
The Crimes Amendment Act 2003 and the Government Communications Security Act 2003: An Interrelated History

"In early 2000, it was decided that the GCSB should be placed on a statutory footing similar to that of the NZSIS." 1

"We shape our tools and thereafter our tools shape us." 2

Introduction
In March 2003 the New Zealand Parliament enacted the Government Communications Security Act 2003, formalising the existence of the Government Communications Security Bureau, which had been in existence since 1977, as a Department of State. This paper argues that the legislation came about as a result of a number of amendments proposed to the Crimes Act 1961 in the Crimes Amendment Bill 1999, as well as the stated objective of making New Zealand's security arrangements more transparent and accountable. The amendments related to the enactment of a number of sections of the Crimes Act dealing with computer crime. As the legislation progressed until its ultimate enactment in 2003, various changes to sections relating to computer crimes and interceptions of communications meant that the existence of the GCSB had to be formalised; hence the legislation. It is argued that these amendments, associated as they were with communications technology, drove the GCSB into the legislative light from the shadows it had previously occupied. It could be suggested that, from a point of view of transparency of Government surveillance activities, this was a good thing.

This paper will trace the legislative events that resulted in the enactment of the computer crimes amendments to the Crimes Act and the associated moves towards the enactment of the Government Communications Security Act. It does not set out to offer any opinion on the content of the legislation other than to demonstrate its interaction. It will conclude with some observations on the legislative process surrounding the legislation in question and raise some questions for consideration on the wider issue of the nature of liberty in a new information paradigm.

Computer Crimes Legislation 1989-1999


In New Zealand, computer crime legislation was first proposed in 1989 in the Crimes Bill 1989, which proposed the creation of two offences in relation to computer misuse: accessing a computer for a dishonest purpose and damaging or interfering with a computer system. The Crimes Consultative Committee proposed a number of changes to the clauses, recommending that there should be three separate offences: accessing a computer and obtaining a benefit or causing a loss, accessing a computer with intent to obtain a benefit or to cause a loss, and a summary offence of unauthorised access to a computer punishable by a maximum of six months' imprisonment. 3 The amendment was abandoned when other matters in the Bill failed to obtain government support.

1 History of the GCSB Government Communications Security Bureau http://www.gcsb.govt.nz/aboutus/history.html (last accessed 18 August 2013). As will become clear, this is an inaccurate statement.
2 Marshall McLuhan Understanding Media: The Extensions of Man (Sphere Books, London, 1967).
3 New Zealand Law Commission Computer Misuse (New Zealand Law Commission, Wellington 1999 Report 54) at [3].

In 1998 interest in computer crime was sparked by two incidents which were rapidly followed by a Law Commission report on computer misuse.

The hacking incidents


On 26 August 1998 Andrew Garrett began harvesting usernames and passwords from Xtra users' computers and subsequently released information to Chris Barton of the New Zealand Herald that he had managed to compromise the security of the Xtra servers. What Garrett had in fact done was to use a Trojan Horse program to obtain the passwords of those computer owners. He made no secret of his involvement but, because of a dispute that he had with Telecom at the time, characterised the issue as one of Xtra's security. He was later prosecuted and convicted of five offences arising out of his activities. 4

In November 1998, 4,000 files were deleted from the Ihug Home Pages Server. No one was prosecuted, although investigation revealed that a 17-year-old New Zealander committed the action by effectively hacking the Ihug home pages server in California. 5

Computer crime and the adequacy of the existing law moved into sharp focus. The Law Commission had been examining aspects of E-Commerce but there had also been concerns about dishonest activity in the electronic banking context which had resulted in a Law Commission report in December 1998 entitled Dishonestly Procuring Valuable Benefits 6 following upon the case of R v Wilkinson. 7 That report also suggested a wider review of Part X of the Crimes Act 1961 which dealt with property offending. The Law Commission began to focus its attention upon computer crime.

The Ministry of Justice had also been considering issues arising out of computer misuse. The Minister for Justice announced a proposal to introduce into the House of Representatives legislation which would create criminal offences for certain types of computer misuse. 8 Because of the imminence of a Bill, on 13 May 1999 the Law Commission issued a final report on computer misuse which was confined to concepts and which did not include draft legislation. The Commission stated:

"While we would have preferred more time to consider the form of the legislative changes we consider it important for our work to be available both to the Ministry and the public in time for it to be of use." 9

4 R v Garrett [2001] DCR 955; R v Garrett (No 2) [2001] DCR 912. For a brief but useful account of the case see Information about Criminal Law and the Net Case Study 1 Netsafe http://www.netsafe.org.nz/archive/criminal/criminal_case1.html (last accessed 21 August 2013). See also Paul Brislen "ISPs Pleased with Verdict in Hacker Case" Computerworld 18 July 2001 http://www.computerworld.co.nz/article/512709/isps_pleased_verdict_hacker_case/ (last accessed 21 August 2013); Paul Brislen "Hacker Case Creates Precedent" Computerworld 18 July 2001 http://www.computerworld.co.nz/article/512710/hacker_case_creates_precedent/ (last accessed 21 August 2013).
5 "Ihug Boost Security after Hacker Hits 100 Accounts" New Zealand Herald, 1 February 2001 http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=114894.
6 New Zealand Law Commission Wellington 1998 Report 51.
7 [1999] 1 NZLR 403.
8 New Zealand InfoTech Weekly 11 April 1999, 1.
9 NZ Law Commission Computer Misuse above n. 2 p.ix http://www.lawcom.govt.nz/project/computercrime?quicktabs_23=report (last accessed 21 August 2013).

The Law Commission Computer Misuse Report

The Law Commission report on computer misuse 10 analysed the law relating to computer misuse and suggested that criminal liability be extended to actions in the electronic environment that, in their parallels in the real world, were not unlawful. The Commission considered that legislation dealing with computer misuse must address the following elements:

- Unauthorised interception of data stored in a computer;
- Unauthorised accessing of data stored in a computer;
- Unauthorised use of data stored in a computer;
- Unauthorised damaging of data stored in a computer.

As to the offences of unauthorised access and interception the Commission stated:

"The offences of unauthorised access and interception should require proof by the prosecution of intent: in relation to the interception offence, the prosecution should be required to establish an intention to intercept: in relation to the offence of access, the prosecution should be required to establish an intention to: cause loss or harm to the person entitled to the data or to some third party; or gain some form of benefit or advantage either personally or to a third party. We propose that the terms loss or harm and benefit or advantage be given a wide meaning and not be limited to pecuniary losses or benefits. In the case of offences involving use and damage, proof of carelessness should be sufficient to establish an offence." 11

The Law Commission also stated:

"that the existing criminal law is inadequate to deal with computer misuse. However, it would be possible to redraft existing law to cover the types of computer misuse to which we have referred in this report. If an attempt is made to amend the existing provisions of the Crimes Act 1961 to make them fit the matters discussed in this paper, there is a grave risk of error either by imposing criminal liability where it should not be imposed or by omitting provisions that ought to be included. We have no doubt that the only neat and sensible solution is to either have a separate statute dedicated to crimes of computer misuse, or, to have a distinct part within the Crimes Act 1961 relating to computer misuse." 12

The Law Commission concluded that the current criminal law was inadequate to deal with unauthorised computer access and a reform of the law was required. It defined access as
10 Ibid.
11 Ibid. p. xii.
12 Ibid. at [80].

covering a situation where a person without authority, whether through physical or electronic means, obtains access to data stored on a computer. It also considered that the prosecution should be required to establish: first, that the accused gained unauthorised access to data, and secondly that at the time of access, the accused had an intention to cause loss or harm or gain a benefit or advantage.

In the Law Commission's view, criminal intent was needed to avoid trivialising the criminal law by making every unauthorised access a criminal offence. This meant that those who gained access simply to achieve the prize of access will not be criminally liable for their actions. In other words, pure hacking will remain outside the scope of the law. The thrust of the Commission's recommendations was therefore directed towards the protection of the data or contents of the computer system rather than extending the prohibition to access as such. In the Commission's view, the access had to be accompanied by an element of intentional wrongdoing involving the data. This limited scope was extended as the computer misuse provisions of the Crimes Act Amendment Bill (No 6) made their way through the legislative process.

The Introduction of the Crimes Amendment Bill (No 6) - October 1999

In October 1999, the Crimes Act Amendment Bill (No 6) was introduced to Parliament and referred to select committee. The Bill was expansive, proposing a number of changes to the criminal law, but significantly created four new computer-based offences. In summary, these are as follows:

1. s 305ZE(1) accessing a computer system and dishonestly or by deception obtaining a financial benefit or causing loss;
2. s 305ZE(2) accessing a computer system with intent to obtain a benefit or cause loss;
3. s 305ZF(1)(a) damaging or interfering with a computer system with intent to cause serious damage; and
4. s 305ZF(2)(a) recklessly damaging or interfering with a computer system knowing that serious damage is likely to result.

