Friday, September 08, 2006

Pretexting and Canadian law

Rob Hyndman has some interesting things to say about the whole surveillance fiasco that appears to be blowing up in the faces of HP's management. (See: robhyndman.com » Blog Archive » Surveillance - is this the HP Way?) I also have to say thanks to Rob for posting a link to the Smoking Gun's reproduction of a letter from one board member who resigned in protest (Hewlett-Packard Targeted Board In Leak Probe - September 5, 2006). That letter includes, as an attachment, a letter from AT&T describing the outcome of their investigation of how someone managed to establish online accounts in the name of the board member to review his calling activity. Apparently, HP's management also hacked the accounts of journalists to get similar info on them (Reporters' records hacked in HP probe CNET News.com).

[What follows is very general and should not be taken as legal advice.]

If this case had arisen in Canada, PIPEDA would probably not be much help to go after the pretexter. In connection with an investigation, you can collect personal information without consent under 7(1)(b). And then you can use it without consent under 7(2)(d). The only check on this is likely the "reasonableness" provision in s. 5(3):

An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

Unfortunately, this section doesn't really speak to the manner of collection. Principle 4.4 of Schedule I, however, says that "Information shall be collected by fair and lawful means." Hacking into a system and impersonating the individual is probably neither fair nor (see below) lawful.

(I would emphasise that PIPEDA does not apply to private individuals pretexting for their own purposes or to journalists. But the Criminal Code applies to everyone.)

In Canada, our Criminal Code has a number of provisions that could be used to prosecute anyone doing this sort of pretexting. To begin with, there's the fraud section (s. 380) that reads:

Every one who, by deceit, falsehood or other fraudulent means, whether or not it is a false pretence within the meaning of this Act, defrauds the public or any person, whether ascertained or not, of any property, money or valuable security or any service,
(a) is guilty of an indictable offence and liable to a term of imprisonment not exceeding fourteen years, where the subject-matter of the offence is a testamentary instrument or the value of the subject-matter of the offence exceeds five thousand dollars; or

(b) is guilty

(i) of an indictable offence and is liable to imprisonment for a term not exceeding two years, or

(ii) of an offence punishable on summary conviction,

where the value of the subject-matter of the offence does not exceed five thousand dollars.

Courts have held, generally speaking, that an individual commits fraud when (a) deceit; (b) unfair disclosure; or (c) unfair exploitation is used to induce any person to part with any property or suffer a financial loss. But is setting up an online account really within "any service"? It's not 100% clear.

The Criminal Code also contains a section dealing specifically with impersonation. Section 403 reads:

403. Every one who fraudulently personates any person, living or dead,
(a) with intent to gain advantage for himself or another person,

(b) with intent to obtain any property or an interest in any property, or

(c) with intent to cause disadvantage to the person whom he personates or another person,

is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years or an offence punishable on summary conviction.

There are also the "hacking" provisions in s. 342.1, which in my experience the crown and police are too bashful to apply to hacking to obtain information:

342.1 (1) Every one who, fraudulently and without colour of right,
(a) obtains, directly or indirectly, any computer service,

(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system,

(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system, or

(d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c)

is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction.

(2) In this section,

“computer password” means any data by which a computer service or computer system is capable of being obtained or used;

“computer program” means data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function;

“computer service” includes data processing and the storage or retrieval of data;

“computer system” means a device that, or a group of interconnected or related devices one or more of which,

(a) contains computer programs or other data, and

(b) pursuant to computer programs,

(i) performs logic and control, and

(ii) may perform any other function;

“data” means representations of information or of concepts that are being prepared or have been prepared in a form suitable for use in a computer system;

“electro-magnetic, acoustic, mechanical or other device” means any device or apparatus that is used or is capable of being used to intercept any function of a computer system, but does not include a hearing aid used to correct subnormal hearing of the user to not better than normal hearing;

“function” includes logic, control, arithmetic, deletion, storage and retrieval and communication or telecommunication to, from or within a computer system;

“intercept” includes listen to or record a function of a computer system, or acquire the substance, meaning or purport thereof;

“traffic” means, in respect of a computer password, to sell, export from or import into Canada, distribute or deal with in any other way.

Several aspects of this provision make it extremely broad or at least allow a very broad interpretation. The definition of computer service includes data processing and the storage or retrieval of data. Computer system is quite broad, covering every device that contains some software-related functionality. The definition of data is also rather expansive, including data “in a form suitable for use in a computer system,” which would include data in the process of being transmitted, or in offline storage, in addition to data inside a computer.

It may appear that Canadian law is up to the task of dealing with pretexting, but I'd conclude that we could use some clarification. The courts have held that information is not property and there may be enough wiggle room to argue that pretexting doesn't fit within the above sections of the Criminal Code. Perhaps we need an amendment or two to clearly criminalize impersonation of a person to obtain information about that person.
