Take note New Zealanders!
Revealed: govt plans secret orders to service providers once spy bill becomes law
Vikram Kumar
18 August, 2013

[Since the first draft of the legislation, we have known the TICS Bill -
the companion legislation to the GCSB Bill - makes it mandatory for
telecommunications network operators (e.g. Telecom, Vodafone,
2degrees) to make their networks interceptable. The Bill leaves it to
the ICT Minister's discretion whether this provision is extended to
cover service providers - defined as companies that provide a
telecommunications service, but that do not operate a network.
Examples of service providers include the likes of Microsoft with its
Skype service, Google with Talk and Hangouts and Apple's FaceTime and
iMessage. Almost any online service is on the table - Editor]

The government is planning to issue secret orders to service providers
when the Telecommunications (Interception Capability and Security) Bill
("TICS Bill") becomes law to force them to create
interception capability for surveillance agencies. This has been
approved by cabinet and is therefore official government policy.

What's not clear is whether the mechanism of a Ministerial directive will
also be used to gag the service provider. Or is the secrecy merely a guise to
allow compliant service providers to pretend they haven't been forced
to create a backdoor for the government?

Either way, the impact on New Zealand online service providers, and New
Zealand as a country, could be truly devastating.

In response to a request under the Official Information Act in my personal
capacity, I received nine documents and merged them into one. The combined
document can be viewed or downloaded from Scribd.

I was expecting the documents to be heavily redacted and information
narrowly limited to the scope of my request. That they are. What I
wasn't expecting was something that, as far as I know, has never been
publicly disclosed or discussed before.

Para 104 of the December 2012 "Technical Paper:
Telecommunications Interception Capability and Network Security"
by MBIE (page 19 of the combined document); para 109 of the paper to
the Cabinet Committee on Domestic and External Security Coordination
(page 62); and para 37 of the Cabinet paper (page 74) all confirm the
same thing:

A Ministerial directive will be used to secretly/confidentially impose
an obligation to create interception capabilities by individually
named service providers (referred to as "deem-in" but what
I call a backdoor) "so as not to publicly announce a lack of
capability in a particular service."

The Government is therefore going to be using secret orders to specific
service providers directing the creation of interception capability,
allowing real-time access by surveillance agencies.

"Service providers" in the TICS Bill is very wide and includes every
online service to end-users, including those that aren't normally
considered a telecommunications service as such. The authorised
surveillance agencies are the SIS, GCSB, NZ Police, and any
government department declared to be one for that purpose.

Coming across plans for secret Ministerial directives was completely
unexpected.

I can see nothing in the TICS Bill that requires a service provider to
keep a Ministerial directive secret.

If secrecy is compulsory, there needs to be some sort of gag order,
otherwise the service provider could make the secret directive
public.

Competitive disadvantage

The stated rationale of secrecy is to minimise competitive disadvantage
to the directed service provider.

If the 'bad guys' know a particular service provider has been forced to
provide the Government with a backdoor, they will simply use other
providers of the same service. This defeats the very purpose of
requiring the interception capability and puts the directed service
provider at a commercial disadvantage. Actually, it is likely to ruin
the service provider.

As the 'bad guys' move from service to service in response to the
government's 'whack-a-mole' approach of progressively forcing more
and more service providers to create backdoors, the whole exercise
becomes self-defeating.

The government's use of secret Ministerial directives seems a way to
counter this by not letting people know which service provider has
been forced to create a backdoor.

However, the consequences of this approach are very damaging and
dangerous - when you don't know who to trust, you trust no one. There
will be a loss of confidence across all service providers in New Zealand.
A lack of information is quickly filled by rumour and FUD (fear,
uncertainty and doubt).

As an example of just how bad the consequences are, consider how there
is now a loss of trust in all US-based online service providers from
Snowden's revelations. While there may be debate about the exact nature
of the backdoor, there is no doubt that 9 online companies - Microsoft,
Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple - do provide
the US Government with secret, lawful access. Gag orders make things
worse - two email providers facing actual or potential secret orders
have shut down but are unable to provide any real information, stoking
FUD.

As a consequence of the loss of trust, The Information Technology &
Innovation Foundation (ITIF) has projected a $35 billion loss to US cloud
companies. A Forrester analyst projects global losses at $180 billion.
Meanwhile, European companies are likely to get an advantage over New
Zealand and US companies, including a greater push to keep things within
Europe.

Official government policy

Examples from around the world show just how corrosive secret spying
capability orders and gag orders are to trustworthiness, both to the
country and its online service providers. Secrecy also aids compliant
online service providers, happy to go along with the Government
without insisting on a warrant, protected by the Principle 11
exceptions in the Privacy Act. A real corporate-government
surveillance partnership.

Secret orders, secret compliance, secret evidence in courts... we just need
secret courts to complete New Zealand's descent into a totalitarian
state.

People will quickly figure out that they have no way of knowing which
particular service provider has or hasn't given the government a
backdoor. The logical approach would be to assume that all service
providers are compromised.

Which business is going to take the risk that their, say, Board papers or
accounts, are secretly available in real-time to the NZ Police, SIS,
GCSB, and the Five Eyes partners? In particular, overseas businesses
will be spooked from doing business with any New Zealand based online
service provider. They will know that warrants can be issued to
safeguard New Zealand's economic well-being just as easily as they
are for national security and law enforcement.

Will this strengthen the case for the likes of Google and Microsoft to
pull out of New Zealand rather than risk getting a secret directive
for a backdoor from the ICT Minister?

Will New Zealand cloud companies decide to move out to more democratic
countries?

In the name of protecting online service providers from competitive
disadvantage, the Government could well ruin the entire New Zealand
online services industry. The economic impact on New Zealand online
service providers and the country's international standing could be
truly devastating.

Rather than seize the moment to be a global leader in enacting sensible,
proportionate and effective laws, the Government is making laws 'just
in case' they are required in the future, with no evidence that
service providers are part of the problem. I hope others will join me
in calling for the Government to not go down this path. Once trust is
lost, getting it back is going to be difficult if not impossible.