MSD won't prosecute Ng, or Bailey

UPDATE Nov 2: The Ministry of Social Development - which was still dodging questions as of yesterday - has finally made up its mind about whether to take legal action against the man who broke the kiosk security story, or his associate.

Asked this morning if the MSD would take legal action against Keith Ng or Ira Bailey, spokesman David Venables replied:

"MSD does not intend to prosecute either of these two men."

Read Mr Ng's take on the Deloitte report released today here.

ckeall@nbr.co.nz

----------------------

Keith Ng, facing two years' jail if successfully prosecuted, has a defence – lawyer

Oct 15: By accessing swathes of the Ministry of Social Development's network, via a public WINZ kiosk, blogger Keith Ng technically broke the law.

"On the face of it, it is a breach of the Crimes Act," Wellington lawyer and intellectual property specialist John Edwards told NBR ONLINE.

Battle of the home break-in analogies
Tech Liberty founder and Council for Civil Liberties executive committee member Thomas Beagle indicated in online comments that he thought Mr Ng had gone too far.

"Just because the house is unlocked doesn't mean you have to search the drawers to show them how unlocked it was," Mr Beagle tweeted. 

But Mr Edwards hit back with his own home analogy.

"It's like Keith's walked past a house and seen it wide open and gone inside to see if everybody’s okay," he told NBR.

Went too far
Mr Beagle, stressing he was expressing a personal view, remains skeptical of that argument.

"I was surprised at how far Keith went into their systems after establishing that there were major security holes," he told NBR this morning.

"He said in his article 'I sorted through 3500 invoices. This was about half of what I obtained, and what I obtained was about a quarter of what was accessible'," Mr Beagle quoted.

"That implies that he wasn't just looking at what was available, but was actually analysing/reading it and possibly even taking copies away ('obtained'). 'White hat' hacking is normally about proof that a system can be penetrated, not exploiting the holes that you can find."

Complicating matters, Mr Ng confirmed to NBR this morning that he took some of the MSD files home for further analysis.

Colour of right defence
Mr Edwards said Mr Beagle was quite correct that the blogger could be prosecuted under Section 252 of the Crimes Act, which reads:

252 Accessing computer system without authorisation
(1) Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.

(2) To avoid doubt, subsection (1) does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access.

However, prosecution guidelines meant action was unlikely to be taken.

Mr Ng probably had a "colour of right" defence, Mr Edwards said.

There was no public interest in prosecuting the blogger. "He didn't make any personal gain," Mr Edwards said (Mr Ng posted his story free to Public Address, but has asked for donations from the public to support his work).

"He secured the information and turned it over to the appropriate authorities."

MSD responds
Asked by NBR if the MSD would take any legal action against Mr Ng, a spokeswoman responded, "We only found out about this late afternoon today. Our first priority is understanding exactly how this has happened."

Mr Ng told NBR he briefed the MSD, but said he did not get a detailed response beyond the fact kiosks had been closed.

Asked if he got legal advice before he embarked on his escapade, the data journalist told NBR, "No, the kiosk was available to members of the public. But I did get legal advice once I figured out what I found, and I talked to the Privacy Commissioner prior to publication." 

Mr Ng declined to answer whether he was aware of the two-year Crimes Act penalty before he embarked on his effort to test MSD security.

Unauthorised access case 'a dead duck'
Meanwhile, Lowndes Jordan partner Rick Shera told NBR he was surprised at comments that Mr Ng broke the law by accessing the material.

"First off, as I heard Katrine Evans, the Assistant Privacy Commissioner, say this morning on Radio New Zealand, Keith has done a public service in doing what he has done and appears to have acted responsibly in securing the information and offering to hand it over to the OPC.

"As John Edwards said also, prosecution guidelines would rule out any charges anyway," Mr Shera said.

"But that doesn’t matter because there’s no crime here.  The only section of the Crimes Act that is really relevant is section 252, the first part of which makes unauthorised access to a computer system an offence.  But, you only need to read a little further, to subsection 252(2), to find that what Keith has done does not constitute “unauthorised access”.  As the subsection says:

“… subsection (1) [creating the offence] does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access.”

"The information kiosks are public facing and as far as I’m aware, carry no access restrictions.  Anyone can use them," Mr Shera said.

