the crimes amendment act 2003 and the government communications security act 2003 – an...
Post on 08-Aug-2018
213 Views
Preview:
TRANSCRIPT
-
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
1/36
The Crimes Amendment Act 2003 and the GovernmentCommunications Security Act 2003 An Interrelated History.
In early 2000, it was decided that the GCSB should be placed on a statutory footing similar
to that of the NZSIS.1
We shape our tools and thereafter our tools shape us.2
IntroductionIn March 2003 the New Zealand Parliament enacted the Government Communications Security Act
2003, formalising the existence of the Government Communications Security Bureau, which had
been in existence since 1977, as a Department of State.
This paper argues that the reasons for the legislation came about as a result of a number of
amendments that were proposed to the Crimes Act 1961 that were the subject of the CrimesAmendment Bill 1999 as well as the stated objective of making New Zealands security arrangements
more transparent and accountable. The amendments related to the enactment of a number of
sections of the Crimes Act dealing with computer crime. As the legislation progressed until its
ultimate enactment in 2003, various changes to sections relating to computer crimes and
interceptions of communications meant that the existence of the GCSB had to be formalised hence
the legislation. It is argued that these amendments, associated as they were with communications
technology, drove the GCSB into the legislative light from the shadows it had previously occupied. It
could be suggested that, from a point of view of transparency of Government surveillance activities,
this was a good thing.
This paper will trace the legislative events that resulted in the enactment of the computer crimes
amendments to the Crimes Act and the associated moves towards the enactment of the
Government Communications Security Act. It does not set out to offer any opinion on the content of
the legislation other than to demonstrate its interaction. It will conclude with some observations on
the legislative process surrounding the legislation in question and raise some questions for
consideration on the wider issue of the nature of liberty in a new information paradigm.
Computer Crimes Legislation 1989 1999In New Zealand, computer crime legislation was first proposed in 1989 in the Crimes Bill 1989, which
proposed the creation of two offences in relation to computer misuse: accessing a computer for a
dishonest purpose and damaging or interfering with a computer system. The Crimes ConsultativeCommittee proposed a number of changes to the clauses recommending that there should be three
separate offences accessing a computer and obtaining a benefit or causing a loss, accessing a
computer with intent to obtain a benefit or to cause a loss, and a summary offence of unauthorised
access to a computer punishable by a maximum of six months imprisonment.3 The amendment was
abandoned when other matters in the Bill failed to obtain government support.
1 History of the GCSB Government Communications Security Bureauhttp://www.gcsb.govt.nz/about-
us/history.html(last accessed 18 August 2013). As will become clear, this is an inaccurate statement.2
Marshall McLuhan Understanding Media: The Extensions of Man (Sphere Books, London, 1967).3 New Zealand Law Commission Computer Misuse (New Zealand Law Commission, Wellington 1999 Report 54)
at [3].
http://www.gcsb.govt.nz/about-us/history.htmlhttp://www.gcsb.govt.nz/about-us/history.htmlhttp://www.gcsb.govt.nz/about-us/history.htmlhttp://www.gcsb.govt.nz/about-us/history.htmlhttp://www.gcsb.govt.nz/about-us/history.htmlhttp://www.gcsb.govt.nz/about-us/history.html -
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
2/36
In 1998 interest in computer crime was sparked by two incidents which were rapidly followed by a
Law Commission report on computer misuse.
The hacking incidentsOn 26 August 1998 Andrew Garrett began harvesting usernames and passwords from Xtra users
computers and subsequently released information to Chris Barton of the New Zealand Herald thathe had managed to compromise the security of the Xtra servers. What Garrett had in fact done was
to use a Trojan Horse program to obtain the passwords of those computer owners. He made no
secret of his involvement but, because of a dispute that he had with Telecom at the time,
characterised the issue as one of Xtras security. He was later prosecuted and convicted of five
offences arising out of his activities.4
In November 1998, 4,000 files were deleted from the Ihug Home Pages Server. No one was
prosecuted, although investigation revealed that a 17-year-old New Zealander committed the action
by effectively hacking the Ihug home pages server in California.5
Computer crime and the adequacy of the existing law moved into sharp focus. The LawCommission had been examining aspects of E-Commerce but there had also been concerns
about dishonest activity in the electronic banking context which had resulted in a Law
Commission report in December 1998 entitled Dishonestly Procuring Valuable Benefits6
following upon the case of R v Wilkinson.7 That report also suggested a wider review of Part
X of the Crimes Act 1961 which dealt with property offending. The Law Commission began
to focus its attention upon computer crime.
The Ministry of Justice had also been considering issues arising out of computer misuse. The
Minister for Justice announced a proposal to introduce into the House of Representatives
legislation which would create criminal offences for certain types of computer misuse.8
Because of the imminence of a Bill, on 13 May 1999 the Law Commission issued a final
report on computer misuse which was confined to concepts and which did not include draft
legislation. The Commission stated:
While we would have preferred more time to consider the form of the legislative
changes we consider it important for our work to be available both to the Ministry
and the public in time for it to be of use.9
4
R v Garrett[2001] DCR 955; R v Garrett (No 2) [2001] DCR 912. For a brief but useful account of the case seeInformation about Criminal Law and the Net Case Study 1 Netsafe
http://www.netsafe.org.nz/archive/criminal/criminal_case1.html(last accessed 21 August 2013). See also Paul
Brislen ISPs Please with Verdict in Hacker Case" Computerworld 18 July 2001.
http://www.computerworld.co.nz/article/512709/isps_pleased_verdict_hacker_case/(last accessed 21 August
2013) Paul Brislen Hacker Case Creates Precedent Computerworld 18 July 2001.
http://www.computerworld.co.nz/article/512710/hacker_case_creates_precedent/(last accessed 21 August
2013).5 Ihug Boost Security after Hacker Hits 100 Accounts New Zealand Herald, 1 February 2001
http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=114894.6 New Zealand Law Commission Wellington 1998 Report 51.7 [1999] 1 NZLR 403.8
New Zealand InfoTech Weekly 11 April 1999, 1.9 NZ Law Commission Computer Misuse above n. 2 p.ixhttp://www.lawcom.govt.nz/project/computer-
crime?quicktabs_23=report(last accessed 21 August 2013).
http://www.netsafe.org.nz/archive/criminal/criminal_case1.htmlhttp://www.netsafe.org.nz/archive/criminal/criminal_case1.htmlhttp://www.computerworld.co.nz/article/512709/isps_pleased_verdict_hacker_case/http://www.computerworld.co.nz/article/512709/isps_pleased_verdict_hacker_case/http://www.computerworld.co.nz/article/512710/hacker_case_creates_precedent/http://www.computerworld.co.nz/article/512710/hacker_case_creates_precedent/http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=114894http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=114894http://www.lawcom.govt.nz/project/computer-crime?quicktabs_23=reporthttp://www.lawcom.govt.nz/project/computer-crime?quicktabs_23=reporthttp://www.lawcom.govt.nz/project/computer-crime?quicktabs_23=reporthttp://www.lawcom.govt.nz/project/computer-crime?quicktabs_23=reporthttp://www.lawcom.govt.nz/project/computer-crime?quicktabs_23=reporthttp://www.lawcom.govt.nz/project/computer-crime?quicktabs_23=reporthttp://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=114894http://www.computerworld.co.nz/article/512710/hacker_case_creates_precedent/http://www.computerworld.co.nz/article/512709/isps_pleased_verdict_hacker_case/http://www.netsafe.org.nz/archive/criminal/criminal_case1.html -
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
3/36
The Law Commission Computer Misuse ReportThe Law Commission report on computer misuse10 analysed the law relating to computer misuse
and suggested that criminal liability be extended to actions in the electronic environment that, in
their parallels in the real world, were not unlawful.
