Snooping bill troubles net lawyer

By MICHAEL FOREMAN

The Law Commission is likely to ask the Government to restrict the scope of state internet surveillance and of hacking powers to be granted under proposed legislation.

At the same time the commission may also recommend beefing up the anti-hacking provisions of the Crimes Amendment Bill (No 6) with clauses that would criminalise so-called "denial of service" attacks.

Law Commissioner Paul Heath confirmed that the commission would make a submission to Parliament's law and order select committee, but refused to discuss details.

However, Elizabeth Longworth, an Auckland lawyer specialising in the implications of internet technologies and a member of the commission's original advisory committee, suggested the report would call for several important amendments.

Speaking from Los Angeles, Ms Longworth told the Business Herald that she had taken part indirectly in preparing the submission.

"My personal view is that there are issues that need tightening so that the law enforcement agencies can do their jobs but can be checked and held publicly accountable."

She said the internet was important enough to warrant its own act rather than a series of amendments to the Crimes Act, but she believed the amendment bill could be salvaged with some careful redrafting.

In particular, she believed the bill's definition of hacking as "unauthorised access to a computer system or parts of a computer system" was inadequate.

"The bill needs to go further in that regard. People who launch denial of service attacks would still be able to get off scot free with the current wording.

"We need to change it so that this type of activity, which is authorised but totally inappropriate use of a computer, is prohibited."

Denial of service attacks involve hackers sending vast amounts of spurious data to an internet server in an effort to cripple a website or internet service.

While she believed it was "perfectly reasonable" that existing phone-tapping powers should be transferred to electronic communications, it was important to ensure surveillance by security agencies was restricted to targeted individuals where there was a reasonable suspicion of criminal activity.

"They shouldn't be just milling around in the ether."

Ms Longworth said surveillance should be limited to e-mails. Other forms of internet use such as web browsing should be left alone.

She said the commission's technical adviser had confirmed that such separation of traffic was feasible.

Although Associate Justice Minister Paul Swain continues to refer to surveillance in terms of interception of e-mails only, the bill as drafted contains no such limitation.

If it passes into law, the various agencies involved would be free to set up interception devices wherever they liked and to gather any type of data they chose from the end of June.

In a telephone interview, Mr Swain said the Government's plans to fight electronic crime would require a companion piece of legislation, but he admitted that he had "no vehicle for it yet."

"It partly depends on what happens to this one," he said.

But Mr Swain thought it likely that law changes obliging networks to be open for surveillance might be included in amendments to the Telecommunications Act.

He said Telecom's network was already open for interception purposes and the second bill would bring into line other existing digital networks such as Vodafone and "any others that turn up."

Mr Swain said that contrary to reports he "wanted to keep ISPs [internet service providers] out of it."

It is difficult to see how the police and other agencies involved could monitor e-mails without installing interception devices at some ISPs, but Mr Swain's comment suggests that the Government is considering backbone sites such as the Southern Cross network operations centre, TelstraSaturn, Clear Communications and possibly ihug.

The minister said the main lobbyists for interception powers were the police. "We have to give them the tools to do their job."

He conceded that criminals were not known to be using the internet to a great extent at present but said that could change.

Mr Swain could not give a categorical assurance that hacking by state agencies was not already occurring.

"In my dealings with the police I have been given no information on that.

"As far as the security agencies go that's not my area.

"On the other hand, I've been given lots of information that hacking is going on across the nation by [individual] hackers."