
intrusive nature and rightly so. I managed to avoid ever having to ask “How do
you feel” or its bedmate, “Will you apologise?” but there are plenty of
journalists who employ such phrases and far worse. I know of at least one who
likes to goad interview subjects to the point of cracking in order to get a more
salacious story and several have been known to deploy much worse tactics in
order to secure a scoop.

But “keeping the bastards honest” is at the heart of any
good journalist’s role. “Afflict the comfortable and comfort the afflicted” is
one of my favourite definitions of the job of journalist (and check out the link to see who said it – oh the irony), but in this case
perhaps there’s a better one: “News is what somebody does not want you to
print. All the rest is advertising.”

It’s vital we have a strong media that can ask questions that
someone somewhere doesn’t want answered. My hat is off to the likes of Lisa
Owen at TVNZ who once served her own organisation with an Official Information
Act request and to Andrea Vance who got the government’s report into the GCSB
ahead of time and ran a story exposing the information before the government
spin doctors had all their ducks in a row.

That’s why privacy, security and our right to know are
inextricably linked. That’s why it’s important we understand how well the
government handles our data, and what limits are put in place, and why it’s
important we understand the GCSB and associated legislation.

These laws give the government security agencies
unprecedented powers of access to our daily lives. I may not have anything to
hide, but I have plenty I don’t want to share and if I do, I want to know it
will be handled with all due care and diligence.

Unfortunately, the government (in various guises) does not
have a good track record on this score. Take a look at this list and then tell
me – do you think we should give the government agencies more access to our
data?

July 2012 – Immigration privacy breach results in staff being fired

March 2012 – ACC spreadsheet debacle

October 2012 – MSD kiosk debacle

November 2012 – Immigration privacy breach

November 2012 – Novopay sends wrong information to multiple
schools

December 2012 – Corrections faxes sensitive data to removals
company

March 2013 –  Ministry of Environment email breach

April 2013 – EQC privacy breach twice

April 2013 – IRD privacy breach

April 2013 – Ministry of Justice security flaw revealed (and a note from IITP about white hat hackers)

April 2013 – GCSB “Kitteridge report” leaked

May 2013 – WINZ privacy breach 

June 2013 – Peter Dunne resigns

July 2013 – Journalists described as “subversion” threat to New
Zealand Defence Force

July 2013 – Andrea Vance’s access records handed to PM’s investigator

July 2013 – Andrea Vance’s phone records handed to PM’s
investigator (and here’s a very good time line of events from Dylan)

August 2013 – Govt admits SIS has a “special protocol” for
spying on journalists

Sundry other “minor” breaches that involved only one or two people’s private information.

The Privacy Commissioner’s annual report last year includes this quote from Marie Schroff and it’s worth repeating here: 

“The public sector can’t afford to be complacent. It’s quite clear that agencies holding large amounts of personal information need to place greater value on that information asset.

“They need to develop strong leadership and a culture of respect for privacy, as well as day to day policies and practices to provide trustworthy stewardship of our personal information at every level of the organisation.

“There has been far too little focus on the fact that there are real people behind the masses of information that government agencies hold.”

 

'>

Electronic McCarthyism

/in /by

The government’s committee looking after the GCSB bill has
reported back and made very few changes in light of the overwhelming opposition
to the law change.

Currently opposed to the bill are the Privacy Commissioner,
the Human Rights Commission, InternetNZ, the Law Society, dozens of individual
submitters, the Labour party, the Green party, possibly NZ First and of course
TUANZ.

In favour of the bill is the government and, presumably, its
security allies the US, Australia, the UK and Canada.

Increasingly, New Zealand trades with China, yet it is China
that is specifically listed as a potential threat from what we can read of the
advice to government over this bill and its sister, the Telecommunications
(Interception and Security) Bill which is still proceeding unhindered through
the political process, albeit “under urgency”.

We have a number of issues with the two bills, not least of
which is the cost it will impose on the industry and which will, inevitably, be
passed on to customers.

