Posts

Collateral Damage

Hat tip to former InternetNZ Chief Executive Vikram Kumar
for his discovering that the TICS and GSCB bills include forcing telcos to
install backdoors
into their networks.

This goes a long way past “making sure the data can be
handed over to the authorities” which we’re still unhappy with and goes a long
way out of my comfort zone, especially given the way international intelligence
agencies are using their powers around the world.

So what’s driving the government rush to enact these laws?
Can it be that New Zealand is a hot bed of international terrorists and that we
need to severely curtail public freedoms in order to ensure our on-going
security?

Clearly this isn’t the case. Nor was it the case when the
Urewera raids took place under the auspices of anti-terrorist activity –
charges that were later withdrawn and eventually dropped entirely from the
case.

But even that wasn’t the start to all of this. An online
chat with Judge David Harvey reminded me of the Crimes Amendment Act,
introduced in 2003 which took away our right to remain silent.

Sorry, did you not realise?

If you own a computer (roughly 110% of the population these
days) you’d better know exactly what’s on it, including those pesky system
files that you’ve neither seen nor looked at, because under the Crimes
Amendment Act, you’re entirely responsible for files on your computer.

In addition, if you have encrypted files (I presume I have)
then you’re required by law to hand over the encryption keys to those files.

So if, for argument’s sake, you have a system file somewhere
that you’ve never seen and which you’ve no way of decrypting, you’re still
responsible for it and if a nice policeman taps you on the shoulder and says
“decrypt that file” you’re up for three months’ jail and a fine of $2000 if you
don’t comply.

Harvey described that as synonymous with a police officer
asking you where you were “on the night in question” and you refusing to answer
– something you’re perfectly entitled to do 
– and then ending up in the cells for three months.

Even with that level of intrusion we aren’t quite at the
source, because I remembered an even earlier conversation about the
International Law Enforcement Telecommunications Seminar
(ILETS).

In 1999, ILETS was telling police representatives from
around the world that what the world really needs is a terrorist event of grand
enough scale that the citizens will clamour for police intervention on a
massive scale. Indeed, ILETS (of which New Zealand was a member) encouraged
participants to draft legislation and PR strategies ready for the day when such
an event would occur and which would then give these agencies the support
needed to get bills passed in the various parliaments.

ILETS was set up by the FBI in the early 1990s and included
representatives from New Zealand, Australia, the UK, US and Canada (sound
familiar?) to promote a “universal wiretap ability” in the newly emerging
internet world.

Governments would be encouraged to gradually allow police
and affiliated agencies more powers to monitor and track movements online so as
to ensure police agencies were able to keep up with criminals. Terrorists were
just an excuse.

From there we moved on to the Search and Surveillance Act, introduced in 2012 and the expansion of police powers that included. 

Today we face the introduction of the badly flawed GCSB bill
and shortly, the TICS bill. Both will enable relevant security agencies (and
the police, and potentially IRD and potentially all manner of other government
agency) to access our most secret data and indeed track our real-world
movements thanks to those handy GPS-enabled tracking devices we all carry.

I’m all in favour of the police having the right tools for
the job. If there was evidence that nefarious agents were using encrypted
pathways to communicate and to plan illegal activities, that massive online
money laundering were taking place, that terrorist cells were active or even present
in New Zealand and that we faced a clear and present danger, then I would
support giving the right agencies the right tools. But no such evidence has
been presented or even hinted at, and the badly-drafted laws mean our nascent
cloud computing industry might well be snuffed out before it gets off the
ground in a commercial “blue on blue” incident.

New Zealand needs access to world’s best IT practices if
we’re to compete. We can and should grow our own businesses to take part in the
global economy. We should be able to buy in the best of breed hardware and
technology needed to enable our economy to grow.

