Hacker convicted

A man has pleaded guilty in the Queenstown District Court to intentionally accessing a computer system at the hostel where he was staying:

Schiavini had used his computer to access the wireless network at the hostel, where he was staying, and gained further access to the internal reservation system. He managed to access his own reservation, and left a message there to let the lodge know he had gained access.

At first, it sounds innocent enough – especially as the article goes on to say:

He then approached management to tell them about the security breach in their system, and told them how to fix the flaw. When management had repaired the breach, they approached him to ask if he could gain access again. He tried, but was this time unsuccessful.

Now if that was all that had happened, receiving a criminal conviction would seem harsh. However, the hostel’s website gives some important additional detail not in the news report:

In summary, he broke into our encrypted wireless network, downloaded 80Gb of ‘data’, and a copy of our database for further study. He then decided to tell us assuming that by telling us that all would be made good.

Which puts a somewhat different light on it. As the oft-cited analogy says, just because you see someone has left their house unlocked doesn’t mean you can enter and leave a note in their bedroom to notify the owner.

Sadly many judgments are still not online in New Zealand, so we can’t read the judgment. But the charge was likely to have been under s 252 of the Crimes Act:

Accessing computer system without authorisation
Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.

Note that there is no white-hat or Good Samaritan exemption in that law – and perhaps there should be…

As a side-issue, if (hypothetically) all the man had accessed was his own information, I wonder if his lawyer might have successfully defended the charge on the grounds that he was authorised under the Privacy Act, principle 6 of which states:

Where an agency holds personal information in such a way that it can readily be retrieved, the individual concerned shall be entitled … to have access to that information.

The hostel is an “agency” under the Act, and the booking information is likely to include personal information gathered from the man. It could just be enough to escape a conviction.