About the New Zealand Council for Civil Liberties

1. The New Zealand Council for Civil Liberties (‘the Council’) is a voluntary, not-for-profit organisation which advocates to promote human rights and maintain civil liberties.
   
2. We wish to make an oral submission to the Committee.

Introduction

3. The bill implements the Budapest Convention, an international treaty for standards in cross-border police co-operation with a focus on online crimes.  
   
4. The convention has been widely criticised for creating human rights problems. The convention requires New Zealand Police to invade the privacy of people here, upon receipt of demands from foreign police, without adequate safeguards like proportionality. Some of those problems have been replicated into part one of the bill.
   
5. Part two of the bill takes the convention’s less controversial cyber-crime specific measures, and creates a civil liberties disaster from it by naively amplifying flaws peculiar to existing New Zealand legislation.  In doing so it effectively criminalises everyday use of computers. Separately, the bill, if not amended, effectively criminalises Information Security as a profession, practically making it impossible for anyone to run a computer system.
   
6. We will address each part of the bill in turn. 

Spying on New Zealanders for foreign autocracies

7. New Zealand is a world leader on Human Rights. A consequence of this is that almost every foreign government we interact with has lower standards for justice than we do.  Part one of this bill discards that fact as irrelevant. This bill gives other countries powers to demand that we act for their interests even when those things are against our interests. This is an inappropriate objective.
   
8. As last month’s reports from the Royal Canadian Mounted Police should teach us, our allies are neither stable nor uniform.  The Government of India has “direct involvement in homicides, extortions and other criminal acts of violence” in Canada to the extent that they are a “significant threat to public safety.” India is hardly the least reputable state which could accede to the convention. Officers of foreign governments will commit crimes.  We must not implement any system which results in us blindly complying with anyone’s orders, never mind those of nations whose agendas are transparently different to ours.

What we ought to be doing

9. In anticipation of New Zealand’s accession to the Budapest Convention, the Law Commission wrote Modernising New Zealand’s Extradition and Mutual Assistance Laws (NZLC R137, 2016). The Law Commission spent two years writing that 273 page report, including public consultations.  The detailed recommendations of that report, including two draft bills, have not been implemented in this bill. Nor does this bill implement the recommendations of that report. Neither the bill nor the supporting materials even acknowledge the report’s existence.
   
10. The Council agrees with the following safeguards from the Law Commission’s report: 

Safeguards to be included in the guidelines

13.17 We envisage the Central Authority’s guidelines would promote inclusion of the following safeguards in interagency regimes:

1. Purpose – the purpose of the interagency regime should be made clear, and the type and quantity of information to be shared should be no more than is necessary to facilitate this purpose.
2. Legality under domestic law – a New Zealand agency should not, under the arrangement, be required to carry out measures at variance with, or supply information not obtainable, under New Zealand’s law or the agency’s own administrative practices. This would include a protection against providing legally privileged materials.
3.  Protection of the information – the New Zealand agency should have the ability to impose conditions on how the overseas agency may use, and ensure the security of, the information.
4. Privacy protections – the public interest (for example, in the maintenance of law) in facilitating information sharing under the agreement should be required to be likely to outweigh the privacy risks of doing so. Furthermore, in conjunction with the requirement relating to “protection of the information” above, the arrangement should contain adequate safeguards to protect New Zealanders’ privacy. It may be desirable to direct that the agency should consult the Privacy Commissioner in this regard.
5. Double jeopardy – the agency should be able to refuse to assist with a request under an interagency regime where a criminal proceeding has already been initiated in New Zealand, based on the same facts and against the same person.
6. Dual criminality – the agency should have scope to refuse a request if it relates to the investigation of, or proceedings against, a person for conduct that, if it had occurred in New Zealand, would not be subject to investigation or proceedings under New Zealand law.
7. Public interest or essential national interest – there should be the ability to refuse to provide information based on public interest or essential national interest.
8. Payment of costs – the regime should include arrangements providing for the payment of costs incurred by an agency in fulfilling a request.
9. A ground for refusal in the new Mutual Assistance Bill, not otherwise covered in the guidelines, would be likely to apply – although it is unlikely that grounds relating to the death penalty or torture, for instance, are likely to be engaged in arrangements that relate predominantly to assistance in regulatory matters. In those circumstances where a ground for refusal in the new Mutual Assistance Act is likely to arise, the agency should be able to refuse to assist
   
10. The Council agrees with these safeguards, which we do not consider controversial.  We will contrast the Law Commission’s recommendations with this bill to demonstrate how short it falls.

