Q+A Paul Brislen and Russel Norman Interview and Amy Adams
New Spy Bill Will Hold Kiwi ICT Companies
Source: TVNZ – One News Story
Another spy bill making its way through Parliament is raising concerns for the future of the technology sector in New Zealand.
The Telecommunications Interception Capability and Security (TICS) Bill would, with a warrant, force telecommunications companies and online service providers like Google and Apple to give the GCSB access to users' private information.
Telcos would also have to consult with the GCSB when developing new products and services.
Telecommunications Users Association of New Zealand chief executive Paul Brislen told TV ONE's Q+A this morning that the bill could affect what international services are offered in New Zealand and may hold Kiwi companies back from making it internationally.
"The GCSB will have to advise telcos on how they build their network, which parts they add, what they remove, the structure of the network itself even presumably down to which vendors they use to build the network."
He described that consultation process as a "great concern".
"If we're out of step with most of the other places that are being innovative and developing new software products to sell overseas, New Zealand will once again miss out on the opportunities that that provides."
But Minister for Communications and Information Technology Amy Adams said Mr Brislen's fear for the New Zealand technology sector was based on misinformation that suggested the TICS bill provided a "back door" for the GCSB to gather information.
"If you're a network operator, you should consult with the GCSB on the design of critical parts of your infrastructure. It doesn't give the GCSB the right to veto it, it doesn't give them the right to control how the network runs, and interestingly, it doesn't apply at all to ICT companies who are service providers."
It would actually reduce the compliance cost on ICT companies, she said.
All the bill does is look at how police or other agencies, who have a warrant, work with the GCSB, Ms Adams said.
"This sort of implication that this is a great new power grab is simply wrong," she said.
"There is no back door, there is no ability for the GCSB to get extra information under this bill, there is no ability to access stored or historic data, it is simply about real-time interception."
Real-time interception of communications is critical to solving "most, almost all" of the serious cases police deal with, she said, and as a result the bill is really about protecting New Zealanders from crime.
"And I think most New Zealanders accept there's a need for that."
Service providers already have a "duty to assist" police in their investigations under the current law, she said.
NZ's cyber security agency?
Mr Brislen and Green Party co-leader Russel Norman argued that the GCSB should not be the country's cyber security agency.
"I think the industry had a lot more faith in an arm's length industry... rather than giving a spy agency the role of oversight and management," Mr Brislen said.
Mr Norman agreed, saying that it would be difficult to look at what agencies working with the GCSB were doing.
"In terms of freedom, it's a slow moving thing. You're not going to notice tomorrow that you feel like you're more constrained."
He compared the legislation to the 1991 Building Act, saying that leaky houses didn't start appearing the next year, but ten years down the track.
"Likewise, once we give these powers to these agencies they'll grow in confidence over time and they'll start to access more and more of our data.
"Do we really want our cyber security agency to be the GCSB? Because it does have conflicts of interest."
Mega chief executive Vikram Kumar said internet users should assume that the Government is able to access everything they do on sites like Facebook, Gmail and Twitter whenever it likes.
"Assume that everything online is being recorded, stored and analysed, at least for maybe five to 10 years," he said.
Q+A, 11-midday Sundays on TV ONE and one hour later on TV ONE plus 1. Streamed live
Thanks to the support from NZ On Air.
CORIN DANN INTERVIEWS PAUL BRISLEN AND RUSSEL NORMAN
Joining us now is Paul Brislen from TUANZ in the studio and Greens Co-Leader Russel Norman in Wellington. Good morning to you both. I’ll start with you, Paul. Why, again, should we be so worried about this legislation? Isn’t this just the mechanics of what we’ve been debating re: the GCSB Bill?
PAUL BRISLEN - Telecommunications Users Association of NZ
Well, it is, in many respects. We’ve decided we can spy on New Zealanders, and this is going to frame up how we’re going to do that. But there are a series of concerns. And, as you saw in the clip, [from Dita de Boni] how will this affect international services being offered here? How will it affect the telcos themselves? Because the GCSB gains a new role in all of this, which is oversight of the building of the networks, but also for us, we’ve got a concern around what it will mean for those companies that are based in NZ trying to sell their electronic goods overseas - whether they will be able to-
CORIN So that’s the economic damage, potentially. But let’s just start with the issue of the expansion of powers. Is this an expansion of powers? They will be able to spy on things they couldn’t previously?
PAUL They will be able to look at things they couldn’t previously, but, for my money, um, the important-
CORIN What like? Can you give us some examples?
