Yesterday, we revealed details at The Intercept about the New Zealand government’s secret plan to access data from the country’s main internet cable. The government has since denied that the project was ever completed — but its statements in the past 24 hours have raised more questions that they have answered and deserve some closer scrutiny.
The surveillance project we revealed — named Speargun — was listed as “underway” in classified documents from New Zealand’s GCSB spy agency in March 2012. In early 2013, an NSA document listed the first phase of the project as having been achieved. It noted that the second phase — which would entail inserting covert “metadata probes” — was scheduled to begin later the same year following the passing of a new surveillance law. That law was approved in August 2013.
While publicly New Zealand government officials were reassuring the public that the new law would not lead to an expansion of powers, behind closed doors GCSB was preparing to install its metadata probes — which would have constituted the biggest expansion of GCSB’s surveillance reach in decades.
In response to our story, New Zealand Prime Minister John Key (pictured above) has said that the Speargun project was not finalized. What he claims is that the project was instead eventually replaced by a narrower initiative. In a radio interview on Monday morning, Key described this as a toned down version of what he called “mass cyber protection.” What’s now in place, he said, is a “bespoke functionality which an individual company or agency could deploy,” apparently to mitigate cyber attacks.
In a bid to prove this, Key declassified documents later on Monday (after we published our story) that outlined a project called Cortex. Key seemed to think — or perhaps hope — that these documents would kill off any concerns and put the controversy to a swift end. But they fail to address a number of crucial issues — critics have already dismissed them as a “red herring” — and in fact only seem to cloud matters further.
First of all, the Cortex documents contradict what Key said on the radio show, because they state that under Cortex GCSB “is not proposing to procure or develop bespoke systems” and that “all of the technology has been in use for some time.” Again, Key had described the system as a “bespoke functionality” and suggested the technology had been newly introduced.
The Cortex files show that the government signed off on a new “proactive” cybersecurity effort aimed helping government agencies and other organizations detect malware attacks. But what Key has not mentioned in any of his interviews is that the monitoring that was enabled by this system also, by design, has to filter through private communications to identify malware in the first place. The documents Key declassified clearly state that under Cortex “technology can be used to separate personal communications from other data, so that privacy issues associated with GCSB activities to be proportionate to cyber threats.” (Emphasis added.) In the United States, the cybersecurity bill CISPA was opposed by privacy advocates and eventually killed because of widespread concerns associated with the type of activity Cortex appears to enable.
To function, the Cortex project must have some degree of access to New Zealand’s internet cables. What we still do not know is how broad that access is or the practical restraints in place preventing the system from being misused to collect citizens’ private data. Key has insisted, of course, that no large-scale “cable access” project like Speargun was completed. But the Cortex documents certainly do not prove it — so thus far Key is expecting citizens to take him at his word.
The full facts remain murky, there is no doubt about that. But we have learned a huge amount in the last few days about New Zealand’s surveillance apparatus. The Key government has been forced to admit that it secretly considered implementing a mass surveillance program that would have collected metadata on its own citizens (in the words of Key, it was “mass protection“). The government has also now acknowledged for the first time that it has granted GCSB access to large streams of data under the Cortex project under the auspices of cybersecurity. Crucially, it is clear that this same access could easily be exploited for a broader internet surveillance purpose under other programs, such as XKEYSCORE, a dragnet spying tool that NSA whistleblower Edward Snowden alleges GCSB has access to. Even if Speargun were cancelled, Cortex is only a fragment of the full picture. The curious reference in the Cortex documents to technology that “has been in use for some time,” for instance, is just one striking example of this.
We are currently researching a number of other stories related to GCSB, and I expect we are going to shine more light on the agency’s activities in this sphere in the near future. In the meantime, Key and the GCSB face a mounting number of important questions that they have until now managed to dodge.
Here’s a few for starters:
- Why did you inform the public that the GCSB Amendment Bill would not lead to an expansion of powers when at the same time you were planning the Speargun mass surveillance initiative?
- Why was phase one of the Speargun project completed if it was, as Prime Minister Key has claimed, something that never made it past the “business case”?
- Why were New Zealanders not informed about the Cortex project until the government’s hand was forced by disclosures based on documents from Snowden?
- How much data is collected on a daily basis by GCSB under the Cortex project, and how does the agency ensure this data does not “incidentally” include the content or metadata of citizens’ communications?
