Traffic encrypted by the sender before being put on to the public network appears safe from interception under the Telecommunications (Interception Capability) Bill, which came back from Parliament’s Law and Order select committee last week.
The bill came back with a swag of amendments that include a more moderate view of network operators’ capability to break encryption, and evidence of considerable negotiation on the cost of introducing the surveillance measures.
The bill aims to compel operators of public networks or wholesale providers of telecommunications to other operators to make the networks capable of being intercepted in the course of law enforcement.
The proposal is generating some heat among those concerned with over-enthusiastic surveillance, including media and Green MP Keith Locke. But as the notes to the bill point out, it is essentially a technical measure, conferring no more power on law-enforcement agents to intercept communications than they had already been given under the Crimes Amendment Act 2003 and previous measures.
The select committee has recommended that limitations should be placed on the requirement on the telecommunications operator to decrypt traffic, effectively making it no longer responsible for breaking encryption that it has not provided.
Traffic encrypted by the sender before being put onto the public network, or traffic being transmitted between the offices of an organisation that runs its own virtual private network, appears still safe from interception.
Section 8 (2) of the bill says: "A network operator must....decrypt a telecommunication on that operator's...service if
- the content of the telecommunication has been encrypted and
- the network operator ...has provided that encryption.
"(3) However, subsection (2) does not require a network operator to: decrypt any telecommunication on [its] network if the encryption has been provided by means of a product that is - supplied by a person other than the operator, and is available on retail sale to the public, or supplied by the operator as an agent for that product.”
Telecomms companies disputed the $12m cost included in the first drafts of the bill for introducing the interception capability. Submissions by the Telecommunications Carriers’ Forum and separately by forum members Telecom and BCL suggested the cost would be $23.57m for the use of ad hoc probes in a network, and more than $43m if every network element was required to have interception capability.
The amendments leave the decision on how and where to install interception capability to the network operator, and on this basis, the cost has been negotiated back down to between $10.2m and $13.4m.
The Crown will pay the cost of introducing the capability to existing networks, but the operator must meet the cost of building it into new networks, the current version of the bill suggests.