Proposed anti-hacking laws have a sting in their tail - they give the security services and police the right to read your e-mail.
Poor Paul Swain. The Minister for Information Technology is pushing through long-overdue legislation outlawing hacking, cyber-vandalism and electronic theft.
But instead of being hailed as a champion of our arrival in the information age, he is becoming known as the minister of snoop.
The legislation that has sparked concerns about security agencies and the police invading privacy through unfettered online access to our PCs and e-mail is the Crimes Amendment Bill (No 6). Mr Swain introduced amendments to the amendments now before Parliament's law and order select committee last week because New Zealand still has no anti-hacking laws.
The committee was almost ready to pass laws to stop people using a computer for a dishonest purpose such as stealing, or using one to cause damage, such as deleting files, passing on viruses or altering websites. Now it will hear submissions about laws to make unauthorised access to computers illegal - also known as electronic trespass, or hacking out of curiosity. In addition, the committee will consider making it illegal to intercept private communications in any medium - voice, fax, pager and e-mail. The Government wants the laws in place by June 30.
But there is a catch.
Hacking and e-mail interception will not be illegal if carried out by the Security Intelligence Service, the Government Communications Security Bureau and its Waihopai satellite spying site or the police. This has online discussion groups buzzing. There are three strands to the debate:
Under what conditions can security intelligence agencies and police access our computers and intercept our private e-mail?
According to the amendments, the SIS will intercept and hack when it has an interception warrant issued by the minister in charge - done when matters of national security are at stake. The GCSB will override the principle of the right to privacy when given permission by its minister - for the purpose of gaining foreign intelligence. The police must get a search warrant from the courts - just as they would to search your house or tap your phone. Interestingly, employees of telecommunications companies and internet services can also hack and intercept - but only for maintenance.
How will they do it?
The amendments do not really spell this out. And Mr Swain refuses to talk about specifics - saying that discussion should happen when the bill is referred back to Parliament. But on the face of it, once they have the authorisation, the security agencies and police can simply turn over the problem to their technical experts and place an "interception device" anywhere they wish. The new term replaces "listening device" in the Crimes Act and is defined broadly as "any electronic, mechanical, or electromagnetic instrument, apparatus, equipment, or any other device that is used, or is capable of being used to intercept a private communication."
The best location from which to intercept e-mail, monitor internet users' surfing habits or hack their PCs is their internet service provider's premises. So most users are guessing that is where the interception devices will be placed.
That is the way it is done with the FBI's Carnivore system in the United States. When the FBI gets authorisation, it wheels in one of its Carnivore servers and hooks it up to the internet provider's servers. From back at headquarters the feds can then capture and record all packet traffic to and from a selected internet protocol (IP) address (the unique number you are assigned when online). It can also monitor all the subject's online movements and record the destinations and origins of outgoing and incoming e-mail.
What people fear about such surveillance is that police and security agencies could easily broaden their online snooping. Internet users are asking: what is to stop police or Government agents going further than their warrant stipulates? Would anyone know if they did?
Of even greater concern is the possibility that the interception devices may be permanently "hardwired" at the internet provider's premises. That is the case in Britain, where the Government has passed the Regulation of Investigatory Powers law requiring all internet providers to have a "black box" which sends copies of e-mail to MI5 headquarters.
From a policing point of view, this is a dream come true - nationwide internet surveillance on tap. Plus the ability to covertly search the entire contents of any connected PC's storage disk - which in many cases will contain a lifetime of private information from love letters to business dealings.
How do we avoid it?
The discussion groups are quick to point out many ways to avoid online surveillance - using overseas e-mail accounts such as Hotmail, anonymiser services, proxy servers and encryption.
The latter is the scrambling of e-mail using special codes or keys. Scrambled messages are only unlocked when participants agree to exchange these keys as part of their communication. So when scrambled messages are intercepted, they are unreadable without the key. In Britain, senders must hand over encryption keys or risk jail.
So far the New Zealand legislation has no reference to the compulsory handing over of encryption keys. But the police freely acknowledge that there is no point in having online surveillance without the means to break encryption.
Mr Swain admits that further legislation will be required to make the bill work - but he is not saying what form that will take. And the Ministry of Economic Development confirms it is looking at proposals to modify the Telecommunication Act to require all telcos' networks to be "made capable of interception" - to ensure police can tap phones on networks such as Vodafone's, which has built-in encryption.
But the lack of information on how key parts of Mr Swain's snooping plan will be implemented has led to wild speculation, including all manner of Big Brother conspiracy theories.
It has also led many to ask why such a costly scheme is necessary. Security experts and civil liberties lobbyists alike point out that technology is already available to monitor and intercept any form of communications. Why do we need online surveillance of an entire population to counteract the criminal actions of a few?