There’s been a lot of confusion in the media recently about how much the GCSB will be able to spy on New Zealanders when the GCSB Bill passes.

When even Peter Dunne gets it badly wrong in the “Ask Me Anything” article he did in the National Business Review (see q4 from Rick Shera), claiming that they could only spy on NZers on behalf of the Police/SIS/NZDF, we thought we should clear some things up by looking at the legislation.

Note: All references to the legislation are to the version reported back by the Intelligence and Security Committee combined with the changes in Mr Dunne’s SOP (PDF).

Spying on behalf

Firstly, everyone agrees that section 8C of the Bill will allow the GCSB to spy on New Zealanders on behalf of the SIS, Police or NZ Defence Force. This is the “giving assistance” part and it appears to be limited to only doing things that the original agency would have the legal authority to do.

Recent changes include more clarity about the GCSB’s assistance being subject to the originating agency’s oversight (e.g. the Independent Police Complaints Authority for work performed for the Police) and requiring any new agencies to be added by legislation rather than by an Order in Council.

GCSB spying on New Zealanders

The GCSB also has the power do its own spying on New Zealanders as part of its new cybersecurity purpose (defined in section 8A). “to do everything that is necessary or desirable to protect the security and integrity of the communications and information infrastructures”.

The main interception powers are granted by section 15A and this makes it very clear that both interception warrants and access authorisations can be granted for the GCSB to spy on New Zealanders under purpose 8A (cybersecurity).

Interception warrants vs access authorisations

It’s worth explaining the difference between interception warrants and access authorisations. An interception warrant (15A(1)(a)) is granted to spy on:

one or more specific people or a class of person

communications made in one or more specific places or classes of place

communications sent from or to overseas

An access authorisation (15A(1)(b)) allows the GCSB to access a particular or class of “information infrastructure” which is further defined as “electromagnetic emissions, communications systems and networks, information technology systems and networks, and any communications carried on, contained in, or relating to those emissions, systems, or networks”.

Therefore an interception warranted is targeted at a person or place (although the targeting can be very, very broad), whereas an access authorisation allows general access to all the information on a particular computer system, network or phone system, or a specified type of all of those systems.

The only difference between those granted for spying on foreigners and those for spying on New Zealanders, is that the ones targeting New Zealanders have to be signed off by the Commissioner of Security Warrants as well as the Prime Minister. The Commissioner is appointed by the Prime Minister.

Doesn’t section 14 stop the GCSB spying on New Zealanders?

The new section 14 only stops the GCSB from spying on New Zealanders for purpose 8B (intelligence gathering and analysis). It does not apply to any surveillance done in relation to cybersecurity (purpose 8A) or done on behalf of other agencies (purpose 8C).

The new section 15C does stop the GCSB deliberately intercepting privileged communications (e.g. to your lawyer). However, see note below about incidentally gained intelligence.

Warrantless spying?

Section 16 of the GCSB Act also allows certain forms of spying without a warrant or access authorisation. However, the bill adds section 16(1A) which says that this cannot be done for the purpose of intercepting the communications of New Zealanders. (See the notes below about metadata and incidentally gained intelligence.)

Putting it all together

So what does all this mean?

Most importantly it clearly shows that the GCSB can spy on New Zealanders for its own purposes without doing it on behalf of another agency.

We see that this has been deliberately set up to allow mass surveillance either now or in the future. For example, the GCSB could apply for an access authorisation for access to “New Zealand’s mobile networks” and, after being signed off by the Prime Minister and the Commissioner for Security Warrants, they could then use that access authorisation to collect all phone calls, texts and data sent over the mobile networks.

This collected information could then be analysed and the resulting intelligence given to the Minister and any person, whether in New Zealand or overseas, authorised by the Minister (section 8A(c)).

In theory this activity would have to be done as part of their purpose to “protect the security and integrity of the communications and information infrastructures” but we see that this could be interpreted rather widely.

Other issues

There are also a number of other issues around spying on New Zealanders that we haven’t directly addressed in this article:

Metadata – There are a number of places in the bill that put limits on intercepting “private communications”, but in the past the GCSB has interpreted that as only including the actual call, not the related data (e.g. when, who, how long, etc). Does this mean that the GCSB still thinks it can collect this metadata without a warrant or access authorisation? The bill is silent on this issue.

Incidentally gained intelligence – when the GCSB does collect information it shouldn’t, it can still use that information if it would help prevent or detect serious crime, save lives, or be useful for the security or defence of New Zealand. This is a fairly large loophole in many of the limitations in the Bill.

Access authorisation for the GCSB – section 14 prohibits the GCSB from intercepting NZers private communications for purpose 8B intelligence gathering but they can do so for purpose 8A cybersecurity. Could the GCSB then obtain an access authorisation for access to its own database of already intercepted cybersecurity data for intelligence gathering purposes?

Sharing data overseas – how much of this data can be shared overseas? There appear to be no limits other than that the Minister must approve who it is shared with.

Collecting data from overseas – can the GCSB get data from overseas agencies (e.g. the NSA) that it couldn’t legally intercept itself? Can it share data for the purpose of cybersecurity and then be given it back to be used for general intelligence?

What about data that New Zealanders store overseas? – are there different rules for information that New Zealanders store overseas with companies such as Google and Facebook?

Feedback and updates

Think we’ve got this wrong? Feel free to leave a comment with your interpretation. We’ll make any necessary corrections or additions as required.