New Zealand hacking law has insider loophole

New Zealand’s proposed law against computer hacking, scheduled to be referred last week to a parliamentary select committee, leaves hackers working within an organization untouched.

The proposed amendments to the Crimes Act don’t outlaw the abuse of computer systems by employees who are authorized to access the organization’s computer, who then use it in an unauthorized way.

There have been cases of police staff accessing the Law Enforcement System – the so-called “Wanganui computer” – for unofficial purposes, such as checking on a person’s criminal record for a friend. And there is a wealth of anecdotal accounts of dismissed or disaffected employees walking off with company information from the system.

Yet the proposed law specifically exempts such behavior from its provisions. The hacking section of the bill (Section 305ZFA) comprises subsection (1) prohibiting unauthorized use of a computer, and subsection (2), which says: “To avoid doubt, subsection (1) does not apply if a person is authorized to access a computer system or part of a computer system for a specified purpose or purposes, but accesses it for some other purpose or purposes.”

“Such misuse may be cause for disciplinary action or a charge under some other offense,” says Ministry of Justice senior policy adviser Vivienne Morell, who helped draft the proposed statute.

“Note the comment of the English Law Commission Computer Misuse report (1989),” she says: “‘An authorized user should not commit a hacking offense merely because he uses the computer for an unauthorized purpose . Our view remains that there is nothing to distinguish the misuse of an employer’s computer from the misuse of the office photocopier or typewriter, and it is therefore inappropriate to invoke the criminal law to punish conduct more appropriately dealt with by disciplinary measures’.”

The proposed New Zealand law defines “part of a computer system” and prohibits someone authorized to access one part of the system from accessing another part “for example, the payroll system,” she notes.

Police accessing the Wanganui system for unauthorized purposes were mostly dealt with by internal discipline, a police spokesman says, and there “may have been” some prosecutions under the old Wanganui Computer Centres Act which had an “unauthorized use” provision capturing internal misuse.

Overseas hackers accessing New Zealand computer systems may be caught by the proposed statute, says a spokeswoman at the office of IT Minister Paul Swain, who introduced the Supplementary Order Paper containing the proposed amendment.

“New Zealand courts have jurisdiction where any act or omission forming part of any offense, or any event necessary to the completion of any offense, occurs in New Zealand (whether the person charged with the offense was in NZ or not at the time of the act, omission, or event – see section 7 of the Crimes Act).

“If any part of an offense took place here, then it may be possible to extradite the alleged offender to New Zealand. If you are hacking into a computer system here, then part of the offense happened here. That means that if you can catch the person overseas, you could extradite them and prosecute them under New Zealand law.

“Anyone hacking from New Zealand into an overseas system would be hacking and breaking the new law.”