PROVISION OF REAL-TIME LAWFUL INTERCEPTION ASSISTANCE

THE TELECOMMUNICATIONS (INTERCEPTION CAPABILITY AND SECURITY) ACT 2013

The Telecommunications (Interception Capability and Security) Act 2013 (TICSA) is New Zealand’s primary piece of legislation governing the interception of telecommunications. The TICSA requires a network operator to assist a surveillance agency in the interception of telecommunications upon receipt of an interception warrant or evidence of other lawful interception authority (for the purposes of this report, these two forms of interception authority will together be referred to as interception warrants and only distinguished when necessary).

The government has the legal authority to issue an interception warrant, giving rise to an obligation for a network operator to assist in the interception of telecommunications under the TICSA, under the following enactments:

  • the Government Communications Security Bureau Act 2003 (GSCB Act);
  • the Search and Surveillance Act 2012 (SAS Act); and
  • the New Zealand Security Intelligence Service Act 1969 (NZSIS Act).

Section 24 of the TICSA requires a network operator who is shown a copy of an interception warrant authority to assist a surveillance agency in the interception of individual customer communications by:

  • making available any officers, employees or agents who are able to provide any reasonable technical assistance that may be necessary for the agency to intercept a telecommunication that is subject to the interception warrant; and
  • taking all other reasonable steps that are necessary for the purpose of giving effect to the interception warrant, including, among other things, assisting to
    • identify and intercept telecommunications without intercepting telecommunications that are not authorised to be intercepted;

to carry out the interception of telecommunications unobtrusively, without unduly interfering with any telecommunications, and in a manner that protects the privacy of telecommunications that are not authorised to be intercepted; and

undertake the actions efficiently and effectively and:

  • if it is reasonably achievable, at the time of transmission of the telecommunication; or
  • if it is not reasonably achievable, as close as practicable to that time.

In addition, section 9 of the TICSA requires network operators with more than 4,000 customers to ensure that every public telecommunications network that the operator owns, controls, or operates and every telecommunications service that capability includes the duty to ensure that the interception capability is developed, installed and maintained (see section 9(3) of the TICSA).

Under section 10(1) of the TICSA, a network operator will have complied with this interception capability obligation if every surveillance agency that is authorised by an interception warrant is able to:

  • identify and intercept telecommunications without intercepting telecommunications that are not authorised to be intercepted;
  • obtain call associated data relating to telecommunications (other than telecommunications that are not authorised to be intercepted);
  • obtain call associated data and the content of telecommunications (other than telecommunications that are not authorised to be intercepted) in a usable format;
  • carry out the interception of telecommunications unobtrusively, without unduly interfering with any telecommunications, and in a manner that protects the privacy of telecommunications that are not authorised to be intercepted; and
  • undertake these actions efficiently and effectively at the time of transmission of the telecommunication or, if it is not reasonably achievable to do so, as close as practicable to that time.

Notably, under sections 14 and 15 of the TICSA, a network operator does not have to provide an interception capability in respect to:

  • any infrastructure-level service it provides (i.e. the provision of a physical medium, such as optical fibre cable, over which telecommunications are transmitted); or
  • any wholesale network service it provides (i.e. a service provided by a network operator to another network operator over a network it owns and operates). Although, the network operator must still ensure that the wholesale network service is intercept accessible, as that phrase is defined under section 12 of the TICSA.

However, the Minister for Communications and Information Technology, on application by a surveillance agency (see section 17 of the TICSA), reserves the right to make a direction requiring a network operator providing an infrastructure-level service or a wholesale network service to:

  • provide full interception capabilities in respect to the service in the manner described under section 10(1) of the TICSA; or
  • ensure that the service is intercept accessible or intercept ready (as those terms are defined in sections 11 and 12 of the TICSA).

Network operators providing these infrastructure-level or wholesale network services are typically subject to less strenuous requirements under the TICSA, only being required to be “intercept ready” or “intercept accessible” as opposed to having full interception capability. Similarly, under section 20 of the TICSA, the Governor-General of New Zealand may, by Order in Council, on the recommendation of the Minister for Communications and Information Technology, make regulations requiring particular network operators, regardless of the service which they operate, to comply with section 9 of the TICSA and thus ensure that their services have full interception capability.

Section 24 of the TICSA also requires a network operator who is shown a copy of an interception warrant to assist a surveillance agency by making available any officers, employees or agents who are able to provide any reasonable technical assistance that may be necessary for the agency to intercept a telecommunication that is subject to the warrant or authority. Therefore, under the TICSA, on receipt of an interception warrant a network operator could be required to assist in the implementation of interception capabilities on the network operator’s network.

