Facebook, Google, Microsoft won't be exempt from proposed NZ 'PRISM' law

The New Zealand government has softened its contentious network surveillance bill by removing a ban on operators selling overseas services in the country if they are deemed in breach of national security requirements.

NZ Communications minister Amy Adams.

Communications and information technology minister Amy Adams yesterday tabled a supplementary order paper (PDF) with changes to the proposed Telecommunications (Interception Capability and Security) Bill (TCIS), based on feedback from from the public and the industry as well as recommendations from the parliamentary Law and Order select committee.

The bill requires that network operators working in New Zealand facilitate interception of traffic by domestic security agencies.

Adams has removed clause 39 of the TICS bill in the SOP, which allowed the responsible minister to prevent network operators from selling overseas telecommunications services in New Zealand if the interception capability or lack thereof threatened national security.

Adams declined to exempt from the new law overseas service providers that offer messaging.

Google, Yahoo, Facebook and Microsoft had protested that the proposed TICS law would conflict with privacy and other legislation in their home countries and threaten the IT industry in New Zealand.

However Adams said the administrative process would ensure that such conflicts would be addressed and did not agree that existing or alternative arrangements were sufficient to achieve the objectives of the proposed new law.

Secrecy around the process of the proposed new law will be strengthened, Adams said. New provisions that allow classified security information to be presented "in the absence of named parties such as journalists and members of the public" will be introduced.

Providers that do not comply with the proposed new law, which is expected to pass this week, face pecuniary penalties.

The chief executive of Kim Dotcom's Mega, Vikram Kumar, points out that removing clause 39 will have little actual effect.

"Clause 39 was intended to apply to overseas telecommunication services resold in New Zealand. This is opposed to service providers which are defined as both local and overseas suppliers of telecommunication services sold to end users directly," Kumar explains.

"Take a company like Microsoft with Skype or Apple with iMessage. In both these cases, there is a direct customer relationship with the end user. Hence, these companies are service providers under the TICS Bill and removal of clause 39 has no impact on them or their obligations under TICS," Kumar adds.

Virtual private networks by overseas suppliers sold to local telco customers would also be caught by TICS and its standard compliance framework, Kumar says, with New Zealand courts being able to impose penalties.

TICS bill diagram. Source: NZ Government

 

New Zealand Internet, information technology and telecommunications interests groups had earlier requested more time to consider the implications of the TICS bill, which opposition Labour says is being rushed through select committee stages and the third reading in parliament.

 

Calling the the hurried progress of the bill "an extraordinary abuse of process", opposition ICT spokesperson Clare Curran said there is almost no time to consider the impact of Adams' SOP.

 

"One of the worst things about this bill is the refusal to have meaningful and respectful discussions with the businesses which will be most affected [by it], or to acknowledge the impact on NZ consumers," Curran said.

 

She dismissed Adams' changes in the SOP as "not substantive" and "window dressing" and said the late paper indicates that government is concerned that there are serious deficiencies with the bill as it was returned from the select committee.

 

Telecommunications Users Association of NZ chief executive Paul Brislen says his organisation is glad to see the back of Clause 39.

"This would have required over the top providers of "uncrackable" software to either allow the NZ government access to the system or face not being allowed to sell the product or service in New Zealand. That would have seen Apple's iMessage, Mega's online service and countless others excluded from the New Zealand market," Brislen told iTnews.

Spy agency to vet network procurements

The country's signals intelligence agency the Government Communications Security Bureau or GCSB and the government will have the final say in network operators' procurement decisions, under the proposed new law.

 

Under the new process, network operators will have to inform the GCSB director of equipment purchase decisions. These will in turn be assessed to ascertain whether or not they raise a risk to New Zealand's national security. 

 

If the GCSB director considers that a procurement is a security risk, network operators can provide a proposal to address it. Should the GCSB find the proposal not satisfactory, the matter can be referred for an independent review by the Commissioner of Security Warrants.

 

After the independent review, the responsible minister issues a direction to the network operator to comply and address "the significant risk to New Zealand's national security," documents released by Adams' office say.

 

What constitutes a significant risk to national security was not defined by Adams but in the SOP, she promises the process will be done in a timely fashion.

 

Brislen called the new network security provisions a "fundamental problem with the bill." 

"The GCSB is an intelligence gathering organisation and that means it will be internally conflicted when it comes to helping network operators patch security flaws - international best practice is to separate the two roles into two different parts of government", Brislen says.

"For instance, National Security Agency in the United States does not run the Computer Emergency Response Team, which has a role similar to that proposed for the GCSB in terms of network security," Brislen added.

"Telcos need to be left to make buying decisions that are best for the telco in question - that is the only way to ensure we have an efficient network build. Having a government agency decide what can and can't be built in or left out means added cost and delays for the telcos and that cost will be passed on to customers," he said.