Legal Beagle by Graeme Edgeler


Cameron Slater: computer hacker?

In September last year, David Parker laid a complaint with the Police about a supposed “hack” of the Labour Party website by Whaleoil blogger Cameron Slater. On Friday, Police released a letter explaining that their investigation was over, and they were satisfied that “there was no evidence of criminal offending”. They considered that while the matter “may raise privacy and ethical issues, these are not the domain of the criminal law.”

I will be clear: based on what I understand occurred, I do not think Cameron Slater’s “hack” of the Labour Party server donor’s list was criminal. I think an interpretation of the law that would mean that what I understand Cameron did was criminal would make illegal a lot of things that I do not think should be illegal, and think that we should be reluctant to interpret the particulars laws in play here in a way that would render a great deal of ordinary computer use subject to prosecution.

The possible offence we are considering is the offence against section 252 of the Crimes Act: accessing a computer system without authorisation. You commit a crime if you:

  • intentionally access (directly or indirectly)
  • any computer system
  • without authorisation
  • and you either know that you are not authorised to access that computer system, or are reckless as to whether or you are authorised to access that computer system.”

But the law comes with a caveat: this offence is not committed “if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access.”

For me, this subsection means that Cameron, who was, like the rest of us, authorised to go to Labour’s server to look at Labour’s website, was not committing a crime by looking at the other files that Labour had left open to view on their server.

But I have to concede that my interpretation has problems. I have authorisation from Google to access its servers to check my gmail account. I do not have authorisation from Google to access their servers to read your gmail account, but the interpretation I favour does mean that my hacking a gmail account of someone else, which I clearly have no right to access, may not be criminal (although there are other offences that might be committed if there's dishonesty involved, or I cause damage) because I would be accessing gmail’s servers (which I am authorised to do, to read my emails) for a purpose other than the one for which I was given access.

And there are arguments for an alternative interpretation of the law. The definition of computer system is open to some interpretation

computer system—

(a) means—

(i) a computer; or

(ii) 2 or more interconnected computers; or

(iii) any communication links between computers or to remote terminals or another device; or

(iv) 2 or more interconnected computers combined with any communication links between computers or to remote terminals or any other device; and

(b) includes any part of the items described in paragraph (a) and all related input, output, processing, storage, software, or communication facilities, and stored data.

You will note that “computer system” includes “any part” of a computer system.

The drafting of the definition in this way is, I think, intended to forestall arguments that someone has not accessed a computer system because all they actually did was access some small part of it. The argument “I didn’t access their computer system, all I did was access their hard drive” doesn’t fly.

But the definition can be argued the other way. The part of the gmail servers that contain your gmail account, is defined as a computer system. I may have permission to access other computer systems owned by Google, like the parts of their servers that contain my gmail account, but I lack authorisation to access that part which contains your (which, under this interpretation, is a separate computer system), and I could thus commit a crime if I access it.

I think this interpretation proves too much, in that it would render the caveat almost meaningless. If your work denies you permission to access the part of the hard drive which contains solitaire, but you play solitaire anyway, I think your actions should be protected by that caveat: you have permission to use your work computer, and your use it for a purpose other than work, may be an employment breach, which if serious enough, or repeated enough, might be grounds for termination, I don’t think it should be criminal.

But I have to concede that the argument can be made, and that my position does, in some respects, try to narrow the definition of computer system which might be seen as clear.

Which brings me back to the police investigation. The Police have said they don’t consider there was crime. That conclusion accords with my view, but the debate is a legal one.

I have been asked a few times about the possibility of private prosecutions arising from Nicky Hager’s Dirty Politics. My advice is generally that prosecuting is hard: the defendant has a right to silence, you have to prove things beyond reasonable doubt, and private prosecutors can’t get search warrants. Dirty Politics contained several claims that could be allegations of criminal activity, but they will be difficult to prove without the coercive powers of the state.

But that caution doesn’t apply here. There is little if any factual dispute about what has happened here. It is not going to be difficult to prove that Cameron accessed the Labour Party website, or how it was done: Cameron published a video showing how he was able to access the information Labour had on its server. It is still online now.

What is left is a legal argument over whether what has been admitted amounts to criminal conduct.

Like I have said, I don’t think what Cameron explains doing in that video is criminal, but I know that some people in whose legal judgment I ordinarily place much confidence disagree with me, so I have to be open to the alternative view. If Labour seriously considers that what Cameron Slater did in accessing their server amounts to criminal hacking, a private prosecution to resolve the question will not be difficult.

I hope that, absent new evidence, a prosecution would fail, but for those who disagree with my view, the way forward is clear.

96 responses to this post

First ←Older Page 1 2 3 4 Newer→ Last