Lost opportunity to make the GCSB Bill better for internet users

The Government had the opportunity to improve the privacy pitfalls of the GCSB Bill in Parliament last week, but it elected not to.

The GCSB Bill threatens Internet users’ right to privacy because it would expand the power of the State to intrude into our private, online communications, but without respecting limits required by the laws of New Zealand, or international treaties that New Zealand has signed up to, like the International Covenant on Civil and Political Rights.^[1]  In other words, it looks as if the Government is about to pass a law that would not be consistent with existing New Zealand legislation; the GCSB Bill is “inconsistent with the rights to freedom of expression and freedom from unreasonable search or seizure under [New Zealand’s Bill of Rights Act]”.^[2]

As a matter of principle, human rights, including the right to privacy, should apply online. We’ve said as much in our written and oral submissions to the Intelligence and Security Committee. Last week, the Government had the opportunity to heed not only InternetNZ’s suggestions for improvements to the Bill’s privacy protections, but those of:

• the statutory body that, under the law, works “to assist and promote, for the purpose of upholding the rule of law and facilitating the administration of justice in New Zealand, the reform of the law”, ^[3] that is, the New Zealand Law Society;
• the Commissioner who, under the law, reports “to the Prime Minister on any other matter relating to privacy that, in the Commissioner’s opinion, should be drawn to the Prime Minister’s attention”, ^[4] that is, the Privacy Commissioner; and
• the Commission that, under the law, reports “to the Prime Minister on the implications of any proposed legislation or proposed policy of the Government that [it] considers may affect human rights”, ^[5] that is, the Human Rights Commission.

Each of these New Zealand institutions conveyed to the Prime Minister, and the Intelligence and Security Committee, that the Bill was inadequate in various ways, fulfilling their statutory functions in doing so. It was last week, during the Committee of the Whole House, when Supplementary Order Papers on Part 1 of the Bill were being debated and voted upon, that the Government had the opportunity to acknowledge the concerns of these esteemed institutions, as well as those of the public who, through nationwide protests, unequivocally demonstrated disapproval of the Government’s intentions.

Although fifteen SOPs were voted on, some with excellent suggestions from our point of view, the Government supported two which brought minimal improvement to the Bill. 

Better Oversight: SOP No 323 by Rt Hon Winston Peters
This SOP was the only one that would have added better supervision over the GCSB’s spying process.

It was rejected by seven votes. ^[6]

To understand why this would have been an improvement you have to consider what oversight is currently lacking. Putting aside the question of warrantless interception (which is used for passive collective of data by the GCSB), under the Bill, what has to happen before the GCSB can target you? 

Under the new section 8C, the GCSB is permitted to provide advice and assistance to the Police, the Defence Force or the SIS, to help them with their investigations. In this case, there is oversight by the Inspector-General of Intelligence and Security.

But the GCSB could target you on its own accord in the name of defending New Zealand’s cybersecurity. In this case, the Director of the GCSB would ask the Prime Minister and the Commissioner of Security Warrants to sign off on a warrant that allows the GCSB to intercept your communications. ^[7] (Note: this is where the TICS Bill comes in, which could require Microsoft, for example, to give the GCSB access to your Skype account ^[8]).  If you are here on a work or student visa, if you’re a tourist or a visiting dignitary from another country, for example, the GCSB could target you for pretty much anything. [9] The Minister doesn’t need the co-signature of the Commissioner of Security Warrants, but he does have to consult the Minister of Foreign Affairs. ^[10] 

Conventional Kiwi trust in those in charge does not equate to adequate oversight. Many have said that the Bill needs to provide for better oversight, including Sir Bruce Ferguson, who used to run the GCSB. The system set up doesn’t give that; it is a thin governance structure. The Prime Minister is at the centre of the oversight process, as the Minister responsible for the GCSB, the person who appoints the Commissioner of Security Warrants, and the person who leads Cabinet and the Ministers within it. By its design, the oversight system in the current Bill has no one who is outside of the tent to give the spying order a second look and, accordingly, it’s not naturally constructed to prevent any abuse by those who run it. Undoubtedly there is a need for surveillance powers, but they need to be exercised within tight limits, under good oversight, and with respect for people’s right to privacy. This isn’t a contradiction – it’s the heart of the balance the legislation has to get right.

