How to thoroughly mislead the public without lying once
My response to this Stuff article: New cyber-defence system for NZ
1. "If there is a cloud hanging over public trust in the GCSB it may be its involvement in the Dotcom saga."
Well yes, there is that thing of GCSB's illegal actions during the illegal targeting of a New Zealander, but most of the distrust is rather based on internal documents leaked by Edward Snowden showing what the GCSB has been doing: illegal mass surveillance, there is no doubt at all. And how private contractors in the US have casual, unaccountable access to the data gathered in New Zealand. Data including phone calls, emails and web browsing habits of ordinary Kiwis unsuspected of any crime.
It's also based on the Kitteridge report that found the GCSB had illegally investigated at least 88 Kiwis in the past decade, evidence which Prime Minister John Key called "pretty damning", but who then went on to pass the GCSB bill, which made those investigations retrospectively legal, and increased its sanctioned power to spy on New Zealand citizens without warrants.
So no, this goes far beyond the Dotcom saga.
2. "But he says the beefing-up of the resources of the Inspector-General of Security and Intelligence means the GCSB is now subject to "much more detailed oversight than was possible previously"."
Given there was practically no oversight before, and that it was in fact operating illegally for over a decade, that's not saying much.
We've yet to see if this oversight will provide real accountability. But in any case, the GCSB bill means that any oversight cannot consider there to be a problem with the spying that was previously illegal. Spying which violates our Bill of Rights, according to the NZ Law Commission, the NZ Human Rights Commission, and even a report from the UN Special Rapporteur. So this statement that there is now more oversight is extremely misleading.
3. a) Everything Fletcher says about this Cortex program is meaningless and cannot be validated so long as all the details are secret. The complete lack of transparency is insane. No-one can judge the program's effectiveness or how much it violates privacy, and these are both clearly in the public interest.
b) How can a secret program justify public funding? It's not just covert operations, but an entire program that can't be understood, let alone evaluated. We are not fighting a war, despite the commonly used "cyberwarfare" rhetoric. Spying, commercial espionage and hacking isn't warfare; it should be obvious why calling it that is stupid, dangerous and leads naturally to escalation and rights violations.
c) If knowing basic details would jeopardize security, then it's a poor program indeed. Either:
- it's introducing backdoors that actually reduce security (which the GCSB's main tool provider, the NSA, does as a matter of course), or
- it's relying far too much on security through obscurity. That strategy is only proving to be more and more useless as hackers get more sophisticated. Using continuously improving automated bug discovery tools and exploit blackmarkets, hackers - whether teenage idealists, organized crime, or foreign government spies - take advantage of security based on secret methods on a daily basis. Either that, or
- the GCSB doesn't want to subject the program to public investigation because it inherently involves mass surveillance.
Most likely it's a combination of all three.
4. The Southern Cross cable was tapped, we know that from leaked documents - whether or not the tap is part of Cortex. Saying it isn't part of this project is irrelevant. In any case it doesn't even really matter whether or not the tap exists - we know the GCSB is tapping Internet traffic, if not there then in other places.
5. Even if the program is effective, is it worth the cost of increased secret powers and surveillance? This is the most crucial question, and reporters aren't asking it. So long as we don't know details, it can't be answered. Based on every Five Eyes program we do know about thanks to Snowden and others, the answer is almost certainly "no".
6. Even if the program is effective, why should the government be involved? Why should the government compensate for bad security? Do we think police should act as security guards for a select group of private companies? Perhaps the answer is yes, but it's a discussion that needs to be had.
7. This is not simply police guarding things. This is secret police having access to the private, personal data they are protecting from nameless enemies. This is secret police watching things happening online - like a camera watching someone's house, Internet surveillance can't collect only cybersecurity-related data, it also collects very personal data.
The GCSB and its foreign counterparts have shown time and again that they will abuse this data - and why not, when they never face any consequences for their abuse, instead getting new laws passed to legalize their crimes retrospectively?
(This post was originally posted to Facebook; see further updates and comments there)