Abstract
Although New Zealand is a member of the ‘Five Eyes’ intelligence community, it has taken a relatively cautious and in recent years often deliberative approach to counterterrorism powers, including in relation to access to encrypted communications. That approach can be seen to reflect New Zealand’s security, legal and political context and in particular its tendencies to independence, pragmatism and support for human rights. It is also apparent in the responses to date to the deaths of 51 people in the March 2019 attack on two mosques in Christchurch, New Zealand and, in particular, in the Christchurch Call, an initiative against terrorist and violent extremist content online. The Call is a non-binding standard adopted in cooperation with numerous other governments and large online service providers and includes commitments to transparency and human rights. As Five Eyes countries’ individual and collective positions concerning access to encrypted communications become increasingly forceful, the question is whether New Zealand will follow those positions or pursue more principled, collaborative and likely more workable measures, in line with its wider approach and the example of the Call.
Keywords
Until the horrific attack on two mosques in Christchurch in March 2019, in which 51 people were killed, New Zealand had had very limited direct exposure to actual or even alleged terrorist acts. The number of such acts was small and their consequences far more limited. 1 Further, the most prominent instance of a fatal and politically motivated attack in recent New Zealand history, the bombing of the Greenpeace vessel Rainbow Warrior in July 1985 in a New Zealand port, was not a terrorist act. Instead, it was found to have been committed by French government intelligence personnel, two of whom were subsequently convicted of manslaughter under general New Zealand criminal law. 2
The result of that experience, and of wider contextual factors within New Zealand national security law and system of government, is that New Zealand has taken a comparatively limited and sometimes deliberative approach to counterterrorism and related measures, including in relatively qualified provision for access to encrypted communications.
That principled approach can, it is suggested, also be seen in the governmental response to the March 2019 Christchurch attack. While new and more restrictive firearms legislation was enacted on an urgent basis, the New Zealand government has not to date followed the pattern, seen in other jurisdictions, of enacting additional counterterrorism or other investigative powers in the wake of such events. Instead, the government established a Royal Commission to inquire into the attack and instituted the Christchurch Call, a cooperative multilateral and industry initiative.
Made in response to the livestreaming of the attack itself and subsequent online sharing of footage, the Call is directed to prevent dissemination of violent extremist content online while also upholding human rights protections. However, and despite recent advocacy within New Zealand and within the Five Eyes relationship, access to encrypted communications was specifically excluded from the Call. It may, however, arise with the Royal Commission.
Context: New Zealand’s adoption and use of counterterrorism law
While commentators disagree on whether New Zealand’s apparently limited experience of terrorism reflects ignorance, good law enforcement and/or good luck, 3 New Zealand has in any case tended towards a comparatively narrow and incremental approach in adopting and using counterterrorism related legislation. 4 In addition to New Zealand’s limited direct experience of terrorist acts, it is possible to identify five particular contextual factors.
First, there is a convention of bipartisan development and implementation of national security-related legislation and policy. 5 In addition, the leader of the parliamentary opposition is legally entitled to regular and confidential briefings by the New Zealand security and intelligence agencies; is a member of the statutory parliamentary oversight committee; is consulted on the appointment of other members of that Committee and of the independent Commissioners responsible for intelligence agency warrants; and receives the unredacted annual report of the New Zealand Inspector-General of Intelligence and Security, the statutory officer responsible for oversight of those agencies. 6
Second, the incremental approach to such legislation in New Zealand can also be seen to reflect the tendency, since the adoption of a proportional electoral system in 1996, towards coalition and/or minority government. In that time, no political party has single-handedly secured a parliamentary majority, such that each government has had to negotiate support for legislation. 7
For example, the late 2019 adoption of broad powers to impose control orders in counterterrorism cases—to some degree following steps of Five Eyes partners taken some years before and discussed further below—was initially opposed by the New Zealand Green Party, one of the three parties currently in coalition government. The other governing parties were left dependent upon the support of the National Party, the main centre-right party, to secure a legislative majority to introduce such legislation to Parliament. The National Party initially gave that support but then withdrew it, criticising the legislation as too lenient. The governing parties then agreed to changes to the proposed legislation sufficient to secure Green Party support for its introduction and passage. 8
