Posts

The Telecommunications Interception Capability and Security Bill

/2 Comments/in /by

UPDATE: I’ve been emailed by the Ministry to tell me I’ve got parts of this wrong – as I said, it’s a first take on the bill and I’m still working through all the ramifications so that’s not surprising.

I’ve included the changes and clarifications the Ministry has suggested below.

I’m working my way through the new Telecommunications
Interception Capability and Security Bill (known as TICSA) and although I’m not
done yet, there are a few issues that we need to discuss.

Basically this bill will allow the security agencies to
spy on phone calls, TXT messages, emails and other data transfers, much as they
do today under our existing law.

(EDIT: The Ministry points out that this bill is about the telcos, not the agencies themselves, and the obligations placed on the telcos themselves. Well, yes).

The current Act, in place since 2006 (EDIT: Actually, 2004) allows the security
services to contact a telco and demand they make certain communications
available to the authorities. They must have a warrant to do this – you can’t
just ring up like they do in the movies and get someone to dig around a bit.
None of the telcos would stand for that.

The Act has been working well, but apparently there are
enough issues with it to require an update – hence the new bill.

The bill deals with two key issues – network management
and interception.

Network management is new – under this proposed bill the
telcos must work with GCSB when deploying their networks, must agree to consult
with the GCSB with regard to key decisions that may affect national security
(or, I’m alarmed to read, New Zealand’s economic wellbeing, which frankly is
quite a broad addition to the old regime) and must agree to inform the GCSB
whenever it makes changes to the network that may impact on national security
(or again on our economic wellbeing).

(EDIT: The Ministry says network management is not new, that in fact the GCSB works in partnership with network operators today. That’s as may be, but the emphasis from the new bill is new and the explicit formalisation of the relationship goes beyond what is contained in the current bill)

EDIT: The Ministry says the bill:

·        
requires network operators to engage in good
faith with the government on the design, build and operation of networks where
this may affect New Zealand’s national security or economic wellbeing;

·        
requires network operators to notify the GCSB of
certain proposals such as procurement decisions or changes in relation to areas
of particular national security interest (those areas are set out in the Bill);

·        
sets out a stepped process for network operators
and the government to agree, where possible, on the response to an identified
network security risk).

Does this mean the GCSB will be directing the telcos in
their network rollouts? Does it mean certain vendors will be unable to provide
gear for certain parts of the network? Does it mean those telcos that already
use a certain provider (I’m thinking here specifically of Huawei but it could
be anyone) be excluded from certain key government contracts?

This rings alarm bells for me because any government
involvement beyond wanting to simply use the networks is fraught. These are
commercial entities that already face challenging economic times and adding in
yet another layer of complexity is far from ideal.

The other half other half of the bill covers interception
and the idea that the telcos must make their networks “able to be
intercepted” should the need arise.

(EDIT: The Ministry would like me to point out that the current bill requires telcos to work with government agencies. Yes, that’s a given – I’m not suggesting they aren’t already doing some of this.)

Here I must confess to some moral ambiguity. On the one
hand, government-led security services have no business demanding we hand over
anything that may incriminate us. If the police (or SIS or GCSB) want to prove
I’m breaking the law then it’s up to them to prove it. I should not, as an
individual, be required to help. I’m innocent until proven guilty – that is,
unless I own a computer and then I’m required by law to help the police find
evidence to convict me.

Think I’m making that up? It’s part of the Crimes Act,
introduced post 911 to help police get round the tricky business of people
using this newfangled “encryption” stuff to hide their crooked
business dealings.

For me, this is taken to a whole new level by the
requirement on telcos that their networks be made “able to be
intercepted” (is that “interceptable”? Computer says no). Now my
telco is required to help the police prove I’m a criminal. This upsets me
greatly, not because I am a criminal but because I shouldn’t have to prove that
I’m not.

Having said that, I know the police have solved some
fairly major crimes by having access to telco records and I know that the
creation of the internet has been one of the biggest boons in policing of those
responsible for child pornography. The internet is a giant copying machine and
anyone sharing objectionable material leaves a trail a mile wide.

So I’m torn on the general need for interception at this
level. It also annoys me that the security services are, in effect, outsourcing
the entire thing to the telcos and demanding that the telcos spend money on
staff and technology which, if left to their own devices, would not be needed
in the day-to-day commercial running of the network. These things all add cost
to the network operators’ budgets and it’s a cost that doesn’t deliver a return
so it will indeed get passed on to users, yet again.

The bill introduces a multi-stage approach to defining
its telcos. If you’re a small operator or a wholesale-only operator, the
interception requirement is less than if you’re a fully-fledged telco with lots
of customers. You’re only required to make your network “intercept
ready” or “intercept accessible” whereas the big telcos have to
provide the full intercept capability. Oh and the minister (one of three
ministers) can decide which category you fall into as the need arises.

The law also says it applies to companies based in New
Zealand or overseas, which is entertaining. Quite how the bill can be applied
to, say, a VPN service based in Uzbekistan is an interesting one, but this
catch-all concept means that the new TICSA will be applied to Facebook, Google,
Yahoo and all the other “over the top” providers (including
presumably Skype and Viber) as well.

Apparently the security agencies already deal with such
offshore entities whenever they need to, but this bill will formalise that
arrangement.

Curiously, the bill also gives the government the ability
to ban a product if the government decides it can’t be made interceptable.
Imagine, if you will, the TUANZ encrypted email and storage service that makes
sure your highly sensitive documents are stored and transmitted with the
greatest of encryption levels. If the security agencies decide that’s going to
be a problem, the government will simply ban us from offering it.

