GCSB and its minister will have wide powers to control network component and configuration choices under the Telecommunications (Interception Capability and Security) Bill (TICSA).
Phone companies have always had to make their networks interceptable by the spy agency and police.
The GCSB will now be involved in the design of telecommunications network upgrades from the moment a tender is issued.
Governments need powers to deal with cyber-crime and cyber-terrorism, and it is not realistic to have all those powers the subject of close judicial input, which is one of the key planks in controlling the powers of the executive: the powers of ministers and officials.
But clearly there must be sufficiently strong controls on the exercise of the executive’s powers; the recently uncovered abuses of those powers illustrate that the status quo is not adequate.
Below I look at where the Bill currently draws the balance, as background to the question of where the line should ultimately be drawn: a balance between the views of civil libertarians and hawks. The Government has noted it is open to appropriate change.
Two Bills have just been released: the GCSB Bill, to amend the existing GCSB legislation, and TICSA. TICSA:
The regime applies only to network changes, not to status quo networks. Obligations apply where a “network operator” – which is defined widely – plans changes in key parts of the network, such as the network operations centre, data aggregation and customer information databases.
Early on in its plans (eg, before going to RFP), the network operator must tell GCSB of its plans, unless GCSB has, by a prior notice, carved that change out of the requirement to disclose.
There’s a process by which GCSB and the operator agree the change is acceptable. If there isn’t agreement, then, ultimately, the GCSB minister (usually the prime minister) makes the decision as to what the network operator can and can’t do.
There is a framework for decision making, revolving around the minister being satisfied that the powers are exercised to “prevent, mitigate or remove a significant network security risk”.
A “significant network security risk” is defined as a “significant risk to New Zealand’s national security or economic well-being”.
In theory there can be judicial review of the ministerial decision. In practice, judicial review is a blunt instrument for controlling executive powers.
For example, while the network operator can submit on why its network choices are appropriate, the classified nature of the decision making will often mean that the operator does not know what to say and what is relevant.
The operator can be forced to adopt inefficient and costly network implementations. If there are to be controls, checks and balances, other mechanisms may be needed (such as adequate monitoring by independent inspectors).
Huawei and “economic risk”
It’s challenging to set the framework so that it is workable while containing adequate protections. Take the definition of “significant network security risk”. That includes, as a separate item from “risk to security”, risk to “economic well-being”. On its face, that all seems understandable. But consider the debate in the US against Huawei.
Some critics of the Senate Committee’s actions believe that the attack on Huawei boils down to trade protection: keep the Chinese out to shore up domestic US suppliers.
That looks like “risk … to economic well-being”, a point highlighted in NZ by the GCSB’s obligation to consult the Minister of Trade before making decisions on the network, in a situation where external control and monitoring of executive decisions is challenging.
This highlights how hard it is to get legislation like this correctly balanced.
The Dotcom factor
The recent Dotcom GCSB fiasco, with revelations of 88 other possible breaches in relation to New Zealanders, shows how important it is to get this right.
If the simple stuff is handled badly, what about other things?
The Rebecca Kitteridge report on GCSB is valuable reading in this area, including for highlighting how important the work of GCSB is; because of its confidential nature, only the bad stuff tends to emerge. Those on both sides of the debate (civil libertarians and hawks) should look to it for the balance.
Having said that, it may be that GCSB officials get off lightly in that report as to their apparent breaches.
The section in the GCSB Act on not spying on New Zealanders is easy to read and simple. It is in a short Act of only 20 pages; an Act that governs what the officials can do.
Also, the computer crimes in the Crimes Act must surely be understood by these specialists in computer intrusion etc. They apply to GCSB people, outside the legislative carve-out in the GCSB Act. Yet the ability to spy on New Zealanders, says the report, was even embedded in the GCSB operational manuals.
The justification (acting as an agency for SIS) seems tenuous. Of course, we don’t know the full facts in this covert area and there may be wider justification.
Perhaps that will emerge when decisions are made on whether to prosecute under the computer crimes regime in the Crimes Act, an exercise of prosecutorial discretion involving considerations around gamekeepers being held at least to the standards applied to poachers.
Ms Kitteridge emphasises the bona fides and best intentions of the officials involved – and that is an appropriate factor in exercising discretion, and some officials might legitimately say that the manual permitted it. These are public servants doing a difficult job in difficult circumstances.
But at the least, this real life situation highlights that it is important to get the balance right in this new legislation.
Michael Wigley is principal at Wellington law firm Wigley and Company. Email: michael.wigley@wigleylaw.com