Maybe the regime isn't united on tyranny?

When the regime introduced four tyrannical bills last week, I joked that the reason for the theme was that it was one of the few things the coalition could agree on. But it turns out that maybe they don't? RNZ's Phil Pennington has a piece on the Policing Amendment Bill today, focusing on the surveillance aspect rather than the protest-suppression clauses. Which it turns out were opposed by both the Ministry of Justice and the Privacy Commissioner as overly broad and lacking safeguards. Opposition parties are jumping on that and wanting changes, which is good. But the problem for the regime is that ACT also agrees:

ACT's Todd Stephenson gave qualified backing to [the bill].

"This bill does clarify and expands the police's power to collect, record and use information, including images, sounds, for lawful policing purposes," he said in the debate.

But with a kicker.

"Our support is conditional on ensuring that there is strong privacy protections and safeguards against mass surveillance powers."

So maybe the regime isn't as united on tyranny as they appear...?

My own thoughts on the bill are here. Unless safeguards are added, it will give the police power to shut down any protest, and to engage in mass or targetted surveillance without any need for a warrant - overturning both fundamental constitutional principles and long-settled law. These are not things we should accept.

If you'd like to have your say on the bill, you can submit on it here. Submissions are due by 1.59pm, Wednesday, 22 April 2026.

More tyranny

The regime introduced a bunch of bills today: an Immigration (Enhanced Risk Management) Amendment Bill to introduce a "papers, please" regime for anyone MBIE (which also means the police) suspects they may be liable for deportation or in breach of their visa conditions; a Corrections (Management of Prisoners, and Prisoners’ Property) Amendment Bill to enable them to torture prisoners with solitary confinement more easily and stop them from writing books about it; a Fisheries Amendment Bill to make the Quota Management System a matter of ministerial fiat and introduce a secrecy regime for boat camera footage; and a Policing Amendment Bill, to allow the police to arbitrarily close public places and spy on people without warrants. There's a couple of themes across these bills. The first is overturning court decisions, including some that have affirmed quite significant protections for human rights. The second is replacing statutory protections with executive discretion, which means executive arbitrariness and corruption. And the third, linking the two, is tyranny. Because that's what we call an arbitrary executive which does not respect human rights: tyrants.

The Fisheries Bill secrecy clause deserves its own post, so I'm going to talk about the policing bill here. And it is awful.

One part of this is the creation of a new regime allowing any police officer to close access to any "accessible area" - meaning "an area of land that is accessible to the public, or a section of the public, by motor vehicle", and apparently including private property. So anywhere that is a road, or connected to a road. They're probably thinking of car-parks, but of course the definition also applies to your backyard, and even your house if you have an indoor garage. These closures can be done for a variety of reasons, some of which are good (for example, if there is a danger to the public, like a gas leak or incipient landslide, or a serious offence has been committed and there is a need to secure the crime scene). But most of it is of course aimed at one of the regime's perennial targets: boy-racers. So they can close roads to everyone if an "antisocial road use offence" is being committed or might be committed; if people are operating (or are expected to be) motor vehicles in an antisocial way; or if people are creating (or are expected to create) excessive noise with a motor vehicle, or if there is (or is imminent) "public disorder". If they close an area, its an infringement offence not to leave immediately.

The regime will be looking at this and thinking "anti boy-racer law". But the public disorder and noise clauses also make it an anti-protest law, because the police have a history of regarding public protest as inherently disorderly, and noise (say, from a vehicle-mounted PA system leading a protest march) which upsets those in power as "excessive". Naturally, there's no protection against this - no Terrorism Suppression Act-style clause saying "for the avoidance of doubt, protests, strikes, lockouts, and industrial action are not 'disorderly', and their noise is not 'excessive'". The drafting is so shoddy they haven't even excluded dwelling-places or marae from the definition of "accessible area". And given the regime's anti-protest noises, this should be regarded as deliberate until proven otherwise.

That all stinks, but its not the worst of it. The other part of the bill "reaffirms" the rules about the police collecting intelligence and recording people in public places. I put "reaffirms" in quotes because it does nothing of the sort. The courts and the Privacy Commissioner, in a long series of judgements (Tamiefuna v R, but also Hamed v R), have said what the law is, and that the police have been systematically breaking it. The regime's response is to dramatically broaden the law, and legalise the police's unlawful behaviour.

The new amendments start with a list of "purposes for which Police may collect information", which is a good start. It then says that the police can record anything they can see or hear in or from a public place, or anything they can see or hear on private property if they are lawfully there. No warrants required. To see how much of an intrusion this is, we have only to look at the police's illegal photographing and databasing of young Māori, or the Supreme Court's ruling in Hamed v R, which found that the police could not just covertly film and record people on private (but generally publicly accessible) property under "implied licence" without a warrant. That ruling led to a temporary law change, which was later incorporated into the Search and Surveillance Act 2012, which set limits on the police's ability to spy from public places without a warrant. The amendment bill would void that long established law.

If this passes, the police will be able to park outside your house with a camera and spy on you in your yard or through your windows, and record anything visible (to what wavelength?) or audible (with how much amplification?), without needing any type of warrant. They won't even need to be physically present, because the "by any means" allows remote cameras and microphones. Or they can use a drone, with thermal cameras and high-gain directional microphones and just spy on you 24/7, without any warrant, oversight, or reporting. Those are unquestionably "searches" in terms of the BORA (clearly being interference with a reasonable expectation of privacy) - but they'll be lawful. And of course they can hassle people on the street, photograph them, database them, and record their conversations without any suspicion of a crime.

