Random Entry: SecureData acquires SensePost
< A quick view on IBM's approach to mainframe security disclosures
< A quick view on IBM's approach to mainframe security disclosures
There's a story that's been doing the rounds in the ZA press entitled; "Your private Facebook messages can be used in court against you even if you were hacked" It details a case "Harvey v Niland and Others" in the South African High Court, Eastern Cape Division where Facebook messages were deemed admissible in a case, despite having been obtained illegally. This is pretty attention grabbing, and could have far reaching implications. Could someone hack my WhatsApp/Gmail/Facebook and use my private conversations to implicate me in a crime? What does this mean for my right to privacy over my communications, and does it change the status quo? Could out intelligence services hack citizens for mass dragnet surveillance ala the NSA? Does this have implications for the Cybercrimes bill?
Since it was a pretty attention grabbing headline, I sought out the full text of the judgement to understand the, usually carefully considered and well reasoned results. The heart of the case is about whether Niland had acted in opposition to his fiduciary duties to the CC he remained attached to, and the Facebook messages were used to show he had violated this. I'm going to ignore this and focus on the part relevant to infosec, privsec and citizens; can someone hack you and use that as evidence in a case? Sections - of the judgement provide the details of what happened; an employee at Harvey's organisation claimed to know Niland's Facebook password. Harvey asked this employee to log in as Niland and check the private messages for evidence, which they did. The messages show Niland is guilty. Niland disputes that he had given his password, and claims he was hacked. No more technical details of how the messages were obtained was provided. If I had to guess, I suspect Niland left himself logged in to Facebook on one of the company machines, or had an easy to guess password (written on a post-it left under his keyboard?) or had in fact told the other employee a password to something else, and just re-used it. Sections [38-53] of the judgement deal with the admissibility of the Facebook messages. Niland's attorney argued that hacking the Facebook messages is a crime according to the Electronic Communications and Transactions Act 25 of 2002 (ECT Act) and should render the evidence inadmissible. Additionally, it was a violation of the constitutionally enshrined right to privacy [Section 14(d) of the Constitution of South Africa], which includes the right not to have the privacy of your communications infringed. The judge cited much case law and established the following four high-level counters to the above: One The ECT act is silent on whether acts marked as criminal negate their output being used as evidence. A prior case relating to phone tapping was cited where the Interception and Monitoring Prohibition Act 127 of 1992 too was silent on whether evidence obtained by phone tap was inadmissible, despite declaring such tapping a criminal offence. Interestingly, Niland's attorney sought to separate the two cases by arguing that the ECT act is a "game changer", the specifics of the argument are not disclosed, but the judge rejected the idea by citing the similarity in the two cases and acts as discussed above. Two Next, the judge cited a case describing the difference between a criminal and civil case. In a criminal case, the defendant has a right against self-incrimination, and doesn't need to help the state's case, however, in a civil case, the defendant is subject to discovery that includes information that may be harmful to their case. While the messages were not found in discovery (more on that later) their disclosure does fit the requirements of the civil case. Three The judge then tries to consider what rules he should operate under in further considering whether the evidence should be admissible. Here he cites a case where it was determined that the right to privacy "attenuates" the further away from "the home" (aka private life) one moves. In this case, the Facebook messages submitted were directly relevant to the business of Harvey and Niland, and messages related to Niland's private life were excluded. Thus, the right to privacy may be lessened in this case. Four Lastly, the judge tries to determine whether there were other, legal, means of obtaining this data, and concludes that there weren't. Harvey could have sued Niland for damages resulting from the suspected breach, and in doing so, would be entitled to discovery of the messages. I mentioned this above, in a civil case relevant information must be provided by the defendant, even if it hurts their case. This is why you often see internal e-mails from companies being cited in public court proceedings. If Harvey was worried that Niland would delete the messaged, he could ask for an "Anton Piller order. An "Anton Piller order" is a sort of surprise search warrant where the defendant is not informed. However, the judge believed that such a request would be dismissed as a fishing expedition since the messages are the basis of the case, without them the justification could not be made for such an order. And so, the evidence was admitted, and Niland was found guilty of breaching his fiduciary duties. Analysis I think at this point, it should be clear, that information obtained about you via illegal hacks cannot arbitrarily be used against you and admissible in court. It should also be clear, that in a civil case, you may be subject to discovery that would require such information to be disclosed anyway. And even in criminal cases, where you aren't required to disclose such information, it can still be obtained and used against you. For example, in the Oscar Pistorius case, detailed information about his WhatsApp messages between him and others, including deeply personal messages to his deceased girlfriend Reeva Steenkamp, as well as call records and even movement based on cell towers his phone was communicating with were provided. If you want to defend yourself, the easiest take-away is for you to regularly delete your private communications (WhatsApp, Facebook Messages, SMS, SnapChats, Twitter DMs, etc.) before they become relevant to a potential case. Meta-Analysis There are two things that I'd like to discuss in addition to this case. The first is the observation that we have a fantastic judiciary, with smart judges that apply their minds, and public records of such judgements are available. If you ever hear bombastic claims off the back of a case, it usually pays to read the actual judgement. The second, relates to the proposed Cybercrime bill. The bill attempts to pick up from the ECT act, as well as implement parts of the National Cybersecurity Policy Framework. It's first public draft received much negative attention about the privacy procedural implications of the bill. There's a call to get more technical experts involved. The case law considerations from this case are exactly why tech experts should be very wary about doing so. While any act would, of course, require accurate technical descriptions and assumptions, the bulk of the act will be interpreted outside of such technicalities, in much the way the judge did in this. As such, the implications of wording in the act can have significant unforeseen consequences. In my mind, it is significantly more important for legal minds, familiar with how acts are read during proceedings, to provide input, supported by technical experts.
Display comments as (Linear | Threaded)