IT Security - Some Legal Perspectives

James Bishop, Stephen Revill, Consultant | October 2001

Introduction

Today I am going to deal with some legal aspects of Information Technology Security:

1. The legal framework in New Zealand relating to Information Technology Security;
2. The use of Public Key Infrastructure; and
3. The current proposed changes to the Crimes Act.

The legal framework in New Zealand relating to Information Technology Security

Few specific rules

Generally speaking the law addresses issues of confidentiality and information security in terms of recognised categories of relationship rather than by reference to the media or technology on which the information is processed, recorded or stored.

For example specific duties of confidentiality can be imposed or implied:

• in fiduciary relationships such as relationships between lawyer and client where the law recognises the existence of a high degree of trust and dependence
• in contract arising out of promises made by one or both parties to the other
  
• in other situations where there is no contract but where the law is still prepared to impose a duty of care to protect or secure information in circumstances where it is reasonably foreseeable that misuse of that information is likely to cause loss or damage
• under statute, such as the rules relating to the protection of taxpayer information that are imposed on the IRD under the Inland Revenue Act

Technology based legislation

There are some laws that are technology specific. However they generally result in a piece meal approach and can become quickly out of date.

For example under the:

• Telecommunications Act it is an offence to use a telephone station (but not other types of technology) for the purpose of disturbing, annoying or irritating any person, whether by calling up without speech or by wantonly or maliciously transmitting communications or sounds, with the intention of offending the recipient; and
• under the current Crimes Act the provisions relating to the interception of private communications are currently limited to the interception of oral communications using a listening device.

Clearly, this technology specific approach has resulted in the law becoming quickly outdated in a matter of years with the emergence of telecommunications technologies such as email and pagers. The concepts of oral communications and listening devices are clearly too limited for today's environment.

As a result those provisions are currently being updated, and I will touch on this briefly later on.

Standards based legislation

There is also the Privacy Act which says:
"An agency that holds personal information shall ensure that:
That the information is protected, by such security safeguards as is reasonable in the circumstances to take, against -

(i) Loss; and

(ii) Access, use, modification, or disclosure, except with the authority of the agency that holds that information;

(iii) Other misuse ?.."

This is where the adoption of current industry standards for information security become relevant. For example:

• the OECD Guidelines;
• NZS 4444; and
• ISO 15408,

Being able to show that you comply with information security policies that reflect industry standards of the type just referred to will strongly support compliance with such statutes as the Privacy Act and provide powerful defences against claims in negligence arising out of unauthorised information disclosures.

The use of Public Key Infrastructure

The use of the internet for business has focussed attention on the development of technologies and business processes that give greater confidence as to the identity of those that we deal with through that medium.

The most commonly adopted methodology that has emerged to address these problems is the Public Key Infrastructure or PKI. The use of this kind of technology in turn raises a new set of issues. It is an example of where the law (at least the law here in New Zealand) has not yet fully caught up. This means that the rules or the norms for dealing with the providers of Certification Authority Services are being developed for the most part simply through contract and that process is being largely driven by the suppliers of those services

What is Public Key infrastructure?

1. PKI is essentially a technology solution that is intended to provide a higher level of security when entering into transactions over networks such as the internet.

2. Through the use of digital certificates, and associated public and private keys, PKI provides parties with:

(a) Authentication

Each party can be confident of the identity of the other.

(b) Integrity

Each party can be confident that the transaction has been received by the other uncorrupted and unaltered.

(c) Non-repudiation

Neither party may deny that a particular message was sent, or that they were the party that sent it.

(d) Privacy/Confidentiality

Each party can be sure that a transaction stays confidential between the parties during its transmission over a network.

The roles in PKI

1. The typical PKI arrangement

[see diagram in presentation]

2. The roles

(a) Subscriber

The Subscriber applies to the Registration Authority for a digital certificate. If the Registration Authority validates the Subscriber's application then the Registration Authority will forward the Subscriber's application on to the Certification Authority who will then issue the Subscriber with a digital certificate (made up of a public key and a private key).