Under the bills, not only will the telcos be required to
store information they normally wouldn’t bother with, but they’ll also be
required to consult with the GCSB over changes to the network up to and
including which vendors they wish to use.

Assume for a moment that Chinese company Huawei is making
huge inroads into network deployments around the world and that US companies
are upset by this. Assume that Huawei is providing a better product at a
cheaper price and is currently engaged by all our major telcos in one form or
another. Assume that the GCSB still thinks China is the enemy and that Huawei
is a puppet of the Chinese political system.

What will that mean for our future network deployments?

Will Telecom, Vodafone, 2Degrees, Orcon and Slingshot and
all the rest be forced to use non-Chinese technology?  Will they be required to only use “friendly”
technology providers, even if the cost is 20% more and the deployment that much
slower?

Will the GCSB balk at a request from a telco to move to technology
that passes email and TXTs through the network rather than decrypting and
storing them for future retrieval?

Will the GCSB ban Apple or Google or any other provider from
selling certain “uncrackable” products in New Zealand or ban New Zealand companies
from developing similar products for sale overseas?

In decades to come, will the GCSB be able to trawl through a
political leader’s entire online history looking for signs of being a teenager
in order to embarrass or block that person from office?

If all that seems unlikely to you then you’ll have no
problem with the bills as they stand. But even then there’s a problem.

The US Electronic Communications Privacy Act (ECPA)
specifically excludes US-based companies from providing the kind of support the
GCSB and TICS bills demand. Under this law it is illegal for US-based companies
to provide foreign intelligence services with access to such customer data.

So even if these bills are introduced, Google and Apple,
Microsoft and all the rest will be unable to comply without facing legal action
in the US, presumably from the US government itself.

We’ve not been shown any pressing need to change our laws,
and most New Zealanders it seems are unhappy about the level of intrusion into
their lives these bills represent.

Just as difficult is the position it puts New Zealand in
with regard to both our trading partner, China, and our security partner, the
United States.

We don’t need to rush into a decision. There is no “clear
and present danger” that requires New Zealand to enact these laws without first
considering the obvious ramifications both at home and abroad. We need to get
this kind of thing right, because the consequences are grave indeed.

 

The GCSB hearing

/1 Comment/in /by

All the media coverage of yesterday’s committee hearing into the GCSB bill centred on Kim Dotcom but for my money the real discussion came in Thomas Beagle’s presentation.

Thomas runs Tech Liberty and is, on reflection, one of the most principled people I know. His views are based on some very clear, well-thought out beliefs about civil liberties in the age of the all-powerful network and I agree with most of his views and ideas, albeit in a more watered down form. He’s quite right when it comes to copyright issues, the extent to which technology offers governments the ability to monitor and invade our lives and the need to counter that with some strong, clearly defined limits on those powers.

We disagree, for example, on whether there should even be a GCSB or security apparatus in New Zealand to begin with. Thomas’s view is the more principled – mine is less well founded but more pragmatic. Too many politics classes at university I fear, or perhaps not enough.

Thomas’s submission focused on two key issues: the scope of the GCSB’s reach under the new legislation and the concept of “metadata” and what that means in this day and age.

Thomas quite rightly points out that the scope of the GCSB is being extended, not tidied up as the Prime Minister would have you believe. Instead of being banned from spying on New Zealanders at home, the GCSB will be empowered to do so. This is a major leap, a huge change in both the operational parameters and the brief the GCSB works under and, when combined with Vikram Kumar’s point about the inclusion of a new role – spying not just for national security issues but also for “commercial” reasons, potentially opening up the use of the GCSB by such vital New Zealand operations as Fonterra (don’t laugh – search out the stories about the US use of Echelon to spy on Airbus on behalf of Boeing during some tense negotiations) and you’ll see scope creep of the highest order.

But it’s metadata and the definitions, or rather lack thereof, that concern me most. Metadata – information about information – can be as banal as the details you see on your phone bill. That is, it’s the information about who you called, how long you talked and what you paid. It’s not the conversation itself.

