New Zealand Spy Agency To Vet Network Builds, Provider Staff

Bismillah (993337) writes "The new Telecommunications (Interception Capability and Security) Act of 2013 is in effect in New Zealand and brings in several drastic changes for ISPs, telcos and service providers. One of the country's spy agencies, the GCSB, gets to decide on network equipment procurement and design decisions (PDF), plus operators have to register with the police and obtain security clearance for some staff. Somewhat illogically, the NZ government pushed through the law combining mandated communications interception capabilities for law enforcement, with undefined network security requirements as decided by the GCSB. All network operators are subject to the new law, including local providers as well as the likes of Facebook, Google, Microsoft, who have opposed it, saying the new statutes clash with overseas privacy legislation."

Not Illogical

[EmperorArthur]

It's not illogical at all. You just mandate that all traffic goes through a room controlled by the government for "Lawful Intercept." That way you can say that it's done for law enforcement, but the reality is they're emulating the USA and keeping everything while also MITMing anything they feel like.

Re:Not Illogical

[Travis+Mansbridge]

NZ is one of the "Five Eyes" in the ECHELON group, also sometimes referred to as AUSCANNZUKUS for Australia, Canada, New Zealand, UK and US. It's likely that they don't just emulate the USA and keep the info, they most likely turn it right over to the NSA and their counterparts in those countries.

Re:Not Illogical

[Jack+Griffin]

Facebook, Google and Microsoft have opposed it because it the GCSB is getting in on their game. I used to live in NZ. Despite the Kim Dotcom saga, the govt there is still to be less feared than the American Big Data industry. If you ever get the chance to see the locally produced Cops show 'Motorway Patrol', you will see the usual fears of govt and law enforcement don't apply in this place. I believe NZ is currently rated the least corrupt country on Earth.

Re:Not Illogical

[viperidaenz]

Americans don't speak English.

Re:Not Illogical

[master5o1]

Oz Can Suck Us is what I read every time.

Re:Not Illogical

[AK+Marc]

but the reality is they're emulating the USA and keeping everything while also MITMing anything they feel like.

The lawful intercept for the fibre connections is MITM-proof. Unless they are going to make Chorus spend billions re-doing the network, the "read only" taps will be useless for MITM attacks.

When they routed Kim Dotcom's traffic through the government MITM servers just before the raid (illegally at the time) the hit in performance was enough that it was noticeable and traced.

The government just isn't that smart.

As an immigrant...

[DigMarx]

I have permanent residency (and thus voting rights), and I think tha**THE GOVERNMENT OF NEW ZEALAND IS DOING THE RIGHT THING**his is a load o**JOHN KEY IS A GREAT MAN**ollocks.

What I can't understand is...

[Kittenman]

... why NZ is seen as a hot bed of terrorism, naughtiness and general mayhem. The lead item on the news last night was a political hopeful having to pay back about $350 after claiming on a flight for a friend. Wow. This isn't a country where much happens.

Re:What I can't understand is...

[ASDFnz]

Most likely they are getting strong armed by the USA or the EU.

It is the US, ever since 9/11 the US has mandated a pile of legislation changes that their trading partners must make.

With any luck NZ will make the changes and then never enforce them.

Re:What I can't understand is...

[PPH]

This isn't a country where much happens.

Are you kidding? There are orcs everywhere!

Just start referring to the GCSB as the Eye of Sauron and be done with it.

Re:What I can't understand is...

[interkin3tic]

Why is terrorism seen as such a threat in the US? According to this, 2600 americans were injured by air fresheners in 1996. Here's a list of injuries and deaths due to terrorism. If 96 was a good indication, it looks like air fresheners are BY FAR the bigger threat.

Politicians, law enforcement, and media sell fear. That's the real reason why NZ is ramping up anti-terrorism.

I'd really like to see a law requiring citizens to take a low dose of anti-anxiety medication. Everyone over the age of 16. We'd colonize mars by 2030, cure cancer, solve climate change, prevent overpopulation, and end most violent crime if we would just stop wasting so much fucking time, energy, and tax dollars in stupid illogical fear.

And yes, I have seen "Serenity" and I'm willing to risk it.