The Subscriber can then use the digital certificate to enter into transactions over the internet with the Relying Party (who may or may not know the Subscriber).

(b) Registration Authority

The Registration Authority verifies the Subscriber's digital certificate application to ensure that among other things, the Subscriber is who they say they are.

Once satisfied that the Subscriber's application is valid, the Registration Authority forwards the Subscriber's application on to the Certification Authority.

(c) Certification Authorit

Upon receiving a validated Subscriber application from the Registration Authority, the Certification Authority issues a digital certificate to the Subscriber.

The Certification Authority maintains publicly available lists on its web site detailing all valid digital certificates issued (sometimes called the Certificate Issuance List) and all digital certificates revoked (sometimes called the Certificate Revocation List).

Sometimes the Certification Authority also performs the role of the Registration Authority.

(d) Relying Party

The Subscriber sends the Relying Party their digital certificate when entering into an on line transaction with them to satisfy the Relying Party's need for Authentication, Integrity, Non-repudiation and Privacy/Confidentiality.

The Relying Party generally should check the Subscriber's digital certificate against the Certificate Issuance List and the Certificate Revocation List on the Certification Authority's website to ensure that the Subscriber's digital certificate is valid and can be relied upon.

The legal framework

1. There can be a number of contractual arrangements in a PKI arrangement.

The Subscriber Agreement

2. The first contractual arrangement is between the Subscriber and the Certification Authority (called the Subscriber Agreement).

3. The Subscriber Agreement details the specifics of the services that the Certification Authority will provide to the Subscriber, as well as the liabilities and obligations of the Certification Authority and Subscriber to each other. Sometimes this agreement can be made through the organisation for whom the Subscriber works.

The Relying Party Agreement

4. Another contractual arrangement is one that is between the Relying Party and the Certification Authority (called the Relying Party Agreement). This is generally a contract between parties that have no pre existing relationship. There is some doubt about the validity and effectiveness of the mechanisms for forming these contracts. I will touch on this briefly later on.

5. Assuming that it is validly created, the Relying Party Agreement's main function is to make it clear to the Relying Party what it must do in order to be entitled to rely on the digital certificate in question. Relying Party Agreements are also usually intended to operate to limit the liability of the Certification Authority to the Relying Party in the event that the Relying Party should suffer loss through reliance on the digital certificate.

Other Contractual Arrangements

6. In addition there will ordinarily be a contract between the Certification Authority and the Registration Authority where these authorities are two separate entities. Furthermore in closed PKI systems there may be a contract between the Relying Party, the Subscriber or the organisation for whom the Subscriber works.

Electronic Transactions Bill

Electronic Signatures

1. Clauses 22 and 23 of the Electronic Transactions Bill, which should be passed into law in the reasonably near future contain provisions dealing with the use and requirements of electronic signatures.

2. While these provisions are intended to be technology neutral, it would appear that some of the Act's provisions are directed to PKI or PKI like arrangements.

Legal issues arising from PKI

There are several legal issues that arise when you start to look into the use of PKI. I am going to look at some of the main ones and give you a very brief explanation of their nature.

Legal issues arising from PKI:

1. Legal consequences of the Certification Authorities you choose or rely on.
2. Absence of locally acknowledged accreditation criteria.
3. Uncertain legal environment.
4. One sided contractual documentation.

While there is obviously and almost never ending list of factors that will influence a decision on the Certification Authority to choose, one significant factor from a legal angle is the place in which the Certification Authority is established.

Whether the Certification Authority is located locally, or off-shore, is significant for several legal reasons:

Choice of law and jurisdiction

If the Certification Authority is based off-shore, it will be usual for the Certification Authority to insist that the law governing any dispute is their foreign law, and any dispute resolution procedures, for example arbitration or court proceedings will have to be brought in their jurisdiction.

Many implications arise from this, but most importantly, where legal action is taken against an offshore Certification Authority in its own jurisdiction it will generally be:

• more costly; and
• more time consuming.

than legal proceedings taken here locally.

