Legal Beagle by Graeme Edgeler

Read Post

Legal Beagle: Cameron Slater: computer hacker?

96 Responses

First ←Older Page 1 2 3 4 Newer→ Last

  • Graeme Edgeler,

    Video embed now fixed :-)

    Wellington, New Zealand • Since Nov 2006 • 3202 posts Report Reply

  • Sacha,

    A useful Standard post discusses why it probably *is* a prosecutable offence.

    If it is true that there is no precedent around this issue, why would Police err on the side of not referring the matter to a court given there is doubt including public statements by at least a few lawyers?

    Ak • Since May 2008 • 19680 posts Report Reply

  • Thomas Lumley,

    Some sort of definition or interpretation of unauthorised access based on circumventing security seems like it would be useful. If you use someone else's password without their permission to log in to their gmail account, that's unauthorised access even if you also have a gmail account. If your computer was set up so that playing solitaire required an administrator password, then using your boss's password would be unauthorised access.

    I say definition or interpretation because I don't know if this is something that would need a law change or whether the courts could do it.

    This still wouldn't make clear whether it was an offence to access files that were open on the Labour Party server but without links, and where access was fairly obviously not intended. It's similar to the situation when Keith Ng (inscrutable hacker and master of disguise) showed the WINZ documents were accessible on their kiosk systems. Personally, I'd prefer that not to be illegal, but I don't think it would be as indefensible as your solitaire example.

    Auckland • Since Feb 2013 • 43 posts Report Reply

  • Rob Stowell,

    Fair enough for a legal opinion. I think motive should be relevant here but that's still skirting the biggest issue. Which is Jason Eade and the PM's dept's role.
    How do you feel about a public servant doing this 'work'? Eade was scooted onto the national party's payroll but I understand much of his time on the 9th floor was as a public servant.

    Whakaraupo • Since Nov 2006 • 2090 posts Report Reply

  • Graeme Edgeler, in reply to Thomas Lumley,

    It’s similar to the situation when Keith Ng (inscrutable hacker and master of disguise) showed the WINZ documents were accessible on their kiosk systems. Personally, I’d prefer that not to be illegal, but I don’t think it would be as indefensible as your solitaire example.

    Agreed. I can’t come up with a consistent interpretation of the law that would mean that what Cameron Slater admits doing was criminal, but that what Keith Ng admits doing was not.

    Wellington, New Zealand • Since Nov 2006 • 3202 posts Report Reply

  • Alfie, in reply to Thomas Lumley,

    If you use someone else's password without their permission to log in to their gmail account, that's unauthorised access even if you also have a gmail account.

    My interpretation of Slater and Ede's access in this case is the equivalent of someone putting a sticky note on their monitor which says Gmail password in large letters. While the account owner's incompetence obviously makes it easy for anyone to access their email, there comes a point when your actions become illegal. If you download sensitive information from the account and republish this or use it for commercial gain, that's surely illegal.

    Slater earns a living from his site. Republishing data he could reasonably assume to be private and confidential could be seen as making commercial gain. In his video he states the numbers of credit cards in two files, proving that he downloaded and accessed that info.

    Ede worked for the PM at the time. By knowingly downloading credit card data from his employer's opponents, he realised that he was breaking the law and his subsequent boasts about using dynamic IP addresses proves this.

    The world is full of badly secured websites. While I would have expected the Labour Party to be a bit smarter in this regard, I have no doubt that both Slater and Ede knew they were downloading and using private information and I would like to have seen this matter tested in court.

    Dunedin • Since May 2014 • 1381 posts Report Reply

  • Sacha, in reply to Thomas Lumley,

    where access was fairly obviously not intended.

    That seems like a crucial test. How the Police were satisfied it did not even apply to credit card transactions etc mystifies me. I'd rather their assumptions were tested in court.

    Ak • Since May 2008 • 19680 posts Report Reply

  • Sacha, in reply to Alfie,

    I would like to have seen this matter tested in court.

    snap

    Ak • Since May 2008 • 19680 posts Report Reply

  • Russell Brown,

    I think an interpretation of the law that would mean that what I understand Cameron did was criminal would make illegal a lot of things that I do not think should be illegal, and think that we should be reluctant to interpret the particulars laws in play here in a way that would render a great deal of ordinary computer use subject to prosecution.

