Blogger Fined €3,000 for 'Publicizing' Files Found Through Google Search

← Back to Stories (view on slashdot.org)

Blogger Fined €3,000 for 'Publicizing' Files Found Through Google Search

Posted by Soulskill on Tuesday February 11, 2014 @12:59PM from the you-crafty-hackers-and-your-keyword-searches dept.

mpicpp points out an article detailing the case of French blogger Olivier Laurelli, who had the misfortune to click links from search results. Laurelli stumbled upon a public link leading to documents from the French National Agency for Food Safety, Environment, and Labor. He downloaded them — over 7 Gb worth — and looked through them, eventually publishing a few slides to his website. When one of France's intelligence agencies found out, they took Laurelli into custody and indicted him, referring to him as a 'hacker.' In their own investigation, they said, "we then found that it was sufficient to have the full URL to access to the resource on the extranet in order to bypass the authentication rules on this server." The first court acquitted Laurelli of the charges against him. An appeals court affirmed part of the decision, but convicted him of "theft of documents and fraudulent retention of information." He was fined €3,000 (about $4,000).

21 of 248 comments (clear)

Min score:

Reason:

Sort:

Hacker??!! by bogidu · 2014-02-11 13:02 · Score: 5, Insightful

You fsckup your own security then blame the guy for accessing and republishing something you posted for the world to see?! Stupid bureaucrats.
1. Re:Hacker??!! by Anonymous Coward · 2014-02-11 13:35 · Score: 4, Interesting
  
  French law and government is just simply fucked. There really isn't a better word to describe it.
  They try to legislate all kinds of stupidity and it nearly always backfires on them. Just take a look at all the laws they've passed to improve employment in their country. Laws that fine employers for layoffs (guess how that turned out? Hint: all sane companies just laid off a bunch of people before the law came into effect and have less desire to hire anyone else), price fixing of books in a futile attempt to save bookstores, taxing the shit out of any company in an effort to fund a spendthrift government, it goes on and on.
  http://globaleconomicanalysis....
  The constant meddling has driven so many companies from their country, it just puts them in the hole even further. Speak out against any of the stupidity and rather than attempting to smarten up, they'll try to fine you. What a disaster. It's no surprise they came up with this dreadful verdict.
2. Re:Hacker??!! by presidenteloco · 2014-02-11 13:59 · Score: 5, Insightful
  
  Hey!
  The world wide web was designed to make accessible via hyperlinks (URLs) a whole bunch of documents / generated content. Key word being accessible. If someone is stupid enough to put documents intended not to be public on the public world wide web, that's their issue.
  It is not a transgression on the part of the person who used the URL to access the content, doing nothing more than the technology is explicitly designed to do.
  This is just another example of judges who got an A in social studies and a C in technical subjects making asinine rulings about use of technology they don't understand.
  
  --
  
  Where are we going and why are we in a handbasket?
3. Re:Hacker??!! by icebike · 2014-02-11 14:05 · Score: 5, Interesting
  
  Just because you CAN do something, it doesn't mean it's okay to do it. This creates a horrible survival-of-the-fittest arms race techno-bureaucracy where values are absent.
  In this case, when a PUBLIC agency violates their own security protocol, and turns over all its internal documents to the internet, it means EXACTLY that it is OK to do so.
  Your analogy of walking into an unlocked office fails the sniff test. (not to mention the stupid analogy test).
  He did not break. He did not illegally enter. There was no door. He didn't deprive them of anything. The documents might as well have been stacked neatly in the public park, with signs and arrows pointing to the juicy bits.
  The government agency already published the documents.
  
  --
  Sig Battery depleted. Reverting to safe mode.
4. Re:Hacker??!! by presidenteloco · 2014-02-11 14:24 · Score: 5, Insightful
  
  Ok I'l give you another analogy.
  This is pretty much like leaving a stack of pamphlets on a table in a train station, then arresting those who pick one up for possession of classified material.
  I can't make it any clearer: Content that is behind a URL in a publicly searchable server directory, with no password or secure session protection, has been placed in plain sight in public. There is no fault in accessing it, nor in republishing it (posting the pamphlet on the door of your house) unless it contained an explicit copyright restriction statement.
  
