Hard News: Snowden and New Zealand
126 Responses
First ←Older Page 1 2 3 4 5 6 Newer→ Last
-
Steve Barnes, in reply to
Unclassified is a classification
Like I said "nitpick" but it is still lazy and allows abuse of the OIA by smart arsed bureaucrats.
As to“Unclassified” != “not yet classified”
what are you saying here, sounds the same as what I said.
Really don't need to argue, like I said, nitpick. Just a pet peeve of mine, language laziness, probably an Americanism. -
Paul Campbell, in reply to
Mathew - it's not that simple for tax reasons I'm not a direct employee :-) I'm technically my own boss - none of our equipment other than customer units are in NZ and I don't do network operations, so it's likely not an issue, it's much more likely that the GCSB would find itself trying to force a foreign entity to get a NZ security clearance - if they did that I might lose my job because having employees in NZ is too much trouble.
I do however write network code that's regularly deployed in NZ.
Mostly I guess I'm pissed because some paranoid scary dudes have secretly (to me) gotten a law passed in urgency that potentially allows them to tell me what I can put on my net, and in fact if I do my job well and they can't break the crypto they're likely to tell me I can't deploy my best work.
-
Matthew Poole, in reply to
Unclassified is a classification
Like I said “nitpick” but it is still lazy and allows abuse of the OIA by smart arsed bureaucrats.
No, it doesn't. It really, really, really doesn't. Documents classified as Unclassified cannot be withheld under the national security exemptions to the OIA. The national security classifications are, as already laid out, Confidential, Restricted, Secret, and Top Secret. Those are the ones that let bureaucrats withhold under the OIA, and realistically it's only S and TS that'll stand up to a determined challenge. Documents that are Unclassified are not deemed to pose a security risk. That's what Unclassified means.
As to
“Unclassified” != “not yet classified”
what are you saying here, sounds the same as what I said.What I'm saying is that "Unclassified" is not "not yet classified", which is what you're claiming. It's completely the opposite. What you said was:
an unclassified thing, document or whatever, just means it hasn’t been classified, so you couldn’t tell if it were meant to be secret or not
which means, as best I can tell, that you believe Unclassified means nobody has assessed it for a security risk which might justify an upgrade in classification. That's not the case. An Unclassified document has been assessed, determined to present no security risk, and thus marked as such. Given that classification is meant to be as granular as the sentence level it's possible to find documents that have mixtures of U/S/TS next to different lines to indicate the different classifications. Have a look through some of the Snowden slides to see what I mean. If Unclassified means it might actually be Secret or Top Secret if someone just bothered to look, how could it possibly be mingling casually with lines that are Secret or Top Secret?
Part of the reason that classification markings (look in SIGS) are written all in capitals is to avoid any ambiguity. The marking UNCLASSIFIED is a classification marking. If I were to be really precise here I would've done the same but, instead, I've just used an initial capital.
-
Matthew Poole, in reply to
UNCLASSIFIED is also the default classification on anything the national security apparatus of the government produces, at least in theory. So that also shoots down your "lazy bureaucrat" theory.
-
nzlemming, in reply to
“Unclassified” != “not yet classified”.
Word.
-
Idiot Savant, in reply to
My guess is the real reason for having someone with a security clearance is so that the GCSB has someone in place in every ISP to use when the time comes to start tapping someone aggressively, they also need someone they can tell "don't fix that bug, we're using that"
Clearance doesn't mean obediance, and I would hope that any sysadmin in the latter case would immediately post the demand all over the internet. But I guess the point of requiring security clearance in the first place is to weed out such people from such positions.
-
Idiot Savant, in reply to
they could, I suppose, classify a document as “Public” and refuse to let you see it on the grounds that it is “classified”.
Nope. The OIA doesn't care about what labels agencies stick on documents. Instead, they would have to claim that release would prejudice the security and defence of New Zealand (or whatever), but that doesn't automatically follow from classification.
-
For the non-geeks, ”!=” means “not equal” (and is pronounced “bang-equal” if you’re that way inclined) just the same as ”!>” is “not greater than” as opposed to “<” which is “less than" and not the same as “not greater than” #protip
-
IS: I don't know - does having a security clearance legally require you to keep secrets? can the existence of a bug that the NSA is actively exploiting be declared a state secret? even one in my own code?
