Legitimate communications techniques and software routinely used in enabling an organisation’s IT to function safely will be rendered technically illegal by provisions in the Crimes Amendment (No 6) Bill, frequently called the “anti-hacking” bill.
So says Auckland University senior commercial law lecturer Chris Nicoll in the March issue of the New Zealand Law Journal.
He cites the example of a simple ping or trace-route to establish the status of a remote computer or the efficiency of the link to it. A litigious or vindictive owner of the target machine might construe this as an unauthorised intrusion into the system. And the sale of a security testing program such as Satan might be interpreted as offering for sale software which could be used for a criminal purpose.
Internet cookies and some versions of Microsoft’s Registration Wizard might also be judged to be on the wrong side of the law, Nicoll suggests.
The Crimes Amendment Bill and several other bills currently before parliament reflect the view that “what holds offline should also hold online”, he says. A recent international study has called this “a romantic and outdated concept”. In the case of trespassing on private land, the fact and intention of access and a lack of authorisation to do so are comparatively easily defined, Nicoll says. Either is more complex in the computer and network realm. Explicit authority will sometimes not have been given, with entry permitted by default, as in the case of a ping or trace-route. These are seldom blocked “because they are forms of access that it is in the ‘enlightened self-interest’ of users to perpetuate”, Nicoll writes.
Much in computer networks goes on without the user knowing, or wanting to know, the technicalities, he says. “The process of inferring authority will be complicated further where the owner of the system had no idea of the form the access took, and has to speculate on whether he would have given authorisation if he had known ... Because cookies can be blocked by more recent browser software one would think it is safe to infer authorisation where the blocking option has not been selected.” But recent European legal opinion “suggests there would be no unanimity on this question”.
Clause 252, a late introduction to the bill, criminalises the selling of software “that [the seller] holds out as being useful for the commission of a crime, whether or not he or she also holds it out as being useful for any other purpose”.
This statement is “an unacceptable form of censorship, because it prevents the factual description of a product”, Nicoll says.
“There is a world of difference between telling the public that a product can be used for an illegal purpose, and encouraging or inciting its use for that purpose.”