
Submission to Law and Order Select Committee

Introduction

The Internet Society of New Zealand, Inc (ISOCNZ) is a non-profit society established in 1995 to foster co-ordinated and co-operative development of the Internet in New Zealand. We also work to safeguard the Internet's philosophy of open and uncensored exchange of information. Our membership includes Internet service providers, web designers, public information groups and Internet users.

The Society is an independent body, not allied to any particular section of the industry, open to anyone who wants to influence Internet evolution and a leading commentator on Internet issues.

We represent member views to politicians, industry influencers and the media, and guide development of Internet policy, oversee use and expansion of the New Zealand domain name space, and guard Internet standards. The Society is the delegated manager for the New Zealand Domain Name Space (".nz").

1. ISOCNZ Broadly Supports the Underlying Principles

ISOCNZ broadly supports the principles underlying the amendments proposed by the Crimes Amendment Bill (No.6), and supports the application of rules similar to those on interception of telephone calls and radio transmissions, to communications on the Internet and similar computer networks.

However ISOCNZ is concerned that there are important differences between the technologies (particularly between telecommunications technology and computer technology) which need to be allowed for in the law, and is concerned that the Bill does not yet adequately take all of these differences into account.

ISOCNZ also notes that historically communication over the Internet and similar networks has been considered, by those "in the know", to be visible to anyone who cared to look. While this is somewhat less true in modern networks (amongst other factors, switched networks deliver each message only to the connection of the computer it is addressed to, rather than to every computer on the segment), it is still generally true.

Because of this, encryption has traditionally been recommended where privacy and security are a concern. The use of encrypted Virtual Private Networks (VPNs) is a particular growth area on the Internet at present. A Virtual Private Network is created by configuring two computers to encrypt everything they send between themselves (often including traffic that originated on other computers). This creates a section of the network where it is not possible to look at what is being sent: the encryption hides the actual data from anyone who does not have the decryption key, so that an onlooker sees only "random" data which makes no sense. The computers exchanging the data know how to decrypt it, and so can see the original data.

Even if this Bill is passed into law, ISOCNZ will continue to recommend the use of suitable encryption technology, including VPNs, to those who are concerned about privacy and security, from a purely pragmatic point of view.

Accordingly, ISOCNZ urges Parliament to ensure suitable strong encryption technology remains available to New Zealanders.

ISOCNZ believes this is essential to ensure New Zealand's place in the growing electronic commerce markets, and the New Economy.

2. Concerns about Definitions

2.1 "Interception device" too broadly applicable

Many of the amendments proposed by the Bill make reference to an "interception device", which the Bill defines as, inter-alia, "... any device ... that is capable of being used to intercept a private communication ...".

Particularly in relation to computer technology ISOCNZ considers this definition to be too broad. Most personal computers in use in offices, and in many homes, today in New Zealand include a network card, usually to attach to an Ethernet network. Because of the way in which computer networks work, the network card in one PC can "hear" everything that other computers attached to the same (physical) computer network are saying, at least where the network is a shared medium such as a hub or coaxial Ethernet segment.

Normally computer network cards are configured to "politely ignore" what other computers are saying, only reporting things that they hear directly addressed to them. (This is primarily a computer efficiency measure, so that the computer does not have to interpret everything being sent, only the things sent to it. However it can also have a privacy effect as well).

With the use of a very small piece of software (a "packet sniffer"), many versions of which are freely available and some of which are installed by default on many computers, the network card can be told to report everything that it hears.

In other words, the same network card that is used for communication is equally capable of "interception" of other communication on the network. This is an inherent part of the way that (Ethernet) computer networks operate.
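The following is an added worked example, not part of the ISOCNZ submission, showing the filter an Ethernet card applies to every frame it hears and what the "promiscuous mode" setting used by a packet sniffer such as tcpdump changes. The hosts, MAC addresses and frames are constructed for illustration.

```python
"""Added example (not part of the ISOCNZ submission): the receive filter an
Ethernet card applies to every frame on the wire, and what promiscuous mode
changes.  Hosts, MAC addresses and frames below are constructed."""
import struct

BROADCAST = bytes.fromhex("ffffffffffff")


def ethernet_header(frame: bytes) -> tuple:
    """Parse the 14-byte Ethernet II header into (dst MAC, src MAC, EtherType)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    return struct.unpack("!6s6sH", frame[:14])


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def card_accepts(frame: bytes, own_mac: bytes, promiscuous: bool) -> bool:
    """Decide whether the card passes a frame up to the operating system.

    Normal operation ("politely ignore"): only frames addressed to this card,
    broadcast frames, and multicast frames (low bit of the first destination
    octet set) are reported.  In promiscuous mode, which a sniffer turns on
    with one ioctl (on Linux also `ip link set dev eth0 promisc on`), the
    filter is bypassed and every frame on the segment is reported.
    """
    if promiscuous:
        return True
    dst, _src, _ethertype = ethernet_header(frame)
    return dst == own_mac or dst == BROADCAST or bool(dst[0] & 0x01)


# Three hosts sharing one hub or coaxial Ethernet segment (constructed MACs).
ALICE = bytes.fromhex("020000000001")
BOB = bytes.fromhex("020000000002")
CAROL = bytes.fromhex("020000000003")

# Constructed traffic on the segment: a private exchange between Alice and
# Bob, an ARP broadcast, and one frame actually addressed to Carol.
SEGMENT_TRAFFIC = [
    build_frame(BOB, ALICE, 0x0800, b"alice -> bob: private"),
    build_frame(ALICE, BOB, 0x0800, b"bob -> alice: private"),
    build_frame(BROADCAST, ALICE, 0x0806, b"who has 192.0.2.2?"),
    build_frame(CAROL, ALICE, 0x0800, b"alice -> carol"),
]


def frames_seen_by(own_mac: bytes, promiscuous: bool, traffic=SEGMENT_TRAFFIC) -> list:
    """Payloads that reach the operating system of the host with `own_mac`."""
    return [frame[14:] for frame in traffic if card_accepts(frame, own_mac, promiscuous)]


if __name__ == "__main__":
    print("Carol, normal mode:     ", frames_seen_by(CAROL, promiscuous=False))
    print("Carol, promiscuous mode:", frames_seen_by(CAROL, promiscuous=True))
```

In normal mode Carol's card reports only the broadcast and the frame addressed to her; in promiscuous mode it reports the private Alice/Bob exchange as well, with no change to the hardware. On a switched network the switch forwards unicast frames only to the port of the destination MAC, so promiscuous mode alone recovers only broadcast and flooded traffic; that is the qualification the submission makes above about switched networks.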

The effect is as if an ordinary telephone were included in the definition of a "listening device". Almost everyone with a modern personal computer for use at work, or at home, would be in possession of an "interception device".

Such a definition of "interception device" could lead to the law proposed by the Bill being applied in circumstances where it was not originally intended.

ISOCNZ recommends that the definition of "interception device" be more restricted. In the case of computer technology, the law should explicitly require "a combination of hardware and software intended for interception", rather than merely one "capable of being used for" that purpose.

2.2 Interception without an "interception device"

In addition, there are techniques within computer networks other than a separate "interception device" by which one computer may receive information ultimately destined for another computer.

2.2.1. "Proxy Caches"

A common situation is where one computer acts as a "proxy" for another computer, for instance requesting a webpage on behalf of another computer, and then passing back the answer to the originating computer. This can be done by explicit settings in the computer originating the request, or "transparently" by special settings on the computer network of, for example, an Internet Service Provider (ISP).

ISPs typically have "transparent proxy caches" configured to receive all requests for web pages automatically, without requiring any special settings by the user. The proxy cache then looks at the request being made to see if it is one which has been made recently. If the request has been made recently, the proxy cache returns the answer that it retrieved recently to the user. Otherwise it asks the original computer to which the request was sent for the answer, saves a copy of the answer, and returns the answer to the user.

Transparent proxy caches are used for several legitimate purposes, including:

  • To give users who ask for pages which are frequently requested a quick answer, saving the user time; and
  • to reduce the number of requests made to the computer which holds the webpage, to avoid overloading it (or the computer network) with requests.

To use transparent proxy caches for these purposes is commonplace. If the transparent proxy cache does its job properly, the users may be unaware that their request was sent through a transparent proxy cache.

2.2.2 Hidden Redirection

The flip side to the existence of this technology is that anyone with sufficient access to the computer network can arrange for any requests intended for one computer to be redirected to another computer of their choice. By acting like the transparent proxy cache (making the request on behalf of the original requester, and passing the answer back), the original requester may be unaware that their traffic has been intercepted. In the computer security industry, a situation like this is called a "man in the middle" attack.

This "man in the middle" attack provides a way whereby traffic may be intercepted without an explicit "interception device". The interception is performed instead by changing the configuration of the computer network so that the traffic is sent somewhere else before it is sent on to its final destination. Such a situation does not appear to be covered by the proposed legislation.

2.2.3 "Store and Forward"

In addition to these "hidden" means of interception, there are other opportunities for interception of some computer network traffic without an "interception device". A common situation is where a "store and forward" approach is used in sending the traffic. For instance, with email a message is typically sent from the user's computer to their ISP's mail server. The mail server at the ISP stores a copy of the message for a while, and periodically attempts to deliver it to the mail server of the destination user. When it is delivered to the mail server of the destination user, it will be stored there until some later time when the destination user collects their mail.

Hours, if not days, can elapse between the first user sending the message, and the second user picking it up from their mail server. During most of this time a copy of the message is sitting on a mail server somewhere. The easiest way for someone to intercept that message would be to gain access (legitimately or illegitimately) to the mail server the message is sitting on, and then read the message, or take a copy of it. This would not involve an "interception device" and thus the proposed legislation appears not to cover the email for most of its journey between the sender sending the message and the receiver actually reading it.
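The following is an added worked example, not part of the ISOCNZ submission, which reads the "Received:" trail that each mail server prepends to a store-and-forward message and works out how long the message sat on each server, which is the window during which a copy could be read there. The message, host names, addresses and times are constructed.

```python
"""Added example (not part of the ISOCNZ submission): reading the Received:
trail of a store-and-forward email to see how long the message sat on each
mail server.  Each server that handles a message prepends a Received: line,
so the top line is the newest hop.  The message, hosts, addresses and times
are constructed."""
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message as it would look in the recipient's mailbox.
SAMPLE_MESSAGE = """\
Received: from mx.recipient-isp.example (mx.recipient-isp.example [203.0.113.10])
\tby mail.recipient-isp.example (Postfix) with ESMTP id 4F3C2
\tfor <bob@recipient-isp.example>; Tue, 20 Feb 2001 18:02:31 +1300
Received: from smtp.sender-isp.example (smtp.sender-isp.example [198.51.100.5])
\tby mx.recipient-isp.example (Postfix) with ESMTP id 9A1B0
\tfor <bob@recipient-isp.example>; Tue, 20 Feb 2001 09:41:07 +1300
Received: from alice-pc.dialup.sender-isp.example ([198.51.100.77])
\tby smtp.sender-isp.example (Postfix) with SMTP id 1D4E5
\tfor <bob@recipient-isp.example>; Tue, 20 Feb 2001 09:15:44 +1300
From: alice@sender-isp.example
To: bob@recipient-isp.example
Subject: constructed example
Date: Tue, 20 Feb 2001 09:15:30 +1300

Hello Bob.
"""


def received_hops(raw: str) -> list:
    """(receiving host, time received) for each hop, oldest first.

    In a Received: line the receiving host follows the word 'by' and the
    timestamp follows the final ';'.  The parser returns the folded header
    as one value; splitting on whitespace flattens it.
    """
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        words = value.split()
        host = words[words.index("by") + 1]
        stamp = parsedate_to_datetime(" ".join(words).rsplit(";", 1)[1].strip())
        hops.append((host, stamp))
    hops.reverse()  # lines are prepended, so the bottom line is the first hop
    return hops


def dwell_times(raw: str, collected_at: str) -> list:
    """How long the message sat on each server, as (host, timedelta).

    On the final server the copy waits until the recipient collects it;
    `collected_at` is that moment as an RFC 2822 date string, for instance
    taken from the POP3 server's log.
    """
    hops = received_hops(raw)
    departures = [stamp for _host, stamp in hops[1:]] + [parsedate_to_datetime(collected_at)]
    return [(host, left - arrived) for (host, arrived), left in zip(hops, departures)]


def total_exposure(raw: str, collected_at: str) -> timedelta:
    """Time between the first server accepting the message and the recipient reading it."""
    return sum((dwell for _host, dwell in dwell_times(raw, collected_at)), timedelta())


if __name__ == "__main__":
    collected = "Wed, 21 Feb 2001 08:30:00 +1300"
    for host, dwell in dwell_times(SAMPLE_MESSAGE, collected):
        print(f"{host:30} held the message for {dwell}")
    print("total:", total_exposure(SAMPLE_MESSAGE, collected))
```

For the constructed message the sender's ISP held it for about 25 minutes, the recipient's inbound relay for over 8 hours, and the mailbox server for over 14 hours until collection the next morning, so the copy was "at rest" on some server for almost the whole 23 hours. Only the Received: lines written by servers one trusts are evidence of anything: the lines below them, and the From: line itself, were supplied by the sender and can say whatever the sender likes.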

The Privacy Act 1993 may cover the email while it is on the mail server, but only for email between natural persons. And the Privacy Act 1993 does not provide the same range of legislative measures, such as offences for interception.

ISOCNZ recommends that the proposed legislation be extended to cover both the "man in the middle" attack (altering the network configuration so the traffic goes somewhere else first), and also interception while traffic is being held on a computer such as a mail server. Such an extension may require focusing more on the intention of the person intercepting the traffic, than on the means by which they do so, as there is no "interception device" in these situations.

2.3 "Intercept" duration is not sufficiently long

The Bill extends the definition of "intercept" to cover [Section 216A - Interpretation] "(b) any time during the period beginning with the time the communication is sent and ending at the time the intended recipient is able to have access to it", in addition to interception while the communication is taking place.

Particularly in the context of "store and forward" systems, such as email, it appears that the protection against interception will stop too soon. For instance it is arguable that once the message reaches the mail server of the intended recipient, which may be at their ISP, then the "intended recipient is able to have access to it", and the protection ends. This could be interpreted to mean that the protection against interception would not apply when the recipient downloads the message from their ISP.

ISOCNZ recommends that the wording of sub-clause (b) of the definition of "intercept" be changed to make it clear that the protection lasts for the whole time the traffic is on its way from the sender to the recipient.

2.4 Exception to "Private communication" too broad

In the context of computer networks, [Section 216A - Interpretation] sub-clause (b) of the definition of "private communication" which excludes "such a communication occurring in circumstances in which any party ought reasonably to expect that the communication may be intercepted by some other person not having express or implied consent of any party to do so" appears to be too broad an exception.

Because of the way that computer networks operate (discussed above), a person with knowledge of computer networks should reasonably expect that there is a chance of any communication they make over the computer network being intercepted and read, unless they have taken steps to encrypt the communication to prevent others from reading it even if it is intercepted.

While not all users of computer networks may be aware of just how easily their messages may be seen, it is an inherent part of the technology and widely known, and anyone reasonably familiar with the technology should anticipate that any unencrypted communication may be intercepted. Apart from computers typically being configured to "politely ignore" what other computers are saying, the situation is analogous to speaking in a crowded room where one could be overheard.

In the context of computer networks, ISOCNZ would recommend that sub-clause (b) of the definition of "private communication" be limited so as to only exclude those situations where someone has explicit or implied consent to listen to or intercept the traffic. ISOCNZ believes that "implied consent" will cover all the situations where communications might be legitimately intercepted.

3. "Interception" Part of Routine Computer Network Maintenance

ISOCNZ notes that the "interception" of network traffic is used as a routine measure in developing and maintaining computer networks and computer programs that operate over computer networks. Use of such techniques is not restricted to Internet Service Providers (ISPs) but is widely used as an invaluable day-to-day diagnostic tool on computer networks around the country, for example within a company's internal computer network. Such "interception" is typically of short duration and focused on solving a particular problem, but will occasionally extend over a longer time period to capture information about problems which occur only sporadically. Some interception, particularly that focused on monitoring the security of computer systems on the network, will be ongoing but focused on "suspicious" activity that should not normally be occurring.

ISOCNZ is concerned that the proposed Bill would restrict such invaluable activities. While the Bill does propose an exception for Internet Service Providers, this exception does not appear to be sufficiently broad to cover the many other useful activities.

ISOCNZ is also aware that some organisations, as part of monitoring the activities of their staff, monitor the activity on their computer networks. ISOCNZ believes such monitoring is only acceptable providing all parties are aware that it is occurring, and of the purpose and limits of the monitoring, but should not be prohibited in those circumstances.

ISOCNZ suggests that more general exceptions to the limits on "interception" be included in the Bill, such as:

  • interception as part of routine network maintenance/diagnostics including security monitoring (not just limited to ISPs)
  • interception as part of diagnosing problems with computer software that uses the network, during development of the software, and its implementation
  • interception by the owner of the network (and any staff or contractors they authorise to do so) for any purpose, providing the users of the network are notified of the (possibility of) interception.
  • interception where a "reasonable person" would assume that the communication were likely to be intercepted (this may also be covered by the exception to "private communication" in sub-clause (b) of its definition).

ISOCNZ also suggests that rules similar to those in the Privacy Act 1993 concerning the use of intercepted information, and the notification to users of the network, be included in the Bill to cover information intercepted under one of these exceptions.

4. Accessing a Computer System Without Authorisation

The Bill proposes a section 305ZFA which creates an offence of intentionally accessing a (part of a) computer system without authorisation, knowing that they are not authorised. ISOCNZ supports the addition of this offence.

However ISOCNZ is concerned that sub-clause (2) of the proposed section 305ZFA is ambiguous, and could be read to indicate that someone who was authorised to access one part of a computer system did not commit an offence if they then accessed another part of the computer system which they were not authorised to access, depending on what "it" is taken to refer to in the sub-clause.

ISOCNZ recommends that sub-clause (2) be reworded to make it clear that it is a clarification concerned with access to a (part of a) computer system that the person is authorised to access, for a purpose other than the purpose for which they were given access.

ISOCNZ suggests the alternative wording:

"(2) To avoid doubt, subsection (1) does not apply if a person who is authorised to access a computer system, or part of a computer system, accesses that computer system, or part of a computer system, for a purpose other than the one for which they were given access."

ISOCNZ also notes that it will be important that the legislation makes a distinction between access to different parts of the computer system, as it is common for everyone to be allowed to view the web pages stored on a computer, but only a few select employees to be able to log in to the computer and run programs on it, or change what is stored on it.

5. Remote "Break-Ins" by Law Enforcement Agencies

The Bill proposes a section 305ZFD, which excludes access gained under an interception warrant or other legal authority from the offence the Bill proposes as section 305ZFA.

ISOCNZ is concerned that this could be read to permit law enforcement officials to remotely "break in" to computer systems as part of executing an interception warrant. This raises several concerns, including the risk that a law enforcement official might inadvertently damage something on the system, and the concern that one "break in" looks very much like another.

A computer system administrator faced with a "break in" is unlikely to be able to tell it is a law enforcement "break in", and will need to follow the standard procedures when discovering a break in. These procedures typically include closing the computer system down (denying access to legitimate users), changing all the passwords, and either carefully checking the system to ensure nothing has been tampered with, or reinstalling all the software on the computer system from scratch.

The explanatory notes accompanying the Bill suggest that section 305ZFD is added simply to ensure that the current powers that law enforcement officials have to search a computer system remain intact.

ISOCNZ recommends that the proposed section 305ZFD be reworded so that it is clear that it permits only the existing powers of searching of computer systems which have been seized, or are on premises being searched; and that remote "break ins" by law enforcement officials, be expressly excluded.

6. Validity of Evidence

In a computer network, the sender and receiver of any communication are listed in the communication itself, typically as the computer which sent the information and the computer for which the information is intended.

Because this identification of the sender and receiver is part of the message itself, simply some of the bytes which make up the communication, it is possible for someone to pretend that the traffic was sent from a computer that it wasn't really sent from (or less usefully that it was sent to a computer that didn't really receive it).

Such a substitution of the identification of who sent and received the communication is essentially undetectable without having monitoring equipment at both the sender and receiver to ensure the information really did pass from the sender to the receiver. Simply monitoring the same computer network as the claimed sender or receiver is not sufficient to ensure that the traffic was really from the claimed sender, or to the claimed receiver, because a skilled user of any other computer on those networks could send a message claiming to be from or to another computer on that network.

Several computer programs already exist to pull off this sleight of hand, and techniques like this are used as part of computer break-in attempts. (By having the computer wanting access pretend to be one that is allowed access, it gains all the privileges of the computer that is allowed access. For connection-oriented protocols such as TCP the impostor must also predict the sequence numbers the target will use, since it never sees the target's replies, but this has proved practical against many systems.)
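The following is an added worked example, not part of the ISOCNZ submission, which makes the point above concrete: the sender and receiver of a packet are nothing more than bytes in its header. It builds an IPv4 header claiming an arbitrary source address, with a checksum that a receiving computer will accept, and parses it back the way a receiver or an interception device would. The addresses are from the documentation ranges and are constructed; nothing is sent on the wire.

```python
"""Added example (not part of the ISOCNZ submission): the sender and receiver
of a packet are only bytes in its header.  This builds an IPv4 header that
claims an arbitrary source address, with a checksum a receiving stack will
accept, then parses it back the way a receiver or interception device would.
Addresses come from the documentation ranges; nothing is sent on the wire."""
import socket
import struct

# version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol, checksum, src, dst
IPV4_HEADER = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 17,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """A minimal 20-byte IPv4 header.

    `src` is whatever the caller says it is: the network does not check it,
    and the checksum only protects against accidental corruption.
    """
    head = struct.pack(IPV4_HEADER, (4 << 4) | 5, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))
    return head[:10] + struct.pack("!H", ipv4_checksum(head)) + head[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """What a receiver, or an interception device, can read from the header."""
    fields = struct.unpack(IPV4_HEADER, packet[:20])
    return {
        "version": fields[0] >> 4,
        "header_length": (fields[0] & 0x0F) * 4,
        "total_length": fields[2],
        "ttl": fields[5],
        "protocol": fields[6],
        "src": socket.inet_ntoa(fields[8]),
        "dst": socket.inet_ntoa(fields[9]),
        # a correct header sums to 0xFFFF, whose complement is zero
        "checksum_ok": ipv4_checksum(packet[:20]) == 0,
    }


def forged_packet() -> bytes:
    """A packet from some third machine that claims to come from the trusted
    host 192.0.2.10 and is addressed to 198.51.100.20 (both constructed)."""
    payload = b"constructed payload"
    return build_ipv4_header("192.0.2.10", "198.51.100.20", len(payload)) + payload


if __name__ == "__main__":
    # src reads 192.0.2.10 and checksum_ok is True, although no such host sent it
    print(parse_ipv4_header(forged_packet()))
```

The parsed header is indistinguishable from one the real 192.0.2.10 would have produced, which is why a capture taken on the receiver's network alone cannot prove who sent it. The forger never sees the replies, so for TCP it must also guess the sequence numbers the target will use; the standard countermeasure at the network level is for ISPs to drop packets leaving a customer's connection with source addresses that do not belong to it (ingress filtering, RFC 2827).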

A similar situation is seen with Unsolicited Commercial Email (UCE), also known as "spam", where the name listed as the "sender" of the message, is frequently not the person who really sent the message. People sending "spam" know that their message is unwelcome, and hide (usually fairly successfully these days) who they really are, pushing the blame onto someone else.

In the case of users dialing up their ISP there is a further consideration which can call evidence gained by intercepting traffic into question. Most ISPs which accept "dial up" users have a pool of "IP addresses" (Internet Protocol addresses), which are handed out on a "first come, first served" basis to users dialling up, for use during their call when communicating with other users on the Internet. As soon as the user hangs up, the IP address they were using goes back into the pool of addresses, and will be allocated to another user who dials up.

This means that if traffic is intercepted coming from Internet address "A" which is one of the addresses used in a "dial up" pool at an ISP, it could have been used by any user with access to that ISP. The only way to tie it back to a particular computer (and from there to a particular user) is through the records at the ISP to establish which user was connected using that Internet address at what time. Unless the time at which users connected and disconnected is very accurately and correctly recorded, and the time at which the traffic was intercepted was very accurately and correctly recorded, it may be impossible to determine which computer actually sent the traffic.
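The following is an added worked example, not part of the ISOCNZ submission, of tying an intercepted packet from a dial-up pool address back to a user through the ISP's session records, and of how clock error between the interception equipment and the ISP's accounting system turns a clean answer into an ambiguous one. The session records are constructed, in the style of RADIUS accounting start and stop entries.

```python
"""Added example (not part of the ISOCNZ submission): attributing traffic seen
from a dial-up pool address to a user through the ISP's session records, and
how clock error between the interception equipment and the ISP's accounting
system turns a clean answer into an ambiguous one.  The records are
constructed in the style of RADIUS accounting start/stop entries."""
from datetime import datetime, timedelta

# Constructed ISP accounting log: (username, pool address, session start, session stop).
# Address 203.0.113.45 is handed to three different users over one evening.
SESSIONS = [
    ("alice", "203.0.113.45", datetime(2001, 2, 20, 19, 2, 10), datetime(2001, 2, 20, 19, 48, 33)),
    ("bob",   "203.0.113.45", datetime(2001, 2, 20, 19, 49, 5), datetime(2001, 2, 20, 21, 10, 0)),
    ("carol", "203.0.113.45", datetime(2001, 2, 20, 21, 12, 40), datetime(2001, 2, 20, 23, 59, 59)),
    ("dave",  "203.0.113.46", datetime(2001, 2, 20, 19, 0, 0), datetime(2001, 2, 20, 22, 0, 0)),
]


def candidate_users(ip: str, seen_at: str, clock_error_seconds: int, sessions=SESSIONS) -> list:
    """Users who could have held `ip` when the intercepted traffic was captured.

    `seen_at` is the intercept timestamp as an ISO 8601 string, as it would
    be read from the capture.  `clock_error_seconds` is the combined
    uncertainty between the intercept clock and the ISP's accounting clock;
    a session is a candidate if it overlaps [seen_at - err, seen_at + err].
    """
    err = timedelta(seconds=clock_error_seconds)
    seen = datetime.fromisoformat(seen_at)
    lo, hi = seen - err, seen + err
    return sorted({user for user, addr, start, stop in sessions
                   if addr == ip and start <= hi and stop >= lo})


def attribute(ip: str, seen_at: str, clock_error_seconds: int, sessions=SESSIONS):
    """The username if exactly one session fits, otherwise None.

    None means either that the address was between users at that moment (no
    candidate) or that the clocks cannot separate two consecutive sessions
    (several candidates).  Neither case supports naming a particular user.
    """
    users = candidate_users(ip, seen_at, clock_error_seconds, sessions)
    return users[0] if len(users) == 1 else None


if __name__ == "__main__":
    for seen, err in [("2001-02-20 20:00:00", 0),
                      ("2001-02-20 19:48:50", 0),
                      ("2001-02-20 19:48:50", 60),
                      ("2001-02-20 21:11:00", 120)]:
        print(seen, "+/-", err, "s ->", candidate_users("203.0.113.45", seen, err))
```

With accurate clocks a packet seen at 20:00 is Bob's and nobody else's. A packet seen at 19:48:50, sixteen seconds after Alice hung up and fifteen seconds before Bob connected, matches nobody if the clocks are exact, and matches both Alice and Bob once a minute of clock error is allowed. In practice this means the capture equipment and the ISP's accounting servers must be synchronised to a common time source, with the offset recorded, before an address-to-user attribution near a session boundary can be relied on.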

These considerations mean that, even with the best intentions, the evidence gained by intercepting traffic on a computer network may be subject to considerably more question than evidence gained by, say, a wire tap, where the voices of the people speaking clearly identify the conversation as being between those people.

There is also the risk of inadvertently capturing traffic from computers other than those being monitored due to the changes in who is using a particular IP address.

While such matters are obviously for a Court to consider when weighing up evidence, ISOCNZ feels it is important to point them out, so that the true limits of the gain from permitting the interception of traffic on computer networks can be weighed against the intrusion into the public's privacy by such measures.

7. Other Potential Offences

The Bill introduces an offence of accessing a computer system without authorisation, which is analogous to trespass laws in the "real world". There are a number of other parallels between the "real world" and computer networks which should also be explored.

7.1 "Denial of Service" Attacks

For instance one destructive thing which occurs on computer networks occasionally is a "denial of service attack". Briefly, the intention of such an attack is to prevent legitimate users of a computer system from being able to use it effectively (or at all). A number of electronic commerce websites have fallen victim to such attacks over the past year, preventing their customers from accessing their website. In many cases it takes the effect of someone making (or arranging for others to make) so many requests that look just like legitimate requests that no one else's request can be answered.

The "denial of service" situation is similar to someone preventing customers from entering a shop, or a workplace, which is covered by existing law. It can also be compared with someone making nuisance phone calls, so that the phone is "always busy" and legitimate callers cannot get through, which is also covered by existing law.

7.2 "Viruses" and "Trojans"

Another destructive thing which receives a lot of media attention is the creation of computer "viruses" and "trojans". A "virus" is a program that spreads copies of itself from computer to computer without further help from its author, hitching a ride on email messages, word processing documents, and other computer programs. A "trojan" is a program that pretends that it will do one legitimate thing, and then either in addition to doing that or instead of doing that does something destructive, such as deleting things, or sending private information to someone else. In both cases a lot of effort can be required to clean up afterwards.

In addition computer viruses can consume a lot of resources spreading themselves around making it difficult for legitimate work to be done. In some situations "willful damage" charges may be applicable, but in other situations it may be difficult to prove willful damage.

ISOCNZ suggests considering whether existing legislation can be extended to cover these situations, or whether the Bill can be extended to cover these situations.

8. Use of Interception Powers

8.1 Security Services - Domestic

ISOCNZ would be concerned if the proposed powers granted to the security services to intercept communication were used routinely to "spy" on either individual people, or groups of people, which the security services were interested in. ISOCNZ believes these powers should be used for specifically targeted investigations, of limited duration, and would like to see this purpose mentioned in the legislation, or at least the legislative history.

8.2 Security Services - International

ISOCNZ is also concerned that proprietary information of New Zealand businesses that may be intercepted using these powers remains in New Zealand. There have been suggestions that intercepted information is routinely exchanged with overseas security intelligence agencies. And there have been reports that some overseas companies believe that their proprietary information has leaked to foreign competitors through exchanges of intercepted information by security intelligence agencies, such as the story "Brit accuses US of snooping", published by IDG on 30 January 2001. A copy of this story is available online and similar reports were published by ZDNet on 29 January 2001, entitled "Echelon: The French Fight Back" and "Echelon: The evidence" and other news services.

ISOCNZ believes it is important that the viability of New Zealand businesses, particularly technology based businesses important to the New Economy, are not undermined by this legislation, or the actions taken under the authority of the legislation.

Appendix One

RECOMMENDATIONS

1. ISOCNZ broadly supports the underlying principles

ISOCNZ urges Parliament to ensure suitable strong encryption technology remains available to New Zealanders. ISOCNZ believes this is essential to ensure New Zealand's place in the growing electronic commerce markets, and the New Economy.

2. Concerns about definitions

2.1 "Interception device" too broadly applicable

ISOCNZ recommends that the definition of "interception device" be more restricted. In the case of computer technology, the law should explicitly require "a combination of hardware and software intended for interception", rather than merely one "capable of being used for" that purpose.

2.2 Interception without an "interception device"

2.2.1. "Proxy Caches" and

2.2.2 Hidden Redirection and

2.2.3 "Store and Forward"

ISOCNZ recommends that the proposed legislation be extended to cover both the "man in the middle" attack (altering the network configuration so the traffic goes somewhere else first), and also interception while traffic is being held on a computer such as a mail server. Such an extension may require focusing more on the intention of the person intercepting the traffic, than on the means by which they do so, as there is no "interception device" in these situations.

2.3 "Intercept" duration is not sufficiently long

ISOCNZ recommends that the wording of sub-clause (b) of the definition of "intercept" be changed to make it clear that the protection lasts for the whole time the traffic is on its way from the sender to the recipient.

2.4 Exception to "Private communication" too broad

In the context of computer networks, ISOCNZ would recommend that sub-clause (b) of the definition of "private communication" be limited so as to only exclude those situations where someone has explicit or implied consent to listen to or intercept the traffic. ISOCNZ believes that "implied consent" will cover all the situations where communications might be legitimately intercepted.

3. "Interception" part of routine computer network maintenance

ISOCNZ suggests that more general exceptions to the limits on "interception" be included in the Bill, such as:

  • interception as part of routine network maintenance/diagnostics including security monitoring (not just limited to ISPs)
  • interception as part of diagnosing problems with computer software that uses the network, during development of the software, and its implementation
  • interception by the owner of the network (and any staff or contractors they authorise to do so) for any purpose, providing the users of the network are notified of the (possibility of) interception.
  • interception where a "reasonable person" would assume that the communication were likely to be intercepted (this may also be covered by the exception to "private communication" in sub-clause (b) of its definition).

ISOCNZ also suggests that rules similar to those in the Privacy Act 1993 concerning the use of intercepted information, and the notification to users of the network, be included in the Bill to cover information intercepted under one of these exceptions.

4. Accessing a computer system without authorisation

ISOCNZ recommends that sub-clause (2) be reworded to make it clear that it is a clarification concerned with access to a (part of a) computer system that the person is authorised to access, for a purpose other than the purpose for which they were given access.

ISOCNZ suggests the alternative wording:

"(2) To avoid doubt, subsection (1) does not apply if a person who is authorised to access a computer system, or part of a computer system, accesses that computer system, or part of a computer system, for a purpose other than the one for which they were given access."

ISOCNZ also notes that it will be important that the legislation makes a distinction between access to different parts of the computer system, as it is common for everyone to be allowed to view the web pages stored on a computer, but only a few select employees to be able to log in to the computer and run programs on it, or change what is stored on it.

5. Remote "break ins" by law enforcement agencies

ISOCNZ recommends that the proposed section 305ZFD be reworded so that it is clear that it permits only the existing powers of searching of computer systems which have been seized, or are on premises being searched; and that remote "break ins" by law enforcement officials, be expressly excluded.

6. Validity of evidence

While such matters are obviously for a Court to consider when weighing up evidence, ISOCNZ feels it is important to point them out, so that the true limits of the gain from permitting the interception of traffic on computer networks can be weighed against the intrusion into the public's privacy by such measures.

7. Other potential offences

7.1 "Denial of Service" Attacks and

7.2 "Viruses" and "Trojans"

ISOCNZ suggests considering whether existing legislation can be extended to cover these situations, or whether the Bill can be extended to cover these situations.

8. Use of interception powers

8.1 Security Services - Domestic and

8.2 Security Services - International

ISOCNZ believes it is important that the viability of New Zealand businesses, particularly technology based businesses important to the New Economy, are not undermined by this legislation, or the actions taken under the authority of the legislation.

Submission prepared by the Internet Surveillance Working Group of ISOCNZ

Convenor: Ewen McNeill

