ICT Minister Amy Adams has just released a statement outlining how the government plans to "modernise" the Telecommunications (Interception Capability) Act 2004.
Under the proposed changes, network operators such as phone companies and ISPs "will be obliged to engage with the Government through the GCSB on network security, where it might affect New Zealand’s national security and economic well-being."
Ms Adams says telecommunications providers are already required to have interception technology in place, to assist police and security agency investigations, under current legislation. The update was designed to make the process easier.
The GCSB already has intercept authority (along with the SIS and police) but the obligation to work with law enforcement agencies on security is a new wrinkle, Tech Liberty co-founder Thomas Beagle tells NBR.
What could this involve? Telecommunications Users Association (Tuanz) head Paul Brislen says most modern networks encrypt traffic. "So rather than spend money breaking such encryption, the GCSB will be able to engage with the telcos directly - assuming the paperwork is in order."
He also wonders how some of the sweeping provisions will work in practice, such as the obligation "To engage with the Government through the GCSB on network security, where it might affect New Zealand’s national security and economic well-being."
The Tuanz boss also raises his eyebrow over the minister's comments that "These requirements will be backed by a graduated enforcement regime, with escalating responses available if significant national security risks are raised."
NBR asked Ms Adams for more detail on what that would entail. [UPDATE: Amy Adams' office told NBR: "More details will be available when the legislation is introduced next month."]
A senior manager with one of the big phone companies, who did not want to be named, tells NBR his key concern is that although Ms Adams talks about the definition of a phone company expanding, "It's not clear how far they'll expand the net. Our sense is they'll keep the same old people [the traditional phone companies] in the net because it’s easy for them rather than thinking about where the industry is going."
He would like to see the companies behind so-called over-the-top (OTT) services, such as Microsoft with its voice and video chat service Skype, made responsible for legal intercepts.
But he suspects "that will be put in the too hard basket."
this mean the GCSB will direct network operators to certain types of security or the opposite – that network operators will advise the GCSB on how to intercept such traffic?"
On Monday, Prime Minister John Key outlined changes to the GCSB Act (2003) that would allow the spy agency to spy on locals - although analyst Paul Buchanan pointed out the bureau has always had powers to work with other agencies.
ckeall@nbr.co.nz
RAW DATA: Statement from ICT Minister Amy Adams
Telecommunications security legislation to be modernised
Communications and Information Technology Minister Amy Adams has announced the Government plans to modernise the Telecommunications (Interception Capability) Act 2004 to ensure it remains effective in a rapidly-changing telecommunications environment, and also intends to create a new formalised network security regime.
The proposed changes relate to obligations for telecommunications companies, and are focused on modernising the existing interception capability regime and introducing a formal and transparent framework for network security.
The changes will not in any way alter the authority of police or intelligence and security agencies to intercept telecommunications, or reduce the checks and balances on how these agencies can access and use private communications information. These matters are dealt with under separate legislation.
In addition, the privacy requirements imposed on telecommunications companies under the Act are to remain unchanged.
“The ability of government agencies to work effectively with telecommunications companies is a vital part of the Government’s role in protecting the country from crime and protecting our national security,” Ms Adams says.
“For example, interception of telecommunications has long been used to investigate and prosecute serious offending such as homicides and serious drug crimes. It has also been used in emergencies such as armed offender situations or kidnappings, to combat threats to national security, and prosecute cybercrime, both domestically and internationally.”
In regards to network security, the proposed changes will mean network operators will be obliged to engage with the Government through the GCSB on network security, where it might affect New Zealand’s national security and economic well-being.
These requirements will be backed by a graduated enforcement regime, with escalating responses available if significant national security risks are raised.
“Updating the legislation will ensure that New Zealand’s telecommunications companies have a clearer understanding of how to meet their interception obligations while ensuring network infrastructure remains secure, as we move to an increasingly online world.”
The Act will be renamed the Telecommunications (Interception Capability and Security) Act. Further details of the proposed changes will be publicly available next month when the updated legislation is introduced to the House.
Questions and Answers
What is telecommunications interception capability?
Lawful telecommunications interception relates to the technical ability of New Zealand government agencies (the Police, the NZSIS and the GCSB) to intercept private telecommunications, where they have lawful authority to do so.
These agencies use interception to prevent crime and protect our national security.
What is network security?
Network security involves ensuring that telecommunications networks do not contain unauthorised ability to copy or divert data, are safe from unauthorised access, and do not allow others to carry out espionage or disrupt services.
Why are telecommunications companies required to have interception equipment available?
Telecommunications network operators are already required to have specialised interception equipment available under the Telecommunications (Interception Capability) Act 2004.
The equipment is used to provide technical assistance to New Zealand Police and the country’s security and intelligence agencies to carry out interception warrants.
These agencies use interception to prevent crime and protect our national security.
Why are changes needed to interception capability and network security?
Changes are needed to update the existing interception capability requirements and to establish a more formal and transparent framework for network security. This is because technology is changing rapidly, reliance on the internet and on information communications technology is increasing and the structure of the telecommunications industry is becoming more complex, with a greater number of specialist providers.
What are the benefits of the interception capability changes?
The proposed changes will make it easier for telecommunications companies to understand and comply with their obligations, as these will be clearer and better targeted. This will reduce compliance costs, deliver a more efficient system and provide a more effective enforcement system.
Will these changes to interception capability increase the authority of government agencies to access business and personal data?
No. These changes relate only to obligations on telecommunications companies.
The authority of New Zealand government agencies to carry out lawful interception, and the checks and balances on their work, is covered in separate legislation.
What are the benefits of the new framework for network security?
The Government already works closely with telecommunications providers to address potential national security risks relating to the design, build and operation of telecommunications infrastructure.
The new framework will provide greater certainty and transparency for the industry, the Government, and the wider public.
The proposed changes will mean network operators will be obliged to engage with the Government on network security matters, and to inform the Government of network decisions that may be of significant security interest.
These requirements will be backed by a graduated enforcement regime, with escalating responses available if significant national security risks were raised.
Chris Keall
Wed, 17 Apr 2013