Slashdot Mirror


19-Year-Old Archivist Charged For Downloading Freedom-of-Information Releases (www.cbc.ca)

Ichijo writes: According to CBC News, a Canadian teen "has been charged with 'unauthorized use of a computer,' which carries a possible 10-year prison sentence, for downloading approximately 7,000 freedom-of-information releases. The provincial government says about 250 of those contain Nova Scotians' sensitive personal information."

"When he was around eight [...] his Grade 3 class adopted an animal at a shelter, receiving an electronic adoption certificate," reports CBC. "That led to a discovery on the classroom computer. 'The website had a number at the end, and I was able to change the last digit of the number to a different number and was able to see a certificate for someone else's animal that they adopted,' he said. 'I thought that was interesting.' The teenager's current troubles arose because he used the same trick on Nova Scotia's freedom-of-information portal, downloading about 7,000 freedom-of-information requests."
The teen is estimated to have around 30 terabytes of online data on his hard drives, which equates to "millions" of webpages. "He usually copies online forums such as 4chan and Reddit, where posts are either quickly erased or can become difficult to locate."

21 of 422 comments

  1. Edit Address Line Is Not Hacking by rtb61 · · Score: 5, Insightful

    Let's be clear, editing the address line is not hacking, not in any way, shape or form. A user name and password request and getting past that is. Editing your address line on your computer and the distant server allowing it is a fault of that distant server. A request for access was made and it was legally given; the government is screwed and a penalty should be applied for false prosecution. Strictly their fuckup: they made that information publicly accessible without any restriction and they are fucking liars and fraudsters trying to pin their incompetence on someone else. It is not a crime to edit your address bar; it is strictly their fuck up that caused it. No user name or password request and your web site is public facing: that data is free to download, you just gave it away free from all encumbrances. No different to randomly running IP addresses to download whatever you want. No layer of security, no fucking crime; they are cunts blaming someone else for their incompetence and the victim should sue the crap out of them after this is over.

    --
    Chaos - everything, everywhere, everywhen
    1. Re:Edit Address Line Is Not Hacking by Anonymous Coward · · Score: 5, Insightful

      No layer of security, no fucking crime

      My leaving my front door unlocked does not mean you aren't guilty of breaking and entering if you open the door, walk in, and take something that isn't yours.

      Idiot.

      Web servers do not work that way.

      You don't go into the web server and take something. The web server sends it to you.

      The more apt analogy would be that I asked for something I didn't own and you mail it to me. It can't be stolen since you honored the request to send it to me.

      What are you going to compare it to next? rape? Someone getting unsecured files from a server is like raping you in the ass?

    2. Re:Edit Address Line Is Not Hacking by TheReaperD · · Score: 4, Insightful

      I think the door analogy would go something like this: I go into a public government building and the information I need is in open door A, and then I see open doors B, C, D, E, etc. and go, "huh, I wonder what's behind this open door in a public building (with no warning/forbidden signs)," and then someone tries to arrest me for breaking and entering.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
    3. Re:Edit Address Line Is Not Hacking by Anonymous Coward · · Score: 0, Insightful

      Where is it written that you shouldn't edit the URL for that specific website? It's no more a "hack" than dialing a random phone number, and it's perfectly fine to do on every other website.

      Since when are FoI requests not public information? Isn't that the whole point?

      And if private information is exposed and freely available to anyone who literally can just click on a link, why is that not the fault of whatever security manager allowed that? Why is the teenager who discovered this grievous and possibly criminal oversight not being commended, but gets locked up instead?

    4. Re:Edit Address Line Is Not Hacking by famebait · · Score: 2, Insightful

      Your analogy is broken in so many ways I don't know where to start.
      Here's a better one:

      You display a public announcement by scribbling it on the top sheet of a flip-over pad you have lying around.
      You nail the whole thing to your wall, and don't even try to secure the bottom corners.
      A passer-by peeks at the next sheet.
      No crime.
      Move along.

      --
      sudo ergo sum
    5. Re:Edit Address Line Is Not Hacking by jargonburn · · Score: 5, Insightful

      This is more like having a public reference book in a library, where you've been directed to page #1577 for the information you were seeking. You check and it's there. Cool. Then, you decide you're curious to read what's on the other pages.

    6. Re:Edit Address Line Is Not Hacking by Anonymous Coward · · Score: 1, Insightful

      Idiot.

      That's always a good sign that a considered and informed response is about to follow ...

      Web servers do not work that way.

      You're missing the point. OP didn't claim that web servers work like that. He was refuting the obvious nonsense that lack of security precludes the possibility of criminal wrongdoing.

      The more apt analogy ...

      Again, OP didn't make an analogy, he pointed to a situation which successfully disproved the contention: "No layer of security, no fucking crime." And in any case, we'll leave it to the courts to determine if there was any fucking crime.

    7. Re:Edit Address Line Is Not Hacking by Anonymous Coward · · Score: 2, Insightful

      And then only if the contract doesn't contradict the law. For example if a TOS says you have to give them your first born, that doesn't mean they can make you do that.

    8. Re:Edit Address Line Is Not Hacking by Anonymous Coward · · Score: 5, Insightful

      What a pile of shite.

      As one of the ACs in the thread above pointed out, this is the wrong analogy. The server authorized the request and sent the data. A more accurate analogy would be: "I go into a public government building and ask the clerk for document #252, he says sure and hands it over. I then ask him for every other number that I can think of and he keeps saying sure, and handing them over". Your attempt at an analogy removes agency, but the web server was configured to make the information publicly available.

    9. Re:Edit Address Line Is Not Hacking by AmiMoJo · · Score: 1, Insightful

      In this case though the documents returned contained personal information, which I believe has some protection in Canada. So the first time it's fine, it was clearly a mistake by the web server and you should report it.

      What isn't fine is exploiting that flaw to harvest large amounts of personal data from the system. Just because you found the debug mode on the vending machine that makes it dispense free coke doesn't mean it's okay to take all the coke.

      Your example of requesting someone mail you a document actually counters your argument. If you ask for someone else's records by writing their social security number on the request, even though it's stupid to rely on just that number for "authentication" you still committed fraud. The first time you might claim it was a genuine mistake, but the jury probably won't buy that you made 2000 consecutive mistakes.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re:Edit Address Line Is Not Hacking by AmiMoJo · · Score: 2, Insightful

      Actually yes, if you discovered such a flaw and exploited it to get lots of free coke, you likely would be prosecuted for theft.

      You know, like how fraud is still fraud even if the victim agreed to it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    11. Re:Edit Address Line Is Not Hacking by anegg · · Score: 4, Insightful

      Am I hacking the system if I use my remote control to sequentially access channels on my DirecTV system instead of using the DirecTV directory?

      Am I hacking the system if I conduct a (legitimate) telephone survey by progressing through the phone numbers for a given area code/prefix sequentially instead of using a telephone directory organized by name that translates to a telephone number?

      Am I hacking the system if I go trick-or-treating by house number up and down the block instead of using the HOA directory to find people in my neighborhood by name and then go to their address?

      The individual in question didn't evade any controls on the access to the information. He scanned the information that was made freely available by sequentially stepping through the information addresses rather than going through a central directory. The idea that the mere existence of a central directory makes it illegal to scan publicly available addresses directly to access unsecured information is ridiculous. The URL address system is a well-known public interface for accessing information. If the URL address system contains an obvious regular pattern, it is well within reasonable expectations that a) individuals will notice this regular pattern, and b) use the regular pattern to optimize their access to the information. The fact that every single web browser exposes the URL and allows direct manipulation of the URL suggests that URLs are not only capable of being used in this way, but that the original protocol designers and implementors intended for it to be used in this way.

  2. Wow, I see a huge countersuit coming... by cyn1c77 · · Score: 5, Insightful

    I am trying to understand what he did that was illegal?

    He downloaded documents that the government posted on the internet, by simply "guessing" the URL, which incrementally increased from the URL that he was given by the government?

    Yup, looks like a case of the government trying to offset blame to me!

    1. Re:Wow, I see a huge countersuit coming... by hey! · · Score: 1, Insightful

      I understand the feeling: it shouldn't be that easy to do something illegal. That does not mean that something is automatically legal because it's easy. In order for there to be a crime, you need two components, an act and intent. If you run over someone with your car, whether or not you intended to do that is what determines if there is a crime, not how easy it was to do.

      The problem is that a juror has to infer intent, and this is where biases come into play. To people like us nothing could be more natural than fiddling around with URL parameters; other people can't wrap their brain around why anyone would do that. That means to see if there's a crime you have to set aside what seems natural and obvious to you, and look at the specific circumstances of an act.

      Now I think most (although not all) people realize that if a bank made this same mistake, it'd be a crime to download the transaction information for hundreds of other people's accounts. What's a grayer area is if you tried it with one or two randomly chosen accounts. People like us would do that with the non-criminal intent of figuring out if our bank's security is that bad. But it's risky, because if you're detected there are people who simply don't understand that; you have to hope they've got an open mind.

      In this case the most important detail is that the kid was downloading what a reasonable person would assume is public information. I think you'd have to show that there was also information that wasn't in the public domain and that the kid knew it. The problem is that some people are by nature so incurious that curious behavior strikes them as suspicious.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  3. They forgot to take the 'take one free' sign down. by robbak · · Score: 4, Insightful

    Items placed on an open server without a login are made available for public download. Whether you meant to offer them for public download isn't relevant - you did.

    He went to the server and asked politely, "Can I take one of these?" The server said, "Sure, here it is", and then tossed it to him.

    --
    Prediction for end of Universe #42: Fencepost error in Quantum_bogosort.cpp
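The "server said sure" point above is, in code, a lookup that never consults a publication decision. The following is an added example, not code from the original thread or from the Nova Scotia portal: a constructed in-memory record store stands in for the database, the path and record layout are assumptions, and the two handlers show the vulnerable lookup beside the hardened one (an authorization check on every record, plus unguessable handles as a second layer that limits enumeration but does not replace the check).

```python
import secrets

# Constructed sample data standing in for the portal's records store (not real releases).
# Each release carries its own publication decision; the vulnerable handler ignores it.
RELEASES = {
    250: {"title": "Road maintenance budget", "public": True,  "body": "..."},
    251: {"title": "Benefits appeal file",   "public": False, "body": "applicant SIN and address"},
    252: {"title": "Park usage statistics",  "public": True,  "body": "..."},
}


class Forbidden(Exception):
    """Raised when a release is not available to the requester."""


def fetch_release_vulnerable(release_id: int) -> dict:
    """Sequential id, no authorization check: the server answers 'sure' for any id it has."""
    return RELEASES[release_id]


def fetch_release_hardened(release_id: int) -> dict:
    """Same lookup, but the record's publication decision is enforced on every request."""
    rec = RELEASES.get(release_id)
    if rec is None or not rec["public"]:
        # One answer for 'missing' and 'not public', so a scanner cannot map which ids exist.
        raise Forbidden(f"release {release_id} is not available")
    return rec


# Second layer (assumed design, not the portal's): hand out an unguessable handle instead of the
# row id, so a link to one release says nothing about its neighbours. Enumeration of the handle
# space is infeasible, but the publication check above is still what protects release 251.
HANDLE_TO_ID: dict[str, int] = {}


def handle_for(release_id: int) -> str:
    """Mint a random URL-safe handle for a release and remember the mapping."""
    handle = secrets.token_urlsafe(16)
    HANDLE_TO_ID[handle] = release_id
    return handle


def fetch_by_handle(handle: str) -> dict:
    """Resolve a handle, then apply the same authorization check as the id path."""
    release_id = HANDLE_TO_ID.get(handle)
    if release_id is None:
        raise Forbidden("unknown handle")
    return fetch_release_hardened(release_id)


def scan_ids(fetch, start: int, stop: int) -> dict:
    """Walk a contiguous id range the way a curl [start-stop] glob would; keep what comes back."""
    got = {}
    for release_id in range(start, stop + 1):
        try:
            got[release_id] = fetch(release_id)["title"]
        except (KeyError, Forbidden):
            continue
    return got


if __name__ == "__main__":
    print("vulnerable:", scan_ids(fetch_release_vulnerable, 249, 253))
    print("hardened:  ", scan_ids(fetch_release_hardened, 249, 253))
```

Against the constructed store, the vulnerable scan returns all three titles including the non-public appeal file; the hardened scan returns only the two releases marked public, and the 404-versus-403 distinction is deliberately collapsed so the scan also learns nothing about which ids are occupied.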
  4. Re:Government guilty! by Anonymous Coward · · Score: 5, Insightful

    "The kid was criminally stupid in not reporting the vulnerability through the responsible disclosure contact"
    Neither he, you nor I are under any such obligation and how he accessed the data was neither vulnerability nor crime.
    "The kid was criminally stupid in archiving the data instead of working towards fixing the problem"
    The problem is not his to "fix", and archiving the data is not a crime; it could have been done by any number of spiders and bots, including the Wayback Machine.

    Stop being an apologist for the criminally stupid authorities and their heavy-handed overreach.

  5. Re:Government guilty! by suso · · Score: 5, Insightful

    That's great, but you can also just do this with curl

    curl -o '#1.html' 'example.com/[1-1000000].html'

    The range functionality is built right into curl. In fact it's even in the opening examples of the man page.
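A curl range like the one above leaves a distinctive trace in the server's access log: one client requesting consecutive ids in quick succession. The following is an added example, not code from the original thread or from the portal: it runs a simple enumeration detector over a few constructed access-log lines (combined-log layout, with a hypothetical `/foi/release/<n>` path) and reports clients whose longest run of consecutive ids meets a threshold. The log lines, path and threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not real portal traffic). One client walks ids in order, the
# way a curl [1000-1005] glob would; another fetches the single release it was linked to.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Apr/2018:10:00:01 +0000] "GET /foi/release/1000 HTTP/1.1" 200 5120
198.51.100.7 - - [05/Apr/2018:10:00:02 +0000] "GET /foi/release/1001 HTTP/1.1" 200 3311
198.51.100.7 - - [05/Apr/2018:10:00:02 +0000] "GET /foi/release/1002 HTTP/1.1" 200 9876
203.0.113.9 - - [05/Apr/2018:10:00:03 +0000] "GET /foi/release/4471 HTTP/1.1" 200 2210
198.51.100.7 - - [05/Apr/2018:10:00:03 +0000] "GET /foi/release/1003 HTTP/1.1" 200 1400
198.51.100.7 - - [05/Apr/2018:10:00:04 +0000] "GET /foi/release/1004 HTTP/1.1" 200 8800
198.51.100.7 - - [05/Apr/2018:10:00:04 +0000] "GET /foi/release/1005 HTTP/1.1" 200 1200
"""

# Client address and the numeric release id; the path prefix is an assumption for this example.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /foi/release/(?P<id>\d+) ')


def sequential_runs(log_text: str, min_run: int = 5) -> dict:
    """Return {client_ip: longest run of consecutive ids} for clients at or above min_run.

    Requests are taken in log order per client, so interleaved traffic from other clients
    does not break a run. Only an exact +1 step counts; a strided or descending scan would
    need the step generalised.
    """
    ids_by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ids_by_client[m["ip"]].append(int(m["id"]))

    flagged = {}
    for ip, ids in ids_by_client.items():
        longest = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[ip] = longest
    return flagged


if __name__ == "__main__":
    for ip, run in sequential_runs(SAMPLE_LOG).items():
        print(f"{ip}: {run} consecutive release ids requested")
```

On the constructed lines the scanning client is reported with a run of six while the client that followed a single link is not; in practice the threshold and a time window would be tuned to the portal's normal traffic, and the alert is a prompt to check what the enumerated records contained, not proof of intent.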

  6. Freedom-of-information not itself free?.. by mi · · Score: 3, Insightful

    downloading approximately 7,000 freedom-of-information releases

    I'm confused... Shouldn't the freedom-of-information releases themselves be freely available to the general public?

    --
    In Soviet Washington the swamp drains you.
  7. Re:Government guilty! by Anonymous Coward · · Score: 5, Insightful

    The kid has been quoted as saying he thought that the records were public and he didn't know he wasn't supposed to be able to do that.

    By any measure these files were public. They were published online with a URL without any access control system. The question is whether they should have been made public or not. And apparently the government unintentionally published just 250 documents that contained information that was somehow privileged in the batch of 7000.

    So 96.4% of the documents were supposed to be available to the public.

    Any reasonable person would have looked at a freedom of information website and assumed that the published documents were intended to be public, as the vast majority of the documents were. The government made a mistake, overreached and is at fault for putting this person through this ordeal. Charges should be dropped with apology.

  8. Re:Government guilty! by o_ferguson · · Score: 3, Insightful

    However "Responsible Disclosure" only applies when you actually find a vulnerability. This was not a vulnerability. It was coded to work that way, and it did. He didn't break anything, and hence there was no break for him to report.

    --
    - In Soviet Korea, only old people lose all their bases to Natalie Portman's petrified hot grits overlords.
  9. Re:Government guilty! by beernutz · · Score: 3, Insightful
    Again, you wrote this line verbatim with the verbiage "Criminally" right in it. This might lead someone to think you considered his actions to be... well... "Criminal"

    The kid was criminally stupid in archiving the data instead of working towards fixing the problem

    --
    (stolen from DaBum) I am dyslexia of borg - your ass will be laminated.