On 5 October 1999 at the second reading of the Bill, the then Minister of Justice Mr Tony Ryall made the following observations:

"As the Minister of Justice I have made it clear that in respect of our legislation there are a number of imperatives that we the Parliament must work on in the next few years. The first is to make our legislation technology-neutral. There is no point in putting definitions of particular hardware or software into legislation, because such technology may not exist in a few years' time. It is vital that we make our legislation technology-neutral and describe the nature and the form of the offence rather than the specifics of the mechanism by which it was done. We want to make sure that our legislation is harmonised with international information technology and technological crime legislation. Also, we want to develop further work in terms of encryption and security. But this Bill will go some way in terms of putting into practice the Government's work programme, and it is my expectation that there will be further legislation in this area next year." 13

Thus the Minister wisely avoided technology-specific legislation and focussed instead upon the behaviour associated with a technology as the target of the legislation. He went on to say:

"This Bill creates new offences in relation to the misuse of and damage to computer systems. ... It will be an offence to access a computer and dishonestly---and that means without authority or by deception---obtain a financial benefit, or cause a loss to someone. This offence has a maximum penalty of 7 years' imprisonment. The second new computer offence is essentially an 'attempt offence' and has a maximum penalty of 5 years' imprisonment. The other new computer offences relate to damaging a computer with intent to cause damage or being reckless as to whether serious damage occurs. These have a 7-year penalty. A definition of 'computer' is not included. As I said earlier on, it is unlikely that such a definition would keep up with changing technology. Other jurisdictions have taken various approaches to this issue in their criminal statutes. England, for example, does not define it, whereas the United States does. As Minister, I will welcome comments on this in submissions to the select committee." 14

The Minister then went on to address the issue of access without authorisation without any associated intention to commit an unlawful act:

"The Government has also decided at this stage not to include an offence relating to unauthorised access of a computer. We recognise that this is a serious problem that needs addressing, but it does actually need quite a lot more work and consideration. However, I did not want to delay action on these changes at this stage. When someone from an outside firm manages to gain access to the firm's computer, commonly known as hacking, there is probably general agreement that this should be a criminal offence. However, I believe an offence should also cover employees who are not authorised, or go outside their authority to access information. Employers will therefore need to have clear levels of authority in place if such an offence is to be proven. This issue is more difficult, but we intend to put forward such an offence early next year." 15

Thus, unauthorised access was clearly on the table, but required further work. Of especial interest is the suggestion that employees should be liable if they were
13 Crimes Amendment Bill Second Reading Hansard 5 October 1999.
14 Ibid.
15 Ibid.

unauthorised or went beyond their authorisation to access computer systems. As will be seen, this was the subject of a specific exemption when the Bill was finally enacted and appears in s. 252(2).

In the debate, Phil Goff MP castigated the Government for delaying action on computer crime and pointed to what he saw as the motivation for the amendments:

"Last year a hacker destroyed 4,500 web pages hosted by the Internet Group. Another hacker breached the password security of Telecom's Internet service provider XTRA, and nothing was done because the law was not in place. Finally, after a decade, the Government has been sufficiently embarrassed by those people getting away with those offences that it has brought to this House a new Bill. I welcome the provisions of the Bill but they have been too long in coming and I think the select committee will have to examine whether, even now, they are sufficiently strong to deal with the computer crimes that are happening in our society." 16

Mr Goff then went on to consider the absence of the offence of unauthorised access to computer systems:

"What we have not yet got is the further offence of hacking into a computer system, and the Minister has said that he is not yet ready to do this. So we still have that problem, and he hopes that next year something will be done. Next year! That will be some 11 years after the Crimes Bill and still the Minister has not acted."

Paul Swain MP looked at the broader picture that he considered the legislation did not address:

"The point really is that the member does not get it. It is not just about hacking, and it is not just about computer crime, it is about a whole pile of other things as well. It is about the whole issue of security across the Internet, which implies security for electronic commerce. It is about the protection of intellectual property rights, which is an issue of the Internet, and an issue of electronic commerce. For example, it is about protecting and promoting consumer rights in cyberspace. That is what electronic commerce is about. Computer crime and hacking are only a little tiny part of a much bigger picture."

The Bill was referred to a Select Committee. However, in November 1999 there was an election and the National Government was replaced by a Labour-led Government under Helen Clark. It was under the new Government that further developments, heralded by speakers from both sides of the House in 1999, were considered and proposed.

16 Ibid. As it happens Mr Goff was later proven to be incorrect. The Xtra hacker Andrew Garrett was prosecuted and convicted of offences existing under the law as it stood arising out of his action: see R v Garrett above n. 4.

Supplementary Order Paper 85 - 2 November 2000


On 2 November 2000, Keith Locke MP had a question for the Prime Minister:

"Would the proposed changes to the Crimes Amendment Bill (No 6), if passed, allow the Government Communications Security Bureau, under certain circumstances, to intercept e-mail communications of New Zealanders; if so, what would the circumstances be, and what authorisation would be required?" 17

The Prime Minister replied:

"No. The proposed changes provide specifically that the Government Communications Security Bureau may only intercept private communications which are both--(a) Private communications of a foreign organisation or foreign person (or a representative or agent of a foreign organisation or foreign person); and (b) Private communications which contain, or may reasonably be expected to contain, foreign intelligence. The expressions 'foreign organisation', 'foreign person', and 'foreign intelligence' are defined in the proposed amendment in such a way as to make it clear that the Government Communications Security Bureau may not intercept the communications of New Zealanders, whether in e-mail or any other form." 18

Mr Locke was referring to Supplementary Order Paper 85 (SOP 85) and the question arose because of its scope. SOP 85 was not restricted to adding the criminalisation of unauthorised access to a computer system. There were a number of other changes to Part 9A of the Crimes Act, which dealt with crimes against personal privacy and the unauthorised use of interception devices. Exceptions were provided where interception of communications was authorised by law. The amendments to the Crimes Amendment Bill proposed by SOP 85 were quite wide-ranging and in some respects reflected what could be called scope creep in dealing with the involvement of law and new communications technologies.

Before looking at SOP 85 it is necessary to briefly talk about the legislative structure of the Crimes Act. Like most statutes the Crimes Act is divided into a number of parts. The Law Commission recognised this when it recommended that any provisions relating to computer crimes should have their own part. The Crimes Amendment Bill (No 6) covered a number of proposed amendments to the Crimes Act, particularly in the area of property offences. Property offences are covered in Part 10 of the Crimes Act. Within that part there are a number of subdivisions: unlawful taking, burglary, robbery and blackmail, crimes involving deceit, money laundering, receiving, forgery and counterfeiting, coinage, arson, damage and waste.

17 Hansard 2 November 2000.
18 Hansard 2 November 2000.

The Amendment Bill proposed that computer crimes would have their own subdivision within Part 10 of the Crimes Act. There are two other parts of the Crimes Act that were involved in SOP 85 and were related to legislation involving new technologies. Part 9A dealt with crimes against personal privacy and focussed on the use of listening devices and prohibitions on recording private conversations using listening devices. Part 11A involved obtaining evidence by way of listening devices. Essentially, both parts dealt generally with bugging conversations, prohibitions against such activity and the provision of exceptions in the case of law enforcement. Part 11A provided a strict regime for obtaining warrants by the Police for the use of listening devices, and the circumstances where the fruits of the use of listening devices (and later, interception devices) could be admitted as evidence.

In essence SOP 85 replaced references to listening devices with the term interception device, 19 updating the legislation to cover not only contemporaneous bugging but the wider power to hear, listen to, record, monitor, acquire, or receive the communication while it is in transit. 20 The overall scheme of the amendments was to maintain earlier prohibitions on the use of listening devices and an extension to interception devices for the intentional interception of private communications. There are exceptions provided where the person intercepting the private communication is a party to the communication. SOP 85 provided another exemption. The prohibition was not to apply to the interception of private communications by any interception device operated by the Government Communications Security Bureau for the purpose of intercepting private communications that are both:

(a) private communications of
(i) a foreign organisation, or foreign person; or
(ii) a representative or agent of a foreign organisation, or foreign person; and
(b) private communications that contain, or may reasonably be expected to contain, foreign intelligence.

Now provisions regarding changes to the law relating to offences against privacy and the warranted bugging by the Police for the purposes of obtaining evidence had not been a part of the original Bill, and as I suggested the proposals contained in SOP 85 reflected significant scope creep. In addition there was a proposed change to the computer crimes provisions. The offence of access to a
19 An interception device was defined in SOP 85 as any electronic, mechanical, or electromagnetic instrument, apparatus, equipment, or other device that is used or is capable of being used to intercept a private communication. Hearing aids were excluded along with a provision for an exemption made by the Governor-General by Order in Council.
20 This was the position in s.312A of Crimes Act 1961 after the 2003 amendments had been enacted. The provisions of Part 11A have been repealed and the circumstances where private communications may be lawfully intercepted are now part of the Search and Surveillance Act 2012. SOP 85 proposed a slightly more complex approach in that the private communication could be intercepted at any time during the period beginning with the time the communication is sent and ending at the time that the intended recipient is able to have access to it. When the Bill was reported back by the Law and Order Committee the wording was changed from that proposed by SOP 85 to read while it is in transit from the person sending the communication to the person intended to receive it.

computer system without authorisation. The wording of the new section (s. 305ZFA in SOP 85) as proposed reads as follows:

"Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system or part of a computer system without authorisation knowing that he or she is not authorised to access that computer system or part of that computer system or being reckless as to whether or not he or she is authorised to access that computer system or part of that computer system."

By prohibiting access to computer systems, within the context of the new provisions relating to interception and privacy of communications the Government had to provide for exceptions for organisations which might be involved in this activity. Accordingly, SOP 85 contained this provision:

(1) Section 305ZFA does not apply if the person accessing a computer system or part of a computer system
(a) is an employee of the Government Communications Security Bureau; and
(b) is discharging his or her duty as an employee of the Government Communications Security Bureau to collect foreign intelligence; and
(c) is authorised, in writing, by the Minister responsible for the Government Communications Security Bureau.

(2) The Minister responsible for the Government Communications Security Bureau may authorise an employee of the Government Communications Security Bureau to access a computer system or part of a computer system of a specified foreign organisation or foreign person if the Minister
(a) has consulted with the Minister of Foreign Affairs and Trade; and
(b) is satisfied that
(i) there are reasonable grounds to believe that no New Zealand citizen or person ordinarily resident in New Zealand is specified as a foreign organisation or foreign person whose computer system may be accessed; and
(ii) the access is necessary for the purposes of collecting foreign intelligence; and
(iii) the value of the information sought to be obtained justifies the access; and
(iv) the information is not likely to be obtained by other means.

There were also qualified exemptions for the SIS where an interception warrant under the SIS legislation had been issued and for law enforcement agencies who accessed a computer system under the execution of an interception warrant, search warrant or other legal authority.

