Moran v Police HC Napier CRI-2011-441-12
[2011] NZHC 2052
•16 June 2011
IN THE HIGH COURT OF NEW ZEALAND NAPIER REGISTRY
CRI-2011-441-12
BETWEEN PETER ROSS MORAN Appellant
ANDNEW ZEALAND POLICE Respondent
Hearing: 10 May 2011
Counsel: C M Clarkson for Appellant
J D Lucas for Respondent
Judgment: 16 June 2011 at 11:00 AM
JUDGMENT OF ALLAN J.
This judgment was delivered by
The Hon. Justice Allan on
16 June 2011 at 11:00am
pursuant to Rule 11.5 of the High Court Rules.
...................................
Registrar/Deputy Registrar
Solicitors:
Woodward Chrisp, P O Box 348 Gisborne 4040, for Appellant
Crown solicitor, PO Box 609 Napier 4140, for Respondent
Copy for:
Judge Rea, District Court Hastings.
MORAN V NEW ZEALAND POLICE HC NAP CRI-2011-441-12 16 June 2011
[1] Mr Moran was charged with offences under ss 250(2)(a) and 252(1) of the Crimes Act 1961. Each subsection is concerned with conduct involving computer misuse.
[2] Following a summary hearing before Judge Rea in Hastings District Court on
15 December 2010, the appellant was convicted on each charge.1 He was subsequently sentenced to four months community detention, nine months’ supervision, and 125 hours community work.2 He now appeals against his conviction on the charge laid under s 250(2)(a). There is no appeal against his conviction on the charge laid under s 252(1)(a), nor does Mr Moran appeal against sentence. Counsel are agreed that in the event that the present appeal succeeds, the case ought to be remitted to the District Court in order that consideration might be given to the question of a varied sentence.
Factual background
[3] The appellant and his victim had been in a long term personal relationship during which the victim used the appellant’s laptop computer. She had her own computer profile which was protected by a password. She also had her own hotmail email account, again protected by a password. Included in the hotmail facility was a Windows Live profile, which effectively serves a social networking function.
[4] The Windows Live profile of the victim could be seen by other members of Windows Live but information and data on the profile could not be changed by anybody except the victim. Her password was the same for both the hotmail account and the Windows Live profile.
[5] At some time during the relationship, the victim stored extremely intimate
photographs of herself under her computer profile on the appellant’s laptop.
The appellant could not gain access to these photographs because he did not have the password to her computer profile on his laptop.
[6] After the relationship had come to an end, the appellant unlawfully gained access to the victim’s computer profile and hotmail account on the laptop. He did so by gaining access to the password and effectively hacking in to the profile and hotmail account, with the assistance of a friend. Having obtained access to the victim’s data, the appellant distributed the intimate photographs to friends and associates of the victim in an email sent via the hotmail account. The appellant also changed the victim’s Windows Live profile by adding and amending information, including replacing a conventional photograph of the victim with one of the intimate photographs which was then visible to any person having access to the victim’s Window Live profile. The appellant also sent text messages to certain persons, advising them that the intimate photographs were available for viewing.
The District Court hearing
[7] A reading of the oral judgment of Judge Rea indicates that in the District Court there was no challenge to the prosecution’s case that there had been breaches of each of the two subsections relied upon. The Judge found that “... there are no technical aspects to this case”.3 Rather, the defence was that Mr Moran “did not do it” as the Judge put it.4 Mr Moran gave evidence that, although he was one of the recipients of the email attaching the intimate photographs, he was not responsible for
the intrusion into the victim’s private information. Judge Rea had no difficulty in concluding that Mr Moran was in fact responsible. That finding is not challenged on appeal. Rather, it is argued for the first time that the appellant was overcharged and that the whole of his culpability was properly accommodated within the conviction under s 252(1)(a) of the Crimes Act.
Computer misuse under the Crimes Act 1961
[8] In order to understand the appellant’s argument, it is necessary to consider the
key provisions in the Crimes Act 1961 concerning computer misuse.
[9] Section 249 provides (as relevant):
249 Accessing computer system for dishonest purpose
(1) Every one is liable to imprisonment for a term not exceeding 7 years who, directly or indirectly, accesses any computer system and thereby, dishonestly or by deception, and without claim of right,—
(a) obtains any property, privilege, service, pecuniary advantage, benefit, or valuable consideration; or
(b) causes loss to any other person.
(2) Every one is liable to imprisonment for a term not exceeding 5 years who, directly or indirectly, accesses any computer system with intent, dishonestly or by deception, and without claim of right,—
(a) to obtain any property, privilege, service, pecuniary advantage, benefit, or valuable consideration; or
(b) to cause loss to any other person.
...
[10] Section 250 provides:
250 Damaging or interfering with computer system
(1) Every one is liable to imprisonment for a term not exceeding 10 years who intentionally or recklessly destroys, damages, or alters any computer system if he or she knows or ought to know that danger to life is likely to result.
(2) Every one is liable to imprisonment for a term not exceeding 7 years who intentionally or recklessly, and without authorisation, knowing that he or she is not authorised, or being reckless as to whether or not he or she is authorised,—
(a) damages, deletes, modifies, or otherwise interferes with or impairs any data or software in any computer system; or
(b) causes any data or software in any computer system to be damaged, deleted, modified, or otherwise interfered with or impaired; or
(c) causes any computer system to—
(i) fail; or
(ii) deny service to any authorised users.
[11] Section 252 provides:
252 Accessing computer system without authorisation
(1) Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.
