By Chris Steenstra
If your inbox is anything like mine, it's been assaulted by spam over the past few weeks. Rather frustratingly, the spam has come from legitimate email addresses within my contacts. Despite multiple reminders from our IT department telling us to 'delete delete delete', curiosity has certainly tempted me to click on the link to see what all the fuss is about. It's raised the question though: what exactly is spam? How have the wily cyber spammer vigilantes got email into my inbox, and what punishment do they face if caught?
The first thought is that these emails are spam, so the Unsolicited Electronic Messages Act 2007 (UEMA) may apply. That Act prohibits unsolicited commercial electronic messages being sent by, or to, New Zealand held electronic addresses. It also requires senders to ensure that commercial electronic messages are sent with accurate sender information and a working opt-out mechanism. This definition captures what we commonly refer to as spam, such as those misleading emails you receive with an odd subject line and a single link included.
From what the media is suggesting, it seems that a wily spammer has hacked their way into the vaults of one particular email platform provider and helped themselves to email addresses, usernames and passwords. They have then (allegedly) logged in to individual email accounts and sent spam to various contacts held in the associated address book. The email address owner has had no idea the messages have been sent. The account owner, it seems, could face liability under the UEMA as the email came from the email account that they control. UEMA's watchdog, the Department of Internal Affairs, did contemplate this situation, as it included the 'I know nothing' defense in section 12. So it seems the unsuspecting email account owner, luckily in this case, is spared from liability.
What about the wily cyber spammer/hacker? What liability does that person face? In addition to potential liability under the UEMA, buried within the Crimes Act 1961 are the sections on computer misuse, which prohibit access to a computer system for dishonest gain and access to a computer system without authorisation. The wily spammer has made two separate hacks in this scenario, one into the email platform to take the email addresses, usernames and passwords, and the second into the particular email account to send the spam email. As such, both of these charges could be pursued, with maximum prison time ranging from two to seven years.
For all sorts of reasons that are too complex to go into here, it would be unusual for the wily spammer to be located in New Zealand. Proceedings under the UEMA or the Crimes Act would be difficult if the suspect is located overseas. It would require co-operation between countries and extradition. We have seen how difficult this can be with the likes of Kim Dotcom and Julian Assange.
The privacy issues in this situation are concerning. As well as the data that the wily spammer has accessed while within the vaults of the email platform provider, the wily spammer may have also had access to all of your personal information stored within your email account. In my case, this would be flight details, hotel reservations, insurance details and so on. Regardless of your password strength, if the email platform provider lets you down with poor security, then all is lost. I'm sure the Privacy Commissioner will be a little concerned.
Overall, it seems spam is here to stay. Just like the rogue flyer that makes it into your mailbox despite your 'no circulars' sign, spammers will (with time) find ways to outsmart the latest IT security.
Strong passwords, an email provider with a good security track record and robust spam filters are essential elements within your control to limit your risk.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.