    I think this is the key thing.

    I once wrote a story on the basis of a company's work-in-progress that was sitting unsecured on the internet (albeit in a fashion that would make Labour's server look like Fort Knox).

    The parent company sued me and my employer for everything they could think of (including, for some reason, "conversion"). It came to nothing in the end, but I'm very bloody glad they didn't have the option of a criminal complaint.

    Auckland • Since Nov 2006 • 22747 posts Report Reply

  • steve black,

    I’m wondering how the new CyberBullying law

    Herald Article announces passage of new law

    might enter into this scenario. As The Herald says (not that they are the ultimate interpreters of what a law means):

    New cyberbullying law will create a criminal offence of intentionally causing harm by posting a digital communication, punishable by up to two years’ imprisonment or a maximum fine of $50,000.

    So would what Cameron did be seen as “intentionally causing harm by posting a digital communication” if he did it again this week? What is the test of “harm”, and did he do “harm” to the Labour Party? Can you harm an individual? A company? A political party?

    sunny mt albert • Since Jan 2007 • 116 posts Report Reply

  • Nick Kearney, in reply to steve black,

    No, no, yes, no and no.

    North Shore, Auckland • Since Nov 2006 • 73 posts Report Reply

  • Russell Brown, in reply to steve black,

    So would what Cameron did be seen as “intentionally causing harm by posting a digital communication” if he did it again this week? What is the test of “harm”, and did he do “harm” to the Labour Party? Can you harm an individual? A company? A political party?

    He eventually didn't carry through on his threat to republish all of people's private information, but it could be seen that even the threats would cause distress.

    Auckland • Since Nov 2006 • 22747 posts Report Reply

  • Andre terzaghi, in reply to Graeme Edgeler,

    I'm curious, in some areas of law ideas such as "malice", "public interest" and so on seem to be important factors. Does that not apply here? If not, why not?

    Since Aug 2015 • 1 posts Report Reply

  • nick_w,

    For me, this subsection means that Cameron, who was, like the rest of us, authorised to go to Labour’s server to look at Labour’s website, was not committing a crime by looking at the other files that Labour had left open to view on their server.

    Watching that Youtube video makes this argument difficult to sustain. In it, the healthyhomeshealthykiwis.org.nz domain was found via a tool that identifies other domains on the same IP address. It’s hard to be sure, but this suggests that the domain in question was, at that time, not yet indexed by any search engines and therefore was not intended to be publicly available.

    If that is so, it then becomes very difficult to assert that access to the above website was authorised.

    Further, I’m not sure I agree with the wording of the following:

    …authorised to go to Labour’s server to look at Labour’s website

    Firstly, this was a Labour website, not the Labour website (keep in mind that the website in question was ostensibly not public at the time).

    Secondly, I think a more reasonable interpretation would be the other way around, where there was authorisation to access a Labour website which was hosted on Labour’s server.

    New Zealand • Since Aug 2015 • 4 posts Report Reply

  • Stephen Judd, in reply to nick_w,

    It’s hard to be sure, but this suggests that the domain in question was, at that time, not yet indexed by any search engines and therefore was not intended to be publicly available.

    I believe the opposite is true: there had been a site in place for that domain in the past, since decommissioned once the relevant campaign was over. Highly likely therefore that it was being indexed by Google.

    Also, DNS records are public. It's not unreasonable, having learned of a name, to see what web site if any is being served from it.

    Wellington • Since Nov 2006 • 3122 posts Report Reply

  • Michael Homer, in reply to nick_w,

    In it, the healthyhomeshealthykiwis.org.nz domain was found via a tool that identifies other domains on the same IP address. It’s hard to be sure, but this suggests that the domain in question was, at that time, not yet indexed by any search engines and therefore was not intended to be publicly available.

    It's not a magic tool, you know. The domain demonstrably was indexed or it wouldn't have been in the result list.

    Wellington • Since Nov 2006 • 82 posts Report Reply

  • Stephen Judd,

    Personally, I think Slater is guilty of being a massive jerk, but if what he did was a criminal offence, a lot of curious poking around is going to be criminalised. The Crimes Act really needs tightening up here, as "unauthorised access" is an unfortunate phrase.