PAUL Well, uh, I mean, previously they weren’t allowed to look at New Zealanders or residents of NZ at all legally. That’s now solidified under the GCSB Bill. This takes it a step further. The GCSB will be able to- will have to advise telcos on how they build their network, which parts they add, what they remove, the structure of the network itself, even, presumably, down to which vendors they use to build the network. So that’s going to be a great concern to companies like Huawei, which are under grave suspicion in the United States, and you’ve got a real issue there around whether this is a security matter or a free trade matter from the American point of view.
CORIN All right. Russel Norman, you’ve described the GCSB Bill, obviously, as a threat to freedom. How can it be a threat to freedom when they still need a warrant to get this information? I mean, there has to be- there’s oversight there.
RUSSEL NORMAN - Greens
They need a warrant for some of it. I mean, if you’re targeting foreign communications, you don’t need a warrant, even though you might in the process also intercept NZ communications-
CORIN But John Key has said in the first instance, certainly, he won’t allow access to those New Zealanders’ content.
RUSSEL Well, if you recall, John Key, what he said is he went on national television and said, ‘Oh, no, under this law, they can’t look at the content of the emails.’ And then he had to correct his statement and said, actually, they can. So I’m pretty dubious about the Prime Minister’s statement on any of this. I mean, you know, in terms of freedom, right, you know, it’s a slow-moving thing. So you’re not going to notice tomorrow that suddenly you feel like you’re more constrained just because the bill’s passed. But it’s a bit like the ’91 Building Act. Like, when National pushed that through, we didn’t have leaky houses the next year, but 10 years down the track, you find that we’ve got a whole problem with leaky houses. Likewise, once we give these powers to these agencies, they’ll grow in confidence over time, and they’ll start to access more and more data.
CORIN But that’s why we’ve got greater oversight that’s been put into the legislation. That’s what that’s there for.
RUSSEL Well, I mean, if you look at the legislation, we don’t really have significantly greater oversight at all. The Intelligence and Security Committee, the only democratic oversight, still basically can’t look at what these agencies are doing. So there still isn’t any fundamental democratic oversight.
CORIN Isn’t there a bit of scaremongering here? Because there’s the perception that they’re suddenly going to be able to look at all your Facebook and all that sort of stuff, but only with a warrant, and we’re talking nine, 10 cases a year so far, aren’t we?
RUSSEL Well, it’s true that the GCSB, according to the Kitteridge Report, was only acting illegally nine times a year, or so they tell us. We don’t really know what the truth is, how often they’re acting unlawfully. What we do know is under the GCSB Bill, the information that they’re able to get via this bill, the TICS Bill that we’re talking about now, they can pass to US agencies. Um, so it is kind of like the GCSB Bill provided the legal framework; this bill provides some of the technical backdoor so they can get a backdoor into your provider, get the information, pass it to their Five Eyes network. I mean, I think the bigger point we’ve got to ask ourselves is does it really make sense to have the GCSB as our cyber security agency? Because this is our external spying agency, do we really want our cyber security agency to be the GCSB? Because it does have conflicts of interest.
CORIN Ok, I’ll come to you, Paul Brislen. You were nodding there. You agree with that?
PAUL Yeah. We used to have an agency called the Centre for Critical Infrastructure Protection, which was run by the GCSB but at arm’s length. That was subsumed into the GCSB some time ago. I think the industry had a lot more faith in an arm’s length agency whose role was purely to look after the security of network infrastructure, rather than giving a spy agency the role of oversight and management.
CORIN How worried are you - Russel Norman touched on this - about our reputation as an independent country, with the US involvement, Five Eyes, those types of things, if this is seen as too heavy handed by our government?
PAUL Well, that’s right. It is a big issue, because our trading partners are the very people that we’re supposed to be keeping an eye on from a security point of view. We’re talking about China, South-East Asia, in many respects. It wasn’t that long ago that the Americans were using data taken from the Five Eyes predecessor, Echelon, and using that to sway negotiations between Boeing and Airbus, and NZ was dragged into that discussion quite unnecessarily.
CORIN But these are big-picture trade issues. Why should the average New Zealander be worried about that?
PAUL We have most of our dairy trade at the moment residing with one country, with China. They’re our biggest trading partner in terms of dairying, and yet we’re now signing deals in a security sense that put us on the other side of the fence with the Americans.
CORIN And is there a risk also that we’re going to see a stifling of the IT industry? Entrepreneurs, those types of things, who are going to be put off because of these extra rules?
PAUL Well, that’s the concern. If we are out of step with most of the other places that are being innovative and developing new software products to sell overseas, NZ will once again miss out on the opportunities that that provides. If we are seen to be a country that will allow backdoors to be built in, will allow the Americans access to private information, then potentially we are tainted with that brush. You know, organisations like Vikram [Kumar] with Mega provide a valuable service. A secure and encrypted locker that you can store files in. I run a business. I want to keep things secure for my shareholders, so why on earth would I then allow a NZ company to take that information and potentially give it to the American government?
