Cameron Slater: computer hacker?

10:00 Aug 2, 2015 96

In September last year, David Parker laid a complaint with the Police about a supposed “hack” of the Labour Party website by Whaleoil blogger Cameron Slater. On Friday, Police released a letter explaining that their investigation was over, and they were satisfied that “there was no evidence of criminal offending”. They considered that while the matter “may raise privacy and ethical issues, these are not the domain of the criminal law.”

I will be clear: based on what I understand occurred, I do not think Cameron Slater’s “hack” of the Labour Party server donor’s list was criminal. I think an interpretation of the law that would mean that what I understand Cameron did was criminal would make illegal a lot of things that I do not think should be illegal, and think that we should be reluctant to interpret the particulars laws in play here in a way that would render a great deal of ordinary computer use subject to prosecution.

The possible offence we are considering is the offence against section 252 of the Crimes Act: accessing a computer system without authorisation. You commit a crime if you:

intentionally access (directly or indirectly)
any computer system
without authorisation
and you either know that you are not authorised to access that computer system, or are reckless as to whether or you are authorised to access that computer system.”

But the law comes with a caveat: this offence is not committed “if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access.”

For me, this subsection means that Cameron, who was, like the rest of us, authorised to go to Labour’s server to look at Labour’s website, was not committing a crime by looking at the other files that Labour had left open to view on their server.

But I have to concede that my interpretation has problems. I have authorisation from Google to access its servers to check my gmail account. I do not have authorisation from Google to access their servers to read your gmail account, but the interpretation I favour does mean that my hacking a gmail account of someone else, which I clearly have no right to access, may not be criminal (although there are other offences that might be committed if there's dishonesty involved, or I cause damage) because I would be accessing gmail’s servers (which I am authorised to do, to read my emails) for a purpose other than the one for which I was given access.

And there are arguments for an alternative interpretation of the law. The definition of computer system is open to some interpretation

computer system—

(a) means—

(i) a computer; or

(ii) 2 or more interconnected computers; or

(iii) any communication links between computers or to remote terminals or another device; or

(iv) 2 or more interconnected computers combined with any communication links between computers or to remote terminals or any other device; and

(b) includes any part of the items described in paragraph (a) and all related input, output, processing, storage, software, or communication facilities, and stored data.

You will note that “computer system” includes “any part” of a computer system.

The drafting of the definition in this way is, I think, intended to forestall arguments that someone has not accessed a computer system because all they actually did was access some small part of it. The argument “I didn’t access their computer system, all I did was access their hard drive” doesn’t fly.

But the definition can be argued the other way. The part of the gmail servers that contain your gmail account, is defined as a computer system. I may have permission to access other computer systems owned by Google, like the parts of their servers that contain my gmail account, but I lack authorisation to access that part which contains your (which, under this interpretation, is a separate computer system), and I could thus commit a crime if I access it.

I think this interpretation proves too much, in that it would render the caveat almost meaningless. If your work denies you permission to access the part of the hard drive which contains solitaire, but you play solitaire anyway, I think your actions should be protected by that caveat: you have permission to use your work computer, and your use it for a purpose other than work, may be an employment breach, which if serious enough, or repeated enough, might be grounds for termination, I don’t think it should be criminal.

But I have to concede that the argument can be made, and that my position does, in some respects, try to narrow the definition of computer system which might be seen as clear.

Which brings me back to the police investigation. The Police have said they don’t consider there was crime. That conclusion accords with my view, but the debate is a legal one.

I have been asked a few times about the possibility of private prosecutions arising from Nicky Hager’s Dirty Politics. My advice is generally that prosecuting is hard: the defendant has a right to silence, you have to prove things beyond reasonable doubt, and private prosecutors can’t get search warrants. Dirty Politics contained several claims that could be allegations of criminal activity, but they will be difficult to prove without the coercive powers of the state.

But that caution doesn’t apply here. There is little if any factual dispute about what has happened here. It is not going to be difficult to prove that Cameron accessed the Labour Party website, or how it was done: Cameron published a video showing how he was able to access the information Labour had on its server. It is still online now.

What is left is a legal argument over whether what has been admitted amounts to criminal conduct.

