The GCSB and the Unknown Unknowns
Donald Rumsfeld once famously stated that “unknown unknowns”—things we are unaware that we don’t know—necessitate large-scale intelligence operations. If there’s even a slight chance of a monster under the bed and you can check, you might as well do so.
I suspect a similar kind of reasoning supports the claims that the GCSB’s recently revealed full-take mass-surveillance in the Pacific—including sharing New Zealanders’ data with the NSA—is “perfectly legal.”
Firstly, Section 25 of the GCSB Act 2003 (amended in 2013) allows the GCSB to share any information it collects, including incidentally obtained information about New Zealanders (25.1), with anyone the Director chooses (25.3.c), anywhere globally, as long as the information was initially gathered to prevent crime, save lives, or address potential security threats to any country. Notably, the Director has sole authority to share this information.
Who decides the purpose for which the information was collected, which is the only restriction on sharing?
In some cases, a warrant is required. However, Section 16.1.a allows the GCSB to bypass the warrant requirement for any work on “Information assurance and cybersecurity” (S.8A) or “Intelligence Gathering and Analysis” (S.8B), which can practically cover almost anything. To be fair, S 16.1.b states you can’t collect warrantless information to intercept a New Zealander’s communication, but if you have another purpose and incidentally collect New Zealanders’ information, you’re fine.
Here’s how it can work:
- The Minister instructs, “Go and find out what threats we and our friends might face.” This vague directive gives the GCSB significant freedom in fulfilling the request.
- The GCSB might say, “There could be a threat in Samoa. We can’t be sure there isn’t. But we also don’t know exactly where threats might originate, so we’ll conduct full-take collection of all communications in Samoa, just in case it reveals a security threat.” This is where those unknown unknowns come into play.
- The full-take collection is for a security purpose but incidentally captures the communications of the 40,000 New Zealanders who visit Samoa annually.
- That “incidentally-obtained” information is then sent directly to the NSA under the GCSB director’s authority in S.25.
At the core of this issue is the GCSB’s authority to independently decide the purposes for bypassing the warrant process. GCSB staff determine the purpose, decide if a warrant is needed, and can share the information globally without needing permission from anyone else.
I am convinced that transferring New Zealanders’ information from the GCSB to the NSA is technically legal, as Key says. But that’s not the point. The point is that this behavior by our intelligence agency is not right, and the government can address it by clarifying and restricting its “intelligence requirements” (S. 8B). The government should make what is currently legal illegal by instructing the GCSB: “Our intelligence requirements are to look for possible threats, but ensure (as far as practical) that we do not expose any New Zealander’s data to foreign intelligence agencies.” They need to do that immediately.