Obtaining evidence

Your organisation may find that to take legal action in respect of a transaction where digital certificates were used, it needs evidence from the Certification Authority. For example, details of when a Subscriber requested a digital certificate to be revoked, or to whom a particular digital certificate was issued.

Recovering this sort of evidence from a foreign Certification Authority can be expensive and difficult. You may even find that the Certification Authority is unwilling to co-operate in the provision of evidence and that they may not be obliged to comply with orders from New Zealand courts for the delivery of such evidence.

Absence of locally recognised accreditation criteria

The trusted third party concept

Quite clearly, the entire PKI concept is based on the Certification Authority acting as a trusted third party, who the Subscriber and Relying Party can rely on. The question that arises then is how do you determine the trust worthiness of a Certification Authority?

Accreditation criteria in New Zealand

In New Zealand, there are no locally recognised accreditation criteria, specific standards or legislation with which Certification Authorities must comply.

This means that in determining what standards a Certification Authority should comply with in order to earn and keep our trust, and whether a particular Certification Authority actually does comply with those, we need to look at what is being done outside New Zealand for guidance.

The Gatekeeper Accreditation Model in Australia

In Australia, the Government has established the Gatekeeper accreditation process for which all Certification Authorities that wish to supply Certification Authority services to the Commonwealth Government must comply.

As part of this accreditation process, an applicant Certification Authority must prove their compliance with a set of criteria established under the Gatekeeper project dealing with matters such as:

• disaster recovery and business continuity;
• security management; and
• key management.

While a Certification Authority will not have to comply with the Gatekeeper requirements to operate in New Zealand, an understanding of the Gatekeeper accreditation process is still very valuable to New Zealand organisations. At the very least, it gives a reasonably detailed due diligence list that can be used to measure the services offered by a particular Certification Authority.

Uncertain legal environment

The use of PKI is a very new process, and as such, there are many legal issues and uncertainties associated with it. Some of those are:

Will the Electronic Transactions Bill requirements be met?

While it would appear that the PKI model would in general fulfil the requirements under the Electronic Transactions Bill relating to electronic signatures, each situation will be evaluated on its own facts, on a case by case basis.

Until these provisions concerning electronic signatures have been in place for a while, and have been suitably tested, there will always be a degree of uncertainty as to what will be deemed to fully satisfy them.

Admissibility into evidence

As the law currently stands under the Evidence Act, there is some uncertainty as to whether electronically generated information can be admitted as evidence into Courts in New Zealand.

A new Evidence Code has been prepared by the Law Commission which is intended to address this problem. However, this has not yet even been placed before parliament, and it would seem very likely that it will not be enacted until some time after the Electronic Transactions Bill is passed into law.

If this situation eventuates, then there will be a period of legal uncertainty concerning the use of electronic signatures in New Zealand. While the use of electronic signatures will be recognised under most New Zealand legislation following the passing of the Electronic Transactions Act, it does not follow that electronic signatures will always be admitted into evidence or given the importance accorded to physical signatures until these changes are made to the Evidence Act.

Non-repudiation: Can it stick?

As discussed earlier, the non-repudiation aspect of PKI is crucial to its suitability for facilitating on-line transactions.

However, just how the courts will interpret the validity and strength of the non-repudiation functionality of PKI is yet to be determined.

For instance, under the proposed Act an electronic signature will be considered reliable if it meets a number of specific tests. One of these is that the 'means of creating the electronic signature is under the control of the signatory and of no other person'. We understand that in some cases, Certification Authorities generate private keys and download them across an encrypted line, which others arrange for the private keys to be generated by the Subscriber through use of a function in the browser.

This is one of a number of issues that would need to be considered by the Courts.

Enforceability of the Relying Party Agreement

The Certification Authority generally intends for the Relying Party Agreement to be entered into between the Relying Party and the Certification Authority each time a Relying Party relies on a digital certificate issued by the Certification Authority. The main purpose of the Relying Party Agreement is to limit the Certification Authority's liability.

However, the validity of these contracts is not certain, and whether they are enforceable by either party will largely depend on the process by which the contract is purported to be entered into.