The Commission considered that legislation dealing with computer misuse must address the
following elements:
Unauthorised interception of data stored in a computer;
Unauthorised accessing of data stored in a computer;
Unauthorised use of data stored in a computer;
Unauthorised damaging of data stored in a computer
As to the offences of unauthorised access and interception the Commission stated:
The offences of unauthorised access and interception should require proof by the
prosecution of intent:
in relation to the interception offence, the prosecution should be required to establish an
intention to intercept:
in relation to the offence of access, the prosecution should be required to establish an
intention to:
cause loss or harm to the person entitled to the data or to some third party; or
gain some form of benefit or advantage either personally or to a third party.
We propose that the terms loss or harm and benefit or advantage be given a wide
meaning and not be limited to pecuniary losses or benefits. In the case of offences involving
use and damage, proof of carelessness should be sufficient to establish an offence.11
The Law Commission also stated:
that the existing criminal law is inadequate to deal with computer misuse.
However, it would be possible to redraft existing law to cover the types of computer
misuse to which we have referred in this report. If an attempt is made to amend the
existing provisions of the Crimes Act 1961 to make them fit the matters discussed in
this paper, there is a grave risk of error either by imposing criminal liability where itshould not be imposed or by omitting provisions that ought to be included. We have
no doubt that the only neat and sensible solution is to either have a separate statute
dedicated to crimes of computer misuse, or, to have a distinct part within the Crimes
Act 1961 relating to computer misuse.12
The Law Commission concluded that the current criminal law was inadequate to deal with
unauthorised computer access and a reform of the law was required. It defined access as
10 Ibid.11
Ibid. p. xii.12 Ibid. at [80].
-
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
4/36
covering a situation where a person without authority, whether through physical or
electronic means, obtains access to data stored on a computer. It also considered that the
prosecution should be required to establish:
first, that the accused gained unauthorised access to data, and secondly that at
the time of access, the accused had an intention to cause loss or harm or gain abenefit or advantage.
In the Law Commissions view, criminal intent was needed to avoid trivialising the criminal
law by making every unauthorised access a criminal offence. This meant that those who
gained access simply to achieve the prize of access will not be criminally liable for their
actions. In other words, pure hacking will remain outside the scope of the law.
The thrust of the Commissions recommendations was therefore directed towards the
protection of the data or contents of the computer system rather than extending the
prohibition to access as such. In the Commissions view, the access had to be accompaniedby an element of intentional wrongdoing involving the data.
This limited scope was extended as the computer misuse provisions of the Crimes Act
Amendment Bill (No 6) made their way through the legislative process.
The Introduction of the Crimes Amendment Bill (No 6) October 1999In October 1999, the Crimes Act Amendment Bill (No 6) was introduced to Parliament and
referred to select committee. The Bill was expansive, proposing a number of changes to the
criminal law, but significantly created four new computer-based offences. In summary,
these are as follows:
1. s 305ZE(1) accessing a computer system and dishonestly or by deception
obtaining a financial benefit or causing loss;
2. s 305ZE(2) accessing a computer system with intent to obtain a benefit or
cause loss;
3. s 305ZF(1)(a) damaging or interfering with a computer system with intent
to cause serious damage; and
4. s 305ZF(2)(a) recklessly damaging or interfering with a computer system
knowing that serious damage is likely to result.
On 5 October 1999 at the second reading of the Bill, the then Minister of Justice Mr Tony
Ryall made the following observations:
As the Minister of Justice I have made it clear that in respect of our legislation there
are a number of imperatives that we the Parliament must work on in the next few
years. The first is to make our legislation technology-neutral. There is no point in
putting definitions of particular hardware or software into legislation, because such
technology may not exist in a few years' time. It is vital that we make our legislation
technology-neutral and describe the nature and the form of the offence rather than
the specifics of the mechanism by which it was done. We want to make sure that our
-
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
5/36
legislation is harmonised with international information technology and
technological crime legislation. Also, we want to develop further work in terms of
encryption and security. But this Bill will go some way in terms of putting into
practice the Government's work programme, and it is my expectation that there will
be further legislation in this area next year.13
Thus the Minister was wisely avoiding technology-specific legislation and rather focussed
upon the behaviour associated with a technology as the target of the legislation. He went on
to say:
This Bill creates new offences in relation to the misuse of and damage to computer
systems. .. It will be an offence to access a computer and dishonestly---and that
means without authority or by deception---obtain a financial benefit, or cause a loss
to someone. This offence has a maximum penalty of 7 years' imprisonment. The
second new computer offence is essentially an ``attempt offence'' and has a
maximum penalty of 5 years' imprisonment.
The other new computer offences relate to damaging a computer with intent to
cause damage or being reckless as to whether serious damage occurs. These have a
7-year penalty.
A definition of ``computer'' is not included. As I said earlier on, it is unlikely that such
a definition would keep up with changing technology. Other jurisdictions have taken
various approaches to this issue in their criminal statutes. England, for example, does
not define it, whereas the United States does. As Minister, I will welcome comments
on this in submissions to the select committee.14
The Minister then went on to address the issue of access without authorisation
without any associated intention to commit an unlawful act.
The Government has also decided at this stage not to include an offence relating to
unauthorised access of a computer. We recognise that this is a serious problem that
needs addressing, but it does actually need quite a lot more work and consideration.
However, I did not want to delay action on these changes at this stage. When
someone from an outside firm manages to gain access to the firm's computer,
commonly known as hacking, there is probably general agreement that this should
be a criminal offence. However, I believe an offence should also cover employees
who are not authorised, or go outside their authority to access information.
Employers will therefore need to have clear levels of authority in place if such an
offence is to be proven. This issue is more difficult, but we intend to put forward
such an offence early next year.15
Thus, unauthorised access was clearly on the table, but required further work. Of
especial interest is the suggestion that employees should be liable if they were
13
Crimes Amendment Bill Second Reading Hansard 5 October 1999.14 Ibid.15 Ibid.
-
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
6/36
unauthorised or went beyond their authorisation to access computer systems. As will be
seen, this was the subject of a specific exemption when the Bill was finally enacted and
appears in s. 252(2).
In the debate, Phil Goff MP castigated the Government for delaying action on computer
crime and pointed to what he saw as the motivation for the amendments.
Last year a hacker destroyed 4,500 web pages hosted by the Internet Group.
Another hacker breached the password security of Telecom's Internet service
provider XTRA, and nothing was done because the law was not in place.
Finally, after a decade, the Government has been sufficiently embarrassed by those
people getting away with those offences that it has brought to this House a new Bill.
I welcome the provisions of the Bill but they have been too long in coming and I
think the select committee will have to examine whether, even now, they are
sufficiently strong to deal with the computer crimes that are happening in oursociety.16
Mr Goff then went on to consider the absence of the offence of unauthorised access to
computer systems:
What we have not yet got is the further offence of hacking into a computer system,
and the Minister has said that he is not yet ready to do this. So we still have that
problem, and he hopes that next year something will be done. Next year! That will
be some 11 years after the Crimes Bill and still the Minister has not acted.
Paul Swain MP looked at the broader picture that he considered the legislation did not
address:
The point really is that the member does not get it. It is not just about hacking, and
it is not just about computer crime, it is about a whole pile of other things as well. It
is about the whole issue of security across the Internet, which implies security for
electronic commerce. It is about the protection of intellectual property rights, which
is an issue of the Internet, and an issue of electronic commerce. For example, it is
about protecting and promoting consumer rights in cyberspace. That is what
electronic commerce is about. Computer crime and hacking are only a little tiny partof a much bigger picture.
The Bill was referred to a Select Committee. However, in November 1999 there was an
election and the National Government was replaced by a Labour-led Government under
Helen Clark. It was under the new Government that further developments, heralded by
speakers from both sides of the House in 1999, were considered and proposed.
16
Ibid. As it happens Mr Goff was later proven to be incorrect. The Xtra hacker Andrew Garrett wasprosecuted and convicted of offences existing under the law as it stood arising out of his action see R v
Garrettabove n. 4.