Mutual Assistance in Criminal Matters Act 1992

12. The Council notes that the Ministry has chosen to amend the Search and Surveillance Act (SSA) in subpart 1 of this bill, instead of the Mutual Assistance In Criminal Matters Act (MACMA).
    
13. To lesser and greater extents, this bill duplicates sections of MACMA, resulting in confusion. A better design would be to not amend the Search and Surveillance Act.
    
14. It is also pertinent that MACMA section 27 includes 23 grounds for refusal of requests from foreign governments, which are not found in the SSA, because prior to this bill the SSA wasn’t a vehicle for foreign governments. If we are to continue with making major amendments to the SSA, then section 27 of MACMA ought to be replicated into subpart one, so that,  for example, New Zealand Police aren’t co-opted into aiding discrimination based on ethnicity, sex, or religion.

Recommendation 1

Either move clauses 19, 26, and 38 into MACMA, or copy MACMA section 27 into the SSA.

General Discretion

15. NZLC R137’s recommendation 14 is “The Central Authority should have a general discretion to refuse a mutual assistance request in appropriate circumstances.”  The report and its preceding issues paper go on at length about ensuring that there is a means to deny requests which “New Zealanders would consider inappropriate, but where refusal does not fit neatly into another ground for refusal.” The Council supports this discretion.
    
16. The bill does not grant this general discretion. No discretion is granted in proposed sections 88B(1), 88D(1), 88I(1), 88J(1), and 179B(2). All of them say “must.”

Recommendation 2

Change the word “must” to “may” in  88B(1), 88D(1), 88I(1), 88J(1), and 179B(2).

17. Section 59 of MACMA establishes a process by which the Attorney General personally authorises applications for search warrants which are then ruled on by a judge. The Attorney general has far more power, and experience in applying discretion, than the officers of the crown being bound by this bill.  For example, 88B binds police constables.  The Council questions the wisdom of putting rank and file civil servants into positions where they must make foreign policy decisions under pressure from foreign powers.

 Legality under domestic Law

18. The Council agrees with the Law Commission that agencies shouldn’t do things which are illegal here on requests from foreign counterparts.  We however note that there is a history of Police doing so, for example in the Kim Dotcom case, and therefore explicit reminders are in order.
    
19. The Council further hopes that the Committee takes inspiration from the Law Commission, and ensures that all of the changes being made by this bill are to strengthen civil liberties in New Zealand, not to water them down. 

Dual Criminality

20. The Council agrees with the Law Commission that we should require that an equivalent offence exist in New Zealand, so that we’re not, for example, persecuting women who are alleged to have driven a car in Saudi Arabia.
    
21. MACMA already takes a dual-criminality approach, thanks to section 24A. 
    
22. The following clauses take a dual-criminality approach:
    1. Clause 29, proposed sections 20 and 20A for MACMA;
    2. Clause 38, proposed sections 50A to 50V for SSA;
23. The following clauses do not take a dual-criminality approach:
    1. Clause 19: proposed sections 88A-88ZE for SSA;
    2. Clause 36: proposed sections 43-46 for SSA;

Recommendation 3

Add dual-criminality sections to clauses 19 and 36, so that we don’t persecute people for things which are legal here.

Proportionality

24. The Attorney General’s New Zealand Bill of Rights Act (BORA) Compliance Report’ (BORA report) correctly identifies that this bill “engages several rights”.
    
25. Part 3 of the Hansen Test requires that “the limit [ to our rights is] in due proportion to the importance of the objective” in order for a law to be compatible with BORA.
    
26. Proposed sections 88D and 88J require that preservation directives be granted unless specific conditions are met.  Neither section includes proportionality as a condition.  Therefore the entirety of Clause 19, proposed sections 88A-88ZE, are not compliant with BORA.

Recommendation 4

Add proportionality checks to both proposed sections 88D and 88J.

Political Crimes

27. There are plentiful examples of laws overseas which run directly contrary to human rights. For example several of our allies make it illegal to criticise royalty.
    
