19-Year-Old Canadian Facing Criminal Charges For Downloading Publicly-Accessible Documents
from the making-citizens-pay-for-the-government's-sins dept
A 19-year-old Canadian is being criminally-charged for accessing a website. The Nova Scotian government's Freedom of Information portal (FOIPOP) served up documents it shouldn't have and now prosecutors are thinking about adding charges on top of the ten-year sentence the teen could already be facing. (via Databreaches.net)
Journalists first spotted the problem April 5th, when the FOI portal was taken offline. The Internal Services Minister, Patricia Arab, refused to provide details about the portal's sudden unavailability. It wasn't until the following week that the press was given more information and those affected notified.
Even once the government learned of the breach, it waited until Wednesday to begin notifying affected people. Arab said they held off notifying people was because police suggested it would help them in their investigation.
Seems logical, except…
But [Halifax Police Superintendent Jim] Perrin told reporters police did not make that request. He could not say if advising people would have compromised the investigation. The province's protocols for a privacy breach state it is supposed to inform people as soon as possible, unless otherwise instructed by law enforcement.
The suspect obtained 7,000 documents from the Freedom of Information portal. Apparently around 250 of those contained unredacted personal information. Here's how the government portrayed the supposed hacking:
Government officials said someone got in by "exploiting a vulnerability in the system." The person wrote a script allowing them to alter the website's URL, which then granted access to the personal information.
Internal Services found more than 7,000 PDF documents had been downloaded by a "non-authorized user" in early March. They filed a complaint with police on Saturday.
A script made it easier, but a script wasn't required. The URLs for FOI documents are incremental. As software engineer Evan D'Entremont points out, anyone could have done what the supposed "hacker" did.
The way the documents are stored is simple. They’re available at a specific URL, which David Fraser, a Halifax-based privacy lawyer, was happy to provide:
https://foipop.novascotia.ca/foia/views/_AttachmentDownload.jsp?attachmentRSN=1234
Document number 1235 is stored at https://foipop.novascotia.ca/foia/views/_AttachmentDownload.jsp?attachmentRSN=1235.
Guess where document 1236 is stored? This is not a new problem. In fact, it was recognized over a decade ago as one of the top ten issues affecting web application security. All [the "hacker'] had to do is add.
All this "hacker" did was automate the retrieval of published documents from the government's FOI portal. That's it. This wasn't an attempt to access personal info. That problem lies with the government, which did not properly secure documents it hadn't redacted yet. As D'Etremont points out, plenty of other government websites use the same software for document access. (Searching "inurl:attachmentRSN"will bring up a handful of government websites, including Nova Scotia's temporarily disabled FOI portal).
But other sites have taken care to wall off publicly-available documents from others they're not prepared to make public by using a PublicPortal subfolder. Nova Scotia's site apparently did not, hence the teen's ability to access unredacted documents. This isn't evidence of fraudulent access or malicious hacking. This is evidence of government carelessness.
The question remains, was the access fraudulent?
Remember what I said about the other installations being called “PublicPortal”? And how 6750 of the 7000 records were public anyways, and how this system is literally designed for facilitating “access to information?” Looking at it further, there are no authentication mechanisms, no password protection, no access restrictions. It’s very clear that the software is intended to serve as a public repository of documents.
It’s also very clear that there at least 250 documents improperly stored there by the province. Documents that the province had a responsibility to protect, and failed.
This wasn't a criminal act. This was simply efficient harvesting of publicly-available documents. If some documents weren't supposed to be publicly-available, the blame lies with the government for failing to secure them. The fact that the government decided to get police involved gives this the ugly appearance of scapegoating. This is an embarrassed government body trying to turn its mistake into the malicious works of teen hacker.
It would be very surprising to see these charges stick. The URLs -- and the documents they held -- were publicly-accessible. But if they do stick -- and the Halifax PD has stated it may add more charges -- it will be due to the Nova Scotia government's unwillingness to take responsibility for its own carelessness.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: canada, criminal charges, downloading, foia, foipop, nova scotia, transparency
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Copying to a web accessible folder is incredibly easy if you have permissions and have perfectly normal human error rate.
cp oneFolder twoFolder redFolder blueFolder webAccessibleFolder[ link to this | view in chronology ]
Wow
[ link to this | view in chronology ]
Re: Wow
[ link to this | view in chronology ]
Re: Re: Wow
The US has been far more socialist than Canada for decades. It's just that Canada extends that socialism outside of the corporate/investor realm more often.
