A bill likely to be introduced to New Zealand’s Parliament early next year will clarify the legal status of evidence of an offense gained by hacking, as well as other evidence collected through illegal acts.
Evidence of electronic or other crime gathered by a hacker illegally intruding into a suspect’s computer system would probably be admissible in a New Zealand court, according to lawyers and Police e-crime unit chief Maarten Kleintjes. One lawyer acknowledges the risk of “vigilantes” hacking into systems in the hope that any detected crime would be serious enough for the hack to be seen as a lesser offense not worth prosecuting.
Such evidence would be subject to the same guidelines as evidence coming from any other informant, where the illegal nature of the act of gathering such evidence may not rule it out, say the sources. But the principles governing such a judgement are purely case law at present.
Government officials are working on a new bill amending the Evidence Act, which aims to make such questions as admissibility of illegally obtained evidence a matter of statute law. At the same time, the Law Commission is drafting a paper on rights of entry, search and seizure, which has been delayed until next year to consider more fully the issues presented by new technology. This could well include further thoughts on the acceptability of hacking, says Commissioner Warren Young, though a previous Law Commission paper forms the basis of the planned Evidence Act amendment bill. This could be tabled early next year, he says.
Young points to a watershed case two years ago, R v Shaheed, which modified a previous assumption that such evidence, particularly where obtained in a way contravening the NZ Bill of Rights, would be inadmissible. None of the sources consulted can call to mind a case in the computer hacking arena. Admissibility would depend on the relative gravity of the two crimes; if murder were at issue, says one lawyer, it can hardly be imagined that the relatively minor crime of hacking would render the evidence inadmissible.
The question came up in the wake of a local case where images in breach of the censorship law were given to the Department of Internal Affairs by a computer repair shop to which the offender took a failing hard disk drive. The DIA used that prosecution to warn that it’s not only the Department’s inspectors that are alert for possible illegal activity.
But the case led IT commentator Bruce Simpson to ask in his online Aardvark column whether there was any real difference between viewing files without permission while the PC is being repaired and “hacking into someone’s PC and inspecting the files on its hard drive without permission over the internet.” He sees the latter as unjustifiable and some of his respondents agree.
A few months ago, a US appeal court allowed evidence gathered by a freelance hacker. A former judge was charged with an offense where incriminating information was rooted out by the hacker introducing a Trojan into the offender’s system. The appeal court found it would be improper for a government agency to indulge in hacking and evidence gained in this way could not be used in court. But since the hacker in this case was not directly employed by the government (although he considered himself to be working on their behalf) his evidence was ruled admissible.
Images which the former judge downloaded had a Trojan attached to them by the hacker, who used the vulnerability to read other material on the offender’s computer.
The anti-hacking provisions of the Crimes Act are still relatively untried, says lawyer Craig Horrocks, of Clendon Feeney, so there is some doubt whether a particular act of hacking could even be demonstrated to be illegal. Assuming such evidence to be admissible does open the danger of “vigilante” activity of the kind evident in the US case, he says.
In the local case, a Christchurch man, Lance Thomas Priestly, was convicted of possessing objectionable material. His arrest followed information from a Christchurch computer company to which Priestly took his hard disk for repair.
The acting director of the department’s gaming and censorship regulation group, Peter Burke, emphasizes that reports of suspected offenses by members of the public are not a breach of privacy. The repair case is straightforward, since the Privacy Act has exemptions for cases where maintenance of the law or furtherance of a prosecution “for an offense carrying a pecuniary penalty” is at issue.
“There is a common misconception that reporting a possible crime is a breach of privacy laws. It is not. If you see a burglary and report it to the police you are acting as a responsible citizen and are helping protect someone’s property,” Burke says in a statement on the Priestly case. “If you find information about movies or pictures of children being sexually abused or sexually posed and you report that, then you are being a responsible member of the community by helping protect children.”
The DIA, however, declines comment on the acceptability of hacker assistance in tracking down the kind of illegal online activity it pursues.