Grubb's story: the strong arm of the lawPolice say receiving photos like taking stolen TVs
A senior lecturer in internet law says the arrest of a Fairfax journalist over his receipt of an unauthorised Facebook photo "defies sensible explanation" and the entire matter exposes serious failings in Australian cyber crime laws.
Peter Black, senior lecturer at the Queensland University of Technology, said Australian laws on cyber crime were so broad that they criminalised much "ordinary activity". He said it was very unusual for police to spring into action over an alleged theft of digital photos.
Fairfax deputy technology editor Ben Grubb was arrested by Queensland Police yesterday and threatened with charges relating to the receipt of "tainted material". The material pertained to a story Grubb published yesterday revealing that a security researcher managed to bypass Facebook's privacy settings to access someone's private photos.
At a press conference this morning, the head of the Queensland police fraud squad, Brian Hay, admitted that police were "still cutting our teeth" in the rapidly evolving online environment.
However, he equated receiving an unauthorised photograph from someone's Facebook account with receiving a stolen TV.
Online users lobby group Electronic Frontiers Australia has taken particular issue with this statement, saying comparing a digital photo to a stolen TV was unhelpful.
Mr Black said security researcher Christian Heinrich, who obtained the Facebook photos, potentially breached section 477 of the Commonwealth Cyber Crime Act.
"It is possible based upon a reading of [the Act] that the original action to access that private Facebook page may actually constitute a criminal offence because it does provide that a serious offence is one where a person has gained unauthorised accesss," he said.
"The phrase 'unauthorised access' may include the activity that was done in this instance even though there was no hacking in the traditional sense."
Despite investigating this matter, Queensland police confirmed that it had not referred it to the Australian Federal Police for investigation. An AFP spokeswoman said that, despite the Cyber Crime Act being a Commonwealth law, state police would still be able to charge Heinrich without AFP involvement.
Mr Black said the Cyber Crime Act was at odds with Facebook's terms of service, which says there are no guarantees private photos will not be accessed. He said when users upload photos to Facebook they were granting the company a "non-exlusive licence" to use the photo but Facebook did not obtain ownership of it.
The way the Cyber Crime Act was drafted was so broad that a whole range of "more or less ordinary activity" could attract criminal charges, Mr Black said.
"This is a common criticism of the Cyber Crime Act, that it has been drafted too broadly ... basically it could encompass any activity whereby someone gains access to someone else's website or social networking platform even in the absence of what anybody would consider to be hacking," he said.
"They might guess a password, they might obtain it by accident ... all of these things could be nonetheless considered a criminal offence with a penalty of up to 10 years."
Mr Black said that Grubb, by receiving one of the photos taken by Heinrich, potentially breached Queensland state laws regarding receiving "tainted property".
He said the speedy and heavy response of police in targeting Grubb was "totally inconsistent" with how police would usually respond to this sort of matter and it "just defies sensible explanation".
"[Typically] if someone called up the police saying someone has accessed my Facebook page and taken my photos, they wouldn't get very far," Mr Black said.
Colin Jacobs, chairman of Electronic Frontiers Australia, said security professionals explosing flaws in services such as Facebook should be given "a little leeway" by police and that went double for a journalist covering the story.
Mr Jacobs said police comparing a digital photo to a stolen TV was unhelpful.
"It's obvious that physical theft is a completely different beast to the movement of information online. Nobody can email you a stolen television without your foreknowledge," Mr Jacobs said.
"It reminds me of how we are constantly told downloading a pirated movie is theft. It's not, but comparing it to a physical theft will compromise our ability to think clearly about the issue and the new challenges these events place on our traditional methods of dealing with them."
Mr Jacobs also criticised Queensland Police for spreading "misinformation" on Twitter when it initially denied that Grubb was arrested.
After Grubb had tweeted about his arrest, the media unit tweeted that he had not been officially arrested, but it was forced to retract that statement this morning.
"Our bad @bengrubb was arrested for questioning briefly Our tweet last night was based on information provided at the time Apologies," it said this morning.
"Oops, 'our bad' isn't a good enough response. If the police are going to be responding to real-time events on Twitter they'd better make sure they aren't misleading the public by doing so," Mr Jacobs said.
Grubb's iPad is still in police custody and there has been no word on when it will be returned.
"Unless the police are sure there's a very good case to answer we hope Ben gets his gear back as soon as possible," Mr Jacobs said.
This reporter is on Twitter: @ashermoses