With computer hacking now a criminal offence, companies providing ethical hacking services to test system security should take steps to avoid liability.
The Crimes Amendment Act 2003 (the Act), which came into force on 1 October 2003, has made certain conduct involving the use of, or access to, computer systems illegal.
In particular the intentional access of a computer system without authorisation, more commonly known as hacking, is now a criminal offence. These provisions will be relevant to companies who engage in ethical hacking in order to test the security of their clients' computer systems.
The term computer system is given a wide definition under section 248 of the Act and encompasses standalone computer terminals and computers linked remotely or to a network. The definition also extends to components which may not normally be regarded as being part of a computer system, such as software and stored data.
The inclusion of communication links between computers or remote terminals in the definition of a computer system suggests the definition may include Internet Service Providers (ISPs). Consequently, it will be prudent for those seeking to undertake ethical hacking to obtain express authorisation from relevant ISPs before attempting to gain access to a client's computer system.
The width of the definition means that on occasion there may be other parties from whom it will be necessary or wise to obtain authorisation, e.g. where two (or more) linked computers are used by two (or more) different parties but comprise one computer system under the Act. Unhelpfully, the Act provides no definition of authorisation.
The principal provision of the Act for those carrying out ethical hacking is section 252. This prescribes a maximum two-year sentence for anyone who intentionally accesses, directly or indirectly, any computer system without authorisation.
The section is invoked if the person conducting the hacking either knew that they were not authorised to access the system or was reckless as to whether or not they were authorised to do so. The provisions, however, do not apply where a person who is authorised to access a computer system then accesses it for a purpose other than the one for which that access was given.
In order to avoid liability under section 252, those undertaking ethical hacking must obtain authorisation before accessing a client's computer system. As previously mentioned, the Act does not prescribe the form in which the authorisation is required to be given, for example whether it must be in writing. Nor does it require that it be given by any particular person. Those undertaking ethical hacking should nonetheless consider several factors when obtaining authorisation to access a computer system. Because the Act is silent on form, and authorisation is the only defence it offers, authorisation should be obtained in writing.
Authorisation to access a computer system should also be obtained from a person who has authority to give it, so that there can be no doubt that it has been properly authorised. Generally authorisation from a person with the requisite delegated authority will suffice. However, given that authorisation is the only protection from breaches of the Act, if any doubt arises as to the scope of that person's authority it should be clarified.
Finally, the authorisation sought should cover the full scope of the access to be made to the relevant system and refer to the purpose for which it has been granted. Care should be taken if there is a possibility that the relevant system is not owned by the client, is not solely operated by the client, or comprises components owned or used by more than one party.
In such cases it may be necessary, and would be wise, to obtain authorisation from all relevant parties. Ethical hackers should consider the nature of the computer system before accessing it and, if it appears that the authority of any other party might be required to access the system, it would be prudent to obtain it.
The recent changes to the Crimes Act 1961 now mean that those approached to undertake ethical hacking should consider a number of factors in order to avoid prosecution under the new computer offences. In particular, consideration should be given to the nature of the system required to be accessed, from whom authorisation should be sought, and the scope of the authorisation granted.
For more information on the tort of breach of privacy, please email or call Garry Williams on 64 9 9168661.
This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.