Frenchman Fined For 'Theft' And 'Fraudulent Retention' For Finding Health Docs Via A Google Search

from the le-cluelessness dept

Mon, Feb 10th 2014 1:01pm — Glyn Moody

The basic downloading tool Wget is much in the news at the moment, and here's another story where it plays a central role. The French blogger and activist Olivier Laurelli, also known by his Twitter name Bluetouff, was searching on Google for something else when he spotted an interesting link that turned out to lead to several gigabytes of internal documents held on the French National Agency for Food Safety, Environment, and Labor's extranet (ANSES in French). Ars Technica explains what happened next:

Laurelli merely used the Linux Wget tool to download all of the contents of the Web directory that he found. He left the files on his drive for a few days and then transferred them to his desktop for more convenient reading (which the French government would later spin as "the accused made backup copies of the documents he had stolen"). A few days later, Laurelli searched through the documents he downloaded and sent some to a fellow … writer [on the activist news site Reflets.info], Yovan Menkevick. About two weeks later, a few interesting scientific slides pertaining to nano-substances from the cache were published on Laurelli's site.

When ANSES discovered this, it reported what it called "potential intrusion" and "data theft" to the police. Then France's Central Directorate of Interior Intelligence (DCRI in French) became involved. The lower court that heard the case decided Laurelli should not be punished for accessing data that was not secure; ANSES was happy to let it go at that, but DCRI appealed.

It was clear that things would not go well in the appeals court when the presiding judge seemed not to know even how to pronounce "Google " or "login" -- he said "Googluh" and "lojin" (original in French.) The prosecutor was just as bad: he started off his speech by admitting "I didn't even understand half the terms I heard today." Ars Technica reports the denouement of this high-tech French farce as follows:

The appeals court acquitted Laurelli of fraudulently accessing an information system but saw fit to convict Bluetouff of theft of documents and fraudulent retention of information. The court wrote: "It is well demonstrated that he was conscious of his irregular retention in automated data processing, accessed where he downloaded protected evidence; and that investigations have shown that these data had been downloaded before being... disseminated to others; that it is, in any event, established that Olivier Laurelli made copies of computer files inaccessible to the public for personal use without the knowledge and against the will of its owner"

Leaving aside the fact that the appeals court was clearly ill-equipped to understand the technical issues involved, and that the original files were completely unprotected and found by Google's crawler, not Laurelli, there is another disquieting aspect to this affair. Alongside his writing and activism, Laurelli also runs a small computer security company. One of the services it offers is a standard VPN. He was using this VPN service when he accessed the ANSES site, and the fact that his connection was routed via Panama -- the VPN's exit node -- counted heavily against him, he believes:

"This VPN (in fact above all this Panamanian IP address) is probably one of the strongest elements which had driven the prosecution to pursue a criminal case," he wrote.

VPNs represent one of the few tools available to ordinary Internet users to help them bolster their security and privacy against global surveillance. It's deeply troubling that the mere fact of using a VPN to access a Web site was apparently viewed by the court as evidence of criminal intent, rather than simply good online practice in the post-Snowden world.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: anses, bluetouff, documents, france, liability, olivier laurelli, retention, search, security, theft, wget

37 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Rikuo (profile), 10 Feb 2014 @ 12:55pm

There's an update on the Ars Technica article, where they note that Laurelli, after clicking on the link that Google gave him but before he downloaded the several gigabytes worth of content, went to the home page of the directory he was on and was presented with a user name and password login box. This was used by the prosecution as indicative of his knowledge that he was on an intranet that he had no business being on and therefore he was guilty of the cyber equivalent of trespassing.
[ link to this | view in chronology ]
- aldestrawk (profile), 10 Feb 2014 @ 11:54pm
  
  Re:
  Effectively, there was no security, but why didn't the Google bot notice there was a log-in required on the home page? A person not as technically astute as Laurelli would not have known they weren't supposed to be looking at these documents. It seems that the security was supposed to be limiting access to URLs to only those who logged in on the home page. I am speculating that the mistake was that at the same time someone was logged in (who had the password "Fatalitas") the Google bot came by to index all the linked pages without needing a separate login. Once indexed, and also in the Google cache, this allowed any person access to the pages. Laurelli has been fined only because he admitted traveling back to the home page and noting there was an authentication step. It seems that knowledge is enough to warrant a penalty. This goes beyond the matter of criminal intent being a required element of a crime. What we have here is mind boggling in that a crime is only a crime if you know it is a crime.
  [ link to this | view in chronology ]
  - Pragmatic, 11 Feb 2014 @ 5:16am
    
    Re: Re:
    At a very rough guess, they hadn't bothered to put robots.txt or any other "do not index" indicators on that particular page. Bots aren't sentient, you know. They're dumb, they only know what you tell 'em.
    
