Yesterday, the government introduced a pair of spy bills broadening the GCSB's mandate and granting it sweeping new powers, and sent them to select committee under urgency. How much media attention did this get? Sweet fuck all. 3 New didn't even cover it - Patrick Gower was too busy chasing Aaron Gilmore. A major attack on the human rights and privacy of New Zealanders - including journalists - and our media can't pull themselves away from the sports-commentator model even to tell us.
And there's a lot to tell. You'd think a bill which granted such sweeping and intrusive powers would have some sort of Bill of Rights Act vetting. None was provided, and at posting there's still none on the Ministry of Justice's website. Similarly, bills are normally introduced with a Regulatory Impact Statement, an analysis of what the bill is trying to achieve and other options for doing do. Yesterday opposition politicians were tweeting about its absence. However, the RIS has finally made its way to the web, and it is a shocker, one of the poorest pieces of purported policy "analysis" I have ever seen.
You would think that for a bill which changes the objective of a government body, grants it new functions, expands its powers, and changes its oversight mechanisms, that these matters would be addressed in the RIS. You'd be wrong. The spy bill RIS doesn't actually consider specific policy proposals, only how to implement them: whether to pursue non-legislative methods, amend the GCSB Act, or repeal and re-enact it. As a result, the actual changes appear to have not been debated at all. No questions are asked about whether GCSB should have its function expanded from the collection and analysis of foreign intelligence to a general "national security' (including the Orwellian "economic well-being") function. There's no direct analysis of whether GCSB needs to be able to spy on New Zealanders, or what the alternatives are. Hell, there's not even a clear statement of the policy objective. Instead there's broad pap: to provide for "greater and more effective oversight" and "respond to the changing security environment, cyber and information security environment , and the changes in the public law environment", without ever saying what those changes are and why they require this sort of response.
There are some small hints in this "analysis". what are these new threats to cyber-security?
The impact of cyber threats is difficult to quantify precisely, but the NZCSS sets out some of the potential impacts, as well as some estimates suggesting New Zealanders lose up to $500m annually due to cyber-borne frauds and scams. Recent statistics on the NCSC website indicate that in the last 12 months cyber crime against New Zealanders cost $625m, and the global cost was estimated at up to $460 billion.
Yes, that's right: GCSB is being granted these powers to protect us from Nigerian fraudsters and lonely-hearts scammers.
And why does it need to spy on kiwis?
[B]ecause the information security and assurance function is about protecting New Zealanders, an amendment will also be required to allow the GCSB to see who (namely New Zealand individuals and companies) is being attacked. This would allow the GCSB to determine where the threats are being generated from and develop measures to counter those threats.
Yes, they're going to spy on everyone "to see who is being attacked". Because they couldn't just follow the computer-security literature, use the phone, or build a reputation as a trusted body to go to with these problems. No, they have to spy on everyone, in secret, with no oversight, because its What Spies Do.
So what about human rights? Here's what the RIS has to say:
The GCSB Act contains intrusive state powers. Consequently any review of the GCSB Act will involve the consideration of human rights and privacy matters. Respect for human rights, and individual privacy and traditions of free speech in New Zealand were guiding principles in undertaking the review and developing recommendations.
And that's it. Because the RIS doesn't actually analyse policies, it doesn't analyse their human rights implications. So there's no indication of whether (for example) preventing a supposed half billion dollars of cyber-crime justifies such an extreme violation of the right to be free from unreasonable search and seizure, or the chilling effects on the freedoms of expression and association by allowing them to intercept the private emails and phone-calls of New Zealanders. There's certainly no analysis of the privacy implications. We're just supposed to take it on faith that a bunch of spies, whose job is basically violating human rights, were guided by them in devising these policies. And if you believe that, I've got a couple of big white mushrooms in Marlborough to sell you...
This RIS provides no justification for the policies we are being asked to swallow. Hell, it doesn't even describe them, let alone analyse, justify, or consider alternatives. The sucker whose name got stuck on it - Rajesh Chhana of DPMC's Intelligence Co-ordination Group - ought to be deeply embarrassed that it went out under their name. As for the rest of us, we should be angry: angry that they are trying to bullshit us like this, angry that they are trying to undermine our human rights without offering a shred of justification, angry that they think they can do this. This is not how government and policy-making in our democracy is supposed to work. And the politicians who are fronting for the spies need to be told that in no uncertain terms at the ballot box.