Age journalists apologise for unauthorised access to ALP database

August 6, 2013 |

Today 3 journalists, Royce Millar, Nick McKenzie and Ben Schneiders, have penned a letter of apology on page 2 of the Age. It is found here. The Herald Sun reported (no doubt very reluctantly) on the three having their cases diverted and therefore they are released without conviction and a good behaviour bond of 12 months.

The apology provides:

In November 2010, while researching a story for The Age newspaper, we the undersigned journalists accessed the ALP’s Electrac database without authorisation.

The focus of the story, published on 23 November 2010, was upon databases maintained by political parties, which contain private information concerning voters, and how that information is used for election campaigning. The Electrac database is such a database. Other political parties have similar databases.

We were able to access Electrac through the use of passwords provided to one of the undersigned. We accept that we did not have authorisation of the ALP to access the database.

About six months after the story ran, the Victorian Electoral Commissioner contacted the Victoria Police, who commenced an investigation into whether, in accessing the database, we had breached s. 478.1(a) of the Commonwealth Criminal Code, being ”Unauthorised Access to Restricted Data”. We accept that we did in fact contravene this provision by accessing the database. We do wish to point out, however, that the access to the database was not for an improper motive, but rather to write a story that we felt was a matter of public interest. No names or identifiable personal details were disclosed in the story without the consent of persons concerned. No personal details were stored or used for other purposes.

Despite the public interest motives for the story, we recognise that journalists are not above the law, and, although we were not aware of s. 478.1, we accept that ignorance of the law is no excuse. We apologise to the ALP and to the Victorian Electoral Commission for our actions. We also apologise to any of the individuals whose details we either viewed or searched for.

Our case has served as a warning to us, and other journalists, that in gathering information – especially via the internet – we need to ensure our methods are lawful. In November 2010 we did not take sufficient care. We should have been more diligent.

Section 478.1, Unauthorised access to, or modification of, restricted data, of the Commonwealth Criminal Code provides:

478.1   Unauthorised access to, or modification of, restricted data

             (1)  A person is guilty of an offence if:

                     (a)  the person causes any unauthorised access to, or modification of, restricted data; and

                     (b)  the person intends to cause the access or modification; and

                     (c)  the person knows that the access or modification is unauthorised.

Penalty:  2 years imprisonment.

             (3)  In this section:

“restricted data” means data:

                     (a)  held in a computer; and

                     (b)  to which access is restricted by an access control system associated with a function of the computer.

It is interesting to see the Department’s response in 2009 regarding section 478.1 to a question on notice from the House of Representatives Standing Committee on Communications, inquiry into Cybercrime where in response to the following question:

3. To what extent does the current legal framework and the Government’s stated policy ambition for ‘achieving a just and secure society’ support the personal security of individuals hurt by the use and application of ICT. In responding to this question, the Department(s)
should focus on the current limitations of the law (i.e. unauthorised access to and modification of data) and apparent lack of safeguards to protect individuals from:

it relevantly stated:

Section 478.1 of the Criminal Code criminalises the unauthorised access to or modification of data held on a computer which is restricted by an access control system. The maximum penalty for this offence is two years imprisonment. The offence in section 478.1 would generally cover hacking into password protected data, such as a Facebook account, and/or modifying that data.

The section has been touted as an effective means of combating and prosecuting hacking.  The AFP has issued a number of press releases regarding the use of the provision, including in July 2011 AFP arrests Cowra man after landmark hacking investigation where it, in part, provides:

The AFP has arrested a 25-year-old Cowra man on 49 hacking charges after a six month investigation into his online activities.

Police will allege in court that the man’s hacking activity could have potentially caused considerable damage to Australia’s national infrastructure.
In June 2011, AFP investigators found a compromise to Platform Networks, a wholesale internet provider in Sydney that is one of the contracted providers of the National Broadband Network (NBN) release.

Platform Networks cooperated fully with the AFP during the investigation, working with officers to monitor the alleged offender’s illegal activities inside their network. 

“While Platform Networks had strong cyber security measures in place, even the best security systems are only as strong as the weakest link – it only takes one user with a weak password to put an entire network at risk,” AFP National Manager for High Tech Crime Operations Neil Gaughan said.

“The facts of this investigation are interesting. The 25-year-old Cowra man arrested is an unemployed truck driver who is completely self-taught in terms of his IT skills. The AFP will allege this man was motivated by ego in his illegal hacking, proving his skills after complaining he could not get work in the IT sector. He is known to use the online nickname ‘Evil’. 

“In the experience of cyber crime investigators, internet hackers often do not have any IT qualifications at all.

