Government proposal for telecommunications security legislation changes

Forums › ICT Policies and Regulation › Government proposal for telecommunications security legislation changes

1 | 2 | 3 | 4 | 5 | 6

17104 posts

Uber Geek

Lifetime subscriber

#814397 9-May-2013 11:40

1080p:
gzt:
1080p: It infringes on *none* of our personal liberties and simply clarifies the requirements for internet providers have the capability to comply with already legal wiretapping warrants.

Wrong. The government press releases are extremely misleading. The bill does way more than clarify wiretapping requirements for internet service providers.

Specifically?

Quoting the stated purpose and principles of the bill says nothing about the actual effect of the bill in the real world.

It will take me more than a day to answer your question in detail. But, expect an answer.

MikeB4

18435 posts

Uber Geek

ID Verified

Trusted

#814404 9-May-2013 11:48

Having a Statute(s) that cover this type of activity gives protection to a degree. It means that if those involved act outside the statues then there is legal recourse. If there is no governing statute(s) there is little legal recourse.

1080p

1332 posts

Uber Geek
Inactive user

#814409 9-May-2013 11:49

gzt:
1080p:
gzt:
1080p: It infringes on *none* of our personal liberties and simply clarifies the requirements for internet providers have the capability to comply with already legal wiretapping warrants.

Wrong. The government press releases are extremely misleading. The bill does way more than clarify wiretapping requirements for internet service providers.

Specifically?

It will take me more than a day to answer your question in detail.

Quoting the stated purpose and principles of the bill says nothing about the actual effect of the bill in the real world.

Because the effects it may have would literally take more than a day to describe or because you haven't actually taken a look at the legislation?

Sure, I understand that the intentions of the bill do not directly translate in to real world effects but nothing in the legislation provides any reasonable doubt that the bill will do more than it intends to.

From my first reading:

1) Network operators must be able to assist (be accessible, provide decryption where able) $GOVT in all lawful interception requests.

2) Network operators must notify when security breaches are detected.

3) Network operators must register and in certain circumstances provide an employee suitable for a security clearance.

Even a hint as to how this legislation could be abused would be nice before I begin a second reading.

gzt

17104 posts

Uber Geek

Lifetime subscriber

#814455 9-May-2013 12:44

KiwiNZ: Having a Statute(s) that cover this type of activity gives protection to a degree. It means that if those involved act outside the statues then there is legal recourse. If there is no governing statute(s) there is little legal recourse.

I agree that statutes and oversight are absolutely necessary to govern this activity.

At this time only one of the many cases of GCSB's illegal activity are known, and this occurred only because the target was charged with an offence and because the target could a afford a lawyer canny enough to expose GCSB's illegal involvement. The Prime Minister authorised this illegal action. Regardless of the ongoing court drama, the action authorised was illegal.

SaltyNZ

8218 posts

Uber Geek

Trusted

2degrees

Lifetime subscriber

#814463 9-May-2013 12:53

KiwiNZ: Having a Statute(s) that cover this type of activity gives protection to a degree. It means that if those involved act outside the statues then there is legal recourse. If there is no governing statute(s) there is little legal recourse.

So I guess we should expect the minister responsible for oversight of GCSB up before the courts on criminal charges for knowingly authorising illegal action shortly.

<Crickets>

Yeah, I didn't think so. :-(

iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.

MikeB4

18435 posts

Uber Geek

ID Verified

Trusted

#814474 9-May-2013 13:10

SaltyNZ:
KiwiNZ: Having a Statute(s) that cover this type of activity gives protection to a degree. It means that if those involved act outside the statues then there is legal recourse. If there is no governing statute(s) there is little legal recourse.

So I guess we should expect the minister responsible for oversight of GCSB up before the courts on criminal charges for knowingly authorising illegal action shortly.

<Crickets>

Yeah, I didn't think so. :-(

Under the Westminster system that NZ government is based the Minister should resign, but yeah that won't happen, he will have a brain fade and forget Westminster.

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#815071 10-May-2013 10:36

NZ telcos face new obligations under interception law

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

gzt

17104 posts

Uber Geek

Lifetime subscriber

#815079 10-May-2013 10:49

That is not great reporting for the ITU. The article is not particularly accurate and the claims it makes about the Tuanz blog post it links to are mostly incorrect. The bill clearly indicates telcos are not required to break encryption:

A network operator must, in order to comply with subsection
(1)(c), decrypt a telecommunication on that operator’s public
telecommunications network or telecommunications service
if— (a)
the content of that telecommunication has been en-crypted; and
(b) the network operator intercepting the telecommunica-
tion has provided that encryption.

