Starlink for NZ Defence: Is Elon's DOGE and Palantir Connection Worth the Cybersecurity and Privacy Risks?
Originally published via IT Professionals NZ
When the New Zealand Defence Force signed off on Starlink, they weren’t just selecting a communications provider. They were stepping into a geopolitical ecosystem shaped by Elon Musk, controversial US data consolidation efforts, and limited contractual safeguards for mission-critical use.
The move caught the attention of local cybersecurity professionals, many of whom questioned the security due diligence behind the decision. Starlink’s own Terms of Service state that its offerings are not suitable for life-critical applications. Its privacy policy, meanwhile, offers few guarantees around end-to-end encryption or data handling. Add in Musk’s documented ties to the US Department of Government Efficiency (DOGE) and Palantir, and the risk calculus shifts sharply.
For a small country that values sovereignty and independence, this isn’t just about bandwidth. It’s about control.
TL;DR: Starlink’s entry into New Zealand’s defence communications raises red flags around data sovereignty, vendor trust, and encryption guarantees. With corporate ties to US surveillance-adjacent entities, NZDF must implement military-controlled encryption and robust oversight to mitigate risk.
Original Article
The recent approval of Starlink's satellite communication services for New Zealand military use has raised eyebrows within the local cybersecurity community. According to a Newsroom article published on July 16, 2025, the NZ Navy's procurement of Starlink was initially derailed by significant security concerns, only to later be authorized despite these reservations (Meyer, 2025).
Feedback from anonymous Kiwi cybersecurity professionals highlights skepticism regarding the Defence Force's decision. One commenter succinctly remarked, "Clearly their mistake was running it past the infosec people before the whole thing had been signed," suggesting a troubling disconnect between operational urgency and cybersecurity due diligence. Another commenter noted, with prudent caution, that encryption should at least be mandatory for military communications, highlighting inherent vulnerabilities in all communication networks, Starlink included.
As a cybersecurity professional who recently relocated from the United States to New Zealand, my perspective aligns closely with these concerns. While Starlink has proved valuable in emergency scenarios such as disaster relief, its use in military contexts requires heightened scrutiny, particularly given its corporate ownership structure and Elon Musk's involvement in controversial data consolidation projects in the U.S. Musk's association with the Department of Government Efficiency (DOGE), aimed at centralising American private data (Kelly & Elliott, 2025) for "efficiency", and his close ties with Palantir, known for feeding large-scale AI systems, pose serious risks. There is a concerning possibility that unclassified military data could eventually, and unintentionally, become training material for AI platforms such as Palantir's systems, undermining New Zealand's data sovereignty.
Examining Starlink's own Terms of Service and Privacy Policy reveals the validity of these security concerns. Starlink explicitly states its services are not designed for "mission-critical or safety-of-life service" (Starlink Terms of Service, 2025). This inherently contradicts the nature of military operations, emphasizing the need for careful consideration and additional safeguards.
Additionally, Starlink's Privacy Policy states that while they "encrypt information sent via the Starlink services to and from your Starlink equipment," there is no explicit commitment to end-to-end encryption or guarantees against third-party data analysis (Starlink Privacy Policy, 2023). On the contrary, the policy states, "we cannot guarantee that our security measures will prevent every unauthorized attempt to access, use or disclose personal information." Such limited encryption and privacy measures pose a clear vulnerability when handling sensitive or potentially sensitive data, increasing risks of unauthorised access and data leakage.
Furthermore, Starlink's policies regarding data retention and sharing remain troublingly vague. Their privacy policy indicates data retention periods extending "for the life of the account + 2 years," and the company openly admits, "we cannot guarantee that our security measures will prevent every unauthorized attempt to access, use or disclose personal information" (Starlink Privacy Policy, 2023). Given the sensitive nature of military communications, the risk of unauthorized access and data leakage is a critical concern that must be addressed proactively.
In conclusion, if New Zealand's Defence Force proceeds with utilizing Starlink, stringent encryption measures using keys exclusively controlled by New Zealand's military must be considered an absolute baseline requirement. The potential risks associated with reliance on third-party satellite communication services owned by foreign entities, particularly those with opaque or problematic data handling practices linked to controversial data centralisation efforts like DOGE and Palantir, demand rigorous security controls beyond standard commercial practices.
References:
Kelly, M., & Elliott, V. (2025, April 18). DOGE is building a master database to surveil and track immigrants. Wired. Retrieved from https://www.wired.com/story/doge-collecting-immigrant-data-surveil-track/
Meyer, F. (2025, July 16). Starlink approved for military use in NZ. Newsroom. Retrieved from https://newsroom.co.nz/2025/07/16/starlink-approved-for-military-use-in-nz/
Starlink. (2023, May 1). Privacy Policy. Retrieved from https://www.starlink.com/legal/documents/DOC-1000-41799-67
Starlink. (2025). Terms of Service. Retrieved from https://www.starlink.com/legal/documents/DOC-1020-91087-64
