The GCSB hearing

All the media coverage of yesterday’s committee hearing into the GCSB bill centred on Kim Dotcom but for my money the real discussion came in Thomas Beagle’s presentation.

Thomas runs Tech Liberty and is, on reflection, one of the most principled people I know. His views are based on some very clear, well-thought-out beliefs about civil liberties in the age of the all-powerful network and I agree with most of his views and ideas, albeit in a more watered down form. He’s quite right when it comes to copyright issues, the extent to which technology offers governments the ability to monitor and invade our lives and the need to counter that with some strong, clearly defined limits on those powers.

We disagree, for example, on whether there should even be a GCSB or security apparatus in New Zealand to begin with. Thomas’s view is the more principled – mine is less well founded but more pragmatic. Too many politics classes at university I fear, or perhaps not enough.

Thomas’s submission focused on two key issues: the scope of the GCSB’s reach under the new legislation and the concept of “metadata” and what that means in this day and age.

Thomas quite rightly points out that the scope of the GCSB is being extended, not tidied up as the Prime Minister would have you believe. Instead of being banned from spying on New Zealanders at home, the GCSB will be empowered to do so. This is a major leap, a huge change in both the operational parameters and the brief the GCSB works under. Combine that with Vikram Kumar’s point about the inclusion of a new role – spying not just for national security issues but also for “commercial” reasons, potentially opening up the use of the GCSB by such vital New Zealand operations as Fonterra (don’t laugh – search out the stories about the US use of Echelon to spy on Airbus on behalf of Boeing during some tense negotiations) – and you’ll see scope creep of the highest order.

But it’s metadata and the definitions, or rather lack thereof, that concern me most. Metadata – information about information – can be as banal as the details you see on your phone bill. That is, it’s the information about who you called, how long you talked and what you paid. It’s not the conversation itself.

So far so what, but in this day and age of mobility, metadata includes your location because every one of us carries a cellphone and every cellphone knows where it is in the world in order to connect to the network.

Unfortunately the GCSB bill doesn’t define metadata. It doesn’t rule it in or out of scope, it doesn’t even mention the term. We’re none the wiser as to what metadata can or cannot be gathered and neither, I suspect, is the GCSB.

I was also unimpressed with the PM’s assertion that those who don’t like it can either stay off the internet or encrypt their communications. Staying off the internet is a facile point of view and as he well knows the sister bill to this one – the Telecommunications (Interception and Security) Bill – effectively outlaws encryption that cannot be cracked by the GCSB.

New Zealand businesses need to be able to fight it out on the world stage without fear that the GCSB is handing highly important intellectual property over to US or other allied “authorities” without realising what they’re giving away. Given the news out of Europe about the level of US spying, New Zealand will have to tread very carefully on the international stage. On the one hand our security alliance is with the US and its traditional allies. On the other, our trading alliances are increasingly with those who stand on the other side of the fence – China and south east Asia.

It’s vitally important we get this right not only for Thomas’s principled views around civil liberties but also because of my pragmatic views around trade relationships. That’s a tricky position to be in and TUANZ urges the government to think carefully before plowing ahead with a law that puts both liberty and economy at risk.

Quis custodiet ipsos custodes

I’ve spent the past few days talking to various journalists about the GCSB, Big Brother and spying on citizens.

To be honest, I’m a tad uncomfortable with the whole thing. Spies, spooks and state surveillance are a bit “tin foil hat” for my liking. I’ve had several emails and phone calls to the effect that I should watch out for black helicopters and that the only thing stopping the drone strike is my cellphone dropping out (seriously, what is that about? Central Auckland, no less).

In a theoretical world, the spies would spy on high priority folk like diplomats and bomb makers and other spies. They’d have secret alliances and counter-alliances and no doubt secret handshakes as well. We commoners would be below the radar and we’d be left alone to get on in peace.

In a theoretical world, we wouldn’t be bothered by any of this kind of nonsense and the only time we’d care is when the spies leave their briefcases (complete with meat pies, copies of Playboy and a file marked “TOP SECRET”) in a taxi in Wellington somewhere. Then we’d all have a laugh and go back to work.

Sadly we don’t live in such a world. Instead, we face a security service that seems keen on the idea of storing all our online communications in perpetuity on the off chance that some years from now they might want to have a poke around and pull something out that could be juicy enough to justify their endeavours. It could be a politician who is making life difficult for them, it could be a department head they’d rather see the back of, it could be a journalist who has a source and won’t say who it is.

Just as bad, if not worse, is the model that this surveillance will take. Instead of user pays, the expectation is that the telcos will have to pay for it. Store every email, TXT message and the “metadata” about every phone call? No problem – make the telcos do it. They won’t want to keep that kind of information, of course. TXT messages alone take up terabytes of space and it’s only growing. Apparently the world’s data doubles every two years – currently (according to the internet so it must be true) we have around 1.8 zettabytes of data. I have no idea how many zeros that is but the handy graphic says it’s roughly 200 billion HD movies each running for two hours.

