From what we know this morning, it does not seem that the Budget 2019 leak was the result of any online break-in or "hack".
But experts are split on whether the Crimes Act was breached, given the person who obtained the Budget 2019 information knew that they should not have been searching for it or looking at it - even if it had been inadvertently been made public.
"What we did was what any Kiwi does any day of the week on Google," Opposition leader Simon Bridges told a press conference this morning.
"It's from within National and by chance in our preparation of the Budget and for the Budget, we came across this.
"We literally went to Treasury.govt.nz and as with every single government department website in New Zealand, there's a search bar."
An un-named person from within National typed "2019/2020" into the search engine then into the motherlode.
Tech expert and Herald contributor Juha Saarinen agrees it would have been simple to access the information.
• How Treasury got dorked
But he also asks why the person knew to look - and why Treasury failed to notice their persistent efforts.
"Although material information such as dates and times of when the leak happened and how the Budget 2019 data ended up in Google's cache is missing, the incident appears to be down to a website misconfiguration," Saarinen says.
"Due to the misconfiguration, Budget 2019 material that was not meant to be disclosed before today became indexed and partially accessible via a legitimate search function on the Treasury's website.
"The big question now is how did the person or people who conducted the specific searches find out that the clone or staging site was leaked via the index? By chance or were they tipped off?"
It's also remarkable that Treasury did not notice the around 2000 very specific searches, which took place over 48 hours, Saarinen says.
"Given how sensitive national budget documents are, you would expect staff to keep a close eye on log files for example so as to spot anomalies such as someone looking for confidential material." (Read more on Juha's blow-by-blow take here).
So it appears that Treasury was asleep at the wheel. Workflow and configuration mistakes meant Budget 2019 information was not "bolted down" as the department's boss, Gabriel Makhlouf said on Tuesday, but open to the world.
Yet anyone within National would know that Budget 2019 information should be under tight wraps until 2pm today, so the question emerges of whether it was wrong for them to seek it out.
The 'Keith Ng defence'
Tech expert Paul Brislen notes Section 252, Subsection 1 of the Crimes Act, says:
Accessing computer system without authorisation
(1) Everyone is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.
But Brislen also notes Subsection 2, which qualifies:
(2) To avoid doubt, subsection (1) does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access.
"So if you've got permission to use the system and then use it for something other than the purpose you were given access for, you're not hacking," Brislen says.
The person within National had authorisation to access Treasury's website. Indeed, any member of the public can look at it. Once there, they found the inadvertently spilled information.
"This was most visibly brought into play in 2012 when Keith Ng discovered he could access a lot of Ministry of Social Development material through the kiosks thoughtfully provided by the ministry in some of its branches. By providing the kiosks, MSD gave Ng access to the system - what he chose to do with it is within the law."
Police ultimately decided not to prosecute Ng, who today works as a data journalist for the Herald. And they took the same tack with National this morning, saying Budget details were obtained using a search function and that such activity was not unlawful.
Ng cited a public good defence.
Simon Bridges has as well, saying the public needed to be alerted to the holes in Treasury's system.
But there is the nuance that while Ng went public with the information that the MSD's network had vulnerabilities that let anyone easily access private information, he did not share the information he had accessed with media, as Bridges did with his "Money for tanks but not teachers" release. Instead, he took it directly to the Privacy Commissioner.
Lawyers specialising in cybersecurity were reluctant to go on the record this morning, given details were still emerging.
However, one said his initial impression was that "the cops could have been too quick to drop it, given they [the person within National] knew they shouldn't have been looking at it but continued".
The question of dishonest purpose
Lowndes Jordan partner Rick Shera, who was willing to go on the record, said on balance Police were right to drop the case.
"If all that happened was that National Party people entered 2000 or so search terms into Treasury's own search bar, then that is not unauthorised access under s252 of the Crimes Act. You enter a search term; you get a result – it is reasonable for you to assume that you are authorised to access that material, otherwise it would not be available. To hold otherwise would make every day searching a perilous activity," the cyber law specialist said.
"However, there is another section of the Crimes Act – s249 – that does not rely on this issue of whether access was authorised or not. It focuses instead on whether your purpose in seeking and gaining access was dishonest or deceptive, and, if it was, whether you obtained any property or benefit or caused anyone any loss."
He notes the definition of "dishonesty" in the Act is a lower bar than many might expect. It includes: "An act done without a belief that there was express or implied consent."
Shera says we know from the Supreme Court case involving a Queenstown bouncer who made a copy of a CCTV recording of the England rugby team's vice-captain, Mike Tindall, socialising with a young woman, that a digital file can be considered property so "there are the ingredients here for an argument that what has happened is illegal".
But he qualifies, "It is by no means certain, however. You would expect an Opposition party to argue that seeking information about a forthcoming budget is not a 'dishonest purpose' and, in fact, that is part of their duty.
"Added to that, there are other factors that are relevant here - there does not appear to have been any resulting financial damage from National's publication, the value of the digital material - property - is very hard to quantify, the underlying cause appears to be lax security at Treasury, and Police rightly steer clear of becoming involved in political matters.
"All of this means that taking this any further would not be a good use of Police resources, as Crown Law has no doubt advised. That's the right decision I think even if it means law geeks like me will have to swallow our disappointment and wait for a better case."
Makhlouf has called for a State Services Commission investigation, which would yet find the Budget searcher reprimanded for a breach of their employment conditions, even if police say there is no criminal case.
For his part, Ng posted, "I think whoever grabbed the files - if they work in Parliament or for a party - deserves something between a very severe eye roll and a mild, perfunctory chuckle."
This morning, Treasury issued a statement saying, "Police have advised the Treasury that, on the available information, an unknown person or persons appear to have exploited a feature in the website search tool but that this does not appear to be unlawful. They are therefore not planning further action."
It also released a list of "the facts that have been established so far":
• As part of its preparation for Budget 2019, the Treasury developed a clone of its website.
• Budget information was added to the clone website as and when each Budget document was finalised.
• On Budget Day, the Treasury intended to swap the clone website to the live website so that the Budget 2019 information was available online.
• The clone website was not publicly accessible.
• As part of the search function on the website, content is indexed to make the search faster. Search results can be presented with the text in the document that surrounds the search phrase.
• The clone also copies all settings for the website including where the index resides. This led to the index on the live site also containing entries for content that was published only on the clone site.
• As a result, a specifically-worded search would be able to surface small amounts of content from the 2019/20 Estimates documents.
• A large number (approx. 2000) of search terms were placed into the search bar looking for specific information on the 2019 Budget.
• The searches used phrases from the 2018 Budget that were followed by the "Summary" of each Vote.
• This would return a few sentences - that included the headlines for each Vote paper - but the search would not return the whole document.
• At no point were any full 2019/20 documents accessible outside of the Treasury network.