So far so what, but in this day and age of mobility, metadata includes your location because everyone of us carries a cellphone and every cellphone knows where it is in the world in order to connect to the network.

Unfortunately the GCSB bill doesn’t define metadata. It doesn’t rule it in or out of scope, it doesn’t even mention the term. We’re none the wiser as to what metadata can or cannot be gathered and neither, I suspect, is the GCSB.

I was also unimpressed with the PM’s assertion that those who don’t like it can either stay off the internet or encrypt their communications. Staying off the internet is a facile point of view and as he well knows the sister bill to this one – the Telecommunications (Interception and Security) Bill – effectively outlaws encryption that cannot be cracked by the GCSB.

New Zealand businesses need to be able to fight it out on the world stage without fear that the GCSB is handing highly important intellectual property over to US or other allied “authorities” without realising what they’re giving away. Given the news out of Europe about the level of US spying, New Zealand will have to tread very carefully on the international stage. On the one hand our security alliance is with the US and its traditional allies. On the other, our trading alliances are increasingly with those who stand on the other side of the fence – China and south east Asia.

It’s vitally important we get this right not only for Thomas’s principled views around civil liberties but also because of my pragmatic views around trade relationships. That’s a tricky position to be in and TUANZ urges the government to think carefully before plowing ahead with a law that puts both liberty and economy at risk.

Quis custodiet ipsos custodes

/2 Comments/in /by

I’ve spent the past few days talking to various journalists about the GCSB, Big Brother and spying on citizens.

To be honest, I’m a tad uncomfortable with the whole thing. Spies, spooks and state surveillance are a bit “tin foil hat” for my liking. I’ve had several emails and phone calls to the effect that I should watch out for black helicopters and that the only thing stopping the drone strike is my cellphone dropping out (seriously, what is that about? Central Auckland, no less).

In a theoretical world, the spies would spy on high priority folk like diplomats and bomb makers and other spies. They’d have secret alliances and counter-alliances and no doubt secret handshakes as well. We commoners would be below the radar and we’d be left alone to get on in peace.

In a theoretical world, we wouldn’t be bothered by any of this kind of nonsense and the only time we’d care is when the spies leave their briefcases (complete with meat pies, copies of Playboy and a file marked “TOP SECRET”) in a taxi in Wellington somewhere. Then we’d all have a laugh and go back to work.

Sadly we don’t live in such a world. Instead, we face a security service that seems keen on the idea of storing all our online communications in perpetuity on the off chance that some years from now they might want to have a poke around and pull something out that could be juicy enough to justify their endeavours. It could be a politician who is making life difficult for them, it could be a department head they’d rather see the back of, it could be a journalist who has a source and won’t say who it is.

Just as bad, if not worse, is the model that this surveillance will take. Instead of user pays, the expectation is that the telcos will have to pay for it. Store every email, TXT message and the “metadata” about every phone call? No problem – make the telcos do it. They won’t want to keep that kind of information, of course. TXT messages alone take up terabytes of space and it’s only growing. Apparently the world’s data doubles every two years – currently (according to the internet so it must be true) we have around 1.8 zettabytes of data. I have no idea how many zeros that is but the handy graphic says it’s roughly 200 billion HD movies each running for two hours.

Storing all the transient stuff (typically the “metadata” that the spooks like because they can access it without a warrant in the US) is non-trivial and is a cost the telcos wouldn’t carry other than at the behest of the government. We will end up carrying that cost, of course, because telcos pass on costs to customers.

And really, do you want a spy agency bogged down with petabytes of cat videos, Facebook postings and tweets about breakfast? Wading through that lot is also non-trivial and frankly just asking for trouble.

I also wonder just what heinous crime has been committed against New Zealand’s sovereignty that requires such a drastic step as spying on every New Zealander’s online lives. Did I miss the terrorist strike? Is Tasmania poised to invade us? Did a secretive German industrialist set up shop in New Zealand with a plan for world domination? Other than the ones we know about, obviously.

