State Access to Private Communications and Computer Systems

Supplementary report by the Privacy Commissioner to the Law and Order Committee in relation to Supplementary Order Paper No 85 to the Crimes Amendment Bill (No 6)

1. Background

1.1 On 13 December 2000 I submitted a report to the Minister of Justice on the legislative proposal before the Select Committee. The report was given to the Select Committee by the Minister and has been treated as a submission. On 15 March 2001 I appeared before the Committee to answer questions in relation to the report.

1.2 Paragraph 2.5 of the 24-page report stated:

"It is easy to think of the interception of communications or the accessing of a computer as affecting only the target of Police interest. However, the interception warrant system is not to protect only that person. Also of importance are the many other people affected by interceptions or computer related searches. Trawling or browsing through a myriad of personal information is being authorised in an unprecedented scale. A single interception warrant can, for instance, involve authorised listening into hundreds of conversations involving scores of individuals beyond the targeted individuals."


1.3 This paragraph appeared in an overview which set the scene in relation to the comments that followed on a clause by clause basis. The overview highlighted aspects of the amendments which both enhance and intrude into privacy. As is the nature of an overview, it attempted to distil or simplify issues which were discussed in detail later in the report.

1.4 In the short appearance before the Select Committee, which I was required to share with another person making submissions to the Committee, no questions were asked about that paragraph. Indeed, few questions were directed to me at all about the points made in the report or the 14 detailed recommendations it contained.

2. Chairperson's letter

2.1 I am therefore pleased at the Committee Chairperson's continuing interest in my views and offer this further report to amplify my comments.

2.2 In her letter requesting my attendance, the Chair of the Select Committee posed several questions. With reference to paragraph 2.5 I have been asked to clarify the following points:

  • the specific provisions in the bill or the SOP that I consider provide for trawling or browsing through personal information on an unprecedented scale;
  • whether it was my intention that the comment about trawling on an unprecedented scale refer both to interception and computer access provisions, and if it does refer to interception warrants, whether I had, when formulating my report, given consideration to the safeguards already provided for in the Crimes Act 1961.

3. Trawling and browsing

3.1 The words "trawling" and "browsing" are used only in paragraph 2.5. I can say this with some confidence because with ordinary software in my office I have been able to do a "trawl" through the 9055-word document, searching for any appearance of those words including derivations or words which sounded like them.

3.2 The bill authorises the interception of data. Previously, interception warrants related solely to oral communications. Private communications involving data may run to hundreds of pages of text. Browsing or trawling techniques will certainly be used to promptly identify material of interest, even if ultimately entire documents will be read by human beings.

3.3 The process of trawling is also relevant to data intercepts arranged through the co-operation of an Internet or communications services provider. Email traffic involves packets of data exchanged between and funnelled through computers. To find data relevant to a target specified in an interception warrant will presumably involve the use of devices, such as sniffers, and word-searching techniques.

3.4 One of the principal points of paragraph 2.5 was to emphasise that more individuals are affected by an intercept or a computer access than merely a target suspected of lawbreaking. If a target's telephone is tapped, the private communications of anybody who uses that telephone will be listened to. This includes both people calling in and calling out. Similar concerns arise with non-oral communications.

4. Unprecedented scale

4.1 I referred to intercepts being authorised on an "unprecedented scale". Authorised interception of data communication has not occurred before. It is unprecedented. The scale of potential intercepts is obviously enlarged.

4.2 One might calculate scale in various ways. In my report I focused upon the scale of the new statutory authorisation. In other words, the breadth of communication types to which an interception warrant would potentially apply. That is not to say that next year the Police will indeed be intercepting emails or other written electronic communications on a vast scale.

4.3 It may be more meaningful to contemplate a time 5 years from now. Given the advances we have already seen with information technology and the growth of the Internet, taken with national and international planning for e-commerce and e-government, one is bound to conclude that electronic data trails will form a prime focus of future policing. There are many examples overseas already. There have been increasing attempts by law enforcement interests to require communication service providers to archive traffic and content data which is no longer needed for providing services, to facilitate the possibility of law enforcement surveillance and investigation. Access to such databases, whatever the legal authorisation, may be by key word browsing.

5. GCSB

5.1 This bill provides an exemption for GCSB from the prohibition on accessing computers without authorisation. While the Government and Parliament have in the past done little to inform the public about what GCSB actually does, it appears that the Bureau monitors telecommunications and that this would almost certainly involve word searching or "trawling or browsing".

5.2 I might add that the exemption in this bill works in tandem with the recently introduced Government Communications Security Bureau bill. In my report I recommended delaying exemptions from the new laws for GCSB until it was placed on a statutory footing and subject to an interception warrant process. I note that the explanatory note to the Government Communication Security Bureau bill states that a primary policy objective of the bill is:

"To fill a gap in the existing legal structure that currently prevents the future expansion of GCSB's signals intelligence operations in particular areas that are likely to become increasingly important over time." [Emphasis added]

6. Crimes Act 1961 safeguards

6.1 I find remarkable the Chairperson's final question which asks, with respect to interception warrants, whether I had given due consideration to the safeguards already provided for in the Crimes Act 1961. It should be plain from the report that I had studied the scheme of safeguards created for interception warrants in the Crimes Act (and also in the Misuse of Drugs Amendment 1978). For instance, in specifically addressing the question of law enforcement exemption to the new computer access offence I stated:

"I am satisfied with the exemption for executing an interception warrant."


