Friday, December 14, 2018

The SIS conducted unlawful searches

Two years ago, we had a series of rulings about police access to banking records, which found that their practice of asking banks to "voluntarily" disclose information on their customers violated people's privacy and constituted an unreasonable (and thus unlawful) search under s21 BORA. Of course, it wasn't just the police asking for banking records: the SIS also did it. And somewhat predictably, the Inspector-General of Intelligence and Security has found that they too violated the law.

The full report is here. It summarises the caselaw and SIS practices, and there are some fascinating suggestions of how widespread this practice was: the IGIS studied requests from a 3-month period in 2016, and selected 13 cases for examination in greater detail. Assuming they selected half or fewer of the cases, and that volume in that period was not unusually high, that suggests the SIS were making at least a hundred "voluntary" demands for people's private banking information a year, some of which were for 12 or 24 months' worth of data and thus highly intrusive. The IGIS's conclusion:

Service policies and procedures provided some effective guidance for NZSIS staff and enabled a degree of record-keeping, but did not adequately ensure compliance with all relevant legal obligations. I did not make formal individual assessments of the legality or propriety of particular case requests, but, based on my review of the sample of cases, although over a short period, it is likely that some of the past collection constituted unreasonable searches contrary to s 21 BORA.

Which raises the obvious question: will the SIS apologise to and compensate their victims, as the police did to Nicky Hager? And will those responsible be held accountable? Or will unlawful behaviour by the government be allowed to pass unpunished?

The good news is that the Intelligence and Security Act 2017 created a statutory regime for requesting such information, which is subject to full IGIS oversight. There are a number of recommendations about future practice under this regime, aimed at ensuring the SIS obeys the BORA and the Privacy Act, and the IGIS will be keeping a close eye on it in future. But there's also a disturbing hint that this regime may already be being abused:

The framework should expressly recognise that the business records regime was not intended to allow access to “bulk” or “class-based” requests for information. In my view Parliament envisaged that if large volumes of personal information, or non-specific information, is needed that should be obtained under a warrant.

I don't think the IGIS would give such a warning unless agencies were already abusing the law in this fashion. So what bulk or class-based business records are the spy agencies demanding? All financial transactions to particular countries would be one obvious answer. But there's a more disturbing possibility: telecommunications and internet metadata. Unfortunately, because everything these agencies do is secret, we'll never know, unless someone leaks it, or when the inevitable report about unlawful behaviour lands in ten years' time.