Search and surveillance requests
17.44 MACMA should give effect to New Zealand’s existing international obligations to provide assistance. The leading international instrument in relation to this type of assistance is the Budapest Convention. The Budapest Convention is a multilateral treaty adopted by the Council of Europe in 2001. It serves both as a guideline for any country developing comprehensive national legislation against cybercrime and as a framework for international cooperation between state parties.
17.45 The Convention was based on more than a decade of discussions in the United Nations, the G8, the OECD, and various other European and non-European organisations. As at October 2014, it had been ratified by 43 countries (including Australia, the United Kingdom, and the United States) and signed by an additional 10 (including Canada).
17.46 New Zealand is not a signatory to the Convention. However, Part V of the Harare Scheme, of which New Zealand is a member, and the associated Model Legislation were drafted to give effect to the chapter governing international cooperation in the Budapest Convention. Therefore, while New Zealand is not legally bound by the Convention, it has made a non-legally binding commitment to work towards compliance.
17.47 As recently recognised by the Commonwealth Working Group of Experts on Cybercrime, there are very good reasons for New Zealand to sign and ratify the Budapest Convention including:
- the multilateral nature of the Convention;
- the number of existing parties;
- the comprehensive nature of its provisions;
- its proven practicality;
- its binding nature;
- the existence of a support mechanism in that parties to the Convention participate in the Cybercrime Convention Committee of the Council of Europe; and
- ratification is encouraged by the Financial Action Task Force.
17.48 This approach aligns with the extensive work that is being undertaken throughout the public sector at present to address cybercrime and to work towards compliance with the Budapest Convention.
17.49 In light of these observations, we consider that the provisions in MACMA should accord with the Budapest Convention wherever that is possible without contravening New Zealand’s domestic search and surveillance regime.
International cooperation under the Budapest Convention
17.50 Chapter III of the Convention begins by stating the fundamental principle that state parties shall cooperate with each other:
… to the widest extent possible for the purposes of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence.
17.51 After outlining other general principles, the chapter shifts to list specific types of mutual assistance that the state parties are obliged to provide to each other.
Preservation (and limited disclosure) of stored computer data
17.52 Under the Convention, one state party may request another to urgently preserve data stored on a computer system in that country’s territory, pending a formal mutual assistance request for search and seizure. This is a temporary measure that is primarily directed at preserving data held by telecommunications companies and other service providers that are routine carriers of data.
17.53 Preservation under the Convention may be achieved by “order or otherwise” and must last for at least 60 days. Notably, the obligation is framed so that a requested country must “take all measures to preserve expeditiously the specified data in accordance with its domestic law”.
17.54 If a preservation request relates to a specific communication and the requested country discovers that other service providers were also involved in the transmission, the Convention creates an additional obligation. The requested country must disclose sufficient information about the communication to the requesting country to allow it to identify the other service providers and formulate further preservation requests.
17.55 There is currently no general provision in the Search and Surveillance Act allowing for data on a computer system to be preserved, pending the execution of a domestic search warrant or production order. However, it may be that service providers routinely preserve this data for limited periods in their ordinary course of business, and the destruction of data before the Police are able to obtain a search warrant or production order does not seem to have been a problem in domestic cases. In those circumstances, there may be no need for a formal preservation order process or for the service provider to disclose information about other parties to a communication. The relevant data may still be adequately preserved.
17.56 Whether this informal preservation process would be sufficient to comply with the Budapest Convention is really a domestic law issue.
Searches of stored computer data
17.57 The Convention provides that one state party may request another to search, seize, and disclose data stored by means of a computer system located within the requested country’s territory and that a response can be expedited.
17.58 New Zealand can already provide this type of assistance to foreign countries. The Search and Surveillance Act explains that the search of a place, vehicle, or thing extends to the search of any computer system or data storage device located there. “Computer system” is defined broadly to include computer networks and internet data accessible from the computer, even if a password is required. The user may be required to provide passwords. These rules apply equally in a MACMA context.
