Legal Beagle: Cameron Slater: computer hacker?
-
Video embed now fixed :-)
-
A useful Standard post discusses why it probably *is* a prosecutable offence.
If it is true that there is no precedent around this issue, why would Police err on the side of not referring the matter to a court given there is doubt including public statements by at least a few lawyers?
-
Some sort of definition or interpretation of unauthorised access based on circumventing security seems like it would be useful. If you use someone else's password without their permission to log in to their gmail account, that's unauthorised access even if you also have a gmail account. If your computer was set up so that playing solitaire required an administrator password, then using your boss's password would be unauthorised access.
I say definition or interpretation because I don't know if this is something that would need a law change or whether the courts could do it.
This still wouldn't make clear whether it was an offence to access files that were open on the Labour Party server but without links, and where access was fairly obviously not intended. It's similar to the situation when Keith Ng (inscrutable hacker and master of disguise) showed the WINZ documents were accessible on their kiosk systems. Personally, I'd prefer that not to be illegal, but I don't think it would be as indefensible as your solitaire example.
-
Fair enough for a legal opinion. I think motive should be relevant here but that's still skirting the biggest issue. Which is Jason Ede and the PM's dept's role.
How do you feel about a public servant doing this 'work'? Ede was scooted onto the National Party's payroll but I understand much of his time on the 9th floor was as a public servant.
-
Graeme Edgeler, in reply to
It’s similar to the situation when Keith Ng (inscrutable hacker and master of disguise) showed the WINZ documents were accessible on their kiosk systems. Personally, I’d prefer that not to be illegal, but I don’t think it would be as indefensible as your solitaire example.
Agreed. I can’t come up with a consistent interpretation of the law that would mean that what Cameron Slater admits doing was criminal, but that what Keith Ng admits doing was not.
-
Alfie, in reply to
If you use someone else's password without their permission to log in to their gmail account, that's unauthorised access even if you also have a gmail account.
My interpretation of Slater and Ede's access in this case is the equivalent of someone putting a sticky note on their monitor which says Gmail password in large letters. While the account owner's incompetence obviously makes it easy for anyone to access their email, there comes a point when your actions become illegal. If you download sensitive information from the account and republish this or use it for commercial gain, that's surely illegal.
Slater earns a living from his site. Republishing data he could reasonably assume to be private and confidential could be seen as making commercial gain. In his video he states the numbers of credit cards in two files, proving that he downloaded and accessed that info.
Ede worked for the PM at the time. By knowingly downloading credit card data from his employer's opponents, he realised that he was breaking the law and his subsequent boasts about using dynamic IP addresses prove this.
The world is full of badly secured websites. While I would have expected the Labour Party to be a bit smarter in this regard, I have no doubt that both Slater and Ede knew they were downloading and using private information and I would like to have seen this matter tested in court.
-
Sacha, in reply to
where access was fairly obviously not intended.
That seems like a crucial test. How the Police were satisfied it did not even apply to credit card transactions etc mystifies me. I'd rather their assumptions were tested in court.
-
Sacha, in reply to
I would like to have seen this matter tested in court.
snap
-
I think an interpretation of the law that would mean that what I understand Cameron did was criminal would make illegal a lot of things that I do not think should be illegal, and think that we should be reluctant to interpret the particular laws in play here in a way that would render a great deal of ordinary computer use subject to prosecution.
I think this is the key thing.
I once wrote a story on the basis of a company's work-in-progress that was sitting unsecured on the internet (albeit in a fashion that would make Labour's server look like Fort Knox).
The parent company sued me and my employer for everything they could think of (including, for some reason, "conversion"). It came to nothing in the end, but I'm very bloody glad they didn't have the option of a criminal complaint.
-
I’m wondering how the new CyberBullying law
Herald Article announces passage of new law
might enter into this scenario. As The Herald says (not that they are the ultimate interpreters of what a law means):
New cyberbullying law will create a criminal offence of intentionally causing harm by posting a digital communication, punishable by up to two years’ imprisonment or a maximum fine of $50,000.
So would what Cameron did be seen as “intentionally causing harm by posting a digital communication” if he did it again this week? What is the test of “harm”, and did he do “harm” to the Labour Party? Can you harm an individual? A company? A political party?
-
Nick Kearney, in reply to
No, no, yes, no and no.
-
Russell Brown, in reply to
So would what Cameron did be seen as “intentionally causing harm by posting a digital communication” if he did it again this week? What is the test of “harm”, and did he do “harm” to the Labour Party? Can you harm an individual? A company? A political party?
He eventually didn't carry through on his threat to republish all of people's private information, but it could be seen that even the threats would cause distress.
-
Andre terzaghi, in reply to
I'm curious, in some areas of law ideas such as "malice", "public interest" and so on seem to be important factors. Does that not apply here? If not, why not?
-
For me, this subsection means that Cameron, who was, like the rest of us, authorised to go to Labour’s server to look at Labour’s website, was not committing a crime by looking at the other files that Labour had left open to view on their server.
