Google case highlights risks in NZ law change

The US Internet company Google threatened to close its Chinese operations last week after discovering Chinese hackers had broken into its Gmail email system, apparently gaining access via specialised interception equipment installed by Google to assist US law enforcement agencies. Google posted a statement saying the mid-December attack had targeted Gmail accounts of people in China, the US and Europe who were critics of human rights in China.


This news comes after the Sunday Star-Times revealed that all New Zealand email, Internet and phone companies have recently finished installing the same sort of interception equipment into their systems, obeying a law that requires them to enable police and spies access to their customers’ communications. The New Zealand developments followed pressure from US agencies, including the FBI, for New Zealand to adopt the same standardised interception capabilities that were exploited by the hackers to enter Google.


Macworld magazine quoted a Google insider saying that the Chinese hackers “were able to access a system used to help Google comply with search warrants by providing data on Google users”. “Right before Christmas it was “Holy s***, this malware is accessing the internal intercept [systems],” he was quoted as saying. Google cofounder Larry Page convened an emergency meeting on Christmas Eve to address the break in.


When the Labour government approved the law requiring interception capability in New Zealand, the Privacy Commissioner Marie Shroff had warned Ministers in a Cabinet committee paper that modifying telecommunications networks for police and spies impacted on privacy by providing “enhanced opportunities for unauthorised interceptions by third parties”. 


Shortly after parliament passed the 2004 Telecommunications (Interception Capability) Act, the Privacy Commissioner’s concerns were demonstrated by a case that became known as the “Greek Watergate”. In 2004 and 2005 hackers gained access to Vodafone Greece’s mobile system and used the built-in law enforcement interception capability to tap months of calls of more than 100 mobile phones. These included the Greek Prime Minister and his family, senior military and foreign affairs officials and senior opposition party members. 


Investigators discovered the hackers had added sophisticated computer coding to the standard interception systems built into four of Vodafone Greece’s Ericsson AXE mobile phone exchanges. The perpetrators were never found but Greek officials believed a foreign intelligence agency was responsible and news media including the BBC and Wall Street Journal raised US intelligence agencies as leading suspects.


The same thing happened in 2004 to US wireless company T-Mobile, resulting in hackers obtaining “candid” photos from celebrity Paris Hilton’s Sidekick smart phone (mobile phone/email/camera). The 21-year-old US hacker, Nicolas Jacobsen, had gained access to T-Mobile through a US Secret Service agent’s account, which gave him open access to T-Mobile’s 16.3 million customers through the access point provided for law enforcement agencies. For over a year he had access to all their social security numbers, dates of birth, voicemail PINs and passwords to their email accounts.


One of the IT specialists who alerted the Sunday Star-Times to the installation of interception equipment in local Internet companies said the Google hacking was a sobering reminder of the risk that pervasive surveillance systems pose. “Systems that centralise this much power are always going to be a target and, even with the resources and expertise of an organisation like Google, defence is fiendishly complex. What makes you think that New Zealand companies are better equipped than Google?” he said.