Posts tagged ‘crime’

Google cleared of privacy crime

In a victory for common sense, and as I predicted three months ago, the police have cleared Google of committing “privacy crime” during its recent WiFi snooping incident. Detective Senior Sergeant John van den Heuvel makes a good point when he says:

Anyone using Wi-Fi needs to ensure they have appropriate security measures in place. People should not underestimate the risk that information they broadcast might be accessed by others, either inadvertently or for more sinister purposes.

The police (who, by the way, are busy using Google as a crime-fighting tool) have “referred the matter back to the Privacy Commissioner”, who will probably issue a statement rapping Google over the knuckles (again), and sensibly that will be the end of it. Google has faced a barrage of criticism for its actions and is unlikely to attempt a similar exercise in this country any time soon. But there is nothing stopping other, less PR-concerned outfits from doing so – a clear precedent (in prosecutorial practice if not in law) has now been set. And this is likely to cause issues in the future.

As the Law Commission’s recent report highlighted, there are a number of gaps and grey areas in New Zealand’s privacy and “surveillance” laws. Sooner or later these issues will need to be dealt with, but we are not alone in this regard. New Zealand is probably better off adopting a “wait and see” approach and following a principled approach to privacy based on international (particularly EU and US) standards.

Meanwhile, though, other countries are keeping the pressure on Google with Spain recently launching its own criminal investigation into the WiFi incident.

Hacker convicted

A man has pleaded guilty in the Queenstown District Court to intentionally accessing a computer system at the hostel where he was staying:

Schiavini had used his computer to access the wireless network at the hostel, where he was staying, and gained further access to the internal reservation system. He managed to access his own reservation, and left a message there to let the lodge know he had gained access.

At first, it sounds innocent enough – especially as the article goes on to say:

He then approached management to tell them about the security breach in their system, and told them how to fix the flaw. When management had repaired the breach, they approached him to ask if he could gain access again. He tried, but was this time unsuccessful.

Now if that was all that had happened, receiving a criminal conviction would seem harsh. However, the hostel’s website gives some important additional detail not in the news report:

In summary, he broke into our encrypted wireless network, downloaded 80Gb of ‘data’, and a copy of our database for further study. He then decided to tell us, assuming that by telling us all would be made good.

Which puts a somewhat different light on it. As the oft-cited analogy says, just because you see someone has left their house unlocked doesn’t mean you can enter and leave a note in their bedroom to notify the owner.

Sadly many judgments are still not online in New Zealand, so we can’t read the judgment. But the charge was likely to have been under s 252 of the Crimes Act:

Accessing computer system without authorisation
Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.

Note there is no white hat or good samaritan exemption to that law – and perhaps there should be…

As a side-issue, if (hypothetically) all the man had accessed was his own information, I wonder if his lawyer might have successfully defended the charge on the grounds that he was authorised under the Privacy Act, principle 6 of which states:

Where an agency holds personal information in such a way that it can readily be retrieved, the individual concerned shall be entitled … to have access to that information.

The hostel is an “agency” under the Act, and the booking information is likely to include personal information gathered from the man. It could just be enough to escape a conviction.

Google not guilty of privacy crime, your honour

The New Zealand Privacy Commissioner’s office has reportedly met with police to discuss a possible criminal investigation into Google’s controversial WiFi data collection. A civil investigation sure, but a criminal one? Really? I hope the police have rather more pressing matters.

But let’s do a quick judge-and-jury exercise. Two relevant laws are sections 252 and 216B of the Crimes Act 1961.

Section 252, which is often misunderstood and is broader than many people may think, prohibits unauthorised access to computer systems. However, based on the reported information, Google’s collection of WiFi data did not involve any kind of “access”, and prosecution under this section is unlikely.

Section 216B prohibits “intentionally [intercepting] any private communication by means of an interception device”. This crime appears most likely to be the subject for any investigation. The key definition of this section is “private communication”, defined in s 216A (which the Law Commission rightly described as “not straightforward” – NZLC IP14, 10.47):

private communication:

(a) means a communication (whether in oral or written form or otherwise) made under circumstances that may reasonably be taken to indicate that any party to the communication desires it to be confined to the parties to the communication; but

(b) does not include such a communication occurring in circumstances in which any party ought reasonably to expect that the communication may be intercepted by some other person not having the express or implied consent of any party to do so.

It seems clear that Google’s activities amounted to “interception” by an “interception device”. Indeed, any cellphone, laptop computer, or even a tape recorder could be used for such activities and meet the Crimes Act definitions. But are WiFi transmissions “private communications”, as required under s 216B?

Let’s look at some known (or presumed) facts:

  1. All of the data was collected from public locations, specifically from public roads.
  2. The data was being actively transmitted into those public locations.
  3. The data collected was unencrypted (if it turns out encrypted data was collected, things might change).

