Speaker by Various Artists

The great New Zealand phone hacking scandal

by Juha Saarinen

I’ve been following the News of the World “phone hacking” story and am disgusted that a publication would stoop that low in order to fill its pages with scandals and tattle. There’s no justification for what has happened and those who did it are not journalists, pure and simple.

The current NotW mess is eerily familiar too, from a New Zealand perspective. In May 2005 Telecom’s voice mail system for the 027 mobile phone network was found to be vulnerable so that anyone with the smallest amount of technical nous could listen in on, delete and forward messages. I broke that story for Computerworld together with the paper’s then editor, Matt Cooney.

For those who missed the story it featured powerful people, government ministers and SIS spooks having their mobile phone voice mail messages intercepted. Not deliberately by journalists and private investigators as the NotW did, but accidentally by a confused teenager and his older friend who were playing around with Voice over IP gear.

There was no hacking or phreaking taking place in other words, just horsing around that got out of hand. It was a big scoop for little ole Computerworld though, one that we all felt proud over.

Since the NotW scandal, the 027 episode has popped up again in New Zealand media filling in some details that weren’t available when the whole thing played out.

For starters, I wasn’t first with it. After the story ran the teenager in the eye of the storm told me he had contacted the Herald and Peter Griffin who was the technology editor about it.

I never asked Griffin why he didn’t write the story, but see that he has now reflected on what happened then in light of the NotW scandal in a column in the Listener.

Normally, I’d let sleeping dogs lie especially after so many years but the column makes some sweeping statements about journalists and our reporting of the story that I can’t ignore. After discussing the column with Griffin I feel I have to respond to some of the points raised, and explain how we worked on the story and provide an update on what happened after.

First, was the ability to listen in on important people and celebrities’ voice mail “the stuff of journalists’ dreams” as Griffin writes? This is really important: did we listen to messages or were we ever tempted to do so for stories?

The answer to that is a categorical “no”. I believe Matt said the story was about the messages being accessible and not what was in them. That was the boundary and while I can actually imagine there being a few situations where journalists would be justified to cross it, this wasn’t one of them.

Maybe it’s because Matt and I are both geeks and used to certain protocols when dealing with security issues but honestly, we never once considered listening in on the voice mails. Instead, we took great care not to breach people’s privacy when working on the story which was a minefield full of legal and ethical considerations at almost each turn.

And, the people hit by the vulnerability were in our minds. The responsible way to deal with security issues is that you inform the party with the vulnerability before you publish anything. This gives the organisation a chance to verify the vulnerability, patch it, and assess the damage, if any and alert those affected by it.

So, we notified Telecom about the voice mail breach and provided details of how it works, well in advance so they could sort it out and ensure that there would be no more interception of messages.

Unfortunately, this was during the Gattung era and Telecom’s head PR person was at best unhelpful to deal with when he wasn’t just plain unpleasant. He refused to believe us until we supplied some details of a message left for him by his wife on his voice mail (no, we didn’t listen to the message).

Playing the game in an ethical fashion with Telecom backfired on us somewhat. We didn’t get even a thank you for bringing the glaring security hole to Telecom’s attention ahead of running the story so they could sort it out.

Instead, Telecom’s PR person refused to return our calls and attempted to spike the story by issuing a press release to other media. Luckily, the story was ready to go so we published shortly after.

And boy, there were some strong reactions to the story. Paul Brislen interviewed a hugely upset Auckland mayor Dick Hubbard for Computerworld for instance and there were others who were shocked and disgusted that their private messages might have been accessed.

Other publications, TV and radio followed up on the Computerworld stories. Clearly, it was in the public interest to know that voice mails left on 027 phones could be intercepted easily. Clearly, interception of officials’ messages had taken place and the public deserved to know this. This is not stuff you can ignore.

Why would a journalist sitting on a story of that magnitude back away from it?

Griffin explains in the Listener:

The kid had potentially hit the jackpot. He could be selling info to the women’s magazines, trading commercial secrets, even manipulating the political system. Instead he wanted his name in the Herald – his real name too. That’s because Phreaker didn’t care about the consequences of his actions. He didn’t care what happened to himself as a result. I’d been to his house and seen his middle-class family – mum trying in vain to wrangle a sullen teenager who spent his life in front of a computer, hacking.

And that’s why I didn’t publish the scoop Phreaker had dropped in my lap. I knew what he was doing would get him in serious trouble with the law – which it subsequently did. Phreaker went to another technology journalist, who promptly ran the story.

The above implies that we didn’t care if “Phreaker” (which the teenager incidentally never called himself) got into trouble with the law. Nothing could be further from the truth. Both Matt and I have kept in touch with the boy to this day.

When the story broke the teenager was under eighteen and could not be named or identified. He was a not untypical combination of reckless obnoxiousness but was also shy and definitely not stupid and self-destructive.

Thanks to previous brushes with the law, the teenager had become something of a bush lawyer. He knew that as a minor, he had automatic name suppression. He knew his name wouldn’t appear anywhere and that the slate would be wiped clean at the age of 18 and that was one reason he behaved as recklessly as he did. It wasn’t a desire to become a computer crimes celebrity or even to collect dirt by quietly listening in on others’ private messages in partnership with journalists.

I can also tell you that the consequences of his actions were fairly light. Roughly a week after the story broke in Computerworld, the teenager and his friend Sahil Gupta were charged with unauthorised access to a computer and were remanded on bail.

In January 2006, Gupta walked free and you can read about him, his history and the 027 case details in this Computerworld story. The teenager admitted to the charges in the 027 and another case, in the Youth Court, was fined $5,500 and put under supervision for six months.

The boy’s kept his nose clean after that. While he’s not working as an Internet security consultant roaming the globe, he seems to be doing just fine.

In hindsight I think we handled that tricky story really well, balancing privacy, ethics and public interest with obscure technological points while battling a corporation that didn’t appear to care about the security of its paying customers.

We did a much better job than general media, which got hung up on the teenager being a “whizz kid” going on a “hacking” and “phreaking” spree when all he did was to stumble on a gaping security hole left open because of… convenience.

Even so, we should’ve asked more questions around why it was so easy for a bored teenager to get into the voice mails of cabinet ministers and SIS spooks. Who was responsible for that pathetic lack of security? How many cases of intercepted messages had there been before the story broke?

As the NotW scandal has driven home, entrusting our private lives to piss-poor guardians of privacy such as telcos and faceless companies on the Internet can and will come back and bite you in a horrible fashion.

Things haven’t improved since 2005 though. Judging by for instance Lulzsec’s 50-day rampage, exposing all manner of personal, corporate and government information with consummate ease, there’s an enormous amount of sensitive stuff sloshing around due to poor security.

Due to this, I expect to write many more 027-style stories before I switch off my word processor for good while walking on that ethical tightrope. Fingers crossed, I won’t fall off.
