Revealed: govt plans secret orders to service providers once spy bill becomes law
[Since the the first draft of the legislation, we have known the TICS Bill - the companion legislation to the GCSB Bill - makes it mandatory for telecommunications network operators (e.g. Telecom, Vodafone, 2degrees) to make their networks interceptable. The Bill leaves it to the ICT Minister's discretion whether this provision is extended to cover service providers - defined as companies that provide a telecommunications service, but that do not operate a network. Examples of service providers include the likes of Microsoft with its Skype service, Google with Talk and Hangouts and Apple's FaceTime and iMessage. Almost any online service is on the table - Editor]
The government is planning to issue secret orders to service providers when the Telecommunications (Interception Capability and Security) Bill ("TICS Bill") becomes law to force them to create interception capability for surveillance agencies. This has been approved by cabinet and is therefore official government policy.
What's not clear is if the mechanism of a Ministerial directive will also be used to gag the service provider? Or is the secrecy merely a guise to allow compliant service providers to pretend they haven't been forced to create a backdoor for the government?
Either way, the impact on New Zealand online service providers, and New Zealand as a country, could be truly devastating.
I was expecting the documents to be heavily redacted and information narrowly limited to the scope of my request. That they are. What I wasn't expecting was something that, as far as I know, has never been publicly disclosed or discussed before.
Para 104 of the December 2012 "Technical Paper: Telecommunications Interception Capability and Network Security" by MBIE (page 19 of the combined document); para 109 of the paper to the Cabinet Committee on Domestic and External Security Coordination (page 62); and para 37 of the Cabinet paper (page 74) all confirm the same thing:
A Ministerial directive will be used to secretly/confidentially impose an obligation to create interception capabilities by individually named service providers (referred to as "deem-in" but what I call a backdoor) "so as not to publicly announce a lack of capability in a particular service."
The Government is therefore going to be using secret orders to specific service providers directing the creation of interception capability, allowing real-time access by surveillance agencies
"Service providers" in the TICS Bill is very wide and includes every online service to end-users, including those that aren't normally considered a telecommunications service as such. The authorised surveillance agencies are the SIS, GCSB, NZ Police, and any government department declared to be one for that purpose.
Coming across plans for secret Ministerial directives was completely unexpected.
I can see nothing in the TICS Bill that requires a service provider to keep a Ministerial directive secret.
If secrecy is compulsory, there needs to be some sort of gag order, otherwise the service provider could make the secret directive public.
The stated rationale of secrecy is to minimise competitive disadvantage to the directed service provider.
If the 'bad guys' know a particular service provider has been forced to provide the Government with a backdoor, they will simply use other providers of the same service. This defeats the very purpose of requiring the interception capability and puts the directed service provider at a commercial disadvantage. Actually, it is likely to ruin the service provider.
As the 'bad guys' move from service to service in response to the government's 'whack-a-mole' approach of progressively forcing more and more service providers to create backdoors, the whole exercise become self-defeating.
The government's use of secret Ministerial directives seems a way to counter this by not letting people know which service provider has been forced to create a backdoor.
However, the consequences of this approach are very damaging and dangerous- when you don't know who to trust, you trust no one. There will be a loss of confidence across all service providers in New Zealand. A lack of information is quickly filled by rumour and FUD (fear, uncertainty and doubt).
As an example of just how bad the consequences are, consider how there is now a loss of trust in all US-based online service providers from Snowden's revelations. While there may be debate about the exact nature of the backdoor, there is no doubt that 9 online companies - Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple- do provide the US Government with secret, lawful access. Gag orders makes things worse- two email providers facing actual or potential secret orders have shut down but are unable to provide any real information, stoking FUD.
As a consequence of the loss of trust, The Information Technology & Innovation Foundation (ITIF) has projected a $35 billion loss to US cloud companies. A Forrester analyst projects global losses at $180 billion. Meanwhile, European companies are likely to get an advantage over New Zealand and US companies, including a greater push to keep things within Europe.
Official government policy
Examples from around the world show just how corrosive secret spying capability orders and gag orders are to trustworthiness, both to the country and its online service providers. Secrecy also aids compliant online service providers, happy to go along with the Government without insisting on a warrant, protected by the Principle 11 exceptions in the Privacy Act. A real corporate-government surveillance partnership.
Secret orders, secret compliance, secret evidence in courts... we just need secret courts to complete New Zealand's descent into a totalitarian state.
People will quickly figure out that they have no way of knowing which particular service provider has or hasn't given the government a backdoor. The logical approach would be to assume that all service providers are compromised.
Which business is going to take the risk that their, say, Board papers or accounts, are secretly available in real-time to the NZ Police, SIS, GCSB, and the Five Eyes partners? In particular, overseas businesses will be spooked from doing business with any New Zealand based online service provider. They will know that warrants can be issued to safeguard New Zealand's economic well-being just as easily as they are for national security and law enforcement.
Will this strengthen the case for the likes of Google and Microsoft to pull out of New Zealand rather than risk getting a secret directive for a backdoor from the ICT Minister?
Will New Zealand cloud companies decide to move out to more democratic countries?
In the name of protecting online service providers from competitive disadvantage, the Government could well ruin the entire New Zealand online services industry. The economic impact on New Zealand online service providers and the country's international standing could be truly devastating.
Rather than seize the moment to be a global leader in enacting sensible, proportionate and effective laws, the Government is making laws 'just in case' they are required in the future, with no evidence that service providers are part of the problem. I hope others will join me in calling for the Government to not go down this path. Once trust is lost, getting it back is going to be difficult if not impossible.
Former State Services Commission strategy & innovation manager and InternetNZ chief executive Vikram Kumar is CEO of Mega. He wrote and researched this article in a personal capacity. He posts at Internet Ganesha.