The proposed law in the Bill builds on the current regime so that many Telcos will have similar obligations, along with additional requirements. But some –such as wholesalers and dark fibre providers – will now start with reduced responsibilities. Also, it’s made clear that providers can subcontract and collaborate as to compliance. Some significant things don’t change, such as the current extent of decryption obligations.
Application of the Act in relation to foreign service providers and network operators is emphasised. There’ll be more providers to which the law applies than a standard telco.
Given the explicit international coverage of the Act, plus the width of what is a network operator and, beyond that, what is a service operator, many suppliers will need to consider where they stand in terms of obligations. The scope certainly goes beyond applying to the more traditional type of telco.
We’ve dealt with the proposed new right for the GCSB Minister to require a Telco not to implement or configure in certain ways at “Proposed GSCB powers to control Telcos’ network choices”.1 This piece deals with the changes to the existing interception capability regime. To be noted too is that, like the earlier legislation, this new Act would not set out the basis on which surveillance agencies can intercept: warrants, etc are dealt with in separate legislation, such as the GCSB Act, for which an amending Bill has been released.
Four levels of interception capability
The new regime will carry forward the current obligations as “full interception capability”: they remain largely the same, with some significant refinements. Added is the ability for the Minister to require information to be provided in specified usable format. Most Telcos have the “full interception capability” obligation.
Added will be three reduced levels of obligation, below full interception capability, so that network operators are allocated to one of the four levels :
- “Interception ready”: essentially the network operator needs to have predeployed access points, bandwidth and interfaces to enable interception should that be requested. This is the initial level of obligation applicable to small Telcos (less than 4,000 customers).
- “Interception accessible”: Telco must be willing and able to provide access to intercept, including availability of co-located space or backhaul to a place where relevant equipment can be housed. This applies to wholesalers as noted below.
- Nil obligation. This is the initial position for “infrastructure-level services” (defined as dark fibre and similar services (but not Layer 2 services such as Chorus and FX Layer 2 services)) save that they must report the names of their customers to a newly reported Registrar of network operators (including giving advance notice of new customers).
Network operators in relation to their networks provided at wholesale initially only have to be “interception accessible”. But this carve-out does not apply to:
- Wholesale network services supplied to, or by, overseas-based network operators;
- Purely resold telco services (that is, wholesale services resold by the Telco customer without technical modification to the service).
Given many Telcos supply at both wholesale and retail, there are demarcation issues to resolve.
Minister can require greater compliance beyond the three reduced levels
The Minister, where requested by a surveillance agency (such as the Police, SIS or GCSB) can up the required level of compliance from one of the lower three levels to one of the higher levels. In deciding what direction to give, the Minister must take into account matters such as security needs (which is stated to be the main concern), cost of compliance, the impact on competition in Telco markets, etc.
As well as the path of the Minister giving a direction, Government has an overlapping path to the same outcome via regulation.
Collaboration and sub-contracting
Wholesalers can charge others where they provide relevant interception services to their Telco customers. Network operators can also share and coordinate their approach but they need to keep the Director of GCSB in the loop. (This confirms an efficient approach).
Act extends beyond “network operators” to cover “service providers” too
The primary obligations are on what are defined as network operators. There is a relatively wide definition of network operators, beyond what is traditionally regarded as a telco. But, in addition, the Act has a category called “service providers”. Service providers end up having overlapping obligations if the Minister so decides (at one of the levels noted at the outset of this article). There’s a process for this to be done by the Minister.
Service providers include those that provide “telecommunication services” to end-users (over and above services provided by network operators. “Telecommunications services” are widely defined, to include “any goods, services, equipment, and facilities that enable or facilitate telecommunication”.
Resold international telecommunications services
The Minister can also direct that a network operator cannot provide “telecommunications services” supplied from outside NZ and resold by that network operator in NZ, if there are significant security or law enforcement risks (such services cover more than the “purely resold” category noted above). As outlined above, “telecommunications services” is very wide. Most NZ network operators rely heavily on, picking up the definition, overseas “goods, services, equipment, and facilities that enable or facilitate telecommunication”. When are they “resold” or otherwise?
Register of network operators and other compliance issues
- Each network operator must provide details to the Police for use by surveillance agencies, to be put in a register.
- Police appoint “designated officers” to facilitate dealings under the Act.
- The Bill anticipates that each network operator will have a secret-level securitycleared employee to deal with issues under the Act.
- The GCSB Director and “designated officers” can require the network operators (and service providers within scope) to provide information.
- Exemptions can be granted.
- There’s a compliance testing regime, plus a regime by which the operator certifies compliance via its CEO.
- The enforcement regime is tweaked to allow for a graduated response.
- There’s a regime by which evidence in court in relation to matters affected by this Act can be withheld from a party, its lawyer, press and/or the public, if the Attorney-General so requests and the Court so confirms. The s27 Crown Proceedings Act allowing information to be withheld by certificate from the PM is retained, however.
- There is a provision for a special advocate to be appointed to look after a party’s interests. This reflects the approach taken by the Chief High Court judge in the Dotcom case. While there clearly are safeguards in this regime and it may be that the balance is appropriate, the interface with human rights may call for close review. That leading legal source used often by lawyers – Wikipedia – describes Kafka’s famous book, The Trial, as telling “the story of a man arrested and prosecuted by a remote, inaccessible authority, with the nature of his crime revealed to neither him nor the reader”. The question is whether the balance is right in this Bill including retention of provisions such as s27 Crown Proceedings Act.
- But maybe the enforcement rights under this Act don’t raise as acutely the human rights issues applicable to the Zaoui’s and Dotcom’s of this world, and the balance is OK in this context?
Given the explicit international coverage of the Act, plus the width of what is a network operator and, beyond that, what is a service operator, many suppliers will need to consider where they stand in terms of obligations. The scope certainly goes beyond the more traditional type of telco model.