This is obviously very convenient for police. But it is not the sort of thing done in a free and democratic society. We need to stop it. We need to topple the tyrants at the election.

Under-protecting privacy

If you've been following the news, you will have seen the enormous Manage My Health shitshow, which has seen the medical records of 127,000 new Zealanders offered up for ransom (with the alternative of sale on the dark web). The information was obtained due to an absurdly basic security failure by the company, suggesting a complete failure of any duty of care for people's sensitive health information. It also seems to be an open and shutt violation of Information Privacy Principle 5 and/or rule 5 of the Health Information Privacy Code, both of which require information to be protected by "such security safeguards as are reasonable in the circumstances" - but there's no fines for breaching this, and the penalty even for violating a formal compliance notice is a derisory $10,000. The entire regime expects each affected individual to complain to the Privacy Commissioner, who can escalate complaints to the (over-worked and under-resourced) Human Rights Review Tribunal, which can issue damages. In, oh, six or seven years.

And its not like the Privacy Commissioner can help - they can't do own-motion investigations, and the regime has cut their budget. It's almost like they want our privacy to be violated and our information to be sold.

This isn't good enough. The Privacy Commissioner should be actually able to protect our privacy, rather than merely being an overworked mediator when someone has violated it. And where there has been an egregious failure to follow basic privacy practice like this, then there needs to be a criminal offence, and fines large enough to actually incentivise companies to obey the law, with personal liability for directors. Manage My Health didn't give a shit about the people whose information it was "safeguarding", because a $10,000 fine for not caring was just a cost of business. And the Facebooks and X's of this world won't give a shit either. If we start having fines in the millions, or charged as a percentage of global revenue (European-style), then maybe they will start obeying.

Legalising lawlessness

Back in 2021, RNZ exposed the systematic police practice of coercing "voluntary" photographs from young Māori on the street, leading to a joint IPCA / Privacy Commission report exposing illegality, systematic racism, and widespread ignorance among police officers of the limits on their behaviour, and a formal compliance notice to force them to stop and delete it all (something they still haven't done). This was followed earlier this year with the Supreme Court's ruling in Tamiefuna v R, which upheld the ruling of the Court of Appeal that the police photographing people in public places is a "search" in terms of the BORA (meaning any interference with a reasonable expectation of privacy), and was both unlawful and unreasonable. The police immediately started whining about how it would be impossible for them to do their jobs if they had to actually obey the law, and so predictably the regime ahs announced that they will legalise their lawless behaviour:

Police Minister Mark Mitchell said on Thursday police had been left uncertain about taking people's photos and recording their images in public places.

"Recent court decisions have created uncertainty around police's ability to record images in public places for lawful purposes," he said.

"The proposed amendments will reaffirm the prior common law position, making it clear that police can collect and use images in public spaces, and in places where police are lawfully present, for all lawful policing purposes.

"This includes intelligence gathering and crime prevention and other policing functions and associated activities."

They weren't "uncertain". It was crystal fucking clear that they could not, unless they had a warrant. As the Court of Appeal noted, "there is a reasonable expectation that a person’s photograph will not be deliberately taken and retained for identification purposes by police without a good law enforcement reason", and that seems entirely appropriate. But the police want to be able to spy on us without any restrictions whatsoever, and database us for life, in the absence of any criminal suspicion whatsoever. And that is the attitude of a fascist surveillance state, not the police force of a democratic state which respects privacy and human rights.

Oh, also, the police will be given more powers to "temporarily close areas in response to antisocial behaviour or public safety risks" - which means a blank cheque to shut down protests. So more anti-democratic moves from the regime.

The good news is that "[l]egislation will now be drafted, and the changes will go through a legislative process in due course." Hopefully that process will take as long as possible, so it can be shitcanned by the next government. The regime's cuts to the overworked justice portflio won't help here, and I'd hope that public servants who care about human rights will ensure that it is fully and thoroughly and repeatedly reviewed for BORA compliance. After all, we wouldn't want the regime to get another embarrassing declaration of inconsistency, would we?

Custodes se ipsos non custodient

We give our police significant powers in order to (supposedly) protect the public. But these powers are meant to come with oversight to prevent abuse, either from the judiciary (when issuing warrants), or from parliament and the public (due to annual reporting on their use).

Now capitalism has given them the ability to sidestep that oversight through contracts with private surveillance companies like Auror. And there's significant evidence that police are abusing that capability, and violating their own restrictions on their use. So are the police actually checking? Of course not!

The police say they have not been looking into deliberate misuse of vehicle-spotting cameras by officers despite reports suggesting there had been some, perhaps even tracking, that broke the rules.

Police use of privately-owned automatic number plate recognition (ANPR) systems jumped almost 50 percent in the year to mid-2024, to over 500,000 times.

Over 8000 officers can access the two systems, which when they enter a number plate can return up to 60 days of footage of the vehicle caught on ANPR cameras.

Newly released internal reports showed "significant" use by staff indicating they were putting the same number plate in again and again.

"This may circumvent the platform's normal controls for the use of ANPR in a tracking context," Police's chief assurance officer Mike Webb warned a camera technology assurance committee meeting last November.

Its almost as if they're deliberately looking the other way, to allow circumvention and abuse by their own.

Its a perfect example of why we need greater controls on private surveillance, and the ability of government agencies to access it. Because the police being able to track people in real time and uncover every aspect of your personal life is a very different thing from an advertiser doing it. The latter can only try and sell you shit; the former can assault, arrest, imprison, or even kill you. The best move would be to outlaw such invasive private surveillance, but if we are not going to do that, we should absolutely forbid its use by state agencies without a warrant, a criminalise the "leaking" of data to them. As the above shows, our watchmen aren't going to watch themselves. So its time we did it for them.

