The Republic of Kazakhstan v Mega Ltd
| Jurisdiction | New Zealand |
| Judge | Moore J |
| Judgment Date | 12 May 2016 |
| Neutral Citation | [2016] NZHC 963 |
| Court | High Court |
| Date | 12 May 2016 |
| Docket Number | CIV-2015-404-002909 |
[2016] NZHC 963
IN THE HIGH COURT OF NEW ZEALAND
AUCKLAND REGISTRY
CIV-2015-404-002909
Daniel Kalderimis and Ella Hallwass for the Applicant
Fletcher Pilditch and Rachael Cederwall for the Respondent
Application under s184 Evidence Act 2006 (“EA”) (application to HC for assistance in obtaining evidence for civil proceedings in another court) and s185 EA (power of HC to give effect to application for assistance) for an order issuing a subpoena requiring an authorised representative of the defendant to attend the HC for examination and to produce documents in its possession, custody and control sufficient to identify nominated addresses and information connected to the accounts of certain users of the defendant's website — the plaintiff claimed that in 2014 its government computer systems and the email accounts of some of its government personnel were illegally hacked by unknown individuals — a substantial number of the stolen documents were uploaded on a website hosted by the defendant — the plaintiff had filed proceedings in the United States and it had obtained a Letter of Request seeking the High Court's assistance — whether the American proceedings were civil proceedings under s184(c) EA (evidence was to be obtained for the purposes of civil proceedings) — whether the application was a third party investigation which infringed s185(5) EA (order may not require a person to state what documents were or had been in the person's possession, custody, or power or to produce any documents other than documents specified) or was it for evidence — whether there was a necessity for non-compliance with the Privacy Act 1993 (“PA”).
Held: The key consideration under s185 EA was that what was sought must be evidence and not discovery or investigation. The proceedings before the SDNY were civil. The format of the intituling of the proceedings was civil and the relief sought was that available in civil actions (a permanent injunction and damages). Although the CFAA was concerned with subject matter which was criminal in nature, it also provided civil remedies under what was plainly a civil regime. Those were the remedies being sought in the present case. They were civil proceedings within the meaning of s184(c) EA (evidence to which the application related was to be obtained for the purposes of civil proceedings) and the HC had jurisdiction to make orders under s185 EA.
The purpose of the request was to obtain evidence for use at the trial. The information was essential to identifying at least some of the “Does” named as defendants in the complaint, identifying the defendants was critical to proceeding. The Republic's request was narrowly tailored and called only for documents sufficient to identify the information for the accounts used to uplift the stolen documents onto the Mega website. The information requested was incapable of being obtained by any other means because Mega was believed to be the sole custodian of the identifying information of the accounts used to upload the Stolen Documents onto Mega's website. The evidence sought was specific. Compliance required the adoption of a mechanical process of obtaining the specific information sought, and compiling it into a form which permitted it to be presented to the Court. It did not require Mega to undertake an investigation on behalf of the Republic.
The power to make an order under s185 EA was discretionary. Questions of comity were important. The privacy expectations of any Mega website user were necessarily limited by Mega's terms of service which were explicitly binding and applicable to every subscriber or user of its services. The Republic sought IP addresses, email addresses, contact information, account information and payment information. With the possible exception of payment details, the information was neither particularly revealing nor particularly sensitive. The privacy interests in this case should not carry significant weight. Any potential harm could be mitigated by the imposition of properly worded protection orders. It was not appropriate to make a direction under s69 EA (overriding discretion as to confidential information). The public interest in disclosing the information outweighed the public interest in preventing harm to the hackers personally or Mega's relationship with its users.
A subpoena was issued requiring an authorised representative of Mega to attend at the HC for examination.
