Hackers beware – the Crimes Amendment Act works

You might have noticed in the papers that a Dunedin man recently pleaded guilty to charges of hacking into a US-based e-commerce operator's systems. This case, involving damages claims of US$458,000, is a timely reminder of the importance of the “anti-hacking” provisions established by the Crimes Amendment Act 2003 (the Amendment Act).

The attacks in question occurred late last year, causing severe disruption to electronic stores run by Oregon-based “BuyMusicHere”. The attacks reduced the operation of the “BuyMusicHere” database in Oregon to a virtual crawl. Co-operation between the New Zealand police and US authorities led to the prosecution. The hacker (who has name suppression) pleaded guilty to three charges of damaging a computer system and unlawful access (new “computer crimes” under sections 249 and 250 of the Crimes Act).

This case provides a good insight into the impact and workings of the new computer crimes, established by the Amendment Act late last year. Before the passing of the Amendment Act, New Zealand was one of the few Western countries without specific computer offences. Under our old law, hackers could only be convicted under general theft and criminal damage provisions of the Crimes Act (which were not always applicable to hacking activity). Were it not for the Amendment Act, the Dunedin hacker may have remained unpunished.

The Dunedin hacking case also clarified that the new computer crimes in the Amendment Act extend to cover damage caused from New Zealand, but which occurs on computer systems overseas.

So what changes did the Amendment Act make?

Illegal access

Section 249 of the amended Crimes Act makes it illegal to access a computer system for a dishonest purpose.

In order to be convicted under this section, an offender must access a computer system with the intent to obtain property, privilege, service, pecuniary advantage, benefit, or valuable consideration or cause loss to a person. An offender will be caught under this section whether or not they actually gain any such benefits or cause loss, provided that it was their intention to do so.

It is worth noting that if someone accesses a system, for example during the course of their employment, and believes that they are entitled or authorised to obtain a benefit, then to do so may not breach section 249.

Unauthorised use of data

Section 250 of the amended Crimes Act makes it illegal to intentionally or recklessly damage a computer system or intercept, access, use or damage data held on computers without authorisation. This could include an attempt to put a website out of action (i.e., a denial of service attack) or interfering with someone else's data. This offence has a maximum sentence of seven years' jail, increasing to ten years if the offender knows or ought to know that damage to life is likely to result.

Debate about this section has largely centred around the meaning of “authorisation” and the effect this has on the application of this section. It has been suggested that the inclusion of this word creates a loophole in the Act, which allows employees (who are authorised to access the computer system) to intercept, access, use or damage data held on the computer without being caught by the provisions of the Act. However, whether this in fact happens will depend on the interpretation that the courts give to the word “authorisation”.

The courts may decide that a person is “authorised” for the purposes of the Act if they have authority to access a particular part of the computer system. If this interpretation is adopted then such a person cannot be liable under this section. However, such an interpretation would not appear to be sensible or consistent with the purpose of the legislation. Instead, it seems more likely that the courts will adopt a pragmatic approach and hold that a person is “authorised” only for specific purposes and that action outside those specific purposes, such as deleting a file from a computer for a malicious reason, is not authorised behaviour.

Unauthorised access

The Amendment Act also makes simply accessing a computer system without authorisation illegal. This means that “pure hacking”, or hacking into a computer system without gaining a benefit or causing harm, is now illegal. The Amendment Act imposes a maximum penalty for “pure hacking” of two years' imprisonment.

Concerns have been raised in relation to this provision. These include the fact that penalties for the computer-specific offence are far more severe than those for an equivalent offence in the “real world”. Critics of the Act see pure hacking as a minor offence and think that it is occasionally helpful in that it alerts organisations to weaknesses in their security. Arguments that “pure hacking” are beneficial and should not be illegal seem to avoid the fact that hackers are deliberately breaking into a system they are not authorised to enter.

Hacking Tools Banned

The new section 251 has also proved to be controversial. It makes it illegal to sell, distribute or possess computer hacking programmes in New Zealand.

It has been suggested that this provision:

• overlooks the importance of educational websites and other information that deals with hacking; and
  
  
• may prevent individuals or organisations learning more about hacking programmes in order to protect against them.

On the face of it, such criticisms may be justified. Whether or not the Amendment Act will actually have this effect will only become clear through the passage of time. In this regard, “good” users of such information may have to rely (tentatively) on the police's discretion whether or not to prosecute a particular case.

Powers of interception

The Amendment Act also changed the police interception warrant provisions of the Crimes Act. Previously, law enforcement agencies acting under interception warrants could only intercept oral communications. The Amendment Act broadens law enforcement agencies' powers under interception warrants and allows them to intercept written communications such as emails, facsimiles and text messages. This is required as the old ban on the use of listening devices is extended by the Amendment Act to cover any communications interception device.

An exception to the new ban on the use of interception devices is also provided for ISP's and communications companies using such devices in limited circumstances for maintenance purposes. The Amendment Act makes it clear that a law enforcement agency is not committing an offence if it has a legal basis, such as a search warrant, for accessing a computer.

A healthy level of debate about infringement of privacy occurred when the new interception powers were tabled. The Amendment Act goes some way towards addressing such “privacy” concerns by requiring police to specify the person, place, specific electronic address, phone number or similar facility relevant when applying for an interception warrant. However, a number of people remain concerned about the interception powers. Whether these concerns are warranted will probably only be clarified with the passage of time.

Jeremy Salmond