The emails that form the basis of researcher Nicky Hager’s book The Hollow Men, which forced National Party leader Don Brash to resign, could well trigger the country’s first prosecution for theft of email.
The book, partly based on email between Brash and his senior advisers, might be subject to the Crimes Act’s cyber-laws, should anyone be prosecuted.
But what aspect of the Act would the offence, if indeed any has been committed, be brought to bear?
According to the Crimes Act, section 252, subsection 1, a person who intentionally accesses a computer system without authorisation, knowing that he or she is not authorised to access that computer system, is liable to imprisonment.
However, subsection 2 says that the act does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access. Some commentators have questioned whether this could mean users could get away with accessing and using information in ways they were not supposed to.
Manukau district court judge David Harvey explains that the subsection 2 is there mainly to protect employees.
“There are circumstances where people, in the course of their work, may wish to gain access to materials that they are not authorised to have access to,” he says.
For example, an employee that has access to a documentation section may want to have access to payroll. Under subsection 1, the employee would have committed an offence when he or she gained access to payroll.
“And you can be dismissed immediately by your employer for breaking the law,” says Harvey. “Subsection 2 is in there, so that if there was to be a complaint by an employer that an employee had accessed a part of the computer system that the employee wasn’t meant to and the employer wanted to sack the employee, then the employer would have to go through the proper dismissal procedures.”
However, if an employee not only accesses a part of the computer system that he or she is not meant to access, but accesses it for dishonest purposes, the employee could be charged under section 249 (accessing a computer system for a dishonest purpose) or section 250 (damaging a computer system), says Harvey.
Barrister Clive Elliott, who specialises in ICT law, gives another example: an ICT consultant could be employed to delete certain software and load other software but in doing so accesses other parts of the computer system, for instance confidential and commercially sensitive information, knowing that he or she is not allowed to do so.
“The exemption is designed to ensure that that will not amount to a criminal offence,” says Elliott.
On the other hand, if the ICT consultant accessed a confidential and commercially sensitive file in this way, that may very well amount to a breach of confidence, he adds.
“The party harmed as a result would need to show that not only had the information [been] accessed but it had been used by the ICT consultant and that this was to the owner’s detriment,” says Elliott.
In the National party email situation, the key issue is going to be if the person that accessed the information had authority or not, says Elliott.
The discussions in the media so far have been around whether the emails were leaked or stolen — Hager saying they were leaked and Brash saying they were stolen. But Elliott points out that a leak could be unauthorised and could be based on stolen material.
“In the email scenario, a person who improperly obtains and then uses confidential emails may avoid criminal sanctions but still face liability for breach of confidence or possibly a breach of privacy,” says Elliott.
The information that Hager used for the book came primarily from six National Party sources who were concerned about the party’s direction and tactics, according to the Dominion Post. Last week, Brash wanted the emails handed to the police, but Hager said he had returned all copies to his sources.