The proposed exemption for the Police, SIS, GCSB and some other authorities from the provisions of the “anti-hacking” law gives them significant new powers, says Privacy Commissioner Bruce Slane.
In the covering letter to his submission on the bill to the Law and Order select committee, Slane says the proposed exemption allowing Police and others to hack into computers and intercept emails causes him “some serious misgivings about how the measure proposes to do this”. In the submission itself he labels the measure “a significant risk to privacy”.
Slane was unavailable when Computerworld called last week.
But an informed source close to the Commissioner’s work – who does not want to be directly quoted – indicates that the position of the authorities in hacking into computers remotely and intercepting emails would be much more secure after the legislation is passed than before.
However, this contention has been questioned by some internet users who suggest that before any anti-hacking law is passed, the police – or indeed anyone – are legally able to hack PCs and intercept emails, so the exceptions to the law make no practical difference.
Slane refers to this argument, and suggests “the law should make quite plain as yet that police cannot, and must not, carry out remote hacking. If that position should ever change it must only be when a convincing case has been made out and where the law develops mechanisms that can effectively control such a practice.”
Police and SIS have declined to comment on whether they already engage in covert digital surveillance (see SIS, Police stay mum on email interception).
There are other pieces of legislation that would make an act of interception or hacking that is not specifically authorised questionable, the source suggests. For example, the Telecommunications Act makes it illegal to attach an interception device to the public telephone network. And under the Privacy Act a government agency is not allowed to collect information in a manner that is “unfair” or unduly intrusive. A specific provision in the Crimes Act would probably override these other strictures, but in its absence the authorities may be taking a risk of committing an offence.
In his covering letter, Slane identifies risks of incorrect use of the facility and unreasonable public fears which the authorities will have to spend time calming:
- “Paranoid people will 'know' it is happening to them,” Slane says. “Even more rational people with sensitive or extensive databases may be left wondering particularly if their computer systems start doing unexpected things, as is wont to happen;
- “existence of police capability will intensify the likelihood of enquiry to ascertain whether there have been interceptions whenever systems seem to have been tampered with;
- “police capability will also increase the likelihood of potential abuse by some police officers or damage to computer systems through poorly executed operations. The losses the Crown may have to meet for damage caused by access attributed to law enforcement might be potentially enormous.”
He further draws attention to well-established principles governing other collected private information – that unused information be destroyed, and that the person being investigated be informed at some stage that such an investigation is taking place or has taken place.