  --
  
  Where are we going and why are we in a handbasket?
5. Re:Hacker??!! by icebike · 2014-02-11 14:42 · Score: 4, Informative
  
  In the absence of any keep out signs, (there weren't any), even in France, public items are for free for public consumption.
  The only strawman around here is you, and you seem to have most of it in your head.
  This guy did nothing wrong. The documents were freely available on the web. There was no security on the site, and no copyright on the documents.
  As he states on TFA:
  
  Through a Google search which strictly did not have anything to do with ANSES or with public health, I found myself in the ANSES extranet. Simply by clicking on a search result.
  First observation: there are a lot of documents freely available here.
  Second observation: they speak about public health.
  Third observation: L’ANSES is a public establishment.
  Question: Is it that this ought to be public?
  Response: (too) obvious at the time: yes.
  And he was acquitted!!! But an embarrassed agency appealed..
  
  --
  Sig Battery depleted. Reverting to safe mode.
6. Re:Hacker??!! by Anonymous Coward · 2014-02-11 15:09 · Score: 3, Interesting
  
  In a sane world, yes. You go after the people illegally distributing it, not the people receiving it.
7. Re:Hacker??!! by dnavid · 2014-02-11 15:22 · Score: 5, Informative
  
  In the absence of any keep out signs, (there weren't any), even in France, public items are for free for public consumption.
  The only strawman around here is you, and you seem to have most of it in your head. This guy did nothing wrong. The documents were freely available on the web. There was no security on the site, and no copyright on the documents.
  As he states on TFA:
  The article has an update posted:
  
  UPDATE: Laurelli ended up admitting in testimony that when he found the documents, he traveled back to the homepage that they stemmed from and found an authentication page. This indicated that the documents were likely supposed to be protected. That admission played a part in his later conviction in the appeals court.
  In other words, he admitted to the court that he deliberately attempted to determine if the documents were intended to be publicly accessible or not, and had determined *to his own satisfaction* that they were likely not intended to be made public. That's probably why he was not acquitted on the basis of the documents being public. They were, to an uninitiated person. But Laurelli actually knew what he was doing and admitted to the court that he himself believed the documents were not intended to be publicly accessible. So while he thought they "ought to be" public, he also knew they were not intended to be. So by his own admission, he had the requisite intent to steal them from people who did not want them taken.
  It seems the lower court acquitted him because all they knew was he got the documents through a public search, and did the right thing by acquitting him. And the appeals court also did the right thing in upholding that acquittal. What they convicted him of was the different crime of retaining and disseminating those documents *after* he realized they were not intended to be public.
8. Re:Hacker??!! by TapeCutter · 2014-02-11 15:26 · Score: 3, Insightful
  
  and no copyright on the documents
  Copyright is automatic, you don't need to state it explicitly for it to apply. That's why downloading movies from TPB is perfectly legal but redistribution without permission is not.
  
  --
  And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
9. Re:Hacker??!! by Wycliffe · 2014-02-11 16:10 · Score: 4, Interesting
  
  It's insane to try to prosecute the downloader. My 6 year old loves to watch youtube videos.
  Alot of the words she knows how to spell like 'dora' and 'mickey mouse' are copyrighted.
  How is she (or her grandma or anyone else) suppose to know that video A is ok to watch
  but video B (which youtube is still getting ad revenue from) is copywrited and illegal.
  Honestly half the time I can't even tell. I assume that full length movies on youtube
  (yes there are quite a few, my kids stumble upon them all the time) are illegal but youtube
  does a terrible job of enforcing it on all but the most popular movies and there is tons
  of gray area as I'm assuming some of the shows like the disney ones are probably
  actually licensed but then again even some of those have poorer quality and might
  be bootleg. Prosecuting the downloader especially if the provider is someone like
  google or youtube is like prosecuting someone because walmart sold them a bootleg
  dvd.
10. Re:Hacker??!! by Redmancometh · 2014-02-11 18:27 · Score: 4, Interesting
  
