One of the country’s two spy agencies has revealed it retrieves information directly from where it is stored or processed on computers.
The “computer network exploitation” operations have been a highly-classified secret at the GCSB until now.
US commentators refer to computer network exploitation as a form of cyber warfare, or the “theft of data”.
“Our legislation … allows us to access information infrastructures, which is more than just interception,” the Director-General of the Government Communications Security Bureau, Andrew Hampton, said.
It “also allows us to retrieve digital information directly from where it is stored or processed”.
The GCSB refers to this as “accessing information infrastructures”.
The spy watchdog, the Inspector-General of Intelligence and Security, Brendan Horsley, cited Hampton’s speech to the Institute of International Affairs in May, for making the revelation.
This had freed Horsley up to be able to assure the public that the exploitation operations were scrutinised, he said in his annual report released on Friday.
Previously, he had had to refer to “certain operations”.
“Although it was subject to oversight, it was not possible to provide any clear public assurance of this.”
In fact, he had conducted a review that found the compliance systems around CNE “to be generally effective and appropriate”.
However, he was still not allowed to go into details “on the bureau’s use of this important capability”.
Elsewhere, the Inspector-General reported how the SIS was doing a lot more “target discovery”, resulting in it having to manage significantly more data, at a time its checks and controls over data – while improving – were “not there yet”.
Horsley is conducting a review this year of target discovery by the SIS, and will soon include the GCSB, too.
Both agencies boosted this work after the 2019 mosque attacks.
“The potential hazard of target discovery activity, from a civil liberties and privacy point of view, is intrusion into the lives of people who have done nothing to merit the attention of a national security agency,” the Inspector-General said.
He concluded Section 19 of the security laws did not pose a significant problem – that S19 simply required each agency to be able to justify monitoring or collection “besides the fact of certain ideas being expressed on a platform”.
As for holding on to all the extra data, the GCSB had adopted a new policy late last year under which “it may not retain information merely because it may be useful for its functions in the future”.
However, the report said the SIS was struggling on the policy front. Fully 93 percent of its policies were overdue for review, and in some cases, including data analytics, were “non-existent”.
“Draft procedures were being relied on to guide decisions,” Horsley said.
While the SIS had a plan to address the backlog, and even though it had reduced the number of its policies by a fifth, “in the meantime there is no assurance these policies are fit for purpose”.
It was also way behind on reviewing its data-sharing agreement with the Department of Internal Affairs.
The SIS and bureau both scored better for internal controls and how they handled any breaches.
The agencies had improved their joint policy on sharing information with foreign partners where there was a risk it would contribute to human rights abuses.
The new policy was “a marked improvement” on 2017 policy, though Horsley retained reservations about some of the terms, criteria and “the handling of reports likely obtained by torture”, and he wanted more of the policy made public.
The report showed he reviewed 63 spying warrants, 49 of them the most serious kind, a Type 1, which lets an agency carry out an otherwise unlawful activity in order to collection information about a New Zealander.