It seems so long ago that minister of everything technical Paul Swain said we were going to get legislation to outlaw hacking. Why does it seem so long ago? Probably because it was. Our editorial database has a story from June 2000 saying the act isn't far away.
But even that wasn't the start of it all.
Before the current Labour government came to power I spoke with then-minister of justice, Tony Ryall, about another story I'd written ("Urgent cyber-law report languishes on government shelf"), pointing out that the Law Commission, the police, the opposition parties, the criminal law association and the country's law schools had all called for an urgent review of the law following a Court of Appeal decision in the case of R v Wilkinson. Wilkinson had dishonestly obtained money from a financial institution by claiming to own various vehicles and machinery that could be used as collateral. Although he was initially found guilty, the Court of Appeal ruled in his favour because the bank had electronically transferred the money to Wilkinson's account instead of paying him by cheque.
Ah, but we've fixed this cyberspatial loophole by now, right? Well, just. You once could have robbed a bank by means of electronic transfer and retired not to a country without an extradition treaty with New Zealand but to the Coromandel without any fear of prosecution.
But with the passing of the Crimes Amendment Bill last Friday, it will be illegal from October 1. Its passing is good news, but a major flaw in the wording of the act could mean up to 80% of hackers will never be convicted of hacking.
In relation to the new crime of hacking, specifically section 253 relating to "accessing a computer system without authorisation", Judge David Harvey's new book Internet.law.nz notes that accessing a system with authorisation is allowed. Makes perfect sense, really. System administrators, among others, are required to access parts of the system all the time. Making that a crime would mean the network couldn't be used by anyone.
Harvey says section 253 "does not apply if 'a person who is authorised to access a computer system ... accesses that system for a purpose other than the one for which that person was given access'." That means should you go on a file-deleting frenzy or change all the passwords or generally hack the system to bits, you can't be charged with hacking. Sure, you can be charged with other things -- destruction of property and so on -- but what's the point of enacting legislation that can't be used? Harvey points to a UN-sponsored survey that says 73% of the risk to computer security was attributable to internal sources and only 23% to external criminal activity.
By the way, if this problem sounds familiar to you, it's because Computerworld Wellington reporter Stephen Bell wrote about it in 2000.
Other e-legislation is far from perfect. The Electronic Transactions Act, which was passed on October 17 last year, is supposed to enable e-commerce transactions by ensuring online contracts and agreements have the same weight as paper-based transactions. So far so good, but law firm Simpson Grierson points out that the Ministry of Economic Development has listed a number of other acts that will need updating to make them ETA-compliant. These include the Credit Contracts Act 1981 and a number of Inland Revenue acts. Is there any sign of these acts being updated? Maybe by the end of this year, is the suggestion, with some luck and a tail wind and a bit of a push. Where does that leave us? Back in the early 1990s, by my reckoning. Welcome to the future, same as it always was.