One of the more controversial pieces of proposed legislation introduced to Parliament in the past year has been the introduction of email interception powers for the police, SIS and GCSB.
Despite assurances from the minister responsible for the introduction of this legislation, Paul Swain, that “law abiding citizens who are not involved in criminal activity have nothing to fear”, there is still strong opposition to the legislation on privacy grounds.
One of the issues raised by opponents to the legislation is that the time for public debate and submission has been very short. The email interception powers were introduced by way of supplementary order paper in November last year, with submissions closing on March 2 this year and the law and order select committee originally due to report back to the House in May (this has now been extended to July 27).
One of the reasons given by Swain for the relatively speedy review process was that, as the supplementary order paper also created a new crime of hacking, the legislation was urgently needed to protect privacy.
At the time it was commonly thought existing legislation was inadequate to prevent hacking. This was the view of the Law Commission (in Report 54, Computer Misuse), which was one of the main precursors to the introduction of the proposed anti-hacking legislation.
However, a number of recent decisions of the New Zealand courts have shown this thinking may be wrong.
First, in a recent TechLaw column (Wilful damage cases not clear cut) we discussed recent cases involving charges of wilful damage. The courts in these cases held that the altering of the magnetic particles causing impairment to the value or usefulness of the disk to the owner was sufficient to amount to wilful damage. The cases in question generally involved the deliberate deletion of data or software.
As we noted at the time, however, it was not clear this would extend to “passive” hacks, as there may not have been any element of damage. This issue has now been further considered in the recent decision in R v Garrett.
The case involved the use of BackOrifice to gain access to computers and obtain the user names and passwords for the user’s Xtra accounts. Judge David Harvey held that interference with software programmes (ie, the various changes made by BackOrifice to Windows to allow unauthorised access by a third party) also constituted damage in that (a) the utility and functionality of the programmes was altered in a manner unexpected, unanticipated or unwanted by the owner and (b) intervention was required to restore the software to its original state. In this case the user of the infected PC had to remove BackOrifice from his PC and install virus protection to prevent further infestations.
Secondly, the uncertainties surrounding the definition of “document” for the purposes of s229A of the Crimes Act have also been resolved.
In the Court of Appeal judgment in R v Misic (which involved the use of software to manipulate phone call charging systems so that calls could be made without charge), it was held that the software programme was a document and therefore was able to be used fraudulently.
In the Garrett case, the definition of document was held to apply not just to software programmes, but also to a password where the password was stored on a hard drive.
As a result of these recent cases, it appears hacking, whether involving destruction of data, unauthorised obtaining of information or simply unauthorised access, is already a crime in New Zealand.
If hacking is already a crime, TechLaw does not see there is a need to rush through legislation to prevent it, if this means the email interception powers are also introduced on its coat tails. Personal privacy is too important for such a change to take place without adequate public debate.
Parkinson is a partner in Clendon Feeney’s technology law team. This article, together with further background comments and links to other websites, can be downloaded from www.clendons.co.nz. Send email to Averill Parkinson.