Liability for using mobile phone spying software

November 15, 2013 by

Mobile phone spying software

Modern technology has made it easy for everyone, not only government agencies, to hijack private cell phone communication. Mobile phone spying software (called malware) is used to eavesdrop on the wireless communications of lovers, children, and business rivals.  

Mobile Phone Security

 

It is becoming an increasingly popular industrial espionage tool targeting technology-heavy businesses, and companies trading with international partners are especially at risk. Businesses that depend on technological innovation and novel ideas, processes, formulas, etc., are common targets for theft of data, trade secrets, intellectual property and confidential information.

In fact, smartphones are collecting and compiling an increasing amount of sensitive information (SMS, MMS, email, photos, videos). As smartphones are a permanent point of access to the Internet, they can be compromised with malware as easily as computers can.

The most common way for breaching cell phone security and surreptitiously listening to phone calls is to install cell phone monitoring software directly onto a cell phone. The software can be downloaded from the Internet, sometimes free of charge. Once installed, information exchanged over the tracked phone can be monitored, including phone calls, text messages, and emails. In some cases, it can be used to eavesdrop on calls in real time. The majority of mobile phone spying software can also track the GPS location of the phone user, which is possible because most smartphones regularly exchanges signals with the nearest transmitter (although some phone applications request permission to store location data).

Companies that offer mobile phone spying software routinely disclaim their responsibility in respect of any unlawful use of the software, but does that mean that the sale or use of such mobile phone spying software is lawful?

Civil remedies

In terms of civil remedies, an action for the unauthorised access to and disclosure of mobile phone communications may arise for invasion of privacy Hosking v Runting [2005] 1 NZLR 1 Television New Zealand Ltd v Rogers [2008] 2 NZLR 277, breach of confidence, breach of copyright Skids Programme Management Ltd v McNeill [2012] NZCA 314; Vulcan Steel Ltd v McDermott [2011] BCL 540; Wilson v Broadcasting Corporation of New Zealand [1988] 12 IPR 173 and/or intentional infliction of emotional distress Tucker v News Media Ownership Ltd [1986] CP477/86. An action could also potentially arise in trespass to chattels, and a complaint could be made to the Privacy Commissioner under the Privacy Act 1993.

Criminal law offences

Dealing with interception devices s216D(1)

A person that sells, supplies, or offers to supply mobile phone spying software in New Zealand will commit an offence under s 216D (1) of the Crimes Act 1961 (Act), which is punishable with up to two years’ imprisonment.

Use of mobile phone spying software to intercept communications s216B (1)

It is an offence under s216B (1) of the Act to intercept any private communication by means of an interception device unless the interceptor is a party to said communication or it is being done for lawful purposes (s216B(2)) of the Act (i.e. in accordance with the authority conferred under the Search and Surveillance Act 2012, New Zealand Security Intelligence Service Act 1969, Government Communications Security Bureau Act 2003, or the International Terrorism (Emergency Powers) Act 1987). The offence is punishable with imprisonment for up to two years.

Private communication

“Private communication” includes oral, written, or electronic communication that is made under circumstances that may reasonably be taken to indicate that any party to that communication desires it be confined to the parties to the communication. The communication is not private if any party might reasonably expect that the communication may be intercepted by some other person not having the express or implied consent of any party to do so. In light of the NSA’s mass email spying, it is arguable whether anyone communicating via popular email-hosting providers, not using encryption, can reasonably expect the communication to be private.

To intercept

At first glance, it seems obvious that the use of malware to track a phone’s calls, text messages, and emails amounts to an unlawful interception. However, the statutory definition of “to intercept” suggests that the answer is not as clear cut: to intercept in relation to a private communication means to “hear, listen to, record, monitor, acquire, or receive the communication either while it is taking place or while it is in transit” (s216 A of the Act).

The mobile phone spy software must be used while the communication occurs or while the message is transmitted from the sender to the recipient. The requirement that private communication must be captured “while it is taking place” or “in transit” suggests the capture must be instantaneous. Once a communication has reached its final destination, it is no longer in transit.

Phone calls and voice mail

Liability under s216B(1) of the Act will arise if the software is used to eavesdrop on a phone conversation while it is taking place. Listening to a voice mail that is being downloaded from the server may also be deemed as still in transit until received by the recipient.

