The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 – An...

8/22/2019 The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 An Interrelated History.

1/36

The Crimes Amendment Act 2003 and the GovernmentCommunications Security Act 2003 An Interrelated History.

In early 2000, it was decided that the GCSB should be placed on a statutory footing similar

to that of the NZSIS.1

We shape our tools and thereafter our tools shape us.2

IntroductionIn March 2003 the New Zealand Parliament enacted the Government Communications Security Act

2003, formalising the existence of the Government Communications Security Bureau, which had

been in existence since 1977, as a Department of State.

This paper argues that the reasons for the legislation came about as a result of a number of

amendments that were proposed to the Crimes Act 1961 that were the subject of the CrimesAmendment Bill 1999 as well as the stated objective of making New Zealands security arrangements

more transparent and accountable. The amendments related to the enactment of a number of

sections of the Crimes Act dealing with computer crime. As the legislation progressed until its

ultimate enactment in 2003, various changes to sections relating to computer crimes and

interceptions of communications meant that the existence of the GCSB had to be formalised hence

the legislation. It is argued that these amendments, associated as they were with communications

technology, drove the GCSB into the legislative light from the shadows it had previously occupied. It

could be suggested that, from a point of view of transparency of Government surveillance activities,

this was a good thing.

This paper will trace the legislative events that resulted in the enactment of the computer crimes

amendments to the Crimes Act and the associated moves towards the enactment of the

Government Communications Security Act. It does not set out to offer any opinion on the content of

the legislation other than to demonstrate its interaction. It will conclude with some observations on

the legislative process surrounding the legislation in question and raise some questions for

consideration on the wider issue of the nature of liberty in a new information paradigm.

Computer Crimes Legislation 1989 1999In New Zealand, computer crime legislation was first proposed in 1989 in the Crimes Bill 1989, which

proposed the creation of two offences in relation to computer misuse: accessing a computer for a

dishonest purpose and damaging or interfering with a computer system. The Crimes ConsultativeCommittee proposed a number of changes to the clauses recommending that there should be three

separate offences accessing a computer and obtaining a benefit or causing a loss, accessing a

computer with intent to obtain a benefit or to cause a loss, and a summary offence of unauthorised

access to a computer punishable by a maximum of six months imprisonment.3 The amendment was

abandoned when other matters in the Bill failed to obtain government support.

1 History of the GCSB Government Communications Security Bureauhttp://www.gcsb.govt.nz/about-

us/history.html(last accessed 18 August 2013). As will become clear, this is an inaccurate statement.2

Marshall McLuhan Understanding Media: The Extensions of Man (Sphere Books, London, 1967).3 New Zealand Law Commission Computer Misuse (New Zealand Law Commission, Wellington 1999 Report 54)

at [3].
http://www.gcsb.govt.nz/about-us/history.htmlhttp://www.gcsb.govt.nz/about-us/history.htmlhttp://www.gcsb.govt.nz/about-us/history.htmlhttp://www.gcsb.govt.nz/about-us/history.htmlhttp://www.gcsb.govt.nz/about-us/history.htmlhttp://www.gcsb.govt.nz/about-us/history.html


2/36

In 1998 interest in computer crime was sparked by two incidents which were rapidly followed by a

Law Commission report on computer misuse.

The hacking incidentsOn 26 August 1998 Andrew Garrett began harvesting usernames and passwords from Xtra users

computers and subsequently released information to Chris Barton of the New Zealand Herald thathe had managed to compromise the security of the Xtra servers. What Garrett had in fact done was

to use a Trojan Horse program to obtain the passwords of those computer owners. He made no

secret of his involvement but, because of a dispute that he had with Telecom at the time,

characterised the issue as one of Xtras security. He was later prosecuted and convicted of five

offences arising out of his activities.4

In November 1998, 4,000 files were deleted from the Ihug Home Pages Server. No one was

prosecuted, although investigation revealed that a 17-year-old New Zealander committed the action

by effectively hacking the Ihug home pages server in California.5

Computer crime and the adequacy of the existing law moved into sharp focus. The LawCommission had been examining aspects of E-Commerce but there had also been concerns

about dishonest activity in the electronic banking context which had resulted in a Law

Commission report in December 1998 entitled Dishonestly Procuring Valuable Benefits6

following upon the case of R v Wilkinson.7 That report also suggested a wider review of Part

X of the Crimes Act 1961 which dealt with property offending. The Law Commission began

to focus its attention upon computer crime.

The Ministry of Justice had also been considering issues arising out of computer misuse. The

Minister for Justice announced a proposal to introduce into the House of Representatives

legislation which would create criminal offences for certain types of computer misuse.8

Because of the imminence of a Bill, on 13 May 1999 the Law Commission issued a final

report on computer misuse which was confined to concepts and which did not include draft

legislation. The Commission stated:

While we would have preferred more time to consider the form of the legislative

changes we consider it important for our work to be available both to the Ministry

and the public in time for it to be of use.9

4

R v Garrett[2001] DCR 955; R v Garrett (No 2) [2001] DCR 912. For a brief but useful account of the case seeInformation about Criminal Law and the Net Case Study 1 Netsafe

http://www.netsafe.org.nz/archive/criminal/criminal_case1.html(last accessed 21 August 2013). See also Paul

Brislen ISPs Please with Verdict in Hacker Case" Computerworld 18 July 2001.

http://www.computerworld.co.nz/article/512709/isps_pleased_verdict_hacker_case/(last accessed 21 August

2013) Paul Brislen Hacker Case Creates Precedent Computerworld 18 July 2001.

http://www.computerworld.co.nz/article/512710/hacker_case_creates_precedent/(last accessed 21 August

2013).5 Ihug Boost Security after Hacker Hits 100 Accounts New Zealand Herald, 1 February 2001

http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=114894.6 New Zealand Law Commission Wellington 1998 Report 51.7 [1999] 1 NZLR 403.8

New Zealand InfoTech Weekly 11 April 1999, 1.9 NZ Law Commission Computer Misuse above n. 2 p.ixhttp://www.lawcom.govt.nz/project/computer-

crime?quicktabs_23=report(last accessed 21 August 2013).
http://www.netsafe.org.nz/archive/criminal/criminal_case1.htmlhttp://www.netsafe.org.nz/archive/criminal/criminal_case1.htmlhttp://www.computerworld.co.nz/article/512709/isps_pleased_verdict_hacker_case/http://www.computerworld.co.nz/article/512709/isps_pleased_verdict_hacker_case/http://www.computerworld.co.nz/article/512710/hacker_case_creates_precedent/http://www.computerworld.co.nz/article/512710/hacker_case_creates_precedent/http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=114894http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=114894http://www.lawcom.govt.nz/project/computer-crime?quicktabs_23=reporthttp://www.lawcom.govt.nz/project/computer-crime?quicktabs_23=reporthttp://www.lawcom.govt.nz/project/computer-crime?quicktabs_23=reporthttp://www.lawcom.govt.nz/project/computer-crime?quicktabs_23=reporthttp://www.lawcom.govt.nz/project/computer-crime?quicktabs_23=reporthttp://www.lawcom.govt.nz/project/computer-crime?quicktabs_23=reporthttp://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=114894http://www.computerworld.co.nz/article/512710/hacker_case_creates_precedent/http://www.computerworld.co.nz/article/512709/isps_pleased_verdict_hacker_case/http://www.netsafe.org.nz/archive/criminal/criminal_case1.html


3/36

The Law Commission Computer Misuse ReportThe Law Commission report on computer misuse10 analysed the law relating to computer misuse

and suggested that criminal liability be extended to actions in the electronic environment that, in

their parallels in the real world, were not unlawful.

The Commission considered that legislation dealing with computer misuse must address the

following elements:

Unauthorised interception of data stored in a computer;

Unauthorised accessing of data stored in a computer;

Unauthorised use of data stored in a computer;

Unauthorised damaging of data stored in a computer

As to the offences of unauthorised access and interception the Commission stated:

The offences of unauthorised access and interception should require proof by the

prosecution of intent:

in relation to the interception offence, the prosecution should be required to establish an

intention to intercept:

in relation to the offence of access, the prosecution should be required to establish an

intention to:

cause loss or harm to the person entitled to the data or to some third party; or

gain some form of benefit or advantage either personally or to a third party.

