Inspector-General of Intelligence and Security Cheryl Gwyn.
The electronic spy agency GCSB carried out "full take" collection of "all communications data of certain types" from the South Pacific, an inquiry has found.
But the inquiry by the Inspector General of Intelligence and Security Cheryl Gwyn has ruled that the way in which the Government Communications Security Bureau acted was inside the law.
In doing so, her report provides an unprecedented level of detail about how New Zealand carries out electronic intelligence gathering in the South Pacific.
The inquiry followed reporting by the NZ Herald, The Intercept news site and journalist Nicky Hager into the Snowden documents.
The documents included the claim there was "full take" collection from the South Pacific, which complainants to the GCSB took as confirmation the spy agency captured all communications.
Gwyn's report confirmed the accuracy of the "full take" practice the NZ Herald reported from Snowden's documents.
But she said there was a legal basis for the collection of communications by New Zealanders, who were protected at the time under law from GCSB intrusion.
Gwyn found there was "no evidence that GCSB acted outside the relevant authorisations and statutory prohibitions to any significant extent".
She said communications not relevant to the purposes of the GCSB were recognised in law and had to be destroyed.
"The GCSB Act therefore provided scope for collection methods such as "full take'."
Gwyn said "full take" was a "shorthand phrase" the GCSB used to describe collecting broad swathes of data that had been filtered from some satellite links.
Other Five Eyes partners - electronic spy agencies in Australia, Canada, the United Kingdom and United States - used the term "bulk collection" instead of "full take".
"It was applied only to satellite communications links assessed by GCSB as likely to carry communications of intelligence value."
Gwyn's report said the method "inherently involved the acquisition of some non-targeted communications".
"Full take" communications data was then searched using "selectors" - search terms likely to appear in communications such as phone numbers or email addresses.
The specific information brought back from those targeted searches was considered collected.
The GCSB was then constrained by law to keep only information linked to its objectives in legislation. "All else had to be destroyed."
The world is divided up by Five Eyes partners for shared surveillance, with New Zealand having responsibility for the South Pacific, among other areas.
Gwyn said: "If a country's telecommunications system is connected to rest of the world by satellite, in principle its international communications can be collected by intercepting communications to and from the satellite."
She said it was also possible to intercept domestic communications if they were over a satellite link in a domestic network.
While many South Pacific countries now relied on undersea cables "network connections to many outer islands are still provided by satellite".
She said there were some Pacific Islands nations which - during the time her investigation covered - "were largely dependent on satellites" for international connections.
There was no sign of interception of communications involving any of the people who complained to Gwyn about the GCSB's activities in the South Pacific.
She found two breaches which were documented but said those were "inadvertent" and both detected and fixed at the time.
The breaches did not reflect an "institutional disregard" for the controls to which the GCSB was subject, she said.
Gwyn said the "full take" data might only be kept for "a few minutes" while filtered data could be kept for years.
She said both filtered and unfiltered data had been shared with Five Eyes partners.
The reason for sharing included asking partners to use its systems to better analyse what had been collected.
She said it was "unlikely" those included private communications but was unable to confirm whether that was the case or if those partners still kept what had been shared.
Gwyn found the bureau had necessary procedures in place to cover its collection, including those recognising the New Zealand citizenship rights of those in the Cook Islands, Niue and Tokelau.
She also found that, until a law change in 2013, the GCSB did not seek warrant authorisation for intelligence collection through foreign partners.
That was because of a line in its legislation - removed in 2013 - which authorised collection "by co-operating with public authorities or other entities in New Zealand and abroad".
The law at the time also banned the collection of communications involving New Zealand citizens or residents unless that person was a spy working for another country.
Gwyn's report illustrates the upheaval visited upon the GCSB in the wake of the unlawful spying it carried out for police on German entrepreneur Kim Dotcom.
It underwent numerous reviews and legislation changes following the discovery the GCSB did not understand its own law barring it from spying on New Zealand residents, such as Dotcom.
The changes include updating the GCSB rules for spying, contained in a document called NZSID7 - the New Zealand Signals Intelligence Directive.
Between 2009 and 2013, the document did not include protections for New Zealanders' metadata - the electronic footprints that link people sharing communications.
"New Zealand persons or entities were not to be the primary subject of metadata analysis except where a written request was received from a New Zealand government agency."
An updated NZSID7 in 2013 and Nationality Policy in 2014 changed the rules around metadata and included it as a communication.
Other changes saw the GCSB shift from being allowed to collect privileged communications - including those involving doctors and lawyers - to being unable to do so from 2014.
Her report described how the GCSB's target list came out of the "Foreign Intelligence Requirements" document produced by ODESC, the powerful Officials' Committee for Domestic and External Security Coordination.
The "requirements" document had then been added to and later supplanted by the "National Intelligence Priorities" list which has more specific instructions on areas to focus intelligence gathering.
David Fisher is a member of a Reference Group formed by the Inspector General of Intelligence and Security intended to hear views on developments possibly relevant to the work of the oversight office. The group has a one-way function in offering views to the IGIS. It receives no classified or special information from the IGIS or the intelligence community. The information in this story was not sourced from Reference Group discussions.