Current ICT Safety and Security Issues


A Strategic Consideration of ICT Security and Confidence in New Zealand: Discussion Paper for Key Agencies/Organisations

Resources and Networks Branch
[ Last Updated 16 March 2006 ]


26. Security of information and communications infrastructure:

  1. Issue: The information and communications infrastructure comprises both fixed line and wireless networks that interlink to enable the transmission of information and communications between users (e.g. the Internet). Threats to the secure operation of this infrastructure include:
    1. Cyber-attacks affecting the operation of ICT infrastructure (e.g. viruses/worms, denial of service attacks, hacking, deliberate sabotage);
    2. A lack of robustness or protection against ICT network faults or failures leading to network outages;
    3. Physical damage to key parts of the ICT infrastructure.
  2. Policy: The policy objective is to ensure that key ICT infrastructure continues to be operational and support ICT services through protection from security threats, sufficient network robustness and appropriate contingency planning. New Zealand made international commitments at the APEC Leaders meeting in Mexico in 2002 to:
    1. Endeavour to enact a comprehensive set of laws relating to cyber security and cyber crime that are consistent with the provisions of international legal instruments;
    2. Identify national cyber crime units and international high-technology assistance points of contact and create such capabilities to the extent they do not already exist;
    3. Establish institutions that exchange threat and vulnerability assessment (such as Computer Emergency Response Teams).
  3. Regulatory framework:
    1. The Crimes Act 1961 (ss 249 - 252) prohibits unauthorised access to, damage to and interference with computer systems and data held on computer systems.
    2. The Radiocommunications Act 1989 - prohibits the transmission of radio waves except in accordance with a licence or regulations made under the Act, requires licences issued under management rights to be certified as to non-interference before being registered and puts in place interference resolution mechanisms.
  4. Institutional framework:
    1. New Zealand Police - enforces the Crimes Act provisions relating to e-crime;
    2. The Centre for Critical Infrastructure Protection (CCIP - part of the Government Communications Security Bureau) - CCIP provides advice and support to protect New Zealand's critical infrastructure from cyber threats - it has three main roles:
      • Providing 24 hour/7 day "watch and warn" advice to owners of critical infrastructure;
      • Analysis and investigation of cyber attacks;
      • To work with critical infrastructure organisations and other sectors nationally and internationally to improve awareness and communications regarding information technology security;
    3. The IT and Telecommunications Policy Group (part of the Ministry of Economic Development) - develops ICT policy for New Zealand with a particular emphasis on economic benefits;
    4. The Radio Spectrum Management Group (part of the Ministry of Economic Development) - administers and enforces the Radiocommunications Act;
    5. The Government Inter-departmental Internet Security Working Group - this group has representatives from a number of government departments involved in Internet security issues - it considers and provides feedback on Internet security policy issues where they involve cross-departmental interests;
    6. The State Services Commission (ICT Branch) - considers e-government issues and implements policies aimed at promoting effective and secure e-government practices;
    7. The Telecommunications Carriers Forum - comprises a group of telecommunications carriers who consider telecommunications sector issues and develop policies and codes of practice to address these;
    8. InternetNZ - engages in self-regulatory consensus-driven policy development relating to its operation of the .nz domain name space and other public policy advocacy and codes of conduct relating to protection of the Internet.
  5. Comment:
    1. From a legislative perspective New Zealand has responded to one of its commitments made at the 2002 APEC Leaders Meeting by enacting sections 249 - 252 of the Crimes Act regarding unauthorised access, damage to and interference with computer systems and data held on computer systems. There may be value, however, in reviewing New Zealand's cyber security laws for the purpose of determining their consistency with international cyber security laws and whether further legislative measures may be required.
    2. In New Zealand e-crime investigations are carried out by the appropriate Police District, with the forensic component conducted by a centralised forensic unit (the Electronic Crime Lab, which has three locations across the country). Electronic crime poses particular challenges because of its virtual and cross-border characteristics and its specialist nature. There may be merit, therefore, in considering whether the current Police structure and capability is sufficient to meet the growing challenges involved in e-crime investigations.
    3. Other countries have established institutions that exchange threat and vulnerability assessment information. No computer emergency response team (CERT) or domestic computer security incident response team (CSIRT) has been set up for New Zealand, but CCIP does carry out some of the functions of a CERT (it provides advisories in relation to cyber-threats). In addition, some New Zealand organisations subscribe to the Australian Computer Emergency Response Team (AusCERT - an independent not-for-profit organisation based at the University of Queensland). There is a concern, however, that many computer security incidents in New Zealand are going unreported because of the lack of a single national contact point to address these as well as a mechanism for anonymous reporting. There is, therefore, a lack of effective communication with private sector organisations concerning threats, and prevention and mitigation measures.
    4. There do not appear to be any requirements on business or ICT infrastructure providers to ensure that minimum security requirements are met in terms of network design and implementation or in terms of network robustness and security management practices.
    5. For business to put in place good ICT security measures there need to be sufficient incentives from a business and/or regulatory perspective. Care would need to be taken to minimise any unnecessary compliance costs. Facilities-based competition can have an incentive effect to promote better security because it can provide a competitive advantage. In addition, the development of telecommunications infrastructure alternatives assists in mitigating the effects of network outages.
    6. There are security standards available to the private sector (ISO/IEC 17799:2000, ISO 27001:2005) which some businesses use as benchmarks for their security. These standards could be promoted to the private sector by government with a view to obtaining their wider use.
    7. In the government sector there is the Security in Government Sector (SIGS) manual, which sets out the minimum standards of protective security that must be met by government departments and agencies, including standards relating to communications and systems security management. This is supplemented by NZSIT 400 which provides additional technical guidance.
    8. There is a concern that there is a lack of expertise being developed in the area of ICT security and a lack of dedicated ICT security courses at our tertiary education institutions. There appears to be a need for the area of ICT skills development and training to be examined further to ensure future needs are catered for.
    9. GCSB and CCIP appear to be the government agencies best placed to take the lead within government on the issue of ICT infrastructure security. In the business sector there is a need for a business-related group to take the lead in this area.

Questions for Discussion

4. What measures or actions should Government be taking to promote secure and resilient ICT infrastructure within New Zealand, particularly within the private sector?

5. Is there value in reviewing New Zealand's cyber security laws for the purpose of determining their consistency with international cyber security laws and whether further legislative measures may be required? If so, who should lead this work, and what would be the priority issues?

6. Is there a need to review whether the current Police structure and capability is sufficient to meet the growing challenges involved in e-crime investigations?

7. Is there a need to prescribe minimum security standards for infrastructure operators?

8. Is there a need for changes in ICT education and skills development to be made to develop expertise in ICT security? Should ICT security be a mandated component of government funded ICT courses? Should there be an ICT security qualification or professional standard developed for New Zealand ICT security professionals?

9. What agencies or groups should be taking the lead on the issue of ICT infrastructure security and on the issue of the education of ICT infrastructure security?

10. What role or actions should ICT infrastructure operators and business be taking on this issue?


27. ICT network construction, repair and maintenance:

  1. Issue: In order to provide secure and modern information and communications infrastructure, operators need to be able to construct, repair and maintain such infrastructure without undue impediment, and need to incorporate security as an essential element in the design of such infrastructure. Issues arise where:
    1. Security is not incorporated as an essential element in the design and construction of ICT infrastructure;
    2. There are difficulties or delays in getting the required landowner or council consents or where the terms and conditions attaching to consents are unreasonably restrictive;
    3. There is a lack of national standards or guidelines for councils to streamline consent processes;
    4. It is unclear whether the terms and conditions of a consent to construct and operate a power line allow that line to also be used for telecommunications purposes;
    5. There is poor infrastructure redundancy (i.e. insufficient investment in upgrades, repairs and maintenance).
  2. Policy: The policy objective is to balance the need for ICT infrastructure development, repair and maintenance with the rights and interests of land owners as well as social and environmental considerations.
  3. Regulatory framework:
    1. The Telecommunications Act 2001 (Part 4) provides for the declaration of network operators and for rights of access for the construction, repair and maintenance of lines and equipment for telecommunications purposes;
    2. The Electricity Act 1992 provides for the rights of access for the construction of electricity transmission infrastructure;
    3. The Resource Management Act 1991 requires that consents from local authorities be obtained for the use of land.
  4. Institutional framework:
    1. The IT and Telecommunications Policy Group (part of the Ministry of Economic Development) takes the lead on telecommunications sector legislation and infrastructure issues;
    2. Ministry for the Environment - administers the Resource Management Act and is responsible for the development of national guidelines under that Act;
    3. Regional and territorial authorities - consider applications to use land and develop local planning guidelines;
    4. Telecommunications Carriers Forum - develops industry codes of practice for telecommunications carriers;
    5. Utilities Advisory Group - comprises central and local government agencies and utility providers - discusses and coordinates actions on issues relating to the development and operation of utilities such as telecommunications, gas and electricity (particularly as they relate to roads).
  5. Comment:
    1. Some stakeholders have expressed concerns that compliance costs and delays associated with obtaining the required consents for network construction are impeding the provision of modern and secure information and communication infrastructure. A review of and amendment to the Resource Management Act has sought to address these concerns by promoting nationally consistent standards and streamlined procedures. Work to develop national environmental standards for low impact telecommunications facilities is currently underway. This work is being led by the telecommunications industry, with MED and MfE taking an advisory and decision-making role.
    2. There are also concerns that the separation of legislative provisions addressing the rights to construct different types of networks (e.g. telecommunications and electricity) does not easily allow for the application of new technologies to existing networks to enable a multiplicity of uses.

Questions for Discussion

11. What measures or actions should the Government be taking to ensure that the development of ICT infrastructure in New Zealand is able to take place without undue impediment and with security built into its design? What additional guidance on the development of ICT infrastructure can be provided?

12. Does the issue of the use of infrastructure for different purposes require any legislative action such as widening the land use and access rights of operators?

13. What role or actions should ICT infrastructure operators be taking to ensure security is an important consideration in the development of ICT infrastructure?

14. What roles or actions should ICT infrastructure operators and government be taking to ensure that national infrastructure is protected from failure?


28. Internet Governance:

  1. Issue:
    1. Internet governance is both a national and an international concern. Nationally, management of the .nz domain name space is the responsibility of InternetNZ through the Office of the Domain Name Commissioner. Internationally Internet governance, including the Domain Name System (DNS), is the responsibility of ICANN, a non-profit body set up by the US Government to oversee the management of the core root services of the Internet. The DNS is the facility which converts website address names into addresses of actual machines. The DNS uses a database of names which is distributed across the world. It relies on "root servers" which are centrally operated, although they are geographically diverse and are duplicated in several locations.
    2. IP addresses are also managed internationally by ICANN, and regionally in Asia Pacific by APNIC based in Australia. IP numbers are also a crucial aspect of DNS resolution, and aspects of national sovereignty are ignored in the existing model.
    3. The issue from a New Zealand safety and security perspective is that decisions affecting the use of the Internet by government, business and the general public are taken by organisations (InternetNZ at a national level and APNIC at an Asia-Pacific regional level in relation to IP addresses), neither of which has any formal accountability to interested parties such as the government. Decisions affecting international aspects of security are taken by ICANN and the US Government.
  2. Policy: The Government's policy objective for Internet governance is to represent the interests of New Zealand's stakeholders by participating in international discussions on decisions affecting the operation of the Internet.
  3. Institutional framework:
    1. InternetNZ (a non-profit organisation fostering coordinated and cooperative development of the Internet in New Zealand - it also has the delegation from ICANN for the .nz Country Code Top Level Domain and operates the Office of the Domain Name Commissioner);
    2. The IT and Telecommunications Policy Group (MED) takes the lead on IT policy issues;
    3. State Services Commission (ICT Branch) - has an interest in Internet issues as they relate to e-government;
    4. CCIP - has an interest in Internet issues as they relate to critical information infrastructure security.
  4. Comment:
    1. At the international level recent discussions on proposals to revise the arrangements for Internet governance to promote a more inclusive approach for international stakeholders and greater accountability resulted in the status quo being maintained.
    2. Internationally there has been a debate around issues such as the role that governments should play in the governance of the Internet, which is currently managed within the private sector. The New Zealand Government has contributed to these discussions through the World Summit on the Information Society and the Government Advisory Committee of ICANN. However, these issues are seen as being beyond the scope of this paper except insofar as they affect the relationship between the Government and InternetNZ.
    3. At the domestic level the operation of the Domain Name System for New Zealand appears to be proceeding relatively smoothly at present. In the past, however, there have been a small number of calls for greater Government involvement in Internet governance. At present the Government carries out a policy oversight role in relation to internet issues.
    4. A recent phishing attack using a domain name registered in New Zealand and very similar to a New Zealand bank's website raised the issue of whether the Domain Name Commissioner (DNC) should carry out a check based on certain agreed criteria before registering a domain name for a website. The Fair Trading Act contains a general prohibition against misleading and deceptive conduct. This could include carrying on business under a name that is misleading or deceptive. However, the courts determine the question of whether a name is misleading or deceptive, and therefore the DNC does not vet names for this purpose. By contrast, the Registrar of Companies, which performs a similar function to the Domain Name Commissioner, is able, under the Companies Act 1993, to decline to reserve a name that:
      • Contravenes an enactment;
      • Is identical or almost identical to another company name (the key words and/or the order in which they appear make that name virtually indistinguishable from another);
      • Is offensive.
    5. Registering of domain names using false information, while not permitted under the terms and conditions of the agreement between registrars and registrants who use their services, is not checked by the registrars. This is the same as with the registering of a company name - checking of registrant details is neither undertaken nor required by law.
    6. Given the resources and time required to verify all applicant details and the likelihood of only a very small number of fraudulent applications, a check of the domain name against criteria similar to those used for company name registration may be much simpler and more effective.

Questions for Discussion

15. Should the government establish a more formal relationship with InternetNZ around the issue of the administration of the Domain Name System?

16. Should the Domain Name Commissioner be required to check applications for domain names against criteria similar to those applied to the registration of company names?