Speaking to the introduction of SOP 85, the Associate Justice Minister, Paul Swain MP, said of the changes to parts 9A and 11A:

"They are not currently included in the bill. The purpose of the interception proposals is to extend the offences and warrants to cover electronic technology. One of the main purposes of the Crimes Amendment Bill (No 6) is to ensure that property offences cover electronic technology. I believe that the proposals in the Supplementary Order Paper have sufficient commonality with the bill to be included in it." 21

21 Hansard 16 November 2000.

He then went on to consider the creation of the new offence of unauthorised access (he referred to it as hacking) and the ramifications of that proposal. And this is where the interrelationship with other aspects of the law relating to the use of electronic technologies comes into play. Mr Swain said:

"The bill contains a new computer offence---that is, accessing a computer system without authorisation, which is commonly referred to as hacking. Currently, in New Zealand it is not unlawful for anyone to hack into someone else's computer. The bill makes hacking unlawful, with a penalty of imprisonment for up to 2 years for those convicted of that offence. It is designed to bring us into the 21st century, and to bring us up to speed with new technology. If we start to introduce laws that make hacking unlawful, issues immediately arise such as whether there should be any exemptions. That arises automatically when we want to introduce legislation such as this. The Government says that, yes, there should be exemptions, and consequently certain qualified exemptions to the offences are proposed for law enforcement and security agencies that are properly authorised. It is important to point out that there will be proper authorisation for those exemptions, primarily through a search warrant or interception warrant---two systems currently available to the police and security agencies." 22

As at 16 November 2000 there were provisions in the law for the issue of search and interception warrants to the Police and SIS. Apart from the wording of the qualified exemption for the GCSB 23 there was no authority at law that enabled the issue of a search warrant or an interception warrant to a member of the GCSB enabling access to a computer system, apart from an Order in Council that related specifically to the Waihopai site. Mr Swain said that the exemption for the GCSB would ensure greater transparency. The exemption is not limited to any particular site, as was then the case.
Keith Locke had this to say about the scope creep of SOP 85. The Associate Minister of Justice put stress on the bill being an anti-hacking measure and an anti-interception measure, and of course we support any bill opposed to hacking or interception. In fact, we asked the Minister to put such provisions in a separate Supplementary Order Paper, but those few clauses against hacking and interception amount to about only one page of this 12-page Supplementary Order Paper. The rest of the clauses are a major assault on our privacy. They give the police, the Security Intelligence Service, and the Government Communications Security Bureau the right to hack into our computers and intercept our emails, faxes, and message pagers. Mr Swain said this measure will enable agencies to catch criminals. No one is disputing that we might be able to catch a few more criminals through such interception. Surveillance cameras placed on every street in the country might catch more criminals, but we always have to ask ourselves what the cost is to our privacy. Do we really want to live in a surveillance society? Electronic interception is not just a question of modernising police

Ibid. The emphasis is mine. Authorisation by the Minister in writing to an employee of the GCSB after being satisfied of the matters contained in 305ZFC(2)(b)(i) (iv) i.e. (i) there are reasonable grounds to believe that no New Zealand citizen or person ordinarily resident in New Zealand is specified as a foreign organisation or foreign person whose computer system may be accessed; and (ii) the access is necessary for the purposes of collecting foreign intelligence; and (iii) the value of the information sought to be obtained justifies the access; and (iv) the information is not likely to be obtained by other means.
23

22

and security agencies' powers beyond their present letter opening and telephone tapping, as has been made out; computer interception is a whole different ball game. For example, the Carnivore system, which the FBI uses, allows keyword searches through vast amounts of email. Britain has a system called ``RIP''---which is a very appropriate name; it comes from the Regulation of Investigatory Powers Bill---where a kind of black box is attached to the servers of Internet providers, and the traffic is routed through to MI5. There are several problems. The first problem is that the emails of many ordinary people will be intercepted by the system just because they accidentally use certain keywords, and their messages will be scrutinised. This has already happened with the Echelon system of which the Waihopai station near Blenheim is a part. Emails and faxes passing through a Pacific satellite are intercepted through keyword searches. Under this Supplementary Order Paper, the government Communications Security Bureau, which runs Waihopai, will be allowed to increase its power, including surveillance within New Zealand, and not just through that Pacific satellite. Supposedly, the Government Communications Security Bureau is allowed to spy only on foreigners---foreign people and foreign organisations. However, if we look at the definitions of a target in this Supplementary Order Paper, we see that organisations like Greenpeace or an international trade union federation would fit under those definitions. 24 Tony Ryall MP, who, it will be remembered, introduced the Crimes Amendment Bill (No 6) made these comments in support of the reference of SOP 85 to the select committee: We also support the introduction of anti-hacking provisions. However, we remain concerned that the Government is failing to address the issue of ``denial of service'' attacks. We have commented several times to the Minister on the need to address that. His officials tell him it has been fixed. 
That is questionable, considering that the rest of the computer technology community says it has not been fixed. The Supplementary Order Paper makes hacking---the unauthorised or reckless use of computer systems---an offence. But it also provides qualified exemptions for the security agencies---the Security Intelligence Service, the Government Communications Security Bureau, and New Zealand Police. The Supplementary Order Paper makes it clear that interception may be done only under a warrant from the appropriate authorities, as is the case with a telephone tap.an agency, a person such as the Prime Minister, or the various commissioners involved. The various agencies will get these warrants when they need them, provided that they comply with the requirements of the legislation. The interception warrants will be granted by independent bodies, as per the requirements of the legislation. 25

It is fair to conclude at this stage that Mr Ryall was referring to the Police and the SIS, both organisations having statutory provisions for the issue of search or interception warrants.

But the concern of the National Party in Opposition is that when the police seek to tap a telephone, or when the Security Intelligence Service seeks to tap a telephone, it is a discrete action. It requires a warrant. It requires the police to take their equipment and attach it to the telephone line or exchange as is necessary. The equipment does not stay there dormant; it is taken away. It is used when there is a warrant. What concerns this Opposition is that the Government is talking about installing permanent listening devices between Internet service providers and the police and security agencies---permanent, hard-wired listening devices;
24 Hansard 16 November 2000.
25 Ibid.

devices that are permanently affixed to the Internet service provider. We agree with Mr Locke that that has the potential to be a wolf in sheep's clothing, and I want to explain to the House why. The police are allowed to access the Wanganui computer system only as authorised. That is what the Minister will say about these hard-wired Internet connections---that the police can access them only when they have authority. But as Mr Locke explained, and as members of this House are well aware, the Wanganui computer, the Law Enforcement System, from time to time is accessed by police who are unauthorised, and for unauthorised purposes. That is the risk with the Government's plan to put permanent, hard-wired listening devices between Internet service providers and law enforcement agencies. I have no problem with the police and the Security Intelligence Service getting a warrant to go to an Internet service provider and tap into the Internet for a distinct and specific case that has been approved by a granting authority. What I am concerned about is the Government having a permanent line into every Internet service provider in this country. The reason I am concerned about that is that the Government can offer no guarantee those lines will be used only for authorised and warranted purposes. Privacy is at stake. We know that the Wanganui computer is misused from time to time, and the hard-wired listening device that the police and agencies are discussing as we speak has the potential to be misused. The computer industry today has sufficient technical and forensic expertise to assist the security agencies and police without their having a permanent connection. I need to be very much convinced that these permanent, hard-wired listening devices connected to Internet service providers can be secure.
We need to be assured that no one will be thinking he or she can tap into the Internet to find out what emails are going backwards and forwards from a tenant who owes him or her money. We need to be assured of that. For the last 6 months in Britain a huge barney has been going on about the right that the British security agencies have been insisting on to connect hard-wired listening devices to every Internet service provider. The National Party Opposition wants to make it clear to the Minister that we understand why this legislation is needed for the security of New Zealand, and we respect the fact that warrants will be granted to the police and the Security Intelligence Service as appropriate, but we want an assurance about the processes that will be put in place to facilitate that. We will not support permanent, hard-wired listening devices between Internet service providers and security agencies in this country. It is just too risky. 26

Mr Ryall had no problem with the obtaining of information where a properly authorised warrant had been obtained, but his concerns moved towards the technology of interception of messages at Internet Service Provider level. There was nothing in SOP 85 that addressed that particular solution, although it is possible that Mr Ryall considered it feasible. His concerns were to be prophetic, for precisely that capability was the subject of the Telecommunications (Interception Capability) Act 2004.

Matt Robson MP made these observations, sounding a warning about the scope of powers that may be given to surveillance agencies:

Other provisions of the bill, affecting the powers given to the Security Intelligence Service and the Government Communications Security Bureau, in our view need very careful consideration. The reason is that any type of secret intelligence agency with those powers
26 Ibid.

can, if they are used in an untrammelled way, cause great public mischief. So we, as a party, have always been keen to make sure that the powers of any secret intelligence-gathering agency are very carefully circumscribed, are authorised by the public authorities, and are only available for the purpose of detecting any criminal mischief---not used for spying, or for looking at people's legitimate political opinions. 27

Thus the concerns of members were not so much about the proposed new offence of unauthorised access to a computer system. In fact there was support for that. The concerns were for the limited exemptions that appeared not only in s. 305ZFC but also in the provisions of the amendments to Part 9A following upon the extension of a listening device to an interception device. Privacy of communications, the potential for abuse of the system and the use of intercepted communications possibly for political purposes were exercising the minds of Members at the time.

The quote at the beginning of this essay suggests that early in 2000, legislation for the GCSB was contemplated. I suggest that the evidence surrounding the introduction of SOP 85 and the provisions proposed in it lead to another conclusion. That conclusion is that as at 16 November 2000, such legislation was not contemplated. My reasons for such a conclusion are these:

1. No proposed legislation governing the GCSB was mentioned by any of the speakers when SOP 85 was introduced.
2. When Keith Locke posed his question to the Prime Minister on 2 November 2000 no mention was made by her in her reply of any proposed legislation governing the GCSB. If such legislation had been in contemplation I would have thought it would be mentioned in the answer. Instead the Prime Minister's answer reflected the terms of the qualified exemption that appeared in s. 305ZFC.
3. The provisions of s. 305ZFC themselves set out a process exempting GCSB employees from liability for unauthorised access to computer systems. No mention is made of warrants. No mention is made of any anticipated legislation. The process that is set out is reasonably clear. The exemption applies to an employee of the GCSB who is discharging a duty as an employee to collect foreign intelligence and is authorised in writing by the Minister for the GCSB. The prerequisites are clear. S. 305ZFC then goes on to prescribe the circumstances whereby the authorisation by the Minister in charge of the GCSB may be made. There had to be consultation with the Minister of Foreign Affairs and Trade. The GCSB Minister had to be satisfied that the target of the computer access was NOT a New Zealand citizen or person ordinarily resident in New Zealand and that the target was a foreign organisation or person; that access was necessary for the purposes of collecting foreign intelligence; that the value of the information sought justified the access and that the information was not likely to be obtained by other means. This is a fairly detailed prescription and would not have been so detailed and specific, nor proposed as an amendment to the Crimes Act, if the introduction of legislation governing the GCSB had been contemplated.