(2) To avoid doubt, subsection (1) does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access.
(3) To avoid doubt, subsection (1) does not apply if access to a computer system is gained by a law enforcement agency—
(a) under the execution of an interception warrantor search warrant; or
(b) under the authority of any Act or rule of the common law.
[12] Section 248 of the Act provides a definition of the term “access” for the
purposes of ss 249 and 250:
Access, in relation to any computer system, means instruct, communicate with, store data in, receive data from, or otherwise make use of any of the resources of the computer system.
[13] Curiously, this definition does not extend to s 252 but there is no basis for concluding that a similar approach ought not to be taken in construing the term “access” where it appears in that section.
Appellant’s argument
[14] Counsel for the appellant submits that the purpose of s 250 is to deal with offences that damage, interfere with or impair data or software. It is submitted that to attract a conviction, the appellant’s conduct must have caused direct damage to data or software, either recklessly or wilfully. While the appellant altered the information on the victim’s online profile by adding, deleting or uploading data, the appellant argues that his activities did not “interfere with” or impair or modify the data or software that controls the overall function of the Hotmail Windows Live site. Accordingly, the central issue for determination on this appeal is whether the appellant’s conduct, in uploading and changing information and photographs on the
victim’s Windows Live profile amounted to the modification or impairment or
interference with data or software for the purposes of s 250.
Discussion
[15] Section 250 had its genesis in the Crimes Amendment Bill (No.6) which ultimately became the Crimes Amendment Act 2003. The Amendment Act was enacted in order to deal with the increasing sophistication of computer crime and arose out of the Law Commission Report,5 in which the Commission identified a
need for legislation dealing with the following four elements of computer misuse:
Unauthorised interception of data stored in a computer; Unauthorised accessing of data stored in a computer;
Unauthorised use of data stored in a computer;
Unauthorised damaging of data stored in a computer.
[16] Putting aside data interception, it is evident that unauthorised access to data falls within s 252 of the Crimes Act. Unauthorised damage to data falls within s 250, and unauthorised use of data stored in a computer is dealt with across the provisions of ss 249, 250 and 252.
[17] Section 252 sits at the bottom of the hierarchy of sections. There will be a breach of s 252 where any person, knowing that he is unauthorised or reckless as to whether he has authorisation, gains access to a computer system. The term “computer system” is defined in s 248:
248 Interpretation
For the purposes of this section and sections 248 and 250, —
...
computer system —
(a) means—
(i) a computer; or
(ii) 2 or more interconnected computers; or
(iii) any communication links between computers or to remote terminals or another device; or
(iv) 2 or more interconnected computers combined with any communication links between computers or to remote terminals or any other device; and
(b) includes any part of the items described in paragraph (a) and all related input, output, processing, storage, software, or communication facilities, and stored data.
[18] A charge under s 252 will be appropriate where there is an unauthorised use of information or data (for example, by simply viewing it) that does not amount to damage or lead to some other benefit or loss. Misuse of information that goes beyond simply using the information or data without authorisation is covered by ss 249 and 250. When a person gains unauthorised access and dishonestly and without claim of right obtains, in broad terms, some benefit or advantage or causes some loss, an offence will be committed under s 249. Where a person gains unauthorised access and uses the data or software in such a way as to damage, delete, modify or impair it, an offence will be committed under s 250(2).
[19] It is not in dispute that the appellant was in breach of s 252. As discussed above, s 252 may be regarded as a threshold provision in that breaches of ss 249 and
250 will usually also amount to a breach of s 252. But Mr Lucas submits that the appellant’s conduct also contravened s 250(2)(a) in that what he did amounted to a modification of the victim’s data. The term “data” is not defined in the Crimes Act. The Law Commission defined “data” as “all types of information stored on a computer including the programmes which run the computer as well as personal
information”.6 Although not a statutory definition, it is self-evident that the term
“data” must be interpreted as including all types of information including personal
information.
[20] The term “modify” is not defined in the Crimes Act either. Mr Lucas refers to the definition in the Collins Compact English Dictionary:7 “to change or to alter slightly”.
[21] It is beyond question that by changing the victim’s personal information (or
“data”) the appellant “modified” it. He did so by
Posting an intimate photograph as the victim’s profile photo. Changing the victim’s contact information.
Adding users of Windows Live as “friends” who could view the
victim’s Windows Live profile.
Changing other information on the Windows life profile such as the
victim’s favourite quote and interests.
[22] Ms Clarkson’s principal submission for the appellant was that s 250(2)(a) ought to be interpreted so as to restrict its application to cases where it could be established beyond reasonable doubt that the appellant had taken a step which altered, not the data held on the computer system but, rather, data which formed part of underlying programmes or software. She maintains that modification of personal data in a manner that any account holder or person with access to the site can do, falls within the ambit of s 252. In contrast, s 250 is directed at more serious offending which affects not just the data held on the system but in effect the system itself.
[23] There is, in my view, no warrant for such a distinction. Section 250(2)(a) creates an offence of modifying any data in any computer system without authorisation. That is precisely what occurred here. Section 252 is confined to cases of unlawful access and is not apt to catch behaviour which results in a change to the data held in a computer system. As observed above, a breach of s 250 will usually
entail a breach of s 252 as well. In my view, the separate charges were properly laid and the Judge was right to find the appellant guilty on each.
Result
[24] For the above reasons, the appeal is dismissed.
......................................
C J ALLAN J.
0
0
1