SOP 323 would have helped with oversight because it would have required every warrant to be reviewed by a three-person panel made up by a retired judge, someone from the police and someone from the Defence Force, all of whom would be selected by the Commissioner, not the Prime Minister. Putting this SOP into the Bill would have result in a marked improvement, acknowledging a number of concerns. But it was rejected by the governing parties in Parliament.

Better Policy Practice: SOP No 305 by David Shearer 
This SOP would have allowed for a review of the role of New Zealand’s intelligence and security agencies, providing a more replete background against which the most appropriate policy decisions would have been built for New Zealand.

It was rejected by one vote. ^[11]

The GCSB Bill’s expansion of surveillance powers was rushed into being without a proper examination of the role of New Zealand’s intelligence agencies. The Privacy Commissioner specifically recommended that “further time should be spent to determine the best shape for this legislation and that a body such as the Law Commission should be invited to consider the matter in more detail”. [12] There was consensus from our panel on this legislation at NetHui that further discussion on the balance between intrusive, though necessary, State surveillance and the protection of privacy is desperately required. 

Such a nationwide discussion is especially important in light of how we’ve so quickly taken up communication via the Internet. The following passage is from a document drafted by a number of privacy and legal experts, titled International Principles on the Application of Human Rights to Communications Surveillance. It explains the lag between advancement of the State’s technical capabilities to eavesdrop on people over the Internet, and the development (or lack thereof) of the law in light of such increased capabilities:

Before public adoption of the Internet, well-established legal principles and logistical burdens inherent in monitoring communications created limits to State communications surveillance. In recent decades, those logistical barriers to surveillance have decreased and the application of legal principles in new technological contexts has become unclear. The explosion of digital communications content and information about communications, or "communications metadata" -- information about an individual’s communications or use of electronic devices -- the falling cost of storing and mining large sets of data, and the provision of personal content through third party service providers make State surveillance possible at an unprecedented scale. Meanwhile, conceptualisations of existing human rights law have not kept up with the modern and changing communications surveillance capabilities of the State, the ability of the State to combine and organize information gained from different surveillance techniques, or the increased sensitivity of the information available to be accessed.

Society has not had time to fully appreciate how things are changing because only now are whistleblowers exposing the extent of mass surveillance by governments. Especially in light of the Snowden revelations, a nationwide discussion should have occurred as part of the policy development process for this Bill.

When the Committee of the Whole gets to Part 3 of the Bill next week, Hon Peter Dunne’s SOP (No 308) would require periodic reviews of the intelligence and security agencies, the legislation governing them, and their oversight legislation. That is quite a bit of ground to cover, and according to Dunne’s SOP it’ll be done by two people with security clearance. They are appointed by the Attorney-General, who sets the terms of reference for the review not now but down the track. Their report, when presented to the House, would be subject to heavy redaction. It is difficult to determine if the report will be published at all. Dunne’s review looks at whether the system is running correctly, not whether it is correct for New Zealand in the first place.

Shearer’s SOP would have kicked off an independent inquiry into the purposes and functions of New Zealand’s intelligence agencies and required a report on any legislative proposals that would address what intelligence agencies should be doing. This inquiry represents the type of policy discussion that New Zealand should’ve been engaged on before the GCSB Bill was created. But that was rejected as well.

Improved Transparency: SOPs Nos 310, 312, 313 by Dr Russel Norman
Developing surveillance policy is a tricky business; much information about the agencies, how they work, and who they look at, cannot be exposed. At the same time, there needs to be trust between the public and the agencies tasked to protect it. A certain degree of transparency is necessary to build the trust between the government in its surveillance operations and the public.  This is especially true when an ever-increasing amount of those personal communications are conducted online these days.

A number of SOPs were proposed that would have increased transparency around the work of the GCSB, in a responsible way. SOPs 312 and 313, by Dr Norman, would have increased reporting requirements and, most importantly, required publication of some reports on the New Zealand Government website. These could have brought us closer in line with the UK. (By the way, why can’t we have a report liketheirs, which they publish on their website and which describes threat assessments and cyber security functions, amongst other things?)