Email and text messages

Emails and text messages can be intercepted while they are being transmitted, i.e. they must be read, acquired, or monitored on their journey either from the sender to the server or from the server to the recipient. Once the message is downloaded from the server and stored on the recipient’s phone, the transmission of the communication is complete. The communication is then no longer in transit (R v Cox [2004] 21 CRNZ 1, R v Taui [2007] NZCA 233, R v Javid [2007] NZCA 232, R v Sanders [1994] 3 NZLR 450). Hence, the reading of text messages and emails after they were delivered to the recipient’s cellphone cannot be considered an “interception” because the communication is no longer “in transit” (R v Hooker BC200662369).

Unauthorised access to computer s252 (1)

Criminal liability for monitoring emails and text messages after they were delivered may arise under s 252 (1) of the Act for accessing a computer system without authorisation. A person who intentionally accesses any computer system without authorisation is liable to imprisonment for a term not exceeding two years.

A person who surreptitiously installs mobile phone spying software on another person’s cell phone is obviously not authorised to do so, but is a cell phone a computer system?

The ordinary and natural meaning of ‘computer’ includes a desktop computer, a laptop, and a server. According to the statutory definition, it also includes any device with a keyboard (input), screen (output), microprocessor (processing), data storage (storage), or communication facilities (see above (e)). The broad definition extends for instance to digital cameras, mobile phones, smart TVs, and security systems. It also includes parts of a computer and links between computers, such as hubs, routers, switches, and peripherals.

Interconnected computers are essentially networks of computers. A network of computers can be as small as two connected computers. Any device that has Internet connectivity provides the potential to connect with many millions of other networked computers, meaning that a device that is connected to the Internet is part of a wider worldwide network and therefore part of a multitude of interconnected computers.

A person who reads and monitors text messages and emails on a cell phone through surreptitiously installed spying software gains unauthorised access to a computer system and therefore commits an offence under s 252 of the Act.

Disclosure of private communications s216C

If private communication has been intercepted in contravention of section 216B of the Act (see above) and is then disclosed to a third party, liability will arise out of s216C of the Act.

Selling or possessing software to commit a crime s251

It is an offence to offer to supply or sell software or other information that will allow the defendant to access a computer system without authorisation or to have such software in possession for such sale or supply. The scope of s251 of the Act is broader than s216D and will encompass mobile phone spying software. However, s216D of the Act is most likely to take precedent over s251 because it is lex specialis.

Taking, obtaining, or copying trade secrets s230 (1)

A person who uses mobile phone spying software to take, copy, or obtain any document, model or other depiction of any thing or process that contains or embodies trade secrets is liable for imprisonment for a term not exceeding 5 years (s230(1), s217 of the Act). Document can include electronically stored information (R v Misic) [2001] 3 NZLR 1).

The term “trade secret” is broadly defined in s230(2) as “any information that:

(a) is, or has the potential to be, used industrially or commercially;

(b) is not generally available in industrial or commercial use;

(c) has economic value or potential economic value to the possessor of the information; and

(d) is the subject of all reasonable efforts to preserve its secrecy”.

Trade secrets are protected under s230 of the Act as proprietary rights if reasonable efforts are undertaken to preserve the secrecy of the commercially valuable information. There must be some intention to treat the information as secret. It could be argued that someone who communicates information via email or text messages without encryption has no interest in keeping the information secret. This assertion though is contestable.

The information must be taken, obtained, or copied with the knowledge that it contains or embodies a trade secret. The defendant must take the information with the intention to obtain a pecuniary advantage or to cause loss to any other person. The defendant must also act dishonestly (s217) and without claim of right (s2) (Hayes v R [2008] NZSC 3).

Conclusion

While the sale and use of mobile phone spying software incurs various criminal liabilities, it should not distract from the fact that ultimately, it is the cellphone user’s responsibility to maintain cellphone security. Businesses and professionals dealing with confidential information, trade secrets, and intellectual property should increase their mobile phone security.

It is no longer appropriate for commercial information to be leisurely exchanged via unsecured and unencrypted channels. The more incentive (monetary or otherwise) there is for another to know what you know, the more likely it will be that someone will take the time to monitor your communication. Treat your cellphone communication like you treat your computer communication.

Tags: , , ,