-
Rich of Observationz, in reply to
I think most languages use <= rather than !> or ≯
-
nzlemming, in reply to
1. Vetting by the SIS is only for Confidential (CV), Secret (SV) and Top Secret (TSV). (Not Restricted as mention by Mark) There are also levels above TSV.
The first rule of security clearances is not to talk about security clearances ;-)
I thought I said that only SV and TSV required vetting, not Restricted and Confidential. It may have changed since I was last working for government in 2005, but I seem to remember that Confidential was at the CE's discretion. Maybe not.
3. For SV (possibly) and TSV (certainly, I know!), you are interviewed by the SIS as well as your referees – so it is a time consuming process.
When I held a TSV, my referees were definitely interviewed - probably I was as well, I don't remember (long time ago now). There are probably still a few sysadmin/IT managers around who would curse my name for pointing out to my CE that I had access to all his files and email, so really he should have me vetted ;-)
-
nzlemming, in reply to
I think most languages use <= rather than !> or ≯
They do, but they don't mean the same thing, conceptually. Sometimes, you just want to be that precise.
-
nzlemming, in reply to
IS: I don’t know – does having a security clearance legally require you to keep secrets? can the existence of a bug that the NSA is actively exploiting be declared a state secret? even one in my own code?
Simple answer: yes.
Complex answer: it's not the clearance that compels you to keep a secret. It's the fact that something has been declared secret. Your clearance allows you to know about the thing even though it is a secret from people who don't have clearance, which is most of us. America (for example) has declared a number of things as matters of "national security" - much of Snowden's revelations would fall into the category of hacking exploits and the fundamental claim against him by the USG is that he has revealed information that is classified as secret, top secret and all the way up to ultraviolet. If the bug is in your code, they might offer you a job.
-
Matthew Poole, in reply to
When I held a TSV, my referees were definitely interviewed – probably I was as well
When I was referee for a friend's TSV back in 2005 I was one of two (of four) referees who was selected to be interviewed by an SIS officer. My friend was not interviewed. The two referees who were not interviewed were sent a written questionnaire.
As best I can ascertain vetting is still only routine for S and TS (to differing depths, obviously), but a check with Ministry of Justice is standard for C and R (and everything else in government, pretty much).
-
Rich of Observationz, in reply to
Please provide a solution for:
x >= y
s.t
y ≯ xthen
-
Matthew Poole, in reply to
it’s not the clearance that compels you to keep a secret. It’s the fact that something has been declared secret.
Even more complex, the full answer is, "it's both."
Aforementioned friend still can't talk about anything classified he was read in on while in government employ, even if its existence is now public courtesy of Snowden. And he wasn't working for the spooks, either. If he was still employed in a vetted role, he wouldn't be allowed to talk about anything that Snowden's released because it's material that's classified by an allied intelligence partner so it's considered to be classified in NZ.
It's really frustrating when a conversation thread ends with "Yes, I've seen that news article, I can't talk about it." Fortunately there aren't too many things that Snowden's released that intersected with his work.
-
Paul Campbell, in reply to
Complex answer: it’s not the clearance that compels you to keep a secret. It’s the fact that something has been declared secret. Your clearance allows you to know about the thing even though it is a secret from people who don’t have clearance, which is most of us..
So if something is declared secret, It's illegal for me to reveal it, but if I'm not cleared I'm not allowed to know that it's illegal for me to reveal it ....
Paging Mr Yossarian ......
What if I find a bug in say OpenSSl, one that the NSA and GCSB are exploiting, am I (Heartbleed being a perfect real-world example) can I tell others about it if the GCSB has declared it a secret and I don't know?
It did dawn on me today that probably the best thing we can do for internet security right now is to set up 'NSA honeypots' ... machines that look like they ought to be a target and then carefully packet monitor how people break into them - the NSA has spent a lot of time and money figuring out where all our collective security holes are, they probably know more than anyone, tricking them into telling us would make us all safer and more secure.
-
Matthew Poole, in reply to
So if something is declared secret, It’s illegal for me to reveal it, but if I’m not cleared I’m not allowed to know that it’s illegal for me to reveal it
If you have a security clearance and you know it’s classified, it’s clearly illegal. If you don’t have a clearance but you become aware that it’s classified, it’s probably also illegal (see below) but not necessarily.
The US has a particularly odious concept known as “born secret” whereby something that a civilian discovers on their own but which relates to classified materials (it’s normally to do with nukes) can be deemed to have been classified at the time of invention and thus the inventor is compelled to hand their invention over to the Feds without compensation; and with federal criminal charges hanging over them if they talk about their invention.can I tell others about it if the GCSB has declared it a secret and I don’t know?
