NZ telcos face new obligations under interception law

New Zealand's modernised telecommunications interception law may include requirements for operators to break encyrption and protect networks against denial of service and unauthorised data access, but has been welcomed by Telecom New Zealand.

The proposed law is being led by the Ministry of Business, Innovation and Employement (MBIE), which administers the existing Telecommunications (Interception Capability) Act or TICA.

MBIE spokesperson Brad Ward said the structure of the telecommunications industry was very different from 2004, in New Zealand and overseas. 

"At the time, there was one incumbent telco and not much competition in the market," Ward said.

"Now there is different technology, more operators and the incumbent being structurally separated," Ward explained.

The goal of the new act is to clarify the obligations telcos and providers have to assist the three  government agences, the New Zealand Police, the Security Intelligence Service and the Government Communications Security Bureau when it comes to interception.

Ward said all three agencies would require warrants setting out exactly what they could intercept and access and from that point of view, the new law doesn't change anything.

Encryption thorny issue

The Telecommunications Users' Association of New Zealand has suggested the new act would force telcos, cloud and over the top providers to break encryption for communications.

Coupled with an unspecified enforcement regime, TUANZ asked if the new regime would force telcos to "somehow crack the security of Microsoft, Google, and Apple" and how these companies would react to such a requirement.

Ward said that telcos and other providers already had "a duty to assist" under the existing law, and that the new would introduce more flexibility.

What the enforcement regime would look like is yet to be decided however, and Ward admitted it could potentially lead to awkward situations where telcos may face penalties if they're unable to crack strong encryption as requested by government agencies.

The question of whether or not telcos needed to install new interception equipment in their networks depended to some extent on if they're wholesalers or retailers, Ward said. He played down the potential for burdensome financial costs.

"I believe the minister has said that she expects the cost of compliance [with the new act] not to rise," Ward said.

The country's largest telco, Telecom New Zealand, said it supported the rewrite of the act.

"Our industry structure has changed dramatically since the Act was implemented in 2004, and we support a review to update it," a Telecom spokesperson told iTnews.

"It will be important that any review can ensure a consistent application of interception requirements across all industry participants, rather than just traditional telcos/ network operators.

It will also be important is to ensure that any review minimises the cost burden of this regime on telecommunications companies," the spokesperson said.

Network protection and supplier vetting to be required

While the existing law deals mainly with the duty to provide interception capabilities, under the proposed law telcos will be obliged to "engage with the Government on network security matters", according to minister Adams.

Part of this new obligation includes assessing potential national security risks arising from designing or building new networks, Ward said, or if there's a significant change in who operates them for the telco.

The assessment will be done on a case-by-case basis, Ward said, and applies to all players and not just those from certain countries.

There may be a requirement to build network protection against denial of service attacks. 

"The goal is to prevent unauthorised access to copy or to divert services for espionage, as well as to stop disruption of these," Ward said.

Revision not Dotcom related

Despite the updates to the Act being released at the same time as NZ prime minister John Key proposed changes to the laws that govern how the country's signals intelligency agency, the Government Communications Security Bureau or GSCB can operate, Ward said the two are not directly connected.

"The Dotcom affair did not initiate the review of [the TICA]," Ward said.

"With the timing, it's understandable that there has been some discussion that the two legislative updates might be linked, but they're only so for national security reasons," he added.

Minister Key is proposing to lift the ban on GCSB being able to intercept communications of New Zealand citizens and residents, which until now have been illegal. A report [PDF] on the GCSB's compliance with the ban on interception of locals found that between 2003 and 2012, the agency had illegally eavesdropped on 88 people, including Megaupload founder Kim Dotcom who is now facing extradition to the United States for alleged copyright crimes.