28. The bill’s National Interest Analysis (NIA) is deficient in its handling of Human Rights concerns.  It would appear that the authors of the NIA were unaware of controversy surrounding human rights consequences of the convention while it was being negotiated.
    
29. Proposed section 88A(4) establishes a laundry list of conditions under which we are committing to persecute people for political “crimes”.  The Council finds the entire concept to be entirely objectionable on principle.
    
30. Proposed section 88A(4)(a)(I) proposes to force us to persecute political behaviours as required by multinational treaties. If there are any such treaties, the Council recommends that we leave them.
    
31. Proposed section 88A(4)(a)(ii) is a serious cut-and-paste error. The definition of “criminal matters” in section 2(1) of MACMA is not about political crimes. By referencing specifically section 2(1), and not section 2(6) or section 27, proposed section 884(a)(ii) essentially indicates that there is no such thing as an offence of political character.

Recommendation 5

Correct the reference in s88A(4)(a)(ii), or preferably remove it.

32. Proposed section 88A(4)(b) allows unspecified officers of the crown the power to override primary legislation by “agreement in writing with another country”.  Aside from being ridiculous, this is unacceptable from a civil liberties perspective.
     
33. Aotearoa New Zealand is a party to the 1951 Convention relating to the Status of Refugees. Section 1(F) of that convention binds us to protect refugees unless:

1.F. The provisions of this Convention shall not apply to any person with respect to whom there are serious reasons for considering that:

(a) He has committed a crime against peace, a war crime, or a crime against humanity, as defined in the international instruments drawn up to make provision in respect of such crimes;

(b) He has committed a serious non-political crime outside the country of refuge prior to his admission to that country as a refugee;

34. Neither our commitment to test for “seriousness” nor “non-political” nature are being given credence by the bill.
    
35. While it is legally permissible, the Council thinks that it makes no sense to grant refugees additional legal rights compared to other New Zealanders.  We therefore recommend that political “crimes” should be expressly excluded from this bill.  If those crimes are indeed serious, then they are already adequately captured in existing legislation. 

Reciprocal Rights of Defendants

36. Chapter 20 of the issues paper of NZLC R137 explains why defendants should have reciprocal rights to information under MACMA. Recommendation 36 of that report is to add those rights to MACMA. The Council supports that recommendation as an implementation of natural justice.
    
37. This bill fails to provide for reciprocal rights.

Recommendation 6

Add a new section to the bill establishing reciprocal rights for defendants as a requirement before mutual assistance is provided.

Warrantless Search

38. Clause 19, proposed sections 88A-88ZE, do not require a warrant.  The Commissioner of Police authorises preservation directives. This is contrary to current practice.  Sections 30 and 31 in part 3 of MACMA require the Attorney General to apply for a warrant.
    
39. Paragraph 65 of the NIA addresses warrantless search.  Paragraph 65 states that warrants are required and that the Attorney General authorises applications for them.  
    
40. The Council respectfully submits that the NIA’s statements in paragraph 65 are inaccurate.  Presumably the current draft of the bill has deviated from what is intended.  The Commissioner of Police is clearly identified as the decision maker in proposed sections 88A-88L, and judiciary is not involved.
    
41. The Council opposes warrantless search.
    
42. The Council further is skeptical of granting foreign police powers of warrantless search which our police do not, and should not have. 

Recommendation 7

Rewrite clause 19 so that either the Commissioner of Police or the Attorney General applies to a judge for the preservation directive.

Freedom of Expression

43. The Council opposes third party confidentiality orders. Proposed section 88U is a gag order.  Paragraphs 32 and 58 of the NIA acknowledge that search orders in New Zealand are not secret. The NIA recommends adopting third party confidentiality orders, without any consideration of whether our existing approach is preferable to the convention’s approach.  The Council considers our existing approach to be far preferable. 

Recommendation 8

Remove section 88U, and the dependent sections 88V-88W from the bill.

Computer Crimes

44. Part 2 of the bill adds new offences “designing, writing, or adapting software” (section 253) and “dealing in or possessing software” (section 254) which could be used for a section 249 or section 250 offence.
      
45. Section 249 and 250 of the Crimes Act are so poorly written as to describe much of what everyone does every day. Minor dishonesty, or even accidental but reckless untruths, are crimes under section 249. Therefore these new sections would criminalise the possession or distribution of any software which allows people to express themselves, like word processing, email, messaging, and social media software.