[123] I direct:
-
(a) The issuing of the subpoena requiring an authorised representative of Mega to attend at the High Court for examination before the Registrar and to produce documents in Mega's possession, custody and/or control sufficient to identify the:
-
(i) IP addresses;
-
(ii) email addresses;
-
(iii) contact information;
-
(iv) account information; and
-
(v) payment information,
connected to the accounts of certain users of [Mega's] website
-
-
(b) The parties are to consult with a view to filing a joint memorandum within 10 working days of the date of this judgment:
-
(i) advising the Court of the identity of Mega's authorised representative and such other details as may be necessary for the issuing of the subpoena;
-
(ii) this will include the date fixed for the hearing and its duration following consultation with the Registry;
-
(iii) advising the terms of any protective order/s necessary to be made in this jurisdiction governing access to and dissemination of any evidence adduced in this Court pursuant to the subpoena.
-
-
(c) Leave is reserved to either party to apply for such further or other orders/directions as counsel consider are necessary to expedient to give effect to these orders.
-
(d) Leave may be exercised by memorandum directed to the Registrar and marked for my attention in the first instance. The leave extends to, but is not limited to, any request for an order that the Republic provides security for Mega's authorised representatives and/or the Registrar's costs if that cannot be agreed.
-
(e) The oral testimony and documentary evidence adduced from Mega's authorised representative is to be made available to Judge Ramos of the SDNY by the Registrar of this Court.
-
(f) The Republic is to meet all reasonable costs incurred by Mega in complying with these orders and all costs of the Registrar in remitting the statements and evidence to the United States and matters incidental thereto.
JUDGMENT OF Moore J
| Paragraph Number | |
| Introduction | [1] |
| Background facts | |
| Preliminary steps | [7] |
| Letter of Request | [14] |
| The Republic's application | [17] |
| Mega's opposition | |
| Who is Mega and what does it do? | [19] |
| Grounds of opposition | [23] |
| Legal principles | |
| Jurisdiction | [24] |
| Discretion to make orders | [30] |
| Historical background and principles | [32] |
| Sections 184 and 185 of the Act | [36] |
| A preliminary question – are these civil proceedings? | [50] |
| First, is the application a third party investigation which infringes s 185(5) or is it for evidence? | |
| Mega's submissions | [58] |
| Analysis | [65] |
| Secondly, should the Court make orders given the nature of the claim and the availability of the Mutual Assistance in Criminal Matters Act 1992 (“MACMA”)? | |
| Mega's submissions | [81] |
| Analysis | [86] |
| Thirdly, is there a necessity for Privacy Act 1993 non-compliance? | |
| Mega's submissions | [98] |
| Analysis | [104] |
| Conclusion | [122] |
| Orders | [123] |
| Costs | [124] |
The Republic of Kazakhstan (“the Republic”) claims that in or about August 2014 its government computer systems and the email accounts of some of its government personnel were illegally hacked by unknown individuals. As a result, it alleges thousands of sensitive, proprietary and confidential privileged government documents (“the Stolen Documents”) were accessed. These included privileged communications between the Republic and its American legal advisors.
A substantial number of the Stolen Documents were uploaded on an archived website hosted by a New Zealand registered company, Mega Limited (“Mega”). Links to the archives of the Stolen Documents on Mega's website were also posted on another website (“the Kazaword Website”).
Mega is a provider of encrypted, cloud-based services which enable private, secure online storage, communication and collaboration for businesses and individuals.
The Republic filed a civil action in the United States District Court for the Southern District of New York (“SDNY”) against “Doe” defendants; that is the unknown individual or individuals who it is alleged undertook the hackings. The Republic seeks civil remedies including monetary damages and a permanent injunction.
The difficulty for the Republic is that it does not know the identity of those who undertook the hackings. That information, or the means by which it may be obtained, is in the possession of Mega. And so the Republic obtained from the SDNY a Letter of Request (“Request”) addressed to this Court seeking this Court's assistance in obtaining the production of specified documents which the Republic claims will lead to the identification of the hackers and hence the identity of the defendants.
In the proceedings before this Court the Republic seeks an order issuing a subpoena requiring an authorised representative of Mega to attend the High Court for examination and to produce documents in Mega's...
To continue reading
Request your trial