The GCSB law
The GCSB law has completed its committee stage, and will pass its third reading today.
Some people would have you believe that this law is a massive change from the current GCSB law passed by Helen Clark. Well, they are partially right. It is significantly different. I’ve detailed below my analysis of some of the major differences between the 2003 Helen Clark law and the 2013 John Key law.
Helen Clark GCSB law 2003 | John Key GCSB law 2013 |
Inspector-General sole independent oversight | two person advisory panel to assist the Inspector-General of Intelligence and Security |
Inspector-General has no staff resources | Inspector-General has a Deputy |
Inspector-General role is essentially reactive | Inspector-General to proactively annually review GCSB procedures, policies and compliance and do unscheduled audits |
Inspector General not informed when a warrant is put on the register relating to a New Zealander | Inspector General is informed when a warrant is put on the register relating to a New Zealander |
GCSB can’t intercept the communications of a NZ citizen or permanent resident but can assist “any public authority” on any matter relevant to their functions, and unclear if the former prevents the latter | GCSB can’t intercept the communications of a NZ citizen or permanent resident but can assist (only the) Police, Defence Force or SIS even if it involves a NZer. |
No reporting of assistance given to other agencies | GCSB will be required to report annually on the number of instances when it has provided assistance to the Police, SIS or NZ Defence Force |
No reporting on number of warrants and authorisations | GCSB will also be required to report annually on the number of warrants and authorisations issued |
Intelligence and Security Committee has secret hearings to discuss the financial reviews of the performance of the GCSB and the SIS | Intelligence and Security Committee will hold public hearings annually to discuss the financial reviews of the performance of the GCSB and the SIS |
ISC does not have to publicly report to Parliament | ISC to report annually to Parliament on its activities |
No regular reviews of GCSB | An independent review of the operations and performance the GCSB and the NZSIS and their governing legislation in 2015, and thereafter every 5-7 years |
GCSB has a function to protect any information that any public authority or other entity produces, sends, receives, or holds in any medium | GCSB function to protect any communications that any public entity processed, stored, or communicated in or through information infrastructures |
No specification of limits of GCSB assistance | Specifies that GCSB can assist Police, Defence Force and SIS, but only for lawful activities such as where warrants have been granted |
IPCA has no jurisdiction | Gives the IPCA and the IGIS jurisdiction to review any assistance given to Police and SIS respectively |
No references to according to human rights standards | Specifies all functions of GCSB must accord with NZ law, and all human rights standards recognised by NZ law. |
No references to not undertaking partisan activity | Specifies GCSB can’t be involved in any action that helps or harms a political party |
No requirement to brief the Leader of the Opposition | GCSB Director required to brief Leader of Opposition regularly on major activities of GCSB |
Requires GCSB to destroy any records not relating to GCSB objectives or functions | Required GCSB to not retain any information on NZers collected incidentally as part of foreign intelligence operations unless relates to serious crime, loss of life or national security threats |
No special protection for legally privileged communications | Legally privileged communications explicitly exempted from scope of an interception warrant |
No requirement to have a policy on personal information retention and use | GCSB required to work with Privacy Commission to have a policy on personal information retention and use
|
No restrictions in GCSB Act on retaining personal information | GCSB can only retain personal information for a lawful purpose, and can’t keep longer than required for any lawful purpose |
This is not a complete analysis. I was hoping the Government may have such a document themselves, but it seems they don’t. So I put it together last night by comparing the 2003 Act and the latest SOP from the Government. I am sure I have missed out a couple of things, and over-simplified in a couple.
The point is to point out that the 2013 law is including a huge number of protections that the 2003 law is silent or, or missing. Those demanding the law not pass would have you implicitly think the status quo is superior. They are quite wrong, and mischievously so. Recall the current law does not ban the GCSB from assisting the Police and SIS. It has merely been said by lawyers to be unclear, and in fact the Inspector-General has said the assistance has been legal.
I think the Government has bent over backwards to put protections into the law, partly as a result of their coalition partners. Have a read of the existing law, and decide for yourself.
So my question to all the people demanding National MPs cross the floor and vote against the bill, is where were you in 2003? Where were the protests against the 2003 law? Where were the demands Labour MPs in 2003 voted down Helen Clark’s law?
Also I ask how many media stories have focused on an actual side by side analysis of the old and laws, detailing all the changes? Or have they just live-streamed protest meetings?
Now this is not to say I think the law being passed today is perfect. If I was Prime Minister I’d actually make the GCSB responsible for interceptions only, and give their cybersecurity role to another agency such as DIA. It would probably mean some loss of expertise, but it would reassure people that when GCSB are assisting agencies with cybersecurity they are not accessing personal communications. Worth remembering though that it is the 2003 law again which gave the GCSB this role. The 2013 law just clarifies the powers that can be used in that role.
I also think the focus on the GCSB law has been mis-placed. Far more focus should be on the companion TICS bill which I do have greater concerns about – such as requiring approval of network architecture, ISPs having to register with GCSB and the like. My hope is the select committee make some changes to that bill, which is due to be reported back on 20 September.