Privacy , Standards, Regulations & Compliance

New Zealand Spy Law Rewrite Sparks Concerns

Bill Would Replace Four Acts Dating Back to the 1960s
New Zealand Spy Law Rewrite Sparks Concerns

New Zealand is rewriting the laws under which its intelligence agencies operate - a move the government says will create a clearer legal framework. But it's also one that critics fear inordinately expands electronic spying powers.

See Also: The Ultimate PIA and DPIA Handbook for Privacy Professionals

The Intelligence and Security Bill, introduced into Parliament on Aug. 15, seeks to replace four acts that govern the activities of the New Zealand Security Intelligence Service and the Government Communications Security Bureau, the country's equivalents of the U.S. Federal Bureau of Investigation and National Security Agency.

It's a lengthy, complicated bill that casts a broad remit for spy agencies well beyond fighting terrorism, for reasons including economic well-being and diplomacy. The government says the rewrite also means the agencies would be held to stronger, independent oversight to protect civil liberties.

Thomas Beagle, chairperson of the NZ Council for Civil Liberties, says even a strong oversight process doesn't matter if the agencies have wide leverage to spy. He contends the government's argument of creating clearer rules is misleading.

"That's actually a very loaded framing of the situation," Beagle says. "When they say 'unclear rules,' what they're actually often saying are rules that we don't want or we don't like anymore. Even if you've got a really great oversight process, if the allowable areas are too wide, the process doesn't really matter so much."

Spying Missteps

Similar to the U.S. and U.K., New Zealand has been grappling with civil liberties questions related to large-scale data collection by intelligence agencies. Over the last two decades, the rise in the use of mobile devices and the internet as communications tools has allowed spy agencies to collect granular detail about individuals' movements and communications, known in the spy business as signals intelligence.

New Zealand is part of Five Eyes, the signals intelligence collective that includes the U.S., U.K., Canada and Australia. All of the countries have laws in place that are, in theory, supposed to prevent intelligence agencies from collecting data on their own citizens without a warrant.

But the leaks of top secret NSA and British GCHQ documents in 2013 by former NSA contractor Edward Snowden detailed the impressive capabilities of spy agencies, showing deep access into the systems of telecom operators and major technology companies. New Zealand has experienced embarrassing missteps that raised questions over the oversight of its intelligence agencies.

In September 2012, Prime Minister John Key apologized after it was found GCSB provided information to New Zealand police about Megaupload founder Kim Dotcom, wanted in the U.S. on copyright infringement charges. Dotcom is a New Zealand permanent resident. Under the law, GCSB is prohibited from collecting private communications of citizens and permanent residents.

As many as 88 people, including Dotcom, may have been illegally spied upon by GCSB between 2003 and 2012, according to a 2013 compliance review of the GCSB, prompting a call for clearer legal rules be drawn up for the agency.

The Snowden documents also revealed that in 2012, the GCSB collaborated with the NSA in spying on Tony Fullman, a New Zealand citizen and activist who was mistakenly thought to have been planning a coup in Fiji. His home was raided and his passport was revoked, according to a September story in The Intercept.

The Bill's Provisions

As drafted, the bill would allow intelligence agencies to quickly obtain warrants in order to conduct surveillance on New Zealand citizens and permanent residents. Under a "triple lock" system, warrants would have to be approved by the country's attorney general and the chief commissioner of intelligence and would be subject to review by the inspector general of intelligence and security.

Although the agencies are supposed to minimize inadvertent data collection that would be illegal, the bill would allow that information to be shared - even outside New Zealand - if a situation is deemed life threatening.

New Zealand's government contends it's unclear under current law whether GCSC could be called upon, for example, to trace a New Zealand citizen's mobile phone communications if the person was lost at sea.

In a move to head off a Snowden-like leak, the bill also criminalizes the disclosure of classified information to anyone other than the inspector general of intelligence and security. That is already illegal, but the government says the changes consolidate and strengthen the law.

Oversight for how intelligence agencies operate would be conducted by the inspector general as well as the Intelligence and Security Committee.

Commenters Say Proposal Needs Refinement

The bill is now before the Foreign Affairs Defence and Trade Committee, which held hearings in October and received dozens of comments from private companies, organizations and government officials. Those submissions describe some of the concerns over the bill's language.

Vodafone New Zealand says the bill improves the clarity of the powers of the GCSB and SIS. But the telecom giant took issue with one part of the bill that would appear to encourage companies to make proactive disclosures to intelligence agencies. Vodafone says it would prefer specific warrants rather than ones requiring "discretionary assistance."

"This is because discretionary provision of data is not consistent with our commitment to protect the privacy of our customers," Vodafone writes. "It would require us to make difficult judgments that we are unlikely to have the necessary information to support."

The New Zealand Law Society took issue with clauses in the bill that would allow citizens to be targeted with a warrant for activities that fall under the broad category of affecting the "economic well-being of New Zealand." For example, a New Zealand lawyer could be targeted on the suspicion of acting on behalf of an Australian. "The Australian person for whom the lawyer is acting need not even have any relevance to the intelligence sought to be gathered under the warrant," the Law Society writes.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.