The third contextual factor is a series of prominent scandals and controversies over excessive, apparently unjustified and/or unlawful acts in relation to counterterrorism and national security measures. For example:
– Following a substantial operation against what were alleged to be domestic terrorism-related activities in 2007, it proved impossible to prosecute those alleged activities under New Zealand counterterrorism law, as discussed further below. 9 In addition, the Independent Police Conduct Authority (IPCA) upheld claims arising from the operation, finding that the Police had made ‘unlawful, unjustified and unreasonable’ use of road blocks staffed by specialist armed police in the middle of a town and that Police had unlawfully detained, searched and photographed many members of the public. 10 The New Zealand Police Commissioner subsequently made a formal apology to the affected community. 11
– The Government Communications Security Bureau (GCSB), one of the two New Zealand civilian intelligence and security agencies, which specialises in ‘signals intelligence and information assurance and cybersecurity activities’, 12 was found in 2012 to have carried out unlawful surveillance against a group of New Zealand residents who were later the subject of extradition applications by the United States. 13 The disclosure led both to civil proceedings against the GCSB and also to an official review conducted by the Cabinet Secretary, who found structural deficiencies in compliance by GCSB with its empowering legislation and suggested that at least 88 people might have been subject to unlawful surveillance over the previous decade. 14
– The New Zealand Security Intelligence Service (NZSIS), the other New Zealand civilian intelligence and security agency, which specialises in ‘human intelligence activities’, 15 was found by the Inspector-General of Intelligence and Security in 2014 to have released ‘incomplete, inaccurate and misleading’ information concerning briefings given to the Leader of the Opposition and also to have failed to act to uphold its legal obligation of political neutrality. 16
The fourth contextual factor is the significant impact of national and international human rights obligations in New Zealand.
Most directly, New Zealand’s civil and political rights legislation, the New Zealand Bill of Rights Act 1990, does not have higher law status and so can be overridden by contrary legislation. However, the Act does require formal reporting by the Attorney-General to Parliament on whether proposed legislation is consistent with affirmed rights and there is at least some effort to avoid inconsistencies. 17 Formal government policy and drafting procedures also mandate consideration of compliance with national and international human rights obligations and such assessments are usually required to be released under New Zealand’s freedom of information legislation. 18 In the context of access to communications data on national security grounds, compliance with human rights obligations is additionally and expressly required by the legislation governing New Zealand’s intelligence and security agencies. That requirement extends to any cooperation with any other country. 19
Alongside national human rights law, the impact of international human rights obligations is also significant. The New Zealand courts have been described as taking a relatively strong approach to unincorporated treaties, including human rights obligations. 20 Notably, one of the few significant national security cases—an attempt to deport a foreign national designated a risk to national security—in part ended once it was accepted that the non-refoulement obligation under the Convention against Torture is an absolute bar to expulsion, regardless of any claimed risk. The New Zealand Supreme Court, accepting a government submission, specifically declined to follow the contrary approach of the Supreme Court of Canada in Suresh. 21
That international context has also had more indirect but still concrete practical effect upon New Zealand data protection legislation, which was recently updated in part so as to maintain New Zealand’s data protection adequacy status with the European Union. Adequacy status, which could as noted below be undermined by additional access powers or other requirements, is regarded as underpinning trade and other cooperation with EU countries and as a competitive advantage over those countries that do not have such determinations, including Australia. 22
More widely still, New Zealand foreign policy has tended towards advocacy of a rules-based international system, including commitment to international human rights treaties and procedures, sometimes in opposition to traditional allies.
23
In particular, defence and security commentators have observed that New Zealand has maintained and/or reinstated its intelligence and security cooperation with Five Eyes partners while also maintaining its nuclear-free policy. It also, for example, opposed the 2003 Iraq War, though its nuanced position has come increasingly under scrutiny as a result of the Snowden and other disclosures, as suggested by Robert Patman and Laura Southgate
24
: …with growing economic interests in the Asia-Pacific region, New Zealand cannot afford to be indifferent to growing concerns about its espionage role. The [New Zealand] government will face growing domestic and international pressures to adjust its national security policy so that it is consistent with what is claimed to be an independent and diverse foreign policy.