6.2 Paragraphs 4.1 through to 4.11, some four pages, are almost entirely devoted to the adequacy of the interception warrant safeguards. In the report I offer an abbreviated account of the legislative history of our current interception laws. The Crimes Act provisions are modelled upon the Misuse of Drugs Amendment Act 1978 which was introduced and enacted in the charged atmosphere leading to a general election. Central aspects of the law are sound, including the requirement for a judicial warrant issued by a High Court judge. However, there are unsatisfactory aspects. Certainly one key safeguard of interception law in a free and democratic society is that it be used only in truly exceptional cases, not as an omnipresent surveillance tool. It will be no surprise to anyone who has witnessed the expansion of police powers that the 1978 law, originally presented as a special case, has been expanded by a succession of broader authorisations for interception.

6.3 In my report, I suggested enhancing interception safeguards. Key recommendations included:

  • placing responsibility with an official to audit compliance with the interception law and conditions on interception warrants - offering assurance that, in cases in which prosecutions are not taken, the law is indeed adhered to;
  • a notification requirement - informing affected individuals of the fact that the State has listened to their private conversations or read their private correspondence.

7. Law enforcement exemption allowing access to computer systems

7.1 Throughout my dealings with the Government over this measure, in my report and before the Select Committee, I have consistently accepted a case to enable law enforcement access to data communications. I have steered a "middle course." I do not accept law enforcement claims to be given routine access to electronic documents where society has previously respected personal privacy and commercial confidences in similar paper records. However, I do not see the Internet as being beyond the reach of ordinary laws including those allowing for interception of private communications in extraordinary cases.

7.2 Confidence in the ability to communicate securely and privately is a cornerstone of a free society. Security of computer systems is now absolutely central to this. My position is that State access without the authorisation of the owner of a computer system must only be allowed for clearly defined purposes which are manifestly in the public interest and subject to strong controls. The interception warrant process is appropriate for certain access into computer systems in those limited circumstances.

7.3 As outlined in my report, I am uneasy at the exemption contained in new section 305ZFD as it relates to "search warrants" and "other legal authority". I accept search warrants to be an appropriate instrument to provide authority to access a computer found on premises being searched or to access a computer that has been seized from premises being searched. However, it should not provide any authority for Police officers or other officials or inspectors to remain in their offices hacking into people's computer systems. That pernicious secret policing practice should not be allowed for ordinary law enforcement. A search warrant process would be completely inadequate to provide any satisfactory level of public assurance.

7.4 One problem with the reference to "other legal authority" is that there is no degree of certainty as to what is being authorised. Might the Executive simply issue regulations to allow covert access to computer systems for some perceived State interest? Will the common law, contract or State prerogative be asserted as providing legal authority? In my view only specific statutory authority, such as that provided in the computer access authorisation provision in the GCSB Bill, should suffice as an exemption to the Crimes Act.

7.5 In accordance with paragraphs 3.5.1 to 3.5.11 of my report, I offer the following redraft:

Qualified exemption to section 305ZFA offence for law enforcement agencies

(1) To avoid doubt, if access to a computer system or part of a computer system is gained by a law enforcement agency pursuant to a legal authority specified in subsection (2), such access does not constitute an offence under section 305ZFA.
(2) The legal authority referred to in subsection (1) is:
(a) an interception warrant;
(b) a search warrant, where the access is exercised in the course of searching premises specified in the search warrant or accessing a computer which has been lawfully seized from such premises pursuant to the warrant.

7.6 This redraft would have several advantages from a privacy perspective:

  • the exemption is limited to law enforcement agencies explicitly - not just in the heading as in the existing proposed provision;
  • the reference to "other legal authority" is omitted, thereby preventing new exemptions being created by regulation - the normal principles of statutory interpretation allow for new exemptions to be made by statute explicitly or implicitly;
  • a search warrant will continue to be authorisation for access to a computer but only when that warrant is being executed in the normal and expected way; it does not provide cover for other officials to carry out covert hacking into computers.


7.7 In my view, this amendment would go some way towards addressing concerns about the possibility of State trawling or browsing through private computer systems.

B H Slane
Privacy Commissioner
10 May 2001

ATTACHMENT

LETTER FROM CHAIR OF COMMITTEE


3 May 2001

Mr B Slane
Privacy Commissioner
Office of the Privacy Commissioner
PO Box 466
AUCKLAND

Dear Mr Slane

Crimes Amendment Bill (No 6) and Supplementary Order Paper No 85

As you are aware, the Law and Order Committee is currently considering the Crimes Amendment Bill (No 6) (the bill) and Supplementary Order Paper No 85 (the SOP) to the bill.

We are writing to request that you appear before the committee to clarify comments made in paragraph 2.5 on page 3 of your supplementary submission entitled Report of the Privacy Commissioner to the Minister of Justice on Supplementary Order Paper No 85 to the Crimes Amendment Bill (No 6), dated 13 December 2000. We would like you to clarify the following points:

  • The specific provisions in the bill or the SOP that you consider provide for trawling or browsing through personal information on an unprecedented scale.
  • Whether it was your intention that your comment about trawling on an unprecedented scale refer to both interception and computer access provisions, and if it does refer to interception warrants, whether you had, when formulating your submission, given due consideration to the safeguards already provided for in the Crimes Act 1961.


We request that you attend our next committee meeting on Thursday, 10 May 2001, from 11.30am to 12.00pm. We have given leave for your evidence to be heard in private. The meeting will be held in Room 11.03, Bowen House, Parliament Buildings, Wellington.

Should you have any queries about our request, please contact Ms Tracey Rayner, Clerk of the Committee on (04) 471 9530.

Yours sincerely

Janet Mackey
Chairperson
Law and Order Committee
