Government proposal for telecommunications security legislation changes

Forums › ICT Policies and Regulation › Government proposal for telecommunications security legislation changes

1 | 2 | 3 | 4 | 5 | 6

juha

1317 posts

Uber Geek

Trusted

#815227 10-May-2013 13:08

SaltyNZ: I note that (24)(3)(b)(vi) on page 25 of the intercepts bill requires operators to decrypt any communications for which they have supplied the encryption service. So whilst this does not mean that (for example) Telecom could be held liable for not decrypting GMail, it would preclude a New Zealand company from providing a service such as SpiderOak, where the design is intended to prevent SpiderOak from being able to decrypt user data.

My reading of (24)(6)(a) - which could be wrong; I'm an engineer, not a lawyer - seems to imply they could instead hold Google liable to decrypt GMail as services are offered in New Zealand, although Google is not a New Zealand company.

That's what I am told as well - Skype too, although with the way it's apparently set up now, there's no need to decrypt anything for wiretaps.

Google does have an office in NZ but whether or not that brings it into our jurisdiction for the above I don't know.

--
Juha

Juha

SaltyNZ

8218 posts

Uber Geek

Trusted

2degrees

Lifetime subscriber

#815233 10-May-2013 13:12

That would be an interesting fight -- if I ran Google, I would give serious consideration to simply saying **** you to the NZ government and withdraw all services to New Zealand. The resulting public backlash would at the very least cause the laws to be shaken up, and possibly even topple a government. Beware of taking away the citizen's shiny...

Wouldn't work everywhere, but Google is probably at least on par with with NZ's GDP.

Luckily for all of you, I don't run Google.

iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.

gzt

17104 posts

Uber Geek

Lifetime subscriber

#815240 10-May-2013 13:30

juha:
gzt: That is not great reporting for the ITU. The article is not particularly accurate and the claims it makes about the Tuanz blog post it links to are mostly incorrect. The bill clearly indicates telcos are not required to break encryption:

A network operator must, in order to comply with subsection
(1)(c), decrypt a telecommunication on that operator’s public
telecommunications network or telecommunications service
if— (a)
the content of that telecommunication has been en-crypted; and
(b) the network operator intercepting the telecommunica-
tion has provided that encryption.

However, subsection (3) does not require a network operator
to—
(a) decrypt any telecommunication on that operator’s pub-
lic telecommunications network or telecommunications
service if the encryption has been provided by means of
a product that is—
(i) supplied by a person other than the operator and
is available on retail sale to the public; or
(ii) supplied by the operator as an agent for that prod-
uct; and
(b) ensure that a surveillance agency has the ability to de-
crypt any telecommunication.

Telecommunications Interception Capability and Security Bill

Edit: In summary, the bill does not require telcos to decrypt encryption that they have not provided. Yeah, that is still a valid concern for many reasons - but this is not the same as saying telcos are required to break "encyrption" [sic].

So you were there, when I spoke to the MBIE and asked them that question, straight up? They did not deny that breaking encryption was a requirement.

Second, the draft was not available at the time of writing.

Third, TICSA as proposed will rope in OTT operators - I have legal opinion on that. Try reading the the above more carefully; it's your comment that's inaccurate, not the story which quotes the actual government department that has drafted the law.

Fourth, you might want to consider what is happening elsewhere with these sorts of laws, in the United States for instance.

--
Juha

Most of the confusion occurred because I incorrectly assumed Freitasm was linking to a new article. This was not the case. It turns out the article itself was published on April 24th long before the text of the bill became available.

juha

1317 posts

Uber Geek

Trusted

#815244 10-May-2013 13:46

gzt:
Most of the confusion occurred because I incorrectly assumed Freitasm was linking to a new article. This was not the case. It turns out the article itself was published on April 24th long before the text of the bill became available.

The feedback I've had and seen from the industry is that there's confusion as to what exactly is expected with the new law.

That's probably not a good thing, and I'll continue to seek clarification on the details.

--
Juha

Juha

gzt

17104 posts

Uber Geek

Lifetime subscriber

#815278 10-May-2013 14:41

In addition to the above. Earlier I asserted that Juha's article in relation to the TUANZ blog post was inaccurate in a critical point of fact. I was incorrect about this. In reality it is only a minor typo the source of confusion.

The article quotes TUANZ saying: "somehow crack the security of Microsoft, Google, and Apple". A quick search of the TUANZ blog post does not find that quote. Because,

TUANZ in the blog says: "somehow crack the security of Microsoft, of Google, of Apple [...]".

This is in reality a trivial edit and not a factual error of any kind.

