[Home] [Databases] [WorldLII] [Search] [Feedback] New Zealand Law Commission

[Database Search] [Name Search] [Download] [Help]

Endnotes

^[1] The term "stored" is intended to cover both data retained on a computer for any period of time and data which passes through a computer but is not necessarily retained for any period of time. Unless the context requires otherwise, the term "stored" is to be read in that way throughout this report.

^[2] See paras 12 _23.

^[3] The Internet was developed by the United States Defence Department in the early 1970s. It was then known as ARPANET (Advanced Research Projects Agency Network). It was designed to provide communications which would not be disrupted even in the event of a major emergency. Computers were interconnected so that each computer in the network was connected to each other computer. Electronic messages could be sent from A to B directly or via any other computer or computers in the network. If part of the network became unoperational, the message would arrive at its destination regardless via an alternative route. The second feature is that the messages are not sent as a single stream of data. Rather they are divided into discrete "packets" that are sent separately and reassembled by the recipient computer. Each packet may take a different route to the destination in order to avoid congestion. The Internet is identical to the ARPANET in its operation with the major difference being that while the ARPANET consisted of approximately 40 computers, there are now literally millions of interconnected computers any of which can communicate freely with the others. The term "Intranet" means an internal network which uses the same technology as the world wide web to show and link documents. It is not necessarily linked to the Internet itself, but when it is it can allow in viruses and hackers from outside (Gringras 1997 3 383).

^[4] Generally, "private communications" is defined as being "oral communications".

^[5] There is some case law on the meaning of "use" in the context of privacy and data protection laws (see R v Brown [1996] 2 Cr. App. R. 72, H.L. (E.)).

^[6] In Revlon Inc v Logisticon Inc 705933 (Cal. Super. Ct., Santa Clara City. Complaint filed Oct 22, 1990) a software company dialled into Revlon's computer system and intentionally disabled Revlon's system because Revlon had not paid the software company for certain software. Revlon could not distribute its products as its computer system was disabled for three days losing an estimated $20 million dollars in revenue. The case was settled out of court (cited in Gringras (1997, 170)).

^[7] See http://www.cert.org/ (site of the Computer Emergency Response Team located at Carnegie Mellon University in Pennsylvania); http://www.auscert.org.au (site of the Australian Computer Emergency Response Team located at University of Queensland in Brisbane) and http://ciac.llnl.gov (site of the Computer Incident Advisory Capability, a part of the U.S. Department of Energy located at Lawrence Livermore National Laboratories in Livermore, California) where computer viruses and incidents of computer misuse on the Internet are discussed.

^[8] It is noted by Gripman that only 17 percent of respondents who suffered a "hacker" intrusion reported the incident to law enforcement officials. Over 70 percent of the respondents who suffered a hacking intrusion cited negative publicity as the reason for non-disclosure (1997 175).

^[9] In the "Ihug" case, discussed at para 25, it was reported that Ihug were considering extraditing the hacker and prosecuting him in the United States as New Zealand law was "inadequate to deal with cyber-vandalism" (The Dominion, Teenage hacker faces extradition bid 21/11/98, 10).

^[10] Gringras defines website as "a collection of colourful documents on the World Wide Web. They can be used as an electronic brochure or be more active performing tasks for their viewers, such as searching databases or taking orders  . . ."  (1997 387_388).

^[11] The Minister of Information Technology, Hon. Maurice Williamson MP, has recently referred to the onset of the "knowledge economy" in his paper at the New Zealand Law Society Conference (M Williamson, 1999). See also, interview with Hon Max Bradford (Minister of Enterprise and Commerce) on Telstra Business, TVNZ, 14 April 1999, in which Mr Bradford discusses the "knowledge based economy"

^[12] There is currently a criminal offence in relation to interception of private communications (see para 53). Also, unauthorised use of information will often involve criminal activity (for example fraud or theft). Destruction of information will often involve criminal activity (see the provisions in relation to wilful damage under s298(4) Crimes Act 1961).

^[13] See para 36.