The use of a general statement either on the certificate or the Certification Authority's web site stating that the reliance on a digital certificate is subject to the terms of the Relying Party Agreement will probably be insufficient to create a valid agreement between the Certification Authority and the Relying Party.

However, a click through agreement will probably be found valid as long as the Certification Authority:

(a) took reasonable steps to draw the Relying Party's attention to the relevant terms and conditions prior to entering into the transaction;

(b) provided the Relying Party with a reasonable opportunity to consider the terms; and

(c) required the Relying Party to click to accept those terms and conditions prior to the service being provided.

If the Relying Party Agreement is found to be invalid, then the allocation of risk between the parties will become uncertain, increasing the risk to the Certification Authority.

One sided contractual documentation

In most cases, the Certification Authority will have standardised Subscriber and Relying Party Agreements in the form of Certificate Practice Statements. These are generally based on the suggested format for such documentation provided by RFC 2527 issued by the Internet Engineering Task Force. While RFC 2527 takes a neutral stance as to the content of the Certificate Practice Statements, many of the Certification Practice Statements that have been produced by CA's are one sided, and significantly limit the extent of the Certification Authority's obligations and liability.

Cathedral of documentation

When assessing the services being offered by the Certification Authority, there is a lot of contractual documentation to review and analyse. Very often it is technical, contradictory and hard to understand.

In order to fully understand the full effects of this documentation it is necessary to invest a considerable amount of effort and time.

Undermines Confidence
Unfortunately, when you do develop a good understanding of the conditions contained in those documents, you may feel less willing to place your trust in the Certification Authority than when you started.

While one can understand the commercial reasons behind the Certification Authority attempting to limit their obligations and liabilities so greatly through the documentation, one is left with the distinct impression that the Certification Authority are not always willing to stand behind the services when something goes wrong.

Crimes Amendment Bill (No. 6) and Supplementary Order Paper No. 85

What is it?

Overseas developments

In the past decade or so, there have been moves in many foreign jurisdictions to review the increasing misuse of computers to commit crimes. These reviews have resulted in new legislation been passed in the United Kingdom, Australia and Singapore, amongst others, which is designed specifically to address crimes committed through the misuse of computers.

Law Commission review

Given these international developments, and the increasing misuse of computers in New Zealand, the Law Commission conducted a review of computer misuse and the suitability of New Zealand's criminal law to deal with matters of that nature.

The Law Commission reported that New Zealand's criminal law was inadequate to deal with the full scope of potential computer misuse, and recommended the enactment of new criminal laws specifically aimed at addressing these matters.

New Zealand's response

Parliament's response to the issue of computer misuse and the criminal law's application to this has been the introduction of the Crimes Amendment Bill.

The Crimes Amendment Bill amongst other things, attempts to update the law so that it is able to take account of computer related crime in accordance with changes in technology and recent case law. It includes a wide range of new provisions including ones aimed at hacking and the interception of communications by authorities.

Given the time constraints here today, I am going to focus only on some of the changes to the criminal law that are proposed by the Bill.

Crimes against personal privacy

The Crimes Act already contains provisions relating to the interception of private oral communications, and the gathering of evidence in private oral communications by the authorities via the use of listening devices.

To make sure that these existing provisions are not in conflict with the new computer misuse offences, and to ensure that they take into account recent developments, the definitions of the Act have been updated so as to apply the Act's anti interception provisions to a wider range of technologies.

Private Communications

Current definition

The law, as it currently stands, makes it illegal to intercept private communications using a listening device, unless you are a party to that communication, or if you are otherwise authorised to do so (for example, the police acting under the authority of a warrant).

Currently, a "Private Communication" is limited to oral communications that the parties reasonably expect not to be intercepted by another person.
Obviously, in these days of email, faxes and pagers, limiting the application of these provisions to oral communications alone is quite inappropriate. It is an example of legislation not keeping up with technology.

Expanded definition

However, the Bill ensures that these criminal provisions relating to the interception of private communications do clearly apply to the unauthorised interception of non-oral communications using interception devices by extending the definition of "Private Communication" to include communications whether they be in oral, written form or otherwise.

