In the SST, a story from Nicky Hager had the headline:
NZ’s cyber spies win new powers
Like many, I wondered what law change had been quietly passed into law in late 2009, without us noticing.
NEW CYBER-MONITORING measures have been quietly introduced giving police and Security Intelligence Service (SIS) officers the power to monitor all aspects of someone’s online life.
The measures are the largest expansion of police and SIS surveillance capabilities for decades, and mean that all mobile calls and texts, email, internet surfing and online shopping, chatting and social networking can be monitored anywhere in New Zealand.
Oh my God. When did this happen? Actually back in 2004. Not exactly new.
And it is not giving the SIS and Police the power to monitor themselves – it gave them the power to get a warrant to get a telco or ISP intercept communications – just as they have had the power for many decades to get a warrant to have phone calls intercepted.
Now this doesn’t mean I necessarily support the 2004 law change. I’ve blogged a series of articles highlighting draconian provisions in the Search and Surveillance Bill before Parliament. Nicky’s article would have been more useful however in 2004, than in 2010.
Police and SIS must still obtain an interception warrant naming a person or place they want to monitor but, compared to the phone taps of the past, a single warrant now covers phone, email and all internet activity. It can even monitor a person’s location by detecting their mobile phone; all of this occurring almost instantaneously.
Police say in the year to June 2009, there were 68 interception warrant applications granted and 157 people prosecuted as a result of those interceptions.
What would be interesting is the details of those 68 warrants – were they for all Internet activity, or just some?
The measures are the consequence of a law, the 2004 Telecommunications (Interception Capability) Act, which gave internet and network companies until last year to install devices allowing automated access to internet and cellphone data.
So these “new” powers have actually been in place for four to five years, for 95% of the Internet population.
In an associated article, Hager says:
Not long ago, police and Security Intelligence Service (SIS) interception meant tapping your landline phone or bugging your kitchen. Now, under a new surveillance regime ushered in by the 2004 Telecommunications (Interception Capability) Act, a basic interception warrant also allows them access to all your emails, internet browsing, online shopping or dating, calls, texts and location for mobile phones, and much more – all delivered almost instantaneously to the surveillance agencies.
To catch other sorts of communications, including people using overseas-based email or other services, all the local communications networks are wired up as well, to monitor messages en route overseas.
Interception equipment built permanently into every segment of the country’s communications architecture will provide the sort of pervasive spying capability we normally associate with police states.
Now Hager is right in that all telcos and ISPs have to have the capability to intercept all Internet communications by a user, if presented with a warrant. However what is not made clear in the article is that the ISPs themselves do the intercepting, and forward the data onto the appropriate authority. The article almost implies that the Police/SIS/GCSB can merely push a switch remotely, and hey presto your data flows to them.
The law gave network companies five years to install the intercept capabilities and the five years was up last year. Many network companies dragged their feet about installing the new surveillance equipment, despite government subsidy of the cost. After four years of inactivity, a consultant with police and SIS ties attended the NZ Network Operators Group conference in Dunedin last year to read them the riot act.
Dean Pemberton, who had previously set up and run “lawful interception” equipment at TelstraClear, told the roomful of network specialists what “the agencies” expected from them and said the agencies expected them to install devices that could intercept data and forward it to the agencies “on a minute by minute basis”. If companies didn’t have this gear in place, they risked a $500,000 fine and “should get a lawyer”, he said.
This part of the article is rather misleading, and I can speak from first hand knowledge as I was at that conference when Dean spoke.
The first thing people should understand is that Dean is what I call an alpha geek 🙂 He is one of the guys who built the Internet in New Zealand and he attends and presents almost every year without fail to the NZNOG Conference.
In 2008 he spoke of his experiences with the Interception Act requirements, and what you had to do to comply. I doubt a single person in the room saw this as Dean “laying down the law”, let alone the implication he was speaking on behalf of the SIS or Police. Dean was doing what he normally does – sharing his experiences with the technical community.
There’s some good research in Nicky’s article about how the FBI were a prime mover in the request for NZ to have the interception capability, and it is true many NZers will be unaware of the interception capability. However the article would have been a lot more useful in 2004 when the law was being considered, or in 2005 when the big telcos implemented it.
Next I await a story about how the Post Office has been given new powers to intercept and read postcards 🙂