^[14] See ss 312B _ 312Q Crimes Act 1961; ss10,18 International Terrorism (Emergency Powers) Act 1987; ss 14_28 Misuse of Drugs Act 1978; and ss4A, 4B, 12A New Zealand Security Intelligence Service Act 1969 in relation to the interception of private communications by law enforcement officials (and see also New Zealand Security Intelligence Service Amendment Bill 1998 and New Zealand Security Intelligence Service Bill (No 2) 1999).

^[15] See Wim van Eck, (1985 269_286) and Moller, Phrack Magazine, Vol 4, issue 44 (see http://www.infowar.com/ where the paper is reproduced).

^[16] Recommendation 148 of the Privacy Commissioner in his review of the Privacy Act 1993 states:

^[17] "Fraudulent purpose" is not defined in the Crimes Act 1961. However, it has been held that the deliberate destruction of documents to conceal improper or dishonest conduct will amount to a "fraudulent purpose" (R v Shea (13/8/97, CA221/97)).

^[19] Section 11 Summary Offences Act 1981 provides:

(1) Every person is liable to imprisonment for a term not exceeding 3 months or a fine not exceeding [$2,000] who intentionally_(a) Damages any property ...

^[20] For instance, the hacker may be in New York, the computer in California and the owner of the computer system in New Zealand. For example, in the "Ihug" case discussed at para 25 the computer was based in California and was owned by a New Zealand company.

^[21] A number of statutory provisions give New Zealand courts jurisdiction in relation to offences committed outside New Zealand. For instance, s144A Crimes Act 1961 provides that it is an offence for a New Zealand citizen to do any act to any child under the age of 16 years outside New Zealand, if that act would, if done in New Zealand, constitute an offence.

^[22] The terms "data" and "unauthorised" are intended to convey the meanings set out in paras 12_14. The term "computer" should not be defined for the reasons given in para 15.

^[23] See ss135H_135L Crimes Act 1900 (ACT); ss 308_310A Crimes Act 1900 (NSW); ss 222, 223, 276 Criminal Code Act (REPCO33)(NT); Summary Offences Act 1953 (SA); ss 257_257F Criminal Code 1924 (Tas); s408D Criminal Code 1899 (Qld); s440A Criminal Code Act Compilation Act 1913 (WA).

^[25] These definitions are drawn from Gringras (1997 379_388)

^[26] Sir Ivor Richardson, "What can Commercial Lawyers expect of a Legal System?" (8th Inter-Pacific Bar Association Conference, Auckland, 2 May 1998); see also his article "Law and Economics" (1998) 4 NZBLQ 64, 68_71. Compare with Lord Goff of Chieveley in Henderson v Merrett Syndicates Ltd (quoted above).

^[27] Laws NZ, Tort, paras 1_3; see Todd et al 1997 chapter 25 for a general discussion of tortious remedies available in New Zealand.

^[28] In this context reference can also be made to further development in New Zealand through the Consumer Guarantees Act 1993.

^[29] See the judgment of the United States District Court in American Civil Liberties Union v Reno 929 F Supp 824 (1996); affirmed on appeal by the US Supreme Court in Reno v American Civil Liberties Union 117 SCt 2329 (1997).

^[30] For a recent case dealing with defamation in the context of alleged republication of alleged defamatory material contained on a website see International Telephone Link Pty Ltd v IDG Communications Ltd (unreported, HC, Auckland, 20 February 1998, CP344/97).

^[31] While there is no case directly in point, a duty not to allow a biological virus, such as foot and mouth disease, to be transmitted has been held to exist: Weller v Foot & Mouth Disease Research Institute [1965] 3 All ER 560.

^[32] As a matter of New Zealand domestic law, it is likely that an action in tort will only arise in an international transaction if the alleged tortious act occurred in New Zealand, or the alleged tortious act was committed in a foreign country in which it would also be actionable: Red Sea Insurance Co Ltd v Bouygues SA [1994] 3 All ER 749 (PC) 761.

