Microsoft, Facebook oppose Kiwi spying Bill

The prospect of new interception legislation in New Zealand has been dealt another blow, with companies that may be subject to surveillance saying they will either have none of it, or that it will affect whether they do business in the country.
Written by Michael Lee, Contributor

A number of technology companies, including Microsoft and Facebook, criticised New Zealand's "Spying on Kiwis" Bill during a Law and Order Select Committee in Parliament on Thursday, claiming that it could discourage US providers from offering services in the country.

The piece of draft legislation in question is the Telecommunications (Interception Capability and Security) Bill. It was first introduced into Parliament in May and referred to the Law and Order Committee for review. It sets out obligations that network operators must follow to assist in the interception of information in the interests of national security. Several companies and individuals have made submissions on the Bill, including Facebook, Huawei, Vodafone, Microsoft and the New Zealand Police Association.

On Thursday, however, representatives from Microsoft and Google fronted up to the committee and said that the pending legislation conflicted with existing legal arrangements in the US.

Fairfax NZ News reports that Microsoft corporate affairs manager Waldo Kuipers pointed to the US Electronic Communications Privacy Act as one example of conflicting legislation. It requires that US-based providers keep customer communications under wraps, in direct contravention of New Zealand requests for information.

"If the proposed law leads to a situation where a US-based provider must choose between breaking New Zealand law and breaking US law, where it is headquartered and based, they may be forced to withdraw their service from New Zealand," he said.

Kuipers' own submission for Microsoft (PDF) says that businesses would be discouraged from setting up in New Zealand because the Bill does not make it clear who is required to meet the interception requirements.

"It is not difficult to see that technology providers will be more reluctant to invest in building new services in New Zealand or deploying them in New Zealand. Technology providers will be unable to plan for interception capability obligations with any certainty when building services."

From the network operators themselves, Telecom NZ notes in its submission (PDF) that the Bill misses the point by targeting the network layer and that application providers that sit "over the top (OTT)" of the network are beyond their control.

"In this day and age it is not realistic or sustainable to expect network operators to have the full responsibility to intercept over the top services that they do not have control over rather than enforcing against the application provider of those services themselves who do have control over those services," its submission notes.

The New Zealand Police Association's submission (PDF) has backed the Bill as it stands, but also acknowledged the very issue that Telecom has raised, questioning whether encrypted communications could be intercepted.

"The Committee should be aware that the clear potential exists for the use of 'over the top' application service providers (encrypted communications platforms which [are] operating on, but are not part of a communications network). In order to ensure interception capability obligations remain effective into the future, we suggest the Committee consider whether the bill's provisions are adequate to ensure coverage of such technologies," the Association's submission read.

Vodafone NZ states that the Bill should be modified to go after OTT providers such as Skype, WhatsApp, Snapchat and Viber. In its current form, Vodafone states that it could comply with an intercept request, but that "the communication would be unusable because it is encrypted by the OTT provider."

Facebook will have none of this, with its submission (PDF) recommending that the Committee clarify the Bill to ensure that social networks like itself are not subject to the legislation.

It criticised the broad approach of the Bill, calling for more specific laws where interception was concerned.

"We believe that narrow, targeted, proportional rules should always be preferred over blanket rules requiring interception and accessibility. Blanket rules requiring data retention and accessibility are blunt tools, which have the potential to infringe on civil liberties and constrain economic growth."

On the other hand, Huawei appears to be worried in its submission (PDF) that the Bill could represent another way to cut its operations out of the country without reason, in a similar manner to what has happened in Australia's National Broadband Network.

It worries that the Bill will exclude "particular vendors from being able to participate in key projects with little or no benefit for security outcomes" and calls for the government to establish a common, objective process to measure the security of hardware used for security assurance.

A few submissions suggested that ways of providing fair testing would be to use Common Criteria, the international ISO 27001 standard for information security, or to set up an industry-funded testing lab to create a New Zealand Security Evaluated Products Register.

Both Labour and Greens representatives have openly opposed the Bill, with Greens MP Steffan Browning stating that the Bill should be called the "TELCOs (Spying on Kiwis) Bill" or "TELCOs (Let's Get Hacked) Bill" when it was first read in parliament and that it is a "disgusting abuse of legislative power."

"What we are doing here is putting in laws to make it legal for those agencies to spy on us. We do not need to rely on them hacking in any more, because we are setting up laws for them to do it," he said.

Nationals MP and the Minister for Communications and Information Technology Amy Adams said that the Bill is necessary to ensure flexibility and responsiveness and that it simply formalises the close work that the government already does with telecommunications providers.

"The provisions in this bill will ensure that New Zealand’s telecommunications providers have a clear understanding of how to meet their interception obligations and will safeguard our telecommunications infrastructure. The bill will provide greater certainty and transparency for the telecommunications industry and the New Zealand public."

Labour MP Clare Curran has called it a "major and frightening expansion" of government powers and potentially a step towards an authoritarian approach to government.

"New Zealanders should be aware that this bill covers their email, their texts, Twitter, other social media, Skype, and private encrypted discussions through chat sites and cloud services such as Microsoft Lync, Dropbox, Google Drive, and Mega. It would include any business operating cloud services," she said.

Lastly, New Zealand First appears to be sitting on the fence, with Richard Prosser MP stating that it would support the Bill, but on the conditions that there are sufficient oversights and safeguards put in place to protect New Zealanders' rights.

"If [national security] objectives can be met and at the same time the freedoms, rights, and civil liberties of New Zealanders can be assured, then New Zealand First has no issue with supporting this bill."

The Committee is due to present its report on the Bill by September 20.