In formal terms, the 2012–2013 scandal involving the GCSB resulted in a substantial strengthening of oversight of both the GCSB and the NZSIS, as discussed below. The continuing result of that strengthening has been a series of investigations and reviews, such as the 2014 report noted above, including further findings of unlawful or otherwise improper conduct, including findings of unlawful access to information. 25
Similarly, and while responsible ministers had previously tended to decline to comment on matters concerning national security, such controversies have led to detailed public comment and, on occasion, pointed criticism 26 :
– In 2012, the then New Zealand Prime Minister, the Rt Hon John Key, apologised publicly to those found to have been subject to the unlawful GCSB surveillance, commenting that he was ‘appalled’ that the agency had ‘failed the most basic of hurdles’. 27
– In 2018, it was disclosed publicly that mistakes in legislative drafting had made it impossible for the NZSIS to undertake covert visual surveillance for some months. The then responsible Minister, the Hon Christopher Finlayson, responded that the agency should not ‘even bother asking’ for urgent legislation to correct the error and later commented that, had that error caused a terrorist attack, the relevant officials ‘would have been to blame’. 28
Perhaps no less importantly, however, such steps have more generally resulted in greater transparency and consequent debate. For example, an inquiry by the Inspector-General of Intelligence and Security into whether the NZSIS and/or the GCSB had any connection to the use of torture by the United States Central Intelligence Agency in 2001–2009 resulted in recommendations for better future practice but also in some disclosure of details of intelligence cooperation and consequent public controversy. 29 While the responsible Minister and the current Directors-General of the two agencies appeared to accept the findings, the agency heads from the relevant period issued rebuttals, 10 pages long, including assertions that they could not have sought to engage with revelations of torture by the United States Central Intelligence Agency (CIA) because to do so would have ‘risked vital intelligence flows’. 30 These developments can also be seen to underpin greater legislative scrutiny of counterterrorism and related measures, as discussed further below.
Legislative scheme for counterterrorism
The substantive result of these contextual factors is that New Zealand legislation dealing with counterterrorism remains narrow, relative to other jurisdictions and, particularly, other Five Eyes countries. The Terrorism Suppression Act (TSA) was enacted in 2002 to give effect in part to the primary multilateral counterterrorism treaties and to specified United Nations Security Council (UNSC) resolutions, 31 and has been subject to only limited amendments since that time. 32 The TSA provides for criminal offences of and related to terrorist acts and to designated terrorist entities; offences in relation to nuclear material and plastic explosives; transaction reporting; and seizure and forfeiture of property. 33 Terrorist entities may be designated both in accordance with UNSC listings and independently of such listings. 34 Offences under the TSA are subject to limited extraterritorial jurisdiction; are deemed to be extradition offences; and may be the subject of criminal mutual assistance applications and proceedings. 35
The TSA is supplemented by a number of specialised legislative provisions and measures. Notably:
– Sanctions imposed by and/or under UNSC resolutions have been implemented through subordinate legislation, enacted under general legislation providing for the implementation of such resolutions 36 ;
– The Intelligence and Security Act 2017 (ISA), which provides for the operation and oversight of New Zealand’s two civilian intelligence and security agencies, permits the issue of warrants for surveillance and related activities and for access to specified official databases for purposes that include counterterrorism 37 ;
– As discussed in more detail below, the Telecommunications (Interception Capability and Security) Act 2013 (TICSA) requires New Zealand telecommunications network operators to ensure that various data carried on such networks are capable of access under warrant or warrantless powers; and
– If an offence under the general criminal law is committed as part of a terrorist act, that is an aggravating factor for sentencing purposes. 38
Other specialised measures include particular offences in maritime and aviation legislation 39 ; a legislative regime to counterterrorist financing 40 ; provision for suspension and cancellation of New Zealand passports and refusal and revocation of immigration permissions on terrorism-related grounds 41 ; and emergency powers legislation, which provides for the requisitioning of property, interception and restriction of communications, deployment of military personnel and related measures in circumstances including response to an ‘international terrorist emergency’. 42
Counterterrorism in practice
Some of these measures are used on a regular basis. The New Zealand government has independently designated a series of terrorist entities under the TSA since its enactment and currently maintains 19 such designations, 43 while the NZSIS has consistently referred to ‘an active watch-list’ of ‘30–40’ people in New Zealand, including a smaller number under constant surveillance under ISA warrants. 44 There is also a publicly disclosed cooperation mechanism for assessing the risk of terrorist acts, including through a published ‘national terrorism threat level’, and for responses to any such risks and acts. 45
There have also been official disclosures of instances of counterterrorism activities. For instance, as part of the policy background to the 2016–2017 review of their governing legislation, the NZSIS and the GCSB disclosed cooperation with other governments concerning persons alleged to be attempting to engage in militant jihad, resulting in prosecutions by those governments, and also interception of communications that led to the ‘disruption’ of a New Zealand person’s attempt to travel to join ISIL. 46 However, some such official statements have also on occasion been incorrect: for example, a widely reported December 2015 statement that a ‘small but significant’ number of women had travelled from New Zealand to ISIL-held areas and become ‘jihadi brides’ was later admitted to have been inaccurate. 47