^[33] Hacking has been defined as electronic or physical penetration of a computer system by an unauthorised user (Gringras 1997 212); in England and Wales a criminal offence is committed by a "hacker" under the Computer Misuse Act 1990 (see generally Gringras 211_227). A computer virus is a generic term for computer code which replicates, not only throughout the storage medium in which it incubates, but also across the network to which that computer is connected. Without anti-viral software a computer connected to the internet poses a threat to all other computers also connected and risks infection from those other computers. The ability to infect a home page with a virus and even a word processing document makes the internet capable of spreading malicious code widely and rapidly (Gringras 1997 228).

^[34] The interest protected in the tort of trespass is possession. Although the plaintiff is not, in the current scenario, deprived of possession of the computer, the plaintiff is prevented from using that computer, either because the virus has caused it to stop operating, or because the plaintiff fears transmitting the virus to someone else.

^[35] It is not necessary for me in this case to discuss the more difficult questions of whether or not an unintentional interference with goods is actionable without proof of damage, and indeed whether damage or asportation is necessary to constitute the tort. . . . (77)

This in turn draws on the earlier case of Everitt v Martin [1953] NZLR 298.

^[36] In this case, the defendant damaged a buried electricity cable belonging to the plaintiff. However, this interference was not tortious because the cable had been buried on the defendant's land without the defendant's knowledge or consent, and did not appear on any plan. The interference was therefore neither intentional nor negligent. Note also that it is not tortious for a defendant to interfere with goods if he or she is entitled to exercise a self-help remedy, such as removing goods which have been unlawfully placed on his or her land (Laws NZ, Torts, para 291).

^[37] The definition of confidential is broad and encompasses information as diverse as commercial trade secrets or client details, and personal secrets passed between spouses (see Laws NZ, Intellectual Property: Confidential Information, paras 22_43; and Meagher, Gummow and Lehane 1992 chapter 41).

^[38] See Laws NZ, Intellectual Property: Confidential Information, para 17; Saltman Engineering Co Ltd v Campbell Engineering Co Ltd [1963] 3 All ER 413; AB Consolidated Ltd v Europe Strength Food Co Pty Ltd [1978] 2 NZLR 515, 520; and the recent decision of the Court of Appeal in Maclean & Ors v Arklow Investments Ltd & Ors (unreported, 16 July 1998, CA95/97).

^[39] Laws NZ, Intellectual Property: Confidential Information, paras 144_146. See also Aquaculture Corporation v New Zealand Green Mussel Co Ltd [1990] 3 NZLR 299. Note, however, that because the remedy is equitable, all remedies are discretionary.

^[60] Laws NZ, Intellectual Property: Confidential Information, para 17; see also Attorney-General v Guardian Newspapers Ltd (No 2) [1990] 1 AC 109 (HL), 256, 282.

^[41] Questions arising from the accidental communication of confidential information to the wrong person or wrongful use of confidential information by a person who originally acquired that information lawfully are not considered as such issues are not peculiar to the field of electronic commerce.

^[42] Nor would copying information constitute theft under current New Zealand law: Laws NZ, Intellectual Property: Confidential Information, para 182.

^[43] See also the consultation paper of the Law Commission (England and Wales), Legislating the Criminal Code: Misuse of Trade Secrets, which discusses the case for criminal liability for certain misuses of confidential information.

^[44] Note that the duty is not limited to the party who obtains the information; it can also extend to innocent third parties who subsequently obtain a copy: Ross Industries (New Zealand) Ltd v Talleys Fisheries.

^[45] The fact situation in Franklin is directly analogous. The action concerned early fruiting nectarine hybrids which could only be raised by grafting a cutting (budstock) on to rootstock, which were bred by the plaintiff. The defendant stole cuttings from the plaintiff, grafted them, and made further cuttings from the resulting trees until he had an orchard. Although the possibility remained of bringing proceedings for conversion of the cuttings, the plaintiff preferred breach of confidence because the effective remedy in conversion would be a forced sale of the trees to the defendant. The plaintiff had no intention of letting others benefit from his work, a fact of which the defendant was well aware; rather, he wanted the defendant's trees destroyed. Although there was no prior relationship of confidence between the parties, the court allowed the plaintiff to succeed.