I can think of no rationale for a system that allows intelligence agencies (through a legal sleight of hand) to gather and retain information about my day to day life.

This then is the reason I’m opposed to increasing our own intelligence agencies’ abilities in this area. It isn’t based on practical matters such as cost or signal-to-noise ratio. It’s based on the basic premise that we are innocent until proven guilty and that government in all its various forms should keep its nose out of my business, regardless of how banal or tedious my life actually is.

The new GCSB bill and Telecommunications Interception bill are before parliament at the moment. Submissions on the Interception bill are due by the 13th of June and given the news breaking in the US and UK this week we’ve asked for an extension to that time line so we can better understand just what these two bills mean for New Zealanders. It’s important we get this right as there are a lot of moving parts so we need the extra time to really come to grips with just what is being proposed. Is it going to be a police state or will we retain our right to privacy. That’s what’s at stake here.

Mr Ren

/in /by

At the end of our meeting, one of my fellow inquisitors leaned over and told me “We’ve just been to a master class in politics” and I’d have to agree. Ren Zhengfei, the founder of Chinese equipment maker Huawei, dealt easily with questions of security, expansion plans, succession planning, retirement, his relationship with the Chinese Communist Party and human rights issues.

Speaking via a translator, Ren told us he is going to spend the next five to ten years reinventing Huawei, taking it away from its roots as a centrally controlled Chinese company and making it into a global de-centralised conglomerate. It’s a move from “international” to “global” – rather than sending out Chinese managers to run local operations that don’t have any true autonomy, Ren says he’d rather “those who can hear the gunfire direct operations on the ground”, and that it will be a painful time for HQ as it moves from control to a support function.

But that aside, Ren is upbeat about the future of the company. Don’t expect to see Huawei list on a stock exchange any time soon – Ren says that would change the company in a way he’s uncomfortable with. Today the company focuses on the customers – all too often he says listed companies focus on their shareholders and returning a profit to them. By ensuring that he doesn’t have to return an ever greater percentage of his revenue to shareholders, Ren can not only keep costs down but ensures customers feel they’re getting a good level of value for their money.

This intrigues me. I’ve dealt with a lot of companies over the years that say they’re customer centric. So many, in fact, that it’s almost become code for “but we will stiff you if there’s a buck in it”. Monopoly rents, cosy duopolies, not being quite evil enough to get regulated – most listed companies seem willing to operate at the edge of the acceptability envelope, sometimes stepping over the line and upsetting their customers to the point where either they flock to another provider or, if that’s not possible, the cold dead hand of regulation falls on the industry.

Locally, Ren is just as upbeat about New Zealand. We are, he says, one of the leaders in the world when it comes to telecommunications. We clearly are very dear to Ren and to Huawei – two of the three mobile operators are using Huawei kit and Ren will have been talking UFB with the government and lobbying Chorus to use its gear.

And to that end, Huawei will set up an innovation centre with Telecom NZ to help develop all the various bits and pieces that both fixed and mobile deployments will uncover.

That’s great news – as Huawei moves to a global model, where centres of excellence drive Huawei’s business, that places us if not in the inner circle then within cooee of it.

Huawei’s point of difference is often seen as being the cheapest provider around – Ren says that’s not so. If anything, the difference is maths.

Huawei’s R&D team have developed pretty smart algorithms to cope with multiple aerials, multiple spectrum ranges, multiple generations so instead of paying for a 2G and 3G network, customers paid for one network. That means the network deployment costs are a lot less which means in effect, as Ren says, Huawei is sharing the profit with its customers.

It’s a nice way of looking at it and customers seem to love it. Huawei has the lion’s share of the 4G deployments around the world and there’s no sign of it slowing down. There’s really only one speedbump on the horizon, and that’s the increasingly hysterical noise coming out of the US Trade Representatives Office about Huawei’s security risk.

