Provision of Real-time Lawful Interception Assistance

The information outlined below represents the law as in effect at April 2016. On 11 May 2014 the TICA was repealed and fully replaced by the TICSA. The TICSA contains much of the same requirements set out in the TICA, and goes further in introducing new obligations. For completeness, note that under the TICSA, network operators are now required to register certain details, such as their contact details and details of their general operations, on the register of network operators set up by the Commissioner of Police.

THE TELECOMMUNICATIONS (INTERCEPTION CAPABILITY AND SECURITY) ACT 2013

The TICSA is New Zealand’s primary piece of legislation governing the interception of telecommunications. The TICSA requires a network operator to assist a surveillance agency in the interception of telecommunications upon receipt of an interception warrant or evidence of other lawful interception authority (for the purposes of this report, these two forms of interception authority will together be referred to as interception warrants and only distinguished when necessary).

The government has the legal authority to issue an interception warrant, giving rise to an obligation for a network operator to assist in the interception of telecommunications under the TICSA, under the following enactments:

• the Government Communications Security Bureau Act 2003 (the GCSB Act);
• the Search and Surveillance Act 2012 (SAS Act); and
• the New Zealand Security Intelligence Service Act 1969 (the NZSIS Act).

Section 24 of the TICSA requires a network operator who is shown a copy of an interception warrant authority to assist a surveillance agency in the interception of individual customer communications by:

• making available any officers, employees or agents who are able to provide any reasonable technical assistance that may be necessary for the agency to intercept a telecommunication that is subject to the interception warrant; and
• taking all other reasonable steps that are necessary for the purpose of giving effect to the interception warrant, including, among other things, assisting to:
  • • identify and intercept telecommunications without intercepting telecommunications that are not authorised to be intercepted;
    • carry out the interception of telecommunications unobtrusively, without unduly interfering with any telecommunications, and in a manner that protects the privacy of telecommunications that are not authorised to be intercepted; and
    • undertake the actions efficiently and effectively, and:
    • if it is reasonably achievable, at the time of transmission of the telecommunication; or
    • if it is not reasonably achievable, as close as practicable to that time.

In addition, Section 9 of the TICSA requires network operators with more than 4,000 customers to ensure that every public telecommunications network that the operator owns, controls or operates and every telecommunications service that the operator provides in New Zealand has an interception capability. An interception capability includes the duty to ensure that the interception capability is developed, installed and maintained (see Section 9(3) of the TICSA).

Under Section 10(1) of the TICSA, a network operator will have complied with this interception capability obligation if every surveillance agency that is authorised by an interception warrant is able to:

• identify and intercept telecommunications without intercepting telecommunications that are not authorised to be intercepted;
• obtain call-associated data relating to telecommunications (other than telecommunications that are not authorised to be intercepted);
• obtain call-associated data and the content of telecommunications (other than telecommunications that are not authorised to be intercepted) in a usable format;
• carry out the interception of telecommunications unobtrusively, without unduly interfering with any telecommunications, and in a manner that protects the privacy of telecommunications that are not authorised to be intercepted; and
• undertake these actions efficiently and effectively at the time of transmission of the telecommunication or, if it is not reasonably achievable to do so, as close as practicable to that time.

Notably, under Sections 14 and 15 of the TICSA, a network operator does not have to provide an interception capability in respect to:

• any infrastructure-level service it provides (ie the provision of a physical medium, such as optical fibre cable, over which telecommunications are transmitted); or
• any wholesale network service it provides (ie a service provided by a network operator to another network operator over a network it owns and operates). Although, the network operator must still ensure that the wholesale network service is ‘intercept accessible’, as that phrase is defined under Section 12 of the TICSA.

However, the Minister for Communications and Information Technology, on application by a surveillance agency (see Section 17 of the TICSA), reserves the right to make a direction requiring a network operator providing an infrastructure-level service or a wholesale network service to:

• provide full interception capabilities in respect to the service in the manner described under Section 10(1) of the TICSA; or
• ensure that the service is ‘intercept accessible’ or ‘intercept ready’ (as those terms are defined in Sections 11 and 12 of the TICSA).