Section 26 of the TICSA requires that, while assisting in the interception of a telecommunication, a network operator must take all practicable steps that are reasonable in the circumstances to minimise the likelihood of intercepting telecommunications that are not authorised to be intercepted.

Under section 114 of the TICSA, the cost of implementing the interception capability must be borne by the network operator. Subject to limited circumstances, the surveillance agency presenting the interception warrant is responsible for paying the actual and reasonable costs incurred by a network operator in assisting the agency (see section 115 of the TICSA).

An interception warrant requiring a network operator to assist in the interception of individual customer communications under the TICSA could be issued under the following enactments in the described circumstances:

GOVERNMENT COMMUNICATIONS SECURITY BUREAU ACT 2003 (GCSB ACT)

Under section 15A(1)(a) of the GCSB Act, the Director (defined as being the chief executive of the Government Communications Security Bureau (the GCSB)) can apply to the Minister responsible for the GCSB (the GCSB Minister) for an interception warrant authorising the use of interception devices to intercept particular kinds of communications. The GCSB Minister can grant the interception warrant if, among other things, the GCSB Minister is satisfied that that the proposed interception is for the purpose of cyber security and intelligence gathering. The interception warrant may request a person to give assistance that is reasonably necessary to give effect to the warrant (see section 15E of the GCSB Act). Therefore, an interception warrant issued under the GCSB Act may require a network operator to assist in the interception of telecommunications through the installation of interception devices on its own network, in compliance with its obligations under section 24 of the TICSA.

Section 24 of the GCSB Act imposes a duty on those assisting in an interception to minimise the likelihood of intercepting communications that are not relevant to the persons whose communications are to be intercepted.

SEARCH AND SURVEILLANCE ACT 2012 (SAS ACT)

Under section 53 of the SAS Act, a District Court Judge or a Judge of the High Court (a Judge) may issue a surveillance device warrant (a form of interception warrant under the TICSA) on application by an enforcement officer (in most cases, a constable). A Judge may grant a surveillance device warrant if the Judge is satisfied that there are reasonable grounds to suspect that an offence has been, or will be, committed and that the proposed use of the surveillance device will obtain information that is evidential material in respect of the offence. A surveillance device warrant permits, among other things, an enforcement officer to use an interception device to intercept a private communication and may specify that the enforcement officer use any assistance that is reasonable in the circumstances (see section 55(3)(f)). Therefore, an interception warrant issued under the SAS Act may require a network operator to assist in the interception of telecommunications through the installation of an interception device on its own network, in compliance with its obligations under section 24 of the TICSA.

THE NEW ZEALAND SECURITY INTELLIGENCE SERVICE ACT 1969 (NZSIS ACT)

Under section 4A(1) of the NZSIS Act, the Minister in charge of the New Zealand Security Intelligence Service (NZSIS) (the NZSIS Minister) and the Commissioner of Security Warrants may jointly issue a domestic intelligence warrant, or, under section 4A(2) of the NZSIS Act the NZSIS Minister acting alone may issue a foreign intelligence warrant (both intelligence warrants being a form of interception warrant under the TICSA). An intelligence warrant may be issued if the interception to be authorised is necessary for, among other things, the detection of activities prejudicial to security, or for the purpose of gathering foreign intelligence information essential to security. An intelligence warrant authorises a person to, among other things, intercept or seize any communication, document, or thing not otherwise lawfully obtainable by the person, including the installation or modification of any device or equipment. The Director of Security may request any person or organisation to give specified assistance to an authorised person for the purpose of giving effect to an intelligence warrant. Therefore, an intelligence warrant issued under the NZSIS Act may require a network operator to assist in the interception of telecommunications, in compliance with its obligations under section 24 of the TICSA.

DISCLOSURE OF COMMUNICATIONS DATA

THE TELECOMMUNICATIONS (INTERCEPTION CAPABILITY AND SECURITY) ACT 2013

Section 24 of the TICSA requires a network operator who is shown a copy of an interception warrant to assist a surveillance agency by, among other things, assisting in obtaining call associated data and the stored content relating to telecommunications.

Call associated data includes data that is generated as a result of the making of the telecommunication (whether or not the telecommunication is sent or received successfully) and that identifies the origin, direction, destination, or termination of the telecommunication, as well as more specific information (see section 3 of the TICSA). If the metadata relating to customer communications being requested by the government under an interception warrant falls within the definition of call associated data, a network operator would be required to assist the surveillance agency in obtaining that data.

The surveillance agency with the interception warrant is responsible for paying the actual and reasonable costs incurred by a network operator in assisting the agency.

