Submission: Review of the Search and Surveillance Act

The government is in the early stages of reviewing the Search and Surveillance Act. Our submission suggest areas where it needs work, both to correct the mistakes of the past as well as to prepare for the future. A significant theme in our submission is the need for better oversight.


The NZ Council for Civil Liberties opposed the Search and Surveillance Bill back in 2010. We saw it as a significant and unjustified expansion of the government’s power to invade people’s lives. 

We were particularly concerned by the extension to all Police of the exceptional powers to demand information given to the Serious Fraud Office, the expansion of warrantless searches, and the ability to install covert video surveillance in people’s homes.

It is important to remember that search and surveillance powers are:

  • Highly invasive of people’s lives.
  • Used against people who are only under suspicion of a crime or other wrongdoing; many of them will be innocent.
  • Infringe not only the privacy of the suspect but also that of the people they live and associate with.

The significance of the invasion represented by government use of search powers is one of the reasons that the NZ Bill of Rights Act explicitly states in Section 21 that “Everyone has the right to be secure against unreasonable search or seizure, whether of the person, property, or correspondence or otherwise.”

We accept that some use of search powers can be justified in a free society. We believe that these powers should be as minimal as possible, subject to suitable safeguards, used infrequently, and that their use should be monitored by appropriate oversight.

This review

We welcome this review of the Search & Surveillance Act. As well as being concerned that New Zealand’s laws allow the government too much power, we also believe they do not have the necessary safeguards and oversight to protect our civil liberties. 

Therefore we see this review as a chance to correct some of the errors of the past.

As this is still the early stage of the review process we wish to suggest areas that we think should be considered as part of the review. We will be raising questions and suggesting approaches rather than providing detailed recommendations.

We have split these into the following areas:

  • Scope of the law
  • Search powers
  • Oversight and accountability
  • Technological developments

Scope of the law

Who should be added

One of the key drivers for the introduction of the Search and Surveillance Act was to bring in powers from a large number of other laws and ensure they were being administered consistently. As such it modified laws relating to many other agencies from the Police to the Pork Board. The further intention was that there would be no need to invent new search regimes in new laws, but merely refer to the existing act. 

However, even a cursory review of subsequent legislation shows this has not happened as intended. While some of these examples do refer to the Search & Surveillance Act, they also implement their own powers and procedures:

  • Civil Aviation Bill 2022 (as reported back)  has an extensive section about the search powers of aviation security officers.
  • Food Act 2014 includes provisions for search and seizure, including warrantless searches.
  • Education and Training Act 2020 has extensive search powers included.
  • Organic Products Bill (as reported back) has extensive search powers for organic product officers.
  • Maritime Powers Act 2022 includes search powers and procedures.
  • Water Services Act 2021 includes search and warrantless search powers.

This review is a good opportunity to continue the original reform by ensuring that all search and surveillance powers are controlled by the Act, and will thus benefit from standardised procedures, reporting, and oversight.

Who should be removed

At the same time, we question whether all of the agencies that have powers under the law need them or even use them. The original creation of the law focused on including agencies based on their existing powers rather than reviewing whether those were appropriate. This had the effect of increasing the powers available to the agencies in question.

It is probable that many of those agencies either have not used the powers or that their use cannot be justified.

The review should not just look at what’s in the law but who it applies to, removing agencies that don’t use these powers or that can’t justify having them.

Recommendations – Scope

  1. Review laws passed since 2011 to ensure that any new search or surveillance powers have been included in the Search and Surveillance Act rather than in individual laws.
  2. Review the agencies that are granted powers by the Search and Surveillance Act and check whether these powers are still required and justified; remove them where possible.

Search powers

Warrantless searches

An important limit on the abuse of search and surveillance powers is the requirement to get a warrant. This forces the person wanting to use the power to explain why they need it and to get an independent person to sign off on it. But the law also provides for the use of warrantless searches in certain situations where, in theory at least, it’s important enough and timely enough that it needs to be done immediately.

We find it astonishing that the Police recorded that they used this power 9435 times in 2019. This does not sound like a power that is used in exceptional circumstances, but one that is being used as a matter of course. The statistics also show that Police use this power disproportionately against Māori.

Warrants

The Search and Surveillance Act allowed for anyone (except an enforcement officer) to be appointed as an issuing officer who could sign off on search warrants. There was no requirement for legal training and no protection against them being unduly biased. 

