PoliticsJune 12, 2019

Why the Treasury non-hack may still have been illegal


Just because Budget 2019 was technically accessible doesn’t mean it was legally fair game for National, writes AUT law professor Kris Gledhill.

It is, of course, still theft if there is inadequate security in the shop to guard against shoplifters; or if someone takes something from a roadside stall with an honesty box and doesn’t put any money into the box. What if what is taken is information from a website that is not yet public but which has been set up without enough safeguards against premature access?

Let’s assume that someone finds such a website with a flaw that allows snippets to be accessed and so puts together 2000 searches to allow a good deal of information to be compiled. Is that an offence? And is there a defence along the lines of “Well, you didn’t do enough to stop me”?

The answer turns on the coverage of the computer related offences added to New Zealand law in 2003. The most obvious one is the crime of “accessing a computer system without authorisation”. There is a wide definition of a “computer system”, and if it doesn’t include the servers where websites are stored, that would be a major flaw in coverage.

There is also a definition of “access” that includes taking data from the system. Whether there is an authorisation is a factual matter: but it seems fairly obvious that a person who has to perform multiple searches to get snippets of information is acting without an authorisation.

What is the key question for whether this is criminal is whether the person involved knows they do not have the relevant authorisation or at least knows there is a risk of that lack of authorisation and proceeds anyway. Again, this is a factual matter: but my money would be on the prosecutor being able to show this test was met in the case of those who work in politics and are aware that budget information is meant to be secret until it is released.

This offence is defined in section 252 of the Crimes Act 1961. It carries two years’ imprisonment, which is the same maximum as when a male assaults a female. There is simply no defence of “but your security is rubbish”. It covers a variety of situations: for example, getting around a password by guessing that it is “1234” or “password”; or continuing to access a members’ only part of a website of a group you have left, which you can do because the IT people haven’t got round to blocking your sign-in.

The offence also covers serious situations such as someone getting into a website with private or financial details because of a security flaw. The question is not whether the security was good enough to prevent access: the question is whether there was authority to get access.

There is also a more serious offence, set out in section 249 of the Crimes Act, which is made out if there is access to a computer system and some additional elements. The person must obtain “any property, privilege, service, pecuniary advantage, benefit, or valuable consideration” or cause “loss to any other person”. The person must also act dishonestly or by deception: these are alternatives, with deception involving such matters as pretending to be someone else. Dishonesty simply means not having permission. In addition, there must be a lack of a “claim of right”: but this is a very narrow situation involving a claim to have a property right to the material obtained.

This carries seven years’ imprisonment (or five years if the person intended to obtain the benefit or cause the loss but did not succeed). The main question to be answered is whether early access to information that is going to be made public is a matter that involves a benefit. The Court of Appeal noted in a case in 2014, R v Watchorn, that non-pecuniary advantages were covered by this.

In short, while the police have indicated that they are not interested, there are some pretty good arguments that one or more provisions of the Crimes Act were breached. The important issue in the computer-related offences is one of permission to access, and that does not arise from a failure to have adequate security to prevent those who take advantage of vulnerabilities. Obviously, there isn’t a crime unless someone is convicted on the basis that all the elements are clearly established: but the implication that there was clearly nothing criminal in the activity is difficult to square with the statutory language.

Keep going!