We propose that the terms loss or harm and benefit or advantage be given a wide

meaning and not be limited to pecuniary losses or benefits. In the case of offences involving

use and damage, proof of carelessness should be sufficient to establish an offence.11

The Law Commission also stated:

that the existing criminal law is inadequate to deal with computer misuse.

However, it would be possible to redraft existing law to cover the types of computer

misuse to which we have referred in this report. If an attempt is made to amend the

existing provisions of the Crimes Act 1961 to make them fit the matters discussed in

this paper, there is a grave risk of error either by imposing criminal liability where itshould not be imposed or by omitting provisions that ought to be included. We have

no doubt that the only neat and sensible solution is to either have a separate statute

dedicated to crimes of computer misuse, or, to have a distinct part within the Crimes

Act 1961 relating to computer misuse.12

The Law Commission concluded that the current criminal law was inadequate to deal with

unauthorised computer access and a reform of the law was required. It defined access as

10 Ibid.11

Ibid. p. xii.12 Ibid. at [80].


4/36

covering a situation where a person without authority, whether through physical or

electronic means, obtains access to data stored on a computer. It also considered that the

prosecution should be required to establish:

first, that the accused gained unauthorised access to data, and secondly that at

the time of access, the accused had an intention to cause loss or harm or gain abenefit or advantage.

In the Law Commissions view, criminal intent was needed to avoid trivialising the criminal

law by making every unauthorised access a criminal offence. This meant that those who

gained access simply to achieve the prize of access will not be criminally liable for their

actions. In other words, pure hacking will remain outside the scope of the law.

The thrust of the Commissions recommendations was therefore directed towards the

protection of the data or contents of the computer system rather than extending the

prohibition to access as such. In the Commissions view, the access had to be accompaniedby an element of intentional wrongdoing involving the data.

This limited scope was extended as the computer misuse provisions of the Crimes Act

Amendment Bill (No 6) made their way through the legislative process.

The Introduction of the Crimes Amendment Bill (No 6) October 1999In October 1999, the Crimes Act Amendment Bill (No 6) was introduced to Parliament and

referred to select committee. The Bill was expansive, proposing a number of changes to the

criminal law, but significantly created four new computer-based offences. In summary,

these are as follows:

1. s 305ZE(1) accessing a computer system and dishonestly or by deception

obtaining a financial benefit or causing loss;

2. s 305ZE(2) accessing a computer system with intent to obtain a benefit or

cause loss;

3. s 305ZF(1)(a) damaging or interfering with a computer system with intent

to cause serious damage; and

4. s 305ZF(2)(a) recklessly damaging or interfering with a computer system

knowing that serious damage is likely to result.

On 5 October 1999 at the second reading of the Bill, the then Minister of Justice Mr Tony

Ryall made the following observations:

As the Minister of Justice I have made it clear that in respect of our legislation there

are a number of imperatives that we the Parliament must work on in the next few

years. The first is to make our legislation technology-neutral. There is no point in

putting definitions of particular hardware or software into legislation, because such

technology may not exist in a few years' time. It is vital that we make our legislation

technology-neutral and describe the nature and the form of the offence rather than

the specifics of the mechanism by which it was done. We want to make sure that our


5/36

legislation is harmonised with international information technology and

technological crime legislation. Also, we want to develop further work in terms of

encryption and security. But this Bill will go some way in terms of putting into

practice the Government's work programme, and it is my expectation that there will

be further legislation in this area next year.13

Thus the Minister was wisely avoiding technology-specific legislation and rather focussed

upon the behaviour associated with a technology as the target of the legislation. He went on

to say:

This Bill creates new offences in relation to the misuse of and damage to computer

systems. .. It will be an offence to access a computer and dishonestly---and that

means without authority or by deception---obtain a financial benefit, or cause a loss

to someone. This offence has a maximum penalty of 7 years' imprisonment. The

second new computer offence is essentially an ``attempt offence'' and has a

maximum penalty of 5 years' imprisonment.

The other new computer offences relate to damaging a computer with intent to

cause damage or being reckless as to whether serious damage occurs. These have a

7-year penalty.

A definition of ``computer'' is not included. As I said earlier on, it is unlikely that such

a definition would keep up with changing technology. Other jurisdictions have taken

various approaches to this issue in their criminal statutes. England, for example, does

not define it, whereas the United States does. As Minister, I will welcome comments

on this in submissions to the select committee.14

The Minister then went on to address the issue of access without authorisation

without any associated intention to commit an unlawful act.

The Government has also decided at this stage not to include an offence relating to

unauthorised access of a computer. We recognise that this is a serious problem that

needs addressing, but it does actually need quite a lot more work and consideration.

However, I did not want to delay action on these changes at this stage. When

someone from an outside firm manages to gain access to the firm's computer,

commonly known as hacking, there is probably general agreement that this should

be a criminal offence. However, I believe an offence should also cover employees

who are not authorised, or go outside their authority to access information.

Employers will therefore need to have clear levels of authority in place if such an

offence is to be proven. This issue is more difficult, but we intend to put forward

such an offence early next year.15

Thus, unauthorised access was clearly on the table, but required further work. Of

especial interest is the suggestion that employees should be liable if they were

13

Crimes Amendment Bill Second Reading Hansard 5 October 1999.14 Ibid.15 Ibid.


6/36

unauthorised or went beyond their authorisation to access computer systems. As will be

seen, this was the subject of a specific exemption when the Bill was finally enacted and

appears in s. 252(2).

In the debate, Phil Goff MP castigated the Government for delaying action on computer

crime and pointed to what he saw as the motivation for the amendments.

Last year a hacker destroyed 4,500 web pages hosted by the Internet Group.

Another hacker breached the password security of Telecom's Internet service

provider XTRA, and nothing was done because the law was not in place.

Finally, after a decade, the Government has been sufficiently embarrassed by those

people getting away with those offences that it has brought to this House a new Bill.

I welcome the provisions of the Bill but they have been too long in coming and I

think the select committee will have to examine whether, even now, they are

sufficiently strong to deal with the computer crimes that are happening in oursociety.16

Mr Goff then went on to consider the absence of the offence of unauthorised access to

computer systems:

What we have not yet got is the further offence of hacking into a computer system,

and the Minister has said that he is not yet ready to do this. So we still have that

problem, and he hopes that next year something will be done. Next year! That will

be some 11 years after the Crimes Bill and still the Minister has not acted.

Paul Swain MP looked at the broader picture that he considered the legislation did not

address:

The point really is that the member does not get it. It is not just about hacking, and

it is not just about computer crime, it is about a whole pile of other things as well. It

is about the whole issue of security across the Internet, which implies security for

electronic commerce. It is about the protection of intellectual property rights, which

is an issue of the Internet, and an issue of electronic commerce. For example, it is

about protecting and promoting consumer rights in cyberspace. That is what

electronic commerce is about. Computer crime and hacking are only a little tiny partof a much bigger picture.

The Bill was referred to a Select Committee. However, in November 1999 there was an

election and the National Government was replaced by a Labour-led Government under

Helen Clark. It was under the new Government that further developments, heralded by

speakers from both sides of the House in 1999, were considered and proposed.

16

Ibid. As it happens Mr Goff was later proven to be incorrect. The Xtra hacker Andrew Garrett wasprosecuted and convicted of offences existing under the law as it stood arising out of his action see R v

Garrettabove n. 4.