Consequences of this change

It is possible that an organisation will have been using interception devices to intercept non-oral private communications up until now, on the understanding that to do so was within the law, and may have had quite legitimate reasons for doing so. However, the Bill will clearly make such behaviour illegal in the future and some organisations may need to review their practices as a result.

Permitted Interceptions of Private Communications

Internet and Communication Service Providers

An important exception to the prohibition of intercepting private communications is that it does not apply to any interception device operated by a person engaged in providing an Internet or other communication service to the public if the interception is carried out:

• by an employee of the Internet or communication service provider in the course of their duties; and
• for the purpose of maintaining that internet or other communication service; and
• the interception is necessary for the purpose of maintaining the Internet or other communication services.

Monitoring of telecommunications

This exclusion in the Bill relating to Internet and communication service providers is a extension of the existing provision in the Telecommunications Act which already allows network operators to intercept any telecommunications for the purpose of maintaining telecommunication services.

Accessing computer system for dishonest purpose

• Offence

  Under the Bill it will be an offence for someone to access a computer system, and to dishonestly, or by deception, and without a belief that it is lawful, obtain any property or benefit, or cause someone else loss.

  For these purposes a computer system does not just mean the clients and associated servers but also the communication links between different systems.

  Committing this offence can result in a sentence of up to 7 years imprisonment.

• Intent

  An important aspect to this provision that should be noted is its "intent" aspect. Where there is no intention to obtain property or benefits unlawfully no offence will be committed.

  Furthermore, an individual who gains access to a computer system solely for the satisfaction of achieving the access itself will not commit an offence under this provision.

Accessing computer system without authorisation

• Offence

  The Bill will also make it an offence to obtain unauthorised access to a computer system, even though no loss is caused or any property or benefit is obtained through gaining that access.

  It should be noted that this offence carries the lesser penalty of imprisonment for a term of up to 2 years, instead of up to 7 years.

• Authorised purpose

  This provision expressly states that it does not apply to the situation where a person authorised to access a computer system and accesses that computer system for a purpose other than the one for which that person was given access.

Damaging or interfering with a computer system

• Offence

  There are two parts to this provision. The first part deals with damage to computer systems which could result in danger to life. The second part of the provision is aimed at criminalising intentional or reckless damage to computer systems, as well as attacks in the nature of denial of service and website defacing attacks. Committing an offence against this second part can result in imprisonment for a term of up to seven years.

  This provision has come under attack recently in the media.

• Who becomes criminals?

  Denial of service

  A key concern of commentators in the media has been that if an ISP makes their systems deny access to particular people or refuse to supply service for valid reasons, such as to combat denial of service attacks, then that ISP could be breaking the law.

  I personally think that these concerns have been overstated. A key element of this offence is that the person causing the computer system to deny service to any authorised user must be doing so without authority. As long as ISPs ensure that their contractual arrangements with their customers provide the ISP with the authority to withdraw the provision of its services in specified circumstances, breach of this provision can be avoided.

  Software Manufacturers

  Comment has also been made that software manufacturers could fall within the scope of this provision if their software somehow damaged or deleted any software or data. Or perhaps even more likely, caused a computer system to fail!

  It would seem that this is a possibility. Under the proposed legislation, a software manufacturer whose software did damage or deleted any software or data, or caused a computer system to fail arguably could go to jail for up to seven years. However it would be hard to prove that a software manufacturer had acted recklessly. In order to be criminally reckless, you have to deliberately and unreasonably take a risk and expose others to that risk, while knowing the possible outcomes. If the software manufacturer followed what resembled reasonable industry procedure, then a Court would be unlikely to find that they acted recklessly.

Making, selling or distributing or possessing software for committing crime

Offence

This provision provides for two general offences. These offences seem to have received the greatest level of comment in the press recently, with considerable concern being expressed about what they could mean for the industry in general, and the infringement of the right to freedom of information.

The supply of software or other information

The first general offence essentially provides that anyone who offers to supply, agrees to supply, or has in their possession for the purpose of supply, any software or other information that would enable another person to access a computer system without authorisation, the sole or principle purpose of which they know to be the commission of a crime, commits an offence and is liable to be imprisoned for up to two years.