CORIN And, Russel Norman, do you have concerns about obviously, again, those links overseas? I mean, can you explain to New Zealanders why we should be worried about whether the NSA or whoever else might be working with the GCSB?
RUSSEL Well, I mean, the GCSB is part of this Five Eyes network.
CORIN But they’re our traditional alliance. They’re our allies.
RUSSEL And the head of that network is the NSA in the United States, and that is now absolutely proven to be engaged in systematic, broad-scale surveillance of their citizens, and so that’s what the Five Eyes network is now up to. The GCHQ has been proved to be engaged in this as well in the UK. Why would we want to be engaged in that kind of thing? I think, um, the encryption stuff is interesting as well in that the reason why I think that’s interesting - and this is the conflict of interest for the GCSB - on the one hand, we’re moving a lot towards encryption, and people are going to encrypt more and more to protect their security. On the other hand, the GCSB doesn’t want encryption, and yet that’s what consumers are going to be moving towards. So the operator of the network, which is what the GCSB is going to become, won’t want exactly what consumers want, so we’re going to have this conflict between the two.
CORIN Russel Norman, we’ll have to leave it there. Green Party Co-Leader, thank you very much. And Paul Brislen from TUANZ.
PAUL Thank you.
CORIN DANN INTERVIEWS AMY ADAMS
Amy Adams is the minister responsible for the Telecommunications Interception Capability and Security Bill. She says there’s a lot of misinformation around the bill, and she joins Corin now.
Misinformation? What misinformation is there?
AMY ADAMS - Communications and IT Minister
Well, for example, in your lead-in piece, there was talk of a backdoor that’s going to allow the GCSB access to whole new swathes of information. That’s simply not correct. So, what this bill is doing is, first of all, looking at when there is a warrant, when there is a proper, lawful reason for the police or one of our agencies to look at data- And remember that that’s a critical part of law enforcement in this country. All this bill does is look at how those agencies work with the telecommunications companies to give effect to it. The laws we’ve had around this have been in place since 2004, but what we’ve noticed over that time is that the industry structure has changed significantly, and we now need to update that legislation to ensure it’s still appropriate. So this sort of implication that somehow this is a great, new power grab is simply wrong. There is no backdoor, there is no ability for the GCSB to get extra information under this bill, there is no ability to access stored or historic data. It is simply about real-time interception.
CORIN So what do they do, then? Because surely those telcos hold that information there for a certain amount of time so that in the event that you have a warrant, you can get it.
AMY No. This regime is entirely around real-time interception. And if you talk to the police, they are very clear that actually the ability to access real-time communication information is critical to solving almost all of the serious cases in NZ. So if we want to talk about protecting New Zealanders from crime, protecting New Zealanders from unlawful intrusion into their data, that is what this legislation is about.
CORIN So, let me just clarify here that information stored - say, someone’s internet traffic, Facebook comments from years gone by - you’re saying-
AMY This bill has nothing to do with it.
CORIN You’re saying the GCSB can never get access to that material?
AMY What I’m saying is this legislation does not provide any ability for any agency to access stored data. And, actually, when you look at how many of the supposed experts in the space are making allegations to the contrary, you really have to wonder whether they’ve even read the bill.
CORIN Why not, though, get access to that data?
AMY Well, I’m not saying that’s the case, but you’ve asked me on to talk about the TICS legislation, and I want to be really clear. There is nothing in the TICS legislation that puts a backdoor into any company, a backdoor into any network, gives the GCSB any wider powers than they already have or allows any access to stored data. This is simply about- In the main, it’s police accessing real-time communications to prevent and prosecute major crime. And I think that’s something most New Zealanders accept there’s a very real need for.
CORIN Ok, but we’ve heard from the likes of Google, from the likes of Microsoft. They are all complaining about this bill. It is heavy-handed, it is draconian, forcing them to do things they don’t want to do.
AMY Well, there’s two things there. So, first of all, in my view, if you’re an offshore multinational, you have to comply with the same laws that we expect NZ companies to comply with, and that’s what Google and Microsoft are upset about. They don’t think that anyone who’s offshore should have to comply. Now, actually, in my view, if you’re selling services in NZ to New Zealanders, we expect you to comply-
CORIN So, we’re talking about Skype and those sorts of things, aren’t we?
AMY Well, that’s right. So, the legislation currently, so the law we’re already working under, says that any of these service providers have a duty to assist. Now, what that means is that they have to provide all reasonable assistance. That’s already the law. That will still be the law.
