[Critical] 🎯 Targeted Device Access & Vendor Supply

Targeted on-device access and lawful intercept authorities create procurement channels for mercenary and domestic tooling. Oversight needs to match vendor capabilities and cross-border data flows.

Investigatory Powers & Warrants | Statutes & Codes
Focus: technical capability notices, computer-access warrants, and auditing obligations; necessity/proportionality guardrails.
Vendor Ecosystem (mercenary & domestic) | Surveillance Tooling
Risk: capability creep; device compromise beyond intended scope; NDA-shielded procurement.
[Critical] 📑 Telecom Signalling Exploits (SS7/Diameter/Roaming)

Roaming and interconnect layers can be abused for location tracking and message interception. Mitigations are uneven; coordinated audits and operator attestations are essential.

Carriers & National Cyber Guidance | Telecom/Network Security
Focus: signalling firewalls, anomalous global-title traffic, threat intel sharing, independent testing.
[Moderate] 📱 Cell-Site Simulators (IMSI-catchers)

Procurement and deployment by law-enforcement bodies are opaque. Risks include dragnet capture and retention of bystander identifiers without clear purge standards.

IMSI-catcher Deployments | Law Enforcement Capability
Safeguards needed: warrant standard, purge of non-targets, transparency reporting.
[Critical] 🗂️ Data-Broker & Adtech Exposure

Retail, app-SDK, and adtech flows can reveal sensitive locations and behavioural profiles. Key risks: consent defects, opaque downstream use, and cross-border disclosures.

Consumer & Location Data Markets | Brokers/Platforms
Risk: sensitive-site visitation inference; bulk audience creation; resale to public and private buyers.
Regulatory Actions & Guidance | Privacy/Oversight
Focus: consent standards, overseas disclosures, deletion rights, DPIAs for high-risk processing.
[Moderate] 📺 Platform Governance & Online Safety

Platform obligations for illegal/harmful content and transparency are evolving. Public logging of government requests and user-facing appeal paths reduce "informal pressure" risk.

Safety & Content Codes | Regulatory Schemes
Focus: risk assessments, reporting windows, child-safety design, auditable takedown requests.

🕸️ Corruption Network Visualization (New Zealand)

Relationships between spyware vendors, data brokers, telecoms, platforms, and NZ authorities.

Legend (node categories): Authorities; Vendors; Brokers; Platforms; Telecom/Programs.

🔗 Key Relationships (NZ)

Investigatory powers ↔ vendor ecosystem

Core: Targeted device/network access ↔ mercenary/domestic tools ↔ procurement oversight & NDA constraints.

Telecom signalling & roaming

Core: SS7/Diameter interconnect ↔ global-title and roaming exposure ↔ carrier mitigations & audits.

Data-broker ↔ platform loop

Flow: Apps/SDKs/Retail → aggregators → adtech & public buyers; consent/disclosure compliance monitored by regulators.

📅 Signal-Power Evolution Timeline (New Zealand)

Foundational intercept & metadata regimes

Carrier and agency obligations establish baseline access and retention expectations; oversight bodies refine codes over time.

Targeted device access & technical notices

Computer-access warrants and capability notices enable on-device actions under judicial/ministerial control.

Platform governance & online-safety frameworks

Codes/standards for harm reduction and transparency; dispute-resolution and appeals mature.

Signal-layer scrutiny & roaming risk

Interconnect audits and incident reporting expand; cross-border exploitation prompts coordinated responses.

⚑ Immediate Stop-Gap Actions (NZ-aligned)

Drafted to dovetail with NZ investigatory-powers and privacy regimes while constraining "signal-power" abuse.

🛑️ Spyware/High-Risk Tools
  1. Judicial authorization + necessity/proportionality for invasive tools (ODIT/spyware).
  2. Public DPIA within 30 days of program start; quarterly aggregate reporting (vendor, legal basis, categories).
  3. Vendor NDAs unenforceable against courts, independent oversight, and privacy regulators.
📑 Signalling/Interconnect Hardening
  1. Carrier attestations on SS7/Diameter defences and roaming-edge audits; annual third-party testing with public summaries.
  2. Incident statistics and corrective action logs; publishable without compromising active ops.
🗂️ Data-Broker Containment
  1. No acquisition of location/behavioural datasets absent lawful basis and minimization plan.
  2. Public broker relationship log; deletion audits; direct-marketing conformance under privacy/telecom rules.
📱 IMSI-catcher Governance
  1. Warrant standard; purge attestations for non-targets; capability summaries and annual oversight review.
📺 Platform Governance
  1. Documented systemic-risk logs; "no informal pressure" policy with auditable legal bases for requests.
  2. Child-safety design and transparency measures per online-safety regimes.

📋 Implementation Toolkit (Model Resolution / By-law)

Language aligns with NZ frameworks and telecom/online-safety contexts.