7/36

Supplementary Order Paper 85 2 November 2000On 2 November 2000, Keith Locke MP had a question for the Prime Minister:

Would the proposed changes to the Crimes Amendment Bill (No 6), if passed, allow

the Government Communications Security Bureau, under certain circumstances, to

intercept e-mail communications of New Zealanders; if so, what would the

circumstances be, and what authorisation would be required?17

The Prime Minister replied

No. The proposed changes provide specifically that the Government

Communications Security Bureau may only intercept private communications which

are both---

(a) Private communications of a foreign organisation or foreign person (or

a representative or agent of a foreign organisation or foreign person);

and

(b) Private communications which contain, or may reasonably be

expected to contain, foreign intelligence.

The expressions ``foreign organisation'', ``foreign person'', and ``foreign

intelligence'' are defined in the proposed amendment in such a way as to make it

clear that the Government Communications Security Bureau may not intercept the

communications of New Zealanders, whether in e-mail or any other form.18

Mr Locke was referring to Supplementary Order Paper 85 (SOP 85) and the question

arose because of its scope. SOP 85 was not restricted to adding the criminalisation of

unauthorised access to a computer system. There were a number of other changes tothe Crimes Act dealing with Part 9A of the Crimes Act dealing with crimes against

personal privacy and the unauthorised use of interception devices. Exceptions were

provided where interception of communications was authorised by law. The

amendments to the Crimes Amendment Bill proposed by SOP 85 were quite wide-

ranging and in some respects reflected what could be called scope creep in dealing

with the involvement of law and new communications technologies.

Before looking at SOP 85 it is necessary to briefly talk about the legislative structure of

the Crimes Act. Like most statutes the Crimes Act is divided into a number of parts. The

Law Commission recognised this when it recommended that any provisions relating tocomputer crimes should have their own part.

The Crimes Amendment Bill (No 6) covered a number of proposed amendments to the

Crimes Act, particularly in the area of property offences. Property offences are covered

in Part 10 of the Crimes Act. Within that part there are a number of subdivisions

unlawful taking, burglary, robbery and blackmail, crimes involving deceit, money

laundering, receiving, forgery and counterfeiting, coinage, arson, damage and waste.

17 Hansard 2 November 2000.18 Hansard 2 November 2000.


8/36

The Amendment Bill proposed that computer crimes would have their own subdivision

within Part 10 of the Crimes Act.

There are two other parts of the Crimes Act that were involved in SOP 85 and were

related to legislation involving new technologies. Part 9A dealt with crimes against

personal privacy and focussed on the use of listening devices and prohibitions on

recording private conversations using listening devices. Part 11A involved obtaining

evidence by way of listening devices. Essentially, both parts dealt generally with bugging

conversations, prohibitions against such activity and the provision of exceptions in the

case of law enforcement. Part 11A provided a strict regime for obtaining warrants by the

Police for the use of listening devices, and the circumstances where the fruits of the use

of listening devices (and later, interception devices) could be admitted as evidence.

In essence SOP 85 replaced references to listening devices with the term interception

device19 updating the legislation to cover not only contemporaneous bugging but the

wider power to hear, listen to, record, monitor, acquire, or receive the communicationwhile it is in transit.20

The overall scheme of the amendments were to maintain earlier prohibitions on the use

of listening devices and an extension to interception devices for the intentional

interception of private communications. There are exceptions provided where the

person intercepting the private communication is a party to the communication. SOP 85

provided another exemption. The prohibition was not to apply to the interception of

private communications by any interception device operated by the Government

Communications Security Bureau for the purpose of intercepting private

communications that are both"(a) private communications of-"(i) a foreign organisation, or foreign person; or

"(ii) a representative or agent of a foreign organisation,

or foreign person; and

"(b) private communications that contain, or may reasonably

be expected to contain, foreign intelligence.

Now provisions regarding changes to the law relating to offences against privacy and the warranted

bugging by the Police for the purposes of obtaining evidence had not been a part of the original Bill,

and as I suggested the proposals contained in SOP 85 reflected significant scope creep. In addition

there was a proposed change to the computer crimes provisions. The offence of access to a

19 An interception device was defined in SOP 85 as any electronic, mechanical, or electromagnetic

instrument, apparatus, equipment, or other device that is used or is capable of being used to intercept a

private communication. Hearing aids were excluded along with a provision for an exemption made by the

Governor-General by Order in Council.20 This was the position in s.312A of Crimes Act 1961 after the 2003 amendments had been enacted. The

provisions of Part 11A have been repealed and the circumstances where private communications may be

lawfully intercepted are now part of the Search and Surveillance Act 2012.SOP 85 proposed a slightly more complex approach in that the private communication could be intercepted at

any time during the period beginning with the time the communication is sent and ending at the time that the

intended recipient is able to have access to it. When the Bill was reported back by the Law and OrderCommittee the wording was changed from that proposed by SOP 85 to read while it is transit from the person

sending the communication to the person intended to receive it.


9/36

computer system without authorisation. The wording of the new section (s. 305ZFA in SOP 85) as

proposed reads as follows:

Every one is liable to imprisonment for a term not exceeding 2 years who intentionally

accesses, directly or indirectly, any computer system or part of a computer system without

authorisation knowing that he or she is not authorised to access that computer system orpart of that computer system or being reckless as to whether or not he or she is authorised

to access that computer system or part of that computer system.

By prohibiting access to computer systems, within the context of the new provisions relating to

interception and privacy of communications the Government had to provide for exceptions for

organisations which might be involved in this activity. Accordingly, SOP 85 contained this provision:

(l) Section 305ZFA does not apply if the person accessing a computer system or part of a

computer system-

a) is an employee of the Government Communications Security Bureau; and

(b) is discharging his or her duty as an employee of the Government

Communications Security Bureau to collect foreign intelligence; and

( c) is authorised, in writing, by the Minister responsible for the Government

Communications Security Bureau.

(2) The Minister responsible for the Government Communications Security Bureau may

authorise an employee of the Government Communications Security Bureau to access a

computer system or part of a computer system of a specified foreign organisation or foreign

person if the Minister-

(a) has consulted with the Minister of Foreign Affairs and Trade; and

(b) is satisfied that-

(i) there are reasonable grounds to believe that no New Zealand citizen or

person ordinarily resident in New Zealand is specified as a foreign

organisation or foreign person whose computer system may be accessed;and

(ii) the access is necessary for the purposes of collecting foreign intelligence;

and

(iii) the value of the information sought to be obtained justifies the access;

and

(iv) the information is not likely to be obtained by other means.

There were also qualified exemptions for the SIS where an interception warrant under the SIS

legislation had been issued and for law enforcement agencies who accessed a computer system

under the execution of an interception warrant, search warrant or other legal authority.

Speaking to the introduction of SOP 85, the Associate Justice Minister, Paul Swain MP, said of the

changes to parts 9A and 11A:

They are not currently included in the bill. The purpose of the interception proposals is to

extend the offences and warrants to cover electronic technology. One of the main purposes

of the Crimes Amendment Bill (No 6) is to ensure that property offences cover electronic

technology. I believe that the proposals in the Supplementary Order Paper have sufficient

commonality with the bill to be included in it.21

21 Hansard 16 November 2000.


10/36

He then went on to consider the creation of the new offence of unauthorised access he referred to

it as hacking and the ramifications of that proposal. And this is where the interrelationship with

other aspects of the law relating to the use of electronic technologies come into play. Mr Swain said:

The bill contains a new computer offence---that is, accessing a computer system without

authorisation, which is commonly referred to as hacking. Currently, in New Zealand it is not

unlawful for anyone to hack into someone else's computer. The bill makes hacking unlawful,with a penalty of imprisonment for up to 2 years for those convicted of that offence. It is

designed to bring us into the 21st century, and to bring us up to speed with new technology.

If we start to introduce laws that make hacking unlawful, issues immediately arise such as

whether there should be any exemptions. That arises automatically when we want to

introduce legislation such as this. The Government says that, yes, there should be

exemptions, and consequently certain qualified exemptions to the offences are proposed for

law enforcement and security agencies that are properly authorised. It is important to point

out that there will be proper authorisation for those exemptions, primarily through a search

warrant or interception warrant---two systems currently available to the police and security

agencies.22

As at 16 November 2000 there were provisions in the law for the issue of search and interception

warrants to the Police and SIS. Apart from the wording of the qualified exemption for the GCSB 23

there was no authority at law that enabled the issue of a search warrant or an interception warrant

to a member of the GCSB enabling access to a computer system, apart from an Order in Council that

related specifically to the Waihopai site. Mr Swain said that the exemption for the GCSB would

ensure greater transparency. The exemption is not limited to any particular site, as was then

the case.