    And it's up to the site owners, not Google, to manage site security, otherwise they'll have to charge for indexing websites.
    [ link to this | view in chronology ]
    - aldestrawk (profile), 11 Feb 2014 @ 9:33am
      
      Re: Re: Re:
      My comment about the Google bot was rhetorical. Of course, it is not up to the web spiders, or the companies that build them, to try to figure out if the builders of the website really wanted a page to be public or not. Outside of the convention of robots.txt, if a bot can read a page then it gets read, indexed, and cached. If ANSES had done the authentication and authorization correctly they wouldn't even need to use robots.txt.
      My point was that it is equally absurd to penalize a person who reads and caches a webpage that has no effective protection against unauthorized persons reading it. There is a cultural assumption that pages on the Internet are for public consumption unless there is some technical method which prevents straightforward navigation and reading. This is contrary to the usual trespassing analogies where the cultural assumption is that a place is private property and you are trespassing unless you have explicit permission.
      
      Here, we have a situation where attempted webpage protection was completely ineffective. This allowed Google, and any other bot or human, to read, index, and cache a large set of pages that were intended to be private. You can't punish someone for doing a search and then reading the resulting webpages that are unprotected. Laurelli is being punished because, after reading those pages, he travels back to the home page and sees that ANSES intended those pages to be accessible only after logging in. This is very screwed up justice and I will dare to offer this trespassing analogy:
      
      Suppose you have a park in the US which seems to be public. You walk into the park, wander around, and then leave through the main entrance. At this entrance you turn around and there is a sign, in Russian, which says "no trespassing". Is the government only going to prosecute those trespassers who can speak Russian?
      [ link to this | view in chronology ]
- Sheogorath (profile), 14 Feb 2014 @ 9:53am
  
  Re:
  Which is stupid. I'm an admin of a forum, and on the homepage there are boxes in which to put a user name and password. So do I or the webmaster have an issue if you access the forum without being signed in? Of course not, it's open to public view. Thus the evidence that the mere existence of user name/password boxes do not prove that a network is a 'private intranet'.
  [ link to this | view in chronology ]
Anonymous Coward, 10 Feb 2014 @ 1:16pm

well, of course he is guilty. he is french...
[ link to this | view in chronology ]
Anonymous Coward, 10 Feb 2014 @ 1:22pm

is there any difference here with what has happened to people in the USA and UK? the government can twist the law so it means whatever they want it to mean under whatever the circumstances are at the time. is it any wonder people dont say anything when it could mean peoples safety? they would be accused, then locked up for creating the hazard in the first place! and all because the government refuses to be wrong!!
[ link to this | view in chronology ]
Anonymous Coward, 10 Feb 2014 @ 1:27pm

I left a big bag full of money sitting out in a dark corner of some mall, and someone stole it! Charge them with theft, and charge them with armed robbery!

It's their responsibility not to take advantage of my own stupidity!
[ link to this | view in chronology ]
- John Fenderson (profile), 10 Feb 2014 @ 1:36pm
  
  Re:
  They didn't steal it, though. They just took all the bills out and photocopied them. You still have your bag of cash.
  [ link to this | view in chronology ]
- Anonymous Coward, 10 Feb 2014 @ 2:52pm
  
  Response to: Anonymous Coward on Feb 10th, 2014 @ 1:27pm
  I left a magazine out on a magazine rack and someone picked it up, read it, put it back, and remembered what it said! Theft! Unlawful retention!
  [ link to this | view in chronology ]
Mason Wheeler (profile), 10 Feb 2014 @ 1:28pm

that it is, in any event, established that Olivier Laurelli made copies of computer files inaccessible to the public for personal use without the knowledge and against the will of its owner

Wait, what now? Isn't the fact that he found this on a Google search prima facie evidence that the data was, in fact, accessible to the public?
[ link to this | view in chronology ]
- Anonymous Coward, 10 Feb 2014 @ 1:53pm
  
  Re:
  -- Wait, what now? Isn't the fact that he found this on a Google search prima facie evidence that the data was, in fact, accessible to the public?
  