Ren says Huawei isn’t doing anything in the US and isn’t likely to but it will work everywhere else, including New Zealand. Quite how that gels with the government’s proposed GCSB and Telco Intercept bills remains to be seen.

Ren is a consummate public relations man. He knows how to play to the crowd, how to get the most out of a joke even via a translator and how to say the right things at the right time, without appearing too smooth. He also has manners – and when he poured himself a glass of water, he made sure to pour one for the extremely competent, hard working translator by his side. I can’t think of another CEO at that level who would be so charming.

The Telecommunications Interception Capability and Security Bill

/2 Comments/in /by

UPDATE: I’ve been emailed by the Ministry to tell me I’ve got parts of this wrong – as I said, it’s a first take on the bill and I’m still working through all the ramifications so that’s not surprising.

I’ve included the changes and clarifications the Ministry has suggested below.

I’m working my way through the new Telecommunications
Interception Capability and Security Bill (known as TICSA) and although I’m not
done yet, there are a few issues that we need to discuss.

Basically this bill will allow the security agencies to
spy on phone calls, TXT messages, emails and other data transfers, much as they
do today under our existing law.

(EDIT: The Ministry points out that this bill is about the telcos, not the agencies themselves, and the obligations placed on the telcos themselves. Well, yes).

The current Act, in place since 2006 (EDIT: Actually, 2004) allows the security
services to contact a telco and demand they make certain communications
available to the authorities. They must have a warrant to do this – you can’t
just ring up like they do in the movies and get someone to dig around a bit.
None of the telcos would stand for that.

The Act has been working well, but apparently there are
enough issues with it to require an update – hence the new bill.

The bill deals with two key issues – network management
and interception.

Network management is new – under this proposed bill the
telcos must work with GCSB when deploying their networks, must agree to consult
with the GCSB with regard to key decisions that may affect national security
(or, I’m alarmed to read, New Zealand’s economic wellbeing, which frankly is
quite a broad addition to the old regime) and must agree to inform the GCSB
whenever it makes changes to the network that may impact on national security
(or again on our economic wellbeing).

(EDIT: The Ministry says network management is not new, that in fact the GCSB works in partnership with network operators today. That’s as may be, but the emphasis from the new bill is new and the explicit formalisation of the relationship goes beyond what is contained in the current bill)

EDIT: The Ministry says the bill:

·        
requires network operators to engage in good
faith with the government on the design, build and operation of networks where
this may affect New Zealand’s national security or economic wellbeing;

·        
requires network operators to notify the GCSB of
certain proposals such as procurement decisions or changes in relation to areas
of particular national security interest (those areas are set out in the Bill);

·        
sets out a stepped process for network operators
and the government to agree, where possible, on the response to an identified
network security risk).

Does this mean the GCSB will be directing the telcos in
their network rollouts? Does it mean certain vendors will be unable to provide
gear for certain parts of the network? Does it mean those telcos that already
use a certain provider (I’m thinking here specifically of Huawei but it could
be anyone) be excluded from certain key government contracts?

This rings alarm bells for me because any government
involvement beyond wanting to simply use the networks is fraught. These are
commercial entities that already face challenging economic times and adding in
yet another layer of complexity is far from ideal.

The other half other half of the bill covers interception
and the idea that the telcos must make their networks “able to be
intercepted” should the need arise.

(EDIT: The Ministry would like me to point out that the current bill requires telcos to work with government agencies. Yes, that’s a given – I’m not suggesting they aren’t already doing some of this.)

Here I must confess to some moral ambiguity. On the one
hand, government-led security services have no business demanding we hand over
anything that may incriminate us. If the police (or SIS or GCSB) want to prove
I’m breaking the law then it’s up to them to prove it. I should not, as an
individual, be required to help. I’m innocent until proven guilty – that is,
unless I own a computer and then I’m required by law to help the police find
evidence to convict me.

Think I’m making that up? It’s part of the Crimes Act,
introduced post 911 to help police get round the tricky business of people
using this newfangled “encryption” stuff to hide their crooked
business dealings.

