Spooks, banks and a difference of opinion about security and privacy

Two  critical  reports by the Inspector-General of Intelligence and Security (IGIS), Cheryl Gwyn, have focussed  on the practice of  New Zealand’s  intelligence agencies acquiring personal information  about customers by seeking voluntary disclosure from NZ banks.

The IGIS’s role is to ensure NZ’s two dedicated intelligence and security agencies, the NZ Security Intelligence Service (NZSIS) and the Government Communications Security Bureau (GCSB), act lawfully and properly.

Until Parliament enacted a new law in 2017, the Intelligence and  Security Act, the intelligence agencies could seek “voluntary”  disclosure from  banks of  customers’ personal  data.

Under the  2017 legislation  the  intelligence agencies  are required to seek this kind of information under warrants of which there are two  types. 

  • To carry out activities for the purpose of collecting information about New Zealanders a Type 1 Warrant is required.   Type 1 Warrants are issued by the Minister responsible for the GCSB and a Commissioner of Intelligence Warrants (a retired High Court Judge).
  • Type 2 warrants are sought when type 1 warrants are not required – for example, activities carried out for the purpose of collecting information about a foreigner. Type 2 warrants are issued by the Minister responsible for the GCSB alone.

What is intriguing is a clash of interpretation  between  the Inspector-General  and the  GCSB   around the  circumstances whether  a  Type 1  or  Type 2  warrant  is  required.

A statement from  GCSB  director-general Andrew  Hampton said that – on this issue – the Inspector-General and the GCSB hold different interpretations of the law.

As the Inspector-General states in her report, the GCSB’s reasoning is carefully thought through and articulated.Like all  government departments, where there is a lack of clarity around the law, we rely on Crown Law for a definitive view.  We have sought advice from Crown Law on this issue and will share it with the Inspector-General once it is ready.

As the report notes, fully implementing the Intelligence and Security Act and developing the supporting policies, procedures, training and legal interpretations has been a significant effort.  This work has had an impact on how quickly we have responded to the Inspector-General’s queries, but is now largely complete,”

New  Zealanders  are  left in the  dark   over   just what   this   clash of interpretations  means.

Perhaps  there is a clue   in the  IGIS’s statement:

“The framework should expressly recognise that the business records regime was not intended to allow access to ‘bulk’ or ‘class-based’ requests for information. In my view Parliament envisaged that if large volumes of personal information, or non-specific information, is needed that should be obtained under a warrant”.

Or perhaps  not.

However  there is speculation over what bulk or class-based business records the spy agencies are demanding.  All financial transactions to particular countries would be one obvious answer.  Possibly  it could be telecommunications and internet metadata.

Let’s turn  to the  report titled: Review of NZSIS requests made without warrants to financial services providers.

The report looks at a snapshot of three months and captured 13 case studies in 2016/17 before the NZSIS’s new legislation came into force.

Cheryl Gwyn says:

The frequency of the Service’s use of voluntary disclosure, the fact that it was not authorised by a warrant or other independent process, and the nature of personal information held by banks made this an obvious area for review. From the customer’s perspective banking information is likely to be considered to be reasonably confidential, if not sensitive.

Until  2017  the  NZSIS was exempted from most of the information privacy principles in the Privacy Act. The exemption meant that personal information could be disclosed to NZSIS by another agency, such as a financial institution, without breaching the Privacy Act. This position was  confirmed by the Privacy Commissioner.  Now the process by which NZSIS can obtain information for the purposes of its national security functions has been addressed through implementation of the ISA.

NZSIS accepts the IGIS recommendations and has either implemented them or is  working on completing them.  Director-General of Security Rebecca Kitteridge  says  the NZSIS values the constructive working relationship it has with financial service providers.

We couldn’t do our work to protect NZ’s national security without the assistance we receive.  The issues identified in the report are historical and relate to cases where the NZSIS was pursuing its functions in respect of matters relevant to NZ security. The responses provided by the financial service providers gave valuable information and informed a range of security investigations and operations”.

Kitteridge  says the process by which the NZSIS can obtain information for the purposes of its national security functions has been addressed through implementation of the ISA.

“The ISA provides a sound and transparent mechanism, the Business Records Approval and Directions regime, by which NZSIS can compel companies to provide information for the purposes of NZSIS’s national security functions.  The NZSIS has undertaken a significant amount of work to implement the ISA, and I welcome the Inspector-General’s recognition of this work in her report. The Inspector-General has acknowledged that improvements in terms of the legal issues identified in her report are already visible.

 “I also welcome the Inspector-General’s positive comments in this report about the way the NZSIS has worked with her in regard to this matter, noting that she had an open and constructive discussion with the NZSIS about all the matters covered by this report. 

“She added that it was to the NZSIS’s credit that it has been willing to reconsider its position on matters, discuss developing policies, and make change to many of its processes as this report has progressed.  Our work must often be carried out in secret, but I am a big believer in transparency where possible. It is worth noting that for the first time our 2018 Annual Report will also state how many Business Record Directions we have issued to financial services providers, as well as telecommunication network operators.”

So  where does this leave us?

On the  one hand  the GCSB has a different idea  of how it should operate  than the IGIS,  but   for the NZSIS  everything  is  hunky-dory,  even  though under  the  old regime  it  was scoring bags of  data from banks’   “voluntary” disclosure.

Is there  now  a   hole  in    NZ’s  security network?

Let’s look again at what the  IGIS  said about the  NZSIS  under the old system:

“The 13 cases examined and the agency’s practices disclosed issues relevant to NZSIS’s compliance with the law. Very intrusive requests were at times made when the Service should have tried to obtain a warrant to require the banks to provide the information. 

“Many of the letters sent to banks should have been clearer that they were requests for ’voluntary’ disclosure.  Some of the past collection by the NZSIS would have constituted unreasonable searches contrary to the Bill of Rights.”

If  security  is the issue,  wouldn’t  one  want the SIS  to be  “intrusive”?

After all, gathering intelligence  which helps keep New Zealanders safe  is a  vital sort of  job.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.