This section of the report contains material that may be confronting, particularly to those affected by the 15 March 2019 terrorist attack.
On 12 November 2018, the New Zealand Security Intelligence Service received an intelligence report that identified four IP addresses that had accessed suspicious files of “possible national security interest”. One of these IP addresses (184.108.40.206) had been accessing suspicious files containing content “that could facilitate actions that would result in threat and or attack activity”. A table attached to the intelligence report identified the IP address as being in Dunedin, New Zealand.1
- sets out the source of the information on the IP address;
- describes what the New Zealand Security Intelligence Service did with the IP address lead;
- examines whether the individual can be associated with the IP address activity; and
- considers whether the IP address could have come to light sooner.
We held a hearing to inquire into this issue. We summoned relevant officials from the New Zealand Security Intelligence Service to attend and provide evidence under oath or affirmation.
3.2 Where did the IP address come from?
Operation Gallant Phoenix is an intelligence fusion centre established in 2013 (based near Amman, Jordan) with the aim of tracking the flow of foreign fighters in and out of Iraq and Syria. Over time it has evolved to provide a platform for partners to collect, monitor and process material regarding potential and existing terrorist threats and trends at home and globally.
Currently, Operation Gallant Phoenix has many countries involved, including New Zealand, with a variety of participating agencies including military, civilian and law enforcement personnel.
Its specific role is to contribute to intelligence operations that offer opportunities to further understand and potentially disrupt Dā’ish. This is achieved through partner nation country collaboration and information sharing. Information generated through it has facilitated terrorist-related arrests in several countries and supported the opening of dozens of international investigations.
New Zealand’s involvement in Operation Gallant Phoenix (known as Operation Solar) began in late 2014 in response to an action taken against a New Zealander by Dā’ish. As a result of this involvement, New Zealand officials came to understand the potential benefits to New Zealand’s national security from Operation Gallant Phoenix.
In October 2016, the United States of America invited countries (including New Zealand) to participate fully in Operation Gallant Phoenix.
In March 2017, a Cabinet paper described a key advantage of the Operation as being “its fusion approach to information and cross-agency collaboration to address the multi-dimensional challenges of terrorism”. The paper considered that this approach is likely to be used more frequently in the future and New Zealand’s continued participation in Operation Gallant Phoenix would “build our domestic capability, ultimately enhancing our ability to respond to future violent extremist threats”. A small New Zealand deployment was agreed by Cabinet through to April 2019.
In June 2019, Cabinet noted that New Zealand had continued to gather security information from Operation Solar on the risk of terrorism and violent extremism and decided that it would continue New Zealand’s small presence until December 2020. We note that the Government’s decision was taken after 15 March 2019 and is agnostic as to threat ideology.
Information from New Zealand’s deployment to Operation Gallant Phoenix has been passed on to the relevant domestic law enforcement agencies. This has provided benefits to New Zealand’s national security beyond what was initially expected and continues to prove the value of New Zealand’s participation. We have seen some reports from Operation Solar and can confirm that they provide real value and insight into matters of significance to New Zealand’s counter-terrorism effort.
A pertinent example was a project initiated in 2018 aimed at discovering individuals in New Zealand who were accessing content of national security concern on the internet. Although narrowly focused, its purpose was to assist counter-terrorism agencies to better understand the scale of New Zealand-based online activity that had a national security nexus.
The outcomes of this project included:
- Seventy-four unique IP addresses were identified that had accessed suspicious files since October 2016.
- Four of those IP addresses were identified as being of “possible national security interest” and recommended for further investigation. Not all the suspicious files were related to Islamist extremist ideology.
- One of those four IP addresses was 220.127.116.11. This IP address is the subject of this chapter.
3.3 What material was the IP address accessing?
The IP address (18.104.22.168) had accessed suspicious files relating to Al Qaeda propaganda and the Oslo terroist’s manifesto between 24 August 2017 and 4 September 2017 (New Zealand time). During the same period the IP address had also accessed suspicious files relating to firearms (including Magpul parts) and tactics.
3.4 What did the New Zealand Security Intelligence Service do about the IP address?
Opening, pursuing and closing the lead
On 12 November 2018, the New Zealand Security Intelligence Service opened the IP address as a lead and assigned it to a counter-terrorism investigator (see Part 8, chapter 5 for information on the New Zealand Security Intelligence Service’s leads process). The lead was assessed by the investigator, a more experienced investigator and the counter-terrorism manager as low priority, because:
- there was “insufficient information to assess nexus to national security”;
- there was limited information to suggest the intent, capability and imminence for potential violence and there was no obvious threat to public safety;
- the content did not display a clear ideology, as both Islamist and right-wing extremism were present;
- there were several possible reasons why someone might view this content, some of which would not raise national security concerns; and
- there was no other information to suggest it was “indicative of somebody who may be doing some bad things”.
