News Item

December 2019

New report on regulation of Encryption highlights need to balance government powers with people's rights

This newly released Law Foundation-funded report identifies principles and values for informing future developments of encryption-related laws in New Zealand. It highlights the need to strike a balance between human rights and freedoms on the one hand and law enforcement and public order values on the other.

The report, entitled “A Matter of Security, Privacy and Trust: A study of the principles and values of Encryption in New Zealand”, reveals that under the Search and Surveillance Act 2012, law enforcement officers have the power to search and seize encrypted data and computers. This includes the authority to compel users and providers to give up their passwords and access information such as encryption keys. In addition, companies can be required to provide reasonable assistance to allow law enforcement officers to gain access to encrypted data, services and devices. Under the Telecommunications Act 2013, network operators and service providers have a duty to offer reasonable assistance to intercept and collect communications. NZ Customs has the power to demand passwords and order the decryption of smartphones and other electronic devices as part of customs and border searches.

Principal investigator Dr Michael Dizon says the problem with these powers is that there are no express standards and guidelines with respect to how they are carried out, especially in relation to human rights. Forcing suspects to disclose their passwords may infringe their right against self-incrimination. Requiring a company to create backdoors or vulnerabilities in encryption to allow the police access to a suspect’s data may jeopardise the privacy and security of all its other clients. “There is a potential then for misinterpretation, misapplication and possible misuse of these powers,” Dr Dizon says.
 
Focus group interviews conducted by the researchers with members of the general public, business and government indicated that people in this country place the greatest importance on privacy, data protection and information security when using encryption. Dr Dizon says, “New Zealanders primarily use encryption to protect their privacy and security. Forcing people to disclose their passwords or to render assistance may violate their rights and interests.”
 
The researchers recommend that the right or privilege against self-incrimination should be more strongly recognised in computer searches, and that persons suspected or charged with a crime should not be forced to disclose their passwords. While providers have a responsibility to assist the police in search or surveillance operations if it is within their existing technical capabilities, such assistance should not involve any act that would undermine the information security of their products and services or compromise the privacy of their clients as a whole.
 
The principal investigators of the study are Dr Michael Dizon, Associate Professor Wayne Rumbles and Prof Ryan Ko.
  

Full report in PDF – 200 pages
Media advisory, 12 Dec 2019

The NZ Law Foundation has contributed $59,000 towards this research report through its Information Law and Policy Project.

*Encryption is a process of scrambling information to protect it against unauthorised access, alteration or distribution. This technology helps ensure the confidentiality, integrity and authenticity of data and communications. The security and privacy of internet banking, online shopping, cloud services, data storage, secure messaging and many other products and services depend on encryption.