Other significant parts of the legislative scheme have been used only rarely, if at all. There has to date been no concluded prosecution of an offence under the TSA in New Zealand. One charge, laid in addition to multiple charges of murder and attempted murder, was pending in late 2019 following the March 2019 Christchurch attack. 48 An earlier attempted prosecution arising from Police raids of alleged ‘terrorist training camps’ in 2007 was refused permission by the Solicitor-General, who commented that although the allegations were ‘very disturbing’, the TSA was ‘very technical’ and ‘almost impossible to apply in a coherent manner’. 49 Instead, terrorism-related conduct has tended to be pursued under other legislation: for example, the dissemination of ISIL-related material online has been prosecuted under legislation dealing with offensive publications. 50
In the context of civil measures, two prominent cases concerning the potential denial of refugee status on the grounds of alleged involvement in terrorist acts were both ultimately withdrawn. The first, which ran from 2002 to 2007, concerned the former leader of an opposition party in Algeria and concluded following both the acceptance that the Convention against Torture provided for an absolute protection against refoulement and the acceptance by the NZSIS, following undertakings, that no security risk remained. 51 The second, from 2006 to 2010, concerned a crew member of a vessel operated by the Liberation Tigers of Tamil Eelam and collapsed when the New Zealand Supreme Court confirmed that the evidence did not meet the standard for criminal complicity. 52 However, powers to cancel passports on counterterrorism grounds introduced in 2014 were reported to have been used a total of eight times over the following four years, including one instance later withdrawn following the filing of court proceedings and another still before the New Zealand courts. 53
Divergent approaches to national security-related law reform
The further result of these contextual factors is a tendency over the past two decades towards greater parliamentary and public scrutiny of proposed national security legislation and, in substantive terms, greater specificity and transparency in such legislation. Historically, New Zealand intelligence and security legislation had often been framed in opaque or incomplete terms: most strikingly, the GCSB was formed and operated under prerogative and without any specific legislation at all from 1977 to 2003. 54
Beginning with the adoption of legislation governing that agency, there has been an increasing degree of openness. The most significant example is the 2016–2017 reform of legislation governing the civilian intelligence and security agencies and their oversight mechanisms. The reform, which in part followed some of the controversies noted above, was formulated not from within government agencies, as had previously occurred. Instead, it took place through an independent and public review, established by legislation, and was conducted by a former Deputy Prime Minister and a prominent lawyer, later appointed as Governor-General. Similar such reviews are now required by the reformed legislation every five to seven years. 55
Further, the reform legislation itself was in turn the subject of extensive public submissions and hearings by a parliamentary committee. Again, in contrast to previous national security-related legislation, which had often been passed with minimal amendment and only limited public information, significant disclosures and amendments were made through the parliamentary process. One example was a proposed provision for ‘purpose-based warrants’, intended to follow UK legislation as statutory warrants for intelligence-related activity framed in terms of purposes to be achieved, rather than specified authorised places or persons. 56 Such warrants had been recommended by the independent review, but were rejected by the parliamentary committee as lacking safeguards, certainty and oversight and having ‘no operational justification’. 57
Against this, however, some initiatives for review have stalled or failed. A review of the TSA initiated following the attempted 2007 prosecution was first paused pending the outcome of other prosecutions arising from the same events, then suspended at the direction of the Minister of Justice in 2012 and ultimately stopped altogether in 2013. 58 Similarly, proposals by the New Zealand Law Commission, an independent statutory legislative review body, for reform of New Zealand’s relatively narrow closed material procedures made in December 2015, had not generated a response by December 2019. 59
Further, and most recently, legislation for control order-type measures was proposed and adopted on an urgent basis with very limited scope for public submissions and what appeared to be little underlying policy work. 60 Apparently formulated in response to the imminent prospect of the return of ISIL-affiliated person(s), 61 the legislation provides for the making of a broad range of restrictive and intrusive measures against any person who comes to New Zealand after having engaged in a broad range of ‘terrorism-related activities’ in another country or having been subject to civil or criminal measures related to such activities. 62 The Bill was widely criticised, including by the New Zealand Chief Justice, as lacking necessary clarity, and by the New Zealand Law Society as in part unworkable. 63 However, it was reported back with little significant change. 64 Some of the most problematic aspects of the Bill—for example, undefined provision for a court to impose almost any form of restriction or condition—were however amended to some degree at the last stage of parliamentary consideration. 65
Encrypted communications
New Zealand’s approach to encrypted communications has followed that wider context. While a recent study has asserted that ‘[i]t is generally believed that encryption is largely unregulated in New Zealand and in other jurisdictions’, 66 that is of course not the case, as is shown by past and continuing controversies over the use of and access to encrypted communications. 67
New Zealand legislative provision for such access falls into three related categories 68 :
– First, TICSA requires telecommunications network operators to enable access to their networks and services, including to any encrypted system that those operators themselves provide.