- The Cortex documents refer to the use of technology that “has been in use for some time.” What technology is this?
- Is any information collected by GCSB under Cortex — or any other program that accesses internet data — shared with the NSA and/or other Five Eyes agencies through systems such as XKEYSCORE?
- Does GCSB have access to XKEYSCORE and, if so, for how long has this been the case?
- Does GCSB use its access to internet data streams — under initiatives like Cortex or similar — to launch active/offensive cyber operations that involve hacking computer systems to collect information?
- When will you declassify documents detailing the Speargun project and showing that it was not completed?
Photo: Pablo Martinez Monsivais/AP
When someone knowingly takes into possession stolen property and keeps it in their garage without using it, it’s still a crime and the property is still stolen.
When the NZ government takes into possession stolen data, it’s not ‘surveillance’ until they look at it.
Uh, yeah right.
Key wouldn’t even make good dog tucker. This country will be toast with another term of him. Give him the shift and all his mates good luck with fat Gerry Brownlee who’s stuck in Balamees KFC & bar
Well worth having a look at tutanota.de – possibly world’s most secure public e-mail system. It seems that essentially messages stay on the server. When you e-mail someone outside Tutanota, all they get is a link to the message. When the recipient clicks on the link, they are directed to the Tutanota server and are challenged to provide a pre-agreed passphrase arranged with the sender. The encryption runs in the browser. Attachments are also encrypted.
The only way of testing the security claims is to e-mail oneself awful illegal photos inside the Tutanota system and write one’s name and address (tethered goat to lure T. Rex). If there’s no knock on the door after a few months, it’s probably OK.
I think the answer to this question is: it was not an expansion of powers…because as admitted and proven by Edward Snowden…the project was already underway, so no NEW expansion even had to take place. It’s all in the parsing of the words.
“Why did you inform the public that the GCSB Amendment Bill would not lead to an expansion of powers when at the same time you were planning the Speargun mass surveillance initiative?”
I do not believe Key because his statements are not consistent with the documents, but I think The Intercept might have gotten ahead of the facts as well.
A secondary story in this week’s The Economist on the NZ elections and John Key.
http://www.economist.com/news/asia/21617002-prime-minister-looks-be-heading-third-term-key-asset
An interesting quote, looks like a right-on-deadline insertion:
Article starts by making his re-election seem inevitable, but now he sort of looks like Thomas E. Dewey. At least, it lends a certain humor to the word XKeyScore. Punditry, let’s call it.
“Mass protection”…for whom and from whom?
As the old joke goes:
“How can you tell a politician is lying?
Their lips move…”
And today John Key stated that New Zealanders should not be listening to a group of “foreigners.” Now that sounds exactly like a xenophobic and racist basis to come from – I wonder why he permits a whole bunch of “foreigners” with money buy farmland in New Zealand and promotes the process. Where money is involved, he is all for it as it benefits those who are associated with his political party. Where ethics and morality, liberty and freedoms are involved, he throws an adolescent tantrum and cries out loud, “Foreigners!”
Key is an ex-investment banker – that says it all for me – he made is money through risk and now he risks and plays with the lives and privacy of New Zealanders.
Can’t imagine that credible answers to these questions will be forthcoming.
It’s disappointing to be reminded in such stark terms that the patriotism and trust in gov’t were inculcated w/ as kids in school and dopey young adults is exploited mercilessly to serve the narrow interests of a powerful elite.
Was it not like this in WW2-era? Or did the gov’t only *really* start doing creepy stuff like this w/ Cold War onset?
Thank you for what you are doing. Please keep going. Please keep trying to get MSM to listen to the evidence and take it seriously, as from what I have seen only Andrea Vance is really getting it. I am embarrassed and ashamed of our government and most of our mainstream journalists. What we have had exposed to us over the last month is way worse than watergate in terms of political ethics and yet people still don’t seem to realise how appallingly our government has been behaving. Please keep shining a light on their dirty secrets.
This lying USA-poodle Key should be deported to Antarctica.
It seems to me that the biggest question ought to be: What on Earth does New Zealand need mass surveillance for?
It’s neither a hotbed of terrorism nor a terror target. It’s not a major hub of organized crime.
It’s just a far-off island that’s been good at maintaining democracy — until someone convinced its leaders to spy on their own people.
