<i>Chris Barton:</i> Clumsy law for a different world

The Crimes Amendment Bill passed on Friday is an object lesson in how not to draft laws.

Significantly, the new computer crime legislation comes into force as a book on the subject - internet.law.nz - is published.

The book, by District Court judge and Auckland University law lecturer David Harvey, is also an object lesson in the depth of research and thinking that should have happened before these new laws were drafted.

The idea of laws to cope with computer crime was mooted in the late 1980s because of concern that current laws would not deal with the coming computer age.

But although legislation was drafted - the Crimes Bill 1989 - it was never enacted.

The issue resurfaced in 1998, when internet provider ihug had 4000 files deleted from its home pages server by a hacker.

A few months later, Andrew Garrett claimed to have hacked into Xtra servers and stolen users' passwords.

The two incidents, with concerns over an Appeal Court case - R v Wilkinson - which dismissed a theft conviction involving a convoluted electronic transfer of money, brought about the Crimes Amendment Bill.

It was introduced to Parliament in September 1999, and took almost four years to become law.

In the process it was reworked - on the one hand, to make hacking illegal, but on the other, to legalise hacking by the police, the Security Intelligence Service, and the Government Communications Security Bureau.

Besides creating laws to sanction state surveillance of Kiwi netizens, the new laws take another draconian step of making "pure hacking" (just looking) illegal.

As Harvey puts it: "The clause means that hackers who access computer systems without causing any harm or gaining any benefit for themselves are still liable for prosecution, and face penalties that are far more severe than the equivalent offence in the 'real world'."

The lawmakers have also not recognised that hacking often provides a benefit.

Even in the ihug case - where the 17-year-old concerned would more correctly be called a "cracker" - the incident highlighted sloppy security on ihug's servers, which was promptly fixed.

And Garrett's actions - which should more properly be referred to as those of a "script kiddie" - highlighted the common problem of would-be hackers using remote access Trojan software.

That resulted in Xtra warning users about the threat and providing tools to deal with it.

Which is not to say the practitioners of such black arts should go unpunished. But to lump crackers and script kiddies in with "white hat" hackers who tell companies of security holes shows a monumental lack of understanding.

Similarly, the bill's constraints on possessing software or "other information" that could enable hacking overlook the educational nature of web sites containing hacking information.

As Harvey points out: "The provision has the potential to curtail the free exchange of information about a computer problem, how to identify it and the steps one might take to stop it."

The bill has plenty more that can be criticised, such as an anomaly in the provisions for "unauthorised access". Strangely this does not apply to employees whose jobs mean they have high-level access to their companies' computer systems.

Because they are "authorised", they can't be classed as hackers - which means disgruntled or dishonest employees in these jobs can do bad things and escape criminal conviction .

The lack of privacy safeguards is another worry. The legislation has gaping holes that allow largely unaccountable, covert remote searches of computers and covert key word searches of email communications by Government security agencies and the police.

Above all, much of the legislation is not necessary.

Andrew Garrett was convicted of five offences under existing laws for his so-called hacking offences.

Other hackers and fraudsters also have been convicted.

The most that was ever required was a little tweaking of some definitions in laws dealing with real theft, property damage, fraud and forgery to ensure they applied in the virtual world.

In his chapter on internet governance, Harvey outlines the schools of thought on regulations.

At one end of the spectrum are the "digital realists" encapsulated by Frank Easterbrook, who says there is no more a law of cyberspace than there is a "Law of the Horse".

That view proposes that there is no need to develop a cyber-specific code of law.

At the opposite end are the "cyber anarchists". Harvey doesn't give them much time, although he does include John Barlow's "Declaration of the Independence of Cyberspace" as an Appendix: "Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of the Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather."

Closer to the realists is the "transnational" school which favours governance by international law. This is not too far away from the views of the Internet Corporation of Assigned Names and Numbers.

Near the anarchists, but not the same, is "digital liberalism" where the users work out the rules. Which is just a small step away from "regulatory arbitrage", where users choose, largely by their geography, what rules they will follow.

Interestingly, Harvey puts the most disrupting notion - "Code is Law" - at the centre of his spectrum.

This is the brainchild of former Harvard professor Lawrence Lessig, and says "architecture" - the combination of software and hardware code and protocols - is the best way to regulate the net.

But our Government has been unable to look at any of these options, opting instead for law by knee-jerk reaction.

* Email Chris Barton