Yet these laws mean we won’t be able to do that. Local
businesses won’t be able to deploy internationally because our laws mean
they’ll have to hand over sensitive customer data to New Zealand officials, and
who would buy such a product? International businesses will have to decide
whether or not to operate in such an environment locally, and some businesses
could potentially be excluded from New Zealand because of the laws themselves.
Will Apple or Google chose to operate in New Zealand under laws that contradict
and are explicitly outlawed in the US
? Will Huawei be able to build world class
infrastructure here if they’re not on the “friendly” list?

The collateral damage from these bills has the potential to
be huge. The cost of implementation alone is likely to be massive and will be
borne by the telcos and network operators who will, of course, pass it on to
customers, but the lost opportunity for our ICT industry could potentially
dwarf even that price.

Ian Apperley, an independent cloud computing consultant who blogs at whatisitwellington.com, has written a great piece about the potential size of the market and the cost if we miss out.

It’s a quick and dirty economic analysis but I suspect that’s more than we’ve undertaken at government level.

Electronic McCarthyism

The government’s committee looking after the GCSB bill has
reported back and made very few changes in light of the overwhelming opposition
to the law change.

Currently opposed to the bill are the Privacy Commissioner,
the Human Rights Commission, InternetNZ, the Law Society, dozens of individual
submitters, the Labour party, the Green party, possibly NZ First and of course
TUANZ.

In favour of the bill is the government and, presumably, its
security allies the US, Australia, the UK and Canada.

Increasingly, New Zealand trades with China, yet it is China
that is specifically listed as a potential threat from what we can read of the
advice to government over this bill and its sister, the Telecommunications
(Interception and Security) Bill which is still proceeding unhindered through
the political process, albeit “under urgency”.

We have a number of issues with the two bills, not least of
which is the cost it will impose on the industry and which will, inevitably, be
passed on to customers.

Under the bills, not only will the telcos be required to
store information they normally wouldn’t bother with, but they’ll also be
required to consult with the GCSB over changes to the network up to and
including which vendors they wish to use.

Assume for a moment that Chinese company Huawei is making
huge inroads into network deployments around the world and that US companies
are upset by this. Assume that Huawei is providing a better product at a
cheaper price and is currently engaged by all our major telcos in one form or
another. Assume that the GCSB still thinks China is the enemy and that Huawei
is a puppet of the Chinese political system.

What will that mean for our future network deployments?

Will Telecom, Vodafone, 2Degrees, Orcon and Slingshot and
all the rest be forced to use non-Chinese technology?  Will they be required to only use “friendly”
technology providers, even if the cost is 20% more and the deployment that much
slower?

Will the GCSB balk at a request from a telco to move to technology
that passes email and TXTs through the network rather than decrypting and
storing them for future retrieval?

Will the GCSB ban Apple or Google or any other provider from
selling certain “uncrackable” products in New Zealand or ban New Zealand companies
from developing similar products for sale overseas?

In decades to come, will the GCSB be able to trawl through a
political leader’s entire online history looking for signs of being a teenager
in order to embarrass or block that person from office?

If all that seems unlikely to you then you’ll have no
problem with the bills as they stand. But even then there’s a problem.

The US Electronic Communications Privacy Act (ECPA)
specifically excludes US-based companies from providing the kind of support the
GCSB and TICS bills demand. Under this law it is illegal for US-based companies
to provide foreign intelligence services with access to such customer data.

So even if these bills are introduced, Google and Apple,
Microsoft and all the rest will be unable to comply without facing legal action
in the US, presumably from the US government itself.

We’ve not been shown any pressing need to change our laws,
and most New Zealanders it seems are unhappy about the level of intrusion into
their lives these bills represent.

Just as difficult is the position it puts New Zealand in
with regard to both our trading partner, China, and our security partner, the
United States.

We don’t need to rush into a decision. There is no “clear
and present danger” that requires New Zealand to enact these laws without first
considering the obvious ramifications both at home and abroad. We need to get
this kind of thing right, because the consequences are grave indeed.