The purpose of investigating the lead was to “identify the user of this IP address in order to assess their relevance to national security”. The New Zealand Security Intelligence Service carried out an initial check of its records, but it had no information about the IP address.
The New Zealand Security Intelligence Service used open-source look up tools that indicated that the IP address was associated with Spark New Zealand Limited (a telecommunications and internet services provider). On 14 November 2018, the New Zealand Security Intelligence Service submitted a Business Records Direction request to Spark New Zealand Limited seeking subscriber details for the IP address. A Business Records Direction, under sections 143–145 of the Intelligence and Security Act 2017, was identified as the “least intrusive and most practical means by which to identify the user of the IP address” (see Part 8, chapter 14).
The Business Records Direction requested the subscriber details for the IP address as at 31 August 2017, as this was the day on which more IP address activity had occurred than any other day in the date range.
On 28 November 2018, the New Zealand Security Intelligence Service raised the IP address as a new lead at the Combined Counter-Terrorism Investigations and Leads Meeting (the Joint Leads Meeting) attended by the Department of Corrections, Immigration New Zealand, New Zealand Customs Service and New Zealand Police (see Part 8, chapter 12). The New Zealand Security Intelligence Service noted that they “were taking steps to identify the user”. Agencies were asked to check their records and advise the New Zealand Security Intelligence Service if they had any information on the IP address. No agencies had any information on the IP address.
On 4 December 2018, Spark New Zealand Limited responded to the New Zealand Security Intelligence Service’s Business Records Direction. It confirmed that the IP address was “within a range of IP addresses owned by Spark” on 31 August 2017 and was “in the range for [Digital Subscriber Line (DSL)] Broadband” connections. Spark New Zealand Limited advised, however, that the date provided by the New Zealand Security Intelligence Service was too long ago for their records.
On 11 December 2018, the New Zealand Security Intelligence Service emailed Operation Solar to see if the IP address had “been active recently accessing any content of security concern”. The New Zealand Security Intelligence Service advised Operation Solar that it was looking into the IP address from a right-wing extremism angle. The next day, Operation Solar responded to the New Zealand Security Intelligence Service, advising that it could not identify any additional activity on the IP address.
Following the response from Operation Solar, New Zealand Security Intelligence Service staff discussed what, if any, additional steps could be taken to identify the subscriber details. New Zealand Security Intelligence Service staff did not consider it appropriate to ask the Government Communications Security Bureau for assistance with the lead. They thought it would not have met the threshold to obtain a warrant (see Part 8, chapter 14) and that the Government Communications Security Bureau would be unlikely to hold information on an IP address last used more than a year before the request.
No other open-source checks were carried out. This is because people do not usually post their IP address on social media or other forums, and therefore open-source checks are unlikely to link an individual with an IP address.
New Zealand Security Intelligence Service staff concluded there were no other options available for investigating the IP address and determined the lead should be closed. Before closing the lead, the experienced investigator peer reviewed the investigative steps taken on the lead and agreed the lead should be closed. The investigator’s manager told us they were not involved in the decision to close the lead.
On 12 December 2018, the investigator submitted the lead for closure and a manager in the Counter-Terrorism Unit approved closure of the lead. The New Zealand Security Intelligence Service noted that if the IP address came to its attention in the future, for instance through more recent reporting, another subscriber check would be submitted.
On 23 January 2019, the New Zealand Security Intelligence Service updated the Joint Leads Meeting. It said it could not identify the subscriber of the IP address and, because of that, the lead had been closed. It said that if the IP address came to its attention again, the lead would be re-opened.
Post-15 March 2019 review
On 16 March 2019, the New Zealand Security Intelligence Service reviewed 10 recently opened and closed leads that related to right-wing extremist ideologies. The purpose of re-opening these leads was to “identify any others who might hold similar right-wing views and be inspired by the 15 March attacks”. Investigating whether the IP address was associated with the individual was said to be a “useful” but secondary purpose.
The New Zealand Security Intelligence Service undertook the following checks to identify the subscriber of the IP address:
- It re-checked with Spark New Zealand Limited to see if subscriber information on the IP address was available.
