Tuesday, November 26, 2013



The police, the GCSB, and PRISM

The police have been forced to release the executive summary [PDF] of their investigation into the GCSB for illegally spying on Kim Dotcom. The big news (because its easy and doesn't require close analysis) is that four GCSB agents refused to be interviewed by police. In a criminal matter, these people of course enjoy the right to silence and the presumption of innocence. Politically, its a different story. GCSB staff need to be able to enjoy the full the full trust and confidence of the New Zealand public that they are acting lawfully. Their lack of cooperation here means that that is simply no longer the case. Simply to preserve what's left of the GCSB's reputation, these uncooperative agents have to go.

Meanwhile, unmentioned by the media are the real stories. First, an implicit admission that the GCSB got their information from the NSA via PRISM:

23. Because of the origin of the data supplied to GCSB it could not be established to an evidential standard whether the data was gathered at rest or in transit. The collection of data in transit is needed to satisfy the Crimes Act legal definition of intercept R v Cox.

[...]

37. For the remainder of the data collected by GCSB the investigation could not establish whether it was gathered at rest or in transit when it was acquired. GCSB could not provide the investigation with this information as they did not have it.


(Emphasis added)

So, information was supplied to GCSB, and they don't know how it was collected. Meaning that it came from a foreign partner. So, the GCSB uses PRISM against New Zealanders.

(Sadly, the police were not specific about whether any of the data referred to came from within New Zealand. If it did, then that would also be evidence that the NSA was intercepting the communications of New Zealanders)

Secondly, there's the police's odd views about "intent". I've gone over them here, and Graeme Edgeler has his own analysis here. The police expand on their legal views, saying:
Any employee who acts in good faith and without culpable ignorance or negligence is protected from criminal prosecution. A person who honestly but mistakenly believes that the interception was done pursuant to, and in accordance with the terms of, the relevant statutory authority will not be criminally liable.

Pointy comments about the Nuremburg defence aside, while this is appropriate for Contravention of Statute, it is inappropriate for a strict liability offence such as intercepting communications. The police deliberately ignored the law here, and we have been denied justice as a result.

And then there's this bit:
It was also established that other communications were obtained that were considered to have been intercepted by GCSB's New Zealand based resources. These communications were lawfully intercepted in accordance with the GCSB Act.

The latter simply cannot be true. Before John Key amended it, Section 14 of the GCSB Act was pretty clear:
Neither the Director, nor an employee of the Bureau, nor a person acting on behalf of the Bureau may authorise or take any action for the purpose of intercepting the communications of a person (not being a foreign organisation or a foreign person) who is a New Zealand citizen or a permanent resident.

Kim Dotcom was a New Zealand permanent resident. His communications were therefore absolutely off-limits to the GCSB, and their interception was a criminal offence. It doesn't matter how they did it - the GCSB's warrantless interception powers were subject to this section. It doesn't matter if it was "only" metadata - that's clearly a "communication" in terms of the GCSB Act. The GCSB broke the law here, and the police just seem to have ignored it. They have some serious explaining to do.