Grooming us for identity theft

Local body elections are in October, and so like a lot of people, I received the usual pre-election enrolment confirmation from the Orange Man in the post. And I was horrified to see that it included the following:

Why horrified? After all, surely using email, rather than the failing postal system, makes elections more accessible?

Sure. But it also exposes us to scams and fraud. Think about the emails you usually receive. How many of them are real? Now think about important emails - things from your bank, or NZTA, the IRD. How many times have you seen warnings from the government or these bodies about scam emails?

Now imagine the following: you receive an email from "votе.nz", with a link (also to votе.nz) where you can confirm your details. You click it, and it presents you with a RealMe login page, asking you to enter your username and password to proceed.

This is exactly what the government would do (because DIA is desperately pushing RealMe into everything whether they want it or not). And its also how you get scammed (with or without the lookalike Cryillic letter). And in this case, the consequences of being scammed includes identity theft, someone being able to use your RealMe to get a passport in your name, and possibly having your voter details changed to deny you your right to vote.

The government should be protecting us from these risks. Instead, we have a government agency basically grooming us to be scammed, because its more administratively convenient for it to do so. Its stupid and wrong, and it would be nice if they stopped.

How is this legal?

Leo Molloy's recent "shoplifting" smear against former MP Golriz Ghahraman has finally drawn public attention to Auror and its database. And from what's been disclosed so far, it does not look good:

The massive privately-owned retail surveillance network which recorded the shopping incident involving former MP Golriz Ghahraman is able to be searched by police even when no complaint has been made, the company co-ordinating it has confirmed.

[...]

But Auror, which hosts the surveillance network covering 90% of New Zealand retailers, has confirmed information recorded by its retail clients is available to police.

“By using Auror, retailers choose to make this information available to law enforcement and also have the option to directly report to them via the software. Retailers determine what information they enter,” a spokesman said.

This has led people to ask the obvious question: how the fuck is this legal? And its a good one. Because while the purpose of collection and general idea of tracking information on shoplifters and disclosing it to police for the purpose of prosecution seems to comply with the information privacy principles, there are clear questions around the fairness and intrusiveness of the method of collection, not to mention disclosure. Because cameras which spy on you every time you go shopping, linked to facial recognition and ANPR to ID you, all of which spy on everyone regardless of guilt or innocence seems a bit over-the-top. And while disclosure for the purposes of investigation or prosecution is legal, disclosure for any other purpose is not. And where a retailer has decided not to prosecute, then that decision undermines the entire purpose of collection and retention, and renders any subsequent storage and disclosure illegal.

The Privacy Commissioner urgently needs to investigate Auror, to ensure that they are complying with the law. And if they are not, they need to be brought into compliance or shut down.

But its not just a problem for Auror - its also a problem for police. Because using Auror's database is very clearly a "search" in terms of the BORA: people have a reasonable expectation that they won't be spied on and databased when going about their daily business, even in public places. The fact that this spying is done by a third party is irrelevant - the moment the police access it, the BORA is engaged, and they need to meet a test of reasonableness. And permitting casual searches, without any reasonable causes, clearly violates the right to be free from unreasonable search and seizure. As the article points out, the police have already had this problem with Auror's ANPR database, and been forced to impose reasonable cause requirements on searching it as a result. They will need to do the same for the retail database. The problem is how to incentivise that. There's obvious scope for a BORA class action by everyone they've unreasonably searched, but the problem is getting them to admit doing so in the first place...

Putin would be proud of them

A Prime Minister directs his public service to inquire into the actions of the opposition political party which is his harshest critic. Something from Orban's Hungary, or Putin's Russia? No, its happening right here in Aotearoa:

Prime Minister Christopher Luxon has announced the Public Service Commission will launch an independent inquiry into Te Pāti Māori.

Te Pati Māori is facing mounting investigations into whether it has misused Census data and information collected from people who had COVID-19 vaccinations for electioneering.

The Privacy Commissioner, Electoral Commission, Police and Stats NZ are already investigating the allegations.

There is no question that the allegations against Te Pāti Māori are serious. Misuse of census data has been a crime since the early C20th, and covid data was protected by a similar secrecy clause with criminal penalties, reflecting the value of this private information. And Te Pāti Māori have themselves called for a police investigation to resolve the issue. But that's very different from an inquiry by Te Kawa Mataaho - a body which simply has no jurisdiction over political parties, or criminal matters - where the PM gets to pick the inquirer and write the terms of reference to ensure the outcome he wants. Such a process lacks any pretence of fairness, and any credibility. Instead, it just looks like National augmenting its blatant racism with tyranny. Putin would be proud of them.

The SIS turns Parliament into liars again

When Parliament passed the Intelligence and security Act in 2017, they assured us all that it was full of safeguards. Any intrusive surveillance of New Zealanders would be subject to a "triple lock", requiring the approval of the Minister and (supposedly independent) Commissioner of Intelligence Warrants, as well as post-facto review by the Inspector-General of Security and Intelligence. But according to the latest report from the Inspector-General, the SIS has turned them all into liars.

