The First Independent Review of Intelligence and Security in New Zealand looked at whether mass surveillance was being carried out by the GCSB.
The report concludes that there is no mass surveillance.
It was clear to us from our discussions with GCSB staff and from the GCSB’s own internal policy documents that these restrictions are interpreted and applied conservatively.
Far from carrying out “mass surveillance” of New Zealanders, the GCSB is unable to intercept New Zealanders’ communications even where it is for their own safety.
For example, the GCSB would be unable to analyse the communications of a New Zealander taken hostage in a foreign country unless it was assisting the NZSIS, NZDF or Police under their legislation.
That’s unlikely to change the minds of security and surveillance critics. Green co-leader Metiria Turei:
The GCSB had already been “quite liberal and loose” with their existing activities, and they should not be given more powers until it was clear they would follow the law.
That’s the opposite of what the report found.
Here are relevant references from the report.
1.11 In New Zealand, there has been considerable debate in the media about whether the GCSB conducts “mass surveillance” of New Zealanders. Having spent some months learning about the Agencies’ operations in detail, we have concluded that this is not the case, for reasons we discuss below. However, there is a degree of scepticism among the New Zealand public about the Agencies’ activities.
In a survey carried out by the Privacy Commissioner in 2014, 52 percent of respondents were concerned about surveillance by New Zealand government agencies. We received a number of submissions from people who did not see the need for intelligence and security agencies at all and considered there was no justification for the government intruding on individuals’ privacy.
Does the GCSB conduct “mass surveillance”?
3.34 As we discussed in Chapter 1, there has been some debate in the public arena about whether the GCSB conducts “mass surveillance”. In light of this, we considered it important to describe what the GCSB does and does not do. While we cannot go into as much detail as we would have liked given the classified nature of the GCSB’s operational activities, we hope what we can say will inform this debate in a useful way.
3.35 “Mass surveillance” is a term that can be understood in a number of different ways. In this context it is important to distinguish between communications that are collected by GCSB systems – for example, its satellite interception station at Waihopai – and those that are actually selected and examined by an analyst.
3.36 The reality of modern communications is that it is often not possible to identify and copy a specific communication of interest in isolation. If a particular satellite might carry a relevant communication, the GCSB cannot search for that communication before interception occurs. First it needs to intercept a set of communications, most of which will be of no relevance and will be discarded without ever being examined by an analyst. This is the haystack in which the needle must be found.
3.37 Even this “haystack” represents only a tiny proportion of global communications. The GCSB conservatively estimates that there are over 1 billion communications events every day on the commercial satellites that are visible from Waihopai station. These represent approximately 25 percent of commercial satellites that match the Earth’s rotation (although signals cannot always be secured even from those satellites that are visible). We were told the proportion of those 1 billion communications that are actually intercepted equates to roughly one half of a bucket of water out of an Olympic-sized swimming pool.
3.38 To find the “needle” (or the communications that are of intelligence value), the GCSB filters intercepted material for relevance using search terms. Only those communications that meet the selection criteria are ever seen by an analyst. The GCSB has internal processes in place toensure analysts justify their use of each search term and record all searches for the purpose of internal audits and review by the Inspector-General of Intelligence and Security.
3.39 Given these controls on what information can actually be examined by analysts, in our view the GCSB’s ability to intercept sets of communications does not amount to mass surveillance. That term suggests a kind of active monitoring of the general population that does not occur. It would neither be lawful nor even possible given the GCSB’s resourcing constraints.
3.40 Capacity acts as a check on all signals intelligence agencies, although it is particularly pronounced for the GCSB given its comparatively small size. It is simply not possible to monitor communications (or other data) indiscriminately. Professor Michael Clarke, the (now retired) Director-General of the UK’s Royal United Services Institute who convened the 2015 Independent Surveillance Review, referred to this when giving evidence before the Joint Committee on the Draft Investigatory Powers Bill:97 The other great safeguard is the sheer physical capacity. One will be astonished at how little [intelligence agencies] can do, because it takes so much human energy to go down one track. The idea that the state somehow has a huge control centre where it is watching what we do is a complete fantasy. The state and GCHQ [the UK’s signal’s intelligence agency] have astonishingly good abilities, but it is as if they can shine a rather narrow beam into many areas of cyberspace and absorb what is revealed in that little, narrow beam. If they shine it there, they cannot shine it elsewhere. The human limitation on how many cases they can look at once is probably the biggest safeguard.
3.41 We also observe that there are currently restrictions on the GCSB’s ability to intercept the private communications of New Zealand citizens and permanent residents. These restrictions apply to New Zealanders anywhere in the world, not just those in New Zealand. It was clear to us from our discussions with GCSB staff and from the GCSB’s own internal policy documents that these restrictions are interpreted and applied conservatively. Far from carrying out “mass surveillance” of New Zealanders, the GCSB is unable to intercept New Zealanders’ communications even where it is for their own safety. For example, the GCSB would be unable to analyse the communications of a New Zealander taken hostage in a foreign country unless it was assisting the NZSIS, NZDF or Police under their legislation.