Trouble with other countrys' standards

[davecb]

If you have to have software that's designed to meet a required lowness of confidentiality, you'll be the only country writing it. You probably won't trust another tin-pot country's software, and will have to keep doing it all yourself.

Vendors want to sell software that meets the highest standards, so they can sell it into lots of countries, not write individual specials for every tin-pot dictator on the planet.

Image how much fun it will be, trying to write your own routers, your own google, your own facebook, etc, etc. All so you can lower the quality.

Re:As a father I do understand this...

[viperidaenz]

Her tits are covered....

Majority Rules

[Frosty+Piss]

As with the United States and Australia, the people of New Zealand (and other democracies and democratic republics) elect their government and thus have control over their politics.

One must assume that in all of these places, the majority agree with these policies.

Shocking? To me, but apparently, I'm not in the majority.

Re:Majority Rules

[Opportunist]

As long as corporations decide who we get to vote for, it doesn't matter who you vote for.

Re:Majority Rules

[mudshark]

You don't know much about NZ government, then. So much for those assumptions of yours.

The TICS legislation was introduced as an exercise in ass-covering along with another bill which made illegal electronic surveillance performed by the GCSB "lawful" ex post facto. Both bills were overwhelmingly unpopular and submissions from the public and interest groups were practically unanimous against.

Several opinion polls have indicated that the majority of the NZ population disagree (many vehemently) with their government on these laws, and when they passed it was only with a one-vote majority in the Parliament courtesy of an MP who is the sole representative of his minor party (who himself only got into office because of a pre-election backroom deal with the National party). The best part of all this is that this deciding MP was himself under suspicion of leaking internal documents about illegal conduct by the GCSB, and that his email and that of the journalist he was corresponding with were snooped on in the process.

For a tiny little island nation we sure do have more than our fair share of idiot politicians and inept law enforcement. Not to mention a system of government whose relationship with democracy grows more tenuous by the year and which resembles a bunch of nice ideas thrown together without any guarantees, such as an immutable and entrenched Bill of Rights. The GCSB and TICS legislation have done considerable harm to the notion of privacy as a basic human right in this country with dragnet surveillance and full feed-through to the NSA of whatever gets picked up.

When Jefferson said...

[Opportunist]

When Jefferson said "Where governments are afraid of the people, there is freedom" he obviously didn't take into account the possibility that governments could preemptively terrorize its people to avoid having to be scared of them.

Re:So what?

[Opportunist]

User privacy? Fuck that, they're afraid of a loss of revenue. Why pay them for it when you can get the info yourself?

Not compulsary.

[BlakJak-ZL1VMF]

There's no obligation for ISP's to have staff go through security clearances - in fact plenty wont pass the requirements (citizenship/residency for >10 years). ISP's can nominate staff to be vetted and those that're vetted, can be given more background as to why some information is being sought or why a particular issue is being flagged.
Important to note that the GCSB focus here is 'national security' and this isn't quite the same as lawful intercept for other purposes.

Security Clearance Requirement Explained

[BlakJak-ZL1VMF]

The guidance document as published at http://ncsc.govt.nz/assets/TICSA/NCSC-Guidance-for-Network-Operators.pdf states:

> To assist the GCSB and network operators to work together on network security risks, network operators
> may nominate a suitable employee (or employees) to apply for a SECRET level GCSB sponsored security
> clearance.
> Network operators may also, upon request, be required to nominate an individual for security clearance
> (section 75).
> Having cleared staff within network operators allows the GCSB to share certain information about network
> security risks that is classified. While these individuals cannot pass classified information to un-cleared
> colleagues, they will be able to give informed guidance on identifying and addressing network security
> risks.
> If a network operator does not have cleared staff, the GCSB will still seek to engage with them, and share
> what information it can about network security risks.

The legislation itself states:

A network operator must, within 10 working days _after being required to do so_ under subsection (2), (3), or (4),—

        (a) nominate a suitable employee to apply for a secret-level government-sponsored security clearance (a clearance); and

        (b) notify the employee of the nomination; and

        (c) give written notice of the name and contact details of that employee to the Registrar.

- so the vetting obligation isn't an obligation until the Network Operator is 'required'. The rationale for putting staff up for vetting seems sound, but as you can see from the last part of the quote from the guidance, they can still work with service providers that don't have cleared staff.