Therefore, it is my conclusion that as at November 2000 the Government was content to allow the GCSB to continue as it had before and that there was no GCSB specific legislation contemplated. 28 However, it would later become necessary for some statutory framework to be put in place to legitimise both the existence of the GCSB and the issue of search or interception warrants to it or its employees.

SOP 85 and the Crimes Amendment Bill No 6 were referred to the Law and Order Select Committee which reported back on 18 July 2001. By that time the GCSB Bill had been introduced. So
27 Ibid.
28 I say this on the basis of readily available public information. For the preparation of this essay I have not made any Official Information Act enquiries nor have I had access to any policy documents that may have suggested otherwise than what I have concluded.

we shall take a break from the chronology of the Crimes Amendment Bill (No. 6) and look at the history of the GCSB.

The Government Communications Security Bureau Early History


Since the Second World War, the New Zealand Government had a signals intelligence (SIGINT) capability. There was also a need to ensure that there was technical security (TECSEC) of Government communications systems to prevent bugging and that its sensitive messages could not be read by third parties (communications security, or COMSEC). Until the establishment of the GCSB, these services were provided by bodies such as the New Zealand Defence Force and the New Zealand Security Intelligence Service (NZSIS). 29 In 1977, the then Prime Minister, Robert Muldoon, approved the formation of the GCSB, but its functions and activities were kept secret. In 1980 it was decided that the existence of the GCSB could be disclosed on a limited basis, leading to the first briefings of the Cabinet and the Leader of the Opposition. These briefings only acknowledged the GCSB's TECSEC and COMSEC functions, but not its SIGINT functions. Prime Minister Muldoon publicly acknowledged the existence of the GCSB and its SIGINT function in 1984. 30 One of the most visible manifestations of the existence of the GCSB were the communications facilities situated at Waihopai, distinguishable by the protective domes reminiscent of giant puffballs. 31 Another facility is operated at Tangimoana Station near Palmerston North. 32

The GCSB Bill
The GCSB Bill was introduced on 2 May 2001 and at the first reading of the Bill on 8 May 2001, Michael Cullen MP had this to say:

29 The functions now handled by the GCSB were split between three organisations: Communications security was the responsibility of the Communications Security Committee, based around the Prime Minister's office and the Ministry of Foreign Affairs. Signals intelligence was the responsibility of the Combined Signals Organisation, run by the military. Anti-bugging measures were the responsibility of the Security Intelligence Service. Government Communications Security Bureau Wikipedia http://en.wikipedia.org/wiki/Government_Communications_Security_Bureau (last accessed 18 August 2013)
30 History of the GCSB Government Communications Security Bureau http://www.gcsb.govt.nz/aboutus/history.html (last accessed 18 August 2013).
31 http://en.wikipedia.org/wiki/Waihopai_Station
32 Phil Goff MP made the following remarks when the GCSB Bill was introduced. In its current form the Government Communications Security Bureau was set up back in 1977. In 1982 it established a facility at Tangimoana, and that consolidated radio interception capability. In 1989 it opened up a satellite communications interception station at Waihopai. Until now, over that 24-year period the Government Communications Security Bureau has operated as a non-statutory organisation. Hansard 8 May 2001. See also the speech of Richard Worth MP at Hansard 25 March 2003 for a helpful background to the GCSB http://www.parliament.nz/en-nz/pb/debates/debates/47HansD_20030325_00001124/governmentcommunications-security-bureau-bill-%E2%80%94-in-committee (last accessed 22 August 2013). See also http://en.wikipedia.org/wiki/Tangimoana_Station (last accessed 22 August 2013)

Since its creation in 1977, the Government Communications Security Bureau has been a non-statutory organisation. The New Zealand Security Intelligence Service, on the other hand, has had its own empowering legislation for more than 30 years. The New Zealand Security Intelligence Service Act of 1969 established the service, and, through a series of amendments since that time, continues to define its functions, delineate the scope of its authority, and make provision for the issue of the interception of warrants. Oversight of the activities of the Government Communications Security Bureau, however, was significantly enhanced in 1996 by the passage of the Inspector-General of Intelligence and Security Act and the Intelligence and Security Committee Act. The bill before the House today serves to remove the distinction between the firm statutory footing on which the New Zealand Security Intelligence Service exists and the less clearly defined position of the Government Communications Security Bureau. 33

In the absence of a legislative framework for the Government Communications Security Bureau, for example, some people wrongly infer that the bureau's signals intelligence operations target the communications of New Zealand citizens, that the Government Communications Security Bureau exists only as an extension of a much larger overseas signals intelligence operation, and that the bureau's operations are beyond the scope of parliamentary scrutiny. I reiterate today that the Government Communications Security Bureau does not set out to intercept the communications of New Zealand citizens or permanent residents. Furthermore, the reports of the Inspector-General of Intelligence and Security have made it clear that any allegations to the contrary are without foundation. The inspector-general has reported his judgment that the operations of the bureau have no adverse or improper impact on the privacy or personal security of New Zealanders. Notwithstanding such assurances, the perception has remained in some quarters that the bureau has been insufficiently accountable, and that its operational scope has been inadequately defined. This bill puts the position of the bureau beyond doubt as a legitimate agency of Government. 34

Jenny Shipley MP described the Bill as the last step in what had been a series of legislative measures that have brought New Zealand's security and intelligence framework into a much more public setting than has been the case historically. She suggested that protection by a strong legislative framework would be reassuring to New Zealanders. She did want to give some assurances from her side of the House and she said:

...that this bill is about foreigners, and not about New Zealanders. For example, if a communication is to be intercepted on a New Zealand network, it can be done only if an interception warrant is secured. Therefore, it is on the record that it has been gone through properly with all the levels of scrutiny that are now available, and reviewed in addition to that scrutiny.
33 Hansard 8 May 2001.
34 Ibid. The emphasis is mine.

There is a review of the process in retrospect, so that we can be satisfied that there are no loopholes. New Zealanders can be assured, far more than ever before, that we now have a very, very thorough process. It should give them complete confidence that their interests are not being undermined while their interest in having an adequate external security is being satisfied. 35

Richard Prebble MP echoed Mrs Shipley's comment that the Bill completed the legislative framework underpinning New Zealand security services whilst at the same time stating that security agencies should be subject to some parliamentary scrutiny wider than just Ministers. In describing GCSB activities since 1970 he claimed:

Of course it was always lawful, but because it was not under a statutory framework and did not have specific parliamentary scrutiny, it was possible for people to make up the most fanciful explanations of what our Government bureau was doing. 36

The purpose of the legislation, according to Mr Phil Goff MP, was to introduce transparency, clarity and accountability to the entire framework of New Zealand's security arrangements. The Security Intelligence Service Act 1969 had been in place for many years. Clearly, it was time that the GCSB should be placed on the same footing. At the same time, Mr Goff felt the need to emphasise the assurances that had been given by Mr Cullen and Mrs Shipley.

The Government Communications Security Bureau, of course, could continue to operate on the same basis as it has, but this Government believes it is preferable that security and intelligence agencies operate within a clear legislative framework that prescribes their powers and sets out their accountabilities. That is the purpose of this bill. In that sense, this bill is an important step towards greater transparency in the work of security and intelligence agencies. Oversight of the Government Communications Security Bureau has already been significantly advanced by the passage back in 1996 of the Inspector-General of Intelligence and Security Act and the Intelligence and Security Committee Act. Both those pieces of legislation have been important in ensuring that there is oversight and supervision of security agencies. The Act created the position of Inspector-General of Intelligence and Security, which, by tradition, is filled by a retired High Court or Court of Appeal judge. This bill contributes to a clear public understanding of the work of the Government Communications Security Bureau by setting out what its legitimate roles are. The legislation specifies the bureau's objective and functions. It creates a regime for the interception warrants to be issued, and, likewise, for computer access authorisations to be issued. The objective of the agency is to contribute to New Zealand's security and defence, its international and economic well-being, and its general conduct of international relations. It does that quite simply and quite openly by providing foreign intelligence, including the interception of foreign communications.

35 Ibid.
36 Ibid.

Clause 4 is a key clause because it provides legislative protection for the rights of ordinary New Zealanders. It specifies, for example, that the bureau may not take any action for the purpose of intercepting the communications of a New Zealand citizen or a permanent resident unless that person is acting in the capacity of a representative or an agent of a foreign Government or organisation. In particular, this legislation makes it clear that the bureau's signal intelligence operations do not target the communications of New Zealand citizens. That is not simply a matter of faith, it is confirmed annually in the reports of the Inspector-General of Intelligence and Security. The Inspector-General also provides oversight to ensure that the operations of the bureau do not have an adverse or an improper effect on the privacy or personal security of New Zealanders, and each year his obligation---his role---is to confirm that this is the case. 37

The Bill was then referred to the Security and Intelligence Committee and came back before the House for its second reading on 19 November 2002. In the meantime, the Law and Order Committee reported back to the House on the Crimes Amendment Bill No 6 on 18 July 2001, two months after the GCSB Bill was introduced. Nothing was said about why it was necessary to introduce the Bill at this precise time other than the rather general remarks to the effect that it introduced transparency and, as Ms Shipley said, was the last step in the series of legislative measures that have brought New Zealand's security and intelligence framework into a much more public setting. So what had changed between November 2000 and May 2001 that necessitated the introduction of the GCSB Bill, and that meant that there had to be clarity, transparency and accountability in its operations? In a word: the Internet.

