Wednesday, August 21, 2013

TICS gives spies a veto on ISPs

Criticisms of the Telecommunications (Interception Capability and Security) Bill have focused on the powers of the GCSB to micromanage network decisions and demand backdoors into networks (to "protect us from cyber-attack", of course). But there's another problem with it as well, and its a significant one: the bill requires a substantial invasion of privacy by the SIS of people who are not government employees. And it gives the SIS an effective veto over who can run an ISP in this country.

How? Section 70 of the bill requires "network operators" - phone companies and ISPs - to nominate an employee to apply for a secret-level clearance. Nominees are legally required to apply. Once they do, then the SIS will vet them - which means trawling through their lives looking for signs that someone is a "security risk". What are those signs? The basics are MICE - Money, Ideology, Compromise, or Ego. So, they look at your financial records to see if you're in debt and e.g. whether you might be easily persuadable by someone offering you a large amount of money. They look at whether you have secrets in your life - affairs, sexual orientation, mental health issues. They look at whether you like to brag. They look at who you know, and whether any of them are a "risk" or "unsuitable". They look at your politics, whether you might be ideologically motivated (e.g. by a belief in democracy and transparency) to leak information. And they ask your friends and co-workers about all of this, asking them to rat on your private life, with your job on the line.

This may be suitable for government employees in sensitive positions. But it is simply no fucking business of government to do this to people who aren't working for them.

But apart from fundamental objections about the proper role of the state, this process is also likely to be hugely problematic in practice. To point out the obvious: the SIS are a cold war agency with a cold war mentality. They still believe in communists, and they don't believe in democracy and transparency. The average ISP employee has grown up on the net, and has its basic cultural assumptions: freedom, transparency, and de facto anarchy. "Information wants to be free" is an internet axiom. So is a free-market in legal jurisdiction. The SIS will regard both with utter horror, and its hard to believe that this huge cultural difference won't impact on vetting.

So what happens if the nominee gets denied clearance? The ISP must keep on nominating people. Which means more intrusion and more vetting. What happens if they run out? The GCSB can go to court and get a breach notice, compliance order, or pecuniary penalties of up to $500,000.

Under the law as written, it seems perfectly possible for the SIS to drive an ISP out of business simply by repeatedly denying them a security clearance. it gives them a political veto on who can run an ISP in this country. And that is something we should not accept.