  Yeah this isn't a "door was left open" scenario. That scenario is more comparable to network infrastructure without a password on it like ssh. There is a door, but it's been left unlocked. This wasn't even a house (private network) this was a public place.
  In the scenario we're talking about the object was both left in a public place and said public place was referenced in another. I can't think of anything analogous to the real world, but real world analogues only cloud judgement.
  The bottom line is this had to be in a directory literally called "public_html" or the equivalent for IIS/Nginx. This folder, and it's contents, are shared with everybody. Not only that, but the URL was advertised in an unspecified public place. This URL was also indexed by google.
  Further there were 7GB worth of files..plural..so directory listing was on. This is DIRECT EVIDENCE that the French prosecution/government is simply spinning things.
  "In their own investigation, they said, "we then found that it was sufficient to have the full URL to access to the resource on the extranet in order to bypass the authentication rules on this server."
  Obviously he didn't need the full URL if he was able to wget 7 gigs worth of text and/or pdf files. If he was able to download the entire directory there was no authentication mechanism to be bypassed, and the only offense by the French government is farcical. This has a double impact, as it also proves this was conclusively NOT an extranet by definition.
  So if I was the defense I would say:
  1) The "open door" example is intentionally (and obviously) misleading and biased, and that's probably the exact analogy they used. It seems like that analogy gets used in all court cases.
  2) There is clear intent by the person who designed the server to make said documents public information. The intent is proven by a very simple fact: the site has been crawled by google. Without a robots.txt google will not crawl your site (at least these days.)
  As this file must have been created and configured intent couldn't be any more clear.
  3) To further prove the intent of the French administrator the files were (most likely willfully and knowingly) placed in a directory specifically marked for sharing files.
  4) Laurelli never bypassed (or even provably encountered) any authentication mechanism whatsoever.
  5) The French government's argument is non-unique as these documents were already made "public for advertising or promotional purposes" when indexed by google, and this claim is supported by google's own mission statement:
  
  google's mission is to organize the world’s information and make it universally accessible and useful."
  google's mission statement (by it's own admission) is to make the world's (what they choose..via indexing) information universal. This is obviously for promotional purposes of google and would fall neatly into the definition of "publicizing." So by crawling google announced their intent to publicize the documents, and by indexing said documents as step 1, we have both a provable intent and provable action moving towards publicizing the documents at hand. The next step in publicizing after indexing is of course to wait for users to access and share the content. This is exactly what my client did (teehe I couldn't resist).
  In summation it is very clear cut that there is indeed only 1 victim here...but there are 2 villains in this story. The first (and lesser at least under French law) was the network engineer/admin who either misrepresented his/her ability, got lazy, or was grossly negligent.
  The second, and greater villain, and the true perpetrator of this crime was google. For the intent of gaining profit using the French government's documents (which google indexed to grow their search database) in the pursuit of adding content for their userbase in an effort to grow said userbase and profit via advertising targeted to it's users.
  Mr Laurelli is the clear victim of both goo
11. Re:Hacker??!! by noh8rz10 · 2014-02-11 18:37 · Score: 5, Interesting
  
  Thing is. In the US you can be tried twice for the same crime. It all depends on how far the prosecutor (and you) want to push things. This is what various appeals courts, all the way up to the Supreme Court are.
  nopee. the first court is the only court that hears matters of fact, i.e. evidence, witnesses, etc. all the appeals courts only hear matters of law, i.e. whatever. further, if the defendant wins a court case, the prosecutors can't appeal. So, no you can't be tried more than once.
  
  In the US, you can be convicted in absentia as well. Take Andrew Luster as an example.
  The supreme court has ruled over and over and over again that people have the right to be present at trial, and if a trial happens without them it is a violation of due process protections. Congress codified this in 1946 to lay out specific protections and enumerate specific exemptions. One exemption "the defendant waives his or her right to be present if he or she voluntarily leaves the trial after it has commenced". Your dude Andrew Luster bolted from the trial and fled the country. He got sentenced anyway.
  You sir are my chief pedant of the peasant's pedant brigade. USA is an exceptional nation.
Saving face by hurting innocent people by ZorinLynx · 2014-02-11 13:03 · Score: 5, Interesting

I HATE it when governments do this. They can't simply admit to having made a mistake and made those files public (albeit difficult to find). They have to fine this poor person just for coming across something interesting and posting it.
Fuck them. Fuck them hard with a chainsaw, every last one of them who pushed for this.
Laws server their purpose by EMG+at+MU · 2014-02-11 13:12 · Score: 4, Insightful

In this scenario the Law worked perfectly.