17. Should domain name registrars be required to verify applicants' details?


29. Protection of information assets and individual privacy:

  1. Issue:
    1. The increasing capabilities and use of information systems and technologies to track, store and analyse personal information pose potential threats to people's individual privacy and confidence in using ICT. All governments and many organisations are engaged in the collection of detailed personal information on their citizens and customers. Information and privacy must therefore be protected from possible misuse and invasion while ensuring that information obtained for bona fide purposes, including providing for a safe and trusted internet, is permitted.
    2. Issues relating to privacy and information security include:
      1. "Dataveillance" - tracking of information on individuals (e.g. via databases, spyware and cookies). This can sometimes occur as a result of users assenting to end-user licence agreements which give providers wide-ranging access to users' personal information.
      2. Obtaining personal information, passwords and PIN numbers through hacking or the use of software such as keystroke loggers on publicly used computers (e.g. obtaining internet banking passwords from internet café computers).
      3. Data matching, sharing and profiling -
        • This is a technology that assigns people to categories on the basis of personal information that has been collected, stored, processed and shared between organisations or different divisions of an organisation;
        • Sometimes referred to in privacy literature as "panoptic sorting", some uses of this technology could be considered unethical and discriminatory because, unlike a traditional investigation on an individual which is triggered by some evidence of wrongdoing or specific query, data matching and profiling is initiated because his or her category is of interest to the organisation;
        • To some extent this activity already exists in commercial organisations such as credit agencies, financial institutions and marketing companies;
        • To ensure that the privacy concerns surrounding this technology are considered and managed in government information matching programmes, the Privacy Act requires such programmes to go through an authorisation process.
      4. Authentication - the e-Government strategy objective of delivering services and information via the Internet requires authentication of a person's identity. This plus the Government's demand for greater border security through passports with microchips and biometric information have increased people's concern that these may be the first steps towards a national identity card. The Government has addressed these concerns in the Cabinet-approved policy principles which any authentication system adopted within Government must follow.
      5. Surveillance - tracking people's movements (e.g. via webcams, RFID, GPS computer chips in cellphones).
      6. Identity theft and identity spoofing.
      7. Covert filming and the taking of images of people in private situations.
    3. Privacy and confidentiality can be protected through the following measures:
      1. Security - the range of administrative, technical and physical mechanisms that aim to preserve privacy and confidentiality, by restricting information access to authorized "knowers" for authorized purposes, for example, passwords, encryption and authentication. Security is the responsibility of both the collector and owner of personal information.
      2. Privacy enhancing technologies (PET) - those software programs or hardware devices that can help a user regain some of their privacy that has been lost on the Internet (e.g. programs that allow users to manage the cookies that web sites place on their hard drives, applications that provide the ability to surf on the Internet anonymously so that advertisers cannot track a user's shopping habits).
      3. Data protection - the range of legal, regulatory and institutional mechanisms that guide collection, use and disclosure of information (e.g. the Privacy Act).
  2. Policy: The policy objective is to achieve the right balance between protection of information assets, private property and individual privacy and competing values such as freedom of information and expression, preventing and punishing crime, and the efficient operation of business and government.
  3. Regulatory framework:
    1. The Privacy Act 1993 and its related codes (e.g. Health Information Privacy Code) provide rules and guidelines to:
      1. Ensure that individuals have a right to control information about themselves, and to prevent its use without their consent for purposes unrelated to those for which it was collected.
      2. Set out the Privacy Commissioner's central requirement to seek balance and have regard to the human rights and social interests that compete with privacy, desirability of free flow of information and the right of government and business to achieve their objectives in an efficient manner.
      3. Establish a regime to permit data matches between government agencies after Parliamentary scrutiny and with monitoring and reporting back to Parliament, for example, requiring government agencies to identify those circumstances where information matching is most clearly justified, that the benefits outweigh the costs and data matching is undertaken in such a way that minimises the effect on privacy through careful data management.
    2. The New Zealand Bill of Rights Act 1990 protects against unreasonable search or seizure. It could be argued that data matching or profiling would violate this right because the technique of matching unrelated databases is designed as a general search. The search is not based on any pre-existing evidence to direct suspicion of wrongdoing to any particular person.
    3. Specific legislation: for example, the Land Transport Management Act 2003 includes a clause to prohibit a toll operator from using personal information for purposes other than the collection and enforcement of tolls.
    4. If passed, the Crimes (Intimate Covert Filming) Amendment Bill will assist in addressing some of the covert filming concerns. The Bill forbids the making, possession, publication, importation, exportation and sale of an intimate visual recording (IVR). An IVR is defined as the making of a surreptitious visual record of another person without that person's knowledge or consent and in circumstances that the person would reasonably expect to be private.
    5. The Privacy Commissioner encourages government agencies and other organisations proposing to introduce new laws, policy or technology to undertake a Privacy Impact Assessment. A PIA is an assessment of actual or potential effects that the activity or proposal may have on individual privacy and the ways in which any adverse effects may be mitigated.
    6. Industry codes of practice, for example, Code of Practice for Direct Marketing, Electronic Product Code (EPC) / Radio Frequency Identification (RFID) in Retail Consumer Code of Practice.
  4. Institutional framework:
    1. The Ministry of Justice (Public Law Group) - responsible for privacy law policy and the New Zealand Bill of Rights Act;
    2. The Office of the Privacy Commissioner - responsible for the operation of the Privacy Act;
    3. The IT and Telecommunications Policy Group (MED) - responsible for IT policy and its relationship to privacy issues;
    4. State Services Commission (ICT Branch) - responsible for e-government issues and their relationship to privacy;
    5. New Zealand Police - responsible for the investigation and enforcement of criminal offences;
    6. Industry associations (e.g. Direct Marketing Association, New Zealand Bankers' Association);
    7. The Internet Safety Group (an independent non-profit organisation which is focused on providing cybersafety education for all New Zealanders), InternetNZ, and other user groups.
  5. Comment:
    1. New Zealand is generally thought to have one of the most comprehensive national privacy laws outside Europe. Some New Zealand industry associations have also been proactive with regard to privacy concerns and have instigated self-regulation. However, there are other industries or services where more work is being done or could be done in the area of security and confidentiality, for example, codes of practice for internet banking and internet cafes.
    2. Advances in, and the decreasing cost of, tracking and monitoring technologies are raising increasing concerns about surveillance and misuse of the data/images collected and whether current policies and legislation are adequate to deal with the potential ethical issues which extend beyond privacy to ones of dignity.

Questions for Discussion

18. Are current measures and legislation adequate to minimise the threats to information security and individual privacy that have emerged through developments in information and communications technologies (e.g. spyware)? If not, what action should the government take?

19. Is enough being done in educating organisations, especially SMEs, as to their responsibilities regarding protection of information and privacy?

20. Is enough being done in educating the public as to their rights?

21. Is protection of information assets and privacy being sufficiently considered by those developing these technologies and applications? If not, what actions can be taken?

22. Is there a need for regulatory or self-regulatory measures to be introduced to address privacy concerns over passwords and PIN numbers used for internet banking?