However, subsection (3) does not require a network operator
to—
(a) decrypt any telecommunication on that operator’s pub-
lic telecommunications network or telecommunications
service if the encryption has been provided by means of
a product that is—
(i) supplied by a person other than the operator and
is available on retail sale to the public; or
(ii) supplied by the operator as an agent for that prod-
uct; and
(b) ensure that a surveillance agency has the ability to de-
crypt any telecommunication.

Telecommunications Interception Capability and Security Bill

Edit: In summary, the bill does not require telcos to decrypt encryption that they have not provided. Yeah, that is still a valid concern for many reasons - but this is not the same as saying telcos are required to break "encyrption" [sic].

1080p

1332 posts

Uber Geek
Inactive user

#815189 10-May-2013 12:16

Come on juha...

"The Telecommunications Users' Association of New Zealand has suggested the new act would force telcos, cloud and over the top providers to break encryption for communications."

This does not seem true at all from reading the linked article which states:

"...they certainly can't crack that encryption to see what's going on."

Poor indeed. :/

MikeB4

18435 posts

Uber Geek

ID Verified

Trusted

#815197 10-May-2013 12:25

This will a further example of poor legislation that will be very hard to administer and will eventually be rewritten.

SaltyNZ

8218 posts

Uber Geek

Trusted

2degrees

Lifetime subscriber

#815200 10-May-2013 12:27

KiwiNZ: This will a further example of poor legislation that will be very hard to administer and will eventually be rewritten if we are lucky and someone who is a multi-millionaire Robin Hood character is affected by it, and manages to find out.

//FTFY

iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.

juha

1317 posts

Uber Geek

Trusted

#815215 10-May-2013 12:42

gzt: That is not great reporting for the ITU. The article is not particularly accurate and the claims it makes about the Tuanz blog post it links to are mostly incorrect. The bill clearly indicates telcos are not required to break encryption:

A network operator must, in order to comply with subsection
(1)(c), decrypt a telecommunication on that operator’s public
telecommunications network or telecommunications service
if— (a)
the content of that telecommunication has been en-crypted; and
(b) the network operator intercepting the telecommunica-
tion has provided that encryption.

However, subsection (3) does not require a network operator
to—
(a) decrypt any telecommunication on that operator’s pub-
lic telecommunications network or telecommunications
service if the encryption has been provided by means of
a product that is—
(i) supplied by a person other than the operator and
is available on retail sale to the public; or
(ii) supplied by the operator as an agent for that prod-
uct; and
(b) ensure that a surveillance agency has the ability to de-
crypt any telecommunication.

Telecommunications Interception Capability and Security Bill

Edit: In summary, the bill does not require telcos to decrypt encryption that they have not provided. Yeah, that is still a valid concern for many reasons - but this is not the same as saying telcos are required to break "encyrption" [sic].

So you were there, when I spoke to the MBIE and asked them that question, straight up? They did not deny that breaking encryption was a requirement.

Second, the draft was not available at the time of writing.

Third, TICSA as proposed will rope in OTT operators - I have legal opinion on that. Try reading the the above more carefully; it's your comment that's inaccurate, not the story which quotes the actual government department that has drafted the law.

Fourth, you might want to consider what is happening elsewhere with these sorts of laws, in the United States for instance.

--
Juha

Juha

gzt

17104 posts

Uber Geek

Lifetime subscriber

#815216 10-May-2013 12:44

1080p: Come on juha...

1080p, I'd be wary of attributing that debacle entirely to Saarinen. The post the article links to is three weeks old, and the article itself may have been written before the text of the bill was available. It is common for editors to publish old stuff they have on file just because it seems relevant now, without checking if it still is.

Edit: Just seen post above. Will respond.

juha

1317 posts

Uber Geek

Trusted

#815220 10-May-2013 12:53

gzt: It is common for editors to publish old stuff they have on file just because it seems relevant now, without checking if it still is.

No, it's not.

Juha

SaltyNZ

8218 posts

Uber Geek

Trusted

2degrees

Lifetime subscriber

#815226 10-May-2013 13:05

I note that (24)(3)(b)(vi) on page 25 of the intercepts bill requires operators to decrypt any communications for which they have supplied the encryption service. So whilst this does not mean that (for example) Telecom could be held liable for not decrypting GMail, it would preclude a New Zealand company from providing a service such as SpiderOak, where the design is intended to prevent SpiderOak from being able to decrypt user data.

My reading of (24)(6)(a) - which could be wrong; I'm an engineer, not a lawyer - seems to imply they could instead hold Google liable to decrypt GMail as services are offered in New Zealand, although Google is not a New Zealand company. EDIT: Likewise this would apply to Dropbox or SpiderOak, although I do not see how they would go about enforcing it, at least not in a reasonable time frame.

iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.

1 | 2 | 3 | 4 | 5 | 6