Keith Locke had this to say about the scope creep of SOP 85.

The Associate Minister of Justice put stress on the bill being an anti-hacking measure and

an anti-interception measure, and of course we support any bill opposed to hacking or

interception. In fact, we asked the Minister to put such provisions in a separate

Supplementary Order Paper, but those few clauses against hacking and interception amount

to about only one page of this 12-page Supplementary Order Paper. The rest of the clauses

are a major assault on our privacy.

They give the police, the Security Intelligence Service, and the Government Communications

Security Bureau the right to hack into our computers and intercept our emails, faxes, and

message pagers. Mr Swain said this measure will enable agencies to catch criminals. No one

is disputing that we might be able to catch a few more criminals through such interception.Surveillance cameras placed on every street in the country might catch more criminals, but

we always have to ask ourselves what the cost is to our privacy. Do we really want to live in

a surveillance society? Electronic interception is not just a question of modernising police

22 Ibid. The emphasis is mine.23 Authorisation by the Minister in writing to an employee of the GCSB after being satisfied of the matters

contained in 305ZFC(2)(b)(i) (iv) i.e.

(i) there are reasonable grounds to believe that no New Zealand citizen or person ordinarily resident

in New Zealand is specified as a foreign organisation or foreign person whose computer system may

be accessed; and

(ii) the access is necessary for the purposes of collecting foreign intelligence; and(iii) the value of the information sought to be obtained justifies the access; and

(iv) the information is not likely to be obtained by other means.


11/36

and security agencies' powers beyond their present letter opening and telephone tapping, as

has been made out; computer interception is a whole different ball game. For example, the

Carnivore system, which the FBI uses, allows keyword searches through vast amounts of

email. Britain has a system called ``RIP''---which is a very appropriate name; it comes from

the Regulation of Investigatory Powers Bill---where a kind of black box is attached to the

servers of Internet providers, and the traffic is routed through to MI5.

There are several problems. The first problem is that the emails of many ordinary people will

be intercepted by the system just because they accidentally use certain keywords, and their

messages will be scrutinised. This has already happened with the Echelon system of which

the Waihopai station near Blenheim is a part. Emails and faxes passing through a Pacific

satellite are intercepted through keyword searches. Under this Supplementary Order Paper,

the government Communications Security Bureau, which runs Waihopai, will be allowed to

increase its power, including surveillance within New Zealand, and not just through that

Pacific satellite. Supposedly, the Government Communications Security Bureau is allowed to

spy only on foreigners---foreign people and foreign organisations. However, if we look at the

definitions of a target in this Supplementary Order Paper, we see that organisations likeGreenpeace or an international trade union federation would fit under those definitions.24

Tony Ryall MP, who, it will be remembered, introduced the Crimes Amendment Bill (No 6) made

these comments in support of the reference of SOP 85 to the select committee:

We also support the introduction of anti-hacking provisions. However, we remain

concerned that the Government is failing to address the issue of ``denial of service'' attacks.

We have commented several times to the Minister on the need to address that. His officials

tell him it has been fixed. That is questionable, considering that the rest of the computer

technology community says it has not been fixed.

The Supplementary Order Paper makes hacking---the unauthorised or reckless use of

computer systems---an offence. But it also provides qualified exemptions for the security

agencies---the Security Intelligence Service, the Government Communications Security

Bureau, and New Zealand Police. The Supplementary Order Paper makes it clear that

interception may be done only under a warrant from the appropriate authorities, as is the

case with a telephone tap.an agency, a person such as the Prime Minister, or the various

commissioners involved. The various agencies will get these warrants when they need them,

provided that they comply with the requirements of the legislation. The interception

warrants will be granted by independent bodies, as per the requirements of the

legislation.25

It is fair to conclude at this stage that Mr Ryall was referring to the Police and the SIS, both

organisations having statutory provisions for the issue of search or interception warrants.

But the concern of the National Party in Opposition is that when the police seek to tap a

telephone, or when the Security Intelligence Service seeks to tap a telephone, it is a discrete

action. It requires a warrant. It requires the police to take their equipment and attach it to

the telephone line or exchange as is necessary. The equipment does not stay there dormant;

it is taken away. It is used when there is a warrant. What concerns this Opposition is that the

Government is talking about installing permanent listening devices between Internet service

providers and the police and security agencies---permanent, hard-wired listening devices;

24 Hansard 16 November 2000.25 Ibid.


12/36

devices that are permanently affixed to the Internet service provider. We agree with Mr

Locke that that has the potential to be a wolf in sheep's clothing, and I want to explain to the

House why.

The police are allowed to access the Wanganui computer system only as authorised. That is

what the Minister will say about these hard-wired Internet connections---that the police canaccess them only when they have authority. But as Mr Locke explained, and as members of

this House are well aware, the Wanganui computer, the Law Enforcement System, from time

to time is accessed by police who are unauthorised, and for unauthorised purposes. That is

the risk with the Government's plan to put permanent, hard-wired listening devices between

Internet service providers and law enforcement agencies

I have no problem with the police and the Security Intelligence Service getting a warrant to

go to an Internet service provider and tap into the Internet for a distinct and specific case

that has been approved by a granting authority. What I am concerned about is the

Government having a permanent line into every Internet service provider in this country.

The reason I am concerned about that is that the Government can offer no guarantee thoselines will be used only for authorised and warranted purposes. Privacy is at stake. We know

that the Wanganui computer is misused from time to time, and the hard-wired listening

device that the police and agencies are discussing as we speak has the potential to be

misused. The computer industry today has sufficient technical and forensic expertise to

assist the security agencies and police without their having a permanent connection. I need

to be very much convinced that these permanent, hard-wired listening devices connected to

Internet service providers can be secure. We need to be assured that no one will be thinking

he or she can tap into the Internet to find out what emails are going backwards and

forwards from a tenant who owes him or her money. We need to be assured of that.

For the last 6 months in Britain a huge barney has been going on about the right that theBritish security agencies have been insisting on to connect hard-wired listening devices to

every Internet service provider. The National Party Opposition wants to make it clear to the

Minister that we understand why this legislation is needed for the security of New Zealand,

and we respect the fact that warrants will be granted to the police and the Security

Intelligence Service as appropriate, but we want an assurance about the processes that will

be put in place to facilitate that. We will not support permanent, hard-wired listening

devices between Internet service providers and security agencies in this country. It is just too

risky.26

Mr Ryall had no problem with the obtaining of information where a properly authorised warrant had

been obtained but his concerns moved towards the technology of interception of messages at

Internet Service Provider level. There was nothing in SOP 85 that addressed that particular solution,

although it is possible that Mr Ryall considered it feasible. His concerns were to be prophetic for

precisely that capability was the subject of the Telecommunications (Interception Capability) Act

2004

Matt Robson MP made these observations, sounding a warning about the scope of powers that may

be given to surveillance agencies:

Other provisions of the bill, affecting the powers given to the Security Intelligence Service

and the Government Communications Security Bureau, in our view need very careful

consideration. The reason is that any type of secret intelligence agency with those powers

26 Ibid.


13/36

can, if they are used in an untrammelled way, cause great public mischief. So we, as a party,

have always been keen to make sure that the powers of any secret intelligence-gathering

agency are very carefully circumscribed, are authorised by the public authorities, and are

only available for the purpose of detecting any criminal mischief---not used for spying, or for

looking at people's legitimate political opinions.27

Thus the concerns of members were not so much about the proposed new offence of unauthorised

access to a computer system. In fact there was support for that. The concerns were for the limited

exemptions that appeared not only in s. 305ZFC and the provisions of the amendments to Part 9A

following upon the extension of a listening device to an interception device. Privacy of

communications, a capability for potential to abuse the system and the use of intercepted

communications possibly for political purposes were exercising the minds of Members at the time.