- It requested assistance from the Government Communications Security Bureau (which sought information from Five Eyes partners). The Government Communications Security Bureau also analysed the IP address. It was “unable to discover any additional information beyond that provided by the [New Zealand Security Intelligence Service]” because there was “no indication of who the customer was” at the time of the activity in the intelligence held by the Government Communications Security Bureau.
- It requested assistance from Operation Solar.
- It sought advice from Security Liaison Officers about any assistance that partners may have been able to provide. Security Liaison Officers are posted overseas to engage with a broad range of key international partners. They represent the interests of the New Zealand Security Intelligence Service and are a conduit for information sharing, joint training and other forms of cooperation. Security Liaison Officers work closely with other New Zealand government staff posted abroad, particularly those with national security and intelligence responsibilities.
- It cross-referenced the IP address with data from the individual’s devices. The devices were the individual’s mobile phone, an SD card from the individual’s drone and his external hard drive, the latter two having been recovered by New Zealand Police (see Part 4: The terrorist). Spark New Zealand Limited also provided the New Zealand Security Intelligence Service with IP address information associated with the individual’s internet router at 112 Somerville Street, Dunedin.
- It cross-referenced the IP address with the individual’s online activity data sourced from ANZ Bank and Trade Me (provided to the New Zealand Security Intelligence Service by New Zealand Police). The ANZ Bank and Trade Me data was from the period 1 April 2018 to 13 March 2019. This is later than the IP address was accessing suspicious files.
None of these checks provided any further information about the IP address.
On 10 April 2019, the New Zealand Security Intelligence Service closed the lead again. The New Zealand Security Intelligence Service said that it had exhausted all possible options for identifying the subscriber of the IP address and it could not definitively exclude, or establish, a link between the IP address and the individual.
Was the lead correctly prioritised as low?
As noted earlier, the IP address lead was prioritised as low because, amongst other things, it did not have a clear national security nexus. It was reiterated to us during the hearing that the content accessed did not provide evidence of an imminent threat, the intent of the user of the IP address was unclear and the ideology was, on the face of it, also unclear. We agree the activity had occurred more than 12 months before the intelligence report received from Operation Solar. There is nothing in the material accessed to suggest an imminent mobilisation to violence that required the New Zealand Security Intelligence Service to act under urgency and therefore give the lead a higher priority.
Additionally, there are practical reasons why leads of this type should be prioritised as low. We were told during the hearing that many people view violent and extreme content online either out of curiosity or to fuel their ideology, but not necessarily in preparation for acts of violence. It would be impracticable, and produce false positives, if all leads of this type were given a medium or high priority.
We are satisfied that the lead was correctly prioritised as low.
Were all reasonable steps taken?
There were inquiries that the New Zealand Security Intelligence Service might have undertaken on the IP address lead but did not:
- It did not check with Five Eyes partners or New Zealand Public sector agencies other than those at the Joint Leads Meeting. This is because the New Zealand Security Intelligence Service assessed that it would have been highly unlikely for those agencies to hold information about the subscriber of a New Zealand IP address last used more than a year before the request.
- It did not request information from financial institutions because such requests usually require the identity of a person to be known before these checks are made.
- It did not check with the Government Communications Security Bureau. This was for two reasons. First, we were told that the chances of the Government Communications Security Bureau holding information about the IP address that it had not already passed on were slim. Second, we were told that it would overwhelm the Government Communications Security Bureau’s resources if all IP addresses (particularly those associated with low priority leads) were checked with it.
It is open to question whether checks with Five Eyes partners, other Public sector agencies, the Government Communications Security Bureau and, perhaps, financial institutions should have been carried out. At the time, the likelihood of such checks being successful was assessed as too low to justify making the requests. This assessment is supported by the lack of success the New Zealand Security Intelligence Service had in identifying further information relating to the IP address after 15 March 2019.
Given the lack of information available at the time, and the low priority of the lead, checks with the above-named agencies may not have met the “necessary and proportionate” test in the Intelligence and Security Act (see Part 8, chapter 14). Some of these checks may have required a warrant. And, even checks that would not have required a warrant may still have been disproportionate.
We are satisfied that the inquiries that were undertaken were reasonable.
