Inspire Net’s OpenLI system (centre, with green light) can capture specific voice and internet communications. Photo / Dave Mills
COMMENT:
When former communications minister Amy Adams upgraded telecommunications law in 2013 to enable police and intelligence agencies to eavesdrop on internet-transmitted communications, techies in New Zealand went pale when they saw the demands.
From the following year, telcos and internet providers with more than 4,000 customers over a sixmonth period had to provide full interception capability when served with a warrant.
Smaller providers had to be ready to help authorities under the new Telecommunications (Interception Capability and Security) Act of 2013, or be slapped with hair-raisingly large fines if they couldn't.
It was one of those seemingly intractable "we don't care how you do it, just get it done" edicts that governments at times issue.
Confusion reigned among providers about how to become TICSA compliant. Network engineer Dave Mill at Palmerston North-based internet provider Inspire Net recalls asking the police what to do and was told it was easy.
"Just go to this conference in Switzerland and buy a solution for about a million dollars, and you're done," the police told Mill.
That was the first problem: Mill looked into lawful intercept (LI) solutions and discovered it was big business. There were cheaper solutions floating around, but the cost still ranged from a few hundred thousand to half a million up front.
Then there is ongoing maintenance charges, and Mill estimated that it would have cost Inspire at least $150,000 to $200,000 a year, money that the provider would have to recoup from customers.
Forking out that much money for proprietary software and become dependent on overseas vendors for support for something that might or might not be compliant with New Zealand requirements seemed like a terrible idea.
That was the second problem: the government had not gazetted the TICSA standards so providers did not know how to deliver intercepted data to the police and spy agencies.
Police meanwhile were in a bind too. Mill said their only recourse under TICSA was to haul non-compliant providers in front of the High Court. Providers could be fined up to $500,000 with ongoing daily penalties in the tens of thousands, but that would simply kill off smaller providers who couldn't afford pricey LI solutions anyway.
As far as Mill knows, to date no telco or provider has been taken to court for not being TICSA compliant.
Nevertheless the threat of TICSA was real and Mill started talking to fellow network operators about coming up with an LI solution that would be free and open source so that everyone could use it without licensing charges.
The discussions were helped by the government finally gazetting the standards TICSA required, and just under two years ago, the OpenLI project [openli.nz] kicked off.
OpenLI is coded by the University of Waikato's WAND Network Research Group, and is European Telecommunications Standards Institute (ETSI) compliant.
Being built with open source components, OpenLI is free for anyone to download and use, WAND's Dr Richard Nelson said.
OpenLI can be used to capture both voice and internet communications as specified in a warrant. The software is designed to only intercept specified communications and filter out everything else not covered by warrants, which was one of the challenges programmer Shane Alcock faced when he started coding OpenLI just over 18 months ago.
"You might have multiple warrants that expire at different times covering the same person from the police and GCSB for example," Alcock explained.
Another challenge is the increased speeds of internet connections, with many people now being hooked up to 1 gigabit per second Ultra Fast Fibre, and 10 Gbps being trialled. Mill believes OpenLI should scale up accordingly, and can handle 7-8 Gbps data streams currently.
The intercepted data has to be delivered to the police in a particular format as well and Alcock and Nelson are at pains to explain that OpenLI does not access or modify the captured information in anyway, for legal reasons. By automating the interception process, OpenLI avoid privacy implications for providers as well, as it doesn't require staffers to view the captured data.
Furthermore, under TICSA, network operator staff need to have government security clearance.
What about encrypted communications then? "We don't break encryption, OpenLI just delivers the data as-is." Nelson said.
"Presumably the police have some way to deal with encryption, New Zealand being a Five-Eyes member and everything," he added.
Alcock now has a student to assist him with OpenLI development which in turn is being sponsored by Inspire Net, Vocus, Trustpower, Catalyst and a range of smaller providers who now have access to software that enables them to comply with the law without a ruinous expense.
While there's been no interest or acknowledgement at the government level, police are happy with OpenLI, according to Nelson and Alcock.
The flipside, Mill points out, is that the 19 or so providers in New Zealand have no excuse anymore as there is now an affordable LI solution that meets the required standards and which has earnt accolades in the local Hi Tech Awards this year.
Brazil has shown interest in OpenLI and the software might be used by other countries too; WAND doesn't track who downloads OpenLI and surveillance spooks don't like to talk about what they do.
How does OpenLI sit with personal ethics? It can be used by anyone to spy on communications, but this isn't a problem for Nelson and Alcock, who said they're willing to assist with anyone who has lawful intercept requirements.
Mills said there are only five agencies in the country that would intercept communications, and it happens rarely, only when there are some pretty heinous criminal activities going on that the vast majority of people would want to be stopped.
"Also, after Christchurch, the atmosphere has changed," Mill said.
"Whereas before people would object to communications being spied upon, there's now more support for doing that if it can prevent another Christchurch," he added.
The OpenLI project is unique in the world, and its members are now looking ahead to ensure the software continues to be maintained by more developers, Alcock said.
There's plenty of incentive for the industry to chip in if only to make commercial LI developers unhappy, as Mill suggests tongue-in-cheek.