Here we go again. The Government’s penchant for novel laws is again taking an axe to the Internet in New Zealand. This time its legislative gun is trained on lawful interception and network security. Unfortunately, that gun isn’t going to be firing a silver bullet but wildly spraying grief for New Zealanders. Even the gung ho Americans are taking the time to talk, think through the complex issues, and refine their approach.
The legislative bullet is the Telecommunications (Interception Capability and Security) Bill or TICS Bill for short. The Bill covers ‘network operators’, ‘service providers’ and ‘resold overseas telco services’ in the name of national security, law enforcement and that vague term, economic well-being. In this post, I am taking a service provider view as it is an area where the Bill isn’t trying to formalise existing work with the NZ telcos.
In the Bill, a service provider is defined as “any person [other than a network operator] who provides a telecommunications service to an end-user”. Common examples include companies providing Voice over IP (Skype), email (Google), and messaging (Facebook, Twitter, Xbox as well as apps like iMessage, Viber, Snapchat, and WhatsApp). It also covers non-commercial services, e.g. remote access to employees.
It should be obvious that no service provider wants its services to be used for attacking a country’s national security interests and lawful action by enforcement authorities. Instead of whipping out the legislative gun, the Government should be first talking to service providers on the best ways to achieve this common goal. Service providers will be able to provide insights that the Government simply does not have on the complex technical, operational, financial and security issues.
While the Government has been talking to network operators for some time (though they rushed the TICS Bill in the end, probably to align with the so called urgency of the GCSB Bill), there has been no consultation with service providers that I’m aware of. Indeed, ‘consultation’ is insufficient in this case. There needs to be open and transparent discussions so that New Zealanders are fully aware of what’s going on and why it is justified. Service providers need to be treated as partners sharing a common goal.
Lack of evidence
During the first reading of the TICS Bill in Parliament, no National MP bothered to say more than a few lines. Absolutely no evidence or even description of the problems the Government is trying to solve by putting a jackboot to service providers have been presented during the debate or elsewhere. How can anyone then evaluate whether the proposed powers are proportionate, reasonable or even adequate? What happened to evidence-based policy making?
There have been some bland statements about the need to keep up with “faster, smarter, and globally reaching technologies, networks, and services.” That the law needs to keep up is true but where is the evidence of the size and nature of the real problems we face today? A far better way, as the Privacy Act shows, to keep laws relevant and up to date is a principles based approach.
Introducing the TICS Bill without publishing the Regulatory Impact Statement, especially when it could impose such huge costs on businesses that some of them may decide it is better to shut down, should be considered completely unacceptable by New Zealanders. Particularly given that it was completed on 12th March. The same goes for a Bill of Rights assessment.
Unbounded discretionary power
The TICS Bill provides unbounded and vast discretionary powers to Government and Ministers.
Take ‘national security’. It is not defined anywhere in the Bill. Yet the Bill provides for national security and law enforcement to be given primacy over service availability, compliance costs and innovation. A surveillance agency can use the pretext of not revealing classified information to impose such costs and technical requirements on a service provider (or a class of service providers) as to drive it out of business or frustrate non-commercial operations.
On the application of a surveillance agency (Police, SIS, GCSB, and any government department declared to be a law enforcement agency for the purposes of the TICS Bill) the Minister can require a service operator (or a class of service operators) to provide full interception capability like a network operator. There is a provision for the Minister’s directions to be looked at by a three member review panel but, again, there is unbounded discretion.
The only saving grace, if one can call it that, is that service providers aren’t lumped with intrusive meddling by the GCSB in the name of ‘preventing or mitigating network security risks’ like network operators are.
The absence of checks and balances, so vital to our democracy, in the name of keeping up with technological change and powers that may be needed ‘just in case’ is disingenuous.
It will be interesting to see how the likes of Microsoft, Google, Apple, Facebook, etc. react if the Government imposes requirements for full or partial interception capabilities on them. Will they really give the New Zealand Government a backdoor or spy on their customers and hand over decrypted messages in (or near) real time? That sounds highly unlikely.
Or, is the Government arming itself with these discretionary and intrusive powers to take action against select New Zealand based service providers over which it holds more sway? Some of these service providers may decide the costs and technical complexities are simply not worth it, leading to a big loss to the economy and innovative services for New Zealanders. That would be a big imposition in the absence of evidence of huge problems and risks today.
(To emphasise the obvious, the views here are my own and do not represent those of my employer or any other organisation.)