If one looks at the earlier operations of the GCSB, it had conducted its operations mainly through the satellite stations situated at Waihopai and Tangimoana. Their work was all about wireless signals monitoring and interception. The Internet had changed all that. Although there are many ways of connecting to the Internet, essentially the basic structure of the Internet is a hardwired backbone to which people connect. This, and the nature of digital technologies and communications, were paradigmatically different from the systems with which the GCSB had earlier dealt. New and enhanced surveillance and monitoring capabilities were introduced by the new paradigm. Tools such as Carnivore, an e-mail monitoring system operated by the FBI, and Echelon, an established signals intelligence and analysis programme operated by the five signatory states to the UK USA Security agreement (of which New Zealand was a signatory), were directly involved in data and intelligence analysis involving aspects of the Internet. If New Zealand was to fulfil its obligations within the context of international security protocols, the scope of GCSB operations would have to be extended. Part of that involved accessing computers without the knowledge or authorisation of the operator, but with some form of approval process akin to a warrant. And in this respect there was a problem created by the new offence proposed in SOP 85
37 Ibid. Again, the emphasis is mine.

and in the proposed widening of the scope of privacy protections in Part 9A of the Crimes Act. Clearly the proposed s. 305ZFA was seen as insufficient, together with a desire to clarify the scope of GCSB powers. The widened opportunities for surveillance introduced by the Internet meant that the powers of the GCSB had to be widened commensurately. In addition, with widened opportunities for surveillance activity, the lack of an accountable and transparent system might attract adverse comment from the Inspector-General of Intelligence and Security. Concern was also expressed from other quarters. Bruce Slane, the Privacy Commissioner at the time, made a detailed submission on SOP 85. In the course of that submission he expressed his concern with the privacy implications associated with large-scale electronic surveillance. He was especially concerned with the position of the GCSB and said:

A precursor to GCSB having the benefit of an exemption from the prohibition on the use of listening devices, should be to place the Bureau on a statutory footing; and create a statutory warrant process for the Bureau to undertake any intrusive activity particularly where that activity would, if performed by any other person, constitute a breach of the law. 38

It should also be noted that the fateful day of 11 September 2001 was still some months away.

The Law and Order Committee Report on the Crimes Amendment Bill No 6 18 July 2001
In its report the Committee made reference to the provisions relating to exemptions for state agencies to interception procedures, observing concerns at the:
- inclusion of qualified exemptions for State agencies from the unauthorised access offence, and the belief that there are insufficient safeguards or controls on these agencies to warrant these exemptions being granted
- proposed changes to the definitions of "private communication" and "interception device", and the effect this has on the scope of authorised interceptions by agencies such as the police and the GCSB. 39

The GCSB Bill received special mention. It was observed that the Bill contained an authorisation process, a requirement for annual reports and oversight of interception warrants and computer access authorisations by the Inspector-General. It was unclear whether or not the GCSB Bill would be enacted before the amendments to the Crimes Act and for that reason the Law and Order Committee recommended that the GCSB exemption be retained. Without that the GCSB would be unable to intercept any private
38 Report by the Privacy Commissioner to the Minister of Justice on Supplementary Order Paper No 85 to the Crimes Amendment Bill (No 6) 13 December 2000 at para 3.2.4. For additional concerns and especially a critique of s. 305FZA see para. 3.4.1 to 3.4.5.
39 Crimes Amendment Bill (No 6) and Supplementary Order Paper No 85 Report of the Law and Order Committee (House of Representatives, Wellington 18 July 2001) p.3.

communications in the interim which could pose a security risk to the country. However, the Committee suggested that the authorisation process be tightened up.

We consider the following amendments will increase the level of transparency and safeguards related to the exercise of the GCSB's interception operations, and will also serve as interim measures between the enactment of this bill and the GCSB Bill. Therefore, we recommend inserting the following authorisation requirements in new clause 19, proposed new section 255:
- a written authorisation process
- limitations to the term of an authorisation to no more than 12 months (subject to a right of renewal)
- irrelevant records must be destroyed. 40

The Committee also went on to observe the interrelationship between computer access and the offences against privacy.

We note that in exercising its functions in relation to intercepting "private communications" the GCSB could, arguably, also be 'accessing a computer system'. This is because the definition of "computer system" includes "any communication links between computers". The inclusion of the term "communication links" could mean that in carrying out its interception functions the GCSB may also require an authorisation for computer access for each intercepted communication, under the unauthorised access offence. Therefore, we consider a new subsection should be added in new clause 19, proposed new section 255(4), which provides the GCSB with an exemption from the unauthorised access offence to align it with its exemption from the interception offence in clause 16B. This ensures that the GCSB is not at risk of committing the computer access offence when carrying out its interception operations, and would have the same authorisation procedure for the same activity. We recommend that new clause 19, proposed new section 255, be amended to include an exemption for an employee of the GCSB when accessing communications links between computers for purposes of foreign intelligence gathering. 41

In terms of the exemption from an interception offence under Part 9A of the Act, the Committee had the following to say within the context of intelligence gathering capabilities as well as emphasising that the scope of those activities was restricted to foreign intelligence collection:

Under clause 16B(5), the GCSB is exempt from the offence in section 216B of the Act that prohibits the use of listening devices to intercept private communications. This in effect preserves the existing exemption held by the GCSB for its Waihopai site, and extends the exemption to cover all interception devices operated by the GCSB. This means that the exemption is no longer site specific. Several submitters register concern about this exemption on the grounds that:
- the GCSB does not have a statutory basis (discussed above)
40 Ibid. p.4.
41 Ibid. p. 4-5.

- the scope of communications the GCSB can lawfully seek to access or intercept is unclear and too broad, because of the descriptions of the terms "foreign organisation", "foreign person", and "foreign intelligence".

We consider the exemption in clause 16B(5) is necessary in order to preserve the existing foreign intelligence collection capabilities, for which no warrant is required. Placing the exemption in the statute will increase public transparency in relation to the Waihopai facility and, by extending the exemption to the other sites operated by the GCSB, will avoid the risk that they may have to cease operations in order to avoid committing an offence. We recognise there is concern about the specific scope of communications that the GCSB can collect as part of their lawful operations. We consider some of these concerns may be allayed by further clarifying the definition of "foreign organisation" for the purposes of the GCSB's foreign intelligence collection. This definition is consistent with the definition in the GCSB Bill. We recommend the definition in clause 16A be amended as follows:

"foreign organisation means
(a) a Government of any country other than New Zealand; or
(b) an entity controlled by the Government of any country other than New Zealand; or
(c) a company or body corporate that is incorporated outside New Zealand; or
(d) a company within the meaning of the Companies Act 1993 that is, for the purposes of the Companies Act 1993, a subsidiary of any company or body corporate incorporated outside New Zealand; or
(e) an unincorporated body of persons consisting exclusively of foreign organisations or foreign persons that carry on activities wholly outside New Zealand; or
(f) an international organisation; or
(g) a person acting in his or her capacity as an agent or a representative of any Government, body, or organisation referred to in any of paragraphs (a) to (f)". 42

One interesting reference was made to the concept of remote access searches. The issue was whether or not a search of a computer system may be carried out without entry onto the premises where the computer was held, and whether there was a power under the Summary Proceedings Act to conduct a remote access search.

We do not consider the bill provides the police with additional powers but acts to preserve existing ones. This clause assists in the interpretation of the concept of "authorisation" in clause 19, new section 305ZFA, by putting it beyond doubt that law enforcement agency accessing of a computer system pursuant to existing statutory and common law powers is not unauthorised access.

42 Ibid. p. 7-8.

We note there is some debate about whether the current law allows the police to conduct remote searches. However, we do not believe the bill is the appropriate vehicle to extend or restrict police search powers. We consider that the current review being undertaken by the Law Commission into police search powers (including consideration of new technology and related privacy concerns) is more appropriate.

The issue of remote access searches remained in legal limbo until 2012 and the enactment of the Search and Surveillance Act 2012, which provides for remote access searches. However, there is still some dispute about whether or not a remote access search as described above and referred to by the Privacy Commission may be covered by a normal search warrant (applying the extended definition of a computer system which, according to some, includes the entire Internet) or by a remote access warrant. 43

As far as the computer crimes offences were concerned, the Committee recommended that the proposed offence of accessing a computer system without authorisation should proceed. A few minor changes were made to the existing sections but there were two additional provisions that were recommended. The first was that in addition to the offences set out in the section relating to damaging or interfering with computer systems, there should be the addition of an offence of causing a computer system to fail or deny service to an authorised user. The Committee also recommended the addition of a new offence: the making, selling or distributing of software for committing crime. Both of these recommendations went forward and were incorporated into the Bill and there was a restructuring of the numbering of the provisions of the Bill so what emerged from the Select Committee may be shown as follows:

Section   Amendment
249       Interpretation covering definition particularly of access and computer system.
250       Creation of a new offence of accessing a computer system for a dishonest purpose.
251       The creation of a new offence of damaging or interfering with a computer system.
252       The creation of a new offence of making, selling or distributing or possessing software for committing a crime.
253       Accessing a computer system without authorisation.
254       A qualified exemption to access without authorisation for the New Zealand Securities Service.
255       A qualified exemption to access without authorisation for the Government Communications Security Bureau.