-
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
7/36
Supplementary Order Paper 85 2 November 2000On 2 November 2000, Keith Locke MP had a question for the Prime Minister:
Would the proposed changes to the Crimes Amendment Bill (No 6), if passed, allow
the Government Communications Security Bureau, under certain circumstances, to
intercept e-mail communications of New Zealanders; if so, what would the
circumstances be, and what authorisation would be required?17
The Prime Minister replied
No. The proposed changes provide specifically that the Government
Communications Security Bureau may only intercept private communications which
are both---
(a) Private communications of a foreign organisation or foreign person (or
a representative or agent of a foreign organisation or foreign person);
and
(b) Private communications which contain, or may reasonably be
expected to contain, foreign intelligence.
The expressions ``foreign organisation'', ``foreign person'', and ``foreign
intelligence'' are defined in the proposed amendment in such a way as to make it
clear that the Government Communications Security Bureau may not intercept the
communications of New Zealanders, whether in e-mail or any other form.18
Mr Locke was referring to Supplementary Order Paper 85 (SOP 85) and the question
arose because of its scope. SOP 85 was not restricted to adding the criminalisation of
unauthorised access to a computer system. There were a number of other changes tothe Crimes Act dealing with Part 9A of the Crimes Act dealing with crimes against
personal privacy and the unauthorised use of interception devices. Exceptions were
provided where interception of communications was authorised by law. The
amendments to the Crimes Amendment Bill proposed by SOP 85 were quite wide-
ranging and in some respects reflected what could be called scope creep in dealing
with the involvement of law and new communications technologies.
Before looking at SOP 85 it is necessary to briefly talk about the legislative structure of
the Crimes Act. Like most statutes the Crimes Act is divided into a number of parts. The
Law Commission recognised this when it recommended that any provisions relating tocomputer crimes should have their own part.
The Crimes Amendment Bill (No 6) covered a number of proposed amendments to the
Crimes Act, particularly in the area of property offences. Property offences are covered
in Part 10 of the Crimes Act. Within that part there are a number of subdivisions
unlawful taking, burglary, robbery and blackmail, crimes involving deceit, money
laundering, receiving, forgery and counterfeiting, coinage, arson, damage and waste.
17 Hansard 2 November 2000.18 Hansard 2 November 2000.
-
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
8/36
The Amendment Bill proposed that computer crimes would have their own subdivision
within Part 10 of the Crimes Act.
There are two other parts of the Crimes Act that were involved in SOP 85 and were
related to legislation involving new technologies. Part 9A dealt with crimes against
personal privacy and focussed on the use of listening devices and prohibitions on
recording private conversations using listening devices. Part 11A involved obtaining
evidence by way of listening devices. Essentially, both parts dealt generally with bugging
conversations, prohibitions against such activity and the provision of exceptions in the
case of law enforcement. Part 11A provided a strict regime for obtaining warrants by the
Police for the use of listening devices, and the circumstances where the fruits of the use
of listening devices (and later, interception devices) could be admitted as evidence.
In essence SOP 85 replaced references to listening devices with the term interception
device19 updating the legislation to cover not only contemporaneous bugging but the
wider power to hear, listen to, record, monitor, acquire, or receive the communicationwhile it is in transit.20
The overall scheme of the amendments were to maintain earlier prohibitions on the use
of listening devices and an extension to interception devices for the intentional
interception of private communications. There are exceptions provided where the
person intercepting the private communication is a party to the communication. SOP 85
provided another exemption. The prohibition was not to apply to the interception of
private communications by any interception device operated by the Government
Communications Security Bureau for the purpose of intercepting private
communications that are both"(a) private communications of-"(i) a foreign organisation, or foreign person; or
"(ii) a representative or agent of a foreign organisation,
or foreign person; and
"(b) private communications that contain, or may reasonably
be expected to contain, foreign intelligence.
Now provisions regarding changes to the law relating to offences against privacy and the warranted
bugging by the Police for the purposes of obtaining evidence had not been a part of the original Bill,
and as I suggested the proposals contained in SOP 85 reflected significant scope creep. In addition
there was a proposed change to the computer crimes provisions. The offence of access to a
19 An interception device was defined in SOP 85 as any electronic, mechanical, or electromagnetic
instrument, apparatus, equipment, or other device that is used or is capable of being used to intercept a
private communication. Hearing aids were excluded along with a provision for an exemption made by the
Governor-General by Order in Council.20 This was the position in s.312A of Crimes Act 1961 after the 2003 amendments had been enacted. The
provisions of Part 11A have been repealed and the circumstances where private communications may be
lawfully intercepted are now part of the Search and Surveillance Act 2012.SOP 85 proposed a slightly more complex approach in that the private communication could be intercepted at
any time during the period beginning with the time the communication is sent and ending at the time that the
intended recipient is able to have access to it. When the Bill was reported back by the Law and OrderCommittee the wording was changed from that proposed by SOP 85 to read while it is transit from the person
sending the communication to the person intended to receive it.
-
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
9/36
computer system without authorisation. The wording of the new section (s. 305ZFA in SOP 85) as
proposed reads as follows:
Every one is liable to imprisonment for a term not exceeding 2 years who intentionally
accesses, directly or indirectly, any computer system or part of a computer system without
authorisation knowing that he or she is not authorised to access that computer system orpart of that computer system or being reckless as to whether or not he or she is authorised
to access that computer system or part of that computer system.
By prohibiting access to computer systems, within the context of the new provisions relating to
interception and privacy of communications the Government had to provide for exceptions for
organisations which might be involved in this activity. Accordingly, SOP 85 contained this provision:
(l) Section 305ZFA does not apply if the person accessing a computer system or part of a
computer system-
a) is an employee of the Government Communications Security Bureau; and
(b) is discharging his or her duty as an employee of the Government
Communications Security Bureau to collect foreign intelligence; and
( c) is authorised, in writing, by the Minister responsible for the Government
Communications Security Bureau.
(2) The Minister responsible for the Government Communications Security Bureau may
authorise an employee of the Government Communications Security Bureau to access a
computer system or part of a computer system of a specified foreign organisation or foreign
person if the Minister-
(a) has consulted with the Minister of Foreign Affairs and Trade; and
(b) is satisfied that-
(i) there are reasonable grounds to believe that no New Zealand citizen or
person ordinarily resident in New Zealand is specified as a foreign
organisation or foreign person whose computer system may be accessed;and
(ii) the access is necessary for the purposes of collecting foreign intelligence;
and
(iii) the value of the information sought to be obtained justifies the access;
and
(iv) the information is not likely to be obtained by other means.
There were also qualified exemptions for the SIS where an interception warrant under the SIS
legislation had been issued and for law enforcement agencies who accessed a computer system
under the execution of an interception warrant, search warrant or other legal authority.
Speaking to the introduction of SOP 85, the Associate Justice Minister, Paul Swain MP, said of the
changes to parts 9A and 11A:
They are not currently included in the bill. The purpose of the interception proposals is to
extend the offences and warrants to cover electronic technology. One of the main purposes
of the Crimes Amendment Bill (No 6) is to ensure that property offences cover electronic
technology. I believe that the proposals in the Supplementary Order Paper have sufficient
commonality with the bill to be included in it.21
21 Hansard 16 November 2000.
-
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
10/36
He then went on to consider the creation of the new offence of unauthorised access he referred to
it as hacking and the ramifications of that proposal. And this is where the interrelationship with
other aspects of the law relating to the use of electronic technologies come into play. Mr Swain said:
The bill contains a new computer offence---that is, accessing a computer system without
authorisation, which is commonly referred to as hacking. Currently, in New Zealand it is not
unlawful for anyone to hack into someone else's computer. The bill makes hacking unlawful,with a penalty of imprisonment for up to 2 years for those convicted of that offence. It is
designed to bring us into the 21st century, and to bring us up to speed with new technology.