The Infamous Section 249

46. As this submission will now dissect section 249 in detail, we will start with it in its entirety.

249 Accessing computer system for dishonest purpose

(1) Every one is liable to imprisonment for a term not exceeding 7 years who, directly or indirectly, accesses any computer system and thereby, dishonestly or by deception, and without claim of right,—

1. obtains any property, privilege, service, pecuniary advantage, benefit, or valuable consideration; or
2. causes loss to any other person.

(2) Every one is liable to imprisonment for a term not exceeding 5 years who, directly or indirectly, accesses any computer system with intent, dishonestly or by deception, and without claim of right,—

1. to obtain any property, privilege, service, pecuniary advantage, benefit, or valuable consideration; or
2. to cause loss to any other person.

(3) In this section, deception has the same meaning as in  section 240(2).

47. Having introduced section 249, I now need to explain it.  A reasonable, but inaccurate, reading of the difference between section 249(1) and section 249(2) is that section 249(1) establishes a 7 year penalty for accidentally bypassing security while section 249(2) adds the word “intent” to establish a 5 year penalty for intentionally bypassing security.  What the section fails to adequately communicate is that section 249(1) is about successfully bypassing security and section 249(2) about failing to bypass security.
    
48. Section 240(2) defines deception as:

In this section, deception means—

1. a false representation, whether oral, documentary, or by conduct, where the person making the representation intends to deceive any other person and—

(i) knows that it is false in a material particular; or

(ii) is reckless as to whether it is false in a material particular; or

2. an omission to disclose a material particular, with intent to deceive any person, in circumstances where there is a duty to disclose it; or

(c) a fraudulent device, trick, or stratagem used with intent to deceive any person.

49. As we have already noted, these definitions are overly broad to the point of self parody.  The following are offences under section 249:
    1. When a child indicates on social media that they “like” a post in order to ingratiate themselves with others when they actually don’t like the post, they are using a computer in a way they know is false and are gaining an advantage. They can be imprisoned for more than twice as long as for making a false statement without a computer (section 111).
    2. When anyone accidentally clicks anything on a computer and then gains any benefit, they have been reckless. They can be imprisoned for more than twice as long as accidental infanticide (section 178).
    3. When an assistant acts on behalf of an MP without declaring themselves, by managing social media or accepting calendar invites as the MP, they are acting deceptively and the MP benefits from saved time.  Both the MP and their aide can be imprisoned as conspirators for more than twice as long as faking an affidavit (section 114).
    4. When someone exaggerates on their CV, but types it on a typewriter there is no crime.  But if they do so on a computer, they are subject to a penalty more than twice that of perjury (section 109).
    5. When someone cheats at a game played in person, they have committed a social faux pas.  Should they do so when playing the same game on a computer, they can be imprisoned for more than twice as long as aggravated assault (section 192), even if they are the only human playing the game.
       
50. Section 249 is intended to be about hacking a computer system.  However, its definition doesn’t approach that level of detail.  Section 249 needs to be rewritten to require intent to circumvent security measures.  Notably section 250 uses the words “intentionally or recklessly destroys, damages, or alters” while section 249 can’t even bring itself to use the words “circumvent” or “bypass.”
    
51. Subsections 249(1)(a) and 249(2)(a) are also unreasonably broad. Any “property, privilege, service, pecuniary advantage, benefit, or valuable consideration” covers basically everything.  When this wording is used elsewhere in the act it is accompanied by significant qualifiers which section 249 omits. For example, section 240(1)(a) says:

Obtains ownership or possession of, or control over, any property, or any privilege, service, pecuniary advantage, benefit, or valuable consideration

The Council respectfully submits that there is a massive qualitative difference between “gaining control” and “obtaining a benefit.”

52. There is precedent for broad legislation.  Ultimately the courts decide on a case by case basis, providing a safety net for broadly defined offences.  The Council are firm supporters of the Judiciary.  However, we have to note that the decisions in important cases like R vs Dixon and Ortmann vs USA includeare based on objectively incorrect understandings of how computers work.  Given that a pattern has been established, the Council feels it would be irresponsible of Parliament to leave section 249 as it is, nevermind expand it.
    
