Last week, the Telecommunications Interception Capability and Security Bill passed its third reading by a vote of 61 to 59.
Communications Minister Amy Adams said the bill – which partners the controversial Government Communications Security Bureau bill, passed earlier this year – will “safeguard public safety and security”, but critics say it impinges on privacy and civil rights.
The TICS Bill is an update of the Telecommunications (Interception Capability) Act of 2004, but reframes the definition of “security” to give the GCSB powers of oversight and control over the design, deployment and operation of all data and telecommunications networks run by providers in New Zealand.
From the bill: “A network operator must ensure that every public telecommunications network that the operator owns, controls, or operates, and every telecommunications service that the operator provides in New Zealand, has full interception capability.”
This means that a network provider must be able to decrypt all digital communications, including emails and iMessages, as requested by a government surveillance agency. Under the bill, email providers, Trade Me forums and Mega count as service providers.
Software engineer Aurynn Shaw, 32, likens the encryption to a safe. “Under this law, the company that sold you the safe – the network provider – must always have a copy of the code used to unlock it, which they can be compelled to give to the government at any time, regardless of your wishes, as the owner of that safe. … It’s requiring them to be part of an equation that they don’t want to be a part of.”
All the government needs to demand the data is a warrant, she says.
“They just have to say ‘We want this’,” she says. “They have to be able to convince a judge to give them a warrant, obviously, but the basis of proof is not about whether or not you’re innocent, it’s about the discovery.”
Shaw says the new requirement for network providers to retain the ability to decrypt all digital communications presents a security threat, because data is now vulnerable to attacks from providers of encryption, as well as encryption itself.
The example she gives is of a Virtual Private Network, which extends a private network across a public network, like the kind that allows you to log into your work computer from home.
“The company that you work for, that is using this software, sets up private keys to make sure it’s an encrypted channel so that no one can eavesdrop. This bill requires that, at any time, the company that sold you the VPN could get into it, and unlock it for the purposes of government inspection.
“It’s less important to attack the corporation that you want to interfere with – say, a bank – than it is to attack the corporation that provided the VPN software, because they’re legally compelled to maintain decryption keys for everything.
“So that software becomes inherently insecure: you have to assume that everyone else can spy on it, and that this channel is now compromised.”
So, under the TICS Bill, access to our emails, draft Tweets, Facebook chats, and iMessages (texts are safe) is a warrant away. But if we have nothing to hide, we have nothing to fear, right?
“It’s not that you have nothing to hide, it’s like what goes on in your bedroom – even though it’s not bad or wrong, you don’t want everyone else to know about it,” says Shaw. “You still don’t want this to be able to be subpoenaed in court.”
Shaw says a general lack of technical literacy in New Zealand means people weren’t as “up in arms” about the bill as perhaps they should have been.
“There’s also a culture within technology that people who don’t know anything are therefore stupid,” she says. “Because of that, it makes it harder for a tech person to construct a cogent argument to help other people understand why it is a problem and why they should be up in arms about it.”
So, we should be much more paranoid than we are?
“Yes, yes we should.”
Cover image by Infomatique