PM responds to incorrect surveillance claims
Prime Minister John Key tonight corrected misinformation that has been put in the public domain concerning the
operations of the Government Communications Security Bureau.
“Claims have been made tonight that are simply wrong and that is because they are based on incomplete information,” Mr
“There is not, and never has been, a cable access surveillance programme operating in New Zealand.
“There is not, and never has been, mass surveillance of New Zealanders undertaken by the GCSB.
“Regarding XKEYSCORE, we don’t discuss the specific programmes the GCSB may, or may not use, but the GCSB does not
collect mass metadata on New Zealanders, therefore it is clearly not contributing such data to anything or anyone,” Mr
“I am setting the record straight tonight because I believe New Zealanders deserve better than getting half of a story,
embellished for dramatic effect and political gain, and based on incomplete information.
“The GCSB undertakes cyber security operations to protect individual public and private sector entities from the
increasing threat of cyber-attack and this is very important work.
“It does not, however, remotely resemble what has been claimed,” Mr Key says.
The GCSB’s cyber security operations occur within its legal framework and only when the following conditions are met:
• Each entity must provide individual legal consent to be protected by the GCSB;
• The independent Commissioner of Security Warrants must be satisfied each individual case is within the law, and
a legal warrant must be co-signed by the Prime Minister and the Commissioner;
• Warrants are subject to a two-step process, as outlined by the Prime Minister when legislation was passed last
year. A warrant is required for high level cyber protection for an individual entity, and the content of a New
Zealander’s communications cannot be looked at by a GCSB employee unless a specific cyber threat is identified which
relates to that communication. If that is the case, the GCSB must return to the Prime Minister and the Commissioner to
make the case for a second warrant in order to access that communication.
In addition to this, the Inspector General of Intelligence and Security has substantially stronger powers to monitor the
GCSB’s activities and ensure they are appropriate and within the law.
“Our cyber security programme began operating this year after a lengthy process of assessing options for protection,” Mr
“The process began in late 2011 when the GCSB made it clear to me that cyber-attacks were a growing threat to our
country’s data and intellectual property and the Government needed to invest in addressing that.
“The Bureau assessed a variety of options for protection and presented an initial range to Cabinet for consideration in
“These options ranged from the highest possible form of protection to a much weaker form of security, with some in
“The Cabinet initially expressed an interest in GCSB developing a future business case for the strongest form of
protection for our public and private sectors, but it later revoked that decision and opted for what we have now –
something known as Cortex.
“The business case for the highest form of protection was never completed or presented to Cabinet and never approved.
Put simply, it never happened,” Mr Key says.
The Prime Minister tonight also released declassified material, including a Cabinet minute to show what occurred.
“I can assure New Zealanders that there is not, and never has been, mass surveillance by the GCSB.
“In stark contrast, the Bureau actually operates a sound, individually-based form of cyber protection only to entities
which legally consent to it,” Mr Key says.
(Attached: 3 x Cabinet minutes and Project Cortex Business Case Cabinet paper.)
3 April 2012 - Cabinet Minute (PDF3) shows Cabinet asks for business case on cyber security protection initiative.
September 2012 - It becomes clear there are issues with the GCSB’s surveillance of Mr Dotcom.
After this Rebecca Kitteridge is called in, problems with the legal framework and internal issues in the GCSB are
identified through reviews.
March 2013 - PM tells GCSB not to bring business case forward. Informs GCSB it is too broad. Budget contingency funding
will be rolled over and used for something else in cyber security.
September 2013 – Cabinet Minute (PDF2) shows formal rescinding of request for business case and notice of new, narrower
project. The business case had been known only as initiative 7418 through the Budget process because of its
July 2014 - Cabinet agrees to Cortex, a narrower cyber security programme. (Cab paper and minute PDF 1 and PDF4)