Just what is this thing called computer

There’s nothing like a controversial proposal to get some discussion going. We suggested (Hacking law leaves insider hole) that the exclusion of “authorised” employees from the “unauthorised computer access” provisions of the Crimes Act leaves a hole for internal hackers.

Justice Minister Phil Goff has put up a rebuttal, to which we have replied, and lawyer Michael Wigley, speaking to the Computer Society last week, also said Computerworld and other sceptics are most likely wrong.

One of the crucial points of Wigley’s argument is the way “computer system” is defined, and particularly whether the definition of “part of a computer system” makes such a part arguably “a computer system” in itself.

First, however, Goff and Wigley both make the point that elsewhere in the latest amendment to the Crimes Act and in other parts of the existing act, ample provision is made against the purposes for which a hacker usually hacks.

The offence of “accessing computer systems for dishonest purposes” (Section 249) means a person is convicted if either s/he gets a benefit or causes loss.

“The person can be convicted even though s/he doesn’t gain anything, so long as loss is caused to another,” Wigley says.

“That could cover deliberately infecting with viruses, bringing a system down, hacking so that payments are made by the target organisation to third parties and so on.”

Section 250, dealing with damaging or interfering with a computer system, covers intentional impact on computer systems. This includes cases in which there is danger to life such as from the failure of an air traffic control system, he says, and those who, without authority, do things which impact on data, software and computer systems such as networks. This section, like s249, affects employees as much as it does external offenders.

Under s252, however, a person can be convicted if, without authorisation, he or she simply accesses a computer system, intentionally. This is where the exclusion for “authorised” users comes in.

Even under this section, an internal hacker could still be convicted because of the definition of “computer system”, Wigley argues. A “computer system” means any one of the following: a computer, two or more interconnected computers, any communication links between computers, or two or more interconnected computers, plus communication links. “Computer system” is also defined to include any part of those four items.

It’s not clear whether the use of the word “include” means that any part of a computer system is a computer system of itself, Wigley says. It might be hard to argue, for example, that a disk is a computer system. But if this is meant, then a person authorised to access one part of a system, who accesses another part, even down to a different sector on a disk, may be deemed to be accessing “a computer system” that they are not authorised to access.

Curiously, the definition of part of a system was more clearly expressed in the first-reading copy of the bill, and according to a drafter in the justice department at the time, deliberately implied that authority to access one part did not necessarily confer authority to access another (Hacking law has insider flaw). The final definition is less clear, Wigley says.

He expresses admiration for the amendments, which he calls “a smart piece of drafting”: the law is likely to confer continued protection in the face of technology change, and it negotiates well the delicate line between acceptable and unacceptable computer use.

Bell is a Wellington-based reporter for Computerworld. Send letters for publication in Computerworld to Computerworld Letters.