“The AFP will allege in court that this person acted with an extreme and unusual level of malice and with no regard to the damage caused, indiscriminately targeting both individuals and companies.”

The AFP has charged the man with the following offences: 

  • one count of unauthorised modification of data to cause impairment, contrary to Section 477.2 of the Criminal Code Act 1995 (Cth). This offence carries a maximum penalty of 10 years in jail.
  • 48 counts of unauthorised access to, or modification of restricted data, contrary to Section 478.1 of the Criminal Code Act 1995 (Cth). This offence carries a maximum penalty of two years in jail.

And in April this year in AFP arrests first ‘Lulzsec’ hacker

The Australian Federal Police (AFP) has charged a 24-year-old Point Clare man with hacking offences after he allegedly attacked and defaced a government website earlier this month.

The man is a self-proclaimed leader of the group ‘Lulz Security’ (Lulzsec), a computer hacking group that has existed since 2011.

The man is the first member of the group to be charged by the AFP.

The investigation began earlier this month when AFP Cyber Crime Operations investigators found a compromise to a government website.

The 24-year-old is an IT professional employed in the industry.

Police will allege the man was in a position of trust within the company, with access to sensitive information from clients including government agencies.

The AFP believes the man’s knowledge and skills presented a significant risk to the clients of the company for which he was employed had he continued his illegal online activities.

Manager Cyber Crime Operations Commander Glen McEwen said the impairment or disruption of communications to or from computer networks can have serious consequences.

“Those thinking of engaging in such activities should be warned that hacking, creating or propagating malicious viruses or participating in Distributed Denial of Service attacks are not harmless fun,” Commander McEwen said.

“Criminal acts such as this can result in serious long-term consequences for individuals, such as criminal convictions or imprisonment.”

The man was bailed to appear in Woy Woy Local Court on 15 May 2013 and has been charged with the following offences:

  • Two counts of unauthorised modification of data to cause impairment, contrary to section 477.2 of the Criminal Code Act 1995; and
  • One count of unauthorised access to, or modification of, restricted data, contrary to section 478.1 of the Criminal Code Act 1995.

The maximum penalty for these offences is ten and two years respectively.

 The AFP advises businesses involved in IT to:

  • Provide employee awareness and education programs
  • Monitor content going into and out of networks
  • Implement acceptable use policies for wireless technology, information technology and mobile devices
  • Complete background checks on staff
  • Conduct mandatory reporting of misuse and abuse of computer equipment
  • Complete a set of written standard operating procedures for technology
  • Manage account and password policies

Organisations should also be aware of Defence Signals Directorate’s top four mitigation strategies to protect their ICT systems. These include:

  • Application whitelisting – A technical measure which only allows specifically authorised applications to run on a system. This helps prevent malicious software and unauthorised applications running.
  • Patching systems – A small piece of software designed to fix problems or update a computer program.
  • Restricting administrative privileges – Minimising administrative privileges makes it more difficult for the adversary to spread or hide their existence on a system.
  • Using the latest versions of operating systems.

Section 478.1 is drafted broadly and as such would cover the nature of the activitiy complained of.  The question of what constitutes authorisation comes into play in this provision.  It would be difficult to establish that journalists being given a password to access a computer by a source would constitute a form of authorisation unless it was clear that the source providing the password had the authority to hand out passwords (highly unlikely event).

What is interesting about this case generally and section 478.1 in particular is that the nature of the breach is a privacy issue. the media and political parties, the victim and the accussed in this case, are specifically excluded from operation of the Privacy Act.  As a matter of public policy that is unfortunate.  The Privacy Act should cover the field.  That does not mean to say the Criminal Code should not cover similar acts where the circumstances are appropriate.  Under the now amended Privacy Act it is entirely appropriate for the Privacy Commissioner to consider a breach of the Act.  In this case the unauthorised access could only be dealt with as a criminal offence.  The Parliament intended the section to deal with hackers.  It is now being used for a broader purpose. That is possible because the legislation was drawn in terms wide enough to cover the actions of those who are not hackers, and don’t do what hackers do as a matter of course (such as steal, alter or destroy files or insert bot malware), in this case view data for the purpose of journalistic investigation.  It is not unusual for authorities to search for offences which would cover actions which legislation has not specifically contemplated and settle on an offence which covers the facts.  When that happens it is appropriate to review the legislative structure and decide whether a more purpose built provision is more appropriate in future.

This case highlights the need for the Privacy Act to be more broadly applicable and for there to be a statutory right of privacy.  An organisation should be entitled to make a civil complaint.  A person whose data was viewed without authority or permission should have a right to bring an action if that person feels sufficiently aggrieved.

Leave a Reply