"So Keith or anyone else was 'authorised' to access that computer system.  Once in, one could commit other offences, of course (eg, if the information was then used for personal gain or if the information was altered or deleted) but, having gained authorised access, an unauthorised access allegation is a dead duck. 

"And before anyone starts to argue that it was only that information kiosk computer that Keith was allowed access to, they need to check the definition of “computer system” in section 248 of the Crimes Act, which includes all computers (servers) connected to the kiosk."

ckeall@nbr.co.nz

Comments and questions

Mr Ng did what he did for the good of all concerned - to expose the deficiencies of the MSD's security system.

Contrast that with the GCSB spying illegally on Kim Dotcom - breaking the law in the name of protecting NZ's security!

Enough said about the legal views of what constitutes right and wrong out there.

Classic white-hat dilemma: Ng could have gone directly and confidentially to MSD (or possibly even better, to the police) with his evidence. In an ideal scenario, there would be an immediate response from MSD in the form of securing the means by which the breach occurred, holding the appropriate persons to account, conducting a review of procedure and a public release of information regarding what had taken place and what was being done to prevent its re-occurrence.

Given how forthcoming our government and police really are, the chances of what I just described actually happening are lower than the odds of all New Zealanders getting a free pony tomorrow. On top of this, clicking on links presented on a public kiosk does not meet the definition of intentional access without authorisation specified in Section 252: no authentication challenge was ever presented and there was nothing to circumvent. What Ng did could have been performed by a complete technological novice simply trying to figure out how the thing works and getting hopelessly lost. (This is actually a handy way to find weak spots in systems...turn the automated equivalent of a clueless newbie loose on them and see what sort of havoc ensues. Do a Google search for "fuzzing" if you're curious.)

Ng did the right thing. He went public in a measured and discreet way, redacted what he put on display, and did not attempt to extort or smear anyone. Saying that he committed a violation of Section 252 is a real stretch and mocks the dismaying incompetence and cavalier disregard for privacy shown by MSD.

Absolutely right; the only way to get the government to pay any attention to errors and fix them is by going to the media.

Bullsh*t. Mr Ng did it for self gratification and the glory. He is just another hacker, contributing nothing to society. He should get the full 2 years and a damn good flogging.

I humbly suggest by pointing out what he did he has well and truly contributed.

You have to be trolling surely. There is a massive issue with password and security procedures here, Keith Ng has done a great service. How can you shoot the messenger when all he did was test the door. Going to a public kiosk and getting straight into unprotected areas is hardly hacking mate. The negligence of the MSD in storing plain text passwords beggars belief!

Mr Beagle needs to get a life or a real job.

Mr Beagle has shown himself to be a real mutt.

I have no doubt there is enough evidence for Keith to be charged by police for what he's done. But I also don't doubt there are a lot of competent lawyers that would be able to clear him of any charges.

I applaud Keith for the exposure he's brought to the issue but if I was him, I would have consulted a legal team prior to taking the files.

Question - How did Mr Ng know about the vulnerabilities in the first place?

According to the original post on Public Address, someone tipped him off that there were issues with the kiosk security.

Assuming Rick Shera is correct, doesn't this make the law basically useless for any entity that publishes their own website?

After all, if you have authorisation to access the website (i.e. by reading it) doesn't that mean you also get authorisation to access any other system owned by that entity that is connected to the same system as the web server?

Sounds like the law might need a bit of re-wording.

Don't forget, that's just Rick's opinion. Two lawyers can have different opinions on the same case - hence why we have a prosecution and a defence.

Not at all, it sounds to me that owners of public-facing computer systems - be they website hosts or Govt Depts providing public services - need to take the basic steps of securing their sensitive data.
For now, MSD stands for Muppets at Securing Data

I think Mr Ng stepped over the line when he "removed" i.e. copied data to take home and further "analyse". For what purpose other than criminal activity or personal gain would anyone do that?

Given his industry status and level of expertise he did not need to do that to prove the points on security issues.

It does seem a little strange. I wonder if it was so they couldn't lie about the severity of the breach.

A little bit of that. But mostly because I couldn't open up PDF files on the kiosks. It was impossible to determine what they were without a mass grab. And given that there are many *kinds* of sensitive information, I really needed a very large sample in order to find them all.