17.59 Neither the Search and Surveillance Act nor MACMA, however, contains a specific provision enabling the search warrant process to be fast-tracked if there are concerns surrounding loss or modification of stored computer data. At present, a mutual legal assistance request under MACMA must contain advice from the requesting country as to whether urgent compliance is necessary. If there is a case for urgency, there is scope for the Attorney-General, the Police, and the courts to respond accordingly, without the need for this to be directed by legislation.
Interception of traffic (metadata) and content data
17.60 Under the Budapest Convention, the requested country must provide real-time collection of traffic and content data to the requesting country in criminal matters.
17.61 Traffic data is the information generated by a computer system about a communication. It may include the communication’s origin, destination, route, time, date, size, duration, and the type of underlying service. This type of interception assistance is, in general, governed by the conditions and procedures provided for under the requested country’s domestic law. The obligation in the Convention requires:
Each party shall provide such assistance at least with respect to criminal offences for which real-time collection of traffic data would be available in a similar domestic case.
17.62 For law enforcement purposes, New Zealand is only able to collect traffic and content data in “real time” using the surveillance device regime in the Search and Surveillance Act. A slightly slower alternative option in relation to routinely stored traffic and content data would be to obtain a prospective production order. This would allow a telecommunications company to disclose the relevant data to the Police, as and when it came into existence. However, New Zealand does not currently provide either of these types of assistance for criminal matters to foreign countries under MACMA.
17.63 To fully comply with the interception obligations in the Budapest Convention, New Zealand should amend MACMA to allow its authorities to obtain a surveillance device warrant on behalf of a foreign country. If MACMA was simply extended to include production orders, this might allow for technical compliance. Nothing in the Budapest Convention would prevent New Zealand from making these forms of assistance subject to stringent conditions.
Q67 How should powers to intercept data in New Zealand be used in respect of criminal investigations and prosecutions in a foreign country?
The Harare Scheme
17.64 The Harare Scheme contains two further types of search and surveillance assistance that are not outlined in the Budapest Convention.
Covert electronic surveillance
17.65 The Harare Scheme provides assistance for covert electronic surveillance. Such surveillance is defined by reference to the use of a device to transmit, record, or otherwise capture audio product, visual images, or information about position or location. The definition expressly excludes the use of a device primarily designed for the interception of telecommunications.
17.66 A request for covert electronic surveillance must include:
- details of any provision of law under which an order or warrant for covert electronic surveillance is required in the requesting state and any provision of law that ensures respect for the rights of those under covert electronic surveillance;
- a copy of any related order or warrant obtained;
- information for the purpose of identifying the subject and location of the requested surveillance; and
- the desired times and duration of the surveillance.
17.67 This form of assistance is a catch-all for surveillance requests that do not relate to the interception of telecommunications data governed by other paragraphs in the Harare Scheme and Budapest Convention. Together, the Scheme and the Convention cover the full range of surveillance currently available in New Zealand under the Search and Surveillance Act. Again, the existence of a best-practice obligation to provide covert electronic surveillance suggests that New Zealand’s surveillance device warrant regime should be extended, in principle, to give assistance to foreign countries.
Q68 How should covert electronic surveillance powers in New Zealand be used in respect of criminal investigations and prosecutions in a foreign country?
17.68 Under the Harare Scheme, a request may be made for the provision of subscriber information. Subscriber information is any information held by a service provider relating to the name, address, telephone number, email address, Internet Protocol address, or similar identifier associated with a subscriber to any telecommunications service. Such a request may be “directly transmitted to an agency or other authority competent to receive such a request under the laws of the requested country”.
17.69 In New Zealand, this information may, on occasion, be publicly available. Where it is not, the Attorney-General could provide this form of assistance at present by authorising the Police to obtain subscriber information by executing a search warrant. However, this would be an expensive and time-consuming mechanism for provision of this form of assistance. It would also not be in keeping with the desired emphasis on speed suggested by the reference to direct transmission of such requests.
17.70 The reference to speed tends to suggest the possibility of skipping the Attorney-General’s usual gatekeeping function. We do not think that this would be appropriate, unless the information was publicly available. A production order would, however, provide a less intrusive and less expensive way of providing this form of assistance where the information is private.