Am I missing something? Why are the countries at the top of the Democracy Index adopting these Stasi-like practices?
What is the motivation and justification? Is it, like many have speculated, just a continuation of the post-911 authoritarian impulse, or a giant corrupt make-work project for security tech companies, or something else entirely?
If you can answer this definitively, with good evidence to back you up, you’ll have the real story.
Thank you for bringing us the “what”. The next step, if you are able, is to bring us the “why”.
Let me present a hypothetical scenario and ask a few questions.
The GCSB is storing, for about 5 days, more than 10% of the metadata available from the Southern Cross cable, so that it could be queried by officers who had a warrant. The data is collected about many people, but only metadata on those for whom the GCSB has a warrant is looked at by a person.
Would this constitute “mass surveillance”? Are the people who’s metadata is stored, but not accessed by a human “under surveillance”?
The answer to the definition of “surveillance” was provided by ex-GCSB director Sir Bruce Ferguson in an interview with Kathryn Ryan on Radio New Zealand. To paraphrase, Ferguson basically said that it’s not surveillance until a human being reads it.
He managed to dodge a question from Ryan about what the collection and storage of metadata is called. And if it doesn’t have a name, no one can ask you about it.
Mr Key panicked & keep digging a bigger hole & causing more uncertainty for him & his mates
A slightly different set of questions which I think would also force Key to phrase his answers more honestly, as I believe there is a heavy use of Weasel words happening currently:
1. What degree of involvement does GCSB have in the XKEYSCORE system?
2. Does the XKEYSCORE system gather mass surveillance data on New Zealand citizens?
3. Did the GCSB access and provide themselves and/or support/allow the NSA (or any other 5EYES government’s communication security agency) to access and provide mass surveillance data on New Zealand citizens to the XKEYSCORE system?
3. Does the GCSB have access to this data?
4. What protection does a New Zealand citizen have from their personal communications being read/used by the GCSB and/or other 5EYES agencies.
Key keeps claiming that “GCSB does not engage in mass surveillance of NZers”. Someone should ask him: Then who does? The NSA? Because Snowden has now claimed quite directly that data on NZers can be found in NSA databases. Is the NSA collecting this data itself (with or without knowledge of GCSB)? If Key really believes no mass surveillance is taking place, you would think he’d be concerned about reports to the contrary.
Yes someone should ask him. Unfortunately no one will because our media is so incompetent it has become a running joke (a sad one at that).
“so thus far Key is expecting citizens to take him at his word”.
Yes, yes that is ALL Key does and has done for every other lie he has been caught up in. The worse part is that many members of the general public DO take him at his word and continue to blindly follow him regardless (as per his APPARENT high ratings in the ?questionable political polls). Dot Com summed it up perfectly when he was quoted as saying “the Prime Minister could probably be photographed “shooting little kittens in his garden with a shotgun”, and still be popular”.
With a complicit mainstream media, it is hard to penetrate his bought & paid-for defense….. sigh
Key keeps claiming that “GCSB does not engage in mass surveillance of NZers”. Someone should ask him: Then who does? The NSA? Because Snowden has now claimed quite directly that data on NZers can be found in NSA databases. Is the NSA collecting this data itself (with or without knowledge of GCSB)? If Key really believes no mass surveillance is taking place, you would think he’d be concerned about reports to the contrary.
These rapid-fire rebuttals are critical for honing in on the facts and questioning the veracity of PM Key’s claims.
Great questions !
Unfortunately , we have here in NZ , a media that thinks it’s role it to behave as lapdogs.
It’s a VERY right wing media here , they’ve sewn up both main TV channels and all of the big newspapers. Hooray for the internet !
Thank you so much to Greenwald, Snowden , Assange and Amsterdam for coming to NZ , physically and virtually , and shining a light . Kia Kaha !
Q: Does GCSB have access to XKEYSCORE and, if so, for how long has this been the case?
I don’t understand why access by GCSB to XKEYSCORE is still questioned. Kim Dotcom’s legal team acquired documents from the NZ govt which show XKEYSCORE was *used* by GCSB on him and others. I was expecting Kim to mention he was personally a victim of XKEYSCORE during the Moment of Truth event…
Excellent follow-up questions.. Any Kiwis or Maori’s who have issues?