An interception warrant requiring a network operator to assist in the obtaining of call associated data or stored content could be issued under the following enactments in the described circumstances:

  • The GSCB Act
    • In relation to section 15A(1)(a) of the GCSB Act, in particular circumstances the GCSB Minister may, under section 15A(1)(b) of the GCSB Act, grant an access authorisation (a form of interception warrant) authorising access to the information infrastructure of a network operator, which includes all communications and information contained within its communications systems and networks. The access authorisation may request a person to give assistance that is reasonably necessary to give effect to the authorisation (see section 15E of the GCSB Act). Therefore, an access authorisation issued under the GCSB Act may require a network operator to assist a surveillance agency by granting access to its communications contained in its information infrastructure, and hence any metadata (being information that would constitute a “communication”) and any stored communications that the network operator holds.
  • The SAS Act
    • A surveillance warrant could require a network operator to disclose metadata relating to customer communications to aid the enforcement officer in its interception efforts. Similarly, and in any event, a surveillance device warrant allows an enforcement officer to require a network operator to disclose call associated data in relation to a telecommunication of which the content the enforcement officer has intercepted (see section 55(3)(g) of the SAS Act) (i.e. if the content of the telecommunications had already been obtained by the enforcement officer through another means).
  • The NZSIS Act
    • As a document includes any information stored by any means (see definition under section 2(1) of the Official Information Act 1982), an interception warrant issued under the NZSIS Act could require the disclosure of all metadata information that a network operator holds, as well the stored content of telecommunications. A network operator would then, in being requiring to assist in the execution of a warrant, be required to obtain call associated data and communications content under section 24(b)(iii) of the TICSA (if the metadata requested under the SAS Act was not already held).

In addition, under sections 71 and 74 of the SAS Act, an enforcement officer may apply to an issuing officer for a production order against a person in respect of documents. Documents are defined as including call associated data (which could include metadata) and the content of telecommunications in respect of which, at the time an application is made for a production order against a network operator, the network operator has storage capability for, and stores in the normal course of its business, that data and content.

A production order will only be made if: • there are reasonable grounds to suspect that an specified offence has been, or will be, committed; • the documents sought by the proposed order are likely to constitute evidential material in respect of the offence; and • are in the possession or under the control of the person against whom the order is sought, or will come into his or her possession, or under his or her control while the order is in force (see section 72).

When the documents are produced under a production order, the enforcement officer may retain the original copies, or take copies, or require the person producing the documents to reproduce the information recorded in the documents in a usable form (see section 78 of the SAS Act). An original copy must be returned as soon as possible (see section 79 of the SAS Act).

NATIONAL SECURITY AND EMERGENCY POWERS

The government’s power to issue intelligence warrants (a form of interception warrant under the TICSA) on the grounds of national security under section 4A of the NZSIS Act, and the possible assistance the intelligence warrants can require from network operators, is outlined above.

INTERNATIONAL TERRORISM (EMERGENCY POWERS) ACT 1987

Under section 10 of the ITEPA, in the circumstances of an international terrorist emergency where emergency powers are exercisable, a constable may requisition any land, building or equipment within the area in which the emergency is occurring and place the property under the control of a constable. This could conceivably involve the requisitioning of a network operator’s network equipment.

Further, under the ITEPA a constable may, for the purpose of preserving life threatened by any emergency:

  • connect any additional apparatus to, or otherwise interfere with the operation of, any part of the telecommunications system; and
  • intercept private communications.

This power specified may be exercised only by, or with the authority of, a constable who is of or above the level of position of inspector, and only if that constable believes, on reasonable grounds, that the exercise of that power will facilitate the preservation of life threatened by the emergency. This power would again constitute a “lawful interception authority” under the TICSA (being a authority to intercept communications in an emergency situation granted to a member of a surveillance agency), thus imposing obligations on network operators to assist the enforcement officer under the TICSA just as they would be required in the situation of being shown an interception warrant.

Under section 18 of the ITEPA, no person who intercepts or assists in the interception of a private communication (such as a network operator) under section 10(3), or acquires knowledge of a private communication as a direct or indirect result of that interception, shall knowingly disclose the substance, meaning, or purport of that communication, or any part of that communication, otherwise than in the performance of that person’s duty.

OVERSIGHT OF THE USE OF THESE POWERS

Under section 15 of the GCSB Act, the GCSB Minister authorises a warrant if s/he is satisfied that the proposed interception is for the purpose of cyber security and intelligence gathering.