43 This is a matter with which I have dealt in my examination of the cyber search provisions of the Search and Surveillance Act 2012. http://theitcountreyjustice.wordpress.com/2013/03/24/cybersearches-computer-andremote-access-searches/ (last accessed 25 August 2013)

It was not until 2003 that Parliament had another opportunity to consider and debate the Committee Report. In the meantime there was further activity regarding the GCSB Bill. The second reading debate resumed on 19 November 2002 and did not continue until 4 March 2003. The Bill received further consideration towards the end of March. Keith Locke MP, a long-time opponent of the facility at Waihopai, expressed support for the statutory recognition of an organisation that had for 25 years existed without statutory foundation. He questioned whether the security of Government communications could not be carried out by the New Zealand Police, expressing concern at the threat to privacy posed by the GCSB. He said:

The main functions of the Government Communications Security Bureau are purposes - and these are the most expensive ones - that we should not identify with. When we talk about communications security, the main facility of the Government Communications Security Bureau is the Waihopai satellite communications interception station near Blenheim.. Interception of communications, is very important. It is a considerable invasion of our privacy when an agency like the Government Communications Security Bureau is given the right to intercept electronic communications, which we use so much these days, and, in tandem with the Crimes Amendment Bill (No 6) and the Telecommunications (Interception Capability) Bill, the powers to intercept electronic communications of all types, plus the right to hack into people's computers - that is, to access people's computers remotely, without them even knowing that that is happening. 44

Other members speaking commented upon the relationship of GCSB activities primarily in regard to the privacy provisions contained in Part 9A of the Crimes Act. Mr Richard Worth MP in particular made the following observation:

The first relates to the Crimes Act amendment that is set out in clause 26, and a significant change to section 216B(2)(b) of the Crimes Act. Members opposite are nodding quite clearly, because they have a close and sufficient familiarity with that particular and very tricky provision. Section 216B is headed "Prohibition on the use of listening devices", and subsection (1) was itself amended in 1999. Basically, the provision creates a term of imprisonment not exceeding 2 years for everyone who intentionally intercepts any private communication by means of a listening device. The particular change in clause 26 proposes to amend section 216B(2)(b) by inserting after subparagraph (iii) a further subparagraph that the draughtsman has identified as subparagraph (iii)(a). It contains the words: "the Government Communications Security Bureau Act 2001;". Members opposite will immediately be aware of the huge significance of that change. That change is not necessarily the most significant one, but it is certainly one worth commenting on. 45

The Act was passed a few days later and received the assent of the Governor General on 1 April 2003. The concerns expressed by the Law and Order Committee regarding the enactment of the GCSB Act had faded. There was now no longer the necessity for s. 305FZA because the GCSB Act prescribed the circumstances where the GCSB could access computers and intercept communication under warrant. So now the focus shifts to the final stages of the Crimes Amendment Bill (No. 6).

44 Hansard Debates 25 March 2003 http://www.parliament.nz/ennz/pb/debates/debates/47HansD_20030325_00001124/government-communications-security-bureau-bill%E2%80%94-in-committee (last accessed 22 March 2013).

Crimes Amendment Bill (No 6) June - July 2003


The final stages of the passage of the Crimes Amendment Bill (No 6) came in June and July 2003. On 12 June 2003 the report of the Law and Order Committee was further considered, Mr George Hawkins MP observing that the faster that the Bill progressed through the House the better. 46 There was further debate on 1 July 2003 with the final debate and third reading on 4 July 2003. The new Act received Royal Assent on 7 July 2003 and commenced on 1 October 2003. On 12 June 2003 Brian Connell MP drew attention to the hacking provision introduced by SOP 85, considering it important given the increasing reliance upon computer systems, threats posed by terrorism and especially in the area of dishonesty and credit card fraud. He closed by observing: I raised the fact that this bill was first introduced in 1999. The world has moved on quickly since then, and, moreover, it moves on more quickly in the area of ecommerce and the computer world than in other areas. As a parting thought, I say that this legislation, which I wholeheartedly support, needs to be frequently reviewed in order to keep pace with the changing nature of the industry. There is no point in dusting this legislation off and thinking that we have done our job as a Parliament, if we do not continually look at it on a regular basis. My experience in the industry suggests that every 2 or 3 years it would be appropriate to do that. 47 Phil Goff MP observed that the passage of the GCSB Act meant that a number of provisions in the Bill were no longer necessary. 48

45 Ibid.
46 Hansard 12 June 2003 http://www.parliament.nz/ennz/pb/debates/debates/47HansD_20030612_00001129/crimes-amendment-bill-no-6-%E2%80%94consideration-of-report (last accessed 22 August 2003).
47 Ibid.
48 Ibid. He was clearly referring to the prescription contained in s.305ZFA.

As the debate continued on 17 June 2003, Tony Ryall MP noted concerns that existed when SOP 85 was introduced and the care that would be needed to ensure unwarranted intrusions into the privacy of citizens did not occur.

There was considerable concern at the time the Supplementary Order Paper came in that what was being proposed was a permanent attachment to the telephone exchanges, with a continuous feed to the intelligence agencies, and only when the intelligence agencies had a warrant would they actually turn that feed on and allow them to monitor what was going on. 49

Mark Alexander MP addressed the interrelationship between the Crimes Amendment Bill and the passage of the GCSB Act.

I note the work of the select committee in examining this bill and the changes it has made as far as ensuring that members of the Government Communications Security Bureau and our other intelligence agencies will not be prosecuted under the bill for the legitimate activities they can carry out in protecting national security and similar matters. They are positive changes. One example is the recent Government Communications Security Bureau offshoot, the Centre for Critical Infrastructure Protection, which I am led to believe is directed to protect our critical infrastructures such as power grids, water supplies, and air travel, from Internet-based crime. 50

On 1 July 2003, Keith Locke MP raised a matter of concern that the passage of the Crimes Amendment Bill and the introduction of SOP 85 was a back-door move to increase the ability for Government agencies such as the SIS and the GCSB to increase surveillance activity.

Instead of improving our ability to apprehend lawbreakers, we are giving those agencies the ability to affect in some way our privacy, which is a right under the New Zealand Bill of Rights Act that should be very much upheld in our society. No good reason is given in this bill for doing that, and a lot of innocent people will get caught. Members should think about how many emails they receive in a week and in a year - it ends up being thousands and thousands - and if any one of the people who send those emails is intercepted under these provisions, then a member's communications will also be intercepted and could end up being affected in that way. I accept that there has to be a balance, and sometimes we may give away, to some extent, the hard-won right to privacy if there is a very clear community gain. That is the real spirit of a crimes amendment bill, but no one gave any statistics or anecdotal evidence to the Law and Order Committee through any stage of its consideration of this bill to show that we would catch many extra criminals through giving the police and the intelligence services that ability. We need such evidence if we are to give away our privacy in that respect. This bill is about the Crimes Act and about catching criminals, and everyone knows that serious criminals can very easily avoid interception using code, encryption, and those sorts of things. 51

Ron Mark MP picked up the theme that the Bill seemed to focus more on surveillance than on Crime. He said:

In fact, this bill deals with surveillance issues. It was long in its gestation in the Law and Order Committee. Given the length of time it has taken to get this bill to the floor, I am bemused about why the Government has to do all of this under urgency. One would have thought we would have been debating this important bill a year or so ago, at least. 52

As the Bill progressed through the third reading Keith Locke demonstrated his continued tenacity to draw the attention of the House to his concerns about privacy in the face of the surveillance potential that he believed was going to follow from the introduction of the Act.

One thing I want to talk about particularly is the provision to allow access to computers. I want to bring in the matter of the Privacy Commissioner's concerns. The Privacy Commissioner presented a number of submissions to the Law and Order Committee on various matters in this bill, and he was particularly concerned about our granting the law and intelligence authorities the right to access computers remotely - to hack into computers. His argument, and I agree with it and it has motivated one of my amendments, is that the police already have the power to look at the contents of a computer when they search a premises under a warrant, so why do they need to go further and have remote access or hacking powers, which are very hard for us to oversee in any serious way? It is very hard for the police to be fully, publicly accountable for the exercise of those powers, compared with the exercise of their powers under a search warrant to look directly at a computer and its contents. I support the Privacy Commissioner's concern that that power should not be granted. He had other concerns. For example, he did not want interception warrants to apply by way of the police just going to a judge and getting a warrant on a one-off basis. Different judges will be dealing with those warrants, and he thought there should be an additional control, as there is in Australia, where the federal ombudsman does an annual audit of interception warrants granted to the police. I think we should have implemented that provision. It was one of the things that one of my amendments dealt with. It would have meant that we do what is done in Australia and have an extra layer of accountability - that is, an ombudsman auditing those warrants. A concern expressed by the Privacy Commissioner and most of the submitters to the select committee was that we should try to protect innocent people as much as possible. There are two ways of doing that. One is to discard the information acquired from intercepts, and that is covered by amendments in this bill that provide that when information is no longer needed it should be discarded. I put forward an additional provision in one of my amendments. My amendment would have meant that an innocent subject was notified, once the police investigation was over and it was quite clear that the police no longer had any interest in that person. Where an innocent person had been accidentally caught up in the interception system, and no charges were laid, my amendment would have meant that that person was notified that an interception had taken place. That is what the FBI does in America. The Law and Order Committee received a submission from a person who lives here in Wellington that one of her emails to a friend in the United States had been intercepted by the FBI, and the FBI had reported that fact to the recipient of her email. That is a good provision, and it could have been added to this bill. Sometimes, in later life, in relation to later events, people are affected by an interception, because it resulted in their names ending up on a database. There is a looseness and a capacity for error in any bureaucratic system. If the agency - the FBI in the American case or the police in the New Zealand case - notifies a person that he or she was subject to an interception order, then that person, at a later point, if his or her credit rating, or travel, or something else is being affected, at least will know that he or she was subject to that interception warrant, and might be able to get to the bottom of the disadvantage that he or she is suffering. I think it is consistent with the general privacy themes that operate in our law that people should be notified of what information about them appears in public databases. 53

Ron Mark MP expressed some surprise that he and Keith Locke occupied the same position when it came to privacy and state surveillance. Mr Mark said:

I compliment Keith Locke. Some serious issues were canvassed in this bill, and they all pertained to privacy. I look at the types of people who operate in transnational crime, organised crime, and terrorism - drug-runners, gun-runners, and those sorts of people - and I consider them to be dangerous lowlifes. One has only to consider September 11, and everything that has happened from then on, to realise how much more focused we need to be on countering terrorism. There are those of us who will look for what might be considered very draconian legislation, in order to protect ourselves and our communities, but there is always a balance to be struck, and that balance revolves around privacy and the protection of people's rights.. Mr Locke consistently worked hard to make sure that the legislation was as balanced as possible. I oppose some of the things he said, but this morning he brought to this House an amendment that read: "312R Ombudsman to audit". All Mr Locke wanted was for the ombudsman to conduct an annual audit of all telecommunications interceptions carried out by the police in the previous year. Being the sort of guy who for obvious reasons would welcome police interceptions, I could not disagree with that. 54

49 Hansard 17 June 2003 http://www.parliament.nz/ennz/pb/debates/debates/47HansD_20030617_00001917/crimes-amendment-bill-no-6-%E2%80%94 (last accessed 22 August 2003).
50 Ibid.
51 Hansard 1 July 2003 http://www.parliament.nz/ennz/pb/debates/debates/47HansD_20030704_00000161/crimes-amendment-bill-no-6-%E2%80%94-incommittee-third-reading (last accessed 22 August 2013).
52 Ibid.

