Criminal liability for mobile phone spying in New Zealand
By Bianca Mueller
Modern technology has made it easy for everyone, not only government agencies, to hijack private cell phone communication. Mobile phone spying software (malware) is used to eavesdrop on the wireless communications of lovers, children, and business rivals.
It is becoming an increasingly popular industrial espionage tool targeting technology-heavy businesses, and companies trading with international partners are especially at risk. Businesses that depend on technological innovation and novel ideas, processes and formulae are common targets for theft of data, trade secrets, intellectual property and confidential information.
In fact, smartphones are collecting and compiling an increasing amount of sensitive information (SMS, MMS, email, photos, videos). As smartphones are a permanent point of access to the internet, they can be compromised with malware as easily as computers.
The most common way for breaching cell phone security and surreptitiously listening to phone calls is to install cell phone monitoring software directly onto a cell phone. The software can be downloaded from the internet, sometimes free of charge. Once installed, information exchanged over the tracked phone can be monitored, including phone calls, text messages, and emails. In some cases, it can be used to eavesdrop on calls in real time. Most mobile phone spying software can also track the GPS location of the phone.
Companies that offer mobile phone spying software routinely disclaim their responsibility in respect of any unlawful use of the software, but does that mean that the sale or use of such mobile phone spying software is lawful?
In terms of civil remedies, an action for the unauthorised access to and disclosure of mobile phone communications may arise for invasion of privacy Hosking v Runting  1 NZLR 1, Television New Zealand Ltd v Rogers  2 NZLR 277, breach of confidence, breach of copyright Skids Programme Management Ltd v McNeill  NZCA 314; Vulcan Steel Ltd v McDermott  BCL 540; Wilson v Broadcasting Corporation of New Zealand  12 IPR 173 and/or intentional infliction of emotional distress Tucker v News Media Ownership Ltd  CP477/86. An action could also potentially arise in trespass to chattels, and a complaint could be made to the Privacy Commissioner under the Privacy Act 1993.
In the following, I will focus on the criminal law implication of tapping someone else’s cell phone communication.
Part 9A of the Crimes Act 1961 deals with intercepting private communication by means of an interception device. It is an offence to:
• sell or supply interception devices;
• intercept private communication by means of an interception device; and
• disclose private communications that were unlawfully intercepted.
Dealing with interception devices
Section 216D(1) of the Crimes Act makes it an offence to offer for sale or supply or to offer or invite or agree to sell or supply to any person an interception device unless this is done for a lawful purpose as described in s216D(2).
An interception device is an "electronic, mechanical, electromagnetic, optical, or electro-optical instrument, apparatus, equipment, or other device that is used or is capable of being used to intercept a private communication” (s216A).
Mobile phone spying software is an electronic application software. It is an electronic device that has been developed for the purpose of monitoring cellphone communications and therefore qualifies as an interception device under s216A. A person who sells, supplies, or offers to supply mobile phone spying software in New Zealand will commit an offence under s216D(1), which is punishable with up to two years’ imprisonment.
Using mobile spying software to intercept communications
It is an offence under s216B(1) to intercept any private communication by means of an interception device unless the interceptor is a party to the said communication or it is being done for lawful purposes (s216B(2)) (ie, in accordance with the authority conferred under the Search and Surveillance Act 2012, New Zealand Security Intelligence Service Act 1969, Government Communications Security Bureau Act 2003, or the International Terrorism (Emergency Powers) Act 1987). The offence is punishable with imprisonment for up to two years.
“Private communication” includes oral, written, or electronic communication that is made under circumstances that may reasonably be taken to indicate that any party to that communication desires it be confined to the parties to the communication.
The communication is not private if any party might reasonably expect that the communication may be intercepted by some other person not having the express or implied consent of any party to do so. In light of the NSA's mass email spying, it is arguable whether anyone communicating via popular email-hosting providers, not using encryption, can reasonably expect the communication to be private.
At first glance, it seems obvious that the use of software to track a phone's calls, text messages, and emails amounts to an unlawful interception. However, the statutory definition of “to intercept” suggests that the answer is not as clear cut: to intercept in relation to a private communication means to “hear, listen to, record, monitor, acquire, or receive the communication either while it is taking place or while it is in transit”(s216A).
The mobile phone spy software must be used while the communication occurs or while the message is transmitted from the sender to the recipient. The requirement that private communication must be captured “while it is taking place” or “in transit” suggests the capture must be instantaneous. Once a communication has reached its final destination, it is no longer in transit.
Liability under s216B(1) will arise if the software is used to eavesdrop on a phone conversation while it is taking place. Listening to a voice mail that is being downloaded from the server may also be deemed as still in transit until received by the recipient.