30. Abuse of information and communications technology services by users:

  1. Issue: Abuse of ICT services can take many forms but they all contribute to an undermining of public confidence in the use of such services. Forms of abuse include:
    1. Abuse of email and other ICT messaging services by the sending of spam, "phishing" messages, messages promoting Internet-based scams and frauds generally, bullying or harassment by way of emails or text messaging, the sending of illegal or age restricted images by way of email or texting;
    2. Abuse of internet and phone chatroom services by sexual predators and others with dishonest or malicious motives;
    3. Abuse of ICT services by the transmission of objectionable material such as child sexual abuse images;
    4. Abuse of Internet services by the posting of defamatory, offensive or objectionable material;
    5. Abuse of Internet search engine services by the creators of websites hosting "adult" or obscene material using "acceptable" but misleading website subject information in order to appear on a website search result list for such information;
    6. The publication or distribution of images obtained covertly and in breach of privacy rights;
    7. Illegally accessing other people's bank accounts to commit fraud by the unauthorised transfer of funds.
  2. Policy: The policy objective around the use of ICT services is to adopt a multi-tiered strategy aimed at minimising abuse and promoting a high degree of public confidence in the use of such services.
  3. Regulatory framework:
    1. The government has taken and is taking a number of steps to address the abuse of ICT services including:
      • the passing of the Crimes Amendment Act 2005 to address the problem of sexual predators involved in the sexual grooming of children using the Internet;
      • the introduction of the Unsolicited Electronic Messages Bill to address spam;
      • the introduction of the Crimes (Intimate Covert Filming) Amendment Bill;
      • the support of ICT safety initiatives undertaken by the Internet Safety Group;
      • the application of the Crimes Act and the Fair Trading Act by the Police and Commerce Commission to Internet-based scams and frauds; and
      • the policing of objectionable and restricted material by the Department of Internal Affairs under the Films, Videos and Publications Classification Act 1993.
    2. The government is also encouraging the development of industry codes of practice to address areas such as chatrooms and spam (the Telecommunications Carriers Forum and InternetNZ have been involved in this).
  4. Institutional framework:
    1. The IT and Telecommunications Policy Group (MED) - responsible for IT and telecommunications policy, including the regulation of services;
    2. The Ministry of Justice (Crime Prevention and Criminal Justice Group) - responsible for criminal justice and censorship policy;
    3. The Ministry of Consumer Affairs - responsible for consumer policy issues;
    4. Department of Internal Affairs (Censorship and Compliance Group) - responsible for the enforcement of New Zealand's censorship laws;
    5. New Zealand Police - responsible for the investigation and prosecution of criminal offences;
    6. The GCSB (as the national INFOSEC authority) and CCIP - monitoring the cyber-threat environment;
    7. Commerce Commission - responsible for the enforcement of the Fair Trading Act and, if required, telecommunications industry codes;
    8. Ministry of Education - responsible for safe practices within schools;
    9. The Internet Safety Group - promotes the safe use of ICT services and good user practice;
    10. The Telecommunications Carriers Forum (TCF) and InternetNZ - both involved in the development of codes of practice to address the abuse of ICT services;
  5. Comment:
    1. The enactment of the Unsolicited Electronic Messages Bill supported by anti-spam codes of practice developed by the TCF and InternetNZ for service providers and enforcement by the Department of Internal Affairs will assist in mitigating the growth of spam.
    2. The Crimes (Intimate Covert Filming) Amendment Bill has been considered by Select Committee and, if passed, will help address concerns over intimate covert filming.
    3. The TCF has developed a draft code of practice for mobile service providers to address mobile content issues, including the abuse of chatroom services.
    4. Investigating and enforcing laws around ICT-based scams and frauds and threats to child safety requires specialist expertise and resources and needs to be supported by a legal system that has trained and knowledgeable lawyers and judges. Concerns have been raised that there is currently a lack of sufficient specialist expertise and resources within or available to the New Zealand Police and a lack of sufficient lawyers and judges trained in this area.
    5. The resourcing of both public education campaigns and government agencies involved in enforcement is an issue that will need to be closely monitored and adequately addressed. The Ministry of Consumer Affairs is seeking to promote a fraud awareness campaign around the concept of Fraud Awareness Month (an international campaign coordinated by ICPEN) but for such campaigns to be effective they require sufficient resourcing.
    6. The Internet Safety Group has a valuable role to play in public education and awareness of the abuse of ICT services but also requires adequate resourcing for this task (government departments and agencies such as the Ministry of Education, State Services Commission, CCIP and the New Zealand Police currently contribute funding to support its work along with private sector sponsors). Its website provides information on a wide range of Internet safety issues.
    7. Businesses also have a valuable role to play in promoting ICT safety and good practice through staff education and training.

Questions for Discussion

23. What additional actions or measures should government be taking to address the abuse of ICT services and what are the areas of highest priority?

24. What additional actions or measures should the ICT industry be taking to address the abuse of ICT services and what are the areas of highest priority?

25. Is there a need for additional programs to develop more expertise and knowledge in the investigation and enforcement of ICT-based scams and frauds?

26. How can the education and awareness-raising of users on how they can best protect themselves against the abuse of ICT services be most effectively achieved? Should businesses be taking a more active role in educating and training their staff?

27. How should the specialist requirements of investigating and addressing ICT safety and security issues be best met by the Police, and do judges and lawyers require additional training in the area of cyber-crime?


31. Security of computers and computer systems against misuse:

  1. Issue: Computers and computer systems can be compromised by viruses/worms and Trojans which enable computers to be commandeered for noxious purposes such as sending spam or for denial of service attacks. In order to mitigate against this threat there needs to be education of users, installation of appropriate defences, and effective ISP management and law enforcement.
  2. Policy: The policy objective is to ensure that there is effective prevention and detection of, and redress against, abuse of computers and computer systems which undermine the effectiveness of and confidence in the use of information and communication technologies.
  3. Regulatory framework: As noted above, the Crimes Act 1961 (ss 249 - 252) prohibits unauthorised access, damage and interference to computer systems and data held on computer systems.
  4. Institutional framework:
    1. The New Zealand Police - responsible for the investigation and prosecution of criminal offences;
    2. The GCSB as the National INFOSEC Authority;
    3. The CCIP - monitors and provides warnings of cyber attacks;
    4. The State Services Commission (ICT Branch) - advises on Internet security in relation to e-government;
    5. The IT and Telecommunications Policy Group (MED) - responsible for IT policy and promoting confidence in the use of information and communication technologies;
    6. The Ministry of Justice - has policy responsibility for criminal policy, including e-crime policy;
    7. The Internet Safety Group - promotes the safe use of computers and communications technology;
  5. Comment:
    1. Experience has shown that with the increased uptake of broadband, computers are more vulnerable to misuse in that they are always "connected" and can be targeted for use as part of a "zombie" network for the purposes of spamming or carrying out a denial of service attack. This means that it is important for users to put in place effective security measures on their computers such as firewalls and anti-virus software.
    2. The Internet Safety Group provides valuable information in this area, and other organisations such as the CCIP, software suppliers, computer security companies, major ISPs and the online auction company Trademe also promote the security of computers and computer systems.
    3. In Australia the Australian Communications and Media Authority is proposing to launch an Internet Security Initiative (ISI). The aim of the ISI is to reduce spam by remotely and automatically scanning computers for compromise or vulnerability and to pass this information on to ISPs so that they can take action (which could include quarantining or disconnection if the problem is serious) and to encourage the public to secure their own machines. A similar initiative could be undertaken in New Zealand once the anti-spam legislation has been enacted.
    4. Despite attempts at user education, it would appear much of the public is unaware of ICT security issues or lacks sufficient incentive to put in place preventative measures. One measure that could assist in promoting ICT security is to require that all new devices sold must meet minimum security standards.

