Police and computers: incompetent or just unbalanced?

I’ve just been reading the decision by the IPCA on the botched and quite illegally obtained warrants for a search of Nicky Hager’s house and belongings, and the unwarranted searches of his accounts with various businesses.

The whole process in this investigation just stinks. It points not only to the lack of process that the IPCA, various courts and the police hierarchy say that they have identified. The police say that they have fixed or are trying to fix these in policy.

Now I think that the police have some pretty selective issues about enforcing laws. Essentially if you’re John Key or Cameron Slater or the FBI then they seem to go all out. If you aren’t so well connected, especially in technical areas of law or computers that they don’t understand so well then complaining to the police appears to be like pissing into the wind. It is probably more useful.

But to me what it clearly points to is that in many areas around technical systems and the legal structures surrounding them, the police and their 19th century structure are clearly completely out of their depth. Even worse, I suspect that they’re falling even further behind all the time

To someone who is a political blogger in the time I can spare from a long career of being a professional commercial computer programmer – this is completely unacceptable. If the acts regarded as being unlawful in legislation are either aren’t being enforced or are being enforced excessively or in a proforma way by the investigating agency – then why bother having the police doing the task? Especially when the IPCA report on the Nicky Hager case clearly shows that the police again acted in an unlawful manner.

The police simply don’t appear to be able to concentrate the skills and clear sense of purpose that are required for dealing with information, computer and network legal issues. Various NZ regional police areas seem to respond quite differently to the same crimes in this area.

It took many years after I was a student marvelling at the lack of legal protections on computer system, but eventually in New Zealand in 2002, explicit laws were put into force in our Crimes Act and Summary Offenses Acts making most ‘grey’ computer based crimes explicitly unlawful. That was nearly two decades ago, and the police appear to only get concerned about these crimes if preferred political connections make them concerning.

There are several points about this that are worth examining, if only because there are so many daft myths held dearly by some self-interested members of the the public and the strange lack of balance by the police.

• Intrusions into computer systems, networks, and all computer storage media without permission are completely unlawful under the existing and current legislation regardless of the means.
• If the material was clearly exposed in public by accident, then copying or accessing it is just as unlawful.
• Conspiring to intrude into a computer system or to access networks or media by trying to encourage or pay someone to do the act is just as unlawful.
• Receiving or using information obtained by such unlawful means is unlawful.
• But there are a few exemptions to this. For instance :-
  • Parliament reserves the right for MPs inside the house to be able to present information for public debate regardless of source – subject only to Parliament’s standing orders and the members of parliament and the crown.
  • There are various exemptions for police and other investigative and legal bodies to use unlawfully obtained material in the investigation and prosecution of other crimes – subject to the approval of the courts as to it admissibility in court.
  • And there are various limited privileges for journalists about protecting sources and material to allow public debate and for the public good.

Now this isn’t exactly legal rocket science.

Copying information is no different legally than breaking into someone’s house and stealing documents, pictures, silverware or anything else of value. It used to be back in the dark ages of law that depriving someone of the use of an object was the the test. But over the last few hundred years, information has increasingly been seen as having value, the theft of copies effectively deprived the owner of its value.

The Police don’t appear to have caught up with the changes in the legislation over the subsequent decades. Just to take a few obvious and related examples.

A 2014 hack into Cameron Slater’s computer over the net is made as a complaint to Counties Manukau Police along with the use of the messages, documents and other information obtained by a investigative journalist Nicky Hager who wrote a book based on them. What is the response?

Suddenly there are search warrants obtained and houses raided in Wellington, requests made to banks and airlines. All chasing just one annoying hacker out of the innumerable thousands that infest our computer systems every day.

Almost all of this frantic police activity has been damned in the IPCA authority findings as simply not following what was lawful or proper for the police to do. From the way that the search warrants were requested, through to the way that they were executed, the obvious issues of handling journalistic privilege, and the insane way that police used production orders on banks, airlines, paypal and NZ Customs.

For me, the key bit of the IPCA report was this:-

41. Mr Hager and his lawyers suggested to the Authority that the amount of resources put into the Rawshark investigation seemed disproportionate.
42. Mr Hager noted that the Police’s investigation into Rawshark began after Mr Slater sent an email to Assistant Commissioner Malcom Burgess’ PA, complaining that he had been hacked. Mr Hager implied that this contact with a senior Police officer was designed to bring indirect political pressure to bear.
43. On the other hand, Assistant Commissioner Burgess told the Authority he did not know why Mr Slater emailed his complaint directly to his PA. The Police have maintained that this was a serious offence and that the investigation was run like any other of this sort, apart from the fact that there was probably a bit more oversight because of the high-profile nature of it.
44. The Authority does not have information about the competing demands upon investigative resources in the Counties Manukau District at the time and is therefore unable to make any real comparison between this and other similar cases.

The IPCA was “unable to reach any conclusion as to whether the resources devoted to the investigation were proportionate to the seriousness of the alleged offense.”