Sir you are full of it. There are other ways to bring discrepancies/flaws in an entity's IT to light. Please do not suggest you were innocently on the 'net and accidentally walked off with the private details of fellow citizens and the only way to have the entity acknowledge and fix the fault was for you to go public. As I said, Sir, you are full of it.

Takes a criminal mind and devious mind like yours to think of that.

There's a perfectly valid reason for this: Evidence. How was Ng to know that even if he did report it confidentially that it would be taken care of? Given the track record of the government on security breaches, both accidental and intentional, he absolutely needed to have evidence of what he was claiming.

To find out what was actually available, so he could announce it publicly so that MSD would HAVE to act. Given that allegations have surfaced that they've been alerted to this issue twice in the last year, it's pretty valid to doubt that they'd do much if he hadn't.

Keith Ng has benefited from this through notoriety which will increase his profile and business. He deliberately removed data. As for Mr Edwards' comments, Keith didn't just go in and see if everyone was OK. He removed items and put them on public display. Isn't entering a home uninvited, unsecured or not, still a crime? Mr Edwards likes to use the 'home' analogy, well maybe someone should enter Mr Edwards' unsecured home, remove his undergarments and put them on public display!

What are you talking about? Keith Ng hasn't put anything on display! Obviously he copied some of the data and took it home in case the government chose to deny any breach or deny the severity of the breach. If Keith Ng didn't take a copy of some of the data, what evidence would he have if he was accused of lying?

You need to be more careful in your choice of words before critiquing matters.
"removed" ? ...as far as I can understand he 'copied'....big difference.

Seeing Labour trying to score points on the #WTFMSD thing is annoying. The same would have happened under them. It's not political

Dylan, I think it is political, given that it was a policy initiated and then celebrated by the Minister, Paula Bennett. I don't think you can tar Labour with this brush as well.

I think this is how it goes. Keith should have seen a lawyer before he disclosed. The lawyer could have passed the information on e.g. to the media. But if Keith so instructed, the lawyer is bound not to identify his client. Not even the Court would order disclosure. Litigation lawyers may explain if this is correct.

"it was a policy initiated and then celebrated by the Minister, Paula Bennett"

Really? The policy was not that kiosk cyber-security be poor. The actual policy - having kiosks in the first place - is an excellent one. The implementation was evidently flawed. You can hold Paula Bennett responsible for the general implementation, but it would be a stretch to expect her to micromanage to such an extent that she personally checks the network permissions of the kiosks.

Chris, Perhaps the MSD computer system should be added to your list of failed IT projects... Perhaps MSD and Wheedle could go halves on a security expert....

WELL DONE KEITH NG - CYFS AND WINZ CAN GET ANYONES
CRIMINAL HISTORY/POLICE CALLOUTS GOING YEARS BACK, AS I HAVE JUST FOUND
OUT IF U ARE TOO OUTSPOKEN TO CYFS THEY WILL TRY AND DRAG OUT ANYTHING THEY CAN ON U TO STOP U KEEPING/HAVING/SEEING YOUR CHILDREN/GRANDCHILDREN.
THESE PEOPLE NEED TO BE EXPOSED FOR THEIR EVILNESS.
THEY ARE NOT FOR THE GOOD OF THE CHILDREN!!! THE CHILDREN SUFFER UNDER CYFS

A lot of judgemental people here obviously lack any technical knowledge of basic computer technology, eg; copying files to a removable flash drive. Therefore they get of my internets! Trolololollo

Surely no-one in authority would be stupid enough to shoot the messenger? Mind you, this is NZ.

Why is no one blaming the govt who kept the doors open? First of all ministry of sd who look after IT should be charged and then this hacker.

so, plain text passwords have been used by MSD, despite a report on this a year ago? USB access on a public terminal, and despite the infrastructure there was no security. The system must still be using plain text passwords today. I think the MSD might be the one breaking the law considering they record phone calls every time you ring them.
Keith Ng has nothing to gain from this. He's the cheapest independent security audit money can buy !

Why is it always such people who seem to 'acquire' or 'come across' the sensitive information? First Pullar, now Bailey and Ng.