The problem is that the SIS has switched from using individual warrants to "class-based" ones when collecting intelligence on potential terrorism and violent extremism. So rather than having to convince the Minister and Commissioner of the need to spy on a particular person, as they were required to do in the past, they have instead switched to convincing the Minister and the Commissioner that they need to spy on classes of people, broadly and apparently subjectively defined - meaning that the actual decisions about who gets spied on and how are left entirely to them. This is clearly envisioned by the Act, but at the same time also clearly evades all those safeguards we were told about. And in the specific case, the Inspector-General argues persuasively that it is a "general warrant" (one which does not specify exactly what can be done under it) - a thing which has been unlawful since forever. And interestingly, once you strip away the tortured language designed to hide the admission, it seems that Crown Law agreed:

The Service disagreed with me that the warrants were general warrants at common law, provided the class definitions were tightened, and this was a view supported by Crown Law.

[Emphasis added]

The SIS subsequently did that. But the "improved" warrant still lets them decide "what ideologies are considered terrorism or violent extremism, who is a valid target, and what intrusive activities would be carried out, up to the maximum level of intrusiveness that the law allows." It may no longer be illegal, but it is absolutely improper.

That question of propriety is the real and underlying issue here. The IGIS is clear that while class-based warrants may legally be available, using them for intrusive surveillance "undermines the spirit of the warranting regime" and betrays the promises made to us about safeguards:

The authorising framework in the ISA provides for a process to give the public confidence in the justification for the agencies’ actions, by requiring external authorisation for the use of highly intrusive powers. Prior authorisation is a safeguard against agency overreach. It helps to ensure that breaches of protected rights in the interests of national security are justified and according to law. In the development of the ISA, this was described as a “triple-lock” of protection for individuals, with the three locks being control from the Minister, the Commissioner of Intelligence Warrants, and post-facto review by the IGIS. The effective delegation to NZSIS, under these warrants, of decisions on who to target for counter-terrorism or violent extremism purposes, by what means and for how long, and to undertake the most intrusive activities available, effectively leaves the scrutiny of individual cases to my office alone, after the fact. That is not what the public was led to expect.

Bluntly, the ISA was meant to stop the spies from doing whatever the fuck they want. This is a deliberate circumvention of all those safeguards. It is absolutely unacceptable. Further, it betrays that the culture of lawlessness and unaccountability the ISA was meant to stamp out continues to exist, in the SIS at least. And if that's the case, you really have to ask why we tolerate their continued existence.

IGIS will now be putting the SIS's improperly-delegated targeting decisions under the microscope, giving them the scrutiny the Minister and Commissioner should have. But while that's better than nothing, its not enough. And you really have to ask whether the Minister and Commissioner of Intelligence Warrants were doing their jobs properly when they signed off on this. The then-Minister, Andrew Little, is gone, so there's nothing we can do about him other than make sure he's not let within a mile of the position in future. As for the Commissioner, this seems to be a strong case for removal for neglect of duty.

The SIS is evading oversight again

The Inspector-General of Intelligence and Security released their annual report today. And it contains some rather worrying revelations about the SIS and their efforts to circumvent the restrictions on their use of intelligence warrants. When the government rams through new spy powers (typically under urgency, with no public input), it tells us that they are subject to oversight and therefore cannot be abused. But it turns out that the SIS is systematically evading that oversight. Which invites the natural conclusion that they are engaging in systematic abuse - otherwise, why bother to evade?

And this isn't over little things - its about intelligence warrants, the core of their legal powers. An intelligence warrant allows a spy agency to do something illegal to collect intelligence. Typically that's intercepting phone calls or internet traffic, or burgling somewhere to plant bugs or copy or steal documents. And when they do something like that which might affect a kiwi, they need to ask other people: both the Minister (who is a rubberstamp) and the Commissioner of Intelligence Warrants. These warrants are also reviewed after the fact by the inspector-General, who tends to be a lot more critical in their assessments than either of the other two.

Or at least, that's how it used to work. But John Key's spy law, passed in 2017, fundamentally changed the warrant system. Previously, SIS warrants had to be about a particular individual, and required particularised suspicion. Now, they can be about a "class" of people, and require only a generalised suspicion. Whether a particular person falls into the target class is up to the agency, and there's no external review of that. So of course the SIS is doing everything under class warrants, despite the fact that they are almost always targeting particular individuals:

NZSIS investigations are often focused on particular individuals. Over many years of producing individual warrant applications the agency became proficient at putting together ‘intelligence cases’ in warrant applications for intrusive surveillance of specific targets. Such applications are now disappearing. They are being replaced by applications for warrants against classes of persons defined in terms of the NZSIS having assessed them as threatening national security. It has become apparent that a class warrant can be drafted to cover any NZSIS investigation, no matter how closely it might be focused on a particular person. With a relatively small set of class warrants in place, an individual coming to the attention of the Service may be assessed as coming within an authorised target class (a class possibly approved months beforehand). That person may then be put under surveillance, potentially up to the maximum possible level of intrusion (if that is what the warrant allows), without their existence or any intelligence on them having been presented to anyone outside the NZSIS. That is obviously convenient for the agency. I seriously question whether it is consistent with the concept of a warrant as a safeguard for the rights of anyone prospectively in the sights of a state security agency.

Translation: the SIS's use of class warrants is undermining the entire oversight regime, and the entire concept of warrants as a safeguard.

The Inspector-General apparently has a report in the works about a particular class warrant, questioning whether it was lawful or proper. It will be interesting to see what comes of that, and whether the supposed safeguards in the law mean anything, or whether everything our politicians tell us about restrictions on the spies is just lies, and that the entire legal regime is designed to hide the fact that there are no effective restrictions on their activities. Meanwhile, people might want to consider whether an agency which systematically and repeatedly attempts to circumvent and undermine its own legal oversight regimes can ever be trusted, and whether it should be allowed to exist at all.

