Schiavini had used his computer to access the wireless network at the hostel, where he was staying, and gained further access to the internal reservation system. He managed to access his own reservation, and left a message there to let the lodge know he had gained access.

At first, it sounds innocent enough – especially as the article goes on to say:

He then approached management to tell them about the security breach in their system, and told them how to fix the flaw. When management had repaired the breach, they approached him to ask if he could gain access again. He tried, but was this time unsuccessful.

Now if that was all that had happened, receiving a criminal conviction would seem harsh. However, the hostel’s website gives some important additional detail not in the news report:

In summary, he broke into our encrypted wireless network, downloaded 80Gb of ‘data’, and a copy of the our database for further study. He then decided to tell us assuming that by telling us that all would be made good.

Which puts a somewhat different light on it. As the oft-cited analogy says, just because you see someone has left their house unlocked doesn’t mean you can enter and leave a note in their bedroom to notify the owner.

Sadly many judgments are still not online in New Zealand, so we can’t read the judgment. But the charge was likely to have been under s 252 of the Crimes Act:

Accessing computer system without authorisation
Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.

Note there is no white hat or good samaritan exemption to that law – and perhaps there should be…

As a side-issue, if (hypothetically) all the man had accessed was his own information, I wonder if his lawyer might have successfully defended the charge on the grounds that he was authorised under the Privacy Act, principle 6 of which states:

Where an agency holds personal information in such a way that it can readily be retrieved, the individual concerned shall be entitled … to have access to that information.

The hostel is an “agency” under the Act, and the booking information is likely to include personal information gathered from the man. It could just be enough to escape a conviction.

In New Zealand, any move to make the filter mandatory would require legislation. While many opponents of the filter would likely oppose legislation, it would at least have the effect of defining the parameters of the filter and its regulation. The legislation would need to comply with the Bill of Rights Act (unsatisfactory though that law may be), or be passed with a statement expressly acknowledging where it breaches that Act. This would clear up concerns (or at least bring them into the open) that the filter may one day start to gradually be used for other purposes, such as blocking breaches of name suppression. It would make the filtering accountable to Parliament and the Courts. Also, the enabling legislation does not need to create make filtering mandatory – it could ensure that ISP’s remain free to choose whether or not to sign-up.

As long as the scheme remains voluntary and unregulated, though, no legislation is needed. While the objective is admirable (putting aside major questions over effectiveness), concerns include:

• What information is being stored in the system, who has access to that information, and is it in compliance with the Privacy Act 1993?
• What oversight is there on the content being filtered?
• Is there a risk that the system could be extended to include material covered by name suppression orders?
• Is pressure being brought to bear on ISPs to join the system?

For now, some ISP’s have expressed strong concerns about the filter which, as long as it remains voluntary, makes it unlikely that full sign-up will be achieved in the short term.

A recent US case is a timely reminder that when you post information to a public website, you are likely to lost any expectation of privacy regarding the contents of the information. The principles of the case are broadly equivalent to the situation in New Zealand. But it also serves a wider warning that when you entrust your information to another person (or company), you may be parting with any real control you have over that information.

In the case of Moreno v Hanford Sentinel (2 April 2009) (judgment in PDF) a student living in a small town posted an entry on her MySpace page stating that she “despised” her town, and various critical comments about it. The entry was “signed” with her first name only. Possibly feeling the comments were a bit harsh, she removed the post six days later. However, shortly after the post was taken down, the town’s newspaper published the text of the original post under her full name. The revelation of her post caused a furore and incensed some townsfolk. The student’s family was threatened and abused, and the family business was affected.

The student attempted to sue for breach of privacy, on the grounds that her MySpace post was not intended to be published in a newspaper and brought to the attention of thousands of people. In other words, the student claimed she had an expectation of privacy (a key phrase in privacy law) that the post would only be read by her friends and followers on MySpace.

Quite sensibly, the Court ruled that someone who posts material on a public website cannot claim their privacy is breached if the article is disseminated to a wider audience:

“[The student's] affirmative act [of publishing her post on MySpace] made her article available to any person with a computer and thus opened it to the public eye. Under these circumstances, no reasonable person would have had an expectation of privacy regarding the published material.”

The fact that the post was only “signed” with her first name did not matter, as her identity was able to be easily determined from her MySpace page. Most people would agree that this is a sensible outcome.

But what would the situation have been if the post had been private? That is, if the student had configured her profile so that only approved users could read her post? In the student’s case, the outcome may have been different if the post was restricted, and any limited publication was not so broad to have, in effect, waived any expectation of privacy. Similarly, if the student had emailed her message to a few close friends, it may be reasonable to assume an expectation of privacy. If her message was still not technically “public” but was emailed or made accessible to hundreds of people, including strangers, then it would probably be unreasonable to assume an expectation of privacy. It will always depend upon the facts.

Another potentially tricky situation that could arise is where a person configures a website to keep certain information private (e.g. restricting Facebook messages to friends), but the website decides to change the rules and make all information public and/or searchable. Most websites reserve the right to make changes to their terms and conditions, which are sometimes unpopular as Facebook recently proved. If a website that you post information to has the right to change its rules, then it is plausible that you will not be able to complain if they do so – although in New Zealand, there may a limited, after-the-fact remedy under the Privacy Act 1993.

For example, Principle 10 of the Privacy Act states that personal information must not be used for ulterior purposes (e.g. marketing), unless agreed at time of collection (with some exceptions).

However, by the time that someone has allegedly “breached your privacy”, such as by republishing a MySpace/Facebook post, the horse has bolted.

The example provided by Moreno v Hanford Sentinel, while unstartling, is a small subset of a much broader principle: be very careful entrusting sensitive information to other people, without understanding what rights you retain.