Network operators providing these infrastructure-level or wholesale network services are typically subject to less strenuous requirements under the TICSA, only being required to be intercept ready or intercept accessible as opposed to having full interception capability. Similarly, under Section 20 of the TICSA, the Governor- General of New Zealand may, by Order in Council, on the recommendation of the Minister for Communications and Information Technology, make regulations requiring particular network operators, regardless of the service they operate, to comply with Section 9 of the TICSA and thus ensure that their services have full interception capability.

Section 24 of the TICSA also requires a network operator who is shown a copy of an interception warrant to assist a surveillance agency by making available any officers, employees or agents who are able to provide any reasonable technical assistance that may be necessary for the agency to intercept a telecommunication that is subject to the warrant or authority. Therefore, under the TICSA, on receipt of an interception warrant a network operator could be required to assist in the implementation of interception capabilities on the network operator’s network.

Section 26 of the TICSA requires that, while assisting in the interception of a telecommunication, a network operator must take all practicable steps that are reasonable in the circumstances to minimise the likelihood of intercepting telecommunications that are not authorised to be intercepted.

Under Section 114 of the TICSA, the cost of implementing the interception capability must be borne by the network operator. Subject to limited circumstances, the surveillance agency presenting the interception warrant is responsible for paying the actual and reasonable costs incurred by a network operator in assisting the agency (see Section 115 of the TICSA).

An interception warrant requiring a network operator to assist in the interception of individual customer communications under the TICSA could be issued under the following enactments in the described circumstances:

GOVERNMENT COMMUNICATIONS SECURITY BUREAU ACT 2003 (GCSB ACT)

Under Section 15A(1)(a) of the GCSB Act, the Director (defined as being the chief executive of the Government Communications Security Bureau (the GCSB)) can apply to the Minister responsible for the GCSB (the GCSB Minister) for an interception warrant authorising the use of interception devices to intercept particular kinds of communications. The GCSB Minister can grant the interception warrant if, among other things, the GCSB Minister is satisfied that the proposed interception is for the purpose of cybersecurity and intelligence gathering. The interception warrant may request a person to give assistance that is reasonably necessary to give effect to the warrant (see Section 15E of the GCSB Act). Therefore, an interception warrant issued under the GCSB Act may require a network operator to assist in the interception of telecommunications through the installation of interception devices on its own network, in compliance with its obligations under Section 24 of the TICSA.

Section 24 of the GCSB Act imposes a duty on those assisting in an interception to minimise the likelihood of intercepting communications that are not relevant to the persons whose communications are to be intercepted.

SEARCH AND SURVEILLANCE ACT 2012 (SAS ACT)

Under Section 53 of the SAS Act, a District Court Judge or a Judge of the High Court (a Judge) may issue a surveillance device warrant (a form of interception warrant under the TICSA) on application by an enforcement officer (in most cases, a constable). A Judge may grant a surveillance device warrant if the Judge is satisfied that there are reasonable grounds to suspect that an offence has been, or will be, committed and that the proposed use of the surveillance device will obtain information that is evidential material in respect of the offence. A surveillance device warrant permits, among other things, an enforcement officer to use an interception device to intercept a private communication and may specify that the enforcement officer use any assistance that is reasonable in the circumstances (see Section 55(3)(f)). Therefore, an interception warrant issued under the SAS Act may require a network operator to assist in the interception of telecommunications through the installation of an interception device on its own network, in compliance with its obligations under Section 24 of the TICSA.

THE NEW ZEALAND SECURITY INTELLIGENCE SERVICE ACT 1969 (NZSIS ACT)

Under Section 4A(1) of the NZSIS Act, the Minister in charge of the New Zealand Security Intelligence Service (NZSIS) (the NZSIS Minister) and the Commissioner of Security Warrants may jointly issue a domestic intelligence warrant, or, under Section 4A(2) of the NZSIS Act, the NZSIS Minister acting alone may issue a foreign intelligence warrant (both intelligence warrants being a form of interception warrant under the TICSA). An intelligence warrant may be issued if the interception to be authorised is necessary for, among other things, the detection of activities prejudicial to security, or for the purpose of gathering foreign intelligence information essential to security. An intelligence warrant authorises a person to, among other things, intercept or seize any communication, document or item not otherwise lawfully obtainable by the person, including the installation or modification of any device or equipment. The Director of Security may request any person or organisation to give specified assistance to an authorised person for the purpose of giving effect to an intelligence warrant. Therefore, an intelligence warrant issued under the NZSIS Act may require a network operator to assist in the interception of telecommunications, in compliance with its obligations under Section 24 of the TICSA.