Storing all the transient stuff (typically the “metadata” that the spooks like because they can access it without a warrant in the US) is non-trivial and is a cost the telcos wouldn’t carry other than at the behest of the government. We will end up carrying that cost, of course, because telcos pass on costs to customers.

And really, do you want a spy agency bogged down with petabytes of cat videos, Facebook postings and tweets about breakfast? Wading through that lot is also non-trivial and frankly just asking for trouble.

I also wonder just what heinous crime has been committed against New Zealand’s sovereignty that requires such a drastic step as spying on every New Zealander’s online life. Did I miss the terrorist strike? Is Tasmania poised to invade us? Did a secretive German industrialist set up shop in New Zealand with a plan for world domination? Other than the ones we know about, obviously.

I can think of no rationale for a system that allows intelligence agencies (through a legal sleight of hand) to gather and retain information about my day to day life.

This then is the reason I’m opposed to increasing our own intelligence agencies’ abilities in this area. It isn’t based on practical matters such as cost or signal-to-noise ratio. It’s based on the basic premise that we are innocent until proven guilty and that government in all its various forms should keep its nose out of my business, regardless of how banal or tedious my life actually is.

The new GCSB bill and Telecommunications Interception bill are before parliament at the moment. Submissions on the Interception bill are due by the 13th of June and given the news breaking in the US and UK this week we’ve asked for an extension to that timeline so we can better understand just what these two bills mean for New Zealanders. It’s important we get this right as there are a lot of moving parts so we need the extra time to really come to grips with just what is being proposed. Is it going to be a police state or will we retain our right to privacy? That’s what’s at stake here.

Mr Ren

At the end of our meeting, one of my fellow inquisitors leaned over and told me “We’ve just been to a master class in politics” and I’d have to agree. Ren Zhengfei, the founder of Chinese equipment maker Huawei, dealt easily with questions of security, expansion plans, succession planning, retirement, his relationship with the Chinese Communist Party and human rights issues.

Speaking via a translator, Ren told us he is going to spend the next five to ten years reinventing Huawei, taking it away from its roots as a centrally controlled Chinese company and making it into a global de-centralised conglomerate. It’s a move from “international” to “global” – rather than sending out Chinese managers to run local operations that don’t have any true autonomy, Ren says he’d rather “those who can hear the gunfire direct operations on the ground”, and that it will be a painful time for HQ as it moves from control to a support function.

But that aside, Ren is upbeat about the future of the company. Don’t expect to see Huawei list on a stock exchange any time soon – Ren says that would change the company in a way he’s uncomfortable with. Today the company focuses on the customers – all too often he says listed companies focus on their shareholders and returning a profit to them. By ensuring that he doesn’t have to return an ever greater percentage of his revenue to shareholders, Ren can not only keep costs down but also ensure customers feel they’re getting a good level of value for their money.

This intrigues me. I’ve dealt with a lot of companies over the years that say they’re customer centric. So many, in fact, that it’s almost become code for “but we will stiff you if there’s a buck in it”. Monopoly rents, cosy duopolies, not being quite evil enough to get regulated – most listed companies seem willing to operate at the edge of the acceptability envelope, sometimes stepping over the line and upsetting their customers to the point where either they flock to another provider or, if that’s not possible, the cold dead hand of regulation falls on the industry.

Locally, Ren is just as upbeat about New Zealand. We are, he says, one of the leaders in the world when it comes to telecommunications. We clearly are very dear to Ren and to Huawei – two of the three mobile operators are using Huawei kit and Ren will have been talking UFB with the government and lobbying Chorus to use its gear.

And to that end, Huawei will set up an innovation centre with Telecom NZ to help develop all the various bits and pieces that both fixed and mobile deployments will uncover.

That’s great news – as Huawei moves to a global model, where centres of excellence drive Huawei’s business, that places us if not in the inner circle then within cooee of it.

Huawei’s point of difference is often seen as being the cheapest provider around – Ren says that’s not so. If anything, the difference is maths.

Huawei’s R&D team have developed pretty smart algorithms to cope with multiple aerials, multiple spectrum ranges, multiple generations so instead of paying for a 2G and 3G network, customers paid for one network. That means the network deployment costs are a lot less which means in effect, as Ren says, Huawei is sharing the profit with its customers.

It’s a nice way of looking at it and customers seem to love it. Huawei has the lion’s share of the 4G deployments around the world and there’s no sign of it slowing down. There’s really only one speedbump on the horizon, and that’s the increasingly hysterical noise coming out of the US Trade Representatives Office about Huawei’s security risk.

Ren says Huawei isn’t doing anything in the US and isn’t likely to but it will work everywhere else, including New Zealand. Quite how that gels with the government’s proposed GCSB and Telco Intercept bills remains to be seen.