  No, bureaucrats will only consider something as being publicly accessible if they have first said it is publicly accessible
  [ link to this | view in chronology ]
  - That One Guy (profile), 10 Feb 2014 @ 2:10pm
    
    Re: Re:
    No, bureaucrats will only consider something as being publicly accessible if they have first said it is publicly accessible
    
    That should count as sarcasm, it really should, but as various governments have shown, claiming that documents are still classified even when they've been widely made public, that's exactly their line of thinking.
    [ link to this | view in chronology ]
Anonymous Coward, 10 Feb 2014 @ 1:31pm

The universal arrogance of prosecutors and judges who consider their admitted ignorance of the underlying facts these cases no barrier to deciding guilt and dispensing punishment cannot be considered as having any more merit than witch burning.
[ link to this | view in chronology ]
- That One Guy (profile), 10 Feb 2014 @ 1:38pm
  
  Re:
  Quite, you'd have to look hard to find a better reason for a judge to recuse themself from a case than 'I don't understand a single word they just said'.
  
  The fact that they still moved on with the case, despite both the judge and prosecution admitting that they didn't have a clue as to the technical details of what was being discussed just shows how little they cared about seeing justice done.
  [ link to this | view in chronology ]
MadMatt (profile), 10 Feb 2014 @ 1:39pm

Typical
It is typical of courts in general and higher courts in particular. They have no idea, are presided over by people who should be in a retirement home due to their forgetfulness and usually completely technophobic.

The unfortunate truth of most of the worlds legal system is those deciding are deciding using the morality of several generation ago and the fiscal resources of the elite. They are unchallengeable for the most part (judicial independence) and have no liability for the quality of their decisions. The system does not really care if 100% of their decisions are overturned on appeal. Add to that governments who would like to pretend they don't understand (plausible deniability) and bureaucracies that traditionally have worked on regulation, not action and this is what you get. They don't need security... they have made a rule about security. Problem solved.
[ link to this | view in chronology ]
That One Guy (profile), 10 Feb 2014 @ 1:44pm

Missed a rather important detail:
Incredibly, although a lower criminal court ruled that Laurelli could not be penalized for accessing data that was not secure, the DCRI decided to appeal the decision. That's after ANSES, the organization from which the documents were �stolen� in the first place, decided not to pursue any civil action.

This was yet another case where the one 'hacked' didn't even care enough about it to want to bring it to trial, and yet a government agency stepped in to 'make an example' out of the 'hacker'.
[ link to this | view in chronology ]
alex, 10 Feb 2014 @ 2:28pm

Googluh
There was a case in the UK couple years back where Google cars were downloading off people's unsecured wifi. At first I thought, well that's public, it's linked and unsecured, so Google are getting something that is effectively internet. Then I changed my view. Leaving your door open is not an invitation to come in and go through your filing cabinet. Then I changed my view again. Walking into someone' property through an open door and going through their filing cabinet is not illegal. Then I started getting confused over where the line lies exactly.
[ link to this | view in chronology ]
- David, 10 Feb 2014 @ 2:37pm
  
  Re: Googluh
  Okay, the whole purpose of a web server is to serve documents to those requesting them. So this is like leaving your filing cabinets on your porch.
  [ link to this | view in chronology ]
  - John Fenderson (profile), 10 Feb 2014 @ 2:42pm
    
    Re: Re: Googluh
    No, you'd still be trespassing. It's more like leaving your documents in a box on the sidewalk with a sign that says "Read Stuff Here".
    [ link to this | view in chronology ]
    - PRMan, 10 Feb 2014 @ 4:07pm
      
      Re: Re: Re: Googluh
      Actually, more like carting your personal filing cabinets to a public library and then getting mad that somebody had the audacity to go through them and make photocopies and put the documents back.
      [ link to this | view in chronology ]
    - J'hn1, 11 Feb 2014 @ 11:40am
      
