Following on from my earlier post regarding Nicky Hager’s new book, Dirty Politics, there’s the issue of Cameron Slater and Jason Ede accessing the Labour Party computer system. The Greens have filed a police complaint, but was a crime committed?
In the NZ Herald, John Armstrong states that:
The allegation that one of John Key’s minions hacked into the Labour Party’s database is – to put it bluntly – the modern-day equivalent of the 1972 burglary of the Democratic Party’s national committee headquarters in the Watergate complex in Washington.
Well, it’s not really hacking. I remember Cameron Slater blogging about what he’d done, back in 2011. No security was bypassed. No hacking required. Essentially, Labour left their system open to the world.
Over at The Standard, Rocky (in her blog post entitled “But the door was open…“) seems convinced that Slater and Ede would fall foul of s 249 of the Crimes Act – accessing a computer system for dishonest purpose – which reads:
(1) Every one is liable to imprisonment for a term not exceeding 7 years who, directly or indirectly, accesses any computer system and thereby, dishonestly or by deception, and without claim of right,—
(a) obtains any property, privilege, service, pecuniary advantage, benefit, or valuable consideration; or
(b) causes loss to any other person.
(2) Every one is liable to imprisonment for a term not exceeding 5 years who, directly or indirectly, accesses any computer system with intent, dishonestly or by deception, and without claim of right,—
(a) to obtain any property, privilege, service, pecuniary advantage, benefit, or valuable consideration; or
(b) to cause loss to any other person.
I’m unconvinced. There’s no “loss” to Labour, and I just don’t see that a court would find that snooping through Labour’s databases can be seen to fall under the ambit of obtaining or having the intent to obtain “any property, privilege, service, pecuniary advantage, benefit, or valuable consideration”. The language is that of obtaining financial advantage, which just doesn’t appear to apply in this situation.
Unfortunately, there’s almost no case law in this area, so it’s difficult to say just what a court’s interpretation might be in this sort of scenario. Could Slater be said to have obtained a “benefit” through accessing the Labour website? It’s conceivable. Labour’s embarrassment and the flow on increase in hits to the Whaleoil website might be considered a “benefit”. However, I don’t believe it’s as open and shut as Rocky posits.
There’s a better argument in favour of a prosecution under s 252 of the Crimes Act – accessing a computer system without authorisation – which reads:
(1) Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.
(2) To avoid doubt, subsection (1) does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access.
On the face of it, you’d have to assume that Slater and, allegedly, Ede would be toast – they’ve intentionally accessed membership and donations databases without authorisation, knowing they’re not authorised. However, lawyer Graeme Edgeler comments on Dr Nicole Moreham’s blog post at Public Address, providing an interesting counter-argument:
The question then is: does Cameron Slater have authority to access the server that hosts the Labour Party website? Well, it’s a publicly available website, that they put up there so that people can go to their website and download stuff from that server into their cache to read on their browsers. If Cameron doesn’t have authority (because, for example, it’s not express authority), I don’t see how any of us can lawfully look at it.
If Cameron, and you and I have authorisation to access the server that hosts labour.org.nz for the purpose of viewing the Labour Party’s website, then is there any basis on which section 252(2) doesn’t come into play if once we access the server, we do things that it was not intended we should do?
Obviously, if once there, those unauthorised things we are doing on that computer system (which we are authorised to access for other purposes), we do things for other reasons, eg to cause damage to the site, or to do something dishonest etc. other computer crimes may arise (such as section 249, or section 250). These offences can be committed on computer systems you have been authorised to access, because they don’t include something equivalent to section 252(2), but there has been no suggestion to date that Cameron Slater or Jason Ede (or anyone else) accessed the Labour server in a way which might give rise to an offence under s 249 or s 250.
There may still be privacy issues, but I’m tending to the view that what has been alleged is not a breach of section 252, because of subsection 2. I think we all have authorisation to access the computer system which operates as the server hosting the Labour Party website.
Nonetheless, regardless of whether we’ve all got authorisation to access the Labour Party website, Slater’s posts of the time, and Ede’s Facebook/email correspondence with Slater, make it plain that they knew they were accessing something that the Labour Party did not want accessed by the general public.
To me, that clearly brings s 252(2) into play – you’ve got authorisation to surf the Labour Party website, but when you stumble on (or are tipped off about) a publicly accessible backdoor route into membership and donation databases, it should be obvious that you’ve gone beyond the purpose of access, thus negating the right of access you previously had.
Frankly, I don’t think Graeme Edgeler’s proposed defence would fly.
Which means we now await the outcome of the Police complaint, and see who they agree with…
Occasionally Erudite Publications 
Is it me or you? I interpret 252(2) in completely the opposite way you appear to. It states 252(1) does not apply in the instance where you have authorisation for one purpose but use it for another. Therefore the sanctions in 252(1) do NOT apply.
You’re quite right, Alan. Poring back over what I’d written in my last few paragraphs, I’m at a loss as to quite how I came to the conclusion I did.
I’d still argue that Graeme’s proposed defence isn’t a flyer, but for quite a different reason. Section 252(2) refers to a change in “purpose”, having received authorised access. However, Slater’s correspondence with both Bhatnagar and Ede clearly show that Slater and Ede knew that they had no authorisation, whether explicit or implicit, to access the exposed databases.
Nonetheless, my initial reason for rejecting Graeme’s proposed defence is quite plainly wrong, and thanks for pointing out the glaring flaw in my interpretation.
(I’d note that Graeme himself has resiled from his proposed defence (see the comments thread in the Public Address post), but on quite different grounds. Namely, Felix Geiringer points out that s 248(b) defines a computer system to include any part of a computer system, meaning that an offence can be committed in s 252(1) in relation to part of a system rather than the whole system. The s 252(2) question becomes whether there was authorisation to access that part of the system that was accessed. Felix notes:
“Under the interpretation [Graeme sets] out, for example, anyone with a Google account could hack into anyone else’s Google account with impunity, as long as they were both on the same server.”)
The difficulty with your interpretation is that it would be impossible for anyone to know they didn’t have authorised access to the file until they had discovered what was in the file by accessing it.
So I don’t see how a prosecution could succeed given that these clowns had apparently put the file up on a public website in an open directory.
But that’s the distinction between Bhatnagar’s initial discovery of the open-for-access databases vs Slater and Ede’s later access, with their communication confirming that they knew they had no authorisation.
I’d argue that Bhatnagar would be safe, whereas there’s a definite case to be made against Slater.
At the end of the day though (since that phrase is suddenly so popular), there are some huge interpretation questions that the Court has never previously ruled on, so who knows which way a Court would swing…
I think Slater could still argue that he needed to access the files to check if the security breach had been closed before he went public with denouncing it. I can’t imagine a court convicting on that so long as he didn’t misuse or distribute the content.
Actually, I think Slater has an even stronger defence. He found he was authorised by Labour to access the files but he knew he should not have been. He therefore denounced that error.
Well, that’s certainly another way to look at the situation. Now we just need Police to charge Slater, Bhatnagar and Ede, to find out how the Court will interpret everything, and what defence(s) he or they would run!
The situation appears almost identical to that of the person who accessed confidential material via improperly secured WINZ info kiosks. In both cases confidential information was left open and accessible to the public on a public server. In both cases it was accessed and viewed, and subsequently used to embarrass those responsible for their abysmal lack of security. As I recall the police did not seek to prosecute in the WINZ case.
Slater has also laid a complaint over the stealing of his email – a much more clearly criminal act. It will be interesting to see what the police do. A decision to proceed on one complaint but not the other may be seen as politically motivated. I predict they’ll try to delay until after the election.