We are concerned that the law is now so broad that it must be very tempting for agencies to find a ‘friendly’ issuing officer and ask them to approve all of their warrant applications.

We know of no statistics collected about who can issue warrants, how many warrants they issue, and how many warrant applications that they refuse. This would seem to be important information when assessing how search and surveillance powers are used and possibly abused.

Recommendations – Search powers

  1. Review the use of warrantless searches with a view to removing the power to use them except in the most exigent circumstances.
  2. Review who can issue search warrants and require minimum standards of knowledge of the law and civil liberties.
  3. Prevent agencies developing relationships with particular issuing officers, possibly by setting up warrant review pools.
  4. Add requirements to publish statistics by issuing officer on warrants granted and declined.   

Oversight and accountability

The current oversight and accountability measures in the Search and Surveillance Act are unacceptably weak. There is no auditing of how powers are used, mandatory reporting requirements are minimal, and it is not obvious who to complain to when something goes wrong.

The Law Commission review in 2016 revealed that it feared warrants were being used inappropriately and it recommended changes to help improve oversight, but their uncertainty also revealed the bigger problem that they also didn’t really know how the powers were being used. This is due to a lack of good auditing and data collection.

A major concern is that many people will be unaware that search and surveillance powers have been used against them. The Cabinet Paper mentions the lack of complaints about the use of search & surveillance powers but you can’t make a complaint if you don’t even know your rights have been infringed.

We believe that the topic of oversight and accountability in the Search and Surveillance Act needs a complete rethink. The aim should be to ensure that we can be confident that the people using these highly invasive powers are using them appropriately, only when justified, and by following the proper procedures. At the moment this is lacking.

Oversight body

At the moment there is no single point of responsibility for the administration of search and surveillance powers.

We compare this situation to the intelligence agencies who have the oversight of the Inspector General of Intelligence Services. The IGIS reviews all search warrants granted under the Intelligence and Security Act. 

The IGIS reports show that the agencies have repeatedly failed to meet the requirements for warrants. They have asked for overly broad warrants, had insufficient reasons for getting a warrant, failed to execute them properly, and failed to manage the collected data correctly. This oversight and feedback has led to a rise of standards at the agencies so that they better comply with the law.

With information collection being a core part of the intelligence agencies’ work it is probably safe to assume that they are doing a better job at compliance than most of the agencies with powers under the Search and Surveillance Act.

We believe that we need an oversight body with responsibility for the exercise of search and surveillance powers. This oversight body would:

  • Audit the use of search and surveillance powers.
  • Review and approve policy statements.
  • Be the first port of call for complaints.
  • Collect and publish statistics.
  • Make binding decisions about the use of search and surveillance powers.

We note that we see this oversight body should also cover the Police. While the Independent Police Complaints Authority provides some level of oversight of the Police, they have no focus on search and surveillance, have no auditing responsibilities, and have no power to force binding decisions on the Police.

Policy statements

The suggested introduction of policy statements appears to be an attempt to fix one of the original sins of the Search and Surveillance Act, where agencies suddenly had access to more powers by being included in the new law. The intention seems to be that agencies should have to create policy statements as a kind of voluntary limit on how they use the powers they have available to them. We approve of any measures which will help prevent unnecessary and unjustified use of search and surveillance powers.

However, the intention seems to be that policy statements will also be used to define how what are described as otherwise legal forms of surveillance will be used; the example given is of filming in a public place. The argument is put forward that creating policy statements will ensure that these arguably legal forms of surveillance will still have at least some moral limits put on them.

However, the Search and Surveillance Act is not the only relevant law. For example, the Privacy Act is also important when it comes to search and surveillance. Some acts that might be seen to be legal when done by a private person or on a small scale might still qualify as an illegal collection of personal information under the Privacy Act when done by a government agency. Our concern is that policy statements will be written by agencies as a way to legitimise and excuse activities that might not really be as acceptable as they would like to think. 

Reporting

Section 171 imposes statistical reporting requirements on law enforcement agencies using warrantless search and surveillance powers. We fail to understand why all agencies are not required to report on any use of powers under the Search and Surveillance Act. This would seem a minimum requirement for the use of invasive powers like these.

Our own research showed that a number of agencies who are required to include section 171 reports in their annual reports fail to do so. Furthermore, the few reports which have been filed are so brief as to be of little value. The Ministry of Health, for one example, is empowered by multiple sections of four acts, but reports only once. It is impossible for anyone to determine from Health’s s171 reports if, for example, the powers from the Pyschoactive Substances Act 2013 have ever been used.

