Lawyers and internet users are detecting ever more problems with the proposed "anti-hacking law".
The measure, contained in the supplementary order paper to the Crimes Amendment Bill (No 6), seeks to prevent interception of “private communications” by an “interception device”. The inclusion of this concept is mistaken, commentators say. Emphasis should be on the actions performed rather than the device used.
“The issue is in my view correctly the act of interception for the purpose of possession,” says lawyer Craig Horrocks of Clendon Feeney.
“A radio scanner could be an interception device but a log of broadcast data is generally useless unless the receiver has both the intention to possess and the intention to use.”
Don Stokes, founder of Victoria University’s Netlink ISP and now running Daedalus Consulting Services, says the “interception device” concept produces legislation that is not technology-neutral, “and worse, fails to recognise that with digital communications, most interception is done by using the very communications equipment … that is carrying the traffic in the first place. The [clause] should be … a technology-neutral prohibition on the act of interception and control of the use of intercepted information, not a prohibition on the use of a specific class of hardware.”
David Elson, of systems integrator gen-i, fears the law could prevent the very acts of “interception” necessary to guard against hackers' intrusion.
“If I cannot use port-scan detectors, packet sniffers, anti-intrusion software and similar tools to prevent hackers, then the job of the hacker has suddenly become much easier,” he says.
The planned statute, whose next step will be public submissions early next year, applies only to interception of “private communications”. The definition of “private communication” excludes “a communication occurring in circumstances in which any party ought reasonably to expect that the communication may be intercepted by some other person not having the express or implied consent of any party to do so.”
So it appears any communication that the communicator suspects might be intercepted falls outside the protection of the law and may be intercepted with impunity.
“I admit the definition of ‘private communication’ seems almost circular,” says Michael Sage, head of law firm Simpson Grierson’s IT specialist X-Tech team. “But I don’t think the drafters could have done much better. Privacy is a subjective thing, and it’s up to the parties to the communication to say whether they expected the communication to be private or not.
“It’s a problem,” he says, “but not an avoidable problem.”
With regard to the "interception device" clause, the drafters seem to have been trying to make minimal changes to the existing act by simply substituting that phrase for "listening device". “It’s like painting over an existing layer of paint on a door rather than sanding back to the wood; after a while, it takes on a layered appearance … But I don’t see a serious problem in the way it’s been done.”
Sage, however, points to other problems which have emerged under British legislation, some of which (the Computer Misuse Act) is 10 years old. One key question is who pays when a government agency requires an ISP or telco to intercept - perhaps installing special equipment to do it. This still has not been dealt with in British law, and is certainly not addressed in the proposed New Zealand amendments.
He also cites the risk to the reputation of ISP and telco staff through their users regarding them as "spooks" for the government.
Sage's colleague, Sean Murphy, highlights other issues that have arisen in Britain:
- whether people would be required to disclose keys to encrypted material
- whether certain material, such as medical information, should have special protection
- whether people whose traffic has been intercepted should be notified of that fact at a later date.