The quote at the beginning of this essay suggests that early in 2000, legislation for the GCSB was

contemplated. I suggest that the evidence surrounding the introduction of SOP 85 and the provisions

proposed in it lead to another conclusion. That conclusion is that as at 16 November 2000, such

legislation was not contemplated. My reasons for such a conclusion are these:1. No mention of any proposed legislation governing the GCSB was mentioned by any of the

speakers when SOP 85 was introduced.

2. When Keith Locke prosed his question to the Prime Minister on 2 November 2000 nomention was made by her in her reply of any proposed legislation governing the GCSB. If

such legislation had been in contemplation I would have thought it would be mentioned in

the answer. Instead the Prime Ministers answer reflected the terms of the qualified

exemption that appeared in s.305ZFC

3. The provisions of s. 305ZFC itself set out a process exempting GCSB employees from liabilityfor unauthorised access to computer systems. No mention is made of warrants. No mention

is made of any anticipated legislation. The process that is set out is reasonably clear. The

exemption applies to an employee of the GCSB who is discharging a duty as an employee tocollect foreign intelligence and is authorised in writing by the Minister for the GCSB. The

prerequisites are clear. S. 305ZFC then goes on to prescribe the circumstances whereby the

authorisation by the Minister in charge of the GCSB may be made. There had to be

consultation with the Minister of Foreign Affairs and Trade. The GCSB Minister had to be

satisfied that the target of the computer access was NOT a New Zealand citizen or person

ordinarily resident in New Zealand and that the target was a foreign organisation or person;

that access was necessary for the purposes of collecting foreign intelligence; that the value

of the information sought justified the access and that the information was not likely to be

obtained by other means. This is a fairly detailed prescription and would not have been so

detailed and specific, nor proposed as an amendment to the Crimes Act if the introduction

of legislation governing the GCSB had been contemplated.

Therefore, it is my conclusion that as at November 2000 the Government was content to allow the

GCSB to continue as it had before and that there was no GCSB specific legislation contemplated.28

However, it would later become necessary for some statutory framework to be put in place to

legitimise both the existence of the GCSB and the issue of search or interception warrants to it or its

employees. SOP 85 and the Crimes Amendment Bill No 6 were referred to the Law and Order Select

Committee which reported back on 18 July 2001. By that time the GCSB Bill had been introduced. So

27 Ibid.28

I say this on the basis of readily available public information. For the preparation of this essay I have notmade an Official Information Act enquiries nor have I had access to any policy documents that may have

suggested otherwise than what I have concluded.


14/36

we shall take a break from the chronology of the Crimes Amendment Bill (No. 6) and look at the

history of the GCSB.

The Government Communications Security Bureau Early HistorySince the Second World War, the New Zealand Government had a signals intelligence (SIGINT)capability. There was also a need to ensure that there was technical security (TECSEC) of

Government communications systems to prevent bugging and that its sensitive messages could

not be read by third parties (communications security, or COMSEC).

Until the establishment of the GCSB, these services were provided by bodies such as the

New Zealand Defence Force and the New Zealand Security Intelligence Service (NZSIS).29 In

1977, the then Prime Minister, Robert Muldoon, approved the formation of the GCSB, but its

functions and activities were kept secret.

In 1980 it was decided that the existence of the GCSB could be disclosed on a limited basis,

leading to the first briefings of the Cabinet and the Leader of the Opposition. These briefings

only acknowledged the GCSBs TECSEC and COMSEC functions, but not its SIGINT functions.

Prime Minister Muldoon publicly acknowledged the existence of the GCSB and its SIGINT

function in 1984.30

One of the most visible manifestations of the existence of the GCSB were the communications

facilities situated at Waihopai, distinguishable by the protective domes reminiscent of giant

puffballs.31 Another facility is operated at Tangimoana Station near Palmerston North.32

The GCSB BillThe GCSB Bill was introduced on 2 May 2001 and at the first reading of the Bill on 8 May

2001, Michael Cullen MP had this to say:

29 The functions now handled by the GCSB were split between three organisations:

- Communications security was the responsibility of the Communications Security Committee, basedaround the Prime Minister's office and the Ministry of Foreign Affairs.

- Signals intelligence was the responsibility of the Combined Signals Organisation, run by the military.- Anti-bugging measures were the responsibility of the Security Intelligence Service.

Government Communications Security Bureau Wikipedia

http://en.wikipedia.org/wiki/Government_Communications_Security_Bureau(last accessed 18 August 2013)30 History of the GCSB Government Communications Security Bureauhttp://www.gcsb.govt.nz/about-

us/history.html(last accessed 18 August 2013).31http://en.wikipedia.org/wiki/Waihopai_Station32Phil Goff MP made the following remarks when the GCSB Bill was introduced.

In its current form the Government Communications Security Bureau was set up back in 1977. In 1982 it

established a facility at Tangimoana, and that consolidated radio interception capability. In 1989 it opened up

a satellite communications interception station at Waihopai. Until now, over that 24-year period the

Government Communications Security Bureau has operated as a non-statutory organisation. Hansard 8 May

2001. See also the speech of Richard Worth MP at Hansard 25 March 2003 for a helpful background to the

GCSBhttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-

communications-security-bureau-bill-%E2%80%94-in-committee (last accessed 22 August 2013)See alsohttp://en.wikipedia.org/wiki/Tangimoana_Station(last accessed 22 August 2013)
http://en.wikipedia.org/wiki/Government_Communications_Security_Bureauhttp://en.wikipedia.org/wiki/Government_Communications_Security_Bureauhttp://www.gcsb.govt.nz/about-us/history.htmlhttp://www.gcsb.govt.nz/about-us/history.htmlhttp://www.gcsb.govt.nz/about-us/history.htmlhttp://www.gcsb.govt.nz/about-us/history.htmlhttp://en.wikipedia.org/wiki/Waihopai_Stationhttp://en.wikipedia.org/wiki/Waihopai_Stationhttp://en.wikipedia.org/wiki/Waihopai_Stationhttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://en.wikipedia.org/wiki/Tangimoana_Stationhttp://en.wikipedia.org/wiki/Tangimoana_Stationhttp://en.wikipedia.org/wiki/Tangimoana_Stationhttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://en.wikipedia.org/wiki/Waihopai_Stationhttp://www.gcsb.govt.nz/about-us/history.htmlhttp://www.gcsb.govt.nz/about-us/history.htmlhttp://en.wikipedia.org/wiki/Government_Communications_Security_Bureau


15/36

Since its creation in 1977, the Government Communications Security Bureau has

been a non-statutory organisation. The New Zealand Security Intelligence Service, on

the other hand, has had its own empowering legislation for more than 30 years. The

New Zealand Security Intelligence Service Act of 1969 established the service, and,

through a series of amendments since that time, continues to define its functions,

delineate the scope of its authority, and make provision for the issue of the

interception of warrants. Oversight of the activities of the Government

Communications Security Bureau, however, was significantly enhanced in 1996 by

the passage of the Inspector-General of Intelligence and Security Act and the

Intelligence and Security Committee Act. The bill before the House today serves to

remove the distinction between the firm statutory footing on which the New

Zealand Security Intelligence Service exists and the less clearly defined position of

the Government Communications Security Bureau.33

. In the absence of a legislative framework for the Government Communications

Security Bureau, for example, some people wrongly infer that the bureau's signalsintelligence operations target the communications of New Zealand citizens, that the

Government Communications Security Bureau exists only as an extension of a much

larger overseas signals intelligence operation, and that the bureau's operations are

beyond the scope of parliamentary scrutiny.

I reiterate today that the Government Communications Security Bureau does not set

out to intercept the communications of New Zealand citizens or permanent residents.

Furthermore, the reports of the Inspector-General of Intelligence and Security have

made it clear that any allegations to the contrary are without foundation. The

inspector-general has reported his judgment that the operations of the bureau haveno adverse or improper impact on the privacy or personal security of New

Zealanders.

