The New Zealand parliament has narrowly passed into law a bill that will give the country's surveillance agencies powers to compel telcos to provide interception of all electronically transmitted communications.
According to NZ communications minister Amy Adams, the Telecommunications Interception Capability and Security (TICS) bill will "safeguard public safety and security".
On top of requiring providers with more than 4,000 customers over a six month period to provide full communications interception access to government security agencies, the new law also gives the Government Communications Security Bureau (GCSB) the final say in telco network equipment upgrades and new deployments.
Such a veto could bar Chinese telco equipment vendors like Huawei from the New Zealand market, said the chief executive of the Telecommunications Users Association of NZ, Paul Brislen.
Adams said the GCSB has "access to specialised information about potential vulnerabilities and threats" and that the security aspect of the new law helps "keep New Zealanders safe from unwelcome intrusions on our telecommunications networks, where these intrusions affect our national security."
“Network operators do not have access to this level of information, which can make it difficult to make informed decisions about the design, build and operation of their network," Adams claimed.
Telcos and ISPs must also ensure that they have staff with security clearance to assist with interception requests.
The bill has been criticised by online businesses such as Facebook, Microsoft and Google as being in conflict with United States privacy legislation and potentially damaging to IT firms operating in New Zealand.
Adams and the government would not exempt the likes of Facebook from the new law, but said there are administrative processes in place to prevent legal conflicts.
The chief executive of Kim Dotcom's new encrypted online storage venture MEGA, Vikram Kumar, told iTnews that he continues to believe that the new law will cost New Zealand businesses both in terms of direct costs of obligations as well as opportunity costs from no longer being seen as viable trusted alternatives to US-based ICT companies.
However Kumar doesn't believe MEGA will be compelled to decrypt its users' communications or files.
"The immediate impact, once the law comes into force, is a duty to assist in providing information about a service user when presented with a warrant or other lawful interception authority," he said.
"Mega’s current understanding is that it will not have to decrypt the content of a user’s file or communication as it would be unreasonable to do so," Kumar said.
To preempt itself from being "deemed in" as a network operator, MEGA will look at the options allowed under the new law to prevent this from happening, Kumar said.
One option is to open source the encryption used at MEGA and to make it publicly available. According to Kumar, this would remove any obligation on MEGA under the new law to decrypt user files and communications.