The Inspector General of Intelligence and Security finally released their annual report today, a mere seven months after it was due. One obvious point is that she takes the job far more seriously than her predecessors, who tended to issue 5 or 6 page summaries of complaints (example). By contrast, we have a thorough explanation of the Inspector-General's work, from which we can actually judge whether the oversight regime is sufficient. Not to mention a treasure trove of information about the actions of "our" spies. For example:
- SIS's slow vetting procedures appear to have interfered with the establishment of IGIS's office and their recruitment of staff. Vetting is their core function, but apparently it still takes months.
- IGIS currently has an own-motion inquiry into the SIS underway "which arose from the regular inspection of intelligence warrants [and] is the first Inspector-General inquiry into the “propriety” of particular activities of an intelligence and security agency". Which sounds as if SIS are abusing their powers. Unfortunately, as its "operational", all the details are classified, and we'll only be getting a summary at the end of it. Its unclear whether the victims of any SIS impropriety will be informed of the violation of their rights so they may take legal action against the spies.
- Because they'd only been in the role for seven weeks, the IGIS can not certify that GCSB and SIS are complying with their legislation.
- The SIS have no internal compliance framework or internal audit staff. They have no mechanism for self-reporting failures to their management or to IGIS. While they are apparently working on this, the picture is of an agency which does not really care about whether it complies with the law.
- IGIS reviewed 10 interception warrants and 48 access authorisations from GCSB last year. Assuming that these were all in force, it appears that the number of access authorisations has almost doubled since 2013. They're spying on a lot more computers than they used to be.
- IGIS's discussion of warrantless interception powers gives two examples of their use: Waihopai and "the interception of high frequency signals of ships or other radio operators". But the implication is that if they apply to passive SIGINT then they could be used to intercept cellphone traffic (which is radio signals). While the GCSB is forbidden to use warrantless powers to intercept New Zealander's "private communications", as I highlighted on Friday, how they interpret that term in relation to cellphone encryption could be crucial.
- GCSB reported violating its warrants and illegally intercepted private communications three times in the last year. In all cases the breach of the law was covered up from the public and the evidence destroyed. If you or I had done that, we'd be facing jail.
- IGIS's "review" of warrants does not actually involve reviewing decisions, only the process. So, they're not actually checking to see whether warrants are justified. Some "oversight".