The article was published prior to the text of the bill and remains a valuable and insightful resource when understood in context. I look forward to seeing some of the implications briefly touched on there expanded in future articles.

SaltyNZ

8218 posts

Uber Geek

Trusted

2degrees

Lifetime subscriber

#815304 10-May-2013 15:32

Unless section 47 can be satisfied by a one-off email to the Director that says 'Please take it as read that something will be changing every night' I predict a useless full time job sending a constant stream of notices to the Director... Honestly, there are people here EVERY NIGHT changing things. Same with Vodafone, and I don't imagine any other operator will be any different.

iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1246209 25-Feb-2015 10:29

A very interesting post on TechLiberty showing how the TICSA legislation is slowing down New Zelaand innovation - affecting REANZ and Google projects.

Trying to do the same in NZ, but govt's TICSA legislation makes deploying SDN/NFV in backbone networks challenging http://t.co/91MUpxfOnw

— Steve Cotter (@SteveCotter) February 22, 2015

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

deadlyllama

1260 posts

Uber Geek

Trusted

#1246224 25-Feb-2015 11:01

freitasm: A very interesting post on TechLiberty showing how the TICSA legislation is slowing down New Zelaand innovation - affecting REANZ and Google projects.

Trying to do the same in NZ, but govt's TICSA legislation makes deploying SDN/NFV in backbone networks challenging http://t.co/91MUpxfOnw

— Steve Cotter (@SteveCotter) February 22, 2015

That's what TICSA gets you: the hidebound Enterprise IT model. Sure, you can buy an expensive product and consultants. If you're big, and have lots of money, that's what you'd do anyway. If you're not, and want to do something clever yourself, with open source software? "What's the country of origin of Linux?"

At some stage I need to work out if I'm subject to TICSA. I provide free wifi to my neighbours. Using network equipment from Latvia.

SaltyNZ

8218 posts

Uber Geek

Trusted

2degrees

Lifetime subscriber

#1246225 25-Feb-2015 11:04

deadlyllama:
At some stage I need to work out if I'm subject to TICSA. I provide free wifi to my neighbours. Using network equipment from Latvia.

IIRC from the wording of the act, then unless you have more than 4000 neighbours, no.

iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.

deadlyllama

1260 posts

Uber Geek

Trusted

#1246228 25-Feb-2015 11:07

SaltyNZ:
deadlyllama:
At some stage I need to work out if I'm subject to TICSA. I provide free wifi to my neighbours. Using network equipment from Latvia.

IIRC from the wording of the act, then unless you have more than 4000 neighbours, no.

Clearly it affects REANNZ, and they have nowhere near 4000 customers. I'd guess the number was closer to 40.

SaltyNZ

8218 posts

Uber Geek

Trusted

2degrees

Lifetime subscriber

#1246288 25-Feb-2015 12:21

deadlyllama:
Clearly it affects REANNZ, and they have nowhere near 4000 customers. I'd guess the number was closer to 40.

The wording of the act is vague (just one of its many problems). Section 13 clearly places any normal operator with less than 4000 customers in the lower level compliance category. However, there are other conditions that can put you back in the high level again. If your work has any national security implications as defined in other places, then even with less than 4000 customers you may still have to play by the big boys rules.

It's also possible that although they may only have 40 'customers' in terms of bills paid to them, the total number of end users might be higher. Finally, although they only have a few customers now, if they ever wish to produce something that could have a lot of customers, then they need to comply as if they were a large operator, or else they may flip the switch to open up services to the world, only to have the GCSB turn right around and flip it back off again because they were not consulted earlier.

iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.

deadlyllama

1260 posts

Uber Geek

Trusted

#1246305 25-Feb-2015 12:30

SaltyNZ:
deadlyllama:
Clearly it affects REANNZ, and they have nowhere near 4000 customers. I'd guess the number was closer to 40.

The wording of the act is vague (just one of its many problems). Section 13 clearly places any normal operator with less than 4000 customers in the lower level compliance category. However, there are other conditions that can put you back in the high level again. If your work has any national security implications as defined in other places, then even with less than 4000 customers you may still have to play by the big boys rules.

It's also possible that although they may only have 40 'customers' in terms of bills paid to them, the total number of end users might be higher. Finally, although they only have a few customers now, if they ever wish to produce something that could have a lot of customers, then they need to comply as if they were a large operator, or else they may flip the switch to open up services to the world, only to have the GCSB turn right around and flip it back off again because they were not consulted earlier.

I guess I'm safe then. Sucks for our research sector, though, but I guess SDN doesn't contribute to housing bubbles or make cows more efficient.

1 | 2 | 3 | 4 | 5 | 6