Ren is a consummate public relations man. He knows how to play to the crowd, how to get the most out of a joke even via a translator and how to say the right things at the right time, without appearing too smooth. He also has manners – and when he poured himself a glass of water, he made sure to pour one for the extremely competent, hard working translator by his side. I can’t think of another CEO at that level who would be so charming.


The government is going to update the Telecommunications Interception Act which came into effect in 2004.

Nearly a decade on it’s a good idea to review these things and to make sure we have a process that works, that the need is still the same, that the players involved are still doing the same things in the same way.

The Act allows the police, or SIS or GCSB, to call on the telcos for information about customers. Typically this involves a search warrant or similar legal document made out about a particular customer’s account. Telcos can then intercept TXT messages or phone calls or data connections. They can track email trails, they can locate cellphones using GPS or cellsite triangulation. They can access your communications.

Typically the telcos take this kind of intrusion very seriously indeed. They have teams that handle these enquiries, they move with urgency and they get the job done.

(Incidentally, this is partly why the copyright notices cost $25 each – the same team that considers whether or not a search warrant is valid will also look at a copyright infringement notice because both documents are legally challenging and because they involve infringing on a customer’s privacy to a huge degree. It’s not as simple as looking up the records for an IP address and sending on the notice.)

The government says the Act needs updating. It says there are two arms to this legislation – interception and network security.

Interception seems to me, at any rate, to be working well. The telcos respond quickly (I’ve not heard of a telco not responding in a timely fashion) but won’t have a bar of the government agencies taking shortcuts. For a while there was talk of the police faxing through warrants rather than showing up. That was deemed unacceptable pretty sharpishly and I haven’t heard anything similar since then.

Network security, likewise, works well. The GCSB stays out of the way and the telcos roll out state of the art deployments that should be as secure as they can be. Ironically, the Act requires the telcos make their networks hackable – that is, the Act itself is a single point of weakness, albeit one tucked away inside the networks’ operation centres. Left to their own devices, the telcos wouldn’t be willing to entertain any question about their security capabilities. It’s a selling point, it’s basic hygiene and it’s vital to their on-going commercial role.

So what needs fixing?

Well, since 2004 the telco world has changed. No longer do we buy all our services from our telcos. Instead we buy a pipe and get our services from other providers.

Currently these over-the-top (OTT) providers offer TXT, email and data-centric comms but shortly I’m sure it’ll be voice as well (think Viber, Skype and the like). These services show up to the network operators as bits of data, encrypted by a third party player, sent from one device to another. They have little visibility of what the content is (they can make an educated guess of course – certain services use certain ports, for example) and they certainly can’t crack that encryption to see what’s going on.

Over-the-top providers don’t always need the telcos’ support to operate, so it makes it very difficult for the telcos to capture this data on behalf of agencies which might, in say three months’ time or a year or more, need to access it.

The new Bill will, apparently, require the telcos to work closely with the GCSB on network security.

I wonder what that means. Will the telcos (private, commercial entities) be required to do things the way the GCSB wants? Will they be required to build things into their networks that they might not want to include? Things that give them no commercial benefit?

Secondly, I wonder what the enforcement protocols are all about. Are the telcos moving so slowly they need a kick in the pants? What kind of enforcement are we talking about – monetary? Something else? Will we need to start registering telcos in some formal manner so we can revoke that registration should they not fall into line?

Will we be introducing a regime that forces telcos to somehow crack the security of Microsoft, of Google, of Apple? How will that fly with these companies? How enforceable is that from New Zealand?

And if we think about it, aren’t these OTT providers telcos in and of themselves? Don’t we consider Microsoft, for example, to be a telco? It owns Skype – clearly the world’s biggest telco – and it sells OTT services that used to be the purview of the telcos. Surely our definition of what a telco is needs to be updated?

Let’s take Microsoft’s Office 365 as an example. If you buy it from Dick Smith, you get a box with a code and away you go to download and use the service. If you buy it online from Microsoft itself they don’t bother with the box, but the product is the same.

Buy it from a telco (a Gen-i or a system integrator for example) and it’s a telco service and will be governed by the Interception Act. Will that not drive customers to avoid the telcos? Will that not cost the telcos in terms of both lost sales and implementation costs?

The danger is of course that all this cost will be dumped on the telcos. There’s no commercial gain to the telcos in doing any of this – the storage needed, the interception gear required, the teams they’ll have to pay to make it all work – so that cost will be passed on to the users.

On top of that, we run the risk of trying to do the impossible. If a government says simply “make it so” and steps back, we could see telcos being penalised for not hacking Gmail accounts. Is that what we need? Is that going to do anyone any good at all?

Without knowing what the problem is the government wants to solve, it’s rather tricky to understand where this is all going. All of the above is based on the Minister’s press release, which is rather brief. The Bill itself will be available next month and TUANZ will be taking a close look at the detail. It’s important we get this right because if we get it wrong the consequences could be quite miserable.