Vendors question new interception law

Global technology vendors are asking for changes to a proposed interception law in New Zealand that, as it stands, will require interception capabilities from online service providers as well as telcos.

Having passed the Government Communications Services Bureau (GCSB) Act two weeks ago, beefing up the powers of the cybersecurity agency in the face of protests, the government is bracing for a further round of popular opposition to the Telecommunications (Interception Capability and Security) Bill (TICS Bill [PDF]).

The Bill will come back before parliament as further revelations about NSA spying from whistleblower Edward Snowden loom and as Kim Dotcom's fight against extradition and illegal interception continues in local courts, online, and in the media.

Questions also remain about the relationship between the GCSB and the NSA.

A trio of global vendors is expressing concerns in submissions to the TICS Bill.

Chinese telecommunications equipment vendor Huawei, which has been excluded from supplying its gear to national broadband network rollouts in Australia and elsewhere due to security concerns, submitted that the Bill as written is potentially discriminatory and not vendor neutral.

"Given the commentary surrounding the proposed reforms, we do have concerns that the security standards proposed in the TICS Bill will be imposed in a way that excludes particular vendors from being able to participate in key projects with little or no benefit for security outcomes," the company wrote in its submission.

"We believe it is essential that any specific security requirements imposed are objectively justified, vendor neutral, and give affected industry players a genuine opportunity to understand and address specific concerns."

Huawei said a regulatory impact statement identified that the proposed regime would allow selective enforcement that would enable specific vendors to be excluded from projects, rather than focusing on how to mitigate security risks.

Huawei is supplying gear to New Zealand's Ultra-Fast Broadband (UFB) Network project, and, until recently, vendor financed the rollout of a third mobile network for challenger 2Degrees. It also supplies kit to other New Zealand telecommunications providers.

But more controversial than telecommunications interception is the inclusion of online service providers in the Bill. That provision drew responses from Microsoft and Facebook.

Microsoft New Zealand submitted (PDF) that while the draft legislation strives for balance, it is in need of substantial work if the legislation is to reflect "the reality of today's technology and global flows of information".

"The stated purpose of the legislation in clause 5 is that the interception assistance should not 'create barriers to the introduction of new or innovative technology' and that there should be the 'freedom to choose system design features and specifications that are appropriate'," Microsoft wrote.

However, the company wrote that it believes those objectives would not be met for several reasons, including conflicting international obligations.

"Technology providers will be placed in an invidious position if they are forced to choose which country's laws to break, or discontinue a service," the company wrote.

Microsoft also warned that the Bill could lead to "dramatic extensions to the scope of surveillance agency oversight without parliamentary oversight" because it will allow executive decisions to extend the range of organisations that are required to be intercept ready or intercept accessible without any public or parliamentary supervision.

"Microsoft submits that all decisions to extend obligations to be intercept ready and intercept accessible to additional organisations or classes of organisations should be made openly by parliament, not by an individual minister."

Like Huawei, Microsoft expressed concern about the neutrality of the law to individual vendors, and added that uncertainty could reduce access to new innovations in New Zealand. It also wrote that interception capabilities may not always be feasible, especially in regard to peer-to-peer communications.

Microsoft warned that law enforcement of international services can only have a satisfactory solution if it is resolved consistently on a multilateral basis with full understanding of the technology.

"New technologies that function globally across multiple jurisdictions could be significantly constrained by inconsistent border-based laws. We encourage New Zealand to be thoughtful in developing an approach that is interoperable with other nations, and to seek to find the right balance in cooperation with other sovereign nations rather than working alone."

Facebook submitted that the Bill should be clarified and narrowed in scope.

"Firstly, the committee should ensure that there is no potential for confusion that stored messaging services such as those provided by Facebook could be interpreted as being within the remit of the Bill," it wrote.

"Secondly, we encourage the committee to take account of five important principles in narrowing the scope of this Bill to ensure that the proper balance is struck between user privacy on the one hand, and national security and law enforcement interests on the other."

These are that any procedure be structured to give regard to: Proportionality; due process; efficiency and cost; the need for transparency; and with regard to jurisdictional concerns.

"The uncertain scope of the current Bill and proposed structure has the potential to stifle the delivery of and development of innovative services in New Zealand, and will potentially create regulatory environment with which compliance is not technically and legally possible."

Digital rights activist group Tech Liberty has also submitted on the Bill, arguing that spy agency GCSB should not have oversight and control of communications networks in New Zealand.

"No need for this has been established, and the use of an agency whose main focus is spying on external organisations is inappropriate and open to abuse," the group wrote, recommending the establishment of a "coordinating and consultative, not controlling, network security body".

It also opposed the use of secret intercept evidence in court.

"We find the idea of evidence being presented in court that cannot be seen by the defendant and their lawyer to be extremely offensive to the right to a fair trial as promised by section 25 of the Bill of Rights Act," it wrote.

Tech Liberty recommended that this provision be removed, or, if it is retained, that the appointment of a special court advocate be mandatory rather than optional.