Questions for Discussion

28. What additional measures or actions should government be taking to address the security of computers and computer systems against misuse and what are the areas of highest priority? Should New Zealand adopt a similar initiative to the Internet Security Initiative taken by Australia?

29. What additional measures should equipment, software and network suppliers be taking to address the security of computers and computer systems against misuse?

30. What compliance measures are required?


32. Security of and access to communications between users:

  1. Issues:
    1. Communications between users in the form of emails, text messages and voice communications can be intercepted or accessed by persons without authorisation if proper security measures are not in place.
    2. Electronic communications, as well as providing many benefits, also serve as a means to aid criminal activity. For this reason, access by law enforcement authorities to records of electronic communications can be an important element in conducting a criminal investigation.
    3. Unlike many other countries, New Zealand does not require telecommunications service providers and Internet Service Providers to retain certain levels of information that may be relevant to law enforcement agencies. Increasingly, however, there appears to be a reluctance on the part of the service providers to retain this information voluntarily, and therefore there may be a need to consider the imposition of data retention obligations or the development of a code of practice to address this issue.
  2. Policy: The policy objective is to ensure that effective privacy and security measures for electronic communications are implemented and balanced against the interests of law enforcement agencies in carrying out criminal investigations.
  3. Regulatory framework:
    1. The Crimes Act 1961 (ss 216A - 216F) prohibits the use of interception devices to intercept private communications and the disclosure of information obtained from such interception (subject to exceptions for law enforcement and maintenance of service purposes).
    2. The Radiocommunications Act (s 133A) prohibits the disclosure of the contents of a radiocommunication received by a person knowing that it was not intended for that person (subject to exceptions for law enforcement purposes).
    3. The Telecommunications (Interception Capability) Act 2004 (s 7) requires network operators to ensure public telecommunications networks and telecommunications services are interception capable (this is for the purpose of enabling law enforcement and security agencies to continue to carry out interception activities notwithstanding developments in technology).
    4. The State Services Commission ICT Branch has developed a Secure Electronic Environment project for government which includes the implementation of the "Secure Electronic Environment Mail" or "SEEMail". SEEMail is used by many government agencies as a means for the secure exchange of email and attachments using the Internet. This is likely to be replaced by the Government Shared Network, currently in development by the SSC ICT Branch. SSC is also working on the implementation of a shared workspace initiative.
  4. Institutional framework:
    1. New Zealand Police - responsible for carrying out criminal investigations involving the use of interception warrants and enforcing the Crimes Act;
    2. Ministry of Justice - responsible for criminal justice policy and the interception capability legislation;
    3. Radio Spectrum Management Group (MED) - responsible for enforcing the Radiocommunications Act;
    4. The IT and Telecommunications Policy Group (MED) - responsible for IT and telecommunications policy;
    5. State Services Commission (ICT Branch) - responsible for the security of government communications;
  5. Comment:
    1. Technology providers have developed solutions to address the issue of the security of communications between users through technologies such as encryption and authentication.
    2. The imposition of data collection and retention obligations on service providers for law enforcement purposes has occurred in countries such as Australia and those in the European Union. These obligations are likely to involve the imposition of significant compliance costs and therefore the mechanism for and extent of such obligations needs to be carefully considered.

Questions for Discussion

31. Is the matter of the security of communications between users an issue that requires additional government action or is technology able to provide the solutions in this area?

32. Is there a need to consider the imposition of data collection and retention obligations for law enforcement purposes on service providers?