If we start to introduce laws that make hacking unlawful, issues immediately arise such as
whether there should be any exemptions. That arises automatically when we want to
introduce legislation such as this. The Government says that, yes, there should be
exemptions, and consequently certain qualified exemptions to the offences are proposed for
law enforcement and security agencies that are properly authorised. It is important to point
out that there will be proper authorisation for those exemptions, primarily through a search
warrant or interception warrant---two systems currently available to the police and security
agencies.22
As at 16 November 2000 there were provisions in the law for the issue of search and interception
warrants to the Police and SIS. Apart from the wording of the qualified exemption for the GCSB 23
there was no authority at law that enabled the issue of a search warrant or an interception warrant
to a member of the GCSB enabling access to a computer system, apart from an Order in Council that
related specifically to the Waihopai site. Mr Swain said that the exemption for the GCSB would
ensure greater transparency. The exemption is not limited to any particular site, as was then
the case.
Keith Locke had this to say about the scope creep of SOP 85.
The Associate Minister of Justice put stress on the bill being an anti-hacking measure and
an anti-interception measure, and of course we support any bill opposed to hacking or
interception. In fact, we asked the Minister to put such provisions in a separate
Supplementary Order Paper, but those few clauses against hacking and interception amount
to about only one page of this 12-page Supplementary Order Paper. The rest of the clauses
are a major assault on our privacy.
They give the police, the Security Intelligence Service, and the Government Communications
Security Bureau the right to hack into our computers and intercept our emails, faxes, and
message pagers. Mr Swain said this measure will enable agencies to catch criminals. No one
is disputing that we might be able to catch a few more criminals through such interception.Surveillance cameras placed on every street in the country might catch more criminals, but
we always have to ask ourselves what the cost is to our privacy. Do we really want to live in
a surveillance society? Electronic interception is not just a question of modernising police
22 Ibid. The emphasis is mine.23 Authorisation by the Minister in writing to an employee of the GCSB after being satisfied of the matters
contained in 305ZFC(2)(b)(i) (iv) i.e.
(i) there are reasonable grounds to believe that no New Zealand citizen or person ordinarily resident
in New Zealand is specified as a foreign organisation or foreign person whose computer system may
be accessed; and
(ii) the access is necessary for the purposes of collecting foreign intelligence; and(iii) the value of the information sought to be obtained justifies the access; and
(iv) the information is not likely to be obtained by other means.
-
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
11/36
and security agencies' powers beyond their present letter opening and telephone tapping, as
has been made out; computer interception is a whole different ball game. For example, the
Carnivore system, which the FBI uses, allows keyword searches through vast amounts of
email. Britain has a system called ``RIP''---which is a very appropriate name; it comes from
the Regulation of Investigatory Powers Bill---where a kind of black box is attached to the
servers of Internet providers, and the traffic is routed through to MI5.
There are several problems. The first problem is that the emails of many ordinary people will
be intercepted by the system just because they accidentally use certain keywords, and their
messages will be scrutinised. This has already happened with the Echelon system of which
the Waihopai station near Blenheim is a part. Emails and faxes passing through a Pacific
satellite are intercepted through keyword searches. Under this Supplementary Order Paper,
the government Communications Security Bureau, which runs Waihopai, will be allowed to
increase its power, including surveillance within New Zealand, and not just through that
Pacific satellite. Supposedly, the Government Communications Security Bureau is allowed to
spy only on foreigners---foreign people and foreign organisations. However, if we look at the
definitions of a target in this Supplementary Order Paper, we see that organisations likeGreenpeace or an international trade union federation would fit under those definitions.24
Tony Ryall MP, who, it will be remembered, introduced the Crimes Amendment Bill (No 6) made
these comments in support of the reference of SOP 85 to the select committee:
We also support the introduction of anti-hacking provisions. However, we remain
concerned that the Government is failing to address the issue of ``denial of service'' attacks.
We have commented several times to the Minister on the need to address that. His officials
tell him it has been fixed. That is questionable, considering that the rest of the computer
technology community says it has not been fixed.
The Supplementary Order Paper makes hacking---the unauthorised or reckless use of
computer systems---an offence. But it also provides qualified exemptions for the security
agencies---the Security Intelligence Service, the Government Communications Security
Bureau, and New Zealand Police. The Supplementary Order Paper makes it clear that
interception may be done only under a warrant from the appropriate authorities, as is the
case with a telephone tap.an agency, a person such as the Prime Minister, or the various
commissioners involved. The various agencies will get these warrants when they need them,
provided that they comply with the requirements of the legislation. The interception
warrants will be granted by independent bodies, as per the requirements of the
legislation.25
It is fair to conclude at this stage that Mr Ryall was referring to the Police and the SIS, both
organisations having statutory provisions for the issue of search or interception warrants.
But the concern of the National Party in Opposition is that when the police seek to tap a
telephone, or when the Security Intelligence Service seeks to tap a telephone, it is a discrete
action. It requires a warrant. It requires the police to take their equipment and attach it to
the telephone line or exchange as is necessary. The equipment does not stay there dormant;
it is taken away. It is used when there is a warrant. What concerns this Opposition is that the
Government is talking about installing permanent listening devices between Internet service
providers and the police and security agencies---permanent, hard-wired listening devices;
24 Hansard 16 November 2000.25 Ibid.
-
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
12/36
devices that are permanently affixed to the Internet service provider. We agree with Mr
Locke that that has the potential to be a wolf in sheep's clothing, and I want to explain to the
House why.
The police are allowed to access the Wanganui computer system only as authorised. That is
what the Minister will say about these hard-wired Internet connections---that the police canaccess them only when they have authority. But as Mr Locke explained, and as members of
this House are well aware, the Wanganui computer, the Law Enforcement System, from time
to time is accessed by police who are unauthorised, and for unauthorised purposes. That is
the risk with the Government's plan to put permanent, hard-wired listening devices between
Internet service providers and law enforcement agencies
I have no problem with the police and the Security Intelligence Service getting a warrant to
go to an Internet service provider and tap into the Internet for a distinct and specific case
that has been approved by a granting authority. What I am concerned about is the
Government having a permanent line into every Internet service provider in this country.
The reason I am concerned about that is that the Government can offer no guarantee thoselines will be used only for authorised and warranted purposes. Privacy is at stake. We know
that the Wanganui computer is misused from time to time, and the hard-wired listening
device that the police and agencies are discussing as we speak has the potential to be
misused. The computer industry today has sufficient technical and forensic expertise to
assist the security agencies and police without their having a permanent connection. I need
to be very much convinced that these permanent, hard-wired listening devices connected to
Internet service providers can be secure. We need to be assured that no one will be thinking
he or she can tap into the Internet to find out what emails are going backwards and
forwards from a tenant who owes him or her money. We need to be assured of that.
For the last 6 months in Britain a huge barney has been going on about the right that theBritish security agencies have been insisting on to connect hard-wired listening devices to
every Internet service provider. The National Party Opposition wants to make it clear to the
Minister that we understand why this legislation is needed for the security of New Zealand,
and we respect the fact that warrants will be granted to the police and the Security
Intelligence Service as appropriate, but we want an assurance about the processes that will
be put in place to facilitate that. We will not support permanent, hard-wired listening
devices between Internet service providers and security agencies in this country. It is just too
risky.26
Mr Ryall had no problem with the obtaining of information where a properly authorised warrant had
been obtained but his concerns moved towards the technology of interception of messages at
Internet Service Provider level. There was nothing in SOP 85 that addressed that particular solution,
although it is possible that Mr Ryall considered it feasible. His concerns were to be prophetic for
precisely that capability was the subject of the Telecommunications (Interception Capability) Act
2004
Matt Robson MP made these observations, sounding a warning about the scope of powers that may
be given to surveillance agencies:
Other provisions of the bill, affecting the powers given to the Security Intelligence Service
and the Government Communications Security Bureau, in our view need very careful
consideration. The reason is that any type of secret intelligence agency with those powers
26 Ibid.
-
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
13/36
can, if they are used in an untrammelled way, cause great public mischief. So we, as a party,
have always been keen to make sure that the powers of any secret intelligence-gathering
agency are very carefully circumscribed, are authorised by the public authorities, and are
only available for the purpose of detecting any criminal mischief---not used for spying, or for
looking at people's legitimate political opinions.27
Thus the concerns of members were not so much about the proposed new offence of unauthorised
access to a computer system. In fact there was support for that. The concerns were for the limited
exemptions that appeared not only in s. 305ZFC and the provisions of the amendments to Part 9A
following upon the extension of a listening device to an interception device. Privacy of
communications, a capability for potential to abuse the system and the use of intercepted
communications possibly for political purposes were exercising the minds of Members at the time.
