Law raises fears of SIS set-ups

[InfoSec News <isn () c4i org>]

http://www.nzherald.co.nz/storydisplay.cfm?reportID=58554

16.05.2001 Legislation on hacking might let spies do more than just
look at your data, writes VERNON SMALL.

The country's spies may already be hacking into your computer to add,
delete or change data, even before Parliament passes a law allowing
them to do so.

The Crimes Amendment Bill (No 6), being considered by a select
committee, will make computer hacking an offence for the first time.
But the Security Intelligence Service or the police will be able to
seek warrants to hack into computers.

The exemption has been well flagged, but what is not widely understood
is that SIS personnel almost certainly believe they have the right not
only to look at data but to change files to "achieve the purpose of
the warrant," or to hide their trail once they have secretly hacked
into a computer.

Prime Minister Helen Clark, the minister responsible for the SIS, has
refused to directly confirm that agents can tamper with computer
files.

Asked if they had that power now, she said: "Those executing a warrant
are justified in taking any reasonable action necessarily involved in
effecting an interception or seizure. For reasons of security I am not
prepared to comment further."

She said the law change would not alter or add to the SIS's powers to
hack into computers.

If agents do tamper with data, and not just view e-mails and files, it
raises questions about the integrity of individuals' computer records
and the reliability of electronic data used in evidence. It could also
- says Green MP Keith Locke - result in citizens being "set up" by the
SIS's changing files and leaving no trace.

In answer to those concerns, Helen Clark said anyone harmed by any act
of the SIS could complain to the Inspector-General of Intelligence and
Security.

But critics say that is a weak protection because those affected may
never suspect the SIS was involved.

The issue of spies changing data once they have hacked into computers
was raised by officials last year.

They advised Justice Minister Phil Goff that once the Crimes Amendment
Bill became law, the SIS Act should also be changed to remove any
legal risk to the service.

Part of the change they urged would have made explicit the power to
modify data.

Drawing on Australian secret service legislation, they suggested
wording which would allow an agent with a warrant to obtain access to
documents stored in the target computer, "and if necessary to achieve
that purpose or to conceal the fact that anything has been done under
the warrant, adding, deleting, or altering other data in the target
computer."

However, they warned that it might be better to leave well alone.

Helen Clark told the Herald that the officials' advice to change the
SIS Act was not followed because no changes were necessary.

It was based on a misunderstanding and wrongly assumed a specific
power was needed.

Rodney Harrison QC, who represented anti free-trade activist Aziz
Choudry in a successful case against an SIS break-in, said agents
probably did not have the legal right to change data to hide their
hacking, but it was a moot point.

There was now an express power allowing them to cover their tracks
when making a physical entry.

"The absence of any express power when they're hacking suggests that
they don't have it."

He said it was depressing to see new invasions of privacy when the
Bill of Rights and the Privacy Act were supposed to protect citizens.

Privacy Commissioner Bruce Slane, who believes no public case has been
made for remote hacking by enforcement agencies, said it was probably
inherent that a secret service would hide its tracks.

He has warned the Government that it could be exposed to enormous
damages if agents harmed computer systems during hacking.

But where there was no damage, the only civil remedy might be a
common-law tort of breach of privacy - something the courts had
alluded to but never defined.

Mr Slane has described remote hacking by the police as "a pernicious
secret policing practice [that] should not be allowed for ordinary law
enforcement."

He told a select committee last week that he was also concerned at
state agencies "trawling" or "browsing" for key words.

He suggested establishing an auditor to ensure compliance when a
warrant did not lead to a prosecution, and urged the committee to add
a requirement that individuals be told when their conversations or
private mail had been read.




ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.