Here in New Zealand, we’re part of the ‘Five Eyes’ and our intelligence agencies have suffered the same as their intel partners as a consequence of the Snowden documents. Recently, New Zealand has seen instances of agencies acting outside the law due to misinterpretation of those laws. Therefore, in 2013, those laws were changed and the government committed to regular reviews of our intelligence and security agencies. In March this year, the first Independent Review of Intelligence and Security (IRIS), conducted by NZ’s next Governor-General and a former Deputy Prime Minister, released its report entitled Intelligence and Security in a Free Society.
The IRIS report comes in at almost 180 pages, and not surprisingly, not too many people seem to have read it or are talking about it (or at least they’re not doing so on the Internet). At InternetNZ, we wanted to distill all the contents of this report down to a much more readable nine page briefing.
Our briefing is split into sections – outlining what we do and don’t like about the report and its recommendations, and we have raised some pertinent questions about process, and what happens next.
The Good News
First off, the report has some really good aspects. More oversight, further powers for our Inspector-General of Intelligence and Security and a better and more consistent warranting system are just some of the recommendations we like. I want to draw attention to two that I think, if acted upon, should be of interest to the global Internet community.
Metadata is just data and should be treated the same way
The reviewers have correctly seen that metadata is a hugely powerful surveillance tool. They have recommended that metadata surveillance should be warranted and subject to the same processes that intelligence agencies need to do for other content surveillance or human intelligence operations.
This matters to everyone on the Internet. For example, law enforcement capturing and analysing the headers of someone’s’ emails, or even IP packets, should be subject to the same judicial oversight as reading the contents.
If you want to spy on someone…get a warrant!
The other great recommendation is that all surveillance and spying should be authorised. Meaning no more of these rationalisations around actions in public places or non-private communications not needing warrants. The report is unequivocal in its recommendation that if the government wishes to conduct surveillance on a New Zealander, then they should have a warrant for it. One of the biggest concerns we have with the current legislative definition of private communication in NZ is that it is so circular and vague, it could be read to enable widespread, non-warranted surveillance of our Internet communications.
The Bad News
New Zealand’s Government Communications Security Bureau (GCSB) does spy on the Pacific rim, and it uses an array of high tech and invasive tools to uncover secrets (the job of a foreign intelligence agency). For New Zealanders, it’s disappointing that the report suggests that the GCSB may soon be able to turn these abilities onto a domestic audience.
Of international interest, however, is the report’s commentary on ‘going dark.’ This is the fact that as more and more people are starting to use end-to-end encryption to ensure their privacy online, global law enforcement is finding it harder and harder to spy on people.
This is such a concern for the global intelligence community that the FBI has a page dedicated to it.
The problem is: so much of the debate is being framed in terms of encryption being used “by terrorists, by criminals, by pedophiles, by bad people of all sorts.” All the while ignoring the fact that there are very legitimate reasons why the global community requires a level of privacy through the use of encryption. Sadly, what little the reviewers say about encryption, feeds into this narrative of encryption helping ‘bad things’ to happen.
APNIC has a history of encouraging encryption technologies – be they DNSSEC or more recently some of the research into DANE. Having all encryption technologies being described as a tool used in the ‘dark web’ is a commentary that, as an industry, we need to change.
But, the reality is, encryption is good for personal security, it’s good for organisational security and it’s good for national security. One of the trade-offs of ubiquitous, end-to-end encryption is that law enforcement and surveillance agencies won’t be able to access content in the vast majority of cases. As General Michael Hayden, former director of CIA and NSA, has put it:
“Give up content. Content’s going away. There is a natural arc to technological progress. It’s going to make content more and more and more difficult to extract from communications and it’s really not going to matter a whole lot what the federal government thinks about that. Accept that reality.”
Would you like to know more about New Zealand’s Independent Review of Intelligence and Security? Visit the review’s corner of the NZ Ministry of Justice’s website.
Andrew Cushen is the Deputy Chief Executive of InternetNZ.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.