A requirement on providers of telecommunications services to make their traffic “interceptable” for the purposes of criminal investigation will create challenges for ISPs.
The provisions have long been discussed (see Interception capability bill due next year) but their imminence as a draft law — yet to complete its first-reading stage — has galvanised InternetNZ into seeking comment from its members and the broader internet-using community.
ISPs, however, have already begun considering likely requirements, albeit in a preliminary way.
“Most likely these requirements will have a knock-on effect and require us to upgrade our technology,” says ICONZ general manager Sean Weeks. While he has not completed exploration of all the legislation’s likely consequences, he already sees that it could require names to be attached to records of internet activity surrendered to investigating authorities.
“We already respond to [search] warrants, usually by supplying information on which IP addresses [from a dynamic pool] were being used at what times,” he says. But, conscious of the requirements of the privacy act, ICONZ usually keeps actual user names and contact details confidential. These may in the near future have to be provided.
“We will probably have to install more ‘sniffing’ equipment — I use that phrase loosely — to be able to collect details of who the person is, and to record where emails originate, where they go to and the servers they pass through on the way.”
He estimates ICONZ today has “about 70%” of the interception capability likely to be required.
A smaller ISP manager, commenting in the InternetNZ discussion, sees extra expense and trouble for ISPs, possibly considerable, depending on the detail required, and if it extends to historical information.
“Just keeping records of log-ins, bills and payments for years is enough work,” he says. “Keeping a record of every byte that flows to a user’s account just to aid police fishing expeditions years later” would be a major and probably wasteful expense.
“Search warrants with terms like ‘all records you may hold about the above person’ can potentially cost thousands of dollars to comply with if years’ worth of traffic accounting logs must be searched.”
InternetNZ will make a submission on the bill when it comes before select committee, says deputy president Rick Shera.
Meanwhile, provisions to compel the release of passwords and encryption keys to inspectors from government agencies, potentially disturbing the work and privacy of IT staff, have been enshrined in a counter-terrorism bill, also scheduled to come before Parliament early this year.