Disclosure of Communications Data

THE TELECOMMUNICATIONS (INTERCEPTION CAPABILITY AND SECURITY) ACT 2013

Section 24 of the TICSA requires a network operator who is shown a copy of an interception warrant to assist a surveillance agency by, among other things, assisting in obtaining call associated data and the stored content relating to telecommunications.

Call-associated data includes data that is generated as a result of the making of the telecommunication (whether or not the telecommunication is sent or received successfully) and that identifies the origin, direction, destination or termination of the telecommunication, as well as more specific information (see Section 3 of the TICSA). If the metadata relating to customer communications being requested by the government under an interception warrant falls within the definition of call-associated data, a network operator would be required to assist the surveillance agency in obtaining that data.

The surveillance agency with the interception warrant is responsible for paying the actual and reasonable costs incurred by a network operator in assisting the agency.

An interception warrant requiring a network operator to assist in the obtaining of call-associated data or stored content could be issued under the following enactments in the described circumstances:

• The GSCB Act

In relation to Section 15A(1)(a) of the GCSB Act, in particular circumstances the GCSB Minister may, under Section 15A(1)(b) of the GCSB Act, grant an access authorisation (a form of interception warrant) authorising access to the information infrastructure of a network operator, which includes all communications and information contained within its communications systems and networks. The access authorisation may request a person to give assistance that is reasonably necessary to give effect to the authorisation (see Section 15E of the GCSB Act). Therefore, an access authorisation issued under the GCSB Act may require a network operator to assist a surveillance agency by granting access to its communications contained in its information infrastructure, and hence any metadata (being information that would constitute a ‘communication’) and any stored communications that the network operator holds.

• The SAS Act

A surveillance warrant could require a network operator to disclose metadata relating to customer communications to aid the enforcement officer in its interception efforts. Similarly, and in any event, a surveillance device warrant allows an enforcement officer to require a network operator to disclose call-associated data in relation to a telecommunication of which the content has already been intercepted by the enforcement officer (see Section 55(3) (g) of the SAS Act) (ie if the content of the telecommunications has already been obtained by the enforcement officer through another means).

• The NZSIS Act

As a document includes any information stored by any means (see definition under Section 2(1) of the Official Information Act 1982), an interception warrant issued under the NZSIS Act could require the disclosure of all metadata information that a network operator holds, as well as the stored content of telecommunications. A network operator would then, in being required to assist in the execution of a warrant, be required to obtain call-associated data and communications content under Section 24(b)(iii) of the TICSA (if the metadata requested under the SAS Act was not already held).

In addition, under Sections 71 and 74 of the SAS Act, an enforcement officer may apply to an issuing officer for a production order against a person in respect of documents. Documents are defined as including call-associated data (which could include metadata) and the content of telecommunications in respect of which, at the time an application is made for a production order against a network operator, the network operator has storage capability for, and stores in the normal course of its business, that data and content.

A production order will only be made if:

• there are reasonable grounds to suspect that a specified offence has been, or will be, committed;
• the documents sought by the proposed order are likely to constitute evidential material in respect of the offence; and
• the documents sought by the proposed order are in the possession or under the control of the person against whom the order is sought, or will come into his or her possession, or under his or her control while the order is in force (see Section 72).

When the documents are produced under a production order, the enforcement officer may retain the original copies, or take copies, or require the person producing the documents to reproduce the information recorded in the documents in a usable form (see Section 78 of the SAS Act). An original copy must be returned as soon as possible (see Section 79 of the SAS Act).

HARMFUL DIGITAL COMMUNICATIONS ACT 2015 (HDC ACT)

Under the HDC Act, the District Court can order that an online content host, among other things, takes down or disables public access to particular material that has been posted or sent and order that the identity of the author of an anonymous or pseudonymous communication be released to the court.

National Security and Emergency Powers

The government’s power to issue intelligence warrants (a form of interception warrant under the TICSA) on the grounds of national security under Section 4A of the NZSIS Act, and the possible assistance the intelligence warrants can require from network operators, is outlined above.

INTERNATIONAL TERRORISM (EMERGENCY POWERS) ACT 1987

Under Section 10 of the ITEPA, in the circumstances of an international terrorist emergency where emergency powers are exercisable, a constable may requisition any land, building or equipment within the area in which the emergency is occurring and place the property under the control of a constable. This could conceivably involve the requisitioning of a network operator’s network equipment.

