Hacker convicted

A man has been pleaded guilty in the Queenstown District Court of intentionally accessing a computer system at the hostel he was staying at:

Schiavini had used his computer to access the wireless network at the hostel, where he was staying, and gained further access to the internal reservation system. He managed to access his own reservation, and left a message there to let the lodge know he had gained access.

At first, it sounds innocent enough – especially as the article goes on to say:

He then approached management to tell them about the security breach in their system, and told them how to fix the flaw. When management had repaired the breach, they approached him to ask if he could gain access again. He tried, but was this time unsuccessful.

Now if that was all that had happened, receiving a criminal conviction would seem harsh. However, the hostel’s website gives some important additional detail not in the news report:

In summary, he broke into our encrypted wireless network, downloaded 80Gb of ‘data’, and a copy of the our database for further study. He then decided to tell us assuming that by telling us that all would be made good.

Which puts a somewhat different light on it. As the oft-cited analogy says, just because you see someone has left their house unlocked doesn’t mean you can enter and leave a note in their bedroom to notify the owner.

Sadly many judgments are still not online in New Zealand, so we can’t read the judgment. But the charge was likely to have been under s 252 of the Crimes Act:

Accessing computer system without authorisation
Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.

Note there is no white hat or good samaritan exemption to that law – and perhaps there should be…

As a side-issue, if (hypothetically) all the man had accessed was his own information, I wonder if his lawyer might have successfully defended the charge on the grounds that he was authorised under the Privacy Act, principle 6 of which states:

Where an agency holds personal information in such a way that it can readily be retrieved, the individual concerned shall be entitled … to have access to that information.

The hostel is an “agency” under the Act, and the booking information is likely to include personal information gathered from the man. It could just be enough to escape a conviction.

The long reach of the e-law

The global reach of the internet sometimes creates practical difficulties for law enforcement and, for private litigants, in “getting a remedy”. In essence, one country’s laws do not have (without special arrangements) “extraterritorial” effect in another country. But that does not mean that just because something or someone is located overseas, a court in another country cannot claim jurisdiction.

This issue has arisen several times in defamation proceedings, where a person complains that they have been defamed in another country, even though they would not be able to sue for defamation in that second country. A few years back, an Australian court ruled that an article posted on the internet is considered published wherever it is downloaded. So an article written in the United States by a US citizen, and not actionable in the US, could be actionable in Australia if it is defamatory under Australian law.

Another example, this time involving criminal law, is currently underway with the Australian Human Rights Commission threatening to lay charges against the US-based operator of Encyclopedia Dramatica over an offensive entry on Aborigines.

Similarly, a UK court recently confirmed that English criminal law can apply to internet content accessible in the UK, regardless of where in the world it is hosted. Meanwhile, three US-based Google managers were convicted in absentia by an Italian court for “allowing”  disturbing footage of an Italian boy being bullied to be posted online, and not removing it.

In other cases, specific legislation (e.g. section 7A of the Crimes Act) or public policy may compel or be used to justify a court exercising jurisdiction. For example, in New Zealand the Commerce Commission has successfully prosecuted overseas residents for breaches (in New Zealand) of the Fair Trading Act.

In summary, it does not typically matter that a server, or a person, is located outside of the jurisdiction. The fact that conduct occurs in a jurisdiction (e.g. material can be accessed in a jurisdiction in the same manner as if the server or material were located there; conduct by an overseas person is “aimed” at the local jurisdiction)  is often sufficient.