– Second, the general provisions for search warrants and, in specified circumstances, powers of warrantless search in the Search and Surveillance Act 2012 extend to requirements upon those subject to search to provide decryption passwords or other keys. These are supplemented by a specific regime for border searches by customs officers.
– Third, the ISA provides for warranted powers under which the GCSB and the NZSIS may access communications. The ISA does not refer specifically to encrypted communications but both agencies have made public statements that encryption does, for example, ‘affect’ or ‘challenge’ such access. 69
Telecommunications (Interception Capability and Security) Act 2013
TICSA provides both for network security standards and for access for intelligence and law enforcement purposes. So far as access is concerned, TICSA is directed to ensure that the intelligence and security agencies, the New Zealand Police and other designated law enforcement agencies are able to carry out interception of communications under warrant or warrantless powers, without unduly interfering with the operation of communications systems. 70
In particular, TICSA requires certain network operators to enable identification and interception of communications and associated data that fall within the terms of a warrant or warrantless power. That interception capability must be unobtrusive; must protect the privacy of communications falling outside the warrant; and must operate in real time or as close as practicable to real time. 71
Network operators are defined to include those providing data networks for public use, including Internet and email access. In addition, entities that provide telecommunications services in New Zealand, even if based elsewhere, can be designated as subject to TICSA by the responsible minister. 72 This aspect, and in particular the prospect that the effective scope of the Act could be broadened by ministerial decision, rather than by amendment of the legislation itself, was criticised by Google and Microsoft, among others. 73
However, in respect of encrypted communications, the network operator that undertakes the interception of encrypted communications must decrypt such communications only if it has itself provided that encryption: the operator is not required to decrypt communications if the encryption is provided by a product that is supplied by another person or entity and that is available to the public. The operator is also not required to decrypt communications if the encryption is provided by a product supplied by that operator as an agent for it, and while the operator can be required to assist the relevant government agency, it is not required to ensure that the agency has the ability to decrypt any communication. 74
Further, at least two aspects of the TICSA scheme appear subject to additional limitations, although the legislation is not entirely clear and has not been the subject of judicial decision. First, TICSA does not specifically preclude a network operator from providing an encryption product involving user-provided keys unavailable to the operator. Given the exclusion of encryption when provided as an ‘agent’ or by others, it appears likely that it does not do so. 75 Second, it is also not clear how TICSA might apply cross-jurisdictionally. The terms of the Act do, as noted above, envisage extending its obligations to overseas entities that provide services in New Zealand 76 and, at the time of its adoption, a number of large online service providers did raise objections to its potential impact upon provision of encryption services to New Zealand users. 77 However, the Act does not deal with at least two foreseeable responses of such service providers: how it is to apply if the regulated telecommunications service were to be provided by a New Zealand-connected entity but encryption services provided separately and how any extraterritorial requirement should be reconciled with contrary privacy or other controls in the other jurisdiction.
Intelligence and security agencies
The ISA provides for access to communications by way of an intelligence warrant, issued by the responsible Minister and in some instances an independent quasi-judicial Commissioner to conduct surveillance or to intercept or seize communications, including by access to an ‘information infrastructure’. 78
An information infrastructure is non-exhaustively, but broadly, defined to include ‘electromagnetic emissions, communications systems and networks, information technology systems and networks, and any communications carried on, contained in, or relating to those emissions, systems, or networks’. 79 These powers are further given effect through TICSA, as above.
Search and Surveillance Act and other specific search powers
The Search and Surveillance Act provides access to communications by way of:
– The use of an interception device, which may be authorised by judicial warrant for Police investigation of serious crimes and may also be authorised by subordinate legislation for the New Zealand Customs Service and for the Department of Internal Affairs, which enforces censorship legislation. 80 These powers are further given effect under TICSA, as above.
– The search of computer systems and other data storage devices, including by way of a ‘remote access search’ of that system or device, which may occur under warrant or where a warrantless power is provided. 81 For the purpose of such searches, the executing Police officer or official may require the user or operator of that system or device to provide access information. 82
In addition, the Customs Service has the power to require access information for the content of locked and/or encrypted devices at the border, but not for remotely held information accessible using that device. 83
Oversight of surveillance and decryption powers
The exercise of surveillance and decryption powers in New Zealand is subject to a number of general and specific oversight mechanisms.