33. Security of and confidence in transactions entered into using information and communications technologies:

  1. Issues:
    1. Research studies have identified the following major impediments to the broader use of the Internet for commercial activities:
      • Transactions are not always secure and not always conducted by authenticated parties (security). Surveys have concluded that theft is the major deterrent to shopping online and identity theft is recognised as the world's most menacing and fastest growing means to perpetrate fraud;
      • Personal details are not always kept private, stored safely, and used as agreed (privacy). Users have a desire to avoid unsolicited advertising and other intrusions into their personal privacy;
      • Levels of service are not always as specified or up to an acceptable standard (this may include non-delivery of items purchased) and there may be no easy access to effective systems for complaint handling and redress, especially where the business is overseas (service); and
      • There is an apparent lack of a "value proposition", as perceived by customers, to warrant taking the risks.
    2. An issue has arisen concerning the application of existing product safety requirements to online publishers, such as Trademe, who promote and facilitate product dealings between other parties. The issue is whether the online publisher should have responsibility for ensuring compliance with the product safety requirements applying to goods sold by parties using their sites.
    3. The ability to take legal redress against another party to a transaction when things go wrong is also an issue. This is particularly the case in cross-border transactions, such as transactions over the Internet with someone from another country, and for Internet transactions generally where the personal details of the other party may not be known.
    4. In the case of transactions between parties connected through online sites, such as Trademe, the organisation operating the site may have the required personal information to enable an application to the Disputes Tribunal or court to be filed, but requests for such information can give rise to privacy concerns, particularly where it may be difficult to ascertain whether the "proposed court action" is the genuine reason for the request (the divulging of personal information where court proceedings are reasonably in contemplation is allowed by the Privacy Act).
    5. The sharing and storing of information or data by ICT service providers assists in the process of investigating cyber-crime. Accordingly it is arguable that ICT service providers should be required to store, and provide law enforcement agencies with access to, certain levels of information.
  2. Policy: To ensure that consumers trust in the security, privacy and service fulfilment of e-commerce.
  3. Regulatory framework:
    1. Crimes Act 1961 (provisions re fraud and theft);
    2. Electronic Transactions Act 2002 (clarifies the legal validity of transactions entered into by electronic means);
    3. Fair Trading Act (re misleading or deceptive conduct in trade and product safety);
    4. Privacy Act 1993 (provides rules relating to the collation, holding and disclosure of personal information);
    5. The OECD Cross-Border Fraud Guidelines and the OECD Guidelines for Consumer Protection in the Context of Electronic Commerce (implemented in New Zealand through the Model Code for Consumer Protection in Electronic Commerce).
  4. Institutional framework:
    1. New Zealand Police - investigation and prosecution of criminal offences;
    2. IT and Telecommunications Policy Group (MED) - IT policy and the promotion of e-commerce;
    3. State Services Commission (ICT Branch);
    4. Office of the Privacy Commissioner - provides a complaint mechanism and dispute resolution process for privacy issues;
    5. Ministry of Justice - criminal justice and privacy policy and dispute resolution;
    6. Ministry of Consumer Affairs - consumer protection policy;
    7. Commerce Commission - enforcement of the Fair Trading Act;
    8. Businesses that rely on ICT to facilitate or enter into commercial arrangements (e.g. Online traders and retailers, banks);
  5. Comment:
    1. The risks associated with e-commerce or online transactions can be significantly mitigated by parties adopting sensible business practices and by vendor businesses adopting sound security management practices around the commercial information of their customers.
    2. Some industries have developed codes of practice setting out principles to address the major concerns of e-commerce (e.g. the Code of Practice for Direct Marketing in New Zealand and the draft internet banking code of practice). The Electronic Marketing Standards Authority, with support from the Ministry of Consumer Affairs, has also developed the Trustmark accreditation. Businesses trading goods or services on the Internet can gain this accreditation by meeting specific good practice requirements.
    3. The Ministry of Consumer Affairs has been working on the issue of taking legal redress against another party to a cross-border transaction when things go wrong. This work has focused on the OECD Guidelines for Protecting Consumers from Fraudulent and Deceptive Commercial Practices across Borders, and membership of the International Consumer Protection Enforcement Network (ICPEN).
    4. There has been a proposal that, where legal proceedings are contemplated following an online transaction and the parties do not know each other but a third party that connected them does, the claimant file the application and the Disputes Tribunal obtain the personal information from the third party. The purpose of this is to address privacy concerns. The Ministry of Justice is concerned that such a proposal compromises the independence of the Tribunal or Court. It suggests that the claimant could, at the time of requesting the information from the third party, provide some sort of evidence to support the genuine nature of the claimant's request, such as a "verified" copy of an application to the Tribunal with the personal details of the respondent "to be completed".
    5. Consumer and business education and the provision of security management tools promote the security of online transactions. In particular, the education of consumers/users on the requirements for secure online transactions mitigates against the occurrences of online frauds and scams.

Questions for Discussion

33. Should the codes of practice go further and specify minimum standards in some areas, for example, a minimum level of security, security system or authentication?

34. Should there be a code of practice for all e-commerce activities?

35. How should court and dispute resolution processes take account of the different nature of e-commerce compared to ordinary commercial dealings and the privacy concerns around the disclosure of personal information?

36. Should there be a review of the responsibilities of online publishers for compliance issues involved in the sale of products facilitated by their sites, such as product safety?

37. Should the collection and storing of IP data by ISPs to assist in the prevention and detection of e-crime or fraud be required?


34. Security of intellectual property rights:

  1. Issue: The development of digital technologies has had major implications for the protection and management of intellectual property rights, especially copyright associated with written works, images, and audio and visual recordings. Digital rights management technologies have been developed as a way of protecting intellectual property rights but there has been controversy about the limitations these can place on the rights of consumers/users of copyright protected works.
  2. Policy: The policy objective is to ensure that intellectual property laws provide the necessary incentives for the development and creation of new works and inventions, including works and inventions created using information and communication technologies, while taking account of public interest considerations relating to dissemination, use and access.
  3. Legislation:
    1. Copyright Act 1994 (governs the scope of protection of original works) - a Copyright Amendment Bill to address the implications of digital technologies as they relate to copyright has been developed by the Ministry of Economic Development and is ready for introduction;
    2. Patents Act 1953 (provides for the protection of inventions by registration as a patent) - there have been issues around the registration of patents for commonly used e-commerce processes and whether these patents are justified on the basis of novelty or not. A review of the Patents Act has led to a proposed amendment Bill to tighten the patent examination process by ensuring patents are justified and not overly broad. There is also a proposal to make the process for challenging a patent easier;
  4. Institutional framework:
    1. Intellectual Property Policy Group (MED) - intellectual property law policy;
    2. IT and Telecommunications Policy Group (MED) - IT policy issues;
    3. State Services Commission (ICT Branch) - management of government information;
  5. Comment:
    1. The issues arising from the development of new technologies as they relate to New Zealand's intellectual property legislation are largely being addressed through the proposed Copyright Amendment Bill and a review of the Patents Act;
    2. There are practical application issues arising from the development of Digital Rights Management technologies, particularly to prevent the unauthorised copying of works developed using software that incorporates DRM. There are concerns in particular around the ability of the person originating the work being able to retain control over the work. DRM also has the potential to lock up works and prevent the exercise of permitted acts. The State Services Commission is currently considering issues relating to DRM as they apply to government documents and government held information;
    3. The infringement of intellectual property rights is an ongoing issue and new technologies provide greater scope for infringements. These technologies also offer new business models and ways to lock up works. Education of users on intellectual property issues assists in mitigating against infringement of rights. The MED Intellectual Property Policy Group and Intellectual Property Office of New Zealand will undertake various education and awareness raising projects in 2006.
    4. Recently there was an incident involving the use by Sony of "rootkit" technology in its DRM software with the consequent creation of a security risk for users.