For me, this is taken to a whole new level by the
requirement on telcos that their networks be made “able to be
intercepted” (is that “interceptable”? Computer says no). Now my
telco is required to help the police prove I’m a criminal. This upsets me
greatly, not because I am a criminal but because I shouldn’t have to prove that
I’m not.

Having said that, I know the police have solved some
fairly major crimes by having access to telco records and I know that the
creation of the internet has been one of the biggest boons in policing of those
responsible for child pornography. The internet is a giant copying machine and
anyone sharing objectionable material leaves a trail a mile wide.

So I’m torn on the general need for interception at this
level. It also annoys me that the security services are, in effect, outsourcing
the entire thing to the telcos and demanding that the telcos spend money on
staff and technology which, if left to their own devices, would not be needed
in the day-to-day commercial running of the network. These things all add cost
to the network operators’ budgets and it’s a cost that doesn’t deliver a return
so it will indeed get passed on to users, yet again.

The bill introduces a multi-stage approach to defining
its telcos. If you’re a small operator or a wholesale-only operator, the
interception requirement is less than if you’re a fully-fledged telco with lots
of customers. You’re only required to make your network “intercept
ready” or “intercept accessible” whereas the big telcos have to
provide the full intercept capability. Oh and the minister (one of three
ministers) can decide which category you fall into as the need arises.

The law also says it applies to companies based in New
Zealand or overseas, which is entertaining. Quite how the bill can be applied
to, say, a VPN service based in Uzbekistan is an interesting one, but this
catch-all concept means that the new TICSA will be applied to Facebook, Google,
Yahoo and all the other “over the top” providers (including
presumably Skype and Viber) as well.

Apparently the security agencies already deal with such
offshore entities whenever they need to, but this bill will formalise that
arrangement.

Curiously, the bill also gives the government the ability
to ban a product if the government decides it can’t be made interceptable.
Imagine, if you will, the TUANZ encrypted email and storage service that makes
sure your highly sensitive documents are stored and transmitted with the
greatest of encryption levels. If the security agencies decide that’s going to
be a problem, the government will simply ban us from offering it.

Interestingly, they won’t necessarily tell me about it
(if TUANZ was based off shore) but rather would tell the telcos and ISPs in New
Zealand that it was banned, because they would be deemed to be
“reselling” the service, even though all the ISP are doing is giving
my customers access to the service. And if they don’t remove the service from
“sale” in New Zealand they’re liable for fines that accumulate on a
daily basis.

On top of all that, we have a police-held register of
ISPs and telcos, which must be kept up to date at all times. Yes, we’re getting
a “licensed ISP” regime without any of the benefits.

All of this concerns me. We’ll need to submit on it, if
the government opens up the bill to public submission (something it may choose
to avoid). While I’m always wary of getting involved in any conversation about
security agencies and various tin-foil hat (black tin-foil hat, no less)
conspiracies, I do object to having my right to privacy treated in a cavalier
manner. Hopefully we can make some suggestions that will improve this bill
before it’s passed into law.

For more reading on this I suggest you have a look at
Thomas Beagle’s excellent piece over at Tech Liberty. Thomas is a much faster
reader than I am and he’s done a good job of working through the various parts
of the bill. We’ll need to do a lot more of that before the government gets to
decide on interception of our communications.

Interception

/in /by

The government is going to update the Telecommunications Interception Act which came into effect in 2004.

Nearly a decade on it’s a good idea to review these things and to make sure we have a process that works, that the need is still the same, that the players involved are still doing the same things in the same way.

The Act allows the police, or SIS or GCSB, to call on the telcos for information about customers. Typically this involves a search warrant or similar legal document made out about a particular customer’s account. Telcos can then intercept TXT messages or phone calls or data connections. They can track email trails, they can locate cellphones using GPS or cellsite triangulation. They can access your communications.

Typically the telcos take this kind of intrusion very seriously indeed. They have teams that handle these enquiries, they move with urgency and they get the job done.