3.5 Can the individual be associated with the IP address activity?
The IP address may have been based in Dunedin but we are not sure. Spark New Zealand Limited and the Government Communications Security Bureau both say that open-source look up tools are reliable to a country level and generally reliable to a city level. The Government Communications Security Bureau’s analysis suggests that the IP address “is part of a range of IP addresses used by Spark New Zealand Limited for internet access services in the vicinity of Dunedin … [and it] is likely that in the past, this IP address has also been assigned to some Spark New Zealand Limited broadband customers in the vicinity of Dunedin”. This is consistent with what Spark New Zealand Limited advised in 2018 - that the IP address was "within a range of IP addresses owned by Spark" on 31 August 2017 and was "in the range for DSL Broadband" connections.
Spark New Zealand Limited has recently informed us that it cannot find any records of activity associated with the IP address range 22.214.171.124–126.96.36.199 (which includes the IP address in which we are interested). It told us that it is possible that an overseas party may have identified this IP address range as unused and has advertised (and/or used) that range themselves. If this hypothesis is correct, there is no reason to associate the suspicious IP activity with Dunedin and thus the individual. We are not in a position to assess the likelihood of this.
The New Zealand Security Intelligence Service raised the possibility that the IP address was used as part of a Virtual Private Network (VPN) to conceal the location of the person accessing the suspicious files. If so, the person accessing the suspicious files may not have been in or around Dunedin at the time.
The discussion that follows proceeds on the basis that the IP address was probably based in Dunedin but may have been part of a VPN and was associated with a DSL connection.
Figure 37: Timeline of events relevant to the IP address lead
The individual arrived in Dunedin on a Jetstar flight from Auckland. He checked in to the Law Courts Hotel.
The individual purchased a mobile phone service from Spark New Zealand Limited.
The individual signed the lease for his flat in Somerville Street, Dunedin.
At 5.53 am (NZST), the IP address (188.8.131.52) began accessing suspicious files.
The individual checked out of the Law Courts Hotel.
The individual purchased a home wireless broadband connection. He picked up the wireless modem from the Spark New Zealand Limited store in central Dunedin.
At 12.47 pm (NZST), the individual set up and tested his internet connection with Spark New Zealand Limited at his Somerville Street flat.
The individual paid the application fee for a firearms licence.
At 7.33 am (NZST), the IP address (184.108.40.206) accessed suspicious files for the last time.
The individual made a request to Spark New Zealand Limited to change his internet from wireless service to fibre.
The shift of the individual’s internet service from wireless to fibre was completed. The individual received a new IP address following the shift.
The individual arrived in Dunedin on 20 August 2017 and spent four nights at the Law Courts Hotel while he looked for a flat and purchased a car. He told us that, at that time, he had a laptop. He also had a mobile phone.
On 23 August 2017 he signed the lease for his Somerville Street flat. We were told that it is highly likely the individual was given the keys to the flat on 23 August 2017 and therefore had access to the flat from this point onwards. On 24 August 2017, he checked out of the hotel, began living at the Somerville Street flat, purchased internet access, picked up a modem from Spark New Zealand Limited and established an internet connection.
The accessing of suspicious files started on 24 August 2017 and finished on 4 September 2017. On 5 September 2017, the individual contacted Spark New Zealand Limited and requested a shift to the fibre network. The switch to fibre was effective from 8 September 2017, which resulted in the individual receiving a new IP address.
There are several factors that might suggest that the IP address activity was associated with the individual:
- The accessing of suspicious files was via an IP address probably associated with Dunedin at a time when the individual was in Dunedin.
- The accessing of suspicious files occurred when the individual was taking concrete steps towards mobilising to violence. In particular, he applied for a firearms licence, paying his application fee on 1 September 2017.
- The content accessed is broadly consistent with the individual’s interests in firearms. The IP address accessed suspicious files on Magpul firearms parts and firearms tactics. We know that the individual later acquired Magpul firearms parts. We also know that he must have downloaded videos of firearms tactics at some time, because some were recovered from the SD card associated with his drone. While the firearms videos recovered from the drone SD card do not match the videos accessed by the IP address, it is possible that the individual downloaded, and later deleted, other firearms tactics videos that matched the suspicious files on firearms tactics accessed by the IP address. On his recovered “To do list” (see Part 4, chapter 6), he had instructed himself to go through and delete his videos to “make sure all is clean and good optics”.
- The content accessed by the IP address is consistent with the individual’s interest in the Oslo terrorist. We know that at some point the individual must have downloaded the Oslo terrorist’s manifesto. This is because it was recovered from the SD card associated with his drone.
