By NICKY HAGER – Sunday Star Times
GO TO the heart of one of Telecom or Vodafone’s mobile phone exchanges and you’ll find the whole system – covering a quarter of the country – is run by a single computer, no bigger than a small freezer.
Cables lead off to all the company’s cellphone towers and other parts of the network. A main cable, connecting all those phone users to the world, comes out the top of the computer and passes directly into a unit in the rack above. One cable goes into the unit but two come out: one continuing out to the world, the other coiling off to secret equipment marked “LI” on the system diagrams. “LI” stands for “lawful interception”.
Not long ago, police and Security Intelligence Service (SIS) interception meant tapping your landline phone or bugging your kitchen. Now, under a new surveillance regime ushered in by the 2004 Telecommunications (Interception Capability) Act, a basic interception warrant also allows them access to all your emails, internet browsing, online shopping or dating, calls, texts and location for mobile phones, and much more – all delivered almost instantaneously to the surveillance agencies.
To catch other sorts of communications, including people using overseas-based email or other services, all the local communications networks are wired up as well, to monitor messages en route overseas.
Interception equipment built permanently into every segment of the country’s communications architecture will provide the sort of pervasive spying capability we normally associate with police states.
These developments have been introduced quietly. Neither the government nor the phone and internet companies are keen to advertise their Big Brotherish activities. This doesn’t sound like New Zealand and in fact it was largely pushed on New Zealand from overseas.
The origins of New Zealand’s new system can be traced back 10 years to when British researchers uncovered European Union police documents planning exactly the same sort of surveillance system in Europe. The secret plan, known as Enfopol 98, and reported on by the Weekly Telegraph in 1999, aimed to create “a seamless web of telecommunications surveillance” across Europe, and involved EU nations adopting “International User Requirements for Interception”, to standardise surveillance capabilities.
The researchers found that the moves followed “a five-year lobbying exercise by American agencies such as the FBI”. “When completed, the system will provide a global regime,” it said. New Zealand had been in dialogue with US and European authorities on joining the scheme as early as 1995.
Civil liberties council spokesman Michael Bott says the new capabilities are part of a step-by-step erosion of civil rights in New Zealand. He said people need places to be themselves, talk about their secrets or sound off about politics, without having to wonder who’s listening.
“The fear is that citizens become accustomed to living in a surveillance society and, over time, freedoms of speech and belief are chilled and diminished.”
Bott doesn’t accept claims made by the police and SIS that the expansion from simple phone taps to interception of all electronic communications won’t significantly extend agencies’ powers of surveillance. “When the police invade your house for a search they have to leave a copy of the warrant behind, so at least the citizen has a chance to challenge its legitimacy.
“The contents of email are just as personal as the contents of your underwear drawer – love letters, business accounts, travel plans and the rest – but [with internet surveillance] we never know the police have been snooping and so can’t challenge it.”
But Police Association vice-president Stuart Mills says the new capabilities are required because “criminal networks are using the internet and other new technologies to communicate”. He said: “That’s what the police have to focus on, because they’re obviously aware of the impact that organised crime and drugs is causing at the moment.”
Mills said police would prioritise where they used the new powers and were “not just going to search mum and dad just for the sake of it.” He said: “If they’re not committing criminal offences, there shouldn’t be any concern.”
TECHNICIANS INVOLVED in installing the spying equipment into telecommunication networks told the Sunday Star-Times about black boxes 13cm high and 48cm wide used by internet and phone companies that are labelled on internal system diagrams as “LI”.
The black boxes and other surveillance gear have been kept secret by the companies concerned. Approached by the Star-Times, phone companies declined to discuss their intercept capabilities and most network companies simply did not reply. Technicians were unwilling to talk on the record as their companies are “sensitive” about helping spy on their customers.
The deadline for installing the surveillance gear was April last year, but many companies missed it. In August 2009, four months after the deadline, a telecoms industry body published Guidelines for Interception Capability to help companies comply, and in last year’s budget Police Minister Judith Collins approved extra police funds to subsidise companies installing surveillance devices on telecommunications networks.
ISPs are asked to install a computer outlet that provides a “mirror” of all its email and internet traffic. This should connect to a lockable cabinet where the police or spy agencies can temporarily place their own surveillance equipment.
A second, preferred, approach is for network companies to install intercept equipment that can capture traffic from ISPs as it travels along their cables. Such taps allow surveillance agencies to intercept New Zealanders who use overseas email services such as Gmail.
DURING THE years that New Zealand was being lobbied from abroad to join the “global regime” for telecoms surveillance, police and SIS in New Zealand were also keen on new surveillance powers. They had bugged land-line phones for decades but were having trouble intercepting mobile phones. Telecom voluntarily installed new equipment in the mid-1990s to allow eavesdropping on its mobile phone network. But the surveillance staff were having no luck bugging Bell South’s (later Vodafone’s) mobile network, which used encryption to give customers greater privacy.
In a 2001 cabinet committee policy paper, police said SIS was “impeded in its ability to intercept or decrypt an increasing number of communications”. It said this would restrict the SIS’s ability “to contribute to the international effort to restrict terrorism”.
One of the barriers to effective bugging, the cabinet committee paper said, was the size of the bills they were receiving from telecoms operators. Remarkably, by the early 2000s Telecom was charging government agencies nearly $500,000 a year for assisting search warrants and Vodafone had set “an annual fee of $800,000-$1 million”. The risk, wrote the SIS, was that in the future police wouldn’t be able to afford all the bugging it wanted to do.
