close
MENU
Hot Topic Scrutiny
Hot Topic Scrutiny
4 mins to read

The surprising sweep of GCSB powers under new telco intercept bill

Fri, 10 May 2013

Phone company already have to be networks have to be "interceptable." The current Telecommunications Interception Capability Act (2004) lets the GCSB, SIS and police snoop on phone networks, provided they've got a warrant.

But an update to the law gives the GCSB sweeping new powers.

The Telecommunications Interception Capability and Security Bill (TICS), which has just passed its firs reading in Parliament (it's a companion piece of legislation to the new GCSB Act), means a network operator has to consult with the spy agency before making changes to its equipment - and much more besides.

If they don't cooperate, they'll face fines of between $50,000 and $500,000 a day.

"The new bill now gives the GCSB sweeping powers of oversight and control over the design, deployment and operation of all data and telecommunications networks run by network providers in New Zealand," says Tech Liberty's Thomas Beagle.

Lawyer Michael Wigley details, "Obligations apply where a 'network operator' – which is defined widely – plans changes in key parts of the network, such as the network operations centre, data aggregation (stored or transitory), customer information and databases.

"Applicable changes include changes to equipment, systems, services, control and ownership. Early on in its plans (eg before going to request for proposals on a tender), the network operator must tell GCSB of its plans."

Phew. That's a lot of areas where the spy agency can stick its oar in.

And what will the GCSB be looking for? Threats to national security, or threats to economic well-being. 

Telecommunications Users Association head Paul Brislen is among pundits who find the latter exceptionally vague, and hard to define.

"Does this mean the GCSB will be directing the telcos in their network rollouts?," Mr Brislen asks.

"Does it mean certain vendors will be unable to provide gear for certain parts of the network? Does it mean those telcos that already use a certain provider - I'm thinking here specifically of Huawei but it could be anyone - be excluded from certain key government contracts?"

And indeed it's easy to think of Huawei, given the Chinese company has already been blocked from bidding on business around Australia's National Broadband Network (NBN).

Among other local projects, the keenly-priced Huawei is supplying kit for Telecom's 4G rollout (displacing long-time mobile network partner Alcatel-Lucent, and management services and hardware for Ultrafast Fibre's UFB rollout. The company is also 2degrees' primary network equipment supplier.

Mr Wigley also picks on the economic security risk provision, but says there's an element of "punching at clouds."

He looks to the situation in the US, where no phone company uses Huawei equipment, and security software company Symantec last year pulled out of a multi-billion dollar alliance with Huawei, apparently under threat that it could lost government business. A Congressional committee warned against doing business with Huawei - but as the Chinese companies and its supporters were quick to point out, it failed to make any detailed accusations.

"Some critics of what the Senate Committee did believe that the attack on Huawei boils down to trade protection: keep the Chinese out to shore up domestic US suppliers, under the guise of cyber-risk," Mr Wigley says.

Under the new intercept legislation, there's a process for telcos and the GCSB to agree on whether an equipment maker poses a security or economic threat.
 
If they can't agree on the latter, the GCSB minister (usually the Prime Minister) will have to consult with the Trade Minister - a process of external control Mr Wigley describes as challenging.
 
And indeed it's difficult to visualise John Key and Tim Groser sitting down to access the potential economic threat to New Zealand of say, Huawei gear being used X part or Y part of Telecom's network (though you'd also have to say the Chinese company isn't in much danger of losing its NZ business, given the GCSB doesn't seem to have had any issue with Huawei so far).
 
"This highlights how hard it is to get legislation like this correctly balanced to ensure the ability to deal with cyber-terrorism and the like, while sufficiently protecting telco rights," says Mr Wigley (who has acted for Kordia and 2degrees, among other industry clients).
 
"Telcos should not be unreasonably forced to spend more money and configure networks differently, unless justified."
 
Mr Beagle notes one piece of positive news for telcos on this front. After ICT Minister Amy Adams broadly outlined the legislation, phone companies feared they would have to bear the burden and cost of decrypting encrypted traffic. But the bill passed in Parliament this week only requires them to crack a message if they encrypted it themselves.
 
The Dotcom factor - getting even simple stuff wrong
Mr Wigley also worries that if the GCSB gets into the highly areas such as network design, equipment selection and how customer information is to be stored in databases, it magnifies opportunities for things to be handled poorly.
 
"The recent Dotcom GCSB fiasco, with revelations of over 80 other breaches of the GCSB Act in relation to New Zealanders, shows how important it is to get this right.  If the simple stuff is handled badly, what about [more complicated] things?"
 
Read more analysis from Messrs Wigley, Brislen and Beagle in their respective guest opinion piece for NBR Weekend Review, on NBR's home page Saturday and Sunday.
 
 
© All content copyright NBR. Do not reproduce in any form without permission, even if you have a paid subscription.
The surprising sweep of GCSB powers under new telco intercept bill
29283
false