Email and text messages
Emails and text messages can be intercepted while they are being transmitted. They must be read, acquired, or monitored on their journey either from the sender to the server or from the server to the recipient.
Once the message is downloaded from the server and stored on the recipient's phone, the transmission of the communication is complete. The communication is then no longer in transit (R v Cox  21 CRNZ 1, R v Taui  NZCA 233, R v Javid  NZCA 232, R v Sanders  3 NZLR 450). Hence, the reading of text messages and emails after they were delivered to the recipient's cellphone cannot be considered an “interception” because the communication is no longer “in transit” (R v Hooker BC200662369).
Unauthorised access to computer
Criminal liability for monitoring emails and text messages after they were delivered may arise under s252(1) for accessing a computer system without authorisation. A person who intentionally accesses any computer system without authorisation is liable to imprisonment for a term not exceeding two years.
Access to a computer system is obtained if a person instructs, communicates with, or otherwise makes use of any of the resources on a computer system. Such use includes storing, receiving, or modifying data stored on a computer system (s248). Access is unauthorised if there is no implied or express consent or an authorisation conferred by law or a court.
A person who surreptitiously installs mobile phone spying software on another person’s cell phone is obviously not authorised to do so, but is a cell phone a computer system? The Crimes Act defines the meaning of computer system as: (a) a computer; (b) or two or more interconnected computers; (c) or any communication links between computers or to remote terminals or another device; (d) or two or more interconnected computers combined with any communication links between computers or to remote terminals or any other device; (e) and anything that includes any part of the items described in (a) to (d) and all related input, output, processing, storage, software, or communication facilities and stored data.
A computer system could be one computer or a network of computers. The ordinary and natural meaning of “computer” includes a desktop computer, a laptop, and a server. It includes any device with a keyboard (input), screen (output), microprocessor (processing), data storage (storage), or communication facilities (see above (e)).
The broad definition extends, for instance, to digital cameras, mobile phones, smart TVs, and security systems. It also includes parts of a computer and links between computers, such as hubs, routers, switches, and peripherals.
Interconnected computers are essentially networks of computers. A network of computers can be as small as two connected computers. Any device that has internet connectivity provides the potential to connect with many millions of other networked computers, meaning that a device that is connected to the internet is part of a wider worldwide network and therefore part of a multitude of interconnected computers.
A person who reads and monitors text messages and emails on a cell phone through surreptitiously installed spying software gains unauthorised access to a computer system and therefore commits an offence under s252.
Disclosure of private communications
Selling or possessing software to commit a crime
It is an offence to offer to supply or sell software or other information that will allow the defendant to access a computer system without authorisation or to have such software in possession for such sale or supply.
Taking, obtaining, or copying trade secrets
A person who uses mobile phone spying software to take, copy, or obtain any document, model or other depiction of any thing or process that contains or embodies trade secrets is liable for imprisonment for a term not exceeding five years (s230(1), s217). Document can include electronically stored information (R v Misic  3 NZLR 1).
The term “trade secret” is broadly defined in s230(2) as “any information that:
(a) is, or has the potential to be, used industrially or commercially;
(b) is not generally available in industrial or commercial use;
(c) has economic value or potential economic value to the possessor of the information; and
(d) is the subject of all reasonable efforts to preserve its secrecy”.
Trade secrets are protected under s230 as proprietary rights if reasonable efforts are undertaken to preserve the secrecy of the commercially valuable information. There must be some intention to treat the information as secret. It could be argued that someone who communicates information via email or text messages without encryption has no interest in keeping the information secret. This assertion, though, is contestable.
The information must be taken, obtained, or copied with the knowledge that it contains or embodies a trade secret. The defendant must take the information with the intention to obtain a pecuniary advantage or to cause loss to any other person.
While the sale and use of mobile phone spying software incurs various criminal liabilities, it should not distract from the fact that ultimately, it is the cellphone user’s responsibility to maintain cellphone security.
Businesses and professionals dealing with confidential information, trade secrets, and intellectual property should increase their mobile phone security.
It is no longer appropriate for commercial information to be leisurely exchanged via unsecured and unencrypted channels. The more incentive (monetary or otherwise) there is for another to know what you know, the more likely it will be that someone will take the time to monitor your communication.
Treat your cellphone communication like you treat your computer communication.
Bianca Mueller is a qualified judge and barrister from Germany and an enrolled solicitor in New Zealand. Bianca has worked as a lawyer for government agencies in New Zealand and Europe. She can be contacted at (04) 390 0030.
This article was first published in LawTalk 834, 31 January 2014, page 32.