Watching that YouTube video makes this argument difficult to sustain. In it, the healthyhomeshealthykiwis.org.nz domain was found via a tool that identifies other domains on the same IP address. It’s hard to be sure, but this suggests that the domain in question was, at that time, not yet indexed by any search engines and therefore was not intended to be publicly available.
If that is so, it then becomes very difficult to assert that access to the above website was authorised.
Further, I’m not sure I agree with the wording of the following:
…authorised to go to Labour’s server to look at Labour’s website
Firstly, this was a Labour website, not the Labour website (keep in mind that the website in question was ostensibly not public at the time).
Secondly, I think a more reasonable interpretation would be the other way around, where there was authorisation to access a Labour website which was hosted on Labour’s server.
-
Stephen Judd, in reply to
It’s hard to be sure, but this suggests that the domain in question was, at that time, not yet indexed by any search engines and therefore was not intended to be publicly available.
I believe the opposite is true: there had been a site in place for that domain in the past, since decommissioned once the relevant campaign was over. Highly likely therefore that it was being indexed by Google.
Also, DNS records are public. It's not unreasonable, having learned of a name, to see what web site if any is being served from it.
-
Michael Homer, in reply to
In it, the healthyhomeshealthykiwis.org.nz domain was found via a tool that identifies other domains on the same IP address. It’s hard to be sure, but this suggests that the domain in question was, at that time, not yet indexed by any search engines and therefore was not intended to be publicly available.
It's not a magic tool, you know. The domain demonstrably was indexed or it wouldn't have been in the result list.
-
Personally, I think Slater is guilty of being a massive jerk, but if what he did was a criminal offence, a lot of curious poking around is going to be criminalised. The Crimes Act really needs tightening up here, as "unauthorised access" is an unfortunate phrase.
-
nick_w, in reply to
I believe the opposite is true: there had been a site in place for that domain in the past, since decommissioned once the relevant campaign was over. Highly likely therefore that it was being indexed by Google.
So it was for a previous campaign; I had wondered where in the timeline the website existed. Still, it makes you wonder why he didn't just use Google to find the website if it was all there - that is why I questioned whether it had been indexed.
-
Michael Homer, in reply to
it makes you wonder why he didn’t just use Google to find the website if it was all there
Google doesn't provide a reverse IP lookup, although they presumably have the data to do so.
-
nick_w, in reply to
Google doesn’t provide a reverse IP lookup, although they presumably have the data to do so.
What I meant was whether a simple Google search for "healthy homes for healthy kiwis" or similar would have led to the site. That would certainly have looked even worse.
I bring up the Google thing because I read an article from back when this happened where Cameron Slater claimed that Google had indexed the whole site.
So if the site could not be found via Google but could by a service like MyIPNeighbours, does this allow us to draw inferences about whether or not said access is authorised?
-
Since there was previously a proper site at that domain, as long as there was a web server responding, I imagine Google would have kept indexing whatever it found there.
-
Michael Homer, in reply to
So if the site could not be found via Google but could by a service like MyIPNeighbours, does this allow us to draw inferences about whether or not said access is authorised?
No. I don't even see what distinction you could draw between them.
-
izogi, in reply to
If you download sensitive information from the account and republish this or use it for commercial gain, that’s surely illegal. Slater earns a living from his site. Republishing data he could reasonably assume to be private and confidential could be seen as making commercial gain.
From what I’ve seen of Cameron Slater, I’d find it credible that he did it for political gain, or for fun, or for some sociopathic hatred. Regardless of his reasons and whether he happens to make money on the side or not, the names of thousands of Labour supporters and donors get seen much more publicly than either Labour or those people ever intended, and Labour’s incompetence in keeping that information in an unambiguously secure place shouldn’t be forgotten. Also, if generating income as a consequence is significant, does this also have an effect on the day-to-day actions of more traditional journalism outlets, such as newspapers, whenever they publish things someone didn’t intend to be published?
I do think Rob Stowell made an important point above that the direct involvement of Jason Ede in the PM’s office should really be treated as the greater issue here, whether it’s classed as criminal or simply revolting ethics for senior members of Cabinet and their staff to be participating in everything that was done.
-
nick_w, in reply to
No. I don’t even see what distinction you could draw between them.
But these two things are not the same: search engines are extremely well known to pretty much everyone; far fewer people would be aware of services like MyIPNeighbours, and how many would even be inclined to use them? Who, aside from the site maintainers, would routinely be checking Labour party IP addresses for legitimate reasons?
What I'm getting at is that just because something could be found on the internet does not necessarily make that access authorised. It's one thing to have found this content accidentally via a Google search or even following an old bookmark, another to have gone looking for it.
-
Most people who visit a website do not feel entitled to delve into its file structure beyond links presented on the surface. Surely not authorised to take whatever they find.
Police (non)prosecutors are making decisions that are courts' to make, not theirs.