Telecom database update

The Herald reports more details of the alleged privacy breach involving a Telecom database:

The scale of a Telecom security breach is becoming apparent with hundreds of thousands of customers at risk of having had their personal details searched.

Sales staff working for commercial rival Slingshot have told the Herald on Sunday they would use Telecom’s Wireline database more than a thousand times on some days.

The Privacy Commissioner’s office has also announced an investigation:

“At this early stage we understand from Telecom that the security breach related to the login details for one Telecom dealer and that login has since been deactivated,” said Ms Evans.

“We will need to investigate further to find out how this happened and whether Telecom needs to make any improvements to its data security practices to adequately protect customer information.”

A key question is how can one login be used sometimes more than than a thousand times a day, over a multi-year period, without being detected?

A criminal investigation is also likely. Possible charges for improperly accessing a database include:

For criminal charges to stick, there must be the necessary criminal intent. A staff member who was told to use a database, and innocently did so with no idea that their access was not authorised, cannot be liable. Knowledge of improper access, or “reckless disregard”, is key.

The Privacy Commissioner’s office has also warned against the use of confidentiality agreements as “window dressing” for proper privacy protection. A confidentiality agreement cannot absolve third-party liability, but most of them do contain indemnity clauses, which can allow full (or nearly full) recovery of all losses and costs arising from a breach in appropriate circumstances.

Dealing with malicious third-party content

Last week’s Trade Me virus attack raises a number of legal issues, including.

  1. What laws prevent a malicious advertiser from using an innocent third-party’s site (in this case Trade Me) as a virus vector?
  2. Can the affected users (estimated at several thousand) claim compensation from anyone?
  3. What can / should website operators do to protect themselves?
  4. What is the position of the unwitting “advertiser”?

My thoughts on each below:

1. Laws preventing “virus advertisements”

The Herald reports:

Ford said users’ computers contracted the virus through a malicious advertisement supposedly from Lonely Planet. Trade Me accepted the advertisement online from someone who claimed to represent the travel book company.

There are 2 distinct possible criminal scenarios in the Trade Me attack: first, the act by the advertiser of configuring and uploading the malicious ad. Second, the damage intended by the advertiser to be done by the malware to third parties.

As to the first, the ad in question was “false” in that it was not from who it claimed to be from, and was apparently designed to trick users into downloading a virus. It is not a crime merely to place a “false” or malicious advertisement as such (though placing a false birth, death or marriage notice incurs a fine!), unless some other element such as fraud is present. Also, the malicious activity in this case was clearly not targeted against Trade Me, but against its users.

Which brings us to the second scenario, where it is a crime to interfere with or damage a computer system (s 250 Crimes Act), to access a system for a dishonest purpose (s 249 Crimes Act),  to distribute certain types of malware (s 251 Crimes Act), and to access a computer system without authorisation (s252 Crimes Act). If the intention is to trick users into paying money or other such tactics, fraud and other crimes may also be committed. Potentially serious stuff.

It is not clear what the malware did, or what the advertiser intended. It seems that there was no malicious code in the advertisement itself. But if the purpose of the advertisement was to cause such malware to be installed on victims’ computers, it is likely to be criminal activity or soon result in criminal activity if a virus is later caused to be downloaded. The placing of the ad was part of the overal activity of causing malware to be installed on victims’ computers. Even if the false advertisement was detected before anyone acted on it, an attempted criminal act may still have been committed.

Of course in a case such as this, it may be very difficult to track down the advertiser – and they are very likely to be from outside the jurisdiction anyway. That does not negate any criminal act, but it does mean that it may be impossible (or uneconomical) to prosecute.

2. Can affected users claim compensation?

If a person deliberately installed (or caused to be installed) a virus or other malware on someone’s computer and caused them loss, the victim could claim compensation from the wrongdoer, such as for the cost of removing the malware and reinstating the system, loss of use of the computer in the meantime, lost data, etc). Unfortunately, in most cases it will likely be uneconomic to prosecute for relatively minor loss, and in most cases the perpetrator will be unidentifiable and/or from overseas.

But what about claiming compensation from Trade Me – or any other website operator who is unknowingly used as a vector for transmitting malware? Trade Me had no prior knowledge of the malicious ad and appears to have taken all appropriate action as soon as it became aware of the problem. They are probably the most on-to-it company in NZ for handling online risks.

However, if a less on-to-it operator was negligent in allowing an ad to be placed or in allowing it to remain on the site, resulting in harm to users, then a claim could possibly be brought against that website operator (though I am not aware of any case establishing a duty of care in these circumstances). There is also the possibility of bringing a claim under the Consumer Guarantees Act on the basis of a “service” being provided.

However, the cost of making such a claim (a civil claim) would be significant, and if the virus was successful due in large part to the victim not having proper antivirus software, etc then a Court could reduce any compensation due to the victim’s contributory negligence.

3. Managing website owners’ liability

Website operators are often in the difficult position of having unknown users come onto their site and take certain actions, such as placing ads or other content that may or may not be proper and lawful. I have written before that in recent years the Courts taken a pragmatic approach that recognises this modern reality – that website operators are to a large extent reliant on their users acting properly, and cannot be expected to monitor everything in real time or alter their business models due to a few miscreants [e.g. see here, here and here].