The quote at the beginning of this essay suggests that early in 2000, legislation for the GCSB was
contemplated. I suggest that the evidence surrounding the introduction of SOP 85 and the provisions
proposed in it lead to another conclusion. That conclusion is that as at 16 November 2000, such
legislation was not contemplated. My reasons for such a conclusion are these:1. No mention of any proposed legislation governing the GCSB was mentioned by any of the
speakers when SOP 85 was introduced.
2. When Keith Locke prosed his question to the Prime Minister on 2 November 2000 nomention was made by her in her reply of any proposed legislation governing the GCSB. If
such legislation had been in contemplation I would have thought it would be mentioned in
the answer. Instead the Prime Ministers answer reflected the terms of the qualified
exemption that appeared in s.305ZFC
3. The provisions of s. 305ZFC itself set out a process exempting GCSB employees from liabilityfor unauthorised access to computer systems. No mention is made of warrants. No mention
is made of any anticipated legislation. The process that is set out is reasonably clear. The
exemption applies to an employee of the GCSB who is discharging a duty as an employee tocollect foreign intelligence and is authorised in writing by the Minister for the GCSB. The
prerequisites are clear. S. 305ZFC then goes on to prescribe the circumstances whereby the
authorisation by the Minister in charge of the GCSB may be made. There had to be
consultation with the Minister of Foreign Affairs and Trade. The GCSB Minister had to be
satisfied that the target of the computer access was NOT a New Zealand citizen or person
ordinarily resident in New Zealand and that the target was a foreign organisation or person;
that access was necessary for the purposes of collecting foreign intelligence; that the value
of the information sought justified the access and that the information was not likely to be
obtained by other means. This is a fairly detailed prescription and would not have been so
detailed and specific, nor proposed as an amendment to the Crimes Act if the introduction
of legislation governing the GCSB had been contemplated.
Therefore, it is my conclusion that as at November 2000 the Government was content to allow the
GCSB to continue as it had before and that there was no GCSB specific legislation contemplated.28
However, it would later become necessary for some statutory framework to be put in place to
legitimise both the existence of the GCSB and the issue of search or interception warrants to it or its
employees. SOP 85 and the Crimes Amendment Bill No 6 were referred to the Law and Order Select
Committee which reported back on 18 July 2001. By that time the GCSB Bill had been introduced. So
27 Ibid.28
I say this on the basis of readily available public information. For the preparation of this essay I have notmade an Official Information Act enquiries nor have I had access to any policy documents that may have
suggested otherwise than what I have concluded.
-
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
14/36
we shall take a break from the chronology of the Crimes Amendment Bill (No. 6) and look at the
history of the GCSB.
The Government Communications Security Bureau Early HistorySince the Second World War, the New Zealand Government had a signals intelligence (SIGINT)capability. There was also a need to ensure that there was technical security (TECSEC) of
Government communications systems to prevent bugging and that its sensitive messages could
not be read by third parties (communications security, or COMSEC).
Until the establishment of the GCSB, these services were provided by bodies such as the
New Zealand Defence Force and the New Zealand Security Intelligence Service (NZSIS).29 In
1977, the then Prime Minister, Robert Muldoon, approved the formation of the GCSB, but its
functions and activities were kept secret.
In 1980 it was decided that the existence of the GCSB could be disclosed on a limited basis,
leading to the first briefings of the Cabinet and the Leader of the Opposition. These briefings
only acknowledged the GCSBs TECSEC and COMSEC functions, but not its SIGINT functions.
Prime Minister Muldoon publicly acknowledged the existence of the GCSB and its SIGINT
function in 1984.30
One of the most visible manifestations of the existence of the GCSB were the communications
facilities situated at Waihopai, distinguishable by the protective domes reminiscent of giant
puffballs.31 Another facility is operated at Tangimoana Station near Palmerston North.32
The GCSB BillThe GCSB Bill was introduced on 2 May 2001 and at the first reading of the Bill on 8 May
2001, Michael Cullen MP had this to say:
29 The functions now handled by the GCSB were split between three organisations:
- Communications security was the responsibility of the Communications Security Committee, basedaround the Prime Minister's office and the Ministry of Foreign Affairs.
- Signals intelligence was the responsibility of the Combined Signals Organisation, run by the military.- Anti-bugging measures were the responsibility of the Security Intelligence Service.
Government Communications Security Bureau Wikipedia
http://en.wikipedia.org/wiki/Government_Communications_Security_Bureau(last accessed 18 August 2013)30 History of the GCSB Government Communications Security Bureauhttp://www.gcsb.govt.nz/about-
us/history.html(last accessed 18 August 2013).31http://en.wikipedia.org/wiki/Waihopai_Station32Phil Goff MP made the following remarks when the GCSB Bill was introduced.
In its current form the Government Communications Security Bureau was set up back in 1977. In 1982 it
established a facility at Tangimoana, and that consolidated radio interception capability. In 1989 it opened up
a satellite communications interception station at Waihopai. Until now, over that 24-year period the
Government Communications Security Bureau has operated as a non-statutory organisation. Hansard 8 May
2001. See also the speech of Richard Worth MP at Hansard 25 March 2003 for a helpful background to the
GCSBhttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-
communications-security-bureau-bill-%E2%80%94-in-committee (last accessed 22 August 2013)See alsohttp://en.wikipedia.org/wiki/Tangimoana_Station(last accessed 22 August 2013)
http://en.wikipedia.org/wiki/Government_Communications_Security_Bureauhttp://en.wikipedia.org/wiki/Government_Communications_Security_Bureauhttp://www.gcsb.govt.nz/about-us/history.htmlhttp://www.gcsb.govt.nz/about-us/history.htmlhttp://www.gcsb.govt.nz/about-us/history.htmlhttp://www.gcsb.govt.nz/about-us/history.htmlhttp://en.wikipedia.org/wiki/Waihopai_Stationhttp://en.wikipedia.org/wiki/Waihopai_Stationhttp://en.wikipedia.org/wiki/Waihopai_Stationhttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://en.wikipedia.org/wiki/Tangimoana_Stationhttp://en.wikipedia.org/wiki/Tangimoana_Stationhttp://en.wikipedia.org/wiki/Tangimoana_Stationhttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://en.wikipedia.org/wiki/Waihopai_Stationhttp://www.gcsb.govt.nz/about-us/history.htmlhttp://www.gcsb.govt.nz/about-us/history.htmlhttp://en.wikipedia.org/wiki/Government_Communications_Security_Bureau -
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
15/36
Since its creation in 1977, the Government Communications Security Bureau has
been a non-statutory organisation. The New Zealand Security Intelligence Service, on
the other hand, has had its own empowering legislation for more than 30 years. The
New Zealand Security Intelligence Service Act of 1969 established the service, and,
through a series of amendments since that time, continues to define its functions,
delineate the scope of its authority, and make provision for the issue of the
interception of warrants. Oversight of the activities of the Government
Communications Security Bureau, however, was significantly enhanced in 1996 by
the passage of the Inspector-General of Intelligence and Security Act and the
Intelligence and Security Committee Act. The bill before the House today serves to
remove the distinction between the firm statutory footing on which the New
Zealand Security Intelligence Service exists and the less clearly defined position of
the Government Communications Security Bureau.33
. In the absence of a legislative framework for the Government Communications
Security Bureau, for example, some people wrongly infer that the bureau's signalsintelligence operations target the communications of New Zealand citizens, that the
Government Communications Security Bureau exists only as an extension of a much
larger overseas signals intelligence operation, and that the bureau's operations are
beyond the scope of parliamentary scrutiny.
I reiterate today that the Government Communications Security Bureau does not set
out to intercept the communications of New Zealand citizens or permanent residents.