SIS shows it cannot be trusted - again

One of the few legitimate functions of the SIS is security vatting: making sure the public servants we trust with sensitive information are in fact trustworthy. But, as in everything else, the SIS do a terrible job at this: in 2016 the Inspector-General of Intelligence and Security exposed them as incompetent, trust-abusing muppets who failed to properly safeguard this information, failed to properly record or control access, and (of course) used it for other purposes. The SIS of course solemnly promised they would fix all of this. But seven years later, the IGIS is back, with another report exposing continued illegal use of this information for other purposes.

Section 220 of the Intelligence and Security Act 2017 explicitly bans use of vetting information for any purpose other than security clearance assessment and counter-intelligence. The purpose of the ban is to ensure people can give honest answers to vetting questions without e.g worrying that if they disclose minor past criminal behaviour, the SIS will rat them out to police. But despite this clear legal prohibition, the SIS has been using it for counter-terrorism investigations, and sharing it with law-enforcement. On one occasion, this was apparently done without any legal assessment whatsoever. On another, they relied on a tendentious legal interpretation from their pet lawyers that "disclosure" was not "use", so s220 did not apply (this was stomped on by Crown Law, but only after the information had illegally been disclosed). But most worryingly, they have used intelligence warrants - which allow spies to carry out "an otherwise unlawful activity" - to over-ride the protection of s220. Which effectively renders all the "protections" of the Act a simple nullity. The IGIS recommends this practice stop immediately. Whether it has or not is something we won't know until their next report.

(As an aside, the IGIS also notes that disclosure of vetting information to police may be a crime. But of course no-one will ever be prosecuted for it, because both the spies and police are above the law).

Another report showing that the SIS remains a pervasively criminal agency which is constantly trying to evade the legal limits imposed on it by Parliament is bad enough. But the most worrying aspect of this is the use of intelligence warrants to bypass legal prohibitions on disclosure. The IGIS says that this is unlawful for vetting information because a warrant cannot over-ride the Intelligence and Security Act itself:

Section 49(3) ISA provides that an authorised activity may lawfully be carried out “despite anything to the contrary in any other enactment” [my emphasis]. In my view, if the intent of Parliament was to enable an authorisation to override anything in the ISA itself, the section would state ‘in this or any other enactment’, or words to that effect.

But the upshot of that is that it can be used to over-ride promises of secrecy or confidentiality in other enactments. For example, in the Data and Statistics Act 2022 (allowing them to access your personal dossier in the Integrated Data Infrastructure), or in the COVID-19 Public Health Response Act 2020 (allowing them to access your contact-tracing information). Parliament makes these promises for the same reasons as for s220 ISA: to encourage honesty where information is crucial. But it turns out that none of them are binding. Whether the spies are in fact pissing all over Parliament's solemn promises in this way is something we will likely never know (again, unless there is an IGIS report). But the fact that it is a possibility will inevitably affect the quality of the answers the government gets, and is a standing threat to both good government and trust in government in this country.

Challenging ANPR

RNZ reports that the police's use of automated number plate recognition (ANPR) is finally being challenged in court:

Police use of footage from high-tech automated number plate recognition cameras is being challenged in court by defendants.

At least 5000 cameras in two private networks provide footage of vehicle licence plates that police use to prosecute people.

At the heart of the unprecedented legal challenges is that this amounts to use of a tracking device without a warrant, in breach of search and surveillance laws. Another challenge is that it is in breach of the Privacy Act and the Bill of Rights.

There are at least two court cases, but suppressions mean details cannot be reported.

This seems pretty open and shut. On BORA grounds, using ANPR to locate someone or track their movements clearly interferes with a reasonable expectation of privacy (in that we do not expect our movements to be thus tracked without justification), and thus constitutes a "search". As for a tracking device, the definition is very broad: it means "a device that may be used to help ascertain, by electronic or other means... the location of a thing or a person [but] does not include a vehicle or other means of transport, such as a boat or helicopter". The fact that following someone with a car needed to be excluded tells you that the definition covers everything else which serves this function, irrespective of technological specifics. And there's a clear parallel here with interception devices, which means "any electronic, mechanical, electromagnetic, optical, or electro-optical instrument, apparatus, equipment, or other device that is used or is capable of being used to intercept or record a private communication (including a telecommunication)". While this covers physical bugs, it also covers phone and internet taps, which are done at the exchange or ISP, using computers and software. The upshot: an ANPR camera is a "device", as are the computers and databases which store the information and allow police to search it. Which makes ANPR a "tracking device", which in turn makes it a "surveillance device", which in turn means its use by police requires a surveillance warrant. And that does not seem unreasonable at all: police get such warrants all the time, and it means they need to convince a judge that there are actual grounds and an actual offence, rather than just snooping for the sake of it. The police already accept this for "real-time" tracking; they just pretend that a time lag of a few seconds makes it "historic".

Of course, the police are not going to accept being told what to do by mere judges. They'll fight this all the way to the supreme Court, and if they lose there, get the government to change the law and legalise everything they've done. Because that's how things actually work in this country. The rule of law? Not when it comes to the police.