The Crimes Amendment Act 2003


As finally enacted, the computer crimes provisions of the Crimes Act 1961 read as follows:
53 Ibid.
54 Ibid.

248 Interpretation
For the purposes of this section and sections 249 and 250,
access, in relation to any computer system, means instruct, communicate with, store data in, receive data from, or otherwise make use of any of the resources of the computer system
computer system
  (a) means
    (i) a computer; or
    (ii) 2 or more interconnected computers; or
    (iii) any communication links between computers or to remote terminals or another device; or
    (iv) 2 or more interconnected computers combined with any communication links between computers or to remote terminals or any other device; and
  (b) includes any part of the items described in paragraph (a) and all related input, output, processing, storage, software, or communication facilities, and stored data.

249 Accessing computer system for dishonest purpose
(1) Every one is liable to imprisonment for a term not exceeding 7 years who, directly or indirectly, accesses any computer system and thereby, dishonestly or by deception, and without claim of right,
  (a) obtains any property, privilege, service, pecuniary advantage, benefit, or valuable consideration; or
  (b) causes loss to any other person.
(2) Every one is liable to imprisonment for a term not exceeding 5 years who, directly or indirectly, accesses any computer system with intent, dishonestly or by deception, and without claim of right,
  (a) to obtain any property, privilege, service, pecuniary advantage, benefit, or valuable consideration; or
  (b) to cause loss to any other person.
(3) In this section, deception has the same meaning as in section 240(2).

250 Damaging or interfering with computer system
(1) Every one is liable to imprisonment for a term not exceeding 10 years who intentionally or recklessly destroys, damages, or alters any computer system if he or she knows or ought to know that danger to life is likely to result.
(2) Every one is liable to imprisonment for a term not exceeding 7 years who intentionally or recklessly, and without authorisation, knowing that he or she is not authorised, or being reckless as to whether or not he or she is authorised,
  (a) damages, deletes, modifies, or otherwise interferes with or impairs any data or software in any computer system; or
  (b) causes any data or software in any computer system to be damaged, deleted, modified, or otherwise interfered with or impaired; or
  (c) causes any computer system to
    (i) fail; or
    (ii) deny service to any authorised users.

251 Making, selling, or distributing or possessing software for committing crime
(1) Every one is liable to imprisonment for a term not exceeding 2 years who invites any other person to acquire from him or her, or offers or exposes for sale or supply to any other person, or agrees to sell or supply or sells or supplies to any other person, or has in his or her possession for the purpose of sale or supply to any other person, any software or other information that would enable another person to access a computer system without authorisation
  (a) the sole or principal use of which he or she knows to be the commission of a crime; or
  (b) that he or she promotes as being useful for the commission of a crime (whether or not he or she also promotes it as being useful for any other purpose), knowing or being reckless as to whether it will be used for the commission of a crime.
(2) Every one is liable to imprisonment for a term not exceeding 2 years who
  (a) has in his or her possession any software or other information that would enable him or her to access a computer system without authorisation; and
  (b) intends to use that software or other information to commit a crime.

252 Accessing computer system without authorisation
(1) Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.
(2) To avoid doubt, subsection (1) does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access.
(3) To avoid doubt, subsection (1) does not apply if access to a computer system is gained by a law enforcement agency
  (a) under the execution of an interception warrant or search warrant; or
  (b) under the authority of any Act or rule of the common law.

253 Qualified exemption to access without authorisation offence for New Zealand Security Intelligence Service
Section 252 does not apply if
  (a) the person accessing a computer system is
    (i) the person specified in an interception warrant issued under the New Zealand Security Intelligence Service Act 1969; or
    (ii) a person, or member of a class of persons, requested to give any assistance that is specified in that warrant; and
  (b) the person accessing a computer system is doing so for the purpose of intercepting or seizing any communication, document, or thing of the kind specified in that warrant.

254 Qualified exemption to access without authorisation offence for Government Communications Security Bureau
Section 252 does not apply if the person that accesses a computer system
  (a) is authorised to access that computer system under the Government Communications Security Bureau Act 2003; and
  (b) accesses that computer system in accordance with that authorisation.

The qualified exemptions for the SIS and GCSB contained in sections 253 and 254 were repealed on 13 July 2011 by section 6 of the Crimes Amendment Act 2011. A new definition of authorisation was inserted and reads: "authorisation includes an authorisation conferred on a person by or under an enactment or a rule of law, or by an order of a court or judicial process". Thus authorisations made pursuant to the GCSB Act and the SIS Act are made pursuant to an enactment and fall within the definition, as does an interception warrant for the Police which is provided for in statute and issued pursuant to a judicial process. The associated provisions regarding privacy contained in Part 9A may be found in the appendix.

Conclusion
What started as a response to a perceived need to deal with computer crime became far more complex than that. Although computer crime provisions had been planned for a considerable time, the advent of the Internet and the ease with which it could be used for criminal activity made the incorporation of the computer crime provisions into the Crimes Act a matter of urgency. That it took 4 years from the introduction of the original provisions to the passage of the final amendments in 2003 is astonishing and was a matter of comment as the Bill went through its final stages in 2003.

It is my conclusion that the delays were indirectly occasioned by the addition of the unauthorised access offence in SOP 85. I wonder if the ramifications posed by that section were really appreciated. By making unauthorised access an offence, it became necessary to ensure that State agencies operated within the law and that became complex. Rules needed to be put in place to allow exemptions or authorisations in certain cases. Under what circumstances should the Police be authorised to access a computer? Should there be a new warrant procedure or would the existing rules be sufficient? 55 There could be no doubt that the Police required new tools to deal with the rise in cybercrime and the use of computers in criminal offending. That was essential in ensuring that public confidence in computer systems be maintained as business moved on to the Internet. And what of the new communications systems enabled by the Internet and the need for the Intelligence Community to access computer systems in the interests of the security of Government systems, security and intelligence gathering and the rising need to develop cyber-security systems as the world moved its business enterprises to the Internet?

It became abundantly clear that there would have to be a review of other provisions of the Crimes Act - those dealing with Police powers of interception in the course of gathering evidence of criminal activity, and those dealing with intelligence. But there were other problems, particularly within the context of privacy and traditional limitations on the power of the State to intrude upon the private lives, communications and interactions between citizens. It was obvious that the privacy implications of allowing access to computer systems meant that the matter could not be dealt with by what were effectively GCSB internal protocols or a prescription to be followed by an agency that had neither official nor statutory existence. This was made clear by the Privacy Commissioner in his submissions in December 2000. Thus, as a downstream consequence of the proposed criminalisation of unauthorised access to computer systems and the associated problems that it raised, it became necessary to introduce the GCSB legislation to put that organisation on a statutory and official footing, and thereby set up a process by which it might lawfully access computer systems by the provisions for the issue of a warrant. 56

The introduction of the offence of unauthorised access by SOP 85 in fact had far greater consequences than may have first been imagined. To achieve the various exceptions to the offence of unauthorised access to computer systems a much wider set of powers was put in place to extend State surveillance powers, especially using digital technologies. There can be no doubt that in doing this there was a certain amount of scope or mission creep beyond providing a simple exception to unauthorised computer access by Police or intelligence agencies. As is so often the case, there are often unintended consequences of actions, even by Governments. Indeed, it can be said with some confidence that the consequences of the introduction of SOP 85 in November 2000 are still reverberating today. Whether they were intended, unintended or unforeseen is not for me to say.

But there is a wider issue that needs to be considered within this context and it has to do with the impact of new communications technologies upon our expectations of information. I have on a number of occasions referred to Marshall McLuhan's well known adage "We shape our tools and thereafter our tools shape us." 57 Within the context of communications technologies our behaviours and responses to information are shaped by the delivery systems. And as I have also argued elsewhere, the Internet and digital communications systems are paradigmatically different from what has gone before. In many respects we have to view information not from the perspective of the old paradigm, but within the context of the new. We have to contemplate and recognise that new communications technologies are shaping and will continue to shape our behaviours, expectations and ultimately our values that surround information.

One of the qualities associated with new digital communications technologies is continuing disruptive change. We have little time to adapt before the next wave of change is bearing down on us. This is unlike anything that has gone before. We have no breathing space in the face of relentless change. In the seventeenth and eighteenth centuries society had a chance to adapt to the new communications technology of the printing press and to adapt to it before the next information technology, telegraphy, instituted instantaneous communication over a considerable distance. There was a breathing space between Gutenberg and Morse although it is conceded that semaphore had been around since 1792.

Much of the debate surrounding the introduction of SOP 85 and the GCSB Act centred on aspects of privacy argued strenuously by Keith Locke. Privacy is the term that has been used to delineate how far the State may intrude into personal affairs and that, in its essence, is really about the nature of liberty - the tension between the citizen and the State. 58

55 A special set of rules relating to computer and remote access searches were provided in the Search and Surveillance Act 2012.
56 It should be noted that the GCSB Bill was introduced in 2001 but was not enacted until April 2003 - hardly a rush job.
57 Above n. 2
58 The tension is not new. It was the subject of the decision in Entick v Carrington (1765) 19 Howell's State Trials 1069. Lord Camden's judgment effectively placed limits upon State power. Under English law, any power exercised by the State had to be conferred by statute or pursuant to common law. Individuals, on the other hand, were free to do anything they liked unless it was prohibited by law. Thus Entick v Carrington was a trial about the liberty of the subject in the face of State power. Today it would probably be characterised as a case about privacy. A couple of passages from the judgment crystallise the tension:

By the laws of England, every invasion of private property, be it ever so minute, is a trespass. No man can set his foot upon my ground without my license, but he is liable to an action, though the damage be nothing; which is proved by every declaration in trespass, where the defendant is called upon to answer for bruising the grass and even treading upon the soil. If he admits the fact, he is bound to show by way of justification, that some positive law has empowered or excused him. The justification is submitted to the judges, who are to look into the books; and if such a justification can be maintained by the text of the statute law, or by the principles of common law. If no excuse can be found or produced, the silence of the books is an authority against the defendant, and the plaintiff must have judgment.