- The hypothesis that it was not the individual who used the IP address to access the suspicious files might appear to involve quite a coincidence – that there were two people with an actual or probable connection to the same place (the individual who was in Dunedin and another person using an IP address probably associated with Dunedin) at the same time acting on similar interests in firearms and terrorism (the individual, by applying for a firearms licence and the other person, by accessing the suspicious files).
There are, however, some complicating considerations.
The IP address was associated with a DSL (Digital Subscriber Line) internet access service.
If the individual was responsible for the IP address activity, he needed to have had either his own DSL internet access service or access to another DSL internet access service (perhaps using public WiFi or a VPN) at 5.53 am on 24 August 2017 and to have had continued access to the same internet access service until 4 September 2017.
We know that the individual bought his modem on 24 August 2017, and that his internet connection was established at 12.47 pm that day at his Somerville Street flat. We can exclude the possibility that the IP address was associated with the internet connection established at Somerville Street on 24 August 2017 for two reasons:
- The individual did not have access to that internet connection until 12.47 pm, approximately seven hours after the accessing of suspicious files began at 5.53 am.
- The wireless internet access established did not use a DSL connection.
There are other ways in which the individual may have been responsible for the IP address activity. In particular, he may have accessed the suspicious files using:
- a previous occupant’s modem and internet connection or an unsecured WiFi access point at 112 Somerville Street (“the first scenario”);
- a free public WiFi service or free WiFi at a local business (“the second scenario”); or
- a VPN (“the third scenario”).
In each of these scenarios, the IP address would have been associated with the internet connection through which the individual accessed the suspicious files.
In the case of the second and third scenarios, it would have been practically difficult, perhaps almost impossible, to link the suspicious internet activity to the individual. For our purposes, they are thus of limited relevance. We will, however, discuss each of the scenarios in turn.
The first scenario, accessing the suspicious files from Somerville Street, could have happened in two ways. Spark New Zealand Limited had provided internet access to a previous occupant at 112 Somerville Street. Although the account was terminated on 3 August 2017, it is possible that the service remained intact and live. The previous occupant may have left the modem behind along with the password, assuming there was one. If so, the individual could have used it after he had access to the flat. As well, it is possible that there was an unsecured WiFi access point close to 112 Somerville Street (perhaps in a nearby residence) that the individual may have been able to use. Either of these mechanisms would have enabled him to access the internet from Somerville Street.
This first scenario assumes that the individual was at Somerville Street at 5.53 am on 24 August 2017. He had paid to stay at the Law Courts Hotel on the night of 23 August 2017 and checked out on 24 August 2017. Checkout is from 7.00 am–10.00 am. There is no obvious reason why he would have been in Somerville Street at 5.53 am. This is particularly so given that the individual’s flat was unfurnished on 23 August 2017 and he did not purchase any furniture until the afternoon of 24 August 2017. These timings indicate that this scenario is not particularly plausible.
In the second scenario, the individual accessed the suspicious files using the same public WiFi service or free WiFi at a local business (such as McDonald's or Starbucks). This, however, would have been highly inconvenient for the individual given the times of day the IP address was active.
We can illustrate the point just made by being more specific. It is possible that the individual may have used WiFi at the Law Courts Hotel to access suspicious files at 5.53 am on 24 August 2017 and then returned to that hotel to access, in the same way, the same WiFi over the next 11 days (that is until 4 September 2017). Leaving aside whether he would practically have been able to access WiFi there after checking out, it does not seem very likely that he would have gone to the trouble of travelling back to the Law Courts Hotel on all other occasions when the suspicious files were accessed, given that there were more convenient alternatives open to him. So, the second scenario too is not very plausible.
In the third scenario, the individual accessed the suspicious files using a VPN. In this scenario, the individual:
- started to access the suspicious files at 5.53 am on 24 August 2017, perhaps using his mobile phone and a VPN which used the Dunedin-associated IP address; and
- continued to access the suspicious files over the next 11 days, using either his mobile phone or other devices and connections, via the same VPN and Dunedin-associated IP address.
We have looked closely at the individual’s financial transactions over the relevant period. None exclude the possibility that he could have accessed the internet at the relevant times. However the individual made financial transactions around two of the relevant times of IP address activity – 7.45 pm and 8.15 pm on 24 August 2017 – that are relevant to the plausibility of the third scenario. The two transactions were:
- At 7.06.19 pm, the individual paid for some 20 household items at the checkout at The Warehouse South Dunedin using an Australian bank card, which was debited with AU$407.20.