Oversight mechanisms under TICSA
TICSA provides for two particular oversight mechanisms. First, TICSA obligations are enforceable through the courts, and so indirectly subject to judicial supervision, including if need be through a closed material procedure. 84 Second, a provider subject to direction under TICSA may seek review by an expert panel, which may recommend to the responsible Minister that the direction be varied or revoked. 85 Measures under TICSA are also open to binding challenge by way of judicial review proceedings.
Intelligence and security agencies
The intelligence and security agencies are subject to oversight at several levels.
First, the exercise of warranted powers against New Zealand citizens and permanent residents requires concurrence of the responsible Minister and a Commissioner of Intelligence Warrants, a tenured statutory officer who must be a former judge of the New Zealand High Court. 86
Second, the Inspector-General of Intelligence and Security, a tenured statutory officer, may inquire into any aspect of the conduct of the agencies, whether following complaint or of her or his own motion, and has wider obligations to review and/or be consulted in respect of activities of both agencies, including the issue and exercise of warrants and the operation of compliance mechanisms. 87
Third, the Intelligence and Security Committee comprises the Prime Minister, the Leader of the Opposition and several other members of the New Zealand Parliament and is required to review the overall operation of the agencies and the Inspector-General’s annual report. While the Committee is not able to inquire directly into operational matters, it may request the Inspector-General to do so. 88
The agencies are also subject to judicial supervision through court proceedings. 89
Police and other law enforcement agencies
The exercise of powers by the New Zealand police is subject to oversight both by a specialist complaint body, the IPCA, and through the courts, both in any subsequent prosecution or directly by way of civil proceedings. 90 Other law enforcement agencies are also subject to oversight through the court system and through the parliamentary Ombudsman.
Current prospects for encryption: Five Eyes proposals and the Christchurch Call
New Zealand’s position on Five Eyes proposals for access to encrypted communications
Five Eyes ministerial meetings in which New Zealand has taken part have issued communiqués seeking such measures in increasingly forceful terms, 91 in addition to measures by individual Five Eyes governments.
The most recent, and strongest statement, is that of July 2019
92
: We are concerned where companies deliberately design their systems in a way that precludes any form of access to content, even in cases of the most serious crimes. This approach puts citizens and society at risk by severely eroding a company’s ability to identify and respond to the most harmful illegal content…as well as law enforcement agencies’ ability to investigate serious crime. Tech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and usable format…. We therefore welcome approaches like Mark Zuckerberg’s public commitment to consulting Governments on Facebook’s recent proposals to apply end-to-end encryption to its messaging services. These engagements must be substantive and genuinely influence design decisions…. More broadly, we call for detailed engagement between governments, tech companies, and other stakeholders to examine how proposals of this type can be implemented without negatively impacting user safety, while protecting cyber security and user privacy, including the privacy of victims.
There has also been no proposal to follow legislation enacted by other Five Eyes countries. Notably, and following the enactment of the Australian Telecommunications (Assistance and Access) Act 2018, the Hon Andrew Little, the Minister now responsible for the GCSB, indicated that New Zealand did not intend to enact similar legislation, commenting that to do so would be a ‘serious step’ and that ‘[a]ny concerns about the extent to which encryption is being used to conceal illegal or seditious activity would need to be the subject of widespread public scrutiny and debate’. 95
It is also at least potentially significant to New Zealand that the Australian legislation has been criticised by the largest online service providers. It has also been criticised by the United Nations Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, who said that the ‘virtually unfettered discretion’ afforded breached the International Covenant on Civil and Political Rights. 96 Furthermore, the Law Council of Australia warned that the legislation was incompatible with the European Union General Data Protection Regulation and, surprisingly, with the recently introduced United States CLOUD Act, which provides a regulated means of cross-border data access. 97 The former is likely most important given the particular value placed by New Zealand on its European Union adequacy status, noted above.
The official publication New Zealand’s Cyber Security Strategy 2019, released in July 2019, commented
98
: Human rights should be protected online as they are offline. International and domestic law similarly apply online as offline. This includes the right to freedom of expression, and the protection of privacy, as set out in New Zealand law and existing international law. We will also continue to work with others on issues related to encryption: ensuring that law enforcement can access the information it needs while balancing the rights of New Zealanders to protect their privacy and security. Any action to address online harms, such as the Christchurch Call to Action to Eliminate Terrorist and Violent Extremist Content Online, will be consistent with New Zealand’s wider cyber policy positions, including the importance of maintaining a free, open and secure Internet and the application of international human rights law online.