Notwithstanding such assurances, the perception has remained in some quarters

that the bureau has been insufficiently accountable, and that its operational scope

has been inadequately defined. This bill puts the position of the bureau beyond

doubt as a legitimate agency of Government.34

Jenny Shipley MP described the Bill as the last step in what had been a series of legislative

measures that have brought New Zealand's security and intelligence framework into a much

more public setting than has been the case historically. She suggested that protection by a

strong legislative framework would be reassuring to New Zealanders. She did want to give

some assurances from her side of the House and she said:

..that this bill is about foreigners, and not about New Zealanders. For example, if a

communication is to be intercepted on a New Zealand network, it can be done only if

an interception warrant is secured. Therefore, it is on the record that it has been

gone through properly with all the levels of scrutiny that are now available, and

reviewed in addition to that scrutiny.

33 Hansard 8 May 2001.34 Ibid. The emphasis is mine.


16/36

There is a review of the process in retrospect, so that we can be satisfied that there

are no loopholes. New Zealanders can be assured, far more than ever before, that

we now have a very, very thorough process. It should give them complete

confidence that their interests are not being undermined while their interest in

having an adequate external security is being satisfied.35

Richard Prebble MP echoed Mrs Shipleys comment that the Bill completed the legislative

framework underpinning New Zealand security services whilst at the same time stating that

security agencies should be subject to some parliamentary scrutiny wider than just

Ministers. In describing GCSB activities since 1970 he claimed:

Of course it was always lawful, but because it was not under a statutory framework

and did not have specific parliamentary scrutiny, it was possible for people to make

up the most fanciful explanations of what our Government bureau was doing.36

The purpose of the legislation, according to Mr Phil Goff MP, was to introduce transparency,clarity and accountability to the entire framework of New Zealands security arrangements.

The Security Intelligence Service Act 1969 had been in place for many years. Clearly, it was

time that the GCSB should be placed on the same footing. At the same time, Mr Goff felt the

need to emphasise the assurances that had been given by Mr Cullen and Mrs Shipley.

The Government Communications Security Bureau, of course, could continue to

operate on the same basis as it has, but this Government believes it is preferable

that security and intelligence agencies operate within a clear legislative framework

that prescribes their powers and sets out their accountabilities. That is the purpose

of this bill. In that sense, this bill is an important step towards greater transparency

in the work of security and intelligence agencies.

Oversight of the Government Communications Security Bureau has already been

significantly advanced by the passage back in 1996 of the Inspector-General of

Intelligence and Security Act and the Intelligence and Security Committee Act. Both

those pieces of legislation have been important in ensuring that there is oversight

and supervision of security agencies. The Act created the position of Inspector-

General of Intelligence and Security, which, by tradition, is filled by a retired High

Court or Court of Appeal judge.

This bill contributes to a clear public understanding of the work of the Government

Communications Security Bureau by setting out what its legitimate roles are. The

legislation specifies the bureau's objective and functions. It creates a regime for the

interception warrants to be issued, and, likewise, for computer access authorisations

to be issued. The objective of the agency is to contribute to New Zealand's security

and defence, its international and economic well-being, and its general conduct of

international relations. It does that quite simply and quite openly by providing

foreign intelligence, including the interception of foreign communications.

35 Ibid.36 Ibid.


17/36

Clause 4 is a key clause because it provides legislative protection for the rights of

ordinary New Zealanders. It specifies, for example, that the bureau may not take any

action for the purpose of intercepting the communications of a New Zealand citizen

or a permanent resident unless that person is acting in the capacity of a

representative or an agent of a foreign Government or organisation.

In particular, this legislation makes it clear that the bureau's signal intelligence

operations do not target the communications of New Zealand citizens. That is not

simply a matter of faith, it is confirmed annually in the reports of the Inspector-

General of Intelligence and Security. The Inspector-General also provides

oversight to ensure that the operations of the bureau do not have an adverse or an

improper effect on the privacy or personal security of New Zealanders, and each year

his obligation---his role---is to confirm that this is the case.37

The Bill was then referred to the Security and Intelligence Committee and came back

before the House for its second reading on 19 November 2002. In the meantime, theLaw and Order Committee reported back to the House on the Crimes Amendment Bill

No 6 on 18 July 2001, two months after the GCSB Bill was introduced.

Nothing was said about why it was necessary to introduce the Bill at this precise time

other than the rather general remarks to the effect that it introduced transparency and,

as Ms Shipley said was the last step in the series of legislative measures that have

brought New Zealand's security and intelligence framework into a much more public

setting. So what had changed between November 2000 and May 2001 that necessitated

the introduction of the GCSB Bill, and that meant that there had to be clarity,

transparency and accountability in its operations. In a word the Internet.

If one looks at the earlier operations of the GCSB it had conducted its operations mainly

through the satellite stations situated at Waihopai and Tangimoana. Their work as all

about wireless signals monitoring and interception. The Internet had changed all that.

Although there are many ways of connecting to the Internet essentially the basic

structure of the Internet is a hardwired backbone to which people connect. This, and the

nature of digital technologies and communications were paradigmatically different from

the systems with which the GCSB had earlier dealt.

New and enhanced surveillance and monitoring capabilities were introduced by the newparadigm. Tools such as Carnivore an e-mail monitoring system operated by the FBI

and Echelon an established signals intelligence and analysis programme operated by

the five signatory states to the UK USA Security agreement (of which New Zealand was a

signatory) were directly involved in data and intelligence analysis involving aspects of

the Internet. If New Zealand was to fulfil its obligations within the context of

international security protocols, the scope of GCSB operations would have to be

extended. Part of that involved accessing computers without the knowledge or

authorisation of the operator, but with some form of approval process akin to a warrant.

And in this respect there was a problem created by the new offence proposed in SOP 85

37 Ibid. Again, the emphasis is mine.


18/36

and in the proposed widening of the scope of privacy protections in Part 9A of the

Crimes Act. Clearly the proposed s. 305ZFA was seen as insufficient, together with a

desire to clarify the scope of GCSB powers. The widened opportunities for surveillance

introduced by the Internet meant that the powers of the GCSB had to be widened

commensurately. In addition, with widened opportunities for surveillance activity, the

lack of an accountable and transparent system might attract adverse comment from the

Inspector-General of Intelligence and Security.

Concern was also expressed from other quarters. Bruce Slane, the Privacy Commissioner

at the time made a detailed submission on SOP 85. In the course of that submission he

expressed his concern with the privacy implications associated with large-scale

electronic surveillance. He was especially concerned with the position of the GCSB and

said:

A precursor to GCSB having the benefit of an exemption from the prohibition on the

use of listening devices, should be to place the Bureau on a statutory footing; and

create a statutory warrant process for the Bureau to undertake any intrusive activityparticularly where that activity would, if performed by any other person, constitute a

breach of the law.38

It should also be noted that the fateful day of 11 September 2001 was still some months

away.

The Law and Order Committee Report on the Crimes Amendment Bill No 6 18 July2001In its report the Committee made reference to the provisions relating to exemptions for

state agencies to interception procedures observing concerns at the:

inclusion of qualified exemptions for State agencies from the unauthorised accessoffence, and the belief that there are insufficient safeguards or controls on these

agencies to warrant these exemptions being granted

proposed changes to the definitions of "private communication" and"interception device", and the effect this has on the scope of authorised

interceptions by agencies such as the police and the GCSB.39

The GCSB Bill received special mention. It was observed that the Bill contained an

authorisation process, a requirement for annual reports and oversight of interception

warrants and computer access authorisations by the Inspector General. It was unclear

whether or not the GCSB would be enacted before the amendments to the Crimes Act

and for that reason the Law and Order Committee recommended that the GCSB

exemption be retained. Without that the GCSB would be unable to intercept any private

38 Report by the Privacy Commissioner to the Minister of justice on Supplementary Order Paper No 85 to the

Crimes Amendment Bill (No 6) 13 December 2000 at para 3.2.4. For additional concerns and especially a

critique of s. 305FZA see para. 3.4.1 3.4.5.39 Crimes Amendment Bill (No 6) and Supplementary Order Paper No 85 Report of the Law and Order

Committee (House of Representatives, Wellington 18 July 2001) p.3.