This could be interesting

The Inspector-General of Intelligence and Security announced their 2023/2024 annual work programme today, and its interesting reading. There's a bunch of spy stuff, including reviews of "Execution of class warrants", "Acquisition and use of bulk personal datasets (NZSIS)", and "A specific form of online intelligence gathering operation (NZSIS)", which will be interesting to see how the spies are violating our privacy and human rights. There's also a review into "New Zealanders and International Terrorist Screening Center Databases (NZSIS)", which covers "no fly" lists. And then there's this:

Assessment of security risk in meeting transparency requirements (GCSB and NZSIS): A review would examine the agencies’ approaches to the assessment of security risk from official publication or disclosure of information on their activities, including in response to requests under the Official Information Act 1982 and the Privacy Act 2020.

Or, to put it another way: are the spies being too paranoid? Obviously, I'm primarily interested in whether they are applying sections 6(a) and 6(b) of the OIA correctly, but the broader issue of public reports - including IGIS reports? - is also important. And with the SIS recently refusing to release basic performance statistics on their processing of immigration security checks, it seems particularly appropriate.

Of course, if they're reviewing it this year, we won't see a report until 2024 or 2025, which of course will not be allowed to include classified material. Which invites the question: if IGIS finds the spies have been too paranoid in censoring information, will they censor it to protect their reputations?

Some sensible suggestions on reining in the spies

In 2022 the government announced a periodic review of the Intelligence and Security Act, the legislation governing New Zealand's spies. Yesterday the review presented its report, Taumaru: Protecting Aotearoa New Zealand as a Free, Open and Democratic Society. Its a chunky read, and I'm not finished yet, but from the bits I've read, its not the usual spy-agency power grab, but rather, the complete opposite, presenting ideas to increase oversight and rein in the power of the spies.

Stuff has a good summary of the key recommendations. The big three are:

• Strengthening the Intelligence and Security Committee, making it actually independent by kicking Ministers off it, and giving it power to investigate the effectiveness of the agencies, as well as oversight of other intelligence bodies (of which we have a disturbingly large number). The spy agencies absolutely hate this idea, so that's a strong reason to do it.
• Removing the distinction between type 1 and type 2 warrants for "national security" purposes - a bit technical, but basicly type 1 warrants are required to spy on kiwis, type 2 are for foreigners and have lower oversight. The recommendation is that everything would use the higher standard. This apparently happens anyway because of the risk of incidentally spying on kiwis, but it will mean a legislated improvement in oversight.
• Defining "national security" in the Act - this is an important definition, and defining it will potentially limit what the intelligence agencies can do. When the ISA was introduced to parliament, the Bill originally included a definition, but this was removed by the select committee because it "would require the intelligence and security agencies to make difficult judgements about when the definition applied, and when their powers could be invoked" - that is, it might stop them from doing whatever they wanted. IIRC the definition also attracted opposition from the public, because it included "economic security" and "international relations" - protecting the rich and silencing criticism of NZ's so-called "friends" - which do not enjoy social licence as a basis for spying. The review's proposal doesn't include any of that bullshit, focusing strictly on territorial integrity, safety, democracy, and social diversity. There is a mention of "essential interests", but that's nailed down by talking about "critical infrastructure and governmental operations", so it might not be the open slather it seems like. Overall, I think this is a good move, because it will limit the spies.

One of the other recommendations is legislative consistency for all the other intelligence groups (such as NZDF, police, customs, MBIE, MPI... apparently everyone's got one now). Insofar as these bodies are operating on an unclear legal basis and without statutory constraints (NZDF appeals to the royal prerogative, FFS), this seems like a bloody good idea. The Search and Surveillance Act should have done this, and it is highly disturbing that some bodies apparently fell through the cracks (and that the recommendations of the Law Commission around requiring warrants for undercover operations have been ignored). And it seems especially necessary now that the legal consensus on what constitutes a "search" has shifted to mean interference with "a reasonable expectation of privacy". Under this new consensus, these bodies are likely engaging in widespread illegal searches (the review unwittingly gives an example of the SIS using a fake identity to monitor a private chatroom. That's a search, and should need a warrant). It would be better for Parliament to legislate properly to give certainty about what they can and can't do, rather than for them to ram through "fuck you" empowering legislation when one of these agencies is caught and made to pay damages by the courts.

Again, I haven't finished reading the whole thing yet. But so far, this seems like a sensible review. So now we'll no doubt get to see the spies either bin it, or pervert it into giving them even more powers and less accountability.

The police lied in an OIA response again

In November last year, sparked by Newsroom revealing systematic police racism in its taking of DNA samples, I asked the police for some basic information on their compliance with the Criminal Investigations (Bodily Samples) Act 1995. As usual, they ghosted me; then, after intervention from the Ombudsman, they finally responded saying that they didn't know. In other words, they had no procedure for removing profiles, and no statistics on whether they were complying with the Act or not.

Today, I'm glad to say that they lied. After further intervention by the Ombudsman (sparked by ESR saying that there were policies and procedures), the police have finally admitted that they do have procedures, and even specially-designed software (though it can't generate full compliance statistics). This is comforting to know - the police might be obeying the law after all - but at the same time, deeply discomforting. Because it means that their initial response to my request was incorrect. And when the person responsible for the request is the acting manager of national forensic services, who can be expected to be fully aware of the existence of those procedures and software, its difficult to view it as anything other than a deliberate, blatant lie.

This isn't the first time the police have done this. In June 2022 the Ombudsman caught them forging documents in an OIA response to hide numbers they didn't want released. There's also the case where they lied to the public about carbon-neutrality, then lied about needing "consultations" to extend an OIA timeline so they could create documents to hide that lie. And there will no doubt be other cases. The overall impression is of an organisation which is deeply hostile to transparency, believes that the public has no right to know, and will lie and commit fraud to cover up even the most trivial details. And that's a problem. Firstly, because the entire OIA regime is predicated on truth, and simply does not work if agencies lie. And secondly, because this is the police, an agency utterly dependent on public trust in order to function effectively. Every time they lie to us, that trust is broken.