    Wellington • Since Nov 2006 • 3122 posts Report Reply

  • nick_w, in reply to Stephen Judd,

    I believe the opposite is true: there had been a site in place for that domain in the past, since decommissioned once the relevant campaign was over. Highly likely therefore that it was being indexed by Google.

    So it was for a previous campaign; I had wondered where in the timeline the website existed. Still, it makes you wonder why he didn't just use Google to find the website if it was all there - that is why I questioned whether it had been indexed.

    New Zealand • Since Aug 2015 • 4 posts Report Reply

  • Michael Homer, in reply to nick_w,

    it makes you wonder why he didn’t just use Google to find the website if it was all there

    Google doesn't provide a reverse IP lookup, although they presumably have the data to do so.

    Wellington • Since Nov 2006 • 82 posts Report Reply

  • nick_w, in reply to Michael Homer,

    Google doesn’t provide a reverse IP lookup, although they presumably have the data to do so.

    What I meant was whether a simple Google search for "healthy homes for healthy kiwis" or similar would have led to the site. That would certainly have looked even worse.

    I bring up the Google thing because I read an article from back when this happened where Cameron Slater claimed that Google had indexed the whole site.

    So if the site could not be found via Google but could by a service like MyIPNeighbours, does this allow us to draw inferences about whether or not said access is authorised?

    New Zealand • Since Aug 2015 • 4 posts Report Reply

  • Stephen Judd,

    Since there was previously a proper site at that domain, as long as there was a web server responding, I imagine Google would have kept indexing whatever it found there.

    Wellington • Since Nov 2006 • 3122 posts Report Reply

  • Michael Homer, in reply to nick_w,

    So if the site could not be found via Google but could by a service like MyIPNeighbours, does this allow us to draw inferences about whether or not said access is authorised?

    No. I don't even see what distinction you could draw between them.

    Wellington • Since Nov 2006 • 82 posts Report Reply

  • izogi, in reply to Alfie,

    If you download sensitive information from the account and republish this or use it for commercial gain, that’s surely illegal. Slater earns a living from his site. Republishing data he could reasonably assume to be private and confidential could be seen as making commercial gain.

    From what I’ve seen of Cameron Slater, I’d find it credible that he did it for political gain, or for fun, or for some sociopathic hatred. Regardless of his reasons and whether he happens to make money on the side or not, the names of thousands of Labour supporters and donors get seen much more publicly than either Labour or those people ever intended, and Labour’s incompetence in keeping that information in an unambiguously secure place shouldn’t be forgotten. Also, if generating income as a consequence is significant, does this also have an effect on the day-to-day actions of more traditional journalism outlets, such as newspapers, whenever they publish things someone didn’t intend to be published?

    I do think Rob Stowell made an important point above that the direct involvement of Jason Ede in the PM’s office should really be treated as the greater issue here, whether it’s classed as criminal or simply revolting ethics for senior members of Cabinet and their staff to be participating in everything that was done.

    Wellington • Since Jan 2007 • 1139 posts Report Reply

  • nick_w, in reply to Michael Homer,

    No. I don’t even see what distinction you could draw between them.

    But these two things are not the same: search engines are extremely well known to pretty much everyone; far fewer people would be aware of services like MyIPNeighbours, and how many would even be inclined to use them? Who, aside from the site maintainers, would routinely be checking Labour party IP addresses for legitimate reasons?

    What I'm getting at is that just because something could be found on the internet does not necessarily make that access authorised. It's one thing to have found this content accidentally via a Google search or even following an old bookmark, another to have gone looking for it.

    New Zealand • Since Aug 2015 • 4 posts Report Reply

  • Sacha,

    Most people who visit a website do not feel entitled to delve into its file structure beyond links presented on the surface. Sure not authorised to take whatever they find.

    Police (non)prosecutors are making decisions that are courts' to make, not theirs.

    Ak • Since May 2008 • 19680 posts Report Reply

First ←Older Page 1 2 3 4 Newer→ Last

Post your response…

Please sign in using your Public Address credentials…

Login

You may also create an account or retrieve your password.