The reporting requirements should be rewritten to ensure that we have an accurate idea of how these powers are being used. While there are many items that should be captured it is worth calling out the requirement to be able to record any data that might indicate bias in the application of search and surveillance powers.

The oversight agency should also be charged with reviewing, and when necessary, revising these reports to ensure that they are complete.

Notification

It is impossible to complain that your civil liberties have been infringed if you don’t know about it. We believe that people have a fundamental right to know when the power of the state is used against them.

As the Law Commission review notes, naturally there will be times when it will only make sense if the notification is some time after the fact, but this doesn’t negate the general principle.

Recommendations – Oversight and accountability

  1. We recommend the establishment of a body to provide oversight of the use of search and surveillance powers. It would review the granting of warrants, audit the use of powers, review policy statements, publish statistics, and be a first port of call for complaints.
  2. Significantly expand reporting requirements for the use of search and surveillance powers. Ensure that these requirements apply to all agencies. Consult with interested bodies outside as well inside the government about what data should be collected. 
  3. Ensure that all people who have search and surveillance powers used against them are notified (in some cases after the fact).
  4. We support the use of policy statements as an attempt to limit agencies using existing search and surveillance powers inappropriately. We recommend that where policy statements stray outside of the Search and Surveillance Act that there should be mandatory consultation with the public, the Privacy Commissioner, and the search and surveillance oversight body.

Technological developments

Encrypted Messaging

The Search and Surveillance Act already provides powers to oblige people to provide assistance required to access data. This was in 2012 and since then there has been a significant increase in the use of services that provide encrypted communications, and a general shift towards increased use of encryption across the computing field. Well designed systems do not have backdoors that would allow anyone else to decrypt a communication.

While these trends have made investigations harder for legitimate law enforcement, they have also made repression harder for despots and totalitarian regimes. Governments around the world are grappling with how to deal with this and we are seeing some worrying attempts to try and break encryption systems, often from countries that are already on the road to totalitarianism. We do not believe it is meaningfully possible for companies to limit any such facility to only being used by ‘good’ governments, nor that those governments will only use it for legitimate purposes.

We suggest that as a free country with freedom of expression we should not contribute towards measures that weaken the ability of people to communicate privately.

Client-side scanning

One approach to the issue of accessing encrypted data proposed by Apple is to install scanning software on people’s devices. This can then access the material stored on the device and can then send copies of it or alerts to the authorities.

We believe that this is a terrible idea. Our personal devices are increasingly used throughout our lives and we should not have to put up with companies and governments using them against us. And, just as with encrypted messaging, this is highly appealing to repressive governments who will be able to subvert the technology to search for other images or documents. The precedent of taking over the working of our personal devices to spy on us is one that we oppose.

Social media and data aggregation

As our lives are increasingly lived with people sharing information about themselves and their activities online it is becoming possible to find out more and more about a person’s life from the traces they and others leave about them in public. These pieces can be collated and combined with other data to perform a form of surveillance on that person. The practice is known as open source intelligence gathering, or OSINT.

This is theoretically public data and therefore would not need a warrant to access. But there is a significant difference between doing a quick search and reviewing obvious social media channels for a person, and a systematic harvesting and collation of that data from all sources for one person or even an entire population. 

While large companies already attempt this, it’s even more invasive when governments do it as they can both force companies to give them access as well as combining it with other official information. We believe the use of this sort of data collection needs to be controlled and limited just like any other form of invasive surveillance.

Biometrics and facial recognition

The ability to capture and analyse biometric data continues to get easier and cheaper. Some, like facial recognition, gait analysis and sentiment analysis, can be collected without the knowledge or consent of the target. The collected information can then be used to identify people, what they do, and what they feel, as well as track their movements.

We believe that the ability to be anonymous in public is an important one and should not be given up. We further believe that capturing personally identifiable data like facial appearance should not be done without consent.

Recommendations – Technological developments

  1. Review requirements for providing access to encrypted communications where people may not be able to assist. 
  2. Prioritise the ability of people to use encrypted communications to protect themselves, rather than the desire of law enforcement to be able to access everything.
  3. Reject the use of mandated client-side scanning software on personal devices.
  4. Review the collection of publicly available data and set limits around its use.
  5. Review the collection of biometric information, particularly when it can be collected without the knowledge or consent of the target, and when it is used for tracking.