Further, under the ITEPA, a constable may, for the purpose of preserving life threatened by any emergency:

• connect any additional apparatus to, or otherwise interfere with the operation of, any part of the telecommunications system; and
• intercept private communications.

This power specified may be exercised only by, or with the authority of, a constable who is of or above the level of position of inspector, and only if that constable believes, on reasonable grounds, that the exercise of that power will facilitate the preservation of life threatened by the emergency. This power would again constitute a ‘lawful interception authority’ under the TICSA (being an authority to intercept communications in an emergency situation granted to a member of a surveillance agency), thus imposing obligations on network operators to assist the enforcement officer under the TICSA just as they would be required to when shown an interception warrant.

Under Section 18 of the ITEPA, no person who intercepts or assists in the interception of a private communication (such as a network operator) under Section 10(3), or acquires knowledge of a private communication as a direct or indirect result of that interception, shall knowingly disclose the substance, meaning or purport of that communication, or any part of that communication, otherwise than in the performance of that person’s duty.

Oversight of the Use of Powers

Under Section 15 of the GCSB Act, the GCSB Minister authorises a warrant if, among other things, the Minister is satisfied that the proposed interception is for the purpose of cybersecurity and intelligence gathering.

Under Section 53 of the SAS Act, only a Judge may issue a surveillance device warrant. Further, only a Judge or a person such as a Justice of the Peace, Community Magistrate, Registrar or Deputy Registrar, who is for the time being authorised to, may act as an issuing officer under Section 108 of the SAS Act and make a production order.

Under Sections 158 and 159 of the SAS Act, a person who has an interest in the produced documents (ie a customer of a network operator) may apply to the District Court for access to, or the release of, the things produced.

Under Section 4A(5) of the NZSIS Act, when the identification of foreign capabilities that impact on New Zealand’s international or economic wellbeing is in issue, before issuing an intelligence warrant the NZSIS Minister must consult with the Minister of Foreign Affairs and Trade about the proposed intelligence warrant.

Censorship-related Powers

SHUT-DOWN OF NETWORK AND SERVICES

The government does not have the legal authority to order the shut-down of Vodafone’s network or services.

International Terrorism (Emergency Powers) Act 1987 (ITEPA)

Under Section 10 of the ITEPA, in the circumstances of an international terrorist emergency, a police constable may requisition any property (including land, buildings and equipment) of a network operator within the area in which the emergency is occurring. While it is conceivably possible that the practical effect of seizing certain equipment may mean that the relevant network operator’s network (such as Vodafone’s) is shut down, the Act does not give the government a legal right to shut down the network.

BLOCKING OF URLS & IP ADDRESSES

Films, Videos, and Publications Classification Act 1993

Under the Films, Videos, and Publications Classification Act 1993, viewing or owning certain types of material (for example, depictions of bestiality or child sex abuse) is forbidden; this applies to material accessed over the internet.

While there is no legal authority for the government to block a URL or IP address, the New Zealand Department of Internal Affairs operates the Digital Child Exploitation Filtering System (DCEFS) in partnership with a number of New Zealand internet service providers, including Vodafone. Participation in DCEFS is voluntary.

Under the DCEFS, the Department of Internal Affairs maintains a list of banned websites and their URLs. Using a routine protocol it has in place with the participating internet service providers, each time a person tries to access a website (banned or not), their request is routed through the Department of Internal Affairs’ server; that server filters each request to determine whether access to the website is allowed. If the website URL is on the list of banned websites, access to it is refused.

POWER TO TAKE CONTROL OF VODAFONE’S NETWORK

The government does not have the legal authority to take control of Vodafone’s network.

International Terrorism (Emergency Powers) Act 1987 (ITEPA)

Please see Section 1 ‘Shut-down of network and services’ above. While it is conceivable that the practical effect of the government’s use of its powers under the ITEPA could be used to the extent that the government effectively took control of a network provider’s network, the Act does not provide the government with explicit authority to do this.