^[46] See also Meagher, Gummow and Lehane 1992 para 4109; Laws NZ, Intellectual Property: Confidential Information, para 115, and the cases cited there. See also the dicta of Lord Goff of Chievelely in Attorney-General v Guardian Newspapers Ltd [1988] 3 All ER 545, 658_659; and Denning 1982 264_268.

^[47] See also Fox LJ in Francome v Mirror Group Newspapers Ltd [1984] 1 WLR 892, 899_900, and the dicta of Swinfen Eady LJ in Ashburton v Pape [1913] 2 Ch 469, 475. Francome concerned information obtained by means of an illegal wire tap which the defendant, a newspaper, subsequently obtained and attempted to publish. The Court of Appeal ordered an interlocutory injunction prohibiting publication to preserve the position of the parties until trial, but did not consider that Malone compelled the court to deny the existence of a duty of confidence (Meagher, Gummow and Lehane 1992 para 4109).

^[48] This approach to novel cases has been adopted by the Court of Appeal: see South Pacific Manufacturing Co Ltd v New Zealand Security Consultants Ltd [1992] 2 NZLR 282, 294; Connell v Odlum [1993] 2 NZLR 257, 265; and Fleming v Securities Commission [1995] 2 NZLR 514, 526_527. Although the courts in the United Kingdom have moved from the position adopted in Anns v London Borough of Merton, it has been confirmed that the law of negligence is one area in which the common law of New Zealand is diverging from that of England: Hamlin v Invercargill City Council [1996] 1 NZLR 513. Accordingly, the above statement remains an accurate statement of the law in New Zealand.

^[49] See also Revlon Inc v Logisticon Inc (unreported, Superior Court of California, Santa Clara County No 705933, complaint filed 22 October 1990). Gripman also refers to United States v Morris 928 F 2d 504, 505_506 (Second Circuit, 1991) which involved damage caused by a virus ranging between $96 million to $186 million based upon labour costs to eradicate the virus and monitor recovery of the computer system (171); in that regard see also Lyman, Civil Remedies for the Victims of Computer Viruses 21 Sw ULRev 1169, 1172 (1992).

^[50] This does not imply that a court must necessarily find that industry practice is sufficient to meet the legal standard of care where conformity with best practice guides does not constitute incontrovertible proof that the user has exercised a reasonable standard of care. Such evidence will be taken into account by a court in determining whether the allegation of negligence has been made out: Bolam v Friern Hospital Management Committee [1957] 1WLR 582; Laws NZ, Negligence, para 5.

^[51] Gringras defines a "firewall" as:

hardware, but more usually software, designed to protect network systems from damage by outsiders, while maintaining connectivity. The firewall sits between a local network and the big, wide world (usually the internet). To protect the local network from evil-intentioned intruders, the firewall may admit only designated users, or allow only designated commands to be issued from outside. Balancing flexibility with security is, needless to say, a perennial headache in designing firewalls. (Gringras 1997 382).

Encryption is the mathematical process used to disguise text or data. It takes two forms: those forms are public key encryption and private key encryption (Gringras 381). For further discussion of public and private key encryption see chapter 7.

^[52] Gripman provides a useful analysis, in technical terms, of the steps that can be taken to minimise security problems in this context (1997 182_195); that is followed by a specific case study (191_195).

^[53] The acronym URL stands for uniform resource locator and refers to the standard for specifying an object on the internet, such as a world wide web page or a file on a file transfer protocol (FTP) for example. A URL for the world wide web will have the prefix "http://" denoting that the page uses hyper-text transfer protocol (see Gringras 1997, 387).

^[54] The definitions of "processor" and "distributor" in s 2(1) of the Defamation Act 1992 are probably sufficiently broad to include computer network service providers (see Todd et al 1997 882).