- At 8.36.19 pm, the individual paid for groceries at the checkout at the Pak N Save supermarket in South Dunedin using an Australian bank card, which was debited with AU$176.74.
The two shops (The Warehouse and Pak N Save) share a carpark. It is about six minutes away, by car, from 112 Somerville Street.
The individual could have completed these transactions and accessed the internet at 7.45 pm and 8.15 pm by either staying in or around the two shops and using a mobile device or returning to 112 Somerville Street to access the internet from there and then driving back to shop at Pak N Save. The plausibility of the first option is questionable, given the convenience of accessing the suspicious files at his home and the inconvenience of doing so, presumably from his car, in between shopping. Equally open to question is the plausibility of the second option given timing constraints.
Allowing for the time necessary for the individual to get back to his car from The Warehouse checkout, put the goods in his car and drive back to 112 Somerville Street, he could have been there in time to access the internet at 7.45 pm. But if allowance is also made for unpacking his car at 112 Somerville Street and putting away his purchases in his flat, the timing becomes a little tighter.
The next relevant time for the IP address activity is 8.15 pm on the same night. In relation to this, the timing is distinctly tight. Assuming the individual left Somerville Street at say 8.16 pm, and making reasonable allowances for the time required to get into his car, drive to Pak N Save (six minutes away), park his car and walk into Pak N Save, he could not have commenced shopping before 8.25 pm. This leaves only 11 minutes to select AU$176.74 worth of groceries, get to the checkout and pay by 8.36 pm. All of this assumes that after the individual returned to his flat from The Warehouse, he began accessing the internet at 7.45 pm either without unpacking and sorting out the 20 items he had just purchased or doing so very quickly. It also assumes that he again accessed the internet at 8.15 pm but then left almost immediately for Pak N Save, without bothering to review the suspicious files he had accessed, drove to Pak N Save and selected and paid for a reasonably substantial amount of groceries, all within approximately 20 minutes.
The third scenario also assumes that:
- the individual used a VPN configured to use the same IP address on each occasion the suspicious files were accessed, thus creating a discernible pattern;
- the IP address was associated with New Zealand and Dunedin, meaning that the pattern created was associated with the country to which he had just moved and the city in which he had just started to live; and
- he therefore acted in an incautious way, which is not particularly consistent with the use of a VPN and his attempts at operational security.
The significance of the coincidence to which we have referred above (that there were two people with an actual or probable connection to the same place at the same time acting on similar interests in firearms and terrorism) depends on how common it is for such files to be accessed. On the material we have seen, this is rather more common than most people might expect.
In the end, we are not confident either way whether it was the individual who accessed the suspicious files. What is more significant is that, if he did so, it was almost certainly in a way that prevented him being linked to the accessing of those files.
For the sake of completeness, we note that during our interview with the individual we did not ask him directly whether he was responsible for the IP address activity. This was because the information relating to the IP address and the accessing of suspicious files had not been declassified at the time of our interview. We did, however, ask him some related questions. In response to these, the individual told us that:
- he did not download the Oslo terrorist’s manifesto until mid-2018;
- he frequently used public WiFi connections when he was travelling; and
- he was familiar with the use of VPNs and Tor browsers.
3.6 Could the IP address have come to light sooner?
We have considered if Public sector agencies were remiss in not earlier getting data on New Zealand-based IP addresses accessing content of national security concern, say in late 2017 or early 2018. We do not believe they were.
At the time, the New Zealand Security Intelligence Service did not have a tool to enable them to find IP addresses accessing content of national security concern. Operation Solar did not come with a list of capabilities and tools. So, it was for the New Zealand personnel to identify the capabilities and tools and test how they could be applied to support New Zealand’s counter-terrorism effort. This did not happen until well into 2018.
3.7 Concluding comments
We are uncertain whether the individual was responsible for the IP address activity. If he was responsible for accessing the suspicious files, he did so in a way that prevented the activity being linked to him. It was therefore not information that could or should have alerted Public sector agencies to the terrorist attack.
For the reasons given above, we are, in any event, satisfied that the New Zealand Security Intelligence Service followed appropriate leads management processes in dealing with the IP address lead.
1. The IP address was recorded incorrectly in the body of the intelligence report, but the raw data, attached to the report, correctly recorded the IP address. As well, the lead was originally opened by the New Zealand Security Intelligence Service using the incorrect IP address. This was corrected and did not affect the investigation of the lead.