Questions for Discussion

38. What measures, if any, should government implement to address the issues arising from Digital Rights Management technologies?

39. What intellectual property issues should be addressed in future education and awareness-raising campaigns?


35. Safety of content:

  1. Issues:
    1. With the development of the Internet in particular there is now a much greater ease of accessibility to images and information which are generally considered to be indecent, offensive or harmful. Some of these images or information are "objectionable" while others are considered to be "adult" content that should have restricted availability.
    2. With the convergence of technologies for broadcasting and telecommunications there is likely to be a greater use by broadcasters of different telecommunications-related platforms, such as the Internet, for the distribution of their material. The issue is whether the broadcasting standards regime should apply to this material.
  2. Policy: The policy objective is to develop a regulatory and institutional framework that supports protection from exposure to "harmful" and "offensive" content balanced against the interests of freedom of expression.
  3. Regulatory Framework:
    1. Films, Videos and Publications Classification Act 1993 (indecent and objectionable material);
    2. Broadcasting Act 1989 (broadcasting standards and content);
    3. Crimes Act 1961;
    4. Advertising Standards Authority Code of Practice (advertising standards and content);
  4. Institutional framework:
    1. Department of Internal Affairs (Censorship and Compliance Group) - enforces New Zealand's censorship legislation;
    2. The CCIP;
    3. Ministry of Justice - has policy responsibility for censorship and the Crimes Act;
    4. Ministry for Culture and Heritage - responsible for broadcasting standards and content;
    5. Ministry of Education - responsible for the safety of content in schools;
    6. New Zealand Police - responsible for enforcement of the Crimes Act;
    7. New Zealand Customs - responsible for the legality of material that comes into New Zealand;
    8. IT and Telecommunications Policy Group (MED) - responsible for content issues from an ICT policy perspective;
    9. Internet Safety Group - provides information on how users can protect themselves and their children from "harmful" content;
    10. Telecommunications Carriers Forum and InternetNZ - develop industry codes of practice to promote good industry practice around the provision of content services;
    11. InternetNZ.
  5. Comment:
    1. The Internet is a largely uncensored place which means that indecent, offensive and adult content is easily accessible. For children in particular this represents a risk. For this reason user education and the development of safety tools are considered to be important in mitigating the risks of exposure to harmful material.
    2. The New Zealand Police, Customs and Department of Internal Affairs work together to help ensure a coordinated approach to enforcing New Zealand's laws relating to the safety of content. A coordinated approach assists in promoting effective enforcement action.
    3. The Ministry for Culture and Heritage is likely to be considering the question of what the role of the Broadcasting Standards Authority, as a complaints body, should be in relation to broadcasting-like material appearing on different platforms.
    4. There is a concern that age verification procedures for restricted material or activities, such as online gaming, are not sufficiently robust and should be improved.
    5. Some countries, such as Australia, place legal obligations on ISPs to remove offensive content hosted by them unless they have signed up to and complied with an approved code of practice. While InternetNZ is developing a draft code of practice for ISPs the issue of content safety is largely unaddressed.
    6. The recent consideration and enactment of the Films, Videos and Publications Classification Amendment Act 2005 prompted consideration of the issue of what obligations ISPs should be subject to in relation to the hosting of "objectionable" material. It was determined that ISPs should not be liable for distribution offences without the requisite mental elements. It was considered that ISPs could not reasonably monitor all the electronic material on the Internet because of the volume and changing nature of material subscribers can access, limitations placed by privacy legislation, and the unreliability of automated filters. Sections 122 and 122A of the Films, Videos and Publications Classification Act set out the legal position concerning the distribution of publications, including electronic publications via the Internet.
    7. In the area of mobile content, the Telecommunications Carriers Forum has developed a code of practice to promote the responsible provision of mobile content.
    8. The development of the Internet and satellite television has resulted in an explosion in cross-border advertising. The Advertising Standards Authority will adjudicate on a complaint made by a New Zealand consumer in relation to advertising originating in another country. In other words, it adopts the country of reception principle, but takes account of a number of factors such as the primary audience for the advertising. In dealing with the issue of cross-border advertising there is a huge reliance on international liaison and cooperation between the regimes in different countries. This international element means that there are a number of issues to be worked through between various countries such as which codes of practice apply (for further discussion see the article on this subject on the Advertising Standards Authority website).

Questions for Discussion

40. Should ISPs be subject to legal obligations regarding the hosting of offensive or indecent content or should they be encouraged to sign up to a voluntary code of practice?

41. Should age verification procedures for restricted material or activities be made more robust?


