ITP Techblog

Brought to you by IT Professionals NZ

Section 252

Paul Brislen, Editor. 30 May 2019, 6:51 am

After a lot of excitement and visions of Tom Cruise abseiling into Treasury to steal the NOC list, I mean Budget 2019 documents, it seems instead that someone was trying out search terms in the website's search bar.

And so we can probably stand down the spy satellites and roving vans with the dishes on their roofs and look instead at whether our Crimes Act is really up to the task of identifying what is and isn't unauthorised access of a computer system.

Treasury says it built a clone website as part of its preparations for Budget Day. This gave it an exact copy of its real website to work on and to test without exposing the real website to the rigours of the world.

Budget websites typically contain a huge amount of information and so not only will the site itself get very busy on the day of launch, the search function will come under intense pressure as people try to find their particular areas of interest. As someone who has battled through previous websites looking for key phrases, I can attest to how important this feature is.

"As part of the search function on the website, content is indexed to make the search faster. Search results can be presented with the text in the document that surrounds the search phrase," says the statement from Treasury, which meant anyone searching on the clone site would get back a few lines of text providing context for the search result.

"This would return a few sentences - that included the headlines for each Vote paper - but the search would not return the whole document."

So no sign of anyone having access to the actual documents, just to the line or two of information you typically get when searching for something.

Not hacking, say the police, although both Treasury and GCSB are continuing to review the case because they've identified three IP addresses used to perform more than 2000 searches. One IP address came from within Parliamentary Services, one from 2Degrees and one from Vocus.

Does this suggest someone inside Parliamentary Services was having a look, realised they could see what looks like part of a Budget document and then they tried again from a mobile device and then from home? That seems plausible, so investigations will continue.

But is "noodling around a website looking for information" actually legal?

Section 252 of the Crimes Act makes specific mention of this:

Accessing computer system without authorisation

(1)    Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.

So, you're committing a crime if you access a computer system without authorisation, or if you know you're not allowed access or you're being reckless as to whether you're authorised or not.

It would make sense that this applies to the 2Degrees and Vocus IP addresses because I'm fairly sure users of the Treasury IT system will be required to sign up to a contract that says you can't take your work home with you or something similar.

But what about the Parliamentary Services IP user?

They may also not have authorisation, but the next section of the Act could well come into play here:

(2)    To avoid doubt, subsection (1) does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access.

So if you've got permission to use the system and then use it for something other than the purpose you were given access for, you're not hacking.

This was most visibly brought into play in 2012 when Keith Ng discovered he could access a lot of Ministry of Social Development (MSD) material through the kiosks thoughtfully provided by the Ministry in some of its branches. By providing the kiosks, MSD gave Ng access to the system - what he chose to do with it is within the law.

Of course none of this has been tested in the courts, and I am not a lawyer, and as Keith himself freely pointed out more recently, "DO NOT BE MORE LIKE KEITH WITHOUT SEEKING LEGAL ADVICE FIRST".

Treasury's investigation is continuing and the question of who at Parliamentary Services accessed the information, whether they were authorised to do so and whether they're the same person as the one who accessed the clone site via 2Degrees and Vocus will no doubt feature largely, but for now, it's on with the show as Budget Day looms large.