But it is still incumbent on website operators to ensure they have some measure of legal protection, and the primary tool for website operators is via a disclaimer. In many cases, a simple disclaimer will do. In other cases, a detailed set of website terms and conditions is advisable. For e-commerce sites in particular, getting a proper set of terms and conditions one time at the outset is a highly efficient way to greatly reduce risk for many years of trading to come.

Some terms and conditions attempt to expressly exclude liability for malicious advertising and malware risks via language such as:

We do not warrant or represent that our website will not cause damage or is free from any computer virus or any other defects, errors, or malicious third-party use. We accept no responsibility whatsoever for any third-party use of our website or content uploaded to or transmitted by our website. You accept full responsibility for ensuring your computer has effective security software including up-to-date antivirus and anti-malware software.

4. The unwitting “advertiser”

It was Lonely Planet whose good name was falsely used by the party placing the dodgy ads. It is likely that if a company’s name is misused in such a manner, the company will have a claim against the false advertiser (if they can be found and if it is worth it) for defamation, malicious falsehood, and possibly under the Fair Trading Act.

Whale Oil case: lessons for bloggers

My brief post yesterday noted Judge Harvey’s starting proposition that the Police v Slater case was not about the merits of name suppression orders in the 21st century, but was simply about whether the defendant’s conduct breached the law as it stands (albeit in a novel circumstance). And the judge got it right.* But the judgment also provided some useful observations of more general application. Some of these include:

While the case involved posts made by the blog owner himself, what is the position of comments by third parties? Judge Harvey noted:

… most administrators or supervisors of blog sites or those occupying the position of Mr Slater must hold some responsibility for the comments that are posted. Mr Slater in his DVD interview indicated that he exercised such supervisory power over his blog site. He would allow comments or postings of material with which he agreed. This indicates that he is able to delete or remove material or posts from the blog site. This would put Mr Slater in the position of a person of responsibility similar to that of the moderator in the case of Stratton Oakmont Inc v Prodigy Services Co.

The Prodigy case involved defamation, but the principle is the same: a person who knowingly permits defamatory, suppressed or other unlawful content to remain on a website under their control (or otherwise “assumes responsibility” for the material) may be held liable for that material. See my article here and posts here for more information.

On the other hand, the position where the website operator has no knowledge of unlawful material will usually be quite different. Recently, there have been a number of instances where Courts have taken a pragmatic view where website operators have little or no control over what their users do, or where attempting to introduce such controls would be very difficult. E.g. for a situation involving IP infringment see my post here and for a defamation situation see here. A similar situation arose today, with a US judge finding that eBay was not liable for its customers using its service to sell counterfeit jewelery. So lets be clear, the case does not mean that anyone operating a blog may be liable for what someone else posts. But for blogs with active moderation, or if the operator becomes aware of certain material posted on their site (or “ought to have” been aware of it), care should be taken, and editorial discretion exercised. Which is just common sense, and how many blogs operate anyway.

Whale’s lawyer also advanced an argument that, because the Whale Oil site is hosted on a server in San Antonio, Texas, there was no “publication” or relevant act in New Zealand, and therefore no crime under New Zealand law. Nice try, but with a judge as well versed in such matters – Judge Harvey literally wrote the book on internet law in New Zealand and teaches it at Auckland University – no cigar:

The reality of the situation therefore is that Mr Slater’s blog is available free of charge to internet users in New Zealand who may and do access it from time to time and therefore publication takes place in New Zealand… The evidence before me is that the material was able to be read and comprehended in New Zealand (thus constituting a publication) and the material was uploaded on the Whaleoil blog by Mr Slater present in New Zealand at the time. Thus acts necessary for publication – the creation of the material, the posting of the material and the availability of the material to be comprehended by readers in New Zealand – all took place within the jurisdiction.

What about a blog that doesn’t carry unlawful (suppressed, etc) material, but merely links to it? The judge noted the US DeCSS case, but left the question open for another day, saying:

“Following from that is the [hypothetical situation of a] New Zealand based blogger who may embed a link to the off-shore blogsite which contains the suppressed name. One should be cautious in such circumstances that one does not become involved in “publishing” by way of hypertext link… I have no doubt this point or something like it will fall to be decided in this country in some future case”.

Whale’s lawyer had attempted to argue that blogging was intrinsically “different”, and mentioning a suppressed name did not fall within the corners of the Criminal Justice Act definitions. He had also tried to argue that the Criminal Justice Act, passed in 1985, could not apply to blogs (which were not contemplated at that time) and must be limited to traditional news media. The judge rejected these lines of argument, saying:

Conceptually a blog is no different from any other form of mass media communication especially since it involves the internet which anyone who has an internet connection is able to access… It is publication. It is made to a wide audience. It goes beyond a private conversation over the telephone or, a coffee table or at a dinner party. It is the mass media element that accompanies the internet that places the blog within the same conceptual framework as any other form of mass media publication… In the age of mass communication and the internet, where everyone may be a publisher, that approach cannot be sustained. The law must continue to speak.