Absolutely.
You appear to think that secrecy and security are some sort of absolute that binds everyone. They are not.
To be breaking NZ law you must “knowingly or recklessly, and with knowledge that [you are] acting without proper authority, communicate any official information or deliver any object to any other person knowing that such communication or delivery is likely to prejudice the security or defence of New Zealand”. And even then you’re only up for a maximum of three years, unless the government decides to try you for treason. Unlike the US, where unauthorised release of classified material can see you facing a life term (or the federal death penalty for treason).
So if you don’t know it’s classified, you’re free to tell the world. In reality, also, simply knowing that a bug in generally-available software was being exploited by the alphabet soup would be unlikely to constitute sufficient knowledge to achieve conviction. -
Idiot Savant, in reply to
does having a security clearance legally require you to keep secrets? can the existence of a bug that the NSA is actively exploiting be declared a state secret? even one in my own code?
No.Security clearances have no statutory force. Ultimately they're simply an employment issue.
There is a summary offence of http://www.legislation.govt.nz/act/public/1981/0113/latest/DLM53565.html?search=ta_act_S_ac%40ainf%40anif_an%40bn%40rn_200_a&p=1, and a crime of Wrongful communication, retention, or copying of official information. Neither has to my knowledge ever been used, and the government would be pushing shit uphill (both politically and legally) to try and mount a prosecution for either of a public-interest leak.
Edit to add: And if the bug is in your own code, they're screwed, because the law relies on "official information" and "official documents". If its your code, or if you discover the document independently, its neither, provided you are not working for the government at the time.
-
If you are discussing S.78A of the Crimes Act, then the infomation has to belong to an NZ government department.
I don't think information can be "born secret" in NZ, so if it hasn't passed through the hands of the NZ government, it isn't protected.
Also, information that doesn't "prejudice the security or defence of New Zealand" isn't protected, and revealing mass surveillance would fall into a grey area, in that a prosecution would have to prove a threat to security. (Various British cases such as that of Clive Ponting ended in acquittal for this reason).
-
Rich of Observationz, in reply to
Indeed. Snap.
I think S20.A could be used against a cop leaking to journalists, or a Treasury official getting a bit over-enthusiastic on that online insider trading site.
-
surely NOT telling people that the NSA was breaking into computers in NZ would "prejudice the security or defence of New Zealand” in the sense of NZ being all of us rather than just the government
-
Idiot Savant, in reply to
To be breaking NZ law you must “knowingly or recklessly, and with knowledge that [you are] acting without proper authority, communicate any official information or deliver any object to any other person knowing that such communication or delivery is likely to prejudice the security or defence of New Zealand”.
And in that, the term "official information" is crucial. Official information is information that is "held by" the government - that is, it originated with them, and has not been made public. If you have a non-NZ government source e.g. a Snowden leak, then its not "official information" and you can distribute it as much as you like.
"Likely to prejudice the security or defence of New Zealand" is also a far higher bar than it sounds. The Court of Appeal has interpreted similar language in the OIA, and requires it to be "a serious or real and substantial risk... a risk that might well eventuate". Ordinary spy paranoia "but this is super-sekrit!" doesn't count.
And if the body whose information it is isn't covered by the OIA e.g. the Inspector-General of Security and Intelligence, or the Intelligence and Security Committee - then its not "official information" and its total fair game.
(There are other branches to the offence. Both involve "official documents", so don't forbid disclosure of content. One also requires "intent to prejudice the security or defence of New Zealand", which again is pushing shit uphill territory).
Basically: if you're a security-cleared ISP employee, its only an employment issue, unless you're distributing actual copies of government-originated documents with intent that they be used to bring down the Net 9as opposed to "stop the spooks from being jerks")
-
Idiot Savant, in reply to
unless the government decides to try you for treason.
Treason in NZ has a very specific meaning. "Telling the public stuff the government doesn't want them to know" is no part of it.
-
Matthew Poole, in reply to
And if the body whose information it is isn’t covered by the OIA e.g. the Inspector-General of Security and Intelligence, or the Intelligence and Security Committee – then its not “official information” and its total fair game.
That does not mesh with the wording of the section. "Official information" does not have to be held by "an organisation" to be covered, and the definition of what constitutes official information is very, very broad. The IGSI and the ISC are both covered.
Post your response…
This topic is closed.