We deserve better than this. We deserve a government, and a police force, we can trust. Sadly, we're not getting either under the current regime.

A warning shot to police on privacy

Back in 2021, RNZ exposed the systematic police practice of coercing "voluntary" photographs from young Māori on the street, leading to a joint IPCA / Privacy Commission report exposing illegality, systematic racism, and widespread ignorance among police officers of the limits on their behaviour, and a formal compliance notice to force them to stop. But while they may have stopped photographing kids, they still claim to be able to photograph adults going about their lawful business on public streets, with no investigatory purpose, just because they might need it one day. The basis for this claim is what government agencies call the "third source" - basicly, that ordinary people are allowed to do it, and there's no law saying they can't. But in a ruling yesterday, the Court of Appeal demolished that.

The case Tamiefuna v R is an appeal against a burglary conviction which was ultimately based on just such evidence: a photograph at a roadside traffic stop, which was not taken for any investigative purpose, but for an "intelligence noting": that a cop thought it might be useful sometime. And the Court is crystal clear that this was a "search" in terms of the BORA, and that "there is a reasonable expectation that a person’s photograph will not be deliberately taken and retained for identification purposes by police without a good law enforcement reason" (a "search" in Aotearoa now includes surveillance where there is a reasonable expectation of privacy). They were also clear that it was illegal:

The police did not act with legal authorisation when they took Mr Tamiefuna’s photograph. Their conduct did not accord with statutory provisions in the Policing Act 2008 and Search and Surveillance Act 2012 in which Parliament has conferred power on the police to take photographs. This specific conferral of powers to take and retain photographs is inconsistent with any suggestion that the police may photograph persons and retain their images without bringing any charge and without any obligation to destroy the images.

[...]

[T]he police could not rely on the third source doctrine in the circumstances: cases in which the third source doctrine had been relied on could be taken as examples of police activity that was lawful because the actions were incidental to ongoing and bona fide police investigations; there was no such investigation underway when Mr Tamiefuna’s photograph was taken. Further, the third source doctrine cannot be relied on and a specific power should be found when a public authority imposes a liability or detriment on a citizen or interferes with a citizen’s liberty or property.

The latter puts some pretty significant limitations on "third source" activities - they can only be incidental to an investigation, and cannot interfere with liberty or privacy. This means, for example, that a police officer can't just follow someone (interfering with their reasonable expectation of privacy against being followed and having their activities recorded by state agents) without a specific investigative purpose. It probably also limits their ability to infiltrate or spy on public civil society organisations "just because", unless they are investigating a specific crime. And the police are not going to like hat one bit.

Ultimately, despite it being the fruit of the poison tree of an illegal search, the court decided to allow the evidence to be used (there's a test in the Evidence Act for this), and upheld the conviction. But this came with a pretty significant caveat:

The photographs were, however, admissible as evidence against Mr Tamiefuna. Although the right breached was an important one, the intrusion on it was not very serious. The police’s impropriety was not deliberate, reckless or done in bad faith — though a different conclusion might follow if the police continue to take photographs of persons in circumstances not properly authorised by law.

The latter is clear: the police are now on notice that if they continue to violate privacy, evidence and convictions will be thrown out. And since they've known it was illegal since May 2021 (when they admitted it in an internal report), and certainly since the publication of IPCA's report and the issuing of a compliance notice on youth photographs in September 2022, that notice is effectively backdated. The police now need to clean up their act, or the courts will clean it up for them.

More police bullshit

Back in January, I posted about an OIA response which apparently showed that police had no fucking idea whether they were following the law on the removal of DNA profiles from the national DNA databank. The DNA databank is managed by ESR, so I thought I'd ask the same questions of them in case they had any idea. Their response, received today? Ask the police:

ESR acts under New Zealand Police instructions for the removal of DNA profiles from the Databank. ESR does not hold information as to what section of the Criminal Investigations (Bodily Samples) Act 1995 triggered the removal and is therefore unable to provide that information. This information would need to be sought from New Zealand Police.

Which is frustrating, but also revealing. Because if ESR, like a good contractor, acts on police instructions, then the police must have copies of those instructions, and should have a justification for each of them. The existence of such instructions also implies that there is a process for making them (the alternative being that the police are issuing them at random, which I don't believe for an instant). That process might exist only in the heads of relevant police staff, but it exists. It is official information, and it is held. So when police told me in January that they didn't have this information, and nobody else did either, they were lying.

(It may be the case that the usual police record-keeping fiasco means that statistics about removals cannot be generated without substantial collation and research. But that's a different question from the police's outright assertion that the information doesn't exist anywhere, and it certainly doesn't permit the withholding of the procedure).

This sort of bullshit from police is sadly a frequent occurrence. And it is absolutely corrosive of public trust.

