Following on from my earlier post regarding Nicky Hager’s new book, Dirty Politics, there’s the issue of Cameron Slater and Jason Ede accessing the Labour Party computer system. The Greens have filed a police complaint, but was a crime committed?
In the NZ Herald, John Armstrong states that:
The allegation that one of John Key’s minions hacked into the Labour Party’s database is – to put it bluntly – the modern-day equivalent of the 1972 burglary of the Democratic Party’s national committee headquarters in the Watergate complex in Washington.
Well, it’s not really hacking. I remember Cameron Slater blogging about what he’d done, back in 2011. No security was bypassed. No hacking required. Essentially, Labour left their system open to the world.
Over at The Standard, Rocky (in her blog post entitled “But the door was open…”) seems convinced that Slater and Ede would fall foul of s 249 of the Crimes Act – accessing a computer system for dishonest purpose – which reads:
(1) Every one is liable to imprisonment for a term not exceeding 7 years who, directly or indirectly, accesses any computer system and thereby, dishonestly or by deception, and without claim of right,—
(a) obtains any property, privilege, service, pecuniary advantage, benefit, or valuable consideration; or
(b) causes loss to any other person.
(2) Every one is liable to imprisonment for a term not exceeding 5 years who, directly or indirectly, accesses any computer system with intent, dishonestly or by deception, and without claim of right,—
(a) to obtain any property, privilege, service, pecuniary advantage, benefit, or valuable consideration; or
(b) to cause loss to any other person.
I’m unconvinced. There’s no “loss” to Labour, and I just don’t see that a court would find that snooping through Labour’s databases can be seen to fall under the ambit of obtaining or having the intent to obtain “any property, privilege, service, pecuniary advantage, benefit, or valuable consideration”. The language is that of obtaining financial advantage, which just doesn’t appear to apply in this situation.
Unfortunately, there’s almost no case law in this area, so it’s difficult to say just what a court’s interpretation might be in this sort of scenario. Could Slater be said to have obtained a “benefit” through accessing the Labour website? It’s conceivable. Labour’s embarrassment and the flow-on increase in hits to the Whaleoil website might be considered a “benefit”. However, I don’t believe it’s as open-and-shut as Rocky posits.
There’s a better argument in favour of a prosecution under s 252 of the Crimes Act – accessing a computer system without authorisation – which reads:
(1) Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.
(2) To avoid doubt, subsection (1) does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access.
On the face of it, you’d have to assume that Slater and, allegedly, Ede would be toast – they’ve intentionally accessed membership and donations databases without authorisation, knowing they’re not authorised. However, lawyer Graeme Edgeler comments on Dr Nicole Moreham’s blog post at Public Address, providing an interesting counter-argument:
The question then is: does Cameron Slater have authority to access the server that hosts the Labour Party website? Well, it’s a publicly available website, that they put up there so that people can go to their website and download stuff from that server into their cache to read on their browsers. If Cameron doesn’t have authority (because, for example, it’s not express authority), I don’t see how any of us can lawfully look at it.
If Cameron, and you and I have authorisation to access the server that hosts labour.org.nz for the purpose of viewing the Labour Party’s website, then is there any basis on which section 252(2) doesn’t come into play if once we access the server, we do things that it was not intended we should do?
Obviously, if once there, those unauthorised things we are doing on that computer system (which we are authorised to access for other purposes), we do things for other reasons, eg to cause damage to the site, or to do something dishonest etc., other computer crimes may arise (such as section 249, or section 250). These offences can be committed on computer systems you have been authorised to access, because they don’t include something equivalent to section 252(2), but there has been no suggestion to date that Cameron Slater or Jason Ede (or anyone else) accessed the Labour server in a way which might give rise to an offence under s 249 or s 250.
There may still be privacy issues, but I’m tending to the view that what has been alleged is not a breach of section 252, because of subsection 2. I think we all have authorisation to access the computer system which operates as the server hosting the Labour Party website.
Nonetheless, regardless of whether we’ve all got authorisation to access the Labour Party website, Slater’s posts of the time, and Ede’s Facebook/email correspondence with Slater, make it plain that they knew they were accessing something that the Labour Party did not want accessed by the general public.
To me, that clearly brings s 252(2) into play – you’ve got authorisation to surf the Labour Party website, but when you stumble on (or are tipped off about) a publicly accessible backdoor route into membership and donation databases, it should be obvious that you’ve gone beyond the purpose of access, thus negating the right of access you previously had.
Frankly, I don’t think Graeme Edgeler’s proposed defence would fly.
Which means we now await the outcome of the Police complaint, and see who they agree with…