      Re: Re: Re: Googluh
      Not as such.
      Hmmm
      More like putting the files in a cabinet on the back steps, then locking the handle and deadbolt of the front door.
      [ link to this | view in chronology ]
      - J'hn1, 11 Feb 2014 @ 11:43am
        
        Re: Re: Re: Re: Googluh
        Oh, and no gate or even fence to the back yard, just a high traffic alleyway running past the back.
        [ link to this | view in chronology ]
- Niall (profile), 11 Feb 2014 @ 4:49am
  
  Re: Googluh
  That doesn't work. The whole point of wi-fi is broadcasting - so if you are broadcasting an unencrypted signal, it's like complaining that anyone walking their dog on the hill beside you can see in your lit, un-curtained window.
  [ link to this | view in chronology ]
kyle clements (profile), 10 Feb 2014 @ 2:39pm

wget
If the authorities think "wget" is some sort of elite hacker tool, just wait until they find out about "dd".

*Facepalm*

Freaking out over wget is almost as laughable as hearing something like "using "Ctrl+C" and "Ctrl+V", a group of elite hackers were able to steal the contents of several websites and recreate various articles on their own computers at home."
[ link to this | view in chronology ]
- Anonymous Coward, 10 Feb 2014 @ 3:43pm
  
  Re: wget
  FBI arrest hacker who stole entire webpage
  Used previously unknown hack called "Save Page As".
  The hacker will be charged with violating the CFAA, and also with 35 separate counts of copyright infringement.
  [ link to this | view in chronology ]
chicostix, 10 Feb 2014 @ 3:51pm

pffttt
Why doesn't DCRI blame Google for allowing the public to access the private documents? DCRI sounds like one dumb fucking agency.
[ link to this | view in chronology ]
- Anonymous Coward, 11 Feb 2014 @ 1:09am
  
  Re: pffttt
  Well, they are French.
  [ link to this | view in chronology ]
- Anonymous Coward, 11 Feb 2014 @ 1:38am
  
  Re: pffttt
  Because they have far too many lawyers so they won't get the easy win they want.
  [ link to this | view in chronology ]
Anonymous Coward, 10 Feb 2014 @ 6:44pm

Keep this in mind if you support the statists in even one area of the destruction of liberty, you support them in all areas of the destruction of LIBERTY.
[ link to this | view in chronology ]
Anonymous Coward, 10 Feb 2014 @ 9:03pm

WTF is wrong with the French legal system? I swear to God every time you read a an utterly whack legal outcome, it's a 50/50 bet it's French.
[ link to this | view in chronology ]
Anonymous Coward, 10 Feb 2014 @ 10:14pm

the other 50% it`s the US
[ link to this | view in chronology ]
- Niall (profile), 11 Feb 2014 @ 4:50am
  
  Re:
  And the other 50% is either British or Canadian (serving their US masters).
  [ link to this | view in chronology ]
  - Sheogorath (profile), 14 Feb 2014 @ 10:01am
    
    Re: Re:
    By bending over.
    Disclaimer: I'm from the UK.
    [ link to this | view in chronology ]
techflaws (profile), 11 Feb 2014 @ 2:51am

It's deeply troubling that the mere fact of using a VPN to access a Web site was apparently viewed by the court as evidence of criminal intent

Seems to be standard these days, the NSA sees encryption as evidence of criminal intent.
[ link to this | view in chronology ]
Fred Z, 11 Feb 2014 @ 12:51pm

Socialists
The French have voted for socialists for a long time so what could anyone expect?

Lawyers, practicing and judicial, are notoriously incompetent at technical matters - did anyone think that electing socialists would improve this?
[ link to this | view in chronology ]
dmitryb, 11 Feb 2014 @ 12:55pm

So when Google grabs people's info from wide open access points that's labeled as evil and they are being dragged through courts under happy applause from Europeans, but this somehow is not the same? Let's at the very least pretend to be consistent.

Also, don't know anything about French law, but under many jurisdictions in US if I find a wad of cash on the street and not attempt to return it, I can be charged with theft or larceny. Just because something is in the public view doesn't mean it's ok to take.
[ link to this | view in chronology ]