Following the August 2019 Communiqué, however, the responsible Minister commented that while he was receptive to the need for privacy, ‘something needed to be done to help law enforcement’. 99 Nonetheless, New Zealand did not join with three of its four Five Eyes counterparts—Australia, the United Kingdom and the United States—in writing an open letter to Facebook in October 2019 to insist that it not proceed with standard encryption measures without ‘substantive and genuinely [influential]’ consultation with those governments and without ensuring law enforcement access. 100
The Christchurch Call and related developments
The further, and potentially significant, context for New Zealand’s future approach to encryption is the response of the New Zealand government to the Christchurch attack, including to the disclosure that the person subsequently charged over the attack had not been known to the New Zealand security agencies. 101
The response to date has been significant in several respects. First, and in contrast to the experience of other jurisdictions and to the urgent enactment of new firearms legislation within weeks of the attack, 102 there has not to date been any urgent attempt to introduce additional counterterrorism or related powers. 103
This said, however, the Directors-General of the NZSIS and the GCSB have both made public statements concerning the difficulty posed by encryption since the attack.
104
In particular, the Director-General of the NZSIS asserted in a significant September 2019 speech that
105
: Encryption of sites, chatrooms, apps and other platforms (including gaming) is a huge challenge for all security and law enforcement agencies. Compelling or encouraging technology companies to cooperate with law enforcement and intelligence agencies is an ongoing challenge—particularly where they are located in a foreign jurisdiction…. Many jurisdictions and international bodies are debating the extent to which law enforcement and intelligence agencies should be able to require access to information online…It remains to be seen whether the public will continue to tolerate the licence to operate afforded to criminals and terrorists by the online world. Global leadership is required to solve this global problem. Sadly, the attacks in Christchurch have given New Zealand a compelling and legitimate role in building support for a concerted push for change.
The third relevant step is the April 2019 establishment of a Royal Commission to inquire into what was known prior to the Christchurch attack, what was and should have been done and ‘what additional measures should be taken by relevant State sector agencies to prevent such attacks in the future’. The Commission terms of reference also provide that it must, among other matters, inquire into
107
: whether there were any impediments to relevant State sector agencies gathering or sharing information relevant to the attack, or acting on such information, including legislative impediments.
The fourth and potentially most significant step, however, is the Christchurch Call. The Call, a joint intergovernmental and industry initiative to eliminate terrorist and violent extremist content online, was launched by the New Zealand Prime Minister and the President of France on 15 May 2019, exactly two months after the attack. 108
It is a non-binding statement, to date endorsed by 49 governments and by eight of the largest global online service providers, including Facebook, Google and Microsoft. It includes commitments to
109
: Ensure appropriate cooperation with and among law enforcement agencies for the purposes of investigating and prosecuting illegal online activity in regard to detected and/or removed terrorist and violent extremist content, in a manner consistent with rule of law and human rights protections…. Collaborate, and support partner countries, in the development and implementation of best practice in preventing the dissemination of terrorist and violent extremist content online, including through operational coordination and trusted information exchanges in accordance with relevant data protection and privacy rules…. Respect, and for Governments protect, human rights, including by avoiding directly or indirectly contributing to adverse human rights impacts through business activities and addressing such impacts where they occur.
The Call is also potentially significant to the question of encryption in two broader respects. Most simply, it was pursued on the basis that it was necessary to secure multilateral and industry cooperation within a wider context of human rights obligations. As the current New Zealand Prime Minister, the Rt Hon Jacinda Ardern, said to the United Nations General Assembly in September 2019
111
: [W]hat happened in Christchurch, as well as a profound tragedy, is also a complex and on-going problem for the world. And it is a problem we felt a sense of responsibility to do something about, so we sought to collaborate with the technology companies so integral to the solution…. Neither New Zealand nor any other country could make these changes on their own. The tech companies could not either. We are succeeding because we are working together, and for that unprecedented and powerful act of unity New Zealand says thank you. The centrality of technology in our lives is not the only example of our increasing inter-connection, and our reliance on one another if we are to respond to the challenges we face.