CORIN But previously- But this is where there clearly is an expansion, because previously you wouldn’t have been able to access the likes of Skype or Google Chat or Microsoft Chat services.
AMY Well, that’s wrong, Corin. That’s wrong. So, the law right now says that all of those service providers have a duty to assist, which means they have to take all reasonable steps to comply with the warrant.
CORIN But you’ve given yourself powers in this law to call them in. Why put those powers in the law if you didn’t need to?
AMY Ok, so, what the legislation says is that the duty to assist that already applies continues to apply. And what we’ve said is that if, in the future, there is a need to step up from an operational basis to a higher level of pre-investment, then there’s a process for us to work through that.
CORIN What does that mean? A higher level of pre-investment?
AMY So, what that means is right now, if you’re a service provider, so if you’re a Google or a Skype, then you have to provide all reasonable steps to assist. That’s already the law. That will still be the law. That does not change. If, in the future, we find that operational reasons mean that it’s actually more useful for those companies to have pre-investment in the capability- So, rather than saying, ‘Yep, I’ll help. If you’ve got a warrant, come in and we’ll work with you to get the information we need, pre-provide some of that service, then we can work through a process to do it.’ The law doesn’t do it now because, frankly, there’s not the need or the process. But we have set up an ability for the law in time-
CORIN But you’re obviously worried that people that you’re targeting for whatever reason are using these over-the-top services, and you’re not even going to tell New Zealanders whether in fact you’re going to require them to play ball.
AMY No, well, that’s not entirely true, either. So, if, for example, we were to expand the obligations to a class of provider, that’s done under regulations, and all the normal processes would be followed. So if it’s a one-off, case-by-case application, then it may be done confidentially if there’s a good reason, or it may be perfectly open, and we’d have to work through that as it applies. But let me be really clear - these sorts of obligations are already in place in Australia, they’re already in place in the UK, and they’re very similar to what’s in place in the US. This is not unusual. This is not a new thing.
CORIN That’s exactly the point that Russel Norman was making. He’s saying that this is taking us down the path towards the NSA in PRISM who have been found to have done widespread state surveillance.
AMY No, not at all, because Russel and, frankly, the last segment completely confused the discussion around the GCSB Bill, which, frankly, Russel has been running a campaign of misinformation on for some time to score points. Completely confusing that with what’s in this legislation. This is technical legislation around how lawful warrants are given effect to, and updating it, actually, is very sensible and reflects the modern reality of communication.
CORIN Ok, let’s move on from a, sort of, debate about the expansion of powers and the debate- Also, the IT industry’s saying this is going to scare off entrepreneurs, investors who want to get in, you know, small IT companies in NZ. Too much cost, too much of a burden.
AMY Yeah, but, again, look at what they’ve based that on. They’ve based that on the assumption that there’s a backdoor, which there simply is not. They’ve based it on the assumption that there’s an ability to access stored data, which there is not. They’ve based it on the assumption the GCSB has a right to dictate how they run their networks, which is completely incorrect.
CORIN But it’s in the law that they could face a $500,000 fine if they don’t provide services to the GCSB.
AMY No. So, what it says in the law is that if you are a network operator, you should consult with the GCSB on the design of critical parts of your infrastructure. It doesn’t give the GCSB the right to veto it. It doesn’t give them the right to control how the network runs, and, interestingly, it doesn’t apply at all to ICT companies who are service providers. It doesn’t apply at all. Now, actually, what the bill does, and the Regulatory Impact Statement makes this very clear, is reduce the compliance cost burden on ICT companies. So I would just suggest when these people are out there sort of chucking huge figures around that they need to go back and look at their assumptions. And, actually, my suggestion is that how are we going to invest anyone into the NZ ICT space if we can’t give assurance that our networks are secure, are resilient-?
CORIN Just one final point on that. You are going to be involved in the building of networks as well. Is that a sign that you were worried about the likes of Huawei from China coming here?
AMY No, I think what it’s saying is that right now we know that the GCSB has access to all sorts of threats and risk information that your average telco company doesn’t. So at the moment, what happens is the telcos usually come to the GCSB on an informal basis and work with them to identify if there are any threats they need to be aware of. That is completely non-legislated, it’s not transparent, and it’s certainly not a requirement. And, interestingly, in October last year, it was the Opposition who were jumping up and down, saying, ‘Why isn’t the government going to take steps to ban this company or ban that company?’ We don’t have the power to right now. This legislation would say that, actually, if there was a threat, we would have power to respond.
CORIN Amy Adams, thank you very much for your time.
AMY You’re welcome.