These local concerns dovetailed with growing pressure from the United States and its allies to introduce much wider surveillance capabilities.
The Telecommunications (Interception Capability) Act was to be National government legislation, except they lost the 1999 election before the bill reached parliament. The police and SIS lobbied the new Labour-led government instead. Cabinet papers, like earlier ones for National, sought ministers’ agreement for a list of obligations to be imposed on telecommunications operators that came straight from the FBI-sponsored “interception capability” documents. The only issue discussed by cabinet before approving the plans was whether the government or network companies would pay to install the surveillance equipment.
Parliament passed the legislation under urgency in early 2004, following sister legislation several months earlier that gave the police and SIS legal powers to monitor all the email and other internet activity that was being made accessible by the new intercept capabilities.
The law gave network companies five years to install the intercept capabilities and the five years was up last year. Many network companies dragged their feet about installing the new surveillance equipment, despite government subsidy of the cost. After four years of inactivity, a consultant with police and SIS ties attended the NZ Network Operators Group conference in Dunedin last year to read them the riot act.
Dean Pemberton, who had previously set up and run “lawful interception” equipment at TelstraClear, told the roomful of network specialists what “the agencies” expected from them and said the agencies expected them to install devices that could intercept data and forward it to the agencies “on a minute by minute basis”. If companies didn’t have this gear in place, they risked a $500,000 fine and “should get a lawyer”, he said.
He warned: “Agencies take this very seriously… If you try to get wise then you’ll end up in the high court within hours. Don’t be a fool.”
Now, almost 15 years after police and SIS officers went to their first International Law Enforcement Telecommunications Seminar (ILETS) in Canberra, New Zealand is integrated into the “seamless web of telecommunications surveillance” around the globe – a system which from the start had primarily been about US agencies wanting surveillance capabilities beyond their borders.
And this may not be the end of the growth of surveillance in New Zealand. Europe is already at the next stage of surveillance expansion: “data retention”. This is where the email, internet and phone companies are forced by government to store all their customers’ emails, texts, internet use and phone data for, say, two years, making them available to police and spy agencies to trawl for people’s past correspondence and activities.
The EU has rules for data retention in place, requiring companies to keep data for between six months and two years, and the UK currently has a voluntary system.
It is likely New Zealand police and SIS officers have already attended secret overseas meetings on data retention. It’s a good bet they have made commitments to push for it in New Zealand and are already arguing privately in government that they can’t fight crime and protect national security without new data retention legislation. As civil liberties spokesman Michael Bott puts it, the erosion of civil rights is “death by a thousand cuts”.
THE INSIDE STORY
When the Sunday Star-Times first publicised the police and SIS’s surveillance plans in 2000, the government pooh-poohed the suggestion there had been foreign pressure – but refused to release any official papers. After months of work by the ombudsman, we were able to access internal documents and correspondence from the police, plus reports and memos prepared by officials within the Ministries of Commerce and Justice, to get the inside story.
1993: FBI started lobbying European countries to join a standardised surveillance system.
1995: New Zealand officials attended FBI-run International Law Enforcement Telecommunications Seminar (ILETS) in Canberra discussing “International User Requirements on Interception” to be imposed on telecommunications companies.
June 1996: Police and SIS met Justice and Commerce officials at the “Seventh Floor Glass Room” (probably SIS building) to propose legislation on forcing telcos to be interception-capable.
August 1996: ILETS Secretariat faxed NZ Police saying all EU members, plus the US, Canada and Norway, had “indicat[ed] their support for the International User Requirements on interception”, and requested a response from New Zealand.
October 2, 1996: ILETS repeated request. Police replied they were working with Ministry of Commerce to obtain government support.
October 28, 1996: NZ Police report said “a standard set of requirements for law enforcement agencies to intercept telecommunications had been developed” and by legislating for interception capabilities, New Zealand would “be seen to meet international expectations”.
November 1996: Officials met again in Glass Room. Police noted “an international desire” for “global interceptability”. Officials discussed interception capability legislation that would enable police “to respond positively” to the ILETS.
December 1996: ILETS wrote again, asking police for the name of “the appropriate minister or other political officeholder in your country” to whom the European Union Council president could write about adopting the International User Requirements.
1997: Police and SIS officials confirmed their commitment to the International User Requirements at ILETS meeting in Dublin.
December 1997: “Confidential” memo was sent to Prime Minister and SIS Minister Jenny Shipley seeking her support for interception capability legislation. National failed to introduce legislation before losing 1999 election.
2000: Labour takes over National government legislation.
2004: Telecommunications (Interception Capability) Act passed. All phone, email, internet and network companies had to build surveillance devices, conforming with the International User Requirements, into their communications equipment by 2009.
2009: Deadline for installation of new surveillance equipment.
SO WHAT ABOUT ENCRYPTION?
There is one flaw at the heart of the email surveillance plans. You can get around it by using digital encryption, which makes it impossible for anyone else to read the messages. Banks, companies and a growing number of individuals use encryption programmes (programmes such as “PGP” can be downloaded for free from the internet). Currently encryption is easily available only for email and computer hard drives; agencies can still watch all internet browsing and texting. In the 1990s, US surveillance agencies fought to stop the development and spread of encryption, but failed.