The further significant aspect of the Call is that it affords an example of a considered, coordinated and much more sophisticated response to a complex issue, in contrast both to the tenor of the Five Eyes statements concerning encryption and also to the sometimes opaque responses of some of the very largest online service providers to problems of this kind. 115 The United Nations Special Rapporteur on Freedom of Expression has commented positively on the Call and similar measures as promoting transparency and accountability both for governments and for industry participants. 116
It can, as has been suggested by Robert Gorwa, be regarded as an example—and, from initial reactions, a successful example—of the ‘governance triangle’ model formulated by Kenneth Abbott and Duncan Snidal. Put short, and in response to the reality acknowledged by the New Zealand Prime Minister in her General Assembly speech that ‘no actor group, even the advanced democratic state, possesses all the competencies needed for effective regulation’ in such transnational settings, it becomes necessary to work through the ‘triangle’ of governments, industry and civil society. 117
Conclusion: Fundamental choices and the possibility of a principled response
New Zealand’s comparatively limited approach to current and proposed access to encrypted communications reflects, as set out above, both some wider tendency towards deliberation and principle in national security matters and a tension in its national security, political and legal context. That tension is made still more complex by the aftermath of the Christchurch attack.
Plainly, there will be continuing pressure both from Five Eyes partners and from within New Zealand’s national security bureaucracy to adopt, or at least attempt to adopt, some form of mandatory access requirement. Given the terms of reference and public statements by the New Zealand intelligence and security agencies following the Christchurch attack, it is foreseeable that the current Royal Commission will be lobbied to recommend such measures and it may do so. Further, the recent enactment of the new control orders legislation, passed under urgency and drafted in broad and in part likely unworkable terms, gives some indication of the potential for such measures to be adopted in haste.
Against those prospects, however, is the more principled and likely more workable example of the Christchurch Call and the wider context of New Zealand’s approach to and experience of more deliberate, principled and evidence-based national security measures. The result is that there is at least the potential for a more pragmatic and, perhaps, more principled approach.
This is not to deny that the question posed is truly difficult. A recently released New Zealand scholarly study concluded that access to encryption is a question of balance informed by principles and values. In particular, it is suggested that objections to such access may be overcome by an expanded reading of the right against self-incrimination, such that those using encrypted communications may not be required to disclose keys or passwords or penalised for failing to do so, and that
118
: …those who seek to gain access to encrypted data (e.g., law enforcement officers) should take it upon themselves to continuously improve their ability and expand the available tools that enable them to gain access to encrypted data and communication…. Law enforcement officers need to keep up-to-date and stay ahead of the technical advances needed to effectively investigate and prosecute crimes in the digital age.
The first of these difficulties appears to have been acknowledged by the United States government in July 2019. The leading security technologist Bruce Schneier has noted that while the United States government had previously insisted that technology could somehow simply ‘solve’ the problems posed by encryption without undermining its wider efficacy, the current United States Attorney-General William Barr had specifically acknowledged in a public address that mandated access to encrypted communications would also cause cyber threats: it was a question, said Barr, of ‘relative risks’.
121
Schneier commented that while Barr had sought to maintain other fallacies—for example, continued denial of past instances in which United States military systems had been made insecure by previous mandated access requirements—the acknowledgement did mean, in Schneier’s view
122
: …we can finally have a sensible policy conversation. Yes, adding a backdoor increases our collective security because it allows law enforcement to eavesdrop on the bad guys. But adding that backdoor also decreases our collective security because the bad guys can eavesdrop on everyone. This is exactly the policy debate we should be having—not the fake one about whether or not we can have both security and surveillance.
New Zealand’s particular public, political and foreign policy environment can, it is suggested, similarly provide the context for such a sensible conversation. The Christchurch Call affords precedent for a more collaborative, principled and sophisticated response to a problem of similar difficulty. The approach taken there, coming in the wake of an attack regarded as literally unspeakable, 124 advanced both robust principle and the real prospect of effective engagement between national and international public policy, providers’ technical capabilities and civil society. Encryption, similarly, is too difficult a question to approach any other way.
Footnotes
Conflict of interest
The author(s) declared the following potential conflicts of interest with respect to the research, authorship, and/or publication of this article: (1) The author was Crown Counsel for the New Zealand government with responsibilities for constitutional, human rights and international law from 2000 to 2014 and so appeared and/or advised in a number of matters discussed here; (2) was subsequently the inaugural Deputy Inspector-General of Intelligence and Security, 2014–2017, with some involvement in matters discussed; (3) is currently a special advocate, including in the closed material proceeding mentioned at n 53; and (4) contributed, as a member of the New Zealand Law Society Public and Administrative Law Reform Committee, to the Society’s 2019 submission on the Terrorism Suppression (Control Orders) Bill, also discussed below. All remarks are the author’s personal views and do not reflect the views of or information obtained through any past or current client, instruction or appointment.
Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.