Perhaps they should have asked some of the people who’ve been of the receiving end of the Police’s responses to computer crimes, who weren’t quite so well connected to the National Party or the Police hierarchy. The police seem to be quite selective about who they perform this kind of service for. But a compare and contrast with actions against Cameron Slater’s criminal associations is enlightening.

For instance there is a remarkably similar complaint made to the Waitemata Police about the same time about a hack into Matthew Blomfield’s computer over the net that obtained emails and other material which was subsequently used in blog posts published by Cameron Slater on his commercial blog site. What is the response?

As detailed in the book Whale Oil (see http://whaleoil.co.nz ) – apparently nothing much happens. No search warrants, no production orders. At best there were just a few interviews or statements taken. To me, in a legal sense, there appears to be absolutely no difference between the facts in both of these incidents – apart from the political damage to National from their association with Cameron Slater and/or a plea directly to the Malcolm Burgess.

Sure, if you assume that Cameron Slater was a journalist or if he claims to be one, then there may be a question of privilege about using the material – just as there was for Hager. But as the IPCA report says, that isn’t something that the police need to or should decide. It is a matter for the courts about the level of qualified privilege should apply.

That is quite explicit in the legislation and is something that needs to be decided by the High Court. The police just need to do their duty. The possibility of privilege needs to be mentioned in requests for search warrants and production orders. It needs to be handled appropriately if it arises during the execution of granted search orders and production orders.

Which makes the question of quality control by the police in how they investigate computer crimes and the subsequent use of material wide open to political debate. Do the police play favourites or are they just incompetent with the legislation or how it covers computer systems?

Exactly the same questions seem to arise whenever the Police needed to look at Cameron Slater for criminal behaviour where ever you look. Every other branch of the legal system appear to be able to hold him to account. The courts pulled him up for his criminal offense in breaching court orders. The civil courts finally get him for defamation. The Privacy Commission and the Human Rights Commission eventually pull him up for breaking the Privacy Act.

For instance staying with Blomfield look at what had previously happened to Blomfield when he made a complaint in 2012 about the theft and misuse of private information stored on hard drives and documents for commercial advantage by Slater. The contents of these private documents were selectively misused and misquoted in a series of at least a hundred defamatory posts by Cameron Slater. A selection of these posts have been found to be defamatory by civil court. The use of the copied material has been deemed to be a Privacy Act violation by the Human Rights Commission.

However the actual criminal act of copying the material off computer disks has been passed over without charges by the police despite Cameron Slater stating multiple times that he’d copied from sources obtained unlawfully without their owners permission. Again there is no effective legal difference between copying material from USB drives or from live computer systems – both are unlawful criminal acts without the owners permission. Yet the police don’t appear to have made any serious commitment of resources to pursuing the equivalent of Rawshark who gave those materials to Slater.

In 2015, I made a complaint to the Counties Manukau Police about what appeared to be a conspiracy by Cameron Slater and others to pay a hacker for information obtained from my computers about this site. There were amounts mentioned and eventually enough corroborating information for me to take the step of laying a complaint.

If proved, then to conspire to or to pay someone to do an unlawful hack is a pretty serious offense. It simply doesn’t matter if the hack took place. There is a reason for that – even the threat that might have happened is very costly. It cost me most of a week of holiday time checking logs for evidence of access and looking for weak points in my systems. In other words several thousand dollars of my time. It deprived my employer of that time as well as I took an unexpected break in the crucial start of a project and was distracted for longer.

Yet despite this after the initial complaint when I made it clear that this had caused me considerable issues, the Counties Manukau Police appeared to think that this was something that I needed to know about. After a dearth of information, I got a lawyer to obtain information that charges would be laid. Yet somehow the Counties Manukau Police failed to inform me of court dates despite saying they would.

I was in Italy doing a task when I found that the Counties Manukau Police had offered both Cameron Slater and the hacker diversion, that it had already been approved by the court and that somehow it was a victimless crime. I had to fly back early to show up at court to find out what was happening and to try to prevent Cameron Slater for getting a free pass that he wasn’t eligible for because of previous convictions. I didn’t succeed. All I got was the judge telling the police that it obviously wasn’t a victimless crime.

Al I can say about Cameron Slater’s charmed life with the police is that it is a damn good thing that the legal fraternity are there. It eventually turned sour for the him. The level of protection that he had as he stomped all over the criminal law has just allowed the time for the civil and privacy laws to exert themselves. It has now created a hole big enough to be a prison.

If you’re around the computing or the activist communities, the stories are rife about how little the police are willing to do when it comes to computer crimes. They are viewed as being completely useless and extremely selective about when they do act. The only reason that anyone IT even bothers giving complaints about intrusions to the police is because it is required by insurance cover.

The police appear to be technically and legally incapable of enforcing our legislation about computer crimes. Bearing in mind just how important our computers and networks are to the economy – that is concerning. Perhaps the government should follow the example of the Serious Fraud Office and give the task of dealing with 2002 computer crimes to a specialist office who can garner the skills to deal with it – without political linkages being an issue.