The select committee report on the Crimes Amendment (No 6) Bill has proposed two new sections to the bill with significant implications for all web users. The first new section is targeted at denial of service attacks. The second targets the creation, distribution and possession of "hacking software".
There is no doubt that there should be laws to cover these situations. The questions that need to be answered are whether the proposed sections are adequate and whether they go further than necessary.
New section 251(2)(c) is designed to deter denial of service attacks.
In doing so it casts a very wide net. The section requires the "interferer" to recklessly or intentionally, and without authority, cause any computer system to deny service to any authorised users or to fail. The section is broadly drafted and may, in Techlaw’s view, cover less culpable cases.
Have you ever received an email with a virus attachment? Opening a virus-infected email attachment without virus checking, resulting in the virus being transmitted to every person in your address book, could be construed as reckless. The argument here is that every net user should be aware of viruses, especially with the front-page coverage they receive, and by not taking steps to ensure they do not propagate them, the user is acting recklessly.
However, for some people, this may seem to be taking the concept of “responsible use” too far. If this were the effect of the new section, every user would need to obtain and keep updated a virus checker as a pre-condition to internet use.
In Techlaw’s view, it is unlikely that a naïve or ignorant web user would be found to have acted recklessly. It is, however, possible that a person with a high level of understanding of the risks, such as an ISP, could be found liable.
The second addition is Section 252, which introduces a new offence that the select committee says is the crime of “being in possession of 'hacking' programs or other information in circumstances that show an intention to use it to commit a computer crime”.
While this may seem like a worthwhile amendment, there are a number of issues arising out of the precise wording used.
First, what constitutes a “hacking” program? You and I are probably in possession of a “hacking” program at present or have been in the past. The proposed definition is “any software or other information that would enable another person to access a computer system without authorisation”. This sounds like many useful network administration tools.
Second, the words “other information” are included in the definition. Although it has been commented that this would include the unauthorised distribution of passwords or digital certificates, it could include information on sites that attempt to educate people about hacking from a prevention perspective. Often there is little difference between the information on these sites and those that contain instructions on how to implement "hacks". The information that they provide could be more than useful in the commission of a crime. One possible solution is that the courts will look at the intention behind the mounting of the material, and therefore find that mounting of "prevention" sites is not a criminal activity.
The third issue is that the new section refers to software or other information used or able to be used for “the commission of a crime”. Unlike the select committee report, “crime”, as used in the section, is not limited to “computer crime”. Is the definition limited to unauthorised access crimes or does it means crime in general? If it is crime in general, the distribution, creation or possession of software for purposes other than “hacking”, for example, file transfer or copying software (which could be used for copyright crimes), could fall within the section.
The select committee has introduced these new sections at a late stage. There is no formal opportunity for public submissions. Techlaw’s concern is that new crimes may be passed without the necessary weighing of competing interests, for example, rights of "fair use" of copyright versus the property rights of copyright holders.
A reasonable opportunity for public debate should be available before such potentially far-reaching crimes are introduced.
Parkinson is a partner and Woo is a law intern in Clendon Feeney’s technology law team. This article, together with further background comments and links to other web sites, can be downloaded from www.clendons.co.nz. Questions and comments can be sent to Averill Parkinson.