Like I have said, I don’t think what Cameron explains doing in that video is criminal, but I know that some people in whose legal judgment I ordinarily place much confidence disagree with me, so I have to be open to the alternative view. If Labour seriously considers that what Cameron Slater did in accessing their server amounts to criminal hacking, a private prosecution to resolve the question will not be difficult.

I hope that, absent new evidence, a prosecution would fail, but for those who disagree with my view, the way forward is clear.

96 responses to this post

First ←Older Page 1 2 3 4 Newer→ Last

Graeme Edgeler, 10:44 Aug 2, 2015

Video embed now fixed :-)

Wellington, New Zealand • Since Nov 2006 • 3215 posts Report
Sacha, 10:46 Aug 2, 2015

A useful Standard post discusses why it probably *is* a prosecutable offence.
If it is true that there is no precedent around this issue, why would Police err on the side of not referring the matter to a court given there is doubt including public statements by at least a few lawyers?

Ak • Since May 2008 • 19745 posts Report
Thomas Lumley, 11:07 Aug 2, 2015

Some sort of definition or interpretation of unauthorised access based on circumventing security seems like it would be useful. If you use someone else's password without their permission to log in to their gmail account, that's unauthorised access even if you also have a gmail account. If your computer was set up so that playing solitaire required an administrator password, then using your boss's password would be unauthorised access.
I say definition or interpretation because I don't know if this is something that would need a law change or whether the courts could do it.
This still wouldn't make clear whether it was an offence to access files that were open on the Labour Party server but without links, and where access was fairly obviously not intended. It's similar to the situation when Keith Ng (inscrutable hacker and master of disguise) showed the WINZ documents were accessible on their kiosk systems. Personally, I'd prefer that not to be illegal, but I don't think it would be as indefensible as your solitaire example.

Auckland • Since Feb 2013 • 50 posts Report
Rob Stowell, 11:49 Aug 2, 2015

Fair enough for a legal opinion. I think motive should be relevant here but that's still skirting the biggest issue. Which is Jason Eade and the PM's dept's role.
How do you feel about a public servant doing this 'work'? Eade was scooted onto the national party's payroll but I understand much of his time on the 9th floor was as a public servant.

Whakaraupo • Since Nov 2006 • 2120 posts Report
Graeme Edgeler, in reply to Thomas Lumley, 12:03 Aug 2, 2015

It’s similar to the situation when Keith Ng (inscrutable hacker and master of disguise) showed the WINZ documents were accessible on their kiosk systems. Personally, I’d prefer that not to be illegal, but I don’t think it would be as indefensible as your solitaire example.
Agreed. I can’t come up with a consistent interpretation of the law that would mean that what Cameron Slater admits doing was criminal, but that what Keith Ng admits doing was not.

Wellington, New Zealand • Since Nov 2006 • 3215 posts Report
Alfie, in reply to Thomas Lumley, 12:04 Aug 2, 2015

If you use someone else's password without their permission to log in to their gmail account, that's unauthorised access even if you also have a gmail account.
My interpretation of Slater and Ede's access in this case is the equivalent of someone putting a sticky note on their monitor which says Gmail password in large letters. While the account owner's incompetence obviously makes it easy for anyone to access their email, there comes a point when your actions become illegal. If you download sensitive information from the account and republish this or use it for commercial gain, that's surely illegal.
Slater earns a living from his site. Republishing data he could reasonably assume to be private and confidential could be seen as making commercial gain. In his video he states the numbers of credit cards in two files, proving that he downloaded and accessed that info.
Ede worked for the PM at the time. By knowingly downloading credit card data from his employer's opponents, he realised that he was breaking the law and his subsequent boasts about using dynamic IP addresses proves this.
The world is full of badly secured websites. While I would have expected the Labour Party to be a bit smarter in this regard, I have no doubt that both Slater and Ede knew they were downloading and using private information and I would like to have seen this matter tested in court.

Dunedin • Since May 2014 • 1440 posts Report
Sacha, in reply to Thomas Lumley, 12:27 Aug 2, 2015

where access was fairly obviously not intended.
That seems like a crucial test. How the Police were satisfied it did not even apply to credit card transactions etc mystifies me. I'd rather their assumptions were tested in court.

