SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Cybercrime in Aotearoa: How does New Zealand law define it?
Thu, 23rd Jun 2022
FYI, this story is more than a year old

‘Cybercrime' is a term we hear all the time, but what exactly is it, and how does New Zealand define it in legal terms?

The New Zealand Police defines cybercrime in two distinct ways. The first pertains to technology as a target, whereas the second refers to technology as a means to attack.

What is ‘pure cybercrime'?

According to the Crimes Act 1961, sections 249 to 252, the first term used by the Police relates to crimes that involve computers.

This definition further stipulates that cybercrime can only be carried out by using ICT or the internet and has to specifically target a computer or network, irrespective of the overall intent.

This type of crime encompasses computer intrusion, attack on a computer system and malicious software.

‘Computer intrusion' is likely better known as ‘hacking,' which, according to the New Zealand Police, means “gaining unauthorised access directly or indirectly to a computer system which can include a desktop, laptop, smartphone, tablet, server or other device regardless of whether it is connected to the internet or not.

However, the term can also refer to non-physical access, such as entering a social media, email or online banking account.

An attack on a computer system is defined as “any type of offensive act that targets computer data, information, infrastructure, network, cloud or any personal computer devices.

What constitutes a crime under this definition can vary, including acts such as installing malware on a personal computer, to severely damaging a country's critical national infrastructure.

In addition, while it may be an intentional act, to be considered a crime, it can also be a reckless act carried out without authorisation and causing damage, deletion, modification or other interference with as well as impairing any data or software in any computer system.

Lastly, malicious software, or malware, refers to “programs that can perform tasks, often discreetly without detection by the user.

This includes several offences such as software that allows all keystrokes to be recorded on a computer, taking screenshots and accessing files and saved passwords, encrypting personal files to prevent access by the user, allowing discreet remote access to your computer and affording offenders the ability to record from your webcam.

What is ‘cyber-enabled crime'?

Cyber-enabled crime is classed as any criminal act that could be carried out without ICT or the internet but is helped by the use of this technology.

The Police include crimes such as online scams, threats to life or public safety, and possessing or distributing objectionable material in this definition.

Criminal charges

Sections 249, 250 and 252 of the Crimes Act 1961 detail, in particular, accessing a computer system for a dishonest purpose, damaging or interfering with a computer system and accessing a computer system without authorisation, respectively.

“This type of offending covers a wide range of offending from business email compromise (BEC), ransomware attacks, distributed denial of service (DDoS) attacks through to gaining access to systems to steal intellectual property,” New Zealand Police High Tech Crime Group detective senior sergeant Greg Dalziel says.

According to Evidence Based Policing Centre data from January 2017 to April 2022, 799 offences that fell under these sections resulted in court actions.

Broken down into sections, accessing a computer system for dishonest purposes saw 113 offences committed in 2017, 142 in 2018, 118 in 2019, 151 in 2020, 108 in 2021 and 26 in the first four months of 2022.

Intent to access a computer system for dishonest purposes noted 16 offences in 2017, 10 in 2018, 6 in 2019, 19 in 2020, 15 in 2021 and 3 so far in 2022.

Intentional or reckless damage or interference with a computer system accounted for three offences in 2017, three in 2018, one in 2019, none in 2020, one in 2021, and one so far this year.

13 offences in 2017 related to accessing a computer system without authorisation, with 17 in 2018, 10 in 2019, eight in 2020, 12 in 2021 and 3 in 2022 so far.

Dalziel notes that the term ‘proceeding' refers to each separate occasion on which Police dealt with an alleged offender for one or more crimes.

He adds that while proceedings would regularly be classified based on the most serious offence that the offender is dealt with for on a particular occasion, this data takes into account all instances in which at least one of the offences in sections 249, 250 or 252 was involved, irrespective of whether it was the most serious offence.

The dark web

When it comes to the dark web, crimes related to this fall under section 7 of the Crimes Act 1961, which affords the Police jurisdiction when the offence has a specific connection to New Zealand.

According to the Act, “for the purpose of jurisdiction, where any act or omission forming part of any offence, or any event necessary to the completion of any offence, occurs in New Zealand, the offence shall be deemed to be committed in New Zealand, whether the person charged with the offence was in New Zealand or not at the time of the act, omission, or event.

However, Dalziel says that offences involving the dark web are not usually computer crimes as they are defined in sections 249 to 252 but instead relate to the purchasing and selling of items that are illegal to possess under New Zealand law.

“As such items will come across the border, there may also be a New Zealand Customs Service investigation.

Asked whether anyone in New Zealand has been charged for crimes related to the dark web, Dalziel says he has an awareness of cases involving the dark web in Aotearoa and that most of these relate to the purchasing or selling of illegal contraband.

“A number of prosecutions have occurred although these cases are coded relating to the illicit item,” Dalziel says.

“For example, importing cannabis seeds would be an offence against the Misuse of Drugs Act 1975.

“The dark web is also associated with child sexual abuse material and a specific team within Police triages these matters when they are reported.

Who to contact

While the term 'cybercrime' is quite broad in its definition, the Police say that the procedure for reporting incidents is the same as any other offence: dial 111 in an emergency or, for non-emergencies, contact the Police through 105, online or in-person.

Additionally, concerns regarding online safety or digital communications can be referred to Netsafe and cyber security issues to CERT NZ.