The Questions for New Zealand on Mass Surveillance

Yesterday, we revealed details at The Intercept about the New Zealand government’s secret plan to access data from the country’s main internet cable. The government has since denied that the project was ever completed — but its statements in the past 24 hours have raised more questions that they have answered and deserve some closer scrutiny.

The surveillance project we revealed — named Speargun — was listed as “underway” in classified documents from New Zealand’s GCSB spy agency in March 2012. In early 2013, an NSA document listed the first phase of the project as having been achieved. It noted that the second phase — which would entail inserting covert “metadata probes” — was scheduled to begin later the same year following the passing of a new surveillance law. That law was approved in August 2013.

While publicly New Zealand government officials were reassuring the public that the new law would not lead to an expansion of powers, behind closed doors GCSB was preparing to install its metadata probes — which would have constituted the biggest expansion of GCSB’s surveillance reach in decades.

In response to our story, New Zealand Prime Minister John Key (pictured above) has said that the Speargun project was not finalized. What he claims is that the project was instead eventually replaced by a narrower initiative. In a radio interview on Monday morning, Key described this as a toned down version of what he called “mass cyber protection.” What’s now in place, he said, is a “bespoke functionality which an individual company or agency could deploy,” apparently to mitigate cyber attacks.

In a bid to prove this, Key declassified documents later on Monday (after we published our story) that outlined a project called Cortex. Key seemed to think — or perhaps hope — that these documents would kill off any concerns and put the controversy to a swift end. But they fail to address a number of crucial issues — critics have already dismissed them as a “red herring” — and in fact only seem to cloud matters further.

First of all, the Cortex documents contradict what Key said on the radio show, because they state that under Cortex GCSB “is not proposing to procure or develop bespoke systems” and that “all of the technology has been in use for some time.” Again, Key had described the system as a “bespoke functionality” and suggested the technology had been newly introduced.

The Cortex files show that the government signed off on a new “proactive” cybersecurity effort aimed helping government agencies and other organizations detect malware attacks. But what Key has not mentioned in any of his interviews is that the monitoring that was enabled by this system also, by design, has to filter through private communications to identify malware in the first place. The documents Key declassified clearly state that under Cortex “technology can be used to separate personal communications from other data, so that privacy issues associated with GCSB activities to be proportionate to cyber threats.” (Emphasis added.) In the United States, the cybersecurity bill CISPA was opposed by privacy advocates and eventually killed because of widespread concerns associated with the type of activity Cortex appears to enable.

To function, the Cortex project must have some degree of access to New Zealand’s internet cables. What we still do not know is how broad that access is or the practical restraints in place preventing the system from being misused to collect citizens’ private data. Key has insisted, of course, that no large-scale “cable access” project like Speargun was completed. But the Cortex documents certainly do not prove it — so thus far Key is expecting citizens to take him at his word.

The full facts remain murky, there is no doubt about that. But we have learned a huge amount in the last few days about New Zealand’s surveillance apparatus. The Key government has been forced to admit that it secretly considered implementing a mass surveillance program that would have collected metadata on its own citizens (in the words of Key, it was “mass protection“). The government has also now acknowledged for the first time that it has granted GCSB access to large streams of data under the Cortex project under the auspices of cybersecurity. Crucially, it is clear that this same access could easily be exploited for a broader internet surveillance purpose under other programs, such as XKEYSCORE, a dragnet spying tool that NSA whistleblower Edward Snowden alleges GCSB has access to. Even if Speargun were cancelled, Cortex is only a fragment of the full picture. The curious reference in the Cortex documents to technology that “has been in use for some time,” for instance, is just one striking example of this.

We are currently researching a number of other stories related to GCSB, and I expect we are going to shine more light on the agency’s activities in this sphere in the near future. In the meantime, Key and the GCSB face a mounting number of important questions that they have until now managed to dodge.

Here’s a few for starters:

• Why did you inform the public that the GCSB Amendment Bill would not lead to an expansion of powers when at the same time you were planning the Speargun mass surveillance initiative?

• Why was phase one of the Speargun project completed if it was, as Prime Minister Key has claimed, something that never made it past the “business case”?

• Why were New Zealanders not informed about the Cortex project until the government’s hand was forced by disclosures based on documents from Snowden?

• How much data is collected on a daily basis by GCSB under the Cortex project, and how does the agency ensure this data does not “incidentally” include the content or metadata of citizens’ communications?

• The Cortex documents refer to the use of technology that “has been in use for some time.” What technology is this?

• Is any information collected by GCSB under Cortex — or any other program that accesses internet data — shared with the NSA and/or other Five Eyes agencies through systems such as XKEYSCORE?

• Does GCSB have access to XKEYSCORE and, if so, for how long has this been the case?

• Does GCSB use its access to internet data streams — under initiatives like Cortex or similar — to launch active/offensive cyber operations that involve hacking computer systems to collect information?

• When will you declassify documents detailing the Speargun project and showing that it was not completed?

Photo: Pablo Martinez Monsivais/AP