Interception: what needs fixing

The government is going to update the Telecommunications Interception Act which came into effect in 2004.

Nearly a decade on it's a good idea to review these things and to make sure we have a process that works, that the need is still the same, that the players involved are still doing the same things in the same way.

The Act allows the police, or SIS or GCSB, to call on the telcos for information about customers. Typically this involves a search warrant or similar legal document made out about a particular customer's account. Telcos can then intercept TXT messages or phone calls or data connections. They can track email trails, they can locate cellphones using GPS or cellsite triangulation. They can access your communications.

Typically the telcos take this kind of intrusion very seriously indeed. They have teams that handle these enquiries, they move with urgency and they get the job done.

(Incidentally, this is partly why the copyright notices cost $35 each - the same team that considers whether or not a search warrant is valid will also look at a copyright infringement notice because both documents are legally challenging and because they involve infringing on a customer's privacy to a huge degree. It's not as simple as looking up the records for an IP address and sending on the notice.)

The government says the Act needs updating. It says there are two arms to this legislation - interception and network security.

Interception seems to me, at any rate, to be working well. The telcos respond quickly (I've not heard of a telco not responding in a timely fashion) but won't have a bar of the government agencies taking shortcuts. For a while there was talk of the police faxing through warrants rather than showing up. That was deemed unacceptable pretty sharpishly and I haven't heard anything similar since then.

Network security, likewise, works well. The GCSB stays out of the way and the telcos roll out state of the art deployments that should be as secure as they can be. Ironically, the Act requires the telcos make their networks hackable - that is, the Act itself is a single point of weakness, albeit one tucked away inside the networks' operation centres. Left to their own devices, the telcos wouldn't be willing to entertain any question about their security capabilities. It's a selling point, it's basic hygiene and it's vital to their on-going commercial role.

So what needs fixing?

Well, since 2004 the telco world has changed. No longer do we buy all our services from our telcos. Instead we buy a pipe and get our services from other providers.

Currently these over the top providers (OTT) offer TXT, email and data-centric comms but shortly I'm sure it'll be voice as well (think Viber, Skype and the like). These services show up to the network operators as bits of data, encrypted by a third party player, sent from one device to another. They have little visibility of what the content is (they can make an educated guess of course - certain services use certain ports, for example) and they certainly can't crack that encryption to see what's going on.

Over the top providers don't always need the telcos' support to operate, so it makes it very difficult for the telcos to capture this data on behalf of agencies which might, in say three months' time or a year or more, need to access it.

The new Bill will, apparently, require the telcos to work closely with the GCSB on network security.

I wonder what that means. Will the telcos (private, commercial entities) be required to do things the way the GCSB wants? Will they be required to build things in to their networks that they might not want to include? Things that give them no commercial benefit?

Secondly, I wonder what the enforcement protocols are all about. Are the telcos moving so slowly they need a kick in the pants? What kind of enforcement are we talking about - monetary? Something else? Will we need to start registering telcos in some formal manner so we can revoke that registration should they not fall into line?

Will we be introducing a regime that forces telcos to somehow crack the security of Microsoft, of Google, of Apple? How will that fly with these companies? How enforceable is that from New Zealand?

And if we think about it, aren't these OTT providers telcos in and of themselves? Don't we consider Microsoft, for example, to be a telco? It owns Skype - clearly the world's biggest telco - and it sells OTT services that used to be the purview of the telcos. Surely our definition of what a telco is needs to be updated?

Let's take Microsoft's Office 365 as an example. If you buy it from Dick Smith, you get a box with a code and away you go to download and use the service. If you buy it online from Microsoft itself they don't bother with the box, but the product is the same.

Buy it from a telco (a Gen-i or a system integrator for example) and it's a telco service and will be governed by the Interception Act. Will that not drive customers to avoid the telcos? Will that not cost the telcos in terms of both lost sales and implementation costs?

The danger is of course that all this cost will be dumped on the telcos. There's no commercial gain to the telcos in doing any of this - the storage needed, the interception gear required, the teams they'll have to pay to make it all work - so that cost will be passed on to the users.

On top of that, we run the risk of trying to do the impossible. If a government says simply "make it so" and steps back, we could see telcos being penalised for not hacking Gmail accounts. Is that what we need? Is that going to do anyone any good at all?

Without knowing what the problem is the government wants to solve, it's rather tricky to understand where this is all going. All of the above is based on the Minister's press release, which is rather brief. The Bill itself will be available next month and TUANZ will be taking a close look at the detail. It's important we get this right because if we get it wrong the consequences could be quite miserable.

Paul Brislen is CEO of Tuanz, the Telecommunications Users Association.