SOP No 310 by Dr Norman would amend the Schedule in the Bill to require the Inspector-General of Intelligence and Security to respond to Official Information Act requests. This could give the public a “pressure release valve” and help rebuild trust. It remains to be seen whether SOP 310 will succeed. 

SOP 312 and 313 were rejected by a seven vote margin. [13]  

So – what, so far, has changed in the GCSB Bill?
The SOPs put forth by Rt Hon John Key and Hon Peter Dunne were approved. While they do not address the concerns of the majority of people and organisations who engaged in the legislative process, they do represent some slight improvements compared with the original draft legislation.

During oral submissions the Legislation Advisory Committee recommended that a set of principles be introduced to guide the performance of the GCSB’s functions. This suggestion was taken up by Mr Key, whose SOP states that the GCSB has to act:

• independently and impartially,
• with integrity and professionalism,
• in a manner that facilitates effective democratic oversight, and
• in accordance with New Zealand law and human rights standards recognised by New Zealand lawexcept to the extent that they are, in relation to national security, modified by an enactment.

Unfortunately, in the same breath, the new provision renders itself impotent by stating that the principles above “not impose particular duties on, or give particular powers to, the Bureau, the Director, or any employee of the Bureau”. [14] The reader is left to imagine how principles that explicitly have no effect can, well, have an effect.

Parts of Mr. Dunne’s SOP do represent actual improvements to the Bill. They would increase transparency by requiring reporting of the number of interception warrants and access authorisations issued, and on whether the GCSB has helped out the police, Defence Force or SIS with surveillance under the Bureau’s new section 8C function. While we can hold out hope for whether these reports are actually made public, at least they will be somewhere.

As explained by InternetNZ elsewhere, the changes to the Bill that Mr Key accepted in exchange for Mr Dunne’s support were an improvement, but fell short of what was needed, especially when it comes to the review that is provided for. And in the SOPs thus far presented, the Government had a genuine opportunity to respond to the public’s enthusiastic exercise of the democratic system. Yet, it largely paid the public concerns no mind.

Society’s digital footprint will continue to grow as our communications migrate online, making for easier storage and search. A positive of the GCSB Bill and the debate surrounding it is that New Zealanders are now developing an awareness of this new reality. While the government’s response to the public’s concern over the GCSB Bill inspires little confidence, one thing is for certain – New Zealanders can look back and say they did not idly stand by and tacitly accept government surveillance of their private communications. The government just chose to proceed with its own plans, and did not take account of what the public were saying.

Susan Chalmers is policy lead for InternetNZ, which admisters the .nz domain and advocates for a free and open internet.

Footnotes:

1. International Covenant on Civil and Political Rights, art 17. (“No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation; Everyone has the right to the protection of the law against such interference or attacks.”)

2. New Zealand Law Society “Submission to the Intelligence and Security Committee on the Government Communications Security Bureau and Related Legislation Amendment Bill 2013” (14 June 2013) at [9].

3. Lawyers and Conveyancers Act 2006, s 65(e).

4. Privacy Act 1993, s13(r).

5. Human Rights Act 1993, s 5(h)(iii).

6. (8 August 2013) 692 NZPD 18.

7. Government Communications Security Bureau and Related Legislation Amendment Bill 2013 (109-2), cl 14.

8. Cf Telecommunications (Interception Capability and Security) Bill 2013 (109-1), cl 35, which enables the Minister to require service providers to have the same obligation to be capable of interception as network operators.

9. Cf new sections 8A and 8B of the Bill, which should be read in light of the broad objectives of the GCSB, which are contained in new section 7.

10. Ibid.

11. See above, n 6.

12. Privacy Commissioner “Submission to the Intelligence and Security Committee on the Government Communications Security Bureau and Related Legislation Amendment Bill 2013” (17 June 2013), at [5.1].

13. See above, n 6.

14. Supplementary Order Paper 2013 (306) Government Communications Security Bureau and Related Legislation Amendment Bill 2013 (109-2), at 6 (new s 8CA).