Telecom blows whistle on Search and Surveillance Bill
Subscribe now for $100 (23 issues) and save more than 37% off the cover price!
Get the latest news from Computerworld delivered via email.
Sign up now
Telecom is warning that provisions in the Search and Surveillance Bill, now before a Parliamentary select committee, could amount to unwarranted surveillance.
The company says in its submission that, as currently written, an order for a telecommunications operator to produce the “call-related information” of a particular customer, could effectively become a licence for continuous surrender of voice-call content information.
Surveillance is supposed to be a different class of investigative activity, more strictly controlled than an order to produce a document.
The problem, which Telecom says is “an apparent unintended drafting issue”, occurs in the section of the bill covering production orders. A production order is intended as an adjunct to the search-warrant process, to cover cases where it is easier for the person against whom the order is made to locate the information than it is for a law enforcement officer to do so.
“However, under the bill as drafted, ‘content’ could include, amongst other things, voice call information,” Telecom says. “This is not information held by network operators and could only be provided on a near real-time basis.”
An order to provide such content “considerably extends the intended scope of the production order’s regime and circumvents provisions that are intended to cover surveillance,” the telco says.
Further, the technology necessary to provide such content would be “extremely costly”, Telecom says. It may be necessary to install a number of systems to satisfy the requirements of each
enforcement agency (and there are more than 20 agencies to which the legislation will apply). “Telecom estimates total cost to add a single law enforcement agency would be of the order of $1.5 million to $1.8 million per agency,” says the submission.
The issue could be addressed by tightening the definition of content “so that it is clear ‘content’ only includes information that the network operator holds or is reasonably able to retain over the duration of a production order and does not, for example, include voice-call content,” Telecom says.
Furthermore, the ability to demand production of call-related information should be limited only to those agencies that deal with serious offences, Telecom suggests.
The problem of search effectively becoming surveillance is also raised by Otago University security specialist Dr Hank Wolfe in the context of a controversial provision, which many submitters and commentators have read as allowing a broad power to access and read information remotely from computers through an internet link.
Earlier this year Computerworld discussed this provision – under Clause 101(4)(k) of the Bill – with the office of its sponsoring minister, Simon Power. Back then a spokeswoman said remote access is only intended to be used where data of interest is stored in a computer system that is not accessible to a physical search, or when such data is in imminent danger of deletion.
However, the bill as worded does not unambiguously impose those limitations, say legal experts. One lawyer who is unconvinced is Rick Shera, a prominent member of InternetNZ, who has presented select committee submissions for previous bills on the organisation’s behalf.
“I know you were assured by the Minister’s office that there was no intention to apply the remote access provision widely, but there is nothing in the bill as I read it that clearly says they can or they can’t,” he says.
InternetNZ did not make a submission on the Search and Surveillance Bill. “The main issues with this bill are privacy related,” says spokesman Jordan Carter. “InternetNZ broadly supports what the Privacy Commissioner’s office has said regarding the bill and the amendments they have proposed in their submission. We will be advising the MPs on the Committee of our support for those amendments.”
It would have been ideal for InternetNZ to make its own submission, but there are a lot of other issues on its plate and resources are limited, Carter adds.
Privacy Commissioner Marie Shroff went public last week with similar doubts that unless more tightly regulated, online searches could become “general trawling exercises”.
Otago University’s Wolfe says this is one of several areas where the bill displays inadequate controls over “specificity” of the search warrant.
He foresees information irrelevant to any alleged offence being invisibly explored.
The most effective way of getting at private information being exchanged by a computer user would be to access data in transit at the user’s ISP, under a warrant served on the ISP, he says. That would potentially put the data of other users of that ISP into what is legally known as “plain view”, entitling enforcement officers to act on anything they see that might indicate an offence.
When an on-premises search is conducted, Wolfe says, a single forensic “snapshot” of the computer’s storage is taken and this is digitally hashed to preserve its integrity. This would be difficult to do remotely, he says. Online search also opens the possibility of repeated accesses to the same machine, again blurring the line between search and surveillance.
Moreover, Wolfe says, remote search removes the right normally accorded to the target of a physical search to examine the warrant and be provided with a copy of it at the time the search is conducted.