Communications and Information Technology Minister Amy Adams has today tabled a Supplementary Order Paper to make further improvements to the Telecommunications (Interception Capability and Security) Bill. …
Clause 39 of the proposed Bill currently allows the responsible Minister to direct that a network operator must not resell an overseas telecommunications service in New Zealand where the interception capability, or lack of interception capability, raises a significant risk to law enforcement or national security.
It is proposed to remove Clause 39 from the Bill altogether, and, instead, matters of non-compliance could be addressed through the compliance framework.
Part 3 of the Bill deals with the partnership approach between the GCSB and network operators to protect network security.
To ensure that this interaction occurs in a timely manner, it is proposed to introduce the ability for the Minister responsible for the GCSB to make regulations that require decisions to be made under specific timeframes, in the event that decisions are not being made in a sufficiently timely way.
It is also proposed to narrow the scope of the matters that must be notified to the GCSB, reducing compliance costs for network operators.
As a last resort, where network operators and the GCSB are unable to agree on how to respond to a network security risk, Clause 54 of the Bill currently provides that the responsible Minister may issue a direction.
Before the GCSB can ask the Minister to make a direction, a further check and balance will be introduced. The Commissioner of Security Warrants will now be required to carry out an independent review of the material that informed the GCSB’s risk assessment, and report on whether, in their opinion, the risk amounts to a significant risk to national security.
These looks like very welcome changes. The requirement for the Commissioner of Security Warrants (currently former Court of Appeal Judge Sir Bruce Robertson) to do an independent review in the very very unlikely event of the Government believing that what a network operator is planning could threaten national security, is sound.
“Although public input has resulted in significant improvements to the Bill, some of the submissions received did not reflect an accurate understanding of what the Bill does and does not do,” Ms Adams says.
“In particular, I would like to reassure people that this Bill does not change the authority of agencies to intercept telecommunications, it does not change existing privacy protections, and it does not require data to be stored or require stored data to be disclosed. The Bill only relates to real time interception.
This is a key point that many have missed – it is about real-time interception. The major users of this ability are the Police for ongoing criminal investigations.
There’s also a comparison table between the current law (TIC Act) and this proposed law (TICS Bill). I think they show that in some areas the law change actually reduces compliance costs on ISPs. There is no expansion of powers in terms of surveillance. There is an expansion in terms of the GCSB’s role in syber-security where they can (ultimately) ask for a Government order if they believe a proposed action would be a threat to national security.
Ironically that proposed power has its genesis in the opposition scaremongering over Huawei winning some contracts in New Zealand. They kept demanding the Government do something on the basis the Australian Government had excluded them from the NBN build there. The Government doesn’t believe there are any national security issues around Huawei, but it was the scaremongering that highlighted that even if there were, they actually had no power to exclude a company that did have national security issues. So a bit rich for opposition MPs to complain about a clause that their scaremongering created.
There’s still some elements of the bill which I’m not enthusiastic on. I don’t think ISPs (or network operators) should have to register with the GCSB as it sets a bad precedent. As far as I know there’s never been an issue with locating an ISP, and its directors. I’d prefer that clause to be removed. As I said, a precedent of an ISP needing to register with the Government is not healthy – even if well intentioned.
But the SOP by Amy Adams is a significant improvement to the bill, especially having the Commissioner of Security Warrants do an independent assessment if there is ever a stand off between the Government and an ISP over a proposed network build decision.
Also a useful read are these two diagrams showing how the interception and network security processes will work.