19/36

communications in the interim which could pose a security risk to the country. However,

the Committee suggested that the authorisation process be tightened up.

We consider the following amendments will increase the level of transparency and

safeguards related to the exercise of the GCSBs interception operations, and will

also serve as interim measures between the enactment of this bill and the GCSB Bill.

Therefore, we recommend inserting the following authorisation requirements in

new clause 19, proposed new section 255

a written authorisation process

limitations to the term of an authorisation to no more than 12 months (subject to a

right of renewal)

irrelevant records must be destroyed.40

The Committee also went on to observe the interrelationship between computer access

and the offences against privacy.

We note that in exercising its functions in relation to intercepting "private

communications" the GCSB could, arguably, also be 'accessing a computer system'.This is because the definition of "computer system" includes "any communication

links between computers". The inclusion of the term "communication links" could

mean that in carrying out its interception functions the GCSB may also require an

authorisation for computer access for each intercepted communication, under the

unauthorised access offence.

Therefore, we consider a new subsection should be added in new clause 19,

proposed new section 255(4), which provides the GCSB with an exemption from the

unauthorised access offence to align it with its exemption from the interception

offence in clause 16B. This ensures that the GCSB is not at risk of committing thecomputer access offence when carrying out its interception operations, and would

have the same authorisation procedure for the same activity.

We recommend that new clause 19, proposed new section 255, be amended to

include an exemption for an employee of the GCSB when accessing communications

links between computers for purposes of foreign intelligence gathering.41

In terms of the exemption from an interception offence under Part 9A of the Act, the

Committee what the following to say within the context of intelligence gathering

capabilities as well as emphasising that the scope of those activities was restricted toforeign intelligence collection:

Under clause 16B(5), the GCSB is exempt from the offence in section 216B of the

Act that prohibits the use of listening devices to intercept private communications.

This in effect preserves the existing exemption held by the GCSB for its Waihopai

site, and extends the exemption to cover all interception devices operated by the

GCSB. This means that the exemption is no longer site specific.

Several submitters register concern about this exemption on the grounds that:

the GCSB does not have a statutory basis (discussed above)

40 Ibid. p.4.41 Ibid p. 4 -5.


20/36

the scope of communications the GCSB can lawfully seek to access or

intercept is unclear and too broad, because of the descriptions of the

terms "foreign organisation", "foreign person", and "foreign intelligence".

We consider the exemption in clause 16B (5) is necessary in order to preserve the

existing foreign intelligence collection capabilities, for which no warrant is required.

Placing the exemption in the statute will increase public transparency in relation to

the Waihopai facility and, by extending the exemption to the other sites operated by

the GCSB, will avoid the risk that they may have to cease operations in order to avoid

committing an offence.

We recognise there is concern about the specific scope of communications that the

GCSB can collect as part of their lawful operations. We consider some of these

concerns may be allayed by further clarifying the definition of "foreign organisation"

for the purposes of the GSCBs foreign intelligence collection. This definition is

consistent with the definition in the GCSB Bill. We recommend the definition in

clause 16A be amended as follows:"foreign organisation means-

( a) a Government of any country other than New Zealand; or

(b) an entity controlled by the Government of any country other than New

Zealand; or

( c) a company or body corporate that is incorporated outside New

Zealand; or

(d) a company within the meaning of the Companies Act 1993 that is, for the

purposes of the Companies Act 1993, a subsidiary of any company or body

corporate incorporated outside New Zealand; or

( e) an unincorporated body of persons consisting exclusively of foreignorganisations or foreign persons that carry on activities

wholly outside New Zealand; or

(f) an international organisation; or

(g) a person acting in his or her capacity as an agent or a representative of

any Government, body, or organisation referred to in any of paragraphs (a) to

(f)".42

One interesting reference was made to the concept of remote access searches. The issue

was whether or not a search of a computer system may be carried out without entry

onto the premises where the computer was held, and whether there was a power underthe Summary Proceedings Act to conduct a remote access search.

We do not consider the bill provides the police with additional powers but acts to

preserve existing ones. This clause assists in the interpretation of the concept of

"authorisation" in clause 19, new section 305ZF A, by putting it beyond doubt that

law enforcement agency accessing of a computer system pursuant to existing

statutory and common law powers is not unauthorised access.

42 Ibid. p. 7-8.


21/36

We note there is some debate about whether the current law allows the police to

conduct remote searches. However, we do not believe the bill is the appropriate

vehicle to extend or restrict police search powers. We consider that the current

review being undertaken by the Law Commission into police search powers

(including consideration of new technology and related privacy concerns) is more

appropriate.

The issue of remote access searches remained in legal limbo until 2012 and the enactment

of the Search and Surveillance Act 2012 which provides for remote access searches.

However, there is still some dispute between whether or not a remote access search as

described above and referred to be the Privacy Commission may be covered by a normal;

search warrant (applying the extended definition of a computer system which, according

to some includes the entire Internet) or by a remote access warrant.43

As far as the computer crimes offences were concerned, the Committee recommended that

the proposed offence of accessing a computer system without authorisation shouldproceed. A few minor changes were made to the existing sections but there were two

additional provisions that were recommended. The first was that in addition to the offences

set out in the section relating to damaging or interfering with computer systems, there

should be the addition of an offence of causing a computer system to fail or deny service to

an authorised user.

The Committee also recommended the addition of a new offence the making, selling or

distributing of software for committing crime.

Both of these recommendations went forward and were incorporated into the Bill and therewas a restructuring of the numbering of the provisions of the Bill so what emerged from the

Select Committee may be shown as follows:

Section Amendment

249 Interpretation covering definition particularly of

access and computer system.

250 Creation of a new offence of accessing a computer

system for a dishonest purpose.

251 The creation of a new offence of damaging orinterfering with a computer system.

252 The creation of a new offence of making, selling or

distributing or possessing software for committing

a crime.

253 Accessing a computer system without

authorisation.

43

This is a matter with which I have dealt in my examination of the cyber search provisions of the Search andSurveillance Act 2012.http://theitcountreyjustice.wordpress.com/2013/03/24/cybersearches-computer-and-

remote-access-searches/(last accessed 25 August 2013)
http://theitcountreyjustice.wordpress.com/2013/03/24/cybersearches-computer-and-remote-access-searches/http://theitcountreyjustice.wordpress.com/2013/03/24/cybersearches-computer-and-remote-access-searches/http://theitcountreyjustice.wordpress.com/2013/03/24/cybersearches-computer-and-remote-access-searches/http://theitcountreyjustice.wordpress.com/2013/03/24/cybersearches-computer-and-remote-access-searches/http://theitcountreyjustice.wordpress.com/2013/03/24/cybersearches-computer-and-remote-access-searches/http://theitcountreyjustice.wordpress.com/2013/03/24/cybersearches-computer-and-remote-access-searches/


22/36

254 A qualified exemption to access without

authorisation for the New Zealand Securities

Service.

255 A qualified exemption to access without

authorisation for the GovernmentCommunications Security Bureau.

It was not until 2003 that Parliament had another opportunity to consider and debate the

Committee Report. In the meantime there was further activity regarding the GCSB Bill. The

second reading debate resumed on 19 November 2002 and did not continue until 4 March

2003. The Bill received further consideration towards the end of March.

Keith Locke MP, a long-time opponent of the facility at Waihopai, expressed support for the

statutory recognition of an organisation that had for 25 years existed without statutory

foundation. He questioned whether the security of Government communications could notbe carried out by the New Zealand Police, expressing concern at the threat to privacy posed

by the GCSB. He said:

The main functions of the Government Communications Security Bureau are

purposesand these are the most expensive onesthat we should not

identify with. When we talk about communications security, the main facility

of the Government Communications Security Bureau is the Waihopai satellite

communications interception station near Blenheim..

