cyberz.wtf

Working in the cyberz makes for many WTFs

Jan 14, 2020 - 6 minute read - law

I fought the Law, and the Law won - Part 1

We’ve all heard the old adage “Never bring a knife to a gunfight”. It can be adapted to all sorts of situations. Recently I learned that you shouldn’t bring cybersecurity to a legal fight either. Over my next few posts I’m going to tell you a story about how I tried to use my expertise in cybersecurity to challenge a speeding fine, and failed horribly. It was however a very educational and interesting experience, and unless you happen to be a real lawyer (like I wasn’t) you will probably learn a few things that surprise you if you follow along.

The back story.

In May last year I received an “infringement notice” for an alleged speeding offence which was detected by road safety camera (RSC) in March while I was driving through the Eastlink tunnel in Melbourne’s eastern suburbs. It was only for 87 in an 80 zone, the lowest class of speeding offence in Victoria, worth $201 and 1 demerit point. On the face of it, hardly worth arguing about, except that, as anyone who knows me will tell you, I love to argue.

Aside from my penchant for arguing for the sake of it, I was also certain that I could not have possibly been speeding. Yes, I know, so says everyone ever caught speeding. I did have my reasons though - specifically, that I had already been done speeding in exactly the same place a few months prior, so I knew there was a camera there, and had made a point of using cruise control to keep myself under the limit since then. On top of that, the placement of cameras in the tunnel is highlighted by the extra lighting they put in place to make sure that the pictures are clear enough, so if you know what to look for, you can even tell when exactly you need to slow down.

At this point, I should probably also say something about my personal opinions relating to “infringement notices”. I use that term specifically rather than “fines”, and deliberately in quotes because I believe the wording actually matters from a legal stand point. You see there is an old legal principle from English common law (which applies in Australia) that states that “fines” and other financial penalties cannot be issued arbitrarily by the Crown, they can only be issued by court following a conviction. The original intent of this principle was to limit the power of the English monarchs who had hitherto just issued whatever decrees and judgements they felt like. It’s a fundamentally important aspect of our justice system because it’s the only thing which stops our government doing the same.

So what about “infringement notices” then? Well they are basically statutory extortion. It is the government’s way of saying “if you pay us this little sum of money now, we won’t take you to court”. By paying an infringement notice you are making a voluntary contribution to the state’s coffers. You can of course, opt to have the matter heard in court, but the government really doesn’t want that, because it’s costly and time consuming for them, and the courts get clogged up with “trivial” matters. To discourage people from exercising their legal right to be heard in court, infringement notices say lots of scary things like “the penalty a court issues may be higher” which is technically true, but from what I’ve seen from my own time sitting in court, actually the opposite happens more often than not.

So it was this personal belief which was the main reason I decided to challenge the fine. A more reasonable person would have taken the easier option to simply pay the initial amount and be done with it, regardless of whether they agreed with the notice, because the amount of time and effort required to challenge an infringement notice massively outweighs the time and financial cost of paying the initial notice. I am not a reasonable person though, and it just so happens that as a self-employed consultant, I have way more time to spare on pet projects than money to spare for paying fines.

I also reasoned that I had almost nothing to lose by challenging in court, the absolute worst that could happen was that I get fined a few hundred dollars more and end up with a criminal conviction for speeding – not a big deal in the scheme of things (Despite what you’ve been probably been lead to believe, having a criminal conviction isn’t necessarily that bad – depending on what it’s for. For example, having a criminal record doesn’t automatically disqualify you from working with children – it depends on what the charge and sentence was). On the other hand, I potentially stood to gain quite a lot. I knew it was very unlikely I’d win – even if I prevailed initially I’d almost certainly end up in a higher court fighting an appeal by the Justice Department. But win or lose, it was sure to be a very educational experience… and make for a great story.

The argument.

I should first point out that I Am Not a Lawyer, and have had no legal training or education. I have only a smidge of experience even working on legal related things. Which is why I naively thought I could make a good legal case based on principles of cybersecurity.

Being firmly of the belief that I was not speeding at the time, I reasoned that the road safety camera (RSC) in question must have been malfunctioning. My years of experience in cybersecurity also allowed me to extrapolate a few things – that the RSC wasn’t just a simple camera, it was a computerised IoT device that controlled a speed measurement device and a camera. It’s well known in cybersecurity circles that IoT devices, almost without exception, have terrible security. I was also aware that there was already at least one publicly known incident of speed cameras in Victoria being infected with ransomware..

I knew it was going to be basically impossible to prove that the specific camera in my case was malfunctioning, let alone infected with malware of some kind, so I opted for a slightly different approach based on the principles of information assurance: I was going to discredit the evidence by proving that Victoria police hadn’t taken adequate steps to secure the cameras or the information captured by them, and therefore it couldn’t be trusted as authentic by the court. To anyone who works in cybersecurity, that probably seems like a pretty solid argument. The courts had a different opinion however.


In my next post I will cover my initial application for review by Fines Victoria, their subsequent denial, and my first encounters with the Victorian criminal justice system. Stay tuned!