(Incidentally, this is partly why the copyright notices cost $25 each – the same team that considers whether or not a search warrant is valid will also look at a copyright infringement notice because both documents are legally challenging and because they involve infringing on a customer’s privacy to a huge degree. It’s not as simple as looking up the records for an IP address and sending on the notice.)

The government says the Act needs updating. It says there are two arms to this legislation – interception and network security.

Interception seems to me, at any rate, to be working well. The telcos respond quickly (I’ve not heard of a telco not responding in a timely fashion) but won’t have a bar of the government agencies taking shortcuts. For a while there was talk of the police faxing through warrants rather than showing up. That was deemed unacceptable pretty sharpishly and I haven’t heard anything similar since then.

Network security, likewise, works well. The GCSB stays out of the way and the telcos roll out state of the art deployments that should be as secure as they can be. Ironically, the Act requires the telcos make their networks hackable – that is, the Act itself is a single point of weakness, albeit one tucked away inside the networks’ operation centres. Left to their own devices, the telcos wouldn’t be willing to entertain any question about their security capabilities. It’s a selling point, it’s basic hygiene and it’s vital to their on-going commercial role.

So what needs fixing?

Well, since 2004 the telco world has changed. No longer do we buy all our services from our telcos. Instead we buy a pipe and get our services from other providers.

Currently these over the top providers (OTT) offer TXT, email and data-centric comms but shortly I’m sure it’ll be voice as well (think Viber, Skype and the like). These services show up to the network operators as bits of data, encrypted by a third party player, sent from one device to another. They have little visibility of what the content is (they can make an educated guess of course – certain services use certain ports, for example) and they certainly can’t crack that encryption to see what’s going on.

Over the top providers don’t always need the telcos’ support to operate, so it makes it very difficult for the telcos to capture this data on behalf of agencies which might, in say three months’ time or a year or more, need to access it.

The new Bill will, apparently, require the telcos to work closely with the GCSB on network security.

I wonder what that means. Will the telcos (private, commercial entities) be required to do things the way the GCSB wants? Will they be required to build things in to their networks that they might not want to include? Things that give them no commercial benefit?

Secondly, I wonder what the enforcement protocols are all about. Are the telcos moving so slowly they need a kick in the pants? What kind of enforcement are we talking about – monetary? Something else? Will we need to start registering telcos in some formal manner so we can revoke that registration should they not fall into line?

Will we be introducing a regime that forces telcos to somehow crack the security of Microsoft, of Google, of Apple? How will that fly with these companies? How enforceable is that from New Zealand?

And if we think about it, aren’t these OTT providers telcos in and of themselves? Don’t we consider Microsoft, for example, to be a telco? It owns Skype – clearly the world’s biggest telco – and it sells OTT services that used to be the purview of the telcos. Surely our definition of what a telco is needs to be updated?

Let’s take Microsoft’s Office 365 as an example. If you buy it from Dick Smith, you get a box with a code and away you go to download and use the service. If you buy it online from Microsoft itself they don’t bother with the box, but the product is the same.

Buy it from a telco (a Gen-i or a system integrator for example) and it’s a telco service and will be governed by the Interception Act. Will that not drive customers to avoid the telcos? Will that not cost the telcos in terms of both lost sales and implementation costs?

The danger is of course that all this cost will be dumped on the telcos. There’s no commercial gain to the telcos in doing any of this – the storage needed, the interception gear required, the teams they’ll have to pay to make it all work – so that cost will be passed on to the users.

On top of that, we run the risk of trying to do the impossible. If a government says simply “make it so” and steps back, we could see telcos being penalised for not hacking Gmail accounts. Is that what we need? Is that going to do anyone any good at all?

Without knowing what the problem is the government wants to solve, it’s rather tricky to understand where this is all going. All of the above is based on the Minister’s press release, which is rather brief. The Bill itself will be available next month and TUANZ will be taking a close look at the detail. It’s important we get this right because if we get it wrong the consequences could be quite miserable.