Hacking law has insider flaw

The proposed law against computer hacking, scheduled to be referred last week to a parliamentary select committee, leaves hackers within an organisation untouched.

The proposed law against computer hacking, scheduled to be referred last week to a parliamentary select committee, leaves hackers within an organisation untouched.

The proposed amendments to the Crimes Act don't outlaw the abuse of computer systems by employees authorised to access the organisation's computer who use it in an unauthorised way.

There have been cases of police staff accessing the Law Enforcement System - the so-called "Wanganui computer" - for unofficial purposes, such as checking on a person's criminal record for a friend. And there is a wealth of anecdotal accounts of dismissed or disaffected employees walking off with company information from the system.

Yet the proposed law specifically exempts such behaviour from its provisions. The hacking section of the bill (Section 305ZFA) comprises subsection (1) prohibiting unauthorised use of a computer, and subsection (2), which says: "To avoid doubt, subsection (1) does not apply if a person is authorised to access a computer system or part of a computer system for a specified purpose or purposes, but accesses it for some other purpose or purposes."

"Such misuse may be cause for disciplinary action or a charge under some other offence," says Ministry of Justice senior policy adviser Vivienne Morell, who helped draft the proposed statute.

"Note the comment of the English Law Commission Computer Misuse report (1989)," she says: "'An authorised user should not commit a hacking offence merely because he uses the computer for an unauthorised purpose . Our view remains that there is nothing to distinguish the misuse of an employer's computer from the misuse of the office photocopier or typewriter, and it is therefore inappropriate to invoke the criminal law to punish conduct more appropriately dealt with by disciplinary measures'."

The proposed New Zealand law defines "part of a computer system" and prohibits someone authorised to access one part of the system from accessing another part "for example, the payroll system," she notes.

Police accessing the Wanganui system for unauthorised purposes were mostly dealt with by internal discipline, a police spokesman says, and there "may have been" some prosecutions under the old Wanganui Computer Centres Act which had an "unauthorised use" provision capturing internal misuse.

Overseas hackers accessing New Zealand computer systems may be caught by the proposed statute, says a spokeswoman at the office of IT Minister Paul Swain, who introduced the Supplementary Order Paper containing the proposed amendment.

"New Zealand courts have jurisdiction where any act or omission forming part of any offence, or any event necessary to the completion of any offence, occurs in New Zealand (whether the person charged with the offence was in NZ or not at the time of the act, omission, or event - see section 7 of the Crimes Act).

"If any part of an offence took place here, then it may be possible to extradite the alleged offender to New Zealand. If you are hacking into a computer system here, then part of the offence happened here. That means that if you can catch the person overseas, you could extradite them and prosecute them under New Zealand law.

"Anyone hacking from New Zealand into an overseas system would be hacking and breaking the new law."

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments