If it proceeds, this legislation would make accessing a computer system without authorisation a criminal offence punishable by a maximum of two years' imprisonment. The bill still needs to be debated and voted on before becoming law.
The contents of the bill have been widely debated. For the moment I would like to address two specific points raised by commentators recently about issues surrounding denial of service and dealing in or possessing software to commit a crime.
Part of the new legislation covers someone who sells or supplies software or other information that would enable a person to access a computer system without authorisation – the sole or principal purpose of which he or she knows is the commission of a crime; or that he or she holds out as being useful for the commission of a crime.
There has been concern that this could affect people who deal in IT security software or such information. The legislation will not criminalise the legitimate use of IT security software. But if a salesperson of IT security software holds it out as useful for committing crime, then they could be committing the offence. If they hold it out as useful for protecting systems (even if they know it can be misused to commit crime), then they will not commit the offence. Basically, if a person is promoting something as useful for committing a crime, then they should be criminally liable. Having said that, I do intend making a small amendment to make the section clearer.
Secondly, there is the issue of denial of service. The bill says, "Everyone is liable to imprisonment for a term not exceeding seven years who intentionally or recklessly, and without authority … causes any computer system to fail or deny service to any authorised users". The key words here are "intentionally or recklessly". This does not mean an innocent accident. (Criminal recklessness requires that someone deliberately and unreasonably takes a risk knowing the possible outcome.) For example, an innocent accident may be when a computer program with "bugs" in it causes a computer system to fail or a person sends a virus without knowing they have. Unless these things were done intentionally or recklessly they would not be regarded as criminal behaviour.
Also, this offence is not a blanket prohibition on causing any computer system to fail; the action must be unauthorised. For example, an ISP which denies service to authorised users for legitimate reasons has nothing to fear from this offence. The ISP, as the owner or operator of the service, has the authority to do this and would not be breaking the law.
The general feeling among commentators and legal experts is that New Zealand needs specific computer offence laws. While a couple of recent "hacking" cases have been successfully prosecuted under present law, it is accepted that these were cases of the court broadly interpreting the law. It is not always possible for the courts to extend existing offences to cover computer crime. Also it is not very apparent to the public that an offence called "taking or dealing with certain documents with intent to defraud" might cover some computer hacking. Our present law does not cover all the types of unauthorised access to a computer that the offences in the bill will cover. What we need is legislation that details specific computer offences to help make clear to the public that this type of conduct is considered criminal.
I am hopeful the Crimes Amendment (No 6) Bill will be passed into law by the end of the year. It is a piece of legislation that is long overdue.
Swain is Minister for IT.