MSD won't prosecute Ng, or Bailey
UPDATE Nov 2: The Ministry of Social Development - which was still dodging questions as of yesterday - has finally made up its mind about whether to take legal action against the man who broke the kiosk security story, or his associate.
Asked this morning if the MSD would take legal action against Keith Ng or Ira Bailey, spokesman David Venables replied:
"MSD does not intend to prosecute either of these two men."
Read Mr Ng's take on the Deloitte report released today here.
Keith Ng, facing two years' jail if successfully prosecuted, has a defence – lawyer
Oct 15: By accessing swathes of the Ministry of Social Development's network, via a public WINZ kiosk, blogger Keith Ng technically broke the law.
"On the face of it, it is a breach of the Crimes Act," Wellington lawyer and intellectual property specialist John Edwards told NBR ONLINE.
Battle of the home break-in analogies
Tech Liberty founder and Council for Civil Liberties executive committee member Thomas Beagle indicated in online comments that he thought Mr Ng had gone too far.
"Just because the house is unlocked doesn't mean you have to search the drawers to show them how unlocked it was," Mr Beagle tweeted.
But Mr Edwards hit back with his own home analogy.
"It's like Keith's walked past a house and seen it wide open and gone inside to see if everybody’s okay," he told NBR.
Went too far
Mr Beagle, stressing he was expressing a personal view, remains skeptical of that argument.
"I was surprised at how far Keith went into their systems after establishing that there were major security holes," he told NBR this morning.
"He said in his article 'I sorted through 3500 invoices. This was about half of what I obtained, and what I obtained was about a quarter of what was accessible'," Mr Beagle quoted.
"That implies that he wasn't just looking at what was available, but was actually analysing/reading it and possibly even taking copies away ('obtained'). 'White hat' hacking is normally about proof that a system can be penetrated, not exploiting the holes that you can find."
Complicating matters, Mr Ng confirmed to NBR this morning that he took some of the MSD files home for further analysis.
Colour of right defence
Mr Edwards said Mr Beagle was quite correct that the blogger could be prosecuted under Section 252 of the Crimes Act, which reads:
252 Accessing computer system without authorisation
(1) Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.
(2) To avoid doubt, subsection (1) does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access.
However, prosecution guidelines meant action was unlikely to be taken.
Mr Ng probably had a "colour of right" defence, Mr Edwards said.
There was no public interest in prosecuting the blogger. "He didn't make any personal gain," Mr Edwards said (Mr Ng posted his story free to Public Address, but has asked for donations from the public to support his work).
"He secured the information and turned it over to the appropriate authorities."
Asked by NBR if the MSD would take any legal action against Mr Ng, a spokeswoman responded, "We only found out about this late afternoon today. Our first priority is understanding exactly how this has happened."
Mr Ng told NBR he briefed the MSD, but said he did not get a detailed response beyond the fact kiosks had been closed.
Asked if he got legal advice before he embarked on his escapade, the data journalist told NBR, "No, the kiosk was available to members of the public. But I did get legal advice once I figured out what I found, and I talked to the Privacy Commissioner prior to publication."
Mr Ng declined to answer whether he was aware of the two-year Crimes Act penalty before he embarked on his effort to test MSD security.
Unauthorised access case 'a dead duck'
Meanwhile, Lowndes Jordan partner Rick Shera told NBR he was surprised at comments that Mr Ng broke the law by accessing the material.
"First off, as I heard Katrine Evans the Assistant Privacy Commissioner, say this morning on Radio New Zealand, Keith has done a public service in doing what he has done and appears to have acted responsibly in securing the information and offering to hand it over to the OPC.
"As John Edwards said also, prosecution guidelines would rule out any charges anyway," Mr Shera said.
"But that doesn’t matter because there’s no crime here. The only section of the Crimes Act that is really relevant is section 252, the first part of which makes unauthorised access to a computer system an offence. But, you only need to read a little further, to subsection 252(2), to find that what Keith has done does not constitute “unauthorised access”. As the subsection says:
“… subsection (1) [creating the offence] does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access.”
"The information kiosks are public facing and as far as I’m aware, carry no access restrictions. Anyone can use them," Mr Shera said.
"So Keith or anyone else was 'authorised' to access that computer system. Once in, one could commit other offences, of course (eg, if the information was then used for personal gain or if the information was altered or deleted) but, having gained authorised access, an unauthorised access allegation is a dead duck.
"And before anyone starts to argue that it was only that information kiosk computer that Keith was allowed access to, they need to check the definition of “computer system” in section 248 of the Crimes Act, which includes all computers (servers) connected to the kiosk."