Papers are the owner's goods and chattels: they are his dearest property; and are so far from enduring a seizure, that they will hardly bear an inspection; and though the eye cannot by the laws of England be guilty of a trespass, yet where private papers are removed and carried away, the secret nature of those goods will be an aggravation of the trespass, and demand more considerable damages in that respect. Where is the written law that gives any magistrate such a power? I can safely answer, there is none; and therefore it is too much for us without such authority to pronounce a practice legal, which would be subversive of all the comforts of society.

The agrarian dream of liberty is the ideal that we pursue today, formed in the Enlightenment through the writings of Locke, Jefferson, Voltaire, and Rousseau, described by de Tocqueville and latterly articulated by John Stuart Mill. It is the ideal which many still seek to protect today. And the question must be whether or not that sort of definition of liberty is still valid in the Digital Paradigm or whether, like so many other values and behaviours that technology has changed, the tools that we have wrought may mean that we must reassess our concepts of liberty and freedom. Will the pace of change force a reconsideration? And how careful will be that consideration without a breathing space, before the next wave of change washes over us?

I do not say that we must meekly surrender our liberty in the face of new technologies. The struggle to define liberty is a continuing one. The most recent example in New Zealand was the passage of the New Zealand Bill of Rights Act - a piece of legislation which, in the minds of some, did not go far enough, given that it is unentrenched and provides no opportunity for the Courts to impose a check on legislative excess. But the question still remains: can the liberties formed in the Enlightenment and which have been articulated by Jefferson and Mill be maintained in a new communications paradigm, or will new technologies force us to reassess the nature of liberty? That is perhaps the big question that legislating in the new digital paradigm requires us to address.

Appendix
Part 9A Crimes Act 1961 as at 3 September 2007

216A Interpretation

(1) In this Part, unless the context otherwise requires,

intercept, in relation to a private communication, includes hear, listen to, record, monitor, acquire, or receive the communication either
    (a) while it is taking place; or
    (b) while it is in transit

interception device
    (a) means any electronic, mechanical, electromagnetic, optical, or electrooptical instrument, apparatus, equipment, or other device that is used or is capable of being used to intercept a private communication; but
    (b) does not include
        (i) a hearing aid or similar device used to correct subnormal hearing of the user to no better than normal hearing; or
        (ii) a device exempted from the provisions of this Part by the Governor-General by Order in Council, either generally or in such places or circumstances or subject to such other conditions as may be specified in the order

private communication
    (a) means a communication (whether in oral or written form or otherwise) made under circumstances that may reasonably be taken to indicate that any party to the communication desires it to be confined to the parties to the communication; but
    (b) does not include such a communication occurring in circumstances in which any party ought reasonably to expect that the communication may be intercepted by some other person not having the express or implied consent of any party to do so.

(2) Any Order in Council exempting a device from the provisions of this Part expires 2 years after it is made.

(2) A reference in this Part of this Act to a party to a private communication is a reference to
    (a) Any originator of the communication and any person intended by the originator to receive it; and
    (b) A person who, with the express or implied consent of any originator of the communication or any person intended by the originator to receive it, intercepts the communication.

216B Prohibition on use of interception devices

(1) Subject to subsections (2) to (5), every one is liable to imprisonment for a term not exceeding 2 years who intentionally intercepts any private communication by means of an interception device.

(2) Subsection (1) does not apply where the person intercepting the private communication
    (a) Is a party to that private communication; or
    (b) Does so pursuant to, and in accordance with the terms of, any authority conferred on him or her by or under
        (i) Part 11A of this Act; or
        (ii) [Repealed]
        (iii) The New Zealand Security Intelligence Service Act 1969; or
        (iiia) the Government Communications Security Bureau Act 2003; or
        (iv) The Misuse of Drugs Amendment Act 1978; or
        (v) The International Terrorism (Emergency Powers) Act 1987.

(3) Subsection (1) of this section does not apply to the interception by any member of the Police of a private communication by means of an interception device where
    (a) An emergency has arisen in which there are reasonable grounds for believing that any person (in this section referred to as the suspect) is threatening the life of, or serious injury to, any other person in his presence or in the immediate vicinity; and
    (b) The use of the interception device by that member of the Police is authorised by a commissioned officer of the Police who believes on reasonable grounds that the use of the interception device to intercept any private communication to which the suspect is a party during the emergency will facilitate the protection of any person who is threatened by the suspect.

(4) Subsection (1) does not apply to monitoring prisoner call under section 113 of the Corrections Act 2004.

(5) Subsection (1) does not apply to the interception of private communications by any interception device operated by a person engaged in providing an Internet or other communication service to the public if
    (a) the interception is carried out by an employee of the person providing that Internet or other communication service to the public in the course of that person's duties; and
    (b) the interception is carried out for the purpose of maintaining that Internet or other communication service; and
    (c) the interception is necessary for the purpose of maintaining the Internet or other communication service; and
    (d) the interception is only used for the purpose of maintaining the Internet or other communication service.

(6) Information obtained under subsection (5) must be destroyed immediately if it is no longer needed for the purpose of maintaining the Internet or other communication service.

(7) Any information held by any person that was obtained while assisting with the execution of an interception warrant must, upon expiry of the warrant, be
    (a) destroyed immediately; or
    (b) given to the agency executing the warrant.

216C Prohibition on disclosure of private communications unlawfully intercepted

(1) Subject to subsection (2) of this section, where a private communication has been intercepted in contravention of section 216B of this Act, every one is liable to imprisonment for a term not exceeding 2 years who intentionally
    (a) Discloses the private communication, or the substance, meaning, or purport of the communication, or any part of it; or
    (b) Discloses the existence of the private communication, if he knows that it has come to his knowledge as a direct or indirect result of a contravention of section 216B of this Act.

(2) Subsection (1) of this section does not apply where the disclosure is made
    (a) To a party to the communication or with the express or implied consent of such a party; or
    (b) In the course, or for the purpose, of
        (i) An investigation by the Police into an alleged offence against this section or section 216B of this Act; or
        (ii) Giving evidence in any civil or criminal proceedings relating to the unlawful interception of a private communication by means of an interception device or the unlawful disclosure of a private communication unlawfully intercepted by that means; or
        (iii) Giving evidence in any other civil or criminal proceeding where that evidence is not rendered inadmissible by the Evidence Act 2006 or section 25 of the Misuse of Drugs Amendment Act 1978 or any other enactment or rule of law; or
        (iv) Determining whether the disclosure is admissible in any civil or criminal proceedings.

Subsection (2)(b)(iii) was amended, as from 1 August 2007, by section 216 Evidence Act 2006 (2006 No 69) by substituting Evidence Act 2006 for Evidence Act 1908. See clause 2(2) Evidence Act 2006 Commencement Order 2007 (SR 2007/190).

216D Prohibition on dealing, etc, with interception devices

(1) Every one is liable to imprisonment for a term not exceeding 2 years who
    (a) Invites any other person to acquire from him; or
    (b) Offers or exposes for sale or supply to any other person; or
    (c) Agrees to sell or supply or sells or supplies to any other person; or
    (d) Has in his possession for the purpose of sale or supply to any other person,
any interception device
    (i) The sole or principal purpose of which he knows to be the surreptitious interception of private communications; or
    (ii) That he holds out as being useful for the surreptitious interception of private communications (whether or not he also holds it out as being useful for any other purpose).

(2) It is a defence to a charge under this section if the person charged proves either
    (a) That at the time he did any act referred to in any of paragraphs (a) to (d) of subsection (1) of this section he believed that the other person referred to in the relevant paragraph was a member of the Police, or an officer of the New Zealand Security Intelligence Service or the Government Communications Security Bureau, acting in the course of his official duties; or
    (b) Where the charge relates to the supply of an interception device otherwise than for valuable consideration, that
        (i) He supplied the interception device to the other person referred to in paragraph (c) or paragraph (d) of subsection (1) of this section for the purpose of any proceeding or of any investigation or examination preliminary or incidental to any proceeding; or
        (ii) Being a member of the Police or an officer of the New Zealand Security Intelligence Service or the Government Communications Security Bureau, he supplied the interception device in the course of his official duties to the other person referred to in the said paragraph (c) or the said paragraph (d) for any lawful purpose.

216E Forfeiture

Where any person is convicted of a crime against section 216B or section 216D of this Act in respect of any interception devices the sole or principal purpose of which is the surreptitious interception of private communications, the Court may, as part of the sentence, order that the interception devices shall be forfeited; and, in such a case, the interception devices shall thereupon become forfeited to the Crown accordingly, and may be disposed of in such manner as the Commissioner of Police directs.

216F Unlawful disclosure

(1) An unlawful disclosure is
    (a) the intentional and unauthorised disclosure of the existence of an interception warrant to be exercised by a member of the police if the disclosure would, or is likely to, prejudice an investigation; or
    (b) the intentional and unauthorised disclosure of
        (i) any information gained when undertaking maintenance of a communication service; or
        (ii) any information gained when assisting with the execution of an interception warrant other than to the agency executing the warrant.

(2) Despite anything in subsection (1)(b)(i), a person may disclose information to any member of the police if the information appears to relate to the commission of a crime that has caused or could cause serious harm to any person.

(3) Every person who makes an unlawful disclosure is liable to imprisonment for a term not exceeding 2 years.