* So I have no doubt the decision here is correct, based on the current law and what has been reported. It has been interesting to read the comments (on Kiwiblog for example) of some, who should know better, but who are most upset that the judge did not take it on himself to legislate from the bench and reform the “broken” suppression regime and help bloggers to “expose crims”.  However as I wrote last year, I do think the law on suppression needs to change to a more open system. That is both desirable and inevitable, and parliament should act sooner rather than later on this.

Blogging and Name Suppression

Blogger Cameron Slater (a.k.a. Whale Oil) was convicted today in the District Court of breaching suppression orders on his blog. By happy coincidence (or maybe not?) the country’s most tech-savvy judge, Judge David Harvey, heard the case and his detailed and expositional judgment is available here. Judge Harvey has certainly delivered on this judgment and it’s worth a read. He makes the following key comment at the very outset:

This case is about whether or not a person behaved in a manner that breached the law and in doing so utilised some of the communications technologies associated with the Internet. It is not a case about whether or not the law should allow nonpublication orders. That debate must take place in another forum.

A lot of comment has been made about the Whale Oil case, and much of it centred on whether name suppression should be available. Except for those who believe in a particularly activist judiciary, such questions are not for the Court to decide. Similarly there has also been much comment on the possible futility of suppression orders in the internet era. Following the release of the Law Commission’s report on name suppression last year I said that:

If the law is not to permit exercises in futility, this issue [name suppression] may need to be revisited again before long.

Judge Harvey also addressed this issue, rightly saying:

Up until such time as the legislature decides to repeal or amend s 140 of the Criminal Justice Act 1985, orders made by the Court for non-publication are expected to receive compliance and the assumption is that citizens will abide by Court orders. If they do not they may expose themselves to possible prosecution or Contempt of Court proceedings.

Except possibly in extreme cases, it is not for the Court to decide that a statutory provision is no longer effective and shouldn’t be applied.

Read part 2 here.

Google cleared of privacy crime

In a victory for common sense, and as I predicted three months ago, the police have cleared Google of committing “privacy crime” during its recent WiFi snooping incident. Detective Senior Sergeant John van den Heuvel makes a good point when he says:

Anyone using Wi-Fi needs to ensure they have appropriate security measures in place. People should not underestimate the risk that information they broadcast might be accessed by others, either inadvertently or for more sinister purposes.

The police (who, by the way, are busy using Google as a crime-fighting tool) have “referred the matter back to the Privacy Commissioner”, who will probably issue a statement rapping Google over the knuckles (again), and sensibly that will be the end of it. Google has faced a barrage of criticism for its actions and is unlikely to attempt a similar exercise in this country any time soon. But there is nothing stopping other, less PR-concerned outfits from doing so – a clear precedent (in prosecutorial practice if not in law) has now been set. And this is likely to cause issues in the future.

As the Law Commission’s recent report highlighted, there are a number of gaps and grey areas in New Zealand’s privacy and “surveillance” laws. Sooner or later these issues will need to be dealt with, but we are not alone in this regard. New Zealand is probably better off adopting a “wait and see” approach and following a principled approach to privacy based on international (particularly EU and US) standards.

Meanwhile, though, other countries are keeping the pressure on Google with Spain recently launching its own criminal investigation into the WiFi incident.

Hacker convicted

A man has been pleaded guilty in the Queenstown District Court of intentionally accessing a computer system at the hostel he was staying at:

Schiavini had used his computer to access the wireless network at the hostel, where he was staying, and gained further access to the internal reservation system. He managed to access his own reservation, and left a message there to let the lodge know he had gained access.

At first, it sounds innocent enough – especially as the article goes on to say:

He then approached management to tell them about the security breach in their system, and told them how to fix the flaw. When management had repaired the breach, they approached him to ask if he could gain access again. He tried, but was this time unsuccessful.

Now if that was all that had happened, receiving a criminal conviction would seem harsh. However, the hostel’s website gives some important additional detail not in the news report:

In summary, he broke into our encrypted wireless network, downloaded 80Gb of ‘data’, and a copy of the our database for further study. He then decided to tell us assuming that by telling us that all would be made good.

Which puts a somewhat different light on it. As the oft-cited analogy says, just because you see someone has left their house unlocked doesn’t mean you can enter and leave a note in their bedroom to notify the owner.

Sadly many judgments are still not online in New Zealand, so we can’t read the judgment. But the charge was likely to have been under s 252 of the Crimes Act:

Accessing computer system without authorisation
Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.

Note there is no white hat or good samaritan exemption to that law – and perhaps there should be…

As a side-issue, if (hypothetically) all the man had accessed was his own information, I wonder if his lawyer might have successfully defended the charge on the grounds that he was authorised under the Privacy Act, principle 6 of which states:

Where an agency holds personal information in such a way that it can readily be retrieved, the individual concerned shall be entitled … to have access to that information.

The hostel is an “agency” under the Act, and the booking information is likely to include personal information gathered from the man. It could just be enough to escape a conviction.