Interestingly, they won’t necessarily tell me about it
(if TUANZ was based off shore) but rather would tell the telcos and ISPs in New
Zealand that it was banned, because they would be deemed to be
“reselling” the service, even though all the ISP are doing is giving
my customers access to the service. And if they don’t remove the service from
“sale” in New Zealand they’re liable for fines that accumulate on a
daily basis.

On top of all that, we have a police-held register of
ISPs and telcos, which must be kept up to date at all times. Yes, we’re getting
a “licensed ISP” regime without any of the benefits.

All of this concerns me. We’ll need to submit on it, if
the government opens up the bill to public submission (something it may choose
to avoid). While I’m always wary of getting involved in any conversation about
security agencies and various tin-foil hat (black tin-foil hat, no less)
conspiracies, I do object to having my right to privacy treated in a cavalier
manner. Hopefully we can make some suggestions that will improve this bill
before it’s passed into law.

For more reading on this I suggest you have a look at
Thomas Beagle’s excellent piece over at Tech Liberty. Thomas is a much faster
reader than I am and he’s done a good job of working through the various parts
of the bill. We’ll need to do a lot more of that before the government gets to
decide on interception of our communications.

Interception

/in /by

The government is going to update the Telecommunications Interception Act which came into effect in 2004.

Nearly a decade on it’s a good idea to review these things and to make sure we have a process that works, that the need is still the same, that the players involved are still doing the same things in the same way.

The Act allows the police, or SIS or GCSB, to call on the telcos for information about customers. Typically this involves a search warrant or similar legal document made out about a particular customer’s account. Telcos can then intercept TXT messages or phone calls or data connections. They can track email trails, they can locate cellphones using GPS or cellsite triangulation. They can access your communications.

Typically the telcos take this kind of intrusion very seriously indeed. They have teams that handle these enquiries, they move with urgency and they get the job done.

(Incidentally, this is partly why the copyright notices cost $25 each – the same team that considers whether or not a search warrant is valid will also look at a copyright infringement notice because both documents are legally challenging and because they involve infringing on a customer’s privacy to a huge degree. It’s not as simple as looking up the records for an IP address and sending on the notice.)

The government says the Act needs updating. It says there are two arms to this legislation – interception and network security.

Interception seems to me, at any rate, to be working well. The telcos respond quickly (I’ve not heard of a telco not responding in a timely fashion) but won’t have a bar of the government agencies taking shortcuts. For a while there was talk of the police faxing through warrants rather than showing up. That was deemed unacceptable pretty sharpishly and I haven’t heard anything similar since then.

Network security, likewise, works well. The GCSB stays out of the way and the telcos roll out state of the art deployments that should be as secure as they can be. Ironically, the Act requires the telcos make their networks hackable – that is, the Act itself is a single point of weakness, albeit one tucked away inside the networks’ operation centres. Left to their own devices, the telcos wouldn’t be willing to entertain any question about their security capabilities. It’s a selling point, it’s basic hygiene and it’s vital to their on-going commercial role.

So what needs fixing?

Well, since 2004 the telco world has changed. No longer do we buy all our services from our telcos. Instead we buy a pipe and get our services from other providers.

Currently these over the top providers (OTT) offer TXT, email and data-centric comms but shortly I’m sure it’ll be voice as well (think Viber, Skype and the like). These services show up to the network operators as bits of data, encrypted by a third party player, sent from one device to another. They have little visibility of what the content is (they can make an educated guess of course – certain services use certain ports, for example) and they certainly can’t crack that encryption to see what’s going on.

Over the top providers don’t always need the telcos’ support to operate, so it makes it very difficult for the telcos to capture this data on behalf of agencies which might, in say three months’ time or a year or more, need to access it.

The new Bill will, apparently, require the telcos to work closely with the GCSB on network security.

I wonder what that means. Will the telcos (private, commercial entities) be required to do things the way the GCSB wants? Will they be required to build things in to their networks that they might not want to include? Things that give them no commercial benefit?

Secondly, I wonder what the enforcement protocols are all about. Are the telcos moving so slowly they need a kick in the pants? What kind of enforcement are we talking about – monetary? Something else? Will we need to start registering telcos in some formal manner so we can revoke that registration should they not fall into line?

Will we be introducing a regime that forces telcos to somehow crack the security of Microsoft, of Google, of Apple? How will that fly with these companies? How enforceable is that from New Zealand?

And if we think about it, aren’t these OTT providers telcos in and of themselves? Don’t we consider Microsoft, for example, to be a telco? It owns Skype – clearly the world’s biggest telco – and it sells OTT services that used to be the purview of the telcos. Surely our definition of what a telco is needs to be updated?

Let’s take Microsoft’s Office 365 as an example. If you buy it from Dick Smith, you get a box with a code and away you go to download and use the service. If you buy it online from Microsoft itself they don’t bother with the box, but the product is the same.

Buy it from a telco (a Gen-i or a system integrator for example) and it’s a telco service and will be governed by the Interception Act. Will that not drive customers to avoid the telcos? Will that not cost the telcos in terms of both lost sales and implementation costs?

The danger is of course that all this cost will be dumped on the telcos. There’s no commercial gain to the telcos in doing any of this – the storage needed, the interception gear required, the teams they’ll have to pay to make it all work – so that cost will be passed on to the users.

On top of that, we run the risk of trying to do the impossible. If a government says simply “make it so” and steps back, we could see telcos being penalised for not hacking Gmail accounts. Is that what we need? Is that going to do anyone any good at all?

Without knowing what the problem is the government wants to solve, it’s rather tricky to understand where this is all going. All of the above is based on the Minister’s press release, which is rather brief. The Bill itself will be available next month and TUANZ will be taking a close look at the detail. It’s important we get this right because if we get it wrong the consequences could be quite miserable.