53. The Council notes with grave concern that a careless rewrite of section 249 could have the effect of implementing the negative aspects of the United States’ Digital Millennium Copyright Act.  For the sake of brevity, we will not detail all of the flaws of that terrible legislation. However, we should maintain our current legal position that it’s none of the state’s business what people do to their own files on their own computers.
    
54. For the purpose of not simply asking for the entirety of Part 2 to be removed from the bill, the Council boldly proposes to replace section 249 with:

Recommendation 9

Replace section 249 with:

(1) Every one who intentionally accesses a computer system without authorisation or other claim of right is liable as follows:
a) if the security is bypassed to imprisonment for a term not exceeding 3 years;
b) If the attempt to bypass security is unsuccessful to imprisonment for a term not exceeding 2 years;

(2) this section does not apply if:
(a) The person owns or controls the system;
(b) The person has reason to believe that they are authorized to circumvent the security by the owners or controllers of the system.

(3) It is not an offence to access a system, or information, whose owners intended to secure, but which is merely obscured or is otherwise accessible.

(4) It is not an offence to read anything on a computer  screen which the person did not cause to be displayed, regardless of how well that information should have been secured.

Possession

55. Possession of lock picks is not illegal.  Section 233 requires that intent to commit burglary be proven for a conviction.
    
56. Despite this clear, functional, and long established precedent, this bill choses to make a clear break and criminalises simple possession in proposed section 254.
    
57. Possession offences inherently alter the burden of proof.  For this reason, the Council believes that their use should be minimised.

Information Security Professionals

58. As currently drafted, this bill is a danger to national security and to the individual security of most New Zealanders.  It accomplishes this by making most of the profession of information security illegal, by making possession of malware illegal.
    
59. As currently drafted, in order to avoid imprisonment, everyone is obliged to immediately delete every copy of any malware they detect.  Otherwise they are knowingly in possession of that malware.
    
60. It is standard practice, and possibly a necessity, for information security professionals to carefully examine malware to determine how it got in and what it might have done.  By criminalising simple possession, this practice becomes illegal.  This works directly contrary to the bill’s goals by greatly hampering efforts to reduce crime in New Zealand.
    
61. In the Council’s communications with New Zealand’s Information Security  community, proposed section 254(1)(c) was repeatedly singled out as the primary source of harm from this part of the bill. Without that provision, which reads “the person knows that the sole or main use of the software or other information is to commit an offence,” this bill would not prevent people from securing systems from attack.

Recommendation 10

Remove section 254(1)(c) from the bill

Responsible disclosure

62. The National Cyber Security Centre (NCSC) is an arm of the Government Communications Security Bureau.  NCSC encourages everyone in Aotearoa New Zealand to report cyber attacks to it. Further, it recommends that vulnerabilities in software should be reported, as should malware. These responsible disclosure practices are key to securing all modern computers.
    
63. All of these responsible disclosures are criminalised by section 254(2)(d) which makes supplying malware a crime.
    
64. Frankly, there are going to be an endless number of essential behaviours being criminalised by section 254 as it is currently written.  Either section 254 needs to mimic section 253’s requirement for intent to commit an offence under sections 249, 250, or 252, or a positive safeguard needs to be added to section 254.  The Council recommends the latter.

Recommendation 11

Add a new subsection 254(3), renumbering  the existing 254(3) and (4), to read:
It is a defence to a charge under this section if the person charged proves that the act to which the charge relates was done by that person, in good faith, for the purpose of, or in connection with, defending a computer system or aiding others to defend computer systems.

Closing thoughts on treaties

65. New Zealand is under no obligation to accede to the Budapest Convention.
    
66. Even when we are under obligation from foreign treaties, we have a very uneven implementation of those treaties.  To pick an obvious example, New Zealand has not implemented the Convention on the Elimination of All Forms of Discrimination against Women. We’re into our eighth reporting cycle for that treaty, and they’re still asking us to legislate.  We argue that we’re broadly in compliance.  We can make the same argument for the Budapest Convention without legislating anything.
    
67. Finally, it is far better for us to creatively implement treaties in ways which improve Aotearoa New Zealand than to strictly adhere to the wording of treaties in ways which lower our standards.  
    
68. The Council thanks members of the Committee for their time and consideration of our submission.