Under section 53 of the SAS Act, only a Judge may issue a surveillance device warrant. Further, only a Judge or a person, such as a Justice of the Peace, Community Magistrate, Registrar, or Deputy Registrar, who is for the time being authorised to, may act as an issuing officer under section 108 of the SAS Act and make a production order.

Under sections 158 and 159 of the SAS Act, a person who has an interest in the produced documents (i.e. a customer of a network operator) may apply to the District Court for access to, or the release of, the things produced.

Under section 4A(5) of the NZSIS Act, when the identification of foreign capabilities that impact on New Zealand’s international or economic well-being is in issue, before issuing an intelligence warrant the NZSIS Minister must consult with the Minister of Foreign Affairs and Trade about the proposed intelligence warrant.

CENSORSHIP RELATED POWERS

SHUT-DOWN OF NETWORK AND SERVICES

The government does not have the legal authority to order the shut-down of Vodafone’s network or services.

INTERNATIONAL TERRORISM (EMERGENCY POWERS) ACT 1987

Under Section 10 of the International Terrorism (Emergency Powers) Act 1987, in the circumstances of an international terrorist emergency, a police constable (not below the position of inspector) may requisition any property (including land, buildings and equipment) of a network operator within the area in which the emergency is occurring. While it is conceivably possible that the practical effect of seizing certain equipment may mean that the relevant network operator’s network (such as Vodafone’s) is shut down, the Act does not give the Government a legal right to shut down the network.

BLOCKING OF URLS & IP ADDRESSES

FILMS, VIDEOS, AND PUBLICATIONS CLASSIFICATION ACT 1993

Under the Films, Videos, and Publications Classification Act 1993, viewing or owning certain types of material (for example depictions of bestiality or child sex abuse) is forbidden; this applies to material accessed over the internet.

Whilst there is no legal authority for the government to block a URL or IP address, the New Zealand Department of Internal Affairs operates the Digital Child Exploitation Filtering System (“DCEFS”) in partnership with a number of New Zealand internet service providers, including Vodafone. Participation in DCEFS is voluntary.

Under the DCEFS, the Department of Internal Affairs maintains a list of banned websites and their URLs. Using a routine protocol it has in place with the participating internet service providers, each time a person tries to access a website (banned or not) their request is routed through the Department of Internal Affairs’ server; that server filters each request to determine whether access to the website is allowed. If the website URL is on the list of banned websites, access to it is refused.

POWER TO TAKE CONTROL OF VODAFONE’S NETWORK

The government does not have the legal authority to take control of Vodafone’s network.

INTERNATIONAL TERRORISM (EMERGENCY POWERS) ACT 1987

Please see ‘Shut-down of network & services’ above. Whilst it is conceivable that the practical effect of the government’s use of its powers under the International Terrorism (Emergency Powers) Act 1987 could be used to the extent that the government effectively took control of a network provider’s network, the Act does not provide the government with explicit authority to do this.

OVERSIGHT OF THE USE OF POWERS

INTERNATIONAL TERRORISM (EMERGENCY POWERS) ACT 1987

Sections 5 to 8 govern police authority to use the emergency powers provided for under Section 10. Under Section 5 the police commissioner must inform the prime minister as soon as he or she believes that an emergency is occurring; the emergency may be an international terrorist emergency; and the exercise of emergency powers is or may be necessary to deal with that emergency.

Upon being so informed, the prime minister may then hold a meeting with a minimum of 3 Ministers of the Crown to consider whether to authorise use of the emergency powers. If the Ministers of the Crown present at the meeting believe on reasonable grounds that an emergency is occurring, that may be an international terrorist emergency and the exercise of emergency powers is necessary to deal with the emergency. The Minister of the Crown presiding at the meeting may give notice in writing authorising the exercise of emergency powers by the Police. Upon authorisation one of the Ministers responsible must inform the House of Representatives that the authorisation has been given and the reasons why it was given. The House of Representatives must then sit as soon as possible and may by resolution, from time to time, extend that authorisation for no longer than seven days pursuant to Section 7. The House of Representatives may also, at any time, revoke the authorisation pursuant to Section 8. Section 6 requires the Minister who signs the notice authorising the use of emergency powers to inform the public by such means as are reasonable in the circumstances and to publish the authorised notice in the Gazette as soon as practicable.

The authority to exercise the emergency powers expires once the police commissioner is satisfied that the emergency had ended, or is deemed not to be an international terrorist emergency, or at the close of seven days after the day on which the notice under Section 5 was given, whichever is sooner.

This information was originally published in the Legal Annexe to the Vodafone Group Law Enforcement Disclosure Report in June of 2014, which was updated in February of 2015.

Social

Follow us on Twitter @IndustryDialog