Interception of communications, is very important. It is a considerable

invasion of our privacy when an agency like the Government

Communications Security Bureau is given the right to intercept electronic

communications, which we use so much these days, and, in tandem with the

Crimes Amendment Bill (No 6) and the Telecommunications (Interception

Capability) Bill, the powers to intercept electronic communications of all

types, plus the right to hack into peoples computersthat is, to access

peoples computers remotely, without them even knowing that that is

happening.44

Other members speaking commented upon the relationship of GCSB activities primarily in

regard to the privacy provisions contained in Part 9A of the Crimes Act. Mr Richard Worth

MP in particular made the following observation:

The first relates to the Crimes Act amendment that is set out in clause 26, and a

significant change to section 216B(2)(b) of the Crimes Act. Members opposite are

nodding quite clearly, because they have a close and sufficient familiarity with that

particular and very tricky provision. Section 216B is headed Prohibition on the use

of listening devices, and subsection (1) was itself amended in 1999. Basically, the

44

Hansard Debates 25 March 2003http://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-

%E2%80%94-in-committee(last accessed 22 March 2013).
http://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committeehttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill-%E2%80%94-in-committee


23/36

provision creates a term of imprisonment not exceeding 2 years for everyone who

intentionally intercepts any private communication by means of a listening device.

The particular change in clause 26 proposes to amend section 216B(2)(b) by inserting

after subparagraph (iii) a further subparagraph that the draughtsman has identified

as subparagraph (iii)(a). It contains the words: the Government Communications

Security Bureau Act 2001;. Members opposite will immediately be aware of the

huge significance of that change. That change is not necessarily the most significant

one, but it is certainly one worth commenting on.45

The Act was passed a few days later and received the assent of the Governor General on 1

April 2003. The concerns expressed by the Law and Order Committee regarding the

enactment of the GCSB Act had faded. There was now no longer the necessity for s. 305FZA

because the GCSB Act prescribed the circumstances where the GCSB could access

computers and intercept communication under warrant. So now the focus shifts to the final

stages of the Crimes Amendment Bill (No. 6)

Crimes Amendment Bill (No 6) June - July 2003The final stages of the passage of the Crimes Amendment Bill (No 6) came in June and July

2003. On 12 June 2003 the report of the Law and Order Committee was further considered,

Mr George Hawkins MP observing that the faster that the Bill progressed through the House

the better.46 There was further debate on 1 July 2003 with the final debate and third

reading on 4 July 2003. The new Act received Royal Assent on 7 July 2003 and commenced

on 1 October 2003.

On 12 June 2003 Brian Connell MP drew attention to the hacking provision introduced by

SOP 85, considering it important given the increasing reliance upon computer systems,

threats posed by terrorism and especially in the area of dishonesty and credit card fraud. He

closed by observing:

I raised the fact that this bill was first introduced in 1999. The world has moved on

quickly since then, and, moreover, it moves on more quickly in the area of e-

commerce and the computer world than in other areas. As a parting thought, I say

that this legislation, which I wholeheartedly support, needs to be frequently

reviewed in order to keep pace with the changing nature of the industry. There is no

point in dusting this legislation off and thinking that we have done our job as a

Parliament, if we do not continually look at it on a regular basis. My experience in

the industry suggests that every 2 or 3 years it would be appropriate to do that.47

Phil Goff MP observed that the passage of the GCSB Act meant that a number of provisions

in the Bill were no longer necessary.48

45 Ibid.46 Hansard 12 June 2003http://www.parliament.nz/en-

nz/pb/debates/debates/47HansD_20030612_00001129/crimes-amendment-bill-no-6-%E2%80%94-

consideration-of-report(last accessed 22 August 2003).47 Ibid.48 Ibid. He was clearly referring to the prescription contained in s.305ZFA.
http://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030612_00001129/crimes-amendment-bill-no-6-%E2%80%94-consideration-of-reporthttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030612_00001129/crimes-amendment-bill-no-6-%E2%80%94-consideration-of-reporthttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030612_00001129/crimes-amendment-bill-no-6-%E2%80%94-consideration-of-reporthttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030612_00001129/crimes-amendment-bill-no-6-%E2%80%94-consideration-of-reporthttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030612_00001129/crimes-amendment-bill-no-6-%E2%80%94-consideration-of-reporthttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030612_00001129/crimes-amendment-bill-no-6-%E2%80%94-consideration-of-reporthttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030612_00001129/crimes-amendment-bill-no-6-%E2%80%94-consideration-of-reporthttp://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030612_00001129/crimes-amendment-bill-no-6-%E2%80%94-consideration-of-report


24/36

As the debate continued on 17 June 2003, Tony Ryall MP noted concerns that existed when

SOP 85 was introduced and the care that would be needed to ensure unwarranted

intrusions into the privacy of citizens did not occur.

There was considerable concern at the time the Supplementary Order Paper came

in that what was being proposed was a permanent attachment to the telephone

exchanges, with a continuous feed to the intelligence agencies, and only when the

intelligence agencies had a warrant would they actually turn that feed on and allow

them to monitor what was going on.49

Mark Alexander MP addressed the interrelationship between the Crimes Amendment Bill

and the passage of the GCSB Act.

I note the work of the select committee in examining this bill and the changes it has

made as far as ensuring that members of the Government Communications Security

Bureau and our other intelligence agencies will not be prosecuted under the bill for

the legitimate activities they can carry out in protecting national security and similar

matters. They are positive changes. One example is the recent GovernmentCommunications Security Bureau offshoot, the Centre for Critical Infrastructure

Protection, which I am led to believe is directed to protect our critical infrastructures

such as power grids, water supplies, and air travel, from Internet-based crime.50

On 1 July 2003, Keith Locke MP raised a matter of concern that the passage of the Crimes

Amendment Bill and the introduction of SOP 85 was a back-door move to increase the

ability for Government agencies such as the SIS and the GCSB to increase surveillance

activity.

Instead of improving our ability to apprehend lawbreakers, we are giving thoseagencies the ability to affect in some way our privacy, which is a right under the New

Zealand Bill of Rights Act that should be very much upheld in our society. No good

reason is given in this bill for doing that, and a lot of innocent people will get caught.

Members should think about how many emails they receive in a week and in a

yearit ends up being thousands and thousandsand if any one of the people who

send those emails is intercepted under these provisions, then a members

communications will also be intercepted and could end up being affected in that

way.

I accept that there has to be a balance, and sometimes we may give away, to some

extent, the hard-won right to privacy if there is a very clear community gain. That isthe real spirit of a crimes amendment bill, but no one gave any statistics or anecdotal

evidence to the Law and Order Committee through any stage of its consideration of

this bill to show that we would catch many extra criminals through giving the police

and the intelligence services that ability. We need such evidence if we are to give

away our privacy in that respect. This bill is about the Crimes Act and about catching

49 Hansard 17 June 2003http://www.parliament.nz/en-

nz/pb/debates/debates/47HansD_20030617_00001917/crimes-amendment-bill-no-6-%E2%80%94 (lastaccessed 22 August 2003).50 Ibid.
http://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030617_00001917/crimes-amendment-bill-no-6-%E2%80%94http://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030617_00001917/crimes-amendment-bill-no-6-%E2%80%94http://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030617_00001917/crimes-amendment-bill-no-6-%E2%80%94http://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030617_00001917/crimes-amendment-bill-no-6-%E2%80%94http://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030617_00001917/crimes-amendment-bill-no-6-%E2%80%94


25/36

criminals, and everyone knows that serious criminals can very easily avoid

interception using code, encryption, and those sorts of things.51

Ron Marks MP picked up the theme that the Bill seemed to focus more on surveillance than

on Crime. He said:

I

Date post:	08-Aug-2018
Category:	Documents
Upload:	djhdcj
View:	213 times
Download:	0 times

The Crimes Amendment Act 2003 and the Government Communications Security Act 2003 – An...

Documents