Furthermore, the reports of the Inspector-General of Intelligence and Security have
made it clear that any allegations to the contrary are without foundation. The
inspector-general has reported his judgment that the operations of the bureau haveno adverse or improper impact on the privacy or personal security of New
Zealanders.
Notwithstanding such assurances, the perception has remained in some quarters
that the bureau has been insufficiently accountable, and that its operational scope
has been inadequately defined. This bill puts the position of the bureau beyond
doubt as a legitimate agency of Government.34
Jenny Shipley MP described the Bill as the last step in what had been a series of legislative
measures that have brought New Zealand's security and intelligence framework into a much
more public setting than has been the case historically. She suggested that protection by a
strong legislative framework would be reassuring to New Zealanders. She did want to give
some assurances from her side of the House and she said:
..that this bill is about foreigners, and not about New Zealanders. For example, if a
communication is to be intercepted on a New Zealand network, it can be done only if
an interception warrant is secured. Therefore, it is on the record that it has been
gone through properly with all the levels of scrutiny that are now available, and
reviewed in addition to that scrutiny.
33 Hansard 8 May 2001.34 Ibid. The emphasis is mine.
-
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
16/36
There is a review of the process in retrospect, so that we can be satisfied that there
are no loopholes. New Zealanders can be assured, far more than ever before, that
we now have a very, very thorough process. It should give them complete
confidence that their interests are not being undermined while their interest in
having an adequate external security is being satisfied.35
Richard Prebble MP echoed Mrs Shipleys comment that the Bill completed the legislative
framework underpinning New Zealand security services whilst at the same time stating that
security agencies should be subject to some parliamentary scrutiny wider than just
Ministers. In describing GCSB activities since 1970 he claimed:
Of course it was always lawful, but because it was not under a statutory framework
and did not have specific parliamentary scrutiny, it was possible for people to make
up the most fanciful explanations of what our Government bureau was doing.36
The purpose of the legislation, according to Mr Phil Goff MP, was to introduce transparency,clarity and accountability to the entire framework of New Zealands security arrangements.
The Security Intelligence Service Act 1969 had been in place for many years. Clearly, it was
time that the GCSB should be placed on the same footing. At the same time, Mr Goff felt the
need to emphasise the assurances that had been given by Mr Cullen and Mrs Shipley.
The Government Communications Security Bureau, of course, could continue to
operate on the same basis as it has, but this Government believes it is preferable
that security and intelligence agencies operate within a clear legislative framework
that prescribes their powers and sets out their accountabilities. That is the purpose
of this bill. In that sense, this bill is an important step towards greater transparency
in the work of security and intelligence agencies.
Oversight of the Government Communications Security Bureau has already been
significantly advanced by the passage back in 1996 of the Inspector-General of
Intelligence and Security Act and the Intelligence and Security Committee Act. Both
those pieces of legislation have been important in ensuring that there is oversight
and supervision of security agencies. The Act created the position of Inspector-
General of Intelligence and Security, which, by tradition, is filled by a retired High
Court or Court of Appeal judge.
This bill contributes to a clear public understanding of the work of the Government
Communications Security Bureau by setting out what its legitimate roles are. The
legislation specifies the bureau's objective and functions. It creates a regime for the
interception warrants to be issued, and, likewise, for computer access authorisations
to be issued. The objective of the agency is to contribute to New Zealand's security
and defence, its international and economic well-being, and its general conduct of
international relations. It does that quite simply and quite openly by providing
foreign intelligence, including the interception of foreign communications.
35 Ibid.36 Ibid.
-
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
17/36
Clause 4 is a key clause because it provides legislative protection for the rights of
ordinary New Zealanders. It specifies, for example, that the bureau may not take any
action for the purpose of intercepting the communications of a New Zealand citizen
or a permanent resident unless that person is acting in the capacity of a
representative or an agent of a foreign Government or organisation.
In particular, this legislation makes it clear that the bureau's signal intelligence
operations do not target the communications of New Zealand citizens. That is not
simply a matter of faith, it is confirmed annually in the reports of the Inspector-
General of Intelligence and Security. The Inspector-General also provides
oversight to ensure that the operations of the bureau do not have an adverse or an
improper effect on the privacy or personal security of New Zealanders, and each year
his obligation---his role---is to confirm that this is the case.37
The Bill was then referred to the Security and Intelligence Committee and came back
before the House for its second reading on 19 November 2002. In the meantime, theLaw and Order Committee reported back to the House on the Crimes Amendment Bill
No 6 on 18 July 2001, two months after the GCSB Bill was introduced.
Nothing was said about why it was necessary to introduce the Bill at this precise time
other than the rather general remarks to the effect that it introduced transparency and,
as Ms Shipley said was the last step in the series of legislative measures that have
brought New Zealand's security and intelligence framework into a much more public
setting. So what had changed between November 2000 and May 2001 that necessitated
the introduction of the GCSB Bill, and that meant that there had to be clarity,
transparency and accountability in its operations. In a word the Internet.
If one looks at the earlier operations of the GCSB it had conducted its operations mainly
through the satellite stations situated at Waihopai and Tangimoana. Their work as all
about wireless signals monitoring and interception. The Internet had changed all that.
Although there are many ways of connecting to the Internet essentially the basic
structure of the Internet is a hardwired backbone to which people connect. This, and the
nature of digital technologies and communications were paradigmatically different from
the systems with which the GCSB had earlier dealt.
New and enhanced surveillance and monitoring capabilities were introduced by the newparadigm. Tools such as Carnivore an e-mail monitoring system operated by the FBI
and Echelon an established signals intelligence and analysis programme operated by
the five signatory states to the UK USA Security agreement (of which New Zealand was a
signatory) were directly involved in data and intelligence analysis involving aspects of
the Internet. If New Zealand was to fulfil its obligations within the context of
international security protocols, the scope of GCSB operations would have to be
extended. Part of that involved accessing computers without the knowledge or
authorisation of the operator, but with some form of approval process akin to a warrant.
And in this respect there was a problem created by the new offence proposed in SOP 85
37 Ibid. Again, the emphasis is mine.
-
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
18/36
and in the proposed widening of the scope of privacy protections in Part 9A of the
Crimes Act. Clearly the proposed s. 305ZFA was seen as insufficient, together with a
desire to clarify the scope of GCSB powers. The widened opportunities for surveillance
introduced by the Internet meant that the powers of the GCSB had to be widened
commensurately. In addition, with widened opportunities for surveillance activity, the
lack of an accountable and transparent system might attract adverse comment from the
Inspector-General of Intelligence and Security.
Concern was also expressed from other quarters. Bruce Slane, the Privacy Commissioner
at the time made a detailed submission on SOP 85. In the course of that submission he
expressed his concern with the privacy implications associated with large-scale
electronic surveillance. He was especially concerned with the position of the GCSB and
said:
A precursor to GCSB having the benefit of an exemption from the prohibition on the
use of listening devices, should be to place the Bureau on a statutory footing; and
create a statutory warrant process for the Bureau to undertake any intrusive activityparticularly where that activity would, if performed by any other person, constitute a
breach of the law.38
It should also be noted that the fateful day of 11 September 2001 was still some months
away.
The Law and Order Committee Report on the Crimes Amendment Bill No 6 18 July2001In its report the Committee made reference to the provisions relating to exemptions for
state agencies to interception procedures observing concerns at the:
inclusion of qualified exemptions for State agencies from the unauthorised accessoffence, and the belief that there are insufficient safeguards or controls on these
agencies to warrant these exemptions being granted
proposed changes to the definitions of "private communication" and"interception device", and the effect this has on the scope of authorised
interceptions by agencies such as the police and the GCSB.39
The GCSB Bill received special mention. It was observed that the Bill contained an
authorisation process, a requirement for annual reports and oversight of interception
warrants and computer access authorisations by the Inspector General. It was unclear
whether or not the GCSB would be enacted before the amendments to the Crimes Act
and for that reason the Law and Order Committee recommended that the GCSB
exemption be retained. Without that the GCSB would be unable to intercept any private
38 Report by the Privacy Commissioner to the Minister of justice on Supplementary Order Paper No 85 to the
Crimes Amendment Bill (No 6) 13 December 2000 at para 3.2.4. For additional concerns and especially a
critique of s. 305FZA see para. 3.4.1 3.4.5.39 Crimes Amendment Bill (No 6) and Supplementary Order Paper No 85 Report of the Law and Order
Committee (House of Representatives, Wellington 18 July 2001) p.3.