Government sets rules on what you can and cannot do,
Government interprets those rules,
Government imposes punishments based on those interpretations.

You piss off the government, they use the laws to make your life hell.
French government by DoofusOfDeath · 2014-02-11 13:18 · Score: 3, Funny

Often I marvel at how banal the American government is. Then, occasionally, the UK or French governments make me feel a little better.
1. Re:French government by zippthorne · 2014-02-11 13:35 · Score: 3, Interesting
  
  How can you appeal an acquital?
  
  --
  Can you be Even More Awesome?!
2. Re:French government by Anonymous Coward · 2014-02-11 14:03 · Score: 5, Informative
  
  Uh, no, they cannot. In the US that is known as "double jeopardy" and is not allowed. If you're acquitted, you're done. They can find new evidence, you can write a full confession, it doesn't matter. When that gavel comes down on the "not guilty" verdict, you're no longer capable of being held criminally liable for that particular crime.
  If a case is dismissed without prejudice, it can be retried. There is no verdict in that scenario. There's also a separate sovereigns exception, which in some circumstances could allow the feds their own shot at prosecuting, though that wouldn't be applicable here since this would have been tried as a federal crime to begin with.
Re:Why is anything accessable on the internet rega by Anonymous Coward · 2014-02-11 13:44 · Score: 5, Insightful

If you left a book on the street out the front of your house, but didn't give anybody your address, is it somebodies fault if they read the book?
There is no expectation of privacy here, it is a publicly accessible web page.
Fortunately by Greyfox · 2014-02-11 14:29 · Score: 4, Funny

Having learned from previous mistakes, the agency had taken the precaution of encrypting the documents using an incomprehensible standard known as "French," so no one really paid it any mind.

--
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Re:Reasonable by jklovanc · 2014-02-11 14:48 · Score: 3, Informative

From the article

UPDATE: Laurelli ended up admitting in testimony that when he found the documents, he traveled back to the homepage that they stemmed from and found an authentication page. This indicated that the documents were likely supposed to be protected. That admission played a part in his later conviction in the appeals court.
The hung out an "authorized persons only" sign but forgot to lock the door.
Re:Reasonable by Sabriel · 2014-02-11 21:05 · Score: 3, Informative

Hmm. It's not clear to me from reading the article whether he knew before downloading them that he was not authorised. That said, I will grant that as soon as he did find out, he had a problem and should have acted accordingly.
Concerning the court's competence, I found this part disturbing:

Incredibly, although a lower criminal court ruled that Laurelli could not be penalized for accessing data that was not secure, the DCRI decided to appeal the decision. That's after ANSES, the organization from which the documents were “stolen” in the first place, decided not to pursue any civil action. Although the court documents are not yet available, French technology news site Numerama and the French-language version of Slate both quote a baffling scene from the first appeals-court hearing in December 2013, which Mediapart (paywalled link) attended. During those opening arguments, a presiding judge appeared unable to pronounce Google (saying “gogleu” instead) and demonstrated an ignorance of how logins occur. The prosecutor did not help this perception, saying at the hearing, "half the words I heard today, I did not even understand."
The appeals court acquitted Laurelli of fraudulently accessing an information system but saw fit to convict Bluetouff of theft of documents and fraudulent retention of information. The court wrote: "It is well demonstrated that he was conscious of his irregular retention in automated data processing, accessed where he downloaded protected evidence; and that investigations have shown that these data had been downloaded before being... disseminated to others; that it is, in any event, established that Olivier Laurelli made copies of computer files inaccessible to the public for personal use without the knowledge and against the will of its owner"

1. The first court ruled the Laurelli wasn't guilty. ANSES, the source of the documents, subsequently declined to pursue any civil action. Despite this, the DCRI appealed and pursued _anyway_, yet the prosecution didn't have a proper understanding of what they were prosecuting!
2. It was actually established by ANSES that those files (however inadvertently) were _accessible_, not inaccessible, to the public, so the court has rendered judgement directly contrary to the evidence presented by the same national agency from which the data was downloaded.