NZ spy law could rock nation’s ICT sector


By Dylan Bushell-Embling
Thursday, 08 August, 2013


NZ spy law could rock nation’s ICT sector

Proposed new bills from the New Zealand government that would grant more powers to spy on residents and new monitoring obligations for service providers have attracted strong criticism.

The amendments have so far prompted nationwide demonstrations from New Zealand citizens, objections from technology giants including Google and Microsoft, and hacking-based protests from a group calling itself Anonymous NZ.

One of the laws would allow the Government Communications Security Bureau (GCSB) to intercept the communications of New Zealanders on behalf of the police, defence forces and security agency NZSIS.

It would drop a section prohibiting spying activity on New Zealanders as it applies to the domestic functions of the bureau.

Current law governing the GCSB effectively makes it unlawful for the GCSB to conduct spying on New Zealand permanent residents. This includes the bureau’s work spying on Megaupload co-founder Kim Dotcom prior to his arrest for copyright violation on behalf of the US in 2012.

But New Zealand’s Attorney General has argued that the intent of the original GCSB law was to allow domestic surveillance, and that this is only disallowed due to sloppy wording.

The amendment would also allow for the collection of metadata from New Zealanders under a warrant signed by the Prime Minister.

While the proposed amendment has undergone some changes at the behest of the political opposition - including the removal of a mechanism that would have allowed other agencies to be authorised to request GCSB assistance - its passage through parliament has still been delayed.

A second contentious proposed amendment would update the obligations of service providers operating in New Zealand to provide lawful interception capabilities for police and intelligence agencies.

One change would specify a duty for service providers to assist with circumventing encryption. The amendment would apply to both domestic companies and international companies with a presence in the market.

New Zealand network operators would also be obliged to report security breaches to the GCSB, and to work with the Bureau - and through it the government - on network security matters that might affect New Zealand’s national security or economic health.

InternetNZ chief executive Jordan Carter said the two bills “raise serious legal and economic issues that must be resolved. The proposed rules would enable wider state surveillance of private communications without appropriate safeguards for internet users’ privacy.”

The bills are lacking in proper oversight, he said, putting the PM at the centre of the GCSB without the input of a panel or a judge.

InternetNZ has recommended changes including requiring an active judge to sign up on interception warrants, and a clearer explanation of how metadata will be handled.

Telecommunications Users’ Association of New Zealand (TUANZ) CEO Paul Brislen said the two amendments together “represent a gross extension of the powers of the GCSB, and will mean phone companies become de facto collectors of all New Zealanders’ information on the basis that it could be useful at some point in the future”.

The amendments could have a severe impact on New Zealand ISPs and the ICT industry, he warned. “The GCSB will have final say on changes to key network elements, and can go so far as to veto the choice of commercial partners,” he said. “No more Huawei-built equipment.”

New Zealand software companies will be unable to produce secure applications that can’t be cracked by the GCSB, which will affect their competitiveness overseas, he added. And Google, Apple and Microsoft are probably unable to comply with the rules due to US privacy laws, so may have to pull out of the market.

IBRS advisor Jorn Bettin said the bills could also make New Zealand networks less secure. “The legislation directly encourages the construction of highly centralised and brittle information architectures,” he said, noting that the best way to reduce risk exposure partly involves moving to decentralised network architectures.

The concerns over the lack of oversight, the scope of the bills and the reach it would give the GCSB must be addressed before they can be passed, TUANZ’s Brislen said. “But unfortunately it looks like the government is content to drag the GCSB into a political bloodbath rather than build consensus on the matter.”

Image courtesy Terry Robinson

Related Articles

Strategies for navigating Java vulnerabilities

Java remains a robust and widely adopted platform for enterprise applications, but staying ahead...

Not all cyber risk is created equal

The key to mitigating cyber exposure lies in preventing breaches before they happen.

How AI can help businesses manage their cyber risks

Artificial intelligence can be a powerful ally in the fight against cyberthreats.


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd