Somewhere in the back of an Auckland police station sits a computer, doing little except gathering dust.
And no, it's not connected to the Incis system. This machine, confiscated by officers following a hacking attack on one of the country's Internet service providers in 1998, has not seen any follow-up action since.
Why not? Because it's not clear the action was against the law - despite the fact damage was done to the ISP's business.
That dusty PC stands as a silent, reproachful tribute to the country's lack of a comprehensive law covering electronic crime. And it's a lack that was pointed out over a decade ago.
A 1989 Crimes Bill aimed at an over-arching revamp of the country's criminal code included a clause on electronic crime which would have essentially made unauthorised access to other people's computers, and any resultant damage or removal or copying of information, illegal.
And although in 1991 a committee of lawyers, headed by Justice Casey, recommended a more specific set of rules based on that 1989 draft, the bill got stuck in the legislative sausage machine and lapsed at the end of the 1993 Parliament. The existing Crimes Act is still the 1961 version, and still lacks any provisions that might cover illegal access and damage online.
Cabinet papers obtained under the Official Information Act show increasing official disquiet about this hole in the country's laws.
"New Zealand has fallen behind Australia, the United Kingdom, Canada and the United States - among others - in not having specific computer offences," the Cabinet's social policy committee was advised late last year. Some jurisdictions have had specific computer misuse laws since the 1970s, the papers point out. And computer crime has become "a significant and serious problem" with the potential to affect a large number of people and businesses.
What finally spurred the policy makers into action were two attacks on Internet service providers (ISPs) which caused major disruption and even more major embarrassment.
First was deletion by a hacker of more than 4500 personal Web sites administered by Ihug. This was closely followed by a disgruntled former Xtra customer getting hold of its client database - including passwords - and misusing them.
There have been other, less well-publicised incidents, says Wellington lawyer Chris Patterson, of Hesketh Henry.
The papers obtained, which cover a series of Cabinet briefings, stress the urgent need for a law change. They highlight the need for greater certainty, if only for practical commercial reasons. Officials made it clear to the last government - as have numerous commercial interests - that if it wanted to turn talk about the "knowledge economy" into reality there had to be better legal safeguards for firms venturing online.
At least one firm, an Auckland-based travel company, shied off a strong Web presence after the Xtra attacks in November 1998. The attacks came in the midst of an extensive Web site development for the firm, but after the security breaches that firm's management cried off.
"We'd like to see better safeguards, both legal and technological," says the company's IT director, who does not want his, or his firm's name, publicised.
It's safe to say that the IT director's position reflects the position of a number of other businesses. Just how many, no one knows. Few firms are willing to put their hands up and say publicly they have had a security breach.
And there have been no real attempts by central government to estimate the size of the problem in this country.
In the US, government studies have put the value of damage at $US8 billion a year. A similar UK study put the level at œ1 billion a year.
Here, the closest officials have been able to come up with is a joint Australia and New Zealand study. But as this lumped businesses that had had some form of unauthorised access to their computers with those who were unable to say whether or not they had had a problem, this was of limited use.
Following the Ihug and Xtra attacks, the 1991 rules were dusted off and taken to Cabinet.
The necessary changes were classed as "urgent" on the legislative calendar and put into draft form, which became the Crimes Amendment Bill No 6.
That was a year ago. The bill is still before Parliament's law and order select committee; submissions closed earlier this month.
It's not as if the last decade has seen any radical rethinking by officials of the legal approach to computer misuse. The provisions in the new bill are basically the same as those recommended by Justice Casey's 1991 committee, with a few refinements which take into account technological developments since then.
Some of the problems raised with the current law do sound rather like a make-work scheme for lawyers. For example, the Court of Appeal ruled in a 1998 case that the law against obtaining by false pretences does not apply where there is a fraudulent transfer of electronic funds. This is because the law covers, in what was intended as a phrase covering anything the policy makers had not thought of, "anything capable of being stolen".
In R v Wilkinson the Court of Appeal ruled electronic funds were not capable of being stolen, even though, in that particular case, they were.
The other main gap in the current law is that concerning the fraudulent taking or destruction of a document. "Document" is not defined in this part of the 1961 Act, and the presumption is that it does not include a document held on a computer. The reason the presumption is against including documents on a computer is, according to the Cabinet papers, that in the part of the act covering forgery, document is defined, and it does include computer data.
Another gap relates to the "obtaining by false pretences" clause. The current law says for there to be a crime there must be a deceived victim. The Court of Appeal has ruled that although a machine such as a computer can be deceived, it is not the victim. And as the person who is affected by the deception is not actually deceived, there is no crime.
The bill currently being considered will plug such gaps. But they do not go far enough, says Patterson.
The bill makes it illegal to:
- Access a computer system for a dishonest purpose (seven years maximum imprisonment);
- Attempt to access a computer system for a dishonest purpose (five years); and
- Damage or interfere with a computer system (seven years maximum imprisonment).
There is also an amendment to the Summary Offences Act, which makes straightforward hacking an offence, with a maximum of six months imprisonment. The Cabinet papers reveal a debate over whether or not to make hacking illegal, but come down on the side of making it a minor offence.
While hacking in itself is seen as a relatively minor matter, it may be "a prelude to more serious offending and ... potential hackers may be relatively easily deterred by criminalising such activity".
Ministers of the last government were also advised that the bill would require little or nothing in the way of more spending.
"The costs of implementation are expected to be small ... police will monitor the costs associated with this proposal in case costs are greater than expected and additional funding is required."
These costs can be expected to be watched even closer given the police's recent 20% budget blow-out.
It is that approach which Patterson believes is a large part of the problem.
"There has to be some sort of system put in place whereby people in business on the Net can feel secure with the transitions taking place," he says. "Now, how the government goes about that I don't know, but I do know government has to direct more resources into cracking down on credit card fraud, and they need specific legislation to bring that into focus."
The bill is, he says, "a bit of window dressing for the bigger issues. As far as legislation to deal with crime, and to assist e-commerce to move forward, the big thing is credit card fraud. And until that is addressed, people are going to hold back."
The other area that he sees as being of growing concern - and which is covered by the present bill - is the recent spate of "denial of service" attacks.
"What is being proposed will only go some way to addressing those. I don't think the government has looked at what has happened in these attacks in the US."
In addition, the police electronic crime unit needs to be given more resources, he says.
"They can't afford to prosecute people at the moment anyway. It's all a bit ridiculous when they have one individual to service the entire upper half of the North Island."
Meanwhile, in a more recent development, the new government announced its intentions to introduce an Electronic Transactions Bill, based on recommendations of the Law Commission. Based on a recent Australian law, this is likely to amend current antiquated practices such as the legal requirement that certain documents be in writing, be signed, or be kept in their original form.
In addition, the advent of computers and the Internet means some laws requiring the physical presence of people when signing a document is no longer absolutely necessary.
The details are not yet known, but the act is scheduled to be passed this year. Given that the Crimes bill was due to be passed last year though, it would be an optimist who expects the bill to become law by December 31.