New computer crime laws caught in legal arguments

By Chris Barton

Changes to the Crimes Act to cover computer misuse are floundering on legal definitions of "unauthorised access" and uncertainty about what sort of criminal offence hacking and cracking should be.

While three new offences will be introduced by the end of June to cover accessing, or attempting to access, a computer for a dishonest purpose and damaging a computer system, the changes will have little effect on hackers under 16 because the "age of criminal responsibility" would still apply.

That means that out of the three hacking cases reported since November, two of the offenders, because they were 15, could still not be prosecuted. Mandy McDonald of the Ministry of Justice said while the new laws would cover theft committed with the aid of a computer - a loophole exposed by a recent Court of Appeal case - the Ministry was still deciding where to position hacking as a criminal offence. She also said that it was unlikely any change would be made regarding the age of criminal responsibility for the new offences.

The "new" offences are not that new either - appearing to be little more than retrieved clauses from the Crimes Bill 1989, which was never enacted. Under that Bill, anyone accessing a computer for a dishonest purpose was liable to imprisonment for seven years. Anyone damaging or interfering with a computer system was liable to five years.

The 1989 legislation also included a summary offence of unauthorised access to a computer punishable by a maximum of six months in jail. But a statement from Justice Minister Tony Ryall said a proposed offence of hacking or cracking "raises a number of complex issues and will require further consultation and policy development before drafting."

Mr Ryall's comments coincide with the release of the Law Commission's Computer Misuse report, which outlines how trying to criminalise "unauthorised access" of a computer to obtain information creates an anomaly with existing criminal law.

Under that law, it is not an offence to gain unauthorised access to information by itself - unless some other offence such as theft, trespass or burglary is committed. If for example someone is lawfully in another person's office and sees a confidential document on a desk, it is not an offence to take a photograph of the document. Nor is it an offence to read it and "store" the contents in one's mind. The same goes for reading information over someone's shoulder.

That means that if gaining unauthorised access by a computer is criminalised, it would be at odds with current law, where gaining information without a computer is not illegal.

The Law Commission argues that "the public interest" in encouraging the use of computers and in protecting the community from their misuse outweighs any concern about this anomaly.

QC and consultant to the Commission Paul Heath believes the critical issue in defining hacking as a criminal activity is intent - whether hackers gaining access to a computer system intended to harm or benefit from their actions.

Were he over 16, that would appear to convict the hacker "Sharkdogg" who claimed responsibility for destroying 4500 Web sites hosted by Internet service provider Ihug in November last year. But would it convict "DF"? - presuming he too was over 16 - who hacked into Vodafone's administration computers last month "because he could" and copied about 90 documents?

According to Mr Heath, only if there is wide-ranging meaning for the term "harm" - something he advocates in order to catch "DF" and his ilk who hack for little else but the prize of gaining access. In Mr Heath's view, that would be fine if that's all a hacker did.

But in going public with his hacking exploits, it would be argued DF intended to harm Vodafone's reputation and so could be prosecuted for a criminal offence.

Were such a draconian position put into law, it is likely to have the knock-on effect of gagging reporting of hacking occurrences. DF's defence that he was simply showing weaknesses in Vodafone's computer security - something its customers and business partners might be interested in knowing about - would not be relevant.

The Law Commission also confirms what many have known for some time - that the existing Crimes Act is inadequate to deal with a wide range of computer misuse offences. The report outlines in some detail the Act's shortcomings for dealing with electronic crime.

Specifically, in relation to fraud and forgery charges of "making a false document" and using "a document for the purpose of obtaining" benefit, the Commission doubts that current definitions of "document" include data stored on a computer.

"I don't know why the police continue to charge people when there are grave inadequacies in the law. The probability of a conviction is zero," said Auckland barrister Barry Hart.

Mr Hart is defending Andrew Garrett, currently pleading not guilty to charges of forgery and "using a document" under the existing Crimes Act. Mr Garrett is reported as saying he hacked Telecom Xtra Internet account passwords to highlight his treatment in an unresolved dispute with Telecom over unpaid line rentals.

The report also raises the question - if the computer process, such as logging on to an Internet provider is fully automated - of whether any offence has been committed. Some case law suggests forgery only happens when a human being is duped - "that a machine cannot be deceived by a false pretence or other fraud."

The issue raises further concerns about "accidental hacking" through various automated processes prevalent on the Internet. Security consultant Brad Price asks whether "cookies" - a small piece of code set by Web sites to gather information about visitors - might not be regarded as "unauthorised access".

The same might be asked about Java script, Active X controls and software vendors' online registration processes which also probe users' PCs often without their knowledge.