-
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
19/36
communications in the interim which could pose a security risk to the country. However,
the Committee suggested that the authorisation process be tightened up.
We consider the following amendments will increase the level of transparency and
safeguards related to the exercise of the GCSBs interception operations, and will
also serve as interim measures between the enactment of this bill and the GCSB Bill.
Therefore, we recommend inserting the following authorisation requirements in
new clause 19, proposed new section 255
a written authorisation process
limitations to the term of an authorisation to no more than 12 months (subject to a
right of renewal)
irrelevant records must be destroyed.40
The Committee also went on to observe the interrelationship between computer access
and the offences against privacy.
We note that in exercising its functions in relation to intercepting "private
communications" the GCSB could, arguably, also be 'accessing a computer system'.This is because the definition of "computer system" includes "any communication
links between computers". The inclusion of the term "communication links" could
mean that in carrying out its interception functions the GCSB may also require an
authorisation for computer access for each intercepted communication, under the
unauthorised access offence.
Therefore, we consider a new subsection should be added in new clause 19,
proposed new section 255(4), which provides the GCSB with an exemption from the
unauthorised access offence to align it with its exemption from the interception
offence in clause 16B. This ensures that the GCSB is not at risk of committing thecomputer access offence when carrying out its interception operations, and would
have the same authorisation procedure for the same activity.
We recommend that new clause 19, proposed new section 255, be amended to
include an exemption for an employee of the GCSB when accessing communications
links between computers for purposes of foreign intelligence gathering.41
In terms of the exemption from an interception offence under Part 9A of the Act, the
Committee what the following to say within the context of intelligence gathering
capabilities as well as emphasising that the scope of those activities was restricted toforeign intelligence collection:
Under clause 16B(5), the GCSB is exempt from the offence in section 216B of the
Act that prohibits the use of listening devices to intercept private communications.
This in effect preserves the existing exemption held by the GCSB for its Waihopai
site, and extends the exemption to cover all interception devices operated by the
GCSB. This means that the exemption is no longer site specific.
Several submitters register concern about this exemption on the grounds that:
the GCSB does not have a statutory basis (discussed above)
40 Ibid. p.4.41 Ibid p. 4 -5.
-
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
20/36
the scope of communications the GCSB can lawfully seek to access or
intercept is unclear and too broad, because of the descriptions of the
terms "foreign organisation", "foreign person", and "foreign intelligence".
We consider the exemption in clause 16B (5) is necessary in order to preserve the
existing foreign intelligence collection capabilities, for which no warrant is required.
Placing the exemption in the statute will increase public transparency in relation to
the Waihopai facility and, by extending the exemption to the other sites operated by
the GCSB, will avoid the risk that they may have to cease operations in order to avoid
committing an offence.
We recognise there is concern about the specific scope of communications that the
GCSB can collect as part of their lawful operations. We consider some of these
concerns may be allayed by further clarifying the definition of "foreign organisation"
for the purposes of the GSCBs foreign intelligence collection. This definition is
consistent with the definition in the GCSB Bill. We recommend the definition in
clause 16A be amended as follows:"foreign organisation means-
( a) a Government of any country other than New Zealand; or
(b) an entity controlled by the Government of any country other than New
Zealand; or
( c) a company or body corporate that is incorporated outside New
Zealand; or
(d) a company within the meaning of the Companies Act 1993 that is, for the
purposes of the Companies Act 1993, a subsidiary of any company or body
corporate incorporated outside New Zealand; or
( e) an unincorporated body of persons consisting exclusively of foreignorganisations or foreign persons that carry on activities
wholly outside New Zealand; or
(f) an international organisation; or
(g) a person acting in his or her capacity as an agent or a representative of
any Government, body, or organisation referred to in any of paragraphs (a) to
(f)".42
One interesting reference was made to the concept of remote access searches. The issue
was whether or not a search of a computer system may be carried out without entry
onto the premises where the computer was held, and whether there was a power underthe Summary Proceedings Act to conduct a remote access search.
We do not consider the bill provides the police with additional powers but acts to
preserve existing ones. This clause assists in the interpretation of the concept of
"authorisation" in clause 19, new section 305ZF A, by putting it beyond doubt that
law enforcement agency accessing of a computer system pursuant to existing
statutory and common law powers is not unauthorised access.
42 Ibid. p. 7-8.
-
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
21/36
We note there is some debate about whether the current law allows the police to
conduct remote searches. However, we do not believe the bill is the appropriate
vehicle to extend or restrict police search powers. We consider that the current
review being undertaken by the Law Commission into police search powers
(including consideration of new technology and related privacy concerns) is more
appropriate.
The issue of remote access searches remained in legal limbo until 2012 and the enactment
of the Search and Surveillance Act 2012 which provides for remote access searches.
However, there is still some dispute between whether or not a remote access search as
described above and referred to be the Privacy Commission may be covered by a normal;
search warrant (applying the extended definition of a computer system which, according
to some includes the entire Internet) or by a remote access warrant.43
As far as the computer crimes offences were concerned, the Committee recommended that
the proposed offence of accessing a computer system without authorisation shouldproceed. A few minor changes were made to the existing sections but there were two
additional provisions that were recommended. The first was that in addition to the offences
set out in the section relating to damaging or interfering with computer systems, there
should be the addition of an offence of causing a computer system to fail or deny service to
an authorised user.
The Committee also recommended the addition of a new offence the making, selling or
distributing of software for committing crime.
Both of these recommendations went forward and were incorporated into the Bill and therewas a restructuring of the numbering of the provisions of the Bill so what emerged from the
Select Committee may be shown as follows:
Section Amendment
249 Interpretation covering definition particularly of
access and computer system.
250 Creation of a new offence of accessing a computer
system for a dishonest purpose.
251 The creation of a new offence of damaging orinterfering with a computer system.
252 The creation of a new offence of making, selling or
distributing or possessing software for committing
a crime.
253 Accessing a computer system without
authorisation.
43
This is a matter with which I have dealt in my examination of the cyber search provisions of the Search andSurveillance Act 2012.http://theitcountreyjustice.wordpress.com/2013/03/24/cybersearches-computer-and-
remote-access-searches/(last accessed 25 August 2013)
http://theitcountreyjustice.wordpress.com/2013/03/24/cybersearches-computer-and-remote-access-searches/http://theitcountreyjustice.wordpress.com/2013/03/24/cybersearches-computer-and-remote-access-searches/http://theitcountreyjustice.wordpress.com/2013/03/24/cybersearches-computer-and-remote-access-searches/http://theitcountreyjustice.wordpress.com/2013/03/24/cybersearches-computer-and-remote-access-searches/http://theitcountreyjustice.wordpress.com/2013/03/24/cybersearches-computer-and-remote-access-searches/http://theitcountreyjustice.wordpress.com/2013/03/24/cybersearches-computer-and-remote-access-searches/ -
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
22/36
254 A qualified exemption to access without
authorisation for the New Zealand Securities
Service.
255 A qualified exemption to access without
authorisation for the GovernmentCommunications Security Bureau.
It was not until 2003 that Parliament had another opportunity to consider and debate the
Committee Report. In the meantime there was further activity regarding the GCSB Bill. The
second reading debate resumed on 19 November 2002 and did not continue until 4 March
2003. The Bill received further consideration towards the end of March.
Keith Locke MP, a long-time opponent of the facility at Waihopai, expressed support for the
statutory recognition of an organisation that had for 25 years existed without statutory
foundation. He questioned whether the security of Government communications could notbe carried out by the New Zealand Police, expressing concern at the threat to privacy posed
by the GCSB. He said:
The main functions of the Government Communications Security Bureau are
purposesand these are the most expensive onesthat we should not
identify with. When we talk about communications security, the main facility
of the Government Communications Security Bureau is the Waihopai satellite
communications interception station near Blenheim..
