Speedread

The GCSB Director’s press release on the Inspector-General’s apparent clearance of its activities is alarming:

  • His description of that clearance by the Inspector-General is contradictory;
  • The only report on this is by the monitored party and not by the monitor, in circumstances where not disclosing relevant parts of the monitor’s report cannot be justified by confidentiality needs;
  • GCSB claim that application of the GCSB Act is uncertain. The example the Director gives as uncertain seems decidedly clear, and not uncertain (and the other facets of the Act aren’t uncertain either);
  • The press release reports only compliance with the GCSB Act, with no reference as to whether there is investigation as to whether there are offences under the Crimes Act, particularly as to computer crimes and personal privacy interception provisions. Investigation by the Police as to whether there have been Crimes Act offences should be done by an independent and strong team;
  • The Rebecca Kitteridge report on the GCSB is valuable reading in this area, including for highlighting how important the work of GCSB is, where, because of its covert nature, only the bad stuff tends to emerge. Those on both sides of the debate (civil libertarians and hawks) should look to it for the balance. It is simply not enough to fly the civil liberties flag alone or to allow substantial discretion.
  • But there are now substantial signs that there are major problems at GCSB under the bonnet. As GCSB can get it so wrong where the issue is in the above-sea part of the iceberg, where scrutiny is possible, and where there is so much focus on what GCSB is doing, there are signs things may be badly wrong below the secret sea level.

The article below was first published in NBR Online on 25 May.

The GCSB director’s May 21 press release,1 stating “The Inspector-General formed a view that there have been no breaches” of the GCSB Act is alarming.

Inspector-General (I-G) of Intelligence and Security Paul Neazor’s report assessed the legality of GCSB surveillance of 88 New Zealand residents, first uncovered by the Kitteridge report. The Neazor report has not being made public; we only have the GCSB director’s press release to go on.

The release is alarming for what it says and for what it doesn’t say. It’s so alarming that there are now substantial signs there may be major problems in the GCSB iceberg below sea level that call for radical action.

If the GCSB can get it so wrong where there is some public scrutiny, what is happening elsewhere at the spy agency? That is ominous. The director attributes two different conclusions to I-G Paul Neazor. Having said the I-G found “no breaches”, he then says that “there were arguably no breaches, and the law is unclear”.

One of those two statements may be correct but they cannot both be correct (unless the I-G made a mistake, and that would be concerning anyway).

Is neither correct? That is reason enough to be concerned about what is happening here. This is important to get right. Given what is involved here, this is no mere nit-picking, and anyone who says so misses the point about just how important this area is in our society.

If there’s such basic error in a no-doubt carefully considered press release, what is happening secretly under the bonnet, where there isn’t vetting?

And why is the Director of the agency under review releasing his view on the I-G’s conclusions, and not the I-G: apparently the I-G’s report is not being released.

It’s beyond me why there is said to be so much uncertainty in interpreting the GCSB Act when that seems relatively straightforward (applying simple reading of the Act and/or using standard modern interpretation principles including as to purpose and context).

Pick up the example used by the Director in his press release to see what I mean:

Mr Fletcher says the Inspector-General is of the view that the interpretation of “communication of a person” is one of the issues where there are uncertainties in the interpretation of the GCSB Act, when it comes to metadata.

An example of metadata is the information on a telephone bill such as the time and duration of a phone call, but not the content of the conversation or identification of the people using the phone.

There are two obvious problems with this:

  1. Communication” has a definition in the Act that extends beyond the normal meaning of “communication”:

communication includes signs, signals, impulses, writing, images, sounds, or data that a person or machine produces, sends, receives, processes, or holds in any medium

How can that be interpreted in any way other than including data as to the time and duration of the call? The “communication” definition is very wide (it’s hard to think of anything remotely relevant that wouldn’t be included).

That conclusion is rammed home by the fact that the definition includes not only things that a person or machine “sends, receives” but includes what it “produces…processes or holds”. Explicitly something doesn’t have to be sent or received (ie communicated in the normal sense) to be “communication”.

It can simply be something a party “holds” (such as date and time information if that isn’t sent or received). “[T]ime and duration of a phone call” (ie, “communication” as defined) is “communication of a person”. Why is there uncertainty on what seems so simple and clear? It would be good to hear an explanation.

  1. Why has the Director chosen only the time and duration of a phone call as the example of metadata, and not included the key associated metadata used by intelligence agencies, namely, the contact address (phone number, email and IP address etc) of the sender and receiver (all of which is sent and received by the way so it is communicated in a normal sense), plus the names of the sender and receiver. There seems to be a spin away from what is really and obviously important. An intelligence agency would never track only time and duration alone (in fact it couldn’t do that) and it is the other metadata that has real sensitivities for the parties involved. Why in a carefully crafted press release does the Director downplay this?

While I am struggling to understand why this and other aspects of the Act cause interpretation difficulties, we haven’t seen the I-G’s and GCSB’s analysis to comment upon and of course there will be multiple fact scenarios.

No doubt some of the more than 80 scenarios will give rise to uncertainty, but I can see no reason - without knowing more - why there would be wide-spread uncertainty (and there seems to me to be little if any uncertainty in the example used by the Director, which implies there may not be a correct approach under the bonnet).

The analysis should be disclosed, and can be disclosed as there is no sensitivity, given the relevant facts can be kept under wraps (and suitably redacted or modified). This is a statutory interpretation exercise and the report can proceed on a series of hypothetical facts based on the actual situations.

Non-disclosure of that I-G report heightens concern, particularly given this unsatisfactory press release. Why is the monitored party the only one disclosing its understanding of the monitor’s report, especially when it is a gamekeeper that is being monitored not the poacher? And especially when there have been such basic problems at GCSB, and the agency needs to work hard to be seen to fix that.

Notable in the press release is that it is expressly limited to GCSB Act compliance. There is no report on any review as to whether the Crimes Act has been breached, especially as to the computer crimes and personal privacy interception provisions (as outlined in Proposed GCSB powers to control telcos’ network choices). 2

For example, if certain activities do not fall within the GCSB Act, that raises potential application of the Crimes Act, as the statutory GCSB carve-out from breaching the Crimes Act may not apply.

The I-G’s scope is the GCSB Act, so a Crimes Act review (such as whether there are alleged offences that should be prosecuted) would be done by other agencies.

But who and how?

The Police and SIS were involved in a number of the 80+ matters under review, and the Crimes Act has broad provisions dealing with offences by parties and accessories.

If there are offences, it might be that extends to implicate the Police and/or SIS as having committed offences as parties or accessories. I am not at all saying there are offences as we don’t have the facts, but rather that the question of who should review should be carefully considered. The Police should set up a relatively independent and strong team to consider if there are offences.

The GCSB must do better than this, even though they have a difficult and important task.

The Rebecca Kitteridge report3 on the GCSB is valuable reading in this area, including for highlighting how important the work of GCSB is, where, because of its covert nature, only the bad stuff tends to emerge. Those on both sides of the debate (civil libertarians and hawks) should look to it for the balance. It is simply not enough to fly the civil liberties flag alone or to allow substantial discretion.

For that reason, this article is not about the proposed law reform but about what has happened. Terrorism and other threats are real and major, as the examples listed by the Director in his release show, and do call for some incursion on civil liberties. The new law needs to get the balance right.

But there are now substantial signs that there are major problems at GCSB under the bonnet. As GCSB can get it so wrong where the issue is in the above-sea part of the iceberg, where scrutiny is possible, and where there is so much focus on what GCSB is doing, there are real signs things may be badly wrong below the secret sea level.