Ak • Since May 2008 • 19745 posts Report
Sacha, in reply to Alfie, 12:28 Aug 2, 2015

I would like to have seen this matter tested in court.
snap

Ak • Since May 2008 • 19745 posts Report
Russell Brown, 12:49 Aug 2, 2015

I think an interpretation of the law that would mean that what I understand Cameron did was criminal would make illegal a lot of things that I do not think should be illegal, and think that we should be reluctant to interpret the particulars laws in play here in a way that would render a great deal of ordinary computer use subject to prosecution.
I think this is the key thing.
I once wrote a story on the basis of a company's work-in-progress that was sitting unsecured on the internet (albeit in a fashion that would make Labour's server look like Fort Knox).
The parent company sued me and my employer for everything they could think of (including, for some reason, "conversion"). It came to nothing in the end, but I'm very bloody glad they didn't have the option of a criminal complaint.

Auckland • Since Nov 2006 • 22850 posts Report
steve black, 13:16 Aug 2, 2015

I’m wondering how the new CyberBullying law
Herald Article announces passage of new law
might enter into this scenario. As The Herald says (not that they are the ultimate interpreters of what a law means):
New cyberbullying law will create a criminal offence of intentionally causing harm by posting a digital communication, punishable by up to two years’ imprisonment or a maximum fine of $50,000.
So would what Cameron did be seen as “intentionally causing harm by posting a digital communication” if he did it again this week? What is the test of “harm”, and did he do “harm” to the Labour Party? Can you harm an individual? A company? A political party?

sunny mt albert • Since Jan 2007 • 116 posts Report
Nick Kearney, in reply to steve black, 14:37 Aug 2, 2015

No, no, yes, no and no.

North Shore, Auckland • Since Nov 2006 • 73 posts Report
Russell Brown, in reply to steve black, 14:38 Aug 2, 2015

So would what Cameron did be seen as “intentionally causing harm by posting a digital communication” if he did it again this week? What is the test of “harm”, and did he do “harm” to the Labour Party? Can you harm an individual? A company? A political party?
He eventually didn't carry through on his threat to republish all of people's private information, but it could be seen that even the threats would cause distress.

Auckland • Since Nov 2006 • 22850 posts Report
Andre terzaghi, in reply to Graeme Edgeler, 16:34 Aug 2, 2015

I'm curious, in some areas of law ideas such as "malice", "public interest" and so on seem to be important factors. Does that not apply here? If not, why not?

Since Aug 2015 • 1 posts Report
nick_w, 16:38 Aug 2, 2015

For me, this subsection means that Cameron, who was, like the rest of us, authorised to go to Labour’s server to look at Labour’s website, was not committing a crime by looking at the other files that Labour had left open to view on their server.
Watching that Youtube video makes this argument difficult to sustain. In it, the healthyhomeshealthykiwis.org.nz domain was found via a tool that identifies other domains on the same IP address. It’s hard to be sure, but this suggests that the domain in question was, at that time, not yet indexed by any search engines and therefore was not intended to be publicly available.
If that is so, it then becomes very difficult to assert that access to the above website was authorised.
Further, I’m not sure I agree with the wording of the following:
…authorised to go to Labour’s server to look at Labour’s website
Firstly, this was a Labour website, not the Labour website (keep in mind that the website in question was ostensibly not public at the time).
Secondly, I think a more reasonable interpretation would be the other way around, where there was authorisation to access a Labour website which was hosted on Labour’s server.

New Zealand • Since Aug 2015 • 4 posts Report
Stephen Judd, in reply to nick_w, 17:47 Aug 2, 2015

It’s hard to be sure, but this suggests that the domain in question was, at that time, not yet indexed by any search engines and therefore was not intended to be publicly available.
I believe the opposite is true: there had been a site in place for that domain in the past, since decommissioned once the relevant campaign was over. Highly likely therefore that it was being indexed by Google.
Also, DNS records are public. It's not unreasonable, having learned of a name, to see what web site if any is being served from it.

Wellington • Since Nov 2006 • 3122 posts Report
Michael Homer, in reply to nick_w, 18:19 Aug 2, 2015

In it, the healthyhomeshealthykiwis.org.nz domain was found via a tool that identifies other domains on the same IP address. It’s hard to be sure, but this suggests that the domain in question was, at that time, not yet indexed by any search engines and therefore was not intended to be publicly available.
It's not a magic tool, you know. The domain demonstrably was indexed or it wouldn't have been in the result list.