As it was put back in 2008 when Republicans were nationalizing the Wall Street banks and bailing out the auto industry:
[ link to this | view in chronology ]
Re: Re: Re: Wow
Not perfect but id hardly call us pure socialists, just more so than the US.
[ link to this | view in chronology ]
and the Halifax PD has stated it may add more charges
"If we hit him with enough of the book he's eventually going to stay down, right?"
[ link to this | view in chronology ]
[ link to this | view in chronology ]
I've done this with things like pictures. Sometimes a site will have preview pictures numbered 5, 8, 14, etc. I try filling in the missing numbers and sometimes it turns out that they just linked to a few of the images in the directory. Or sometimes there's one full-sized image and a bunch of thumbnails, but if you alter the filename to conform to the one big image, you can get full-sized versions of all of them.
Years ago, I found a site that had no protection for the members section, you just weren't supposed to be able to see the URL unless you signed in. I forgot how I found it, but I was able to browse their entire site. Unfortunately I had dialup at the time and couldn't download too much. :)
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
https://en.wikipedia.org/wiki/Weev#AT&T_data_breach
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re:
It seems to me there was this guy Aaron Swartz. He downloaded documents that were available to visitors at MIT.
He was maliciously prosecuted and committed suicide as a result.
Perhaps that is what the Canadians are hoping for.
[ link to this | view in chronology ]
I'm sorry but the fucking protocol says it's available, other people's dreams and wishes not withstanding, http get.
I'm getting pretty fucking tired of the seemingly total incompetence of "authority" reacting excessively if not violently to "this computer thingy and those meddling kids".
An information repository accessible on the network is a PUBLIC FUCKING KIOSK of any and all information contained therein. Choose wisely (or just shoot the fucking messengers, apparently).
This is the epitome of cunty authority. Bad governance defined.
[ link to this | view in chronology ]
It contained her address, driver's licence number and everything else needed for identity theft. Like the case above, you could change the record number at the end to see a different record.
The point is, Google had indexed the whole thing. And it'll do the same with PDF files.
Yeah, the data the kid was arrested for was publicly accessible.
[ link to this | view in chronology ]
Re:
Of course, the other side of all this is that Canadian law weighs heavily on intent. If the kid was downloading it all just because he could, this won't go anywhere. However, if he was found actively selling the PII on a Russian underground marketplace, I say throw the book at him. This may be what the "other charges" are that they're pursuing.
[ link to this | view in chronology ]
This computer stuff isn't that hard if people stop thinking its magic and anyone who does something they don't want is a hacker.
[ link to this | view in chronology ]
Re:
We might see some sanity in this area once Gen Y enters politics. As long as we're still being run by Gen X and its predecessor we're going to keep being the "beneficiaries" of this kind of enlightened legislation.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
Just because someone uses technology doesn't mean they know how it works. And even if they know how it works won't stop them being self-serving and corrupt.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
"This wasn't a criminal act"...but...
And it *is* a criminal act...it's called intimidating researchers.
[ link to this | view in chronology ]
Re: "This wasn't a criminal act"...but...
don't make us hurt you to get what vee want
Vee ember da torture is for your own protection
[ link to this | view in chronology ]
Monkeying with a site's URLs?
"The person wrote a script allowing them to alter the website's URL"
Moreover I am usure it is the scripting part that makes it illegal. I suspect "guessing" possible URLs is also illegal.
Can somebody please tell me how I can check the law on that point myself? I don't wish to pay a lawyer to ask them!
Cheers
[ link to this | view in chronology ]
Re: Monkeying with a site's URLs?
That’s already grounds for prosecution and conviction.
[ link to this | view in chronology ]
Re: Monkeying with a site's URLs?
[ link to this | view in chronology ]
Re: Monkeying with a site's URLs?
[ link to this | view in chronology ]
Re: Monkeying with a site's URLs?
He's not "monkeying with" anything of the site's; he's sending a series of HTTP gets, which the site happily responded to. You can craft any arbitrary URL; it's up to sites to decide how to respond.
[ link to this | view in chronology ]
Re: Monkeying with a site's URLs?
Wouldn't that make an editable address field in a web browser illegal?
[ link to this | view in chronology ]
Re: Monkeying with a site's URLs?
There was a guy who got fined £1,000 for pinging a donation page after the Boxing Day (26th Dec) Tsunami.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
wVMYRF6X0jL www.yandex.ru
[ link to this | view in chronology ]