Friday, August 19, 2016

We don't need the GCSB

John Key's latest spy legislation passed its first reading in the House yesterday, and is off to select committee. They'll no doubt be calling for submissions soon, but I'm not sure whether it is worth wasting time on. The last committee into a spy bill notoriously didn't even bother to read the public submissions it was sent, and with a National majority on this committee, there's no reason to believe that it would be anything other than a government rubber-stamp.

Which is a shame, because this bill needs fixing. Listening to the speeches yesterday, it was clear that the government's thinking on expanding GCSB powers in particular was muddled. First, they claimed that the GCSB needed the power to spy on New Zealanders to cover cases where the SIS couldn't get a warrant because they didn't know who to spy on. Except that the GCSB also needs warrants, and would need to know who to spy on - so that excuse only holds water if the law enables mass-surveillance, something the government denies. So which is it?

The other major excuse for the GCSB's expanded powers was "cyber". MPs are deeply scared of the internet and the sorts of hoodie-wearing people who hang around on it, and think we need a government agency to counter these dastardly cyber-criminals and protect our private information from Evil h4ck0rs. And you know, they're right. Except that that agency does not need to be an intelligence agency with intrusive surveillance powers and legal immunity from prosecution.

The "information assurance and cybersecurity" function is the GCSB's sole legitimate function. The problem is that it is in direct tension with the agency's intelligence functions. A cybersecurity agency wants to find security loopholes and publicise them so they can be fixed. An intelligence agency wants to keep them secret and un-patched for future exploitation for intelligence purposes (something which has just backfired messily on them). A cyber-security agency would regard the NSA and GCHQ - foreign intelligence agencies whose purpose is to compromise our information systems, steal our data, and spy on our citizens - as enemies to be countered. The GCSB regards them as friends to be courted. The GCSB's intelligence function - which according to the Prime Minister comprises most of its workload - compromises its cybersecurity function. And so they need to be separated.

Instead of the GCSB, what we need is a completely civilian agency, an expert cyber-defence team. And instead of operating covertly and with government-approved warrants, it would operate by consent. Such a team wouldn't need secret warrants to do its job, because people would ask it to. And it wouldn't need legal powers to dictate network architecture and hardware choices, because people would trust its recommendations rather than regarding them as a thinly-veiled front for NSA hackers. And with a clear focus on cybersecurity and a statutory prohibition on any intelligence gathering, it would be free of the suspicion which taints the GCSB. As for the intelligence function, we should shut that down, sack its staff, destroy its files, and throw its equipment in a volcano - because it serves no legitimate purpose in a free and democratic society.