Personally, although the drafting could be better, I don't see the need for much concern arising in regard to this provision. If someone sets out to supply software for the purpose of allowing unauthorised access or damage to a security system, then they should be criminally liable. The Crown must be able to show the supplier knew of the intent to commit a crime, or that the supplier held the information out as useful for committing a crime.

It must be made clear that what this provision does not do, is make it illegal to promote products for legal uses. Consumers may be perfectly aware of the illegal uses a product can be put to, but that does not make selling them illegal if they have some legal application.

Possessing software or other information

The second provision makes it illegal for a person to possess software or other information that would enable them to access a computer system without authorisation, and intend to use that software or other information to commit a crime.

It has been argued that this makes it illegal to be in the possession of a great deal of software and information that has quite legitimate uses. However, before a crime could be found to have been committed the Crown would have to prove beyond a reasonable doubt that the person who possessed the software did actually intend to use it to commit a crime. In my view this goes a long way to alleviate any concerns that have been expressed about this provision.

The approach adopted here is not unique or new. For example, it is an offence under the Crimes Act to possess any instrument that is capable of being used for taking a car, with the intent to take a car.

Do these offences do what they are intended to do?

Essentially, what these law changes do is make unauthorised access to computer systems, be it for personal gain, to cause damage or just for the challenge, amongst other reasons, illegal in New Zealand, or at the least, make their illegality easier to prove.

I do not think there can be much doubt that under these new provisions, a significant proportion of the activities that we would consider as falling within the ambit of computer crime will be clearly illegal. I do not believe that it is obvious that legitimate activity will inevitably and inadvertently become illegal.

Are the changes really necessary?

Criticisms

There have been comments made that these law changes are not necessary and that the current law can be interpreted to cover the misuse of computers. As evidence, critics of the Crimes Amendment Bill point to the recent successful prosecutions of Misic and Garret, in which those individuals were convicted for hacking offences under the current Crimes Act. In these cases, the judiciary was able to interpret the language of the law so as to encapsulate the behaviour in question. This will not always be the case.

Law Commission Review

As I mentioned briefly earlier, the Law Commission conducted a detailed review of New Zealand's criminal law's ability to deal with all aspects of computer misuse in their 1999 report "Computer Misuse".

The Law Commission came to the definite conclusion that our existing criminal law is inadequate to deal with computer misuse, and that new legislation is needed.

The new offences proposed in the Crimes Amendment Bill should rectify this situation. Furthermore, they bring New Zealand in line with the many other jurisdictions around the world that have identified the unique nature of crimes involving computer misuse, and the need for specific legislation to deal with them.

How effective will these provisions be against foreign hackers?

A significant problem which these provisions do not, and could not easily deal with, are overseas based hackers.

Would the offences apply?

Although it is not definite, New Zealand courts would probably assume jurisdiction and apply these new offences to a hacker based overseas who attacked a computer system in New Zealand.

Identification and extradition

However, even if the New Zealand courts would apply these offences to hackers who attacked computer systems in New Zealand remotely from overseas, there are still significant problems which would have to be overcome before the hacker could be brought to justice in New Zealand:

• Location. Often, it may be very hard or even impossible to establish where the hacker was when they committed the offence.
• Identification. You have to be able to identify the individual who has hacked, or attempted to hack the computer system in New Zealand.
• Extradition. Even if you can identify where the hacker was when they committed the offence, and who they are, convincing the authorities in a foreign jurisdiction to arrest that individual and arrange for their extradition to New Zealand to face trial, could be very difficult and perhaps even practically impossible (even if an extradition treaty is in place between New Zealand and the country in question).

Inevitably, these proposed provisions will be of most use against hackers found within New Zealand's borders. If the hacker is based overseas, New Zealand organisations will probably find that practically speaking, the enactment of these provisions will do little to improve their position.

These issues reflect inherent weaknesses in our existing legal systems which are essentially nationally based. This makes work in the international arena more important as the globalisation of business proceeds a pace.