Oversight of the Use of Powers (Censorship-related)

INTERNATIONAL TERRORISM (EMERGENCY POWERS) ACT 1987

Sections 5 to 8 govern police authority to use the emergency powers provided for under Section 10. Under Section 5, the police commissioner must inform the prime minister as soon as he or she believes that an emergency is occurring; the emergency may be an international terrorist emergency; and the exercise of emergency powers is or may be necessary to deal with that emergency. Upon being so informed, the prime minister may then hold a meeting with a minimum of three Ministers of the Crown to consider whether to authorise use of the emergency powers. If the Ministers of the Crown present at the meeting believe on reasonable grounds that an emergency is occurring, that may be an international terrorist emergency and the exercise of emergency powers is necessary to deal with the emergency, the Minister of the Crown presiding at the meeting may give notice in writing authorising the exercise of emergency powers by the police. Upon authorisation the Minister of the Crown who presided must inform the House of Representatives that the authorisation has been given and the reasons why it was given. The House of Representatives may resolve to, from time to time, extend that authorisation for no longer than seven days pursuant to Section 7. The House of Representatives may also, at any time, revoke the authorisation pursuant to Section 8. Section 6 requires the Minister who signs the notice authorising the use of emergency powers to inform the public by such means as are reasonable in the circumstances and to publish the authorised notice in the Gazette as soon as practicable.

The authority to exercise the emergency powers expires once the police commissioner is satisfied that the emergency has ended, or is deemed not to be an international terrorist emergency, or at the close of seven days after the day on which the notice under Section 5 was given, whichever is sooner.

Encryption and Law Enforcement Assistance

1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key?

Yes. The TICSA requires a network operator who is shown a copy of an interception warrant to decrypt a telecommunication on its own public telecommunications network or service if it has provided the encryption.

Sections 10(3) and 24(4) of the TICSA require a network operator to, for the purpose of obtaining data in a usable format and in giving effect to an interception warrant, assist in decrypting a telecommunication on its own public telecommunications network or telecommunications service if it has provided the encryption for that telecommunication.

An interception warrant requiring a network operator to assist in decrypting a telecommunication it has encrypted could be issued as an access authorisation under the GSCB Act; a surveillance warrant under the SAS Act; and/or an intelligence warrant under the NZSIS Act (see earlier in this chapter under ‘Provision of real-time lawful interception assistance’ for a more detailed explanation of each of these types of warrant).

2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?

No. Under Sections 10(4) and 24(4) of the TICSA, a network operator is not required to decrypt a telecommunication on its own telecommunications network or service if the encryption has been provided by means of a product supplied by a person other than the network operator and is available on retail sale to the public or is supplied by the network operator as an agent for that product.

The default position under Sections 10(3) and 24(3)(vi) of the TICSA requires a network operator to, for the purpose of obtaining data in a usable format and/or in giving effect to an interception warrant, assist in decrypting a telecommunication on its own public telecommunications network or telecommunications service if it has provided the encryption for that telecommunication.

Furthermore, under Sections 10(4) and 24(4) of the TICSA, a network operator is not required to decrypt any such telecommunication if the encryption has been provided by means of a product that is supplied by a person other than the network operator and is available to the public or is supplied by the network operator as an agent for that product.

3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and the content of the communication on receipt of a lawful demand?

No, although the answer here is not legally certain.

The TICSA requires a network operator to, in certain circumstances, assist in decrypting a telecommunication on its own public telecommunications network or telecommunications service if it has provided the encryption for that telecommunication.

The default position under Sections 10(3) and 24(3)(vi) of the TICSA requires a network operator to, for the purpose of obtaining data in a usable format and/or in giving effect to an interception warrant, assist in decrypting a telecommunication on its own public telecommunications network or telecommunications service if it has provided the encryption for that telecommunication.

Under Sections 10(4) and 24(4) of the TICSA, a network operator is not required to decrypt any such telecommunication if the encryption has been provided by means of a product that is supplied by a person other than the network operator and is available to the public or is supplied by the network operator as an agent for that product.

It can be inferred from this that if the encryption has been provided by means of a product that is supplied by the network operator (not acting as an agent), then the network operator would be required to decrypt the telecommunication. However, no guidance or opinion has been issued by the telecommunications regulation in New Zealand on this subject.

4. Please provide examples in this jurisdiction where legislation which predated the advent of commercial encryption (which Vodafone estimates to be circa 1990) has been applied to contemporary cases involving encryption.

Vodafone has not found any examples where this has occurred in New Zealand.