The police knew coercing photographs from kids was illegal

In September last year, the Privacy Commissioner and Independent Police Conduct Authority issued a joint report on their investigation into the police's practice of coercing "voluntary" photographs from young Māori on the street. The report uncovered illegality, systematic racism, and widespread ignorance among police officers of the limits on their behaviour, including some practices so obviously illegal that the Privacy Commissioner was forced to issue a Compliance Notice to stop them. The report mentioned that the police had conducted their own internal review into the issues it covered, and a sharp-eyed person used FYI, the public OIA request site, to request a copy. Today, three months after the statutory deadline, the police finally provided a response, including a copy of the report. That report shows that, contrary to their public statements, the police's processes for handling this data are not robust, and they know it (or at least, they would if they read beyond the summary, which in usual police fashion, minimises their own wrongdoing and buries the true scale of their non-compliance). But it gets worse, because the report included legal advice, which was not properly redacted. This shows that:

• Photographing and fingerprinting children and young people is likely inconsistent with the UN Convention on the Rights of the Child and its principle that the best interests of the child be a primary consideration in all actions concerning children;
• They know that their claims of "consent" where children are concerned are pure bullshit. "There are a number of barriers to obtaining full and informed consent including the power imbalance between the young person and the Police officer, literacy issues, and communication disabilities... These factors can make it difficult for an officer to adequately explain the points in the POL545/545A forms to the level required not least because the officer does not have the training to recognise them or to address them." There are multiple cases already where evidence coerced from children and young people in this way has been thrown out by the courts on these grounds.
• Even if officers were properly trained, "some young people, particularly those aged under 15 years are not usually able to provide full and informed consent".
• These concerns effectively poison all existing material taken from young people.
• The nature of the youth justice system and its focus on allowing young people to make amends and leave offending in the past means that indefinite retention of information on children and young people is not a "lawful use", regardless of "consent".

Chris Hipkins is on record as saying that he wants to simply legalise the police's criminal behaviour, effectively putting them above the law. But this wouldn't just involve overturning the most basic principles of the Privacy Act - it would also require overturning fundamentals of the youth justice system. Which in turn would put us in violation of UNCROC, which has been incorporated into New Zealand law through the Oranga Tamariki Act. And as with "three strikes" and mandatory minimum non-parole periods, I'm not sure the courts would stand for that.

Update: The report is now on DocumentCloud. To read the redacted bits, click on "Document" (on the bottom left) and change it to "Plain text".

Are the police following the law on DNA?

Back in November, Newsroom reported that the police were racist in their collection of DNA samples from young people. The report came on the back of widespread police racism, illegality, and abuse of privacy in their policy of photographing and fingerprinting Māori youth.

When I blogged about this, I highlighted another issue: removals. Various provisions of the Criminal Investigations (Bodily Samples) Act 1995 require samples to be removed from the databank. Section 36 requires samples taken by "consent" from people to be destroyed if the consent is withdrawn (unless the police get a court order). Section 26A requires samples taken from young people effectively convicted of an offence to be destroyed if the person is not convicted of further offences within four or ten years. Section 26B allows samples from young people to be removed by application, under similar conditions. The latter two sections were passed in 2009 and 2010, so samples should have been being removed from the databank for nine years now. So have they been? back in November, I lodged an OIA request with police asking for statistics on removals under these sections, as well as a copy of their procedure for doing so. The police ignored it. Today, presumably after being contacted by the Ombudsman, they finally replied, stating that the information was not held. In other words, they have no statistics, and they have no procedure.

No statistics could just be the usual appalling police record-keeping, but its almost certainly a violation of the Public Records Act. Having no procedure OTOH is absolutely damning. It strongly suggests that the police are not complying with the requirements of the Criminal Investigations (Bodily Samples) Act 1995 around removing samples, and possibly that they have never complied with them. Someone needs to be asking Chris Hipkins pointy questions about this, and the IPCA and Privacy Commissioner need to investigate (and issue a compliance notice if necessary). As with the requirements around photographs and fingerprints (and warrants and production orders), Parliament passed these provisions for a reason. And its not acceptable for the police to ignore the law simply because they don't like it or can't be bothered.

ANPR should require a warrant

On Tuesday, the Herald broke the news of a massive increase in ANPR surveillance by police, from mere dozens of uses in 2020 to thousands in 2022, and that police had lied in their internal documentation when they said the system was audited to ensure use was legal. And today it got worse, because it seems that the police are deliberately circumventing warrant requirements for these searches, by pretending real-time surveillance is "historic":

No warrant is required by police searching for number plates captured by CCTV surveillance networks, even when the vehicles are snapped at the time of the search or seconds before.

Inquiries by the Herald have confirmed that the police definition of a “historic” search - and so not needing a warrant - includes number plates “captured at, or very close to, the time of the query being made”.

[...]

The “real-time” option requires police to seek a surveillance warrant from a judge or a forward-looking production order from a senior officer, to whom officers have to justify the crime being investigated warrants the breach of privacy involved.

OIA data showed police were able to access the vGRID system in June this year and had logged 119 specific “plates of interest” on which to receive “real-time” alerts. In the same period, police made 43,758 “historic” searches.

And this is only one of two systems, so the problem is clearly much bigger. And it makes you wonder whether they're applying the same workaround to things like text messages or emails (the interception of which in real time requires a surveillance warrant, but "historic" data - literally the moment after they are sent or received - does not).

But the core problem here is that the police treat this highly invasive form of surveillance - in which people can be tracked in real-time, their past movements traced, and a picture of their life pattern built up - as a private question between them and their (highly cooperative, promoted by police) partners. They talk of information being provided "by consent", but its the "consent" of the surveillance capitalists, not of the people they are tracking. And this partnership and "consent" is clearly being used to sidestep legal limits on surveillance which exist to protect our right to go about our business unmolested.

This isn't good enough. This surveillance needs to be regulated. Ideally, I'd like to see private use of ANPR (and facial recognition) banned. But at a minimum, any police or state access to such information must require a warrant and probable cause. And for proper law enforcement use - rather than gratuitous snooping - it should be no burden at all for police to give a reason to a judge why they need this information.