Submission On New Zealand Telco Intercept Bill From Mega Limited


Mega Limited Private Bag 1, Wellsford 0940

Submission on the Telecommunications (Interception Capability and Security) Bill

Summary of Changes Suggested

1. Service providers are completely excluded from the Bill. A review of the provisions and scope, say in 2 years, can assess whether there are indeed any grounds for regulatory intervention.
2. Clause 24(3)(b)(vi) is deleted or clarified to make it clear it only applies where the service provider's system allows it to decrypt its users' telecommunications.
3. Provisions related to imposing obligations on a specific service provider, clauses 35 to 37, are removed from the Bill. This will still allow obligations to be imposed on a class of service providers under clause 38.
4. If the above is not accepted, the Bill explicitly provides that imposing obligations on a class of service providers under clause 38 is preferred over Ministerial direction under clause 37. Parameters are put around the regulatory process to impose obligations under clause 38. Further, the reasons for a surveillance agency singling out a specific service provider, rather than seeking obligations on the class of service providers, must be provided at the time the surveillance agency makes an application under clause 35.
5. The Bill provides for a minimum period of 24 months for any direction under clause 37 and regulations under clause 38 coming into force.
6. Clause 10(3)(b) is re-worded to: "the network operator intercepting the telecommunication has provided that encryption and has the decryption key for the telecommunication".
7. Clause 10(4)(a)(i) is re-worded to: "supplied by a person other than the operator and is available on retail sale to the public or otherwise available for public use".
8. Clause 39 is clarified to apply only where the network operator specifically contracts with the overseas provider for those services to be delivered into New Zealand.
9. Declaring any government department a law enforcement agency for the purposes of this Act requires amendment to the Act rather than an Order in Council.
10. Part 3, providing GCSB with oversight of the design, build and operation of networks to identify and address risks related to national security or economic well-being, is removed entirely.

About Mega and Privacy

Mega Limited (Mega) is a privately held New Zealand company. The company's initial service was launched in January 2013 and already has over 3 million subscribers worldwide, including in New Zealand. Mega provides cloud based storage and collaboration. This allows people and businesses to securely and confidentially store, share and collaborate on electronic files and documents using the Internet. Our service users have uploaded over 250 million files and, at its peak, are using 100 Gigabit in bandwidth to interact with Mega every second, equivalent to the whole of New Zealand's international Internet usage. The company is growing rapidly and is regularly covered in the international news media. Mega intends to extend its services to provide messaging (chat, text, voice and video) in the near future.

The company's core focus is on protecting the privacy of its service users. It does so by giving users complete control of what they store and how they share material, through the use of open standards based encryption functionality that the user controls. This helps address a major shortcoming of the Internet as a public telecommunications network for communications and commerce: the lack of security as an integral part of the Internet protocols.

A few examples of how businesses and people are using Mega:

- Musicians and others in the creative industry collaborating on their work in a private, secure environment.
- Lawyers storing due diligence materials for clients, which are then able to be accessed on a regulated, logged basis by specific persons.
- Professional photographers storing their entire collection securely and using it as a way to deliver purchased photographs to clients globally.
- Boards of directors storing confidential strategic reports and decisions.
- Health professionals storing large confidential files, including MRI scans, about their patients for access by those patients and other client health advisors.
- General storage of confidential financial and personal information with the ability to share it only with specific, invited individuals (e.g. one's financial advisor).

Achieving the goal of privacy protection critically depends upon the service user's password, which unlocks, is a part of, and therefore wholly controls, the encryption and decryption operations. There is absolutely no way that Mega can, on its own, view the name or content of a file or even the folder structure of a service user. The company will be a service provider as defined by the Telecommunications (Interception Capability and Security) Bill (the Bill).

Need for Careful Scrutiny

In developing the Bill, the government has consulted with industry. However, it appears that such consultation has been limited to telecommunication companies (network operators). [1] There has been no or inadequate consultation with companies that will be included within the ambit of the Bill as service providers. This places a relatively higher burden on the Committee to scrutinise and evaluate provisions related to service providers in the Bill.

As the recent and developing PRISM revelations in the US have highlighted, it is clear that the interaction of ICT companies with intelligence agencies is of great concern to citizens worldwide, including New Zealanders. The PRISM revelations have highlighted the potential for overreach by intelligence agencies and, therefore, the countervailing need for:

- Greater scrutiny when legislation is passed.
- More specificity in the legislation itself, so that the boundaries of an intelligence agency's powers to intrude on the privacy of individuals are clearly understood by the agency and by citizens.
- The need to treat call associated data, also referred to as metadata, with the same care and subject to the same safeguards as call content.
- The so-called trade-off between national security and privacy is a false dichotomy. Not only is it possible to achieve both simultaneously, the public good requires this.
- Truly independent and robust oversight as a proxy for transparent oversight by citizens, given the obvious necessity for secrecy where issues of national security are involved.

As the United Nations Special Rapporteur, Frank La Rue, has stated in his recently released Report ... on the promotion and protection of the right to freedom of opinion and expression [2]: "Inadequate national legal frameworks create a fertile ground for arbitrary and unlawful infringements of the right to privacy in communications and, consequently, also threaten the protection of the right to freedom of opinion and expression." [3] Further, in relation to encryption in particular, in discussing the chilling effect that removal of the ability to communicate anonymously and privately can bring, Mr La Rue noted: "The security and anonymity of communications are also undermined by laws that limit the use of privacy-enhancing tools that can be used to protect communications, such as encryption." [4] It is with this context in mind that Mega makes this submission.

[1] Para 123 of the Regulatory Impact Statement on updating interception capability obligations.
[2] A/HRC/23/40, issued 17 April 2013, available at http://tinyurl.com/l2pr8a3
[3] Page 3, Ibid.
[4] Page 19, Ibid.

Exclude Service Providers

The sponsoring department MBIE has stated it has "no idea" [5] of the number of warrants served by the surveillance agencies. The size of the total problem, for both network operators and service providers, is therefore unknown. The stated rationale for including service providers is to keep up with evolution of the telecommunications industry. [6] Therefore, in respect of service providers, the Bill is neither proportionate nor even necessary today. Including service providers and imposing huge technical and commercial costs on them is an exercise of obtaining wide, unbounded discretionary powers just in case they are required in the future.

Further, the ground for imposing the obligations of a network provider on a service provider under clause 35(2) is that "the surveillance agency considers that lack of interception capability on the telecommunications service offered by that provider adversely affects national security or law enforcement" (emphasis added). This is a very low threshold, as it does not require the surveillance agency to demonstrate that actual harm has been done or that the obligations are proportionate to the actual harm. It also contrasts with clause 39(4), which requires a surveillance agency to include the reasons why a resold overseas telecommunications service gives rise to a "significant risk" to national security or law enforcement.

From the perspective of service providers, the Bill violates two of three stated desirable characteristics of an interception capability scheme. [7] Mega therefore recommends that service providers are completely excluded from the Bill. A review of the provisions and scope, say in 2 years, can assess whether there are indeed any grounds for regulatory intervention. At that time, after proper consultation with service providers, and proportional to the actual harm identified, the Act can be updated as necessary and appropriate.

Notwithstanding the above, the rest of this submission provides comments and recommended changes should service providers continue to be included in the enacted law.

Decrypting telecommunications in the context of the duty to assist

If it is intended by clause 24(3)(b)(vi) that Mega or any service provider must decrypt its users' material as part of assisting in the exercise of a warrant, then that is absolutely rejected. Effectively, this puts Mega at the highest interception capable level, which is meant to be reserved solely for network operators. Mega and other service providers are not network operators and should not be treated as such. In addition, as previously stated, there is absolutely no way that Mega can, on its own, view or provide the name or content of a file, as the service user is completely in control of the decryption key. For Mega, decryption of telecommunications is therefore impossible, and it cannot be a reasonable or fair expectation, as the clause is predicated on reasonable assistance. We note that case law suggests that it is not reasonable to expect action to be taken without regard to cost or proportionality, looked at from the point of view of the person being asked to assist. [8]

[5] Para 23 of the Regulatory Impact Statement on updating interception capability obligations.
[6] Para 57, Ibid.
[7] Para 25 a. and b., Ibid.
[8] Mallard Productions Ltd v Attorney-General [1997] BCL 11; 2 TCL 2/4.

Compulsory decryption in these circumstances is also inconsistent with the careful compliance scale that has been crafted in the Bill in terms of the level of interception capability a network operator or deemed network operator must have. Clause 24(3)(b)(vi) seems to suggest that no matter what the size or nature of a service provider, it must be treated as if it were a network operator, at least as far as encryption/decryption goes. This is inconsistent with the delineation between interception capability, interception readiness, and interception accessibility set out in the Bill, and with the discretionary power of the Minister to "level up" an industry participant to interception capability standard. Effectively, clause 24(3)(b)(vi) seems to be suggesting that all service providers are to be treated as if they were interception capable service providers already. That cannot be right, and the clause should be deleted or clarified to make it clear that it only applies where the service provider's system allows it to decrypt.

Requirements under clause 24(3)(b)(vi) should be consistent with clauses 10(3) and (4). Otherwise, there will be inconsistency between the duty to assist and the ability of the person or service provider to provide that assistance. This could lead to confusion and unnecessary litigation on the "must assist" requirements of clause 24(3)(b).

We should note here that Mega is not alone in facing this difficulty. An increasing number of services embed some degree of encryption. Those services will not be made available to New Zealanders if the provider of them must effectively provide a decryption back door.

Removing Power to Issue Ministerial Direction to a Specific Service Provider

Clauses 35, 36 and 37 provide the ability to the Minister to issue a direction to a specific service provider to have the same obligations as network operators. This is both inequitable and counterproductive.

The action resulting in such a direction will be initiated at the sole and absolute discretion of a surveillance agency. The decision to seek imposition of obligations on a specific service provider, or alternatively not to seek obligations, is not subject to any review or check. This unconstrained discretion to initiate obligations provides surveillance agencies with the power to target a specific service provider. Surveillance agencies will be able to use their unchecked power to directly or indirectly use the imposition of obligations as a threat or consequence of not cooperating with them. Such powers can and do in practice lead to abuse.

Further, as has been seen with the revelations with respect to the GCSB over the past 18 months, it is clear that questions involving its powers and operations are inherently viewed as political. Mega is concerned therefore that there is insufficient guidance given as to how and whether the Minister would decide to exercise his or her discretion. For example, the rights of users of the service who are not persons of interest, in terms of privacy, utilisation of the service, cost and otherwise, should all be specifically required to be taken into account.

The consequence of imposing obligations on a specific service provider will put that service provider at a significant commercial and technical disadvantage. MBIE has recognised that there may be competitive disadvantage when a single provider is singled out for additional compliance cost. [9] The Bill has therefore provided for a review mechanism. However, the review is neither independent of government nor capable of looking at the motivations of action/inaction by the surveillance agency. The ability to single out and impose obligations on a specific service provider is inequitable.
[9] Para 63 of the Regulatory Impact Statement on updating interception capability obligations.

On imposing such obligations, people who are of interest to a surveillance agency will easily and quickly shift to another service provider which does not have the obligations of a network provider. The vast majority of customers of the affected service provider, who are not under surveillance, will suffer from reduced innovation and higher costs. The surveillance agency will have to sequentially seek imposition of obligations on the next service provider to continuously try and catch up with people of interest. Over time, this will lead to persons of interest using services or service providers that are not within the ambit of the Bill. Imposing obligations on a per service provider basis is therefore also counter-productive.

Mega recommends that provisions related to imposing obligations on a specific service provider, clauses 35 to 37, be removed from the Bill as they are inequitable and counter-productive. This will still allow obligations to be imposed on a class of service providers under clause 38. MBIE has recognised that this leads to competitive neutrality [10] and is therefore a superior solution to imposing obligations singly with absolute discretion.

If clauses 35 to 37, allowing for discriminatory obligations to be imposed on a specific service provider, are nonetheless retained, Mega recommends that the Bill is amended to explicitly provide that imposing obligations on a class of service providers under clause 38 is to be preferred over Ministerial direction under clause 37. The reasons for a surveillance agency singling out the specific service provider rather than seeking obligations on the class of service providers must be provided at the time the surveillance agency makes an application under clause 35. These reasons should be available to the service provider. If they are withheld on the grounds that the reasons would reveal classified information, the Bill should provide that the reasons are still relevant information under clause 36(3)(a).

Further, in respect of clause 38, if a class of service providers is to be singled out for regulation as if they were network operators, some parameters should be put around that regulatory process. In a sense, by doing so, the whole industry is being regulated. We therefore suggest that a process similar to that used in the Telecommunications Act for standard terms determinations be used, with the issue of consultation papers, a call for submissions, industry conferences if necessary, and a final determination which is subject to review. In addition, as we note below, if interception capability is to be imposed, time must be given for industry participants to alter their systems. As noted below, at least 24 months should be allowed.

Time for Obligations Coming Into Force

In contrast with network operators, the Bill does not provide for a minimum time period for service providers to implement obligations imposed on them under clauses 37 and 38. This could lead to an arbitrary time limit being imposed. The consequences of insufficient time for regulations coming into force are security weaknesses, unnecessary costs, commercial disruption, and adverse impact on users.

[10] Para 61, Ibid.

For consistency, Mega recommends that the Bill provides for a minimum period of 24 months for any direction under clause 37 and regulations under clause 38 coming into force. There is precedent for this. It was recognised that a reasonable period was required to allow any provider of ICT services to change its systems when the Telecommunications (Interception Capability) Act 2004 was first passed. [11]

Encryption vs. Decryption Key

Clause 10(3)(b) requires a network operator to decrypt a telecommunication if "the network operator intercepting the telecommunication has provided that encryption". This provision is unclear and ignores both best practices and the practical implementation of security.

Encryption is the process of converting plaintext (e.g. "Hello World") to ciphertext (e.g. "d3E8*sW0x"). Properly implemented, cryptography ensures that ciphertext is unreadable. Decryption is the process of converting ciphertext into readable plaintext. A well-known cryptography principle is that a cryptosystem should be secure even if everything about the system, except the key, is public knowledge. [12] This means that there is no real security if it depends on hiding the details of the cryptosystem. In practice, organisations like Mega make details of how their cryptosystem has been implemented publicly available, in line with best practices and transparency.

The sole private, hidden factor is the actual key that converts plaintext to ciphertext and vice versa. This is unique to each service user and, as previously stated, it is the service user's password which unlocks, is a part of, and therefore wholly controls, the encryption and decryption operations. There is absolutely no way that Mega can, on its own, view the name or content of a file even though it runs the cryptosystem. The law must therefore distinguish between a cryptosystem (encryption) and the encryption/decryption keys.
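The distinction drawn here, a fully public cryptosystem run by the provider and a key that only the user's password unlocks, can be shown in working code. The following is an added example, not Mega's published cryptosystem and not code from this submission. It derives the key on the client from the password with PBKDF2, encrypts with an HMAC-SHA256 keystream plus an authentication tag (a construction chosen only because it needs nothing beyond the Python standard library), and hands the provider nothing but the ciphertext and a public salt. The `Provider`, `client_upload`, `client_download` and `demo` names, the sample password and the "MRI scan" bytes are all constructed for the illustration. Every line of the algorithm is public, which is the Kerckhoffs's principle point; what the provider cannot do, whatever it is directed to do, is produce plaintext, because it never holds the key.

```python
"""Added example: client-side encryption where the provider never holds the
key. The cipher (HMAC-SHA256 keystream + HMAC tag) is illustrative and
stdlib-only; it is not Mega's published cryptosystem."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

KDF_ITERATIONS = 100_000   # PBKDF2 work factor (illustrative value)
NONCE_LEN = 16
TAG_LEN = 32               # SHA-256 digest size


def derive_key(password: str, salt: bytes) -> bytes:
    """Runs on the client. The password is the only secret input; the salt
    is public and is stored alongside the ciphertext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key and nonce into `length` bytes: HMAC in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag. Every step is public
    (Kerckhoffs's principle); only `key` is secret."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None if the key is wrong or the blob was
    altered (the tag check fails before any plaintext is produced)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class Provider:
    """Hypothetical storage provider. Per file it holds only the public
    salt and the ciphertext: no password, no key, no plaintext."""

    def __init__(self) -> None:
        self.store: Dict[str, Tuple[bytes, bytes]] = {}

    def put(self, name: str, salt: bytes, blob: bytes) -> None:
        self.store[name] = (salt, blob)

    def get(self, name: str) -> Tuple[bytes, bytes]:
        return self.store[name]

    def attempt_without_password(self, name: str) -> Optional[bytes]:
        """What the provider can do if directed to 'decrypt': run its own
        public cryptosystem over what it holds. With no password it can only
        derive a key from nothing, and the tag check rejects that key."""
        salt, blob = self.store[name]
        return decrypt(derive_key("", salt), blob)


def client_upload(provider: Provider, name: str, password: str,
                  data: bytes) -> None:
    salt = os.urandom(16)
    provider.put(name, salt, encrypt(derive_key(password, salt), data))


def client_download(provider: Provider, name: str,
                    password: str) -> Optional[bytes]:
    salt, blob = provider.get(name)
    return decrypt(derive_key(password, salt), blob)


def demo() -> Dict[str, Optional[bytes]]:
    """Constructed scenario: one user stores one file with the provider."""
    provider = Provider()
    client_upload(provider, "scan.dcm", "correct horse battery staple",
                  b"constructed MRI scan bytes")
    return {
        "owner": client_download(provider, "scan.dcm",
                                 "correct horse battery staple"),
        "wrong_password": client_download(provider, "scan.dcm", "wrong"),
        "provider": provider.attempt_without_password("scan.dcm"),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the plaintext for the owner and `None` for both the wrong password and the provider's own attempt. The design point is that the salt and the entire source can be published without loss of security, and that the tag check means a wrong key yields a clean failure rather than garbage, so the provider cannot even produce partial plaintext.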
Some service providers provide the encryption system to their service users but, since they do not have the decryption key, they cannot provide the decrypted telecommunications (which clearly is what lawful interception needs). In fact, Mega has published an encrypted file created by its standard cryptosystem on its website and will pay 10,000 to anyone who can provide the company with the key that decrypts the file. [13]

Mega therefore recommends that clause 10(3)(b) be re-worded to: "the network operator intercepting the telecommunication has provided that encryption and has the decryption key for the telecommunication" (the added words being "and has the decryption key for the telecommunication"). The recommended change is consistent with the intent and wording of clause 10(4)(b) as well as the recommended change to clause 24(3)(b)(vi) previously noted.

Clarify Retail Sale to Allow Open Source Products

Clause 10(4)(a)(i) refers to a product that is "available on retail sale to the public".

[11] Clause 15 of the Telecommunications (Interception Capability) Act 2004 gave PSTN operators 18 months and public data network operators 5 years, from the commencement of that Act, to become interception capable.
[12] This is known as Kerckhoffs's principle.
[13] Details at https://mega.co.nz/#blog_6

Many cryptographic products use open source software and standard libraries. Using open source code is a highly recommended practice, as it allows for transparency and better security (by allowing everyone to look at the code). Good cryptographic systems are very difficult to implement in practice, and using open source code significantly reduces errors, leading to better security for service users. It is not clear from the wording of the Bill whether open source code is an acceptable product, given that most open source cryptographic systems are free and available directly. There is no retail sale as such. Mega believes that the intent of the Bill is not to exclude open source code from being used, as that would lock New Zealanders into proprietary and, possibly, less secure services. Accordingly, for clarity, clause 10(4)(a)(i) should be re-worded to: "supplied by a person other than the operator and is available on retail sale to the public or otherwise available for public use" (the added words being "or otherwise available for public use").

Clarify clause 39 relating to overseas services

Mega is a New Zealand based company, but some of its services are delivered via overseas infrastructure, whether owned and controlled by itself or by third parties. It is unclear to us how clause 39 applies to such services. In particular, it is unclear to us whether a network operator who conveys telecommunications and data, and charges its customers for doing so, is thereby reselling a telecommunications service under clause 39(1). We submit that that should not be the case; otherwise, this discretion will effectively give the Minister absolute and untrammelled discretion to ban any cloud based service delivered over the Internet. Not only is this an unreasonably wide discretion, but it is unworkable and will lead to unfair discrimination. It is simply not possible for a Minister to scrutinise every Internet application to determine if it should be banned under this clause. Decisions to ban Internet applications will therefore only be made in an ad hoc, reactive way, which is both arbitrary and will simply mean users shift to another service which is not banned. The clause should make it clear that it is only aimed at services where the network operator specifically contracts with the overseas provider for those services to be delivered into New Zealand.

Law enforcement agencies

The definition of a law enforcement agency under clause 3(1) allows any government department to be declared as such by an Order in Council. Law enforcement agencies are being given significant powers and responsibilities under the Bill. A department acting as a law enforcement agency will necessarily need expertise, resources, processes, and internal oversight arrangements to adequately discharge those powers and responsibilities. A decision to make any other government department (other than New Zealand Police, which is already included in the Bill) a law enforcement agency should require public debate and Parliamentary oversight. Mega therefore recommends that, rather than by a decision of Cabinet, declaring any government department a law enforcement agency for the purposes of the Act should require amendment to the law itself.

Network Operators generally

Mega has submitted above that the proposals should not apply to service providers at all. If that submission is not accepted and the proposals do extend to service providers such as Mega, it is concerned at some of the provisions which would apply to Mega if it were directed to be treated as a network operator under clauses 37 or 38. There has been insufficient time for Mega to consider these issues properly (its request for further time to make this submission was not granted). We may therefore provide further material.

However, we can say now that we are particularly concerned at the idea that the GCSB should effectively have a power of veto over New Zealand's telecommunications infrastructure (Part 3 of the Bill) in the name of network security risk. First, we have little confidence that the GCSB is currently technically capable of exercising that control. Secondly, as with the Ministerial discretion to deem a service provider to be a network operator, this power will inevitably discriminate unfairly as between different operators. Thirdly, the idea that any network operator in New Zealand who wishes to change their system must obtain approval from a Government intelligence agency will quite obviously make ICT companies and investors very wary of coming to New Zealand, and throttle innovation amongst existing operators. Fourthly, we have no confidence that the GCSB would not be tempted to abuse this power to force operators to provide back doors or other information sharing capability to the GCSB, a la PRISM. Finally, the term "economic well-being" is so wide that it can, conceivably, be interpreted to mean whatever the GCSB chooses it to mean.

We note in this regard that the Government Security Bureau and Related Legislation Amendment Bill, being considered concurrently with this Bill, if passed in its current form, will allow the GCSB very wide powers, including an almost unlimited ability to share information with anyone the responsible Minister decides. No evidence has been provided that New Zealand network operators are anything other than scrupulous in ensuring that their systems are robust and technically secure, i.e. that there really is a problem. The GCSB oversight and veto provisions are unnecessary and should be deleted from the Bill. To quote the UN Special Rapporteur, Mr La Rue, again: "The use of a vague and amorphous concept of national security to justify invasive limitations on the enjoyment of human rights is a serious concern. The concept is broadly defined and is thus vulnerable to manipulation by the State." [14]

[14] Supra footnote 2, at pages 15-16.