Wellington • Since Nov 2006 • 85 posts Report
Stephen Judd, 18:32 Aug 2, 2015

Personally, I think Slater is guilty of being a massive jerk, but if what he did was a criminal offence, a lot of curious poking around is going to be criminalised. The Crimes Act really needs tightening up here, as "unauthorised access" is an unfortunate phrase.

Wellington • Since Nov 2006 • 3122 posts Report
nick_w, in reply to Stephen Judd, 18:59 Aug 2, 2015

I believe the opposite is true: there had been a site in place for that domain in the past, since decommissioned once the relevant campaign was over. Highly likely therefore that it was being indexed by Google.
So it was for a previous campaign; I had wondered where in the timeline the website existed. Still, it makes you wonder why he didn't just use Google to find the website if it was all there - that is why I questioned whether it had been indexed.

New Zealand • Since Aug 2015 • 4 posts Report
Michael Homer, in reply to nick_w, 19:40 Aug 2, 2015

it makes you wonder why he didn’t just use Google to find the website if it was all there
Google doesn't provide a reverse IP lookup, although they presumably have the data to do so.

Wellington • Since Nov 2006 • 85 posts Report
nick_w, in reply to Michael Homer, 20:31 Aug 2, 2015

Google doesn’t provide a reverse IP lookup, although they presumably have the data to do so.
What I meant was whether a simple Google search for "healthy homes for healthy kiwis" or similar would have led to the site. That would certainly have looked even worse.
I bring up the Google thing because I read an article from back when this happened where Cameron Slater claimed that Google had indexed the whole site.
So if the site could not be found via Google but could by a service like MyIPNeighbours, does this allow us to draw inferences about whether or not said access is authorised?

New Zealand • Since Aug 2015 • 4 posts Report
Stephen Judd, 21:00 Aug 2, 2015

Since there was previously a proper site at that domain, as long as there was a web server responding, I imagine Google would have kept indexing whatever it found there.

Wellington • Since Nov 2006 • 3122 posts Report
Michael Homer, in reply to nick_w, 21:03 Aug 2, 2015

So if the site could not be found via Google but could by a service like MyIPNeighbours, does this allow us to draw inferences about whether or not said access is authorised?
No. I don't even see what distinction you could draw between them.

Wellington • Since Nov 2006 • 85 posts Report
izogi, in reply to Alfie, 21:14 Aug 2, 2015

If you download sensitive information from the account and republish this or use it for commercial gain, that’s surely illegal. Slater earns a living from his site. Republishing data he could reasonably assume to be private and confidential could be seen as making commercial gain.
From what I’ve seen of Cameron Slater, I’d find it credible that he did it for political gain, or for fun, or for some sociopathic hatred. Regardless of his reasons and whether he happens to make money on the side or not, the names of thousands of Labour supporters and donors get seen much more publicly than either Labour or those people ever intended, and Labour’s incompetence in keeping that information in an unambiguously secure place shouldn’t be forgotten. Also, if generating income as a consequence is significant, does this also have an effect on the day-to-day actions of more traditional journalism outlets, such as newspapers, whenever they publish things someone didn’t intend to be published?
I do think Rob Stowell made an important point above that the direct involvement of Jason Ede in the PM’s office should really be treated as the greater issue here, whether it’s classed as criminal or simply revolting ethics for senior members of Cabinet and their staff to be participating in everything that was done.

Wellington • Since Jan 2007 • 1142 posts Report
nick_w, in reply to Michael Homer, 21:38 Aug 2, 2015

No. I don’t even see what distinction you could draw between them.
But these two things are not the same: search engines are extremely well known to pretty much everyone; far fewer people would be aware of services like MyIPNeighbours, and how many would even be inclined to use them? Who, aside from the site maintainers, would routinely be checking Labour party IP addresses for legitimate reasons?
What I'm getting at is that just because something could be found on the internet does not necessarily make that access authorised. It's one thing to have found this content accidentally via a Google search or even following an old bookmark, another to have gone looking for it.

New Zealand • Since Aug 2015 • 4 posts Report
Sacha, 21:54 Aug 2, 2015

Most people who visit a website do not feel entitled to delve into its file structure beyond links presented on the surface. Sure not authorised to take whatever they find.
Police (non)prosecutors are making decisions that are courts' to make, not theirs.

Ak • Since May 2008 • 19745 posts Report