The second of the big legislative bricks in the continuing effort to bring the law reasonably up to date with ICT was cemented into place this year, with the Crimes Amendment Act 2003 criminalising “unauthorised” intrusion into computer systems.
Hacking, in theory at least, is now punishable by a prison term of up to two years, even when no damage has been caused to the system and no gain has accrued to the hacker.
This legislation was acclaimed as a facilitator of electronic commerce, complementary to last year’s Electronic Transactions Act. “Crimes Amendment No 6” has been in the works for four years, with industry pundits complaining ever more loudly that electronic commerce would not take off without such elementary user protection.
The act passed the final stages in July. A good deal of media and parliamentary attention during the final stages went on the negative aspects – the exemptions granted to police and intelligence agencies to intrude into computers and intercept emails under warrant.
Unnoticed by many who made a fuss about those particular agencies, a blanket exception was written into the measure at Section 252(3), empowering any government agency to intrude without a warrant “under the authority of any act or rule of the common law”.
Parliament denied Green MP Keith Locke’s proposed amendment to make a sample of the warrants served during the year open to audit by a neutral authority.
Other parts of the act prohibit the interception of “private communications” and the possession or sale of software for hacking purposes. InternetNZ and others successfully campaigned for this clause to be fine-tuned to exempt security-testing and network administration software.
In the latter part of this year, public concern about official intrusion powers has recrystallised around the Telecommunication (Interception Capability) Bill. This does little more than make technical provision for the execution of the rights conferred in the Crimes Act. But Locke sees entrenching of a technical interception capability as facilitating a slide down the “slippery slope”, with police and security agencies likely to request powers for “even greater surveillance of our personal communications”.
Moves toward reform of the copyright law to account unambiguously for electronic media proceeded quietly, with evidence that New Zealand officials have forestalled problems in areas such as caching, which continue to trouble Australian law.
Following a discussion paper inviting public responses, Cabinet issued a paper in June with its policy recommendations. These include protection for internet service providers involved unknowingly in transferring copyright material, and exceptions for caching web pages, even long-term by educational institutions. Penalties are proposed for making available devices to circumvent digital rights protection mechanisms. This proposal occasioned some controversy regarding over-zealous or clumsy protection, which might prevent users doing legal things such as copying for “fair use”.
Amendments to copyright law are planned to come into Parliament next year.
Patent law also came up for re-examination during the year, with proposals to make it tougher to claim a patent for obvious or uninventive developments and to extend the search for “prior art” – previous inventions that negate a patent – to the international as well as the domestic front.
This was against a background of hurried New Zealand industry moves to object to Canadian company DE Technologies’ wide-ranging patent on fundamental aspects of e-commerce and Amazon’s patent on the cookie-based “one-click” ordering system.
The definition of software and the rights and value appertaining to it came in for a few tweaks. After some nervous debate in the industry, a legal decision firmly established that developers who incorporate code they previously developed into an application for a client still own that code and can freely reuse it in a new project.
Late in the year came a call from some tax experts for an unambiguous statement in tax regulations of the elements of software that would qualify for depreciation. This followed a finding in favour of the IRD against Actonz Management Services, which ran a software investment scheme found to be, in some respects, a “sham” aimed at income tax and GST avoidance. Some lawyers fear that without clarification the decision could impact legitimate depreciation claims on software.
Back on the “hacking rights” front, Keith Locke again in Parliament and IT-skilled judge David Harvey raised concern about the broad sweep of a counter-terrorism provision that would require suspects to disclose computer passwords and encryption keys even if material revealed by the keys would be likely to incriminate them. While nominally preserving the right to refuse self-incriminating information, the Counter-Terrorism Act, now passed, specifies that the self-incrimination protection applies only to the key itself, not the information it may reveal. This may lead to some creative devising of encryption keys to contain such self-incriminating data.
Hackles were further raised by the password provision’s application to a wide range of offences covered by the Summary Proceedings Act and reaching far beyond terrorism.
Last year the government strangely tried to introduce similar encryption-breaking provisions into the Climate Change Response Bill, to prevent businesses hiding evidence of reckless emission of “greenhouse gases”. As this year began, well-informed submissions persuaded them to back down, but the end of this year saw our encryption protection essentially stripped away.
Perhaps the biggest push for legal protection during the year was not fulfilled. This was the call for measures against spam. The Ministry of Economic Development produced some thoughts on the subject, but prevailing opinion regards law as a complement to voluntary compliance codes and technical filtering mechanisms. And associate IT Minister David Cunliffe and other official sources have suggested that spammers’ rights to freedom of expression – as well as the sheer difficulty of defining spam – might handicap any attempt to legislate against it.
The illegal-porn-trading bogey loomed periodically throughout the year, at one point leading to a suggestion from Justice Minister Phil Goff that unless ISPs came up with a workable code of practice they might be brought under a government licensing scheme. The threat was formally withdrawn late in the year, but only for the present, Goff made clear.
The amendment bill to censorship law, tabled this month, is light in its impact on ICT. It makes it clear that trading of illegal publications need not be “for gain” (files are frequently swapped “in kind” in online arenas) and expands the concept of “distributing” or “supplying” a publication to include “providing access to”.
Of possibly more moment was a legal finding in the case of school principal David Young that merely looking at an objectionable image constitutes “possession” even though the file is not consciously saved. This brought some disquiet that users might become liable for a spam message examined and hastily deleted. Goff assured the public that this would not be so, or at least that unintentional reception would be a defence to any charge; but this is not clearly expressed in the bill as initially tabled.
The bill also imposes no specific restrictions on the right of law-enforcement officers to search and “seize” publications electronically (as they have been doing by examining files offered on P2P channels). By contrast, the requirements for warrants for a physical search of private premises and for officers to identify themselves when formally inspecting public premises such as video outlets are covered in some detail.
In summary, 2003 was another year in which a legal system grounded in the physical world came competently or haltingly to accommodation with a little more of the “virtual” world.
When it’s caught up with today’s position, of course, ICT will have moved on.
We’ll have to hope Aesop was right and the “slow and steady” legal tortoise will eventually overtake the ICT hare.