Demystifying the GCSB bill: Spies and lies
The contentious Government Communications Security Bureau and Related Legislation Amendment Bill was born out of an extraordinary tale of conspiracy, incompetence and political sabotage.
The plot is harder to follow than Tinker, Tailor, Soldier, Spy and not helped by various political – and other agendas – in play.
A year ago it came to light the GCSB had illegally spied on internet mogul Kim Dotcom. A subsequent report found it had also broken the law by snooping on dozens of Kiwis.
Prime Minister John Key says the bill is necessary to clarify the law – and that opponents are playing political games by objecting.
Regardless of opposition – which culminated in a rally in Auckland last night – it is likely to pass into law tomorrow, with a one-vote majority.
Key has accused critics and the media of spreading misinformation, but his garbled attempts to reassure the public with oversimplified arguments have served to confuse further.
WHAT YOU NEED TO KNOW
Key says that it’s “totally incorrect” that “the Government effectively through GCSB will be able to wholesale spy on New Zealanders”.
New Zealand is a member of the “Five Eyes” spying alliance which also includes the US, Australia, Canada and Britain. Revelations about mass surveillance by the United States’ National Security Agency in recent months have set alarm bells ringing worldwide, not least among its partner countries.
Suspicion persists that the US is using the GCSB and other agencies to harvest and trawl through communications across the globe. The timing of these new spying laws are a coincidence, but have fuelled concern and opposition.
The Government has steadfastly refused to say if the GCSB has access to or uses PRISM, a US system which sifts through data collected by internet giants such as Google and Microsoft.
The Government says the aim of the bill is to allow the GCSB to use its sophisticated technology and expertise to spy on Kiwis on behalf of the SIS, police or military. They had been doing this anyway for 10 years – but it was illegal. In most circumstances (but not all) surveillance of Kiwis can only be carried out under warrant, signed by the prime minister and the commissioner of security warrants.
A handful of provisions set out the new rules for surveillance of New Zealanders. Section 8 of the new bill permits the GCSB to spy on Kiwis on behalf of the SIS, police or military. Section 14 expressly prevents the GCSB snooping on Kiwis. But this only applies to its foreign intelligence gathering – not surveillance for cyber security or on behalf of those other agencies.
In short, the GCSB can spy on New Zealanders under the guise of preventing cyber attacks or on behalf of law enforcement agencies.
The “protection” outlined in section 14 is extended only to private communications – not metadata or any conversations that could “reasonably” be expected to be intercepted. Some critics argue that this definition of “private communications” is too loose – and question if anyone can realistically expect internet traffic to be “private.”
Key has argued that the new legislation does not add up to an expansion of the bureau’s powers.
At best, this is a distortion. The old law prohibits surveillance on Kiwis and their organisations and businesses. The entire purpose of the new bill is to allow the GCSB to carry out activities that were previously unlawful – much more than a clarification.
It widens the responsibilities of the GCSB – set up to carry out foreign intelligence – to domestic and a cyber-security function. Most significantly, the restrictions put on snooping on Kiwis do not apply to its cyber protection work.
The law also broadens significantly the powers given to the GCSB to spy on behalf of other agencies. The original law sets out that the GCSB may only co-operate in certain circumstances – protecting the safety of a person or in support of the prevention or detection of serious crime. The new law is much broader and states advice and assistance can be given “for the purpose of facilitating the performance of their functions”.
“[He] intends, under cyber-security warrants, to not allow the GCSB to access the content of New Zealanders’ communications, including emails … the prime minister would also expect the GCSB to seek the consent of the New Zealander involved, unless there were very good reasons not to do so,” a spokeperson for Key said last week.
There is actually nothing enshrined in the law to this effect.
Key says he will impose the condition that content is not accessed when he signs warrants.
The bill also lays down a “access authorisation” as a tool, which has caused considerable disquiet. It allows the GCSB to access “information infrastructure”.
These are electromagnetic emissions (which contain the information that an electronic device is displaying, storing or transmitting); communications or information technology systems and networks – and any communications (ie emails or texts) carried or contained on those systems. This could apply to internet companies or entire mobile networks.
A warrant or access authorisation is also not needed if private communications are sent from or received by a foreign organisation or person to a Kiwi or “contain, or may reasonably be expected to contain, foreign intelligence”.
This could include Kiwis working for overseas-based private firms or non-governmental organisations.
The legislation is also vague on what the GCSB actually defines as “metadata” – eg the information about when and by who a call, text or email is made, but not its content.
“If I wholesale blatantly flout the law as prime minister I’m never going to survive anyway.”
Key says he will resign if the GCSB conducts mass surveillance.
The law doesn’t actually forbid the type of wholesale surveillance that the NSA stands accused of.
Key can also not provide assurances for future prime ministers and he has refused to write these guarantees into the law.
There is concern that under the new law, the GCSB could apply for “access authorisation” for a mobile network, (under the cyber-security function) thus giving them access to all phone calls, texts, emails and other data sent via that network.
Considerable worry has been aired about the sharing of intelligence with other countries. The bill does not set down limits about what can and cannot be shared, only that it requires approval from the prime minister.
In June, Key responded to concern about the the NSA’s activities, saying: “We do exchange – and it’s well-known – information with our partners. How they gather that information, and whether they use techniques or systems like PRISM, I can’t comment on that. Sometimes I might know, sometimes I wouldn’t know.”
Oddly, Key revealed last week that mass surveillance of all communications would cost about $8 billion. Which begs the question, why was it costed in the first place?
The bill is necessary to protect New Zealanders from terror attacks. Key has cited Kiwis training in Yemeni al Qaeda cells, and a hypothetical attack on Auckland Airport.
The Security Intelligence Service assesses the security threat to New Zealand as “low.” The last “terror attack” was the 1985 sinking of the Rainbow Warrior.
A decade ago Algerian refugee Ahmed Zaoui was deemed a threat to security. He was last seen running a kebab van in Palmerston North.
In 2006 Saudi Arabian student pilot Rayed Mohammed Abdullah Ali was deported after being linked to one of the 9/11 hijackers.
Kiwi Mark Taylor was listed as a security interest in a 2010 diplomatic cable – he denies any links to terror organisations and has never faced any charges.
It might be that the security services are just really good at keeping New Zealanders safe.
However, it’s also worth pointing out that of the 88 Kiwis illegally spied on by the GCSB in the last 10 years, there were no arrests, court cases or prosecutions.
Cyber intrusions are on the rise – last year the GCSB reported a “significant increase” – from 90 to 134 – in the number of reported “serious attacks” against New Zealand government agencies, critical national infrastructure and private sector organisations. It also estimates that in the last 12 months cyber crime cost the country $625 million.