SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
REVEALED: Dirty deal between NZ telcos and the GCSB...
Thu, 18th Sep 2014
FYI, this story is more than a year old

The relationship between New Zealand's spy agency the GCSB and local telcos are governed by the TICSA (Telecommunications Interception Capability and Security Act 2013).

Passed on November 11, 2013 by the National government, the legislation came into effect on February 11 this year, with every telco operating in New Zealand having three months to become compliant.

It covers the responsibilities of all New Zealand telcos to the government surveillance agencies, with the overall objective described as:

"The purpose of this Act in relation to interception capability is to ensure that surveillance agencies are able to effectively carry out the lawful interception of telecommunications under an interception warrant or any other lawful interception authority."
It essentially forces telecommunications companies when asked by government surveillance agencies to develop, install and maintain full interception capabilities across their networks.

More specifically, when presented with an interception warrant or any other lawful interception authority, the telco must be willing and able to:

(a) provide a suitable access point in its public telecommunications network or service for interception equipment:

(b) co-operate with authorised persons and allow them access to its premises:

(c) provide sufficient environmentally controlled space to house the interception equipment or provide sufficient backhaul to a suitable location where the equipment can be housed.

To apply for interception, all surveillance agencies must demonstrate to the Minister that this is an adverse affect on national security or law enforcement.

Some interesting points from the act:

- Each telco must nominate a suitable employee to apply for a secret-level government-sponsored security clearance.

- The cost of intercepting this communication and providing the data to the GCSB is generally borne by the telco.

- Telcos with smaller than 4,000 customers don't have as strict a criteria under the act.

- The Police registrar maintains a register of telcos and their network designs.

- Each year or if changes are made the telcos network they must update the registrar.

- The CEO of each telco must sign an annual certificate confirming that the information contained is true and correct.

- The courts can order a telco to pay pecuniary (financial) damages to the crown for non-compliance with the act.

Two things you need to consider:

While the act means that government surveillance agencies 'can' force telcos into this type of surveillance, it doesn't show that actual equipment is installed.

This is probably how the Southern Cross Cable CEO and others can claim they have no equipment on their network.

There maybe no equipment right now, but the government can install it at anytime....