Interception of communications, is very important. It is a considerable
invasion of our privacy when an agency like the Government
Communications Security Bureau is given the right to intercept electronic
communications, which we use so much these days, and, in tandem with the
Crimes Amendment Bill (No 6) and the Telecommunications (Interception
Capability) Bill, the powers to intercept electronic communications of all
types, plus the right to hack into peoples computersthat is, to access
peoples computers remotely, without them even knowing that that is
happening.44
Other members speaking commented upon the relationship of GCSB activities primarily in
regard to the privacy provisions contained in Part 9A of the Crimes Act. Mr Richard Worth
MP in particular made the following observation:
The first relates to the Crimes Act amendment that is set out in clause 26, and a
significant change to section 216B(2)(b) of the Crimes Act. Members opposite are
nodding quite clearly, because they have a close and sufficient familiarity with that
particular and very tricky provision. Section 216B is headed Prohibition on the use
of listening devices, and subsection (1) was itself amended in 1999. Basically, the
44
Hansard Debates 25 March 2003http://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-
%E2%80%94-in-committee(last accessed 22 March 2013).
http://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committee -
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
23/36
provision creates a term of imprisonment not exceeding 2 years for everyone who
intentionally intercepts any private communication by means of a listening device.
The particular change in clause 26 proposes to amend section 216B(2)(b) by inserting
after subparagraph (iii) a further subparagraph that the draughtsman has identified
as subparagraph (iii)(a). It contains the words: the Government Communications
Security Bureau Act 2001;. Members opposite will immediately be aware of the
huge significance of that change. That change is not necessarily the most significant
one, but it is certainly one worth commenting on.45
The Act was passed a few days later and received the assent of the Governor General on 1
April 2003. The concerns expressed by the Law and Order Committee regarding the
enactment of the GCSB Act had faded. There was now no longer the necessity for s. 305FZA
because the GCSB Act prescribed the circumstances where the GCSB could access
computers and intercept communication under warrant. So now the focus shifts to the final
stages of the Crimes Amendment Bill (No. 6)
Crimes Amendment Bill (No 6) June - July 2003The final stages of the passage of the Crimes Amendment Bill (No 6) came in June and July
2003. On 12 June 2003 the report of the Law and Order Committee was further considered,
Mr George Hawkins MP observing that the faster that the Bill progressed through the House
the better.46 There was further debate on 1 July 2003 with the final debate and third
reading on 4 July 2003. The new Act received Royal Assent on 7 July 2003 and commenced
on 1 October 2003.
On 12 June 2003 Brian Connell MP drew attention to the hacking provision introduced by
SOP 85, considering it important given the increasing reliance upon computer systems,
threats posed by terrorism and especially in the area of dishonesty and credit card fraud. He
closed by observing:
I raised the fact that this bill was first introduced in 1999. The world has moved on
quickly since then, and, moreover, it moves on more quickly in the area of e-
commerce and the computer world than in other areas. As a parting thought, I say
that this legislation, which I wholeheartedly support, needs to be frequently
reviewed in order to keep pace with the changing nature of the industry. There is no
point in dusting this legislation off and thinking that we have done our job as a
Parliament, if we do not continually look at it on a regular basis. My experience in
the industry suggests that every 2 or 3 years it would be appropriate to do that.47
Phil Goff MP observed that the passage of the GCSB Act meant that a number of provisions
in the Bill were no longer necessary.48
45 Ibid.46 Hansard 12 June 2003http://www.parliament.nz/en-
nz/pb/debates/debates/47HansD_20030612_00001129/crimes-amendment-bill-no-6-%E2%80%94-
consideration-of-report(last accessed 22 August 2003).47 Ibid.48 Ibid. He was clearly referring to the prescription contained in s.305ZFA.
http://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030612_00001129/crimes-amendment-bill-no-6-%E2%80%94-consideration-of-reporthttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030612_00001129/crimes-amendment-bill-no-6-%E2%80%94-consideration-of-reporthttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030612_00001129/crimes-amendment-bill-no-6-%E2%80%94-consideration-of-reporthttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030612_00001129/crimes-amendment-bill-no-6-%E2%80%94-consideration-of-reporthttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030612_00001129/crimes-amendment-bill-no-6-%E2%80%94-consideration-of-reporthttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030612_00001129/crimes-amendment-bill-no-6-%E2%80%94-consideration-of-reporthttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030612_00001129/crimes-amendment-bill-no-6-%E2%80%94-consideration-of-reporthttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030612_00001129/crimes-amendment-bill-no-6-%E2%80%94-consideration-of-report -
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
24/36
As the debate continued on 17 June 2003, Tony Ryall MP noted concerns that existed when
SOP 85 was introduced and the care that would be needed to ensure unwarranted
intrusions into the privacy of citizens did not occur.
There was considerable concern at the time the Supplementary Order Paper came
in that what was being proposed was a permanent attachment to the telephone
exchanges, with a continuous feed to the intelligence agencies, and only when the
intelligence agencies had a warrant would they actually turn that feed on and allow
them to monitor what was going on.49
Mark Alexander MP addressed the interrelationship between the Crimes Amendment Bill
and the passage of the GCSB Act.
I note the work of the select committee in examining this bill and the changes it has
made as far as ensuring that members of the Government Communications Security
Bureau and our other intelligence agencies will not be prosecuted under the bill for
the legitimate activities they can carry out in protecting national security and similar
matters. They are positive changes. One example is the recent GovernmentCommunications Security Bureau offshoot, the Centre for Critical Infrastructure
Protection, which I am led to believe is directed to protect our critical infrastructures
such as power grids, water supplies, and air travel, from Internet-based crime.50
On 1 July 2003, Keith Locke MP raised a matter of concern that the passage of the Crimes
Amendment Bill and the introduction of SOP 85 was a back-door move to increase the
ability for Government agencies such as the SIS and the GCSB to increase surveillance
activity.
Instead of improving our ability to apprehend lawbreakers, we are giving thoseagencies the ability to affect in some way our privacy, which is a right under the New
Zealand Bill of Rights Act that should be very much upheld in our society. No good
reason is given in this bill for doing that, and a lot of innocent people will get caught.
Members should think about how many emails they receive in a week and in a
yearit ends up being thousands and thousandsand if any one of the people who
send those emails is intercepted under these provisions, then a members
communications will also be intercepted and could end up being affected in that
way.
I accept that there has to be a balance, and sometimes we may give away, to some
extent, the hard-won right to privacy if there is a very clear community gain. That isthe real spirit of a crimes amendment bill, but no one gave any statistics or anecdotal
evidence to the Law and Order Committee through any stage of its consideration of
this bill to show that we would catch many extra criminals through giving the police
and the intelligence services that ability. We need such evidence if we are to give
away our privacy in that respect. This bill is about the Crimes Act and about catching
49 Hansard 17 June 2003http://www.parliament.nz/en-
nz/pb/debates/debates/47HansD_20030617_00001917/crimes-amendment-bill-no-6-%E2%80%94 (lastaccessed 22 August 2003).50 Ibid.
http://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030617_00001917/crimes-amendment-bill-no-6-%E2%80%94http://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030617_00001917/crimes-amendment-bill-no-6-%E2%80%94http://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030617_00001917/crimes-amendment-bill-no-6-%E2%80%94http://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030617_00001917/crimes-amendment-bill-no-6-%E2%80%94http://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030617_00001917/crimes-amendment-bill-no-6-%E2%80%94 -
8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.
25/36
criminals, and everyone knows that serious criminals can very easily avoid
interception using code, encryption, and those sorts of things.51
Ron Marks MP picked up the theme that the Bill seemed to focus more on surveillance than
on Crime. He said:
I
top related