As the TICs Bill moves closer to becoming law the focus is moving from the GCSB law, now passed, to the impact of the TICs on the New Zealand ICT Industry. As I’ve commented before, the lost opportunity, what could have been, could be as high as $750m a year. Without revisiting that, its because the GCSB and TICs bills, combined, no longer make New Zealand a perceived safe haven for data. Vikram Kumar, desperately trying to protect the Mega business has been vociferous in his opposition, and that pushed me to do some research on how else TICS could damage the ICT Industry in New Zealand.
What TICS allows is a backdoor into ICT providers, notionally this is being sold to us as telecommunications providers, however the bill is ambiguous in its description, which means that almost any ICT provider could be forced to comply with the law. The cost of installing that permanent backdoor, which is only unlocked under warrant, is on the provider of the ICT Services.
Next, the GCSB must be consulted on over core infrastructure and design. Thomas Beagle from Techliberty has said:
“Network operators must notify the GCSB of any proposed decision, course of action or changes made by them in regards to purchases, network changes or ownership/control of the “specified security interest”. This includes their network operations centre (NOC), lawful intercept equipment, customer databases, databases of user accounts, and “any place where data aggregates in large volumes”.”
Let’s start with the backdoors. For a small company providing Cloud Services in New Zealand (there are a number of startups in this space, which is great for the industry) they will be up for a cost of some tens of thousands of dollars to provide access to the spy agencies. I’d estimate a cost of $20,000 – $70,000. That by itself in a market that is highly competitive and operating with razor thin margins is a business killer. If they don’t comply, the costs are $500,000 and up to $50,000 a day. They’ll be forced into bankruptcy.
For a large organisation, one of the large telecommunications companies, the cost of that backdoor will be millions to implement and millions to maintain. It’s not going to put them out of business, however it is going to put our costs up as users, because we’ll have to pay for it. So enter the “User Pays Spying” state.
Back to the startups. Even if they can afford to pay the costs of both implementing the backdoors and managing them, they have a trust and confidence issue that causes customers to look offshore for Cloud and other services. Jason Danner, a Director at Arrowrock, a company that helps small to medium business into Cloud, explains it like this:
The TICs bill puts a huge burden on small New Zealand based cloud service providers for 2 reasons:
1) Adding full interception capability to all of their current systems will require significant (read expensive) changes and ongoing oversight costs at a time when many local providers are pressured to compete with large, international cloud services. Essentially its increasing their compliance costs at a time when their operating margins are under pressure.
2) Increasingly users are demanding GREATER security and privacy protection from their cloud services, not less. Full interception capability forces New Zealand cloud services to act AGAINST consumer demand. This may have little effect on the business they do in New Zealand (as interception capability will be required of all providers) but it will deal a crushing blow to any business they hope to develop overseas. We’re already seeing steady customer movement away from US cloud services associated with PRISM. Telling the world that the New Zealand cloud industry will be monitored in the same fashion will put a significant damper on the growth of one of our most promising exports.
That’s an excellent summary of the risk. “Telling the world that the New Zealand cloud industry will be monitored in the same fashion will put a significant damper on the growth of one of our most promising exports.
The last part of the bill is interesting, because it has the ability to not only kill our newborns in startup mode, but it also has the potential to cripple the agility of large telecommunication providers like Telecom and its fledgling Cloud service Revera. Those providers, large and small, must notify the GCSB of any decision to change their core infrastructure.
The Cloud revolution is impacting traditional ICT in a number of ways. One of those is speed to market with new product. Products are developed and deployed within days or weeks, and any business that can’t respond to that model, will lose. Speed is everything. So now we have ICT companies that are going to have to notify the GCSB when they want to change core infrastructure.
This will mean that the time to make potential competitive changes to an end product whether for the national or international consumer will be months or years, not days and weeks. Once again, this will simply drive smaller companies out of business while the larger players are stuck in a state of inertia.
For companies like Mega, who have chosen New Zealand as a home for Cloud services and have the reach and capability to exploit a global market that is growing at over 48% per annum (for Cloud infrastructure) and 19% (for Cloud services) this bill must be a bitter pill. For a company that prides itself on privacy, it stands to lose all its gained by having to not only install backdoors, but also consult with the GCSB on design questions that lie at the heart of its business model.
Worse, the GCSB law change, and TICS change right behind it, put us on par with PRISM (granted with a warrant to access data) and so the overall perception is that these two law changes firmly put New Zealand right in the middle of the NSA scandal. A scandal which is, according to Forrester, likely to cost the U.S. ICT industry $180B. With 10% of U.S. Cloud customers cancelling contracts, near 60% re-evaluating which geophysical location they buy ICT services from, and Europe banking the customers heading their way, it’s a significant economic mistake.
Let’s not forget though, that for the dozens of smaller ICT startups through to the large providers like Revera and Datacom, the issue is the same. I’m not sure that our industry can afford to suffer the same mistake that the U.S. has made. As Paul Brislen, Jordan Carter, and Paul Matthews have struggled to voice; the New Zealand ICT Industry stands on the edge of a cliff where we could rival the export power of Fonterra or fall into the abyss.
Whatever we get in return for the passing of these bills had better be worth it.