These facts seem to exclude Google’s activities from part (a) of the definition. How was there any indication that “any party to the communication [i.e. the collected WiFi packets] desires it to be confined” when the WiFi data was being broadcast, in unencrypted form, to the public? And how would Google or anyone else be expected to know that? The question whether the users to whom the data belonged knew it was being publicly broadcast is not the issue. The issue is that a publicly broadcast, unencrypted WiFi communication does not (in this juror’s opinion) give a “reasonable indication” that the person making it “desires it to be confined”. If anything, it conveys the opposite.

Of course, if the collected data is able to be reconstructed into a communication that indicates confidentiality, that could raise further questions. However, that is not known, and may well be beyond the intended working of s 216B.

Part (b) of the definition provides another hurdle, although as the Law Commission has noted, it is problematic. It excludes communications that a party “ought reasonably to expect” may be intercepted. Cribbing from the Law Commission’s recent report “Invasions of Privacy: Penalties and Remedies” stage 3:

In Moreton v Police, William Young J noted that while public awareness has developed over time that cellphone communications are not particularly secure, this does not automatically give rise to an expectation that any particular call will be intercepted. While the method of communication used and public awareness of its security levels may not be determinative on their own, they will nevertheless be relevant to whether at least one of the parties has indicated a desire that the communication be confined to the parties, and to whether there is a reasonable expectation (by both parties) that the communication may be intercepted. …

We anticipate that the main areas of enquiry by the courts will be whether the actions of the parties disqualify their communication from being a private one, and whether any particular method of communication disqualifies a communication from being a private one. By “the actions of the parties”, we mean their conduct of the communication itself; for example, whether they are talking in a private room where they expect no one else can hear them, or talking loudly in a public place.

Judge David Harvey has said that listening in to a conversation on CB radio, or using a police scanner, would not be offences because no-one could reasonably expect the communications to be confined.

Putting aside multi-party complexities for now, this reasoning is applicable to WiFi communications. Today, isn’t using unencrypted WiFi like talking loudly in a public place, or using CB radio? Is the “openness” of unencrypted WiFi well known enough to remove an expectation of privacy? Time will tell, but to some extent the Google situation has shown that could well be the case (not that a person is able to benefit from their own wrong, of course).

Another question is whether WiFi data actually constitutes a “communication” within the definition of s 216A. The comments noted above, and the definition, assume a communication between two or more parties using similar technologies, akin to a conversation. It may be arguable that random WiFi packets collected on a drive-by do not constitute a “communication” capable of falling within the definition of s 216A.

“Intention” is another fundamental requirement (both in the definition and for criminal offences). Did Google intentionally intercept the communications? Intention must of course be proved, and this may not be as straightforward as it appears, with Google now blaming a “rogue engineer” for the data collection.

Based on the information to hand, this jury returns a verdict of not guilty, but with a recommendation of a good public flogging nevertheless (ably led by the Privacy Commissioner), to last until Facebook returns to being Privacy Enemy #1.

The debacle could prove timely, given the Law Commission’s recent review of such issues and the possible law changes that may result. But for now, let’s hope the police do not waste valuable resources on what would simply be a pointless witch-hunt.

The long reach of the e-law

The global reach of the internet sometimes creates practical difficulties for law enforcement and, for private litigants, in “getting a remedy”. In essence, one country’s laws do not have (without special arrangements) “extraterritorial” effect in another country. But that does not mean that just because something or someone is located overseas, a court in another country cannot claim jurisdiction.

This issue has arisen several times in defamation proceedings, where a person complains that they have been defamed in another country, even though they would not be able to sue for defamation in that second country. A few years back, an Australian court ruled that an article posted on the internet is considered published wherever it is downloaded. So an article written in the United States by a US citizen, and not actionable in the US, could be actionable in Australia if it is defamatory under Australian law.

Another example, this time involving criminal law, is currently underway with the Australian Human Rights Commission threatening to lay charges against the US-based operator of Encyclopedia Dramatica over an offensive entry on Aborigines.

Similarly, a UK court recently confirmed that English criminal law can apply to internet content accessible in the UK, regardless of where in the world it is hosted. Meanwhile, three US-based Google managers were convicted in absentia by an Italian court for “allowing” disturbing footage of an Italian boy being bullied to be posted online, and not removing it.

In other cases, specific legislation (e.g. section 7A of the Crimes Act) or public policy may compel or be used to justify a court exercising jurisdiction. For example, in New Zealand the Commerce Commission has successfully prosecuted overseas residents for breaches (in New Zealand) of the Fair Trading Act.

In summary, it does not typically matter that a server, or a person, is located outside of the jurisdiction. The fact that conduct occurs in a jurisdiction (e.g. material can be accessed in a jurisdiction in the same manner as if the server or material were located there; conduct by an overseas person is “aimed” at the local jurisdiction) is often sufficient.