Slashdot Mirror


19-Year-Old Archivist Charged For Downloading Freedom-of-Information Releases (www.cbc.ca)

Ichijo writes: According to CBC News, a Canadian teen "has been charged with 'unauthorized use of a computer,' which carries a possible 10-year prison sentence, for downloading approximately 7,000 freedom-of-information releases. The provincial government says about 250 of those contain Nova Scotians' sensitive personal information."

"When he was around eight [...] his Grade 3 class adopted an animal at a shelter, receiving an electronic adoption certificate," reports CBC. "That led to a discovery on the classroom computer. 'The website had a number at the end, and I was able to change the last digit of the number to a different number and was able to see a certificate for someone else's animal that they adopted,' he said. 'I thought that was interesting.' The teenager's current troubles arose because he used the same trick on Nova Scotia's freedom-of-information portal, downloading about 7,000 freedom-of-information requests."
The teen is estimated to have around 30 terabytes of online data on his hard drives, which equates to "millions" of webpages. "He usually copies online forums such as 4chan and Reddit, where posts are either quickly erased or can become difficult to locate."


  1. Government guilty! by nospam007 · · Score: 5, Informative

    ...of criminal stupidity.

    I'm from Luxembourg and my chamber of representatives used the same 'security system' (people can't possibly guess numbers) and was also breached, obviously, since this 'problem' is known since 1991 or so, when the worldwide web was invented.

    1. Re:Government guilty! by Bobrick · · Score: 3, Funny

      Who would've thought that request #252 would follow #251 ?

    2. Re:Government guilty! by houghi · · Score: 3, Informative

      #!/bin/bash
      # Request example.com/1.html through example.com/1000000.html in turn
      for I in $(seq 1 1000000)
      do
          wget "example.com/$I.html"
      done

      HACK THE PLANET!

      --
      Don't fight for your country, if your country does not fight for you.
    3. Re:Government guilty! by Anonymous Coward · · Score: 5, Insightful

      "The kid was criminally stupid in not reporting the vulnerability through the responsible disclosure contact"
      Neither he, you nor I are under any such obligation and how he accessed the data was neither vulnerability nor crime.
      "The kid was criminally stupid in archiving the data instead of working towards fixing the problem"
      The problem is not his to "fix" and archiving the data is not a crime which could have been done by any number of spiders and bots incl The Wayback Machine.

      Stop being an apologist for the criminally stupid authorities and their heavyhanded overreach

    4. Re:Government guilty! by bluefoxlucid · · Score: 2

      Why is this criminal and not civil? What economic damages are there to reclaim in said civil suit?

      Ah. No standing. Case dismissed!

    5. Re:Government guilty! by mjwx · · Score: 4, Interesting

      ...of criminal stupidity.

      I'm from Luxembourg and my chamber of representatives used the same 'security system' (people can't possibly guess numbers) and was also breached, obviously, since this 'problem' is known since 1991 or so, when the worldwide web was invented.

      Yes, Data Protection Acts like the EU GDPR are there to ensure that PII (Personally Identifiable Information) isn't released publicly. However this doesn't mean it won't accidentally be or can't be released. The Canadian govt was silly to let this information be released under FOI requests (I work with FOI requests in the UK, you're supposed to ensure any PII is stripped out, GDPR/DPA trumps FOI and there are strict penalties for non-compliance) but if that fails that doesn't give you carte blanche to copy it, data protection laws still apply.

      However I'm going to make a prediction that won't be popular with the /. Mah Freeedums nutters but it will be more accurate, this will go to court, the Canadian will explain why he was doing what he was doing and the judge will order him to delete the records that contain PII and that will be the end of it. No jail, no fines, just a Canadian judge ordering a Canadian to adhere to the Canadian laws. Chances are the guy didn't even know that the PII was there before he started.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    6. Re:Government guilty! by suso · · Score: 5, Insightful

      That's great, but you can also just do this with curl

      curl example.com/[1-1000000].html

      The range functionality is built right into curl. In fact it's even in the opening examples of the man page.
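
How the sequential walk from the loop and curl-range comments above looks in a server's access log, as an added example that is not part of any comment in this thread. The log lines, client addresses, date and thresholds are constructed; the `/N.html` paths mirror the example.com URLs used in the comments.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format line for a numbered page such as /1577.html
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /(?P<id>\d+)\.html HTTP/[\d.]+" \d{3} '
)


def parse(line):
    """Return (client, timestamp, doc_id), or None for lines of no interest."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(m["id"])


def longest_runs(lines, max_gap=timedelta(seconds=30)):
    """Per client, the longest streak of requests for previous ID + 1,
    each arriving within max_gap of the one before it."""
    last = {}                   # client -> (timestamp, doc_id) of previous hit
    current = defaultdict(int)  # client -> streak in progress
    best = defaultdict(int)     # client -> longest streak seen
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, doc_id = rec
        prev = last.get(ip)
        if prev and doc_id == prev[1] + 1 and ts - prev[0] <= max_gap:
            current[ip] += 1
        else:
            current[ip] = 1
        best[ip] = max(best[ip], current[ip])
        last[ip] = (ts, doc_id)
    return dict(best)


def flag_enumerators(lines, min_run=10):
    """Clients whose longest consecutive-ID streak reaches min_run."""
    return {ip: n for ip, n in longest_runs(lines).items() if n >= min_run}


def sample_log():
    """Constructed log: one reader following search results, one ID walker."""
    t0 = datetime(2020, 1, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, path):
        ts = (t0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET /{path} HTTP/1.1" 200 5120'

    reader = [(0, 1577), (40, 212), (95, 1578), (300, 903)]
    lines = [line("203.0.113.9", off, f"{doc}.html") for off, doc in reader]
    lines.append(line("203.0.113.9", 310, "index.html"))
    lines += [line("198.51.100.7", 100 + n, f"{251 + n}.html") for n in range(40)]
    return lines


if __name__ == "__main__":
    for ip, run in flag_enumerators(sample_log()).items():
        print(f"{ip}: {run} consecutive document IDs")
```

Streak length alone only sees in-order, closely spaced requests, so a monitoring rule would normally sit beside a per-client count of distinct document IDs.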

    7. Re:Government guilty! by JMJimmy · · Score: 4, Informative

      This case will be dismissed if it ever makes it that far. The law they charged him under does not cover accessing public facing documents.

    8. Re:Government guilty! by Anonymous Coward · · Score: 5, Interesting

      The government was in breach of PIPEDA, though I'm not a lawyer, so I don't know if the law applies to them. The documents are called "Freedom of Information" requests. If you find one through the search function, you can download it. A reasonable person would have concluded this was public information. The documents being numbered sequentially does reinforce this impression.

      There was no obvious way for him to know that some of the "Freedom of Information" requests were intended to be restricted. You can't report something you don't know is wrong. Nobody wants to be the collateral damage from some larger party externalizing its incompetence or laziness. This is that, and it's wrong.

    9. Re:Government guilty! by gmack · · Score: 5, Informative

      The kid has been quoted as saying he thought that the records were public and he didn't know he wasn't supposed to be able to do that.

    10. Re:Government guilty! by Type44Q · · Score: 4, Interesting

      The kid was criminally stupid in archiving the data instead of working towards fixing the problem

      This tripe got modded to 5?! fixing the problem wasn't his responsibility and while his actions might've been distasteful, thinking them to be "criminal" either requires:

      A) A complete lack of understanding of digital communications, or...

      B) You to be a gov't shill, or...

      C) An utter fucking moron.

    11. Re:Government guilty! by azcoyote · · Score: 5, Funny

      ... In fact it's even in the opening examples of the man page.

      That's exactly why we need more women in tech!

      --
      Incipiamus, fratres, servire Domino Deo, quia hucusque vix vel parum in nullo profecimus.
    12. Re: Government guilty! by Anonymous Coward · · Score: 1

      You lead the way leftard.

    13. Re: Government guilty! by Anonymous Coward · · Score: 1

      Because they'd all whine about how man pages are really about misogyny and not actually shorthand for manual pages?

    14. Re:Government guilty! by suso · · Score: 4, Informative

      I agree, but man pages have nothing to do with gender. It's called a man page because it's short for manual. The command was called man most likely because so many commands were shortened back then to 2 or 3 letters. There were a few women working on Unix at Bell labs in the 70s, one was Lorinda Cherry and among other things she helped write programs like the 'bc' and 'dc' commands.

    15. Re:Government guilty! by Tokolosh · · Score: 1

      So manually typing in a URL is criminal?

      --
      Prove anything by multiplying Huge Number times Tiny Number
    16. Re:Government guilty! by Anonymous Coward · · Score: 5, Insightful

      The kid has been quoted as saying he thought that the records were public and he didn't know he wasn't supposed to be able to do that.

      By any measure these files were public. They were published online with a URL without any access control system. The question is whether they should have been made public or not. And apparently the government unintentionally published just 250 documents that contained information that was somehow privileged in the batch of 7000.

      So 96.4% of the documents were supposed to be available to the public.

      Any reasonable person would have looked at a freedom of information website and assume that the published documents were intended to be public as the vast majority of the documents were. The government made a mistake, overreached and is at fault for putting this person through this ordeal. Charges should be dropped with apology.

    17. Re: Government guilty! by K. S. Kyosuke · · Score: 1

      There's a woman in your Emacs. It's in her job description to read those pages to you, actually.

      --
      Ezekiel 23:20
    18. Re:Government guilty! by Anonymous Coward · · Score: 1

      alias woman='man'

    19. Re:Government guilty! by suso · · Score: 1

      WHOOSH!

      Perhaps it was a whoosh, but you never know. I err on the side of ignorance.

    20. Re:Government guilty! by Anonymous Coward · · Score: 1

      The kid was criminally stupid in not reporting the vulnerability through the responsible disclosure contact

      Being stupid is not a crime. Committing crimes is a crime. How is it criminal if these are part of the public record? Because they contain sensitive information? How is that his fault?

    21. Re: Government guilty! by Anonymous Coward · · Score: 1

      That was a secret. Now they'll be called person pages and there will be 58; one for each gender.

      Ding, ding, ding goes tranny.

    22. Re:Government guilty! by fredrated · · Score: 2

      I err on the side of ignorance.

      Then you will never fail.

    23. Re:Government guilty! by Chewbacon · · Score: 1

      But how dare he make the government look STOOPID! That poor schmuck IT fuckwad has found his superior and he'll be damned if it's a 19 year old with less experience than him!

      --
      Chewbacon
      The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
    24. Re:Government guilty! by johnwfran · · Score: 1

      Ignorance of the law is no excuse? I'm not saying it's fair.

    25. Re:Government guilty! by Wrath0fb0b · · Score: 1

      Responsible disclosure is a fundamental principle of ethical security work. It balances the need to give the vendor a time window to fix it, the right of the public to know, and the researcher's right to publish their findings.

      Also, I think it's amusing that you think I'm apologizing for the stupid authorities by calling both the authorities and the kid stupid, when the entire point of my post is that stupidity is neither finite nor conserved. Saying that he is dumb does not imply they are any less dumb. Everyone is dumb! Yay!

    26. Re:Government guilty! by o_ferguson · · Score: 3, Insightful

      However "Responsible Disclosure" only applies when you actually find a vulnerability. This was not a vulnerability. It was coded to work that way, and it did. He didn't break anything, and hence there was no break for him to report.

      --
      - In Soviet Korea, only old people loose all their bases to Natalie Portman's petrified hot grits overlords.
    27. Re:Government guilty! by o_ferguson · · Score: 2

      Yeah but he didn't break the law.

      --
      - In Soviet Korea, only old people loose all their bases to Natalie Portman's petrified hot grits overlords.
    28. Re:Government guilty! by jythie · · Score: 1

      Unfortunately there is this pervasive idea in the more libertarian end of tech that equates ethics with difficulty, thus anything that you can smart your way around is morally acceptable because the other (inferior) side did not work hard enough at stopping you. Sorta an extension of the 'it is only cheating if you get caught' taken to the logical extreme of 'it isn't cheating even if you get caught as long as you used tech to do it'

    29. Re:Government guilty! by BadDreamer · · Score: 1

      The kid was criminally stupid in not reporting the vulnerability through the responsible disclosure contact

      The kid thought this was intended behaviour. As, for that matter, would I if I encountered it.

      He had no idea this was a problem that needed fixing.

      Expecting him to report intended behaviour as a vulnerability, and calling him criminally stupid for failing to do so, borders on criminally stupid.

    30. Re:Government guilty! by beernutz · · Score: 3, Insightful

      Again, you wrote this line verbatim with the verbiage "Criminally" right in it. This might lead someone to think you considered his actions to be... well... "Criminal"

      The kid was criminally stupid in archiving the data instead of working towards fixing the problem

      --
      (stolen from DaBum) I am dyslexia of borg - your ass will be laminated.
    31. Re:Government guilty! by Anonymous Coward · · Score: 1

      I agree, but man pages have nothing to do with gender. It's called a man page because it's short for manual.

      Obviously the word "manual" is sexist, and should be changed to "personual".

      Is that you Justin Trudeau?

    32. Re: Government guilty! by Monster_user · · Score: 1

      This is where I see the line of thinking which led to the charges.

      Suit#1: We've just learned some kid has been maintaining an archive of documents from our server.

      Suit#2: So?

      Suit#1: Some of those documents were not supposed to be published to the public.

      Suit#2: Alright, so we need to have him delete those documents.

      Suit#1: He's a teenager. Who knows where or to whom he's sent those documents? Also, he may not know how to scrub the bits from the drives, simply deleting files does not prevent their recovery. If word gets out that he had that information, other parties may be able to secure that information from his machine. He may already be infected with malware and leaking the data. We do not have control over that machine.

      Suit#2: We need to get control of that machine.

      Suit#1: That will require a warrant, which will require criminal charges.

      Suit#2: Charge him with hacking, get the data secure and the situation contained and under control, and we'll sort out the details later. It is better to beg for forgiveness than to ask for permission when dealing with unknown and untrusted parties.

    33. Re:Government guilty! by q4Fry · · Score: 5, Funny

      I agree, but man pages have nothing to do with gender. It's called a man page because it's short for manual. The command was called man most likely because so many commands were shortened back then to 2 or 3 letters.

      Is this an example of "man splaining" ?

    34. Re:Government guilty! by Wrath0fb0b · · Score: 1

      Doesn't that depend on whether it was coded that way intentionally or by error?

      By your logic, a SQL injection where a web form causes arbitrary commands to be executed against a database is not a vulnerability either because it's "coded to work that way". I think in more clear terms, if it grants the user permissions in excess of those specified by the design, then it's clearly a vulnerability.

      So to go back to these bunch of idiots, it seems that they might have intended to make each request available only to the recipient.
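
The test stated in the comment above (a flaw exists when a request yields more than the design grants), as an added example that is not part of the thread and not the portal's code. It assumes the design the comment guesses at, where a release not cleared for publication is readable only by its requester; all names are hypothetical, and the constructed data set follows the article's approximate figures of 7,000 releases with 250 restricted.

```python
from dataclasses import dataclass


class NotFound(Exception):
    """Raised for a missing release and for one the caller may not read."""


@dataclass(frozen=True)
class Release:
    doc_id: int
    requester: str        # account that filed the request
    cleared_public: bool  # True once approved for general publication
    body: str


def build_store(total=7000, restricted_every=28):
    """Constructed data set: 7000 releases, every 28th (250) not cleared."""
    return {
        i: Release(i, f"user{i}", i % restricted_every != 0, f"release {i}")
        for i in range(1, total + 1)
    }


def fetch_by_id_only(store, doc_id, user=None):
    """Weak form: knowing (or guessing) the number is the only requirement."""
    if doc_id not in store:
        raise NotFound(doc_id)
    return store[doc_id]


def fetch_with_authz(store, doc_id, user=None):
    """Hardened form: the design rule is checked on every request."""
    doc = store.get(doc_id)
    allowed = doc is not None and (
        doc.cleared_public or (user is not None and user == doc.requester)
    )
    if not allowed:
        # Same error as a missing ID, so responses do not reveal which
        # numbers correspond to restricted releases.
        raise NotFound(doc_id)
    return doc


def restricted_obtained(fetch, store, ids, user=None):
    """IDs of non-public releases that `fetch` hands to `user` over `ids`."""
    got = []
    for doc_id in ids:
        try:
            doc = fetch(store, doc_id, user)
        except NotFound:
            continue
        if not doc.cleared_public:
            got.append(doc_id)
    return got


if __name__ == "__main__":
    store = build_store()
    ids = range(1, 7001)
    print(len(restricted_obtained(fetch_by_id_only, store, ids)))  # anonymous
    print(len(restricted_obtained(fetch_with_authz, store, ids)))  # anonymous
    print(restricted_obtained(fetch_with_authz, store, ids, "user28"))
```

With the check in place the numbering can stay sequential: the public releases remain reachable by anyone, and the restricted ones stop depending on nobody trying the next number.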

    35. Re:Government guilty! by Marxist Hacker 42 · · Score: 1

      Uh, were they not FOI releases? So, by definition, released to the public domain to begin with?

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    36. Re:Government guilty! by Marxist Hacker 42 · · Score: 1

      For responsible disclosure, shouldn't there be some indication that the documents were not public?

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    37. Re:Government guilty! by hoggoth · · Score: 2

      You must be a blast at parties

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    38. Re:Government guilty! by elgatozorbas · · Score: 1

      Pro tip. The OP (the "troll") may have been joking...

    39. Re:Government guilty! by gmack · · Score: 1

      96.4% of the files on that server were redacted and there were no access controls whatsoever. How was he breaking the law?

    40. Re:Government guilty! by fustakrakich · · Score: 1

      Voters guilty!

      Of criminal government...

      --
      “He’s not deformed, he’s just drunk!”
    41. Re:Government guilty! by o_ferguson · · Score: 2

      This is a Canadian case. The Queen is presupposed to be free of error. Those aren't bugs. They're undocumented features. Citizens are not to be punished for making use of undocumented features unless they are specifically endangering the Queen's Peace (don't fight me on this I'm an oathed-in Queen's Peace Officer.) I wouldn't have arrested this guy, though, unless he was specifically doing something with that information that is specifically illegal. What he did isn't quite there yet, and should be recognized as such.

      --
      - In Soviet Korea, only old people loose all their bases to Natalie Portman's petrified hot grits overlords.
    42. Re:Government guilty! by suso · · Score: 1

      Or perhaps not everything on Slashdot is meant as a joke. Maybe azcoyote really was trying to make a point, but misunderstanding the origin of man pages. It's not condescending if you're just providing accurate unfiltered facts, regardless of any gender difference. It would be condescending if I said "they called them man pages because woman pages would be too big" or something like that. Obviously man splaining should mean having to explain something to a man, because this is what I'm having to do now.

      I think you're all just trying to justify the joke of man splaining and are annoyed that I'm somehow ruining it.

    43. Re: Government guilty! by Type44Q · · Score: 1

      and I don't see where I indicated that I think his actions were criminal

      The thing is, the word is an adjective as well, even (oddly enough) when you use it as one. Go figure, huh?

    44. Re:Government guilty! by Wrath0fb0b · · Score: 1

      Eh, I have no knowledge of Canadian law and won't comment on it, but responsible disclosure is an ethical standard, not a legal one.

    45. Re:Government guilty! by Wrath0fb0b · · Score: 1

      Responsible disclosure would err on the side of reporting it in case of doubt.

    46. Re: Government guilty! by Type44Q · · Score: 1

      Not being public and not intending them to be public - two different things.

    47. Re: Government guilty! by eaglesrule · · Score: 2

      This is what I think is more likely.

      Suit#1: Someone found a design flaw in the public documents portal that makes us look completely incompetent, and downloaded our data.

      Suit#2: Who?

      Suit#1: Some kid, who happens to be Canadian.

      Suit#2: Well, he's within our reach then. So let's make an example of him, instead of the usual cover up. Let's put on a show by raiding his home with a battalion of officers, and drag him to court under trumped up charges. We'll exaggerate the crime so much that we don't appear to be at fault.

      Suit#1: Hmm. We can call him a hacker and use broadly defined and poorly written statutes to paint him as a criminal. We'll look like we're being tough on crime while sending a message not to screw with us.

      Suit#2: Exactly. What could go wrong.

    48. Re:Government guilty! by o_ferguson · · Score: 1

      and ethics only apply to regulated professional societies in Canada. He shouldn't have done this if he is a doctor or lawyer but he isn't.

      --
      - In Soviet Korea, only old people loose all their bases to Natalie Portman's petrified hot grits overlords.
    49. Re:Government guilty! by Xenx · · Score: 1

      Wouldn't that just make it a man in drag?

    50. Re: Government guilty! by edris90 · · Score: 1

      You can mislabel it all you want, but choosing to connect anything to the net is a known gamble. It's nice and irresponsible not to admit that by partaking of the benefits you are opting into the risk. If you can't afford to have it examined or copied by anyone then you send a trustee with a handcuffed briefcase to relay the info. Y'all network info gamblers need to learn to accept your gambling losses.

    51. Re: Government guilty! by houghi · · Score: 1

      This explains why Emacs has everything and the kitchen sink. That way she knows where the kitchen is.

      (It is a joke about computers, so it is PC correct)

      --
      Don't fight for your country, if your country does not fight for you.
    52. Re:Government guilty! by houghi · · Score: 1

      Yes, Data Protection Acts like the EU GDPR are there to ensure that PII (Personally Identifiable Information) isn't released publicly. However this doesn't mean it won't accidentally be or can't be released.

      Obviously not, but the GDPR explains what needs to be done and the companies with that type of URL would be guilty.
      https://en.wikipedia.org/wiki/... for an interesting read.

      --
      Don't fight for your country, if your country does not fight for you.
    53. Re: Government guilty! by houghi · · Score: 1

      Reminds me when I see emails with a signature that say what I should do if I was not the intended person getting the email.
      It was sent to my email, so I was the intended person, from my point of view.

      The fact that a sender might have made a mistake does not mean I have received it in error.

      --
      Don't fight for your country, if your country does not fight for you.
    54. Re:Government guilty! by Marxist Hacker 42 · · Score: 1

      I see zero reason for doubt. Public documents on a public facing website are discoverable by the public.

      That some idiot in government didn't realize this is not the fault of the hacker.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    55. Re: Government guilty! by Marxist Hacker 42 · · Score: 1

      Public documents on a public facing website are discoverable by the public.

      That some idiot in government didn't realize this is not the fault of the hacker.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    56. Re:Government guilty! by Reziac · · Score: 2

      And as everyone knows, women don't come with manuals.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    57. Re:Government guilty! by elpgrrrl · · Score: 1

      "The kid was criminally stupid in not reporting the vulnerability through the responsible disclosure contact"
      Neither he, you nor I are under any such obligation and how he accessed the data was neither vulnerability nor crime.
      "The kid was criminally stupid in archiving the data instead of working towards fixing the problem"
      The problem is not his to "fix" and archiving the data is not a crime which could have been done by any number of spiders and bots incl The Wayback Machine.

      Stop being an apologist for the criminally stupid authorities and their heavyhanded overreach

      It sounds like many people knew of this vulnerability generally. Therefore, that IT group should have known it was an issue from the start. Sounds like this fellow is a collector like the poor sod who glommed the articles from JSTOR (prosecuted under Computer Fraud and Abuse Act of 1986 (CFAA) U.S. vs. Swartz.) He eventually committed suicide, I believe. JSTOR ended up releasing its archives to the public, and MIT (as much as corporately and humanly possible) did some heavy duty "soul-searching." see: https://www.theawl.com/2011/08/was-aaron-swartz-stealing/

    58. Re:Government guilty! by Wrath0fb0b · · Score: 1

      I agree it's not the fault of the hacker.

      But if my neighbor leaves his hose on and floods his back yard, I will knock on his door and ask if he is building a pond or made a mistake. If it's a pond, I will smile and say "OK great!".

      If it's not intentional, then it's not at all my fault that he is an idiot and left the hose on. But I will have done the right thing, rather than you seeming to think that "Well, if anyone ever is an idiot and leaves a hose on that means he's actually building a pond".

  2. Edit Address Line Is Not Hacking by rtb61 · · Score: 5, Insightful

    Let's be clear, editing the address line is not hacking, not in any way, shape or form. A user name and password request and getting past that is. Editing your address line on your computer and the distant server allowing it, is a fault of that distant server. A request for access was made and it was legally given, the government is screwed and a penalty should be applied for false prosecution. Strictly their fuckup, they made that information publicly accessible without any restriction and they are fucking liars and fraudsters trying to pin their incompetence on someone else. It is not a crime to edit your address bar, it is strictly their fuck up that caused it. No user name, password request and your web site is public facing, that data is free to download, you just gave it away free from all encumbrances. No different to randomly running IP addresses to download whatever you want. No layer of security, no fucking crime, they are cunts blaming someone else for their incompetence and the victim should sue the crap out of them after this is over.

    --
    Chaos - everything, everywhere, everywhen
    1. Re:Edit Address Line Is Not Hacking by DNS-and-BIND · · Score: 3, Informative

      You entirely miss the point. If this was a government fuckup, then someone in government is responsible. Someone senior, whose job it was to make sure these things don't happen. Someone who was given an adequate amount of money for the task. There might need to be an audit to see how this money was spent, and this must never be allowed to happen.

      If this is classed as a security breach, this official's career (and everyone's career she has a mentor relationship with) is in danger. However, if it was a dirty hacker, then everyone can breathe easy: the excellent system we built was victimized. Prosecute, slap him in jail, and relax. Crisis averted. Nobody need be reassigned or demoted.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    2. Re:Edit Address Line Is Not Hacking by Anonymous Coward · · Score: 5, Insightful

      No layer of security, no fucking crime

      My leaving my front door unlocked does not mean you aren't guilty of breaking and entering if you open the door, walk in, and take something that isn't yours.

      Idiot.

      Web servers do not work that way.

      You don't go into the web server and take something. The web server sends it to you.

      The more apt analogy would be that I asked for something I didn't own and you mail it to me. It can't be stolen since you honored the request to send it to me.

      What are you going to compare it to next? rape? Someone getting unsecured files from a server is like raping you in the ass?

    3. Re:Edit Address Line Is Not Hacking by religionofpeas · · Score: 1

      take something that isn't yours.

      He didn't do that. He downloaded articles on a public facing web server.

    4. Re:Edit Address Line Is Not Hacking by bickerdyke · · Score: 1

      But it's not breaking and entering if the open door belongs to a store. Unlocked store doors usually are an invitation to enter and look around. Publishing something on the internet is usually more comparable to an open store door than an unlocked house door. In general

      However, here he knew that those documents were not there for public availability, so I don't mind if he gets sued and sentenced. However, whoever left the documents with personal data out in the open should feel severe consequences, too. Just because one side probably did commit some minor misdemeanor does not mean that the other party is free of guilt.

      If you don't lock your door you will have to face consequences, too. At least from your insurance. Over here, leaving your car unlocked is even fineable

      --
      bickerdyke
    5. Re:Edit Address Line Is Not Hacking by TheReaperD · · Score: 4, Insightful

      I think the door analogy would go something like this: I go into a public government building and the information I need is in open door A and then I see open doors B, C, D, E, etc and go "huh, I wonder what's behind this open door in a public building" (with no warning/forbidden signs) and then someone tries to arrest me for breaking and entering.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
    6. Re:Edit Address Line Is Not Hacking by gravewax · · Score: 1

      sweet sounds like a great defence. No your honour I am not a hacker, all I did was sending carefully crafted packets to a server, it is not my fault it responded and gave me root access.

    7. Re:Edit Address Line Is Not Hacking by lindseyp · · Score: 1

      Try typing random URLs ending in /.. and see how long it takes the internet police to be called on you.

      --
      j'ai découvert une démonstration vraiment admirable (de ce théorème général) que cette si
    8. Re:Edit Address Line Is Not Hacking by TheReaperD · · Score: 2

      Except, there was no authentication required and no attempt to scramble the addresses on a public facing server. Therefore, the data was open for public viewing and likely indexed on Google if anyone wanted to do a search. Yes, the government didn't intend for it to be public view but, that's their fuckup. It's time to stop trying to prosecute people for other people's mistakes because "we're the government."

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
    9. Re:Edit Address Line Is Not Hacking by religionofpeas · · Score: 1

      after connecting a computer to the MIT network in an unmarked and unlocked closet,

      How is that the same as downloading from a public facing web server ?

    10. Re:Edit Address Line Is Not Hacking by Anonymous Coward · · Score: 1

      here he knew that those documents were not there for public availability

      He may have found it odd that they were publicly available. He may have expected that someone would change their mind and take them down. Downloading things that may not remain available is relatively normal behavior. It does not show that someone believed the files to be available in error.

      You access files all the time without being given explicit permission. Oh, Google had a link to it? That doesn't give you permission. Oh, someone else linked to it? Nope, not a permission. Oh, but the page looked like it was made for you? I'm sure every one of the pages that this archivist accessed looked exactly as inviting. If I post something to Slashdot to make a note for myself, are you breaking the law when you access what I didn't mean to publish? No, I don't get to decide that publishing is not publishing, and neither does Canada.

    11. Re:Edit Address Line Is Not Hacking by famebait · · Score: 2, Insightful

      Your analogy is broken in so many ways I don't know where to start.
      Here's a better one:

      You display a public announcement by scribbling it on the top sheet of a flipover pad you have lying around.
      You nail the whole thing to your wall, and don't even try to secure the bottom corners.
      A passer-by peeks at the next sheet.
      No crime.
      Move along.

      --
      sudo ergo sum
    12. Re:Edit Address Line Is Not Hacking by jargonburn · · Score: 5, Insightful

      This is more like having a public reference book in a library, where you've been directed to page #1577 for the information you were seeking. You check and it's there. Cool. Then, you decide you're curious to read what's on the other pages.

    13. Re:Edit Address Line Is Not Hacking by religionofpeas · · Score: 1

      Which TOS exactly ?

    14. Re:Edit Address Line Is Not Hacking by ckatko · · Score: 1

      And war is peace.

    15. Re:Edit Address Line Is Not Hacking by JaredOfEuropa · · Score: 2

      Exactly. In real life it is pretty much always clear whether we are dealing with a store or a private home, and we are expected to act accordingly. When online, things are not so clear; on many web services it's perfectly fine to manually enter a document ID at the end of a URL.

      The law over here states that 'unauthorized use of a computer' means that one knowingly accesses a computer system without permission, and that means that in many cases (such as on a public web service) privileged information has to be marked as such explicitly with a notice, or implicitly by protecting it with a login screen. I doubt this kid would even get a conviction here; even if it is shown that he should have reasonably known that the information wasn't public, he'd still get off very lightly (small fine or community service which might be suspended) since the information wasn't protected in any way, and no harm was done otherwise.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    16. Re:Edit Address Line Is Not Hacking by mishehu · · Score: 1

      A very poor analogy. A webpage is more akin to living inside a house made of transparent glass. Everybody on the street can see inside, and nobody actually has to breach the walls of your house to know your activities. A subset of your webpage is like having the bathroom be the one room that is not transparent, which would be akin to some sort of authentication method. Doesn't sound like there was any real attempt at this authentication layer, so the house basically remained 100% transparent. That the user stood at the street for hours recording everything that happened in the house does not a trespass make.

    17. Re:Edit Address Line Is Not Hacking by Lennie · · Score: 1

      However, downloading terabytes of data instead of reporting the problem is an issue.

      --
      New things are always on the horizon
    18. Re:Edit Address Line Is Not Hacking by Anonymous Coward · · Score: 1, Insightful

      Idiot.

      That's always a good sign that a considered and informed response is about to follow ...

      Web servers do not work that way.

      You're missing the point. OP didn't claim that web servers work like that. He was refuting the obvious nonsense that lack of security precludes the possibility of criminal wrongdoing.

      The more apt analogy ...

      Again, OP didn't make an analogy, he pointed to a situation which successfully disproved the contention: "No layer of security, no fucking crime." And in any case, we'll leave it to the courts to determine if there was any fucking crime.

    19. Re:Edit Address Line Is Not Hacking by dunkelfalke · · Score: 1

      Which is a breach of contract, a civil offence.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
    20. Re:Edit Address Line Is Not Hacking by Anonymous Coward · · Score: 2, Insightful

      And then only if the contract doesn't contradict the law. For example if a TOS says you have to give them your first born, that doesn't mean they can make you do that.

    21. Re:Edit Address Line Is Not Hacking by Anonymous Coward · · Score: 1

      the exact same argument can be made for directory traversal attacks or a myriad of other attacks. the point is intentionally modifying the URL has been used to exploit servers and bypass security for years and it has been a prosecutable offense under various laws for gaining unauthorised access for years and many people have been successfully prosecuted for it.

    22. Re:Edit Address Line Is Not Hacking by drinkypoo · · Score: 2

      Of course it's hacking. It's using software in a way in which it was not intended for your own purposes, what else do you call it? What it isn't is cracking. He didn't defeat any protection, because there was no protection. It's the difference between trespass, and breaking and entering. In the first, you're just someplace you're not supposed to be. In the second, you defeated a protection device to get there. This is equivalent to trespass, not B&E.

      The appropriate harshness of the punishment is a separate issue. No harm, no foul. Small harm, small foul. Big harm, big foul. This seems to fall into one of the two categories.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    23. Re:Edit Address Line Is Not Hacking by houghi · · Score: 1

      It might be a problem, but is it a crime? Bit like me sleeping with the SO of a friend. Not something you should do, and extremely asshole-ish but it is not illegal either.

      --
      Don't fight for your country, if your country does not fight for you.
    24. Re:Edit Address Line Is Not Hacking by K.+S.+Kyosuke · · Score: 1

      Except there is no door in the first place with HTTP GET requests willingly served to the public, locked or otherwise.

      --
      Ezekiel 23:20
    25. Re:Edit Address Line Is Not Hacking by Anonymous Coward · · Score: 5, Insightful

      What a pile of shite.

      As one of the ACs in the thread above pointed out this is the wrong analogy. The server authorized the request and sent the data. A more accurate analogy would be: "I go into a public government building and ask the clerk for document #252, he says sure and hands it over. I then ask him for every other number that I can think of and he keeps saying sure, and handing them over". Your attempt at an analogy removes agency, but the web server was configured to make the information publicly available.

    26. Re:Edit Address Line Is Not Hacking by Sduic · · Score: 1

      Then, you decide you're curious to read what's on the other pages.

      This is why page tables don't work on the honour system.

      --
      *this space intentionally left blank
      "One of the four pointers saying 'come and see', and I saw, and beheld a white
    27. Re:Edit Address Line Is Not Hacking by novakyu · · Score: 1

      Unless your conduct then rises to a level of "unauthorized access," because the TOS is what gave you authorization and by breaking it, you were no longer authorized. Rightly or wrongly, there are laws that make this kind of conduct a criminal offense, which is why I said what the "archivist" did was at least very stupid (no lawyer would have advised him to do what he did, at least not without hiding his tracks).

    28. Re:Edit Address Line Is Not Hacking by AmiMoJo · · Score: 1, Insightful

      In this case though the documents returned contained personal information, which I believe has some protection in Canada. So the first time it's fine, it was clearly a mistake by the web server and you should report it.

      What isn't fine is exploiting that flaw to harvest large amounts of personal data from the system. Just because you found the debug mode on the vending machine that makes it dispense free coke doesn't mean it's okay to take all the coke.

      Your example of requesting someone mail you a document actually counters your argument. If you ask for someone else's records by writing their social security number on the request, even though it's stupid to rely on just that number for "authentication" you still committed fraud. The first time you might claim it was a genuine mistake, but the jury probably won't buy that you make 2000 consecutive mistakes.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    29. Re:Edit Address Line Is Not Hacking by Barefoot+Monkey · · Score: 1

      Why would you report it as an issue if it appears to be the intended behaviour?

    30. Re:Edit Address Line Is Not Hacking by Anonymous Coward · · Score: 1

      Idiot.

      You've clearly stated your own level in the debate, haven't you?

      I think the analogy isn't too far off, but even if it were a poor analogy, it still remains a criminal offence to take something that isn't meant for you, if you are in any way likely to know that it isn't for you. There is no doubt, I think, that this guy knew these documents were not meant for him to see. I don't see how there can be a discussion about this at all - it is kind of elementary. In fact, your argumentation is very similar to when some low-level psychopath declares that their victims' money or valuables were "begging to be stolen", because the owner was so foolish as to trust the perpetrator.

    31. Re:Edit Address Line Is Not Hacking by AmiMoJo · · Score: 1

      Okay, but what if you find stacks of other people's personal data behind those doors, and it is obvious that it is not supposed to be available to just anyone?

      If you reported the mistake you would be fine. If you went systematically through every door and make copies of other people's personal data for your own "archive"... Well, at best you could argue that you didn't realize the privacy law implications and thought that those documents were public records. And then it's down to if anyone believes you.

      In this case since these were FOI requests the ignorance argument might be enough to avoid punishment. Chances are he didn't read even 1% of the documents he downloaded and the ones he saw might have been benign. But then again, he might have seen people requesting information about personal matters that they clearly wouldn't want made public.

      Personally I don't think prosecuting him is the right thing to do, but it's far from as clear cut as some people seem to think. There may be other issues here too, if he felt the need to archive terabytes of 4chan...

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    32. Re:Edit Address Line Is Not Hacking by e70838 · · Score: 1

      Even guessing login/password is not hacking if they are simplistic. There was the case of a guy who hacked into the site (a minitel site in France) that contains the telephone number of important people. He used it to give the telephone number of the president to a radio station that called him live on air. The guy was never sent to a judge because the login/password were: aa/ab

    33. Re:Edit Address Line Is Not Hacking by CrimsonAvenger · · Score: 1

      My leaving my front door unlocked does not mean you aren't guilty of breaking and entering if you open the door, walk in, and take something that isn't yours.

      Actually, in many (if not most) places, it does mean exactly that. Illegal entry you may have done. Theft, petty or not so petty, likewise. The "Breaking" part? Nope. That has a legal meaning, and walking into an open front door does NOT count....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    34. Re:Edit Address Line Is Not Hacking by Megol · · Score: 1

      No this was a good description of the post he (?) responded to.

      This is like a library. You ask for help to locate a book and get directed to a certain shelf and a number on that shelf. You read that book and then see that there are books beside it. You read them too. No crime has been committed. Nothing is stolen. That someone included sensitive information in some books isn't your doing and not your responsibility. You aren't legally required (though perhaps morally so) to inform the librarians that sensitive information is out in the open, they should already know that unless they are incompetent anyway.

      Note however that many countries have laws against knowingly spreading sensitive information to others even if getting that information is fully legal.

    35. Re:Edit Address Line Is Not Hacking by Anonymous Coward · · Score: 1

      Hand the judge a stack of paper, and if they so much as look at the second page, tell them you only meant them to look at the first page, but they hacked your stack of paper.

    36. Re:Edit Address Line Is Not Hacking by l0n3s0m3phr34k · · Score: 1

      it was clearly a mistake by the web server

      I don't think you understand the definition of "mistake". LTFTFY: "an action or judgment that is misguided or wrong". This wasn't a mistake, the web server did EXACTLY WHAT IT WAS PROGRAMMED TO DO. The server didn't have an error, or make a misguided judgment. The human programmer did; I'm guessing their project requirements didn't specify NOT to do this. It's not really even a "flaw"; it's just bad programming. It's not "debug code".

    37. Re:Edit Address Line Is Not Hacking by edtice1559 · · Score: 2

      We've seen people get in trouble for reporting this mistake. At least when it comes to security lapses (Not really an apt term here since there was no security to begin with), the safe thing to do is just to walk away. I would never report a security defect unless I had a written contract to be doing penetration testing. You could argue that's not very social or responsible but I'm not taking any personal risk to help some other negligent entity who may come back and sue or prosecute me for it.

    38. Re:Edit Address Line Is Not Hacking by AmiMoJo · · Score: 2, Insightful

      Actually yes, if you discovered such a flaw and exploited it to get lots of free coke, you likely would be prosecuted for theft.

      You know, like how fraud is still fraud even if the victim agreed to it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    39. Re:Edit Address Line Is Not Hacking by ceoyoyo · · Score: 1

      Canada has pretty strong privacy laws. It may be your responsibility to delete and possibly report protected data that have come into your possession.

    40. Re:Edit Address Line Is Not Hacking by Lord+Kano · · Score: 1

      My leaving my front door unlocked does not mean you aren't guilty of breaking and entering if you open the door, walk in, and take something that isn't yours.

      If your door is unlocked but closed, yes that's breaking and entering; but if your door is open, it's not breaking and entering. He is guilty of burglary and criminal trespassing.

      LK

      --
      "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    41. Re:Edit Address Line Is Not Hacking by StormReaver · · Score: 1

      Of course it's hacking. It's using software in a way in which it was not intended for your own purposes....

      He was using the site EXACTLY as it was intended to be used: ask the system to provide information associated with some number at the end. This was not exploiting some unintended consequence to make the system behave in an unusual or unforeseen manner. This was making the computer system act in EXACTLY the manner the developer(s) intended.

      If the Government wants to keep information private, the Government should place some form of security in front of it. As it is, there was (is?) NO security in front of the information.

      If the Government wants to limit how much strain a single remote host imposes on the server, then the Government should place some firewall rules on the server. As it is, there were NO access controls on the server. It is therefore completely reasonable to assume that the Government intended for the information to be readily accessible to all guests.

      This kid did absolutely NOTHING wrong.
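
Added example, not part of the comment thread: the pattern the comments above argue over (a record number at the end of a URL, served with no access check) next to a handler that authorizes each record, plus a log check that flags one client walking consecutive IDs. The `/document?id=N` URL shape, the records and the log lines are constructed assumptions, not details of the Nova Scotia portal.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str    # account that filed the request
    public: bool  # True only once the release is cleared for everyone


# Constructed sample records (hypothetical, for illustration only).
DOCS = {
    251: Document(251, "alice", True),
    252: Document(252, "bob", False),   # contains the requester's personal data
    253: Document(253, "carol", True),
}


def fetch_unchecked(doc_id: int):
    """The pattern under discussion: a known ID is the only requirement."""
    doc = DOCS.get(doc_id)
    return (200, doc) if doc else (404, None)


def fetch_authorized(doc_id: int, user: Optional[str]):
    """Decide per record: public releases for anyone, private ones for the owner."""
    doc = DOCS.get(doc_id)
    if doc is None:
        return 404, None
    if doc.public or (user is not None and user == doc.owner):
        return 200, doc
    # Design choice: answer like a missing record so the response
    # does not confirm that a private document exists under this ID.
    return 404, None


# Common-log-style line; only client address, document ID and status are used.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /document\?id=(\d+) HTTP/[\d.]+" (\d{3})'
)


def longest_sequential_run(ids):
    """Length of the longest stretch where each ID is the previous one plus 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumeration(log_lines, threshold=5):
    """Map each client to its longest consecutive-ID run, if >= threshold."""
    per_client = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            per_client[m.group(1)].append(int(m.group(2)))
    flagged = {}
    for client, ids in per_client.items():
        run = longest_sequential_run(ids)
        if run >= threshold:
            flagged[client] = run
    return flagged


# Constructed log lines using documentation-range addresses.
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Jan/2024:10:00:{i:02d} +0000] '
    f'"GET /document?id={1000 + i} HTTP/1.1" 200'
    for i in range(7)
] + [
    '198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "GET /document?id=251 HTTP/1.1" 200',
    '198.51.100.7 - - [01/Jan/2024:10:09:12 +0000] "GET /document?id=4410 HTTP/1.1" 200',
    '198.51.100.7 - - [01/Jan/2024:10:15:30 +0000] "GET /document?id=252 HTTP/1.1" 200',
]

if __name__ == "__main__":
    print(fetch_unchecked(252)[0], fetch_authorized(252, None)[0])
    print(flag_enumeration(SAMPLE_LOG))
```

The log check only tells an operator that a walk is happening; the per-record decision in `fetch_authorized` is what keeps a private release from being served in the first place.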

    42. Re:Edit Address Line Is Not Hacking by stealth_finger · · Score: 1

      No layer of security, no fucking crime

      My leaving my front door unlocked does not mean you aren't guilty of breaking and entering if you open the door, walk in, and take something that isn't yours.

      Unauthorised entry maybe, breaking and entering? Nope, you left your front door open after all. Besides the actual crime there is the theft, someone could just walk in look around and leave, or make copies of your shit and leave the original or any number of things that the lack of security enabled, which is essentially why we have security. Picking something that is not yours up off the street is a lot different to breaking into a vault.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    43. Re:Edit Address Line Is Not Hacking by xvan · · Score: 1

      I understood that they found the evidence among terabytes of hoarded "data" like 4chan posts.

    44. Re:Edit Address Line Is Not Hacking by Falos · · Score: 1

      Your front door is property designated private.

      A server openly offering files is more like reading your browser history after it became stapled to the town noticeboard. Whether you "accidentally" stapled it or another actor did is also immaterial.

      GP went too far in assuming that no security = no designation = morally in the wild. I would accept that a "this document is restricted to [dept] eyes only" stamp qualifies. But that's my moral opinion - an insurance policy could accuse you of having effectively released the information. And that accusation would hold in court.

      Data is a contagion. Knowledge is either quarantined or In The Wild. If you or a group wants to behave like you own information, it'll need to be in the former.

      That's not a moral opinion, that's logistics. They're trade secrets, not trade dibs.

    45. Re:Edit Address Line Is Not Hacking by JMJimmy · · Score: 1

      Canada has laughable privacy "principles" they aren't even strictly laws. Harper introduced so many changes to communication laws which now include something along the lines of "except for the purposes of gathering evidence" that the government can invade your privacy pretty much whenever they want.

      The Privacy Act for government protecting your privacy is more of a tool to protect the government from disclosure of documents it doesn't wish to disclose.

    46. Re:Edit Address Line Is Not Hacking by rickb928 · · Score: 1

      "The server authorized the request"

      When you anthropomorphize the server, you describe a circumstance that does not exist. The server didn't 'authorize' as you or I might, it responded to the request as programmed, delivering data as expected given the nature of the well-crafted request.

      A better analogy might be that you are given a number and are waiting in line to be assisted. You have two questions, however, and since you see no one in line, you offer the next number also, and so get a second answer. And a third. Mind you, the server would happily use the same number over and over to deliver results, but you see the process and take advantage of it to acquire information you ordinarily would need to specifically ask for, and from some other authority than the server code.

      And I do think this is an example of poor security and controls, misplaced blame, and possibly even a revealing incident exposing the problems of making private information available to allegedly 'public' requests. If a FOIA request in the US is honored, usually PII is redacted unless it is the point of the request, and then it's not private any more... In Canada, I dunno, but I bet it's similar for similar reasons. And has been well described here, if you're not securing it, you're doing it wrong. Not them. You.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    47. Re:Edit Address Line Is Not Hacking by bobbied · · Score: 1

      here he knew that those documents were not there for public availability

      He may have found it odd that they were publicly available.

      ACTUALLY.... My guess is he never actually looked at any of these documents. Just a guess, but given the size of this kid's archive, I'm guessing he had a bot doing most of the collecting and never actually took the time to read everything he was fetching and in a programming short cut his bot generated URL's to fetch by modifying known good URL's.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    48. Re:Edit Address Line Is Not Hacking by Anonymous Coward · · Score: 1

      Well technically it is still a crime if he has no authorization to hand it to you it's just a different crime and you suddenly have a co conspirator

      And then there is a question about what he did with the information because while getting the personal information might have been legal making it searchable even for personal use might constitute a crime.

    49. Re:Edit Address Line Is Not Hacking by cascadingstylesheet · · Score: 1

      Let's be clear, editing the address line is not hacking, not in any way, shape or form.

      Well, to be annoyingly pedantic, there's a line somewhere - for example, you can (though certainly shouldn't) have a session key in a URL, for example ...

      This situation in TFA is, of course (or should be, anyway), far far on the legal side of the line.

    50. Re:Edit Address Line Is Not Hacking by gmack · · Score: 1

      That assumes he even realized he downloaded private info. Most of the documents were not private.

    51. Re:Edit Address Line Is Not Hacking by fuzznutz · · Score: 3, Informative

      Except, here in Belgium it is also illegal to leave your car behind unlocked.

      Yes, misuse should be punished, but negligence as well...

      And in my state it is illegal to start your car and let it warm up in the driveway unless you sit inside it. It can be -20F and covered in ice, but you can be fined for "puffing" your car. Just because something is illegal, doesn't mean it should be illegal.

    52. Re:Edit Address Line Is Not Hacking by stealth_finger · · Score: 1

      No, that's a facetious comparison.

      An apt comparison would be:

      1) Going to city hall. 2) Asking to see a public court record by case number. 3) They hand you a microfilm holding that case and others. 4) You decide to pay for photocopies of everything on the roll instead of just the case number you originally asked about.

      There's no trespassing involved in this situation, but somehow because it's "on a computer" suddenly you can go to prison for a decade and have every computer in your house taken even if they're not yours and you've never touched them before?

      - WolfWings, too lazy to login to /. in far too long.

      No, it's asking for document 1, then asking for document 2 etc. Not realising you have everything and just need to look. It's not the kid's fault no one checked if he was allowed what he asked for. You can't even assume the kid knows that or if he did is even sure after it willingly gives him loads of documents no questions asked.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    53. Re:Edit Address Line Is Not Hacking by ceoyoyo · · Score: 1

      As someone who has to operate in compliance with the privacy act, I can assure you it is not laughable, and is definitely a law, in the strict sense. Clearly you're aware of this, since you used the proper name, with capitalization, "Privacy Act."

    54. Re:Edit Address Line Is Not Hacking by EvilSS · · Score: 1

      How soon we forget.... AT&T Hacker 'Weev' Sentenced to 3.5 Years in Prison

      Andrew Auernheimer, 26, of Fayetteville, Arkansas, was found guilty last November in federal court in New Jersey of one count of identity fraud and one count of conspiracy to access a computer without authorization after he and a colleague created a program to collect information on iPad owners that had been exposed by a security hole in AT&T's web site.

      The two essentially wrote a program to send Get requests to the web site.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    55. Re:Edit Address Line Is Not Hacking by EvilSS · · Score: 1

      It might be a problem, but is it a crime? Bit like me sleeping with the SO of a friend. Not something you should do, and extremely asshole-ish but it is not illegal either.

      In Canada? Who knows. Now if he were in the US, then yes, it's a crime.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    56. Re:Edit Address Line Is Not Hacking by onepoint · · Score: 1

      >> let's be clear editing the address line is not hacking, not in any way, shape or form

      No, it is hacking in all the classical sense. Dumpster diving to get the book, moving alligator clips from one set of points to another... same idea just not classical 2600 type hacking

      --
      if you see me, smile and say hello.
    57. Re:Edit Address Line Is Not Hacking by anegg · · Score: 4, Insightful

      Am I hacking the system if I use my remote control to sequentially access channels on my DirecTV system instead of using the DirecTV directory?

      Am I hacking the system if I conduct a (legitimate) telephone survey by progressing through the phone numbers for a given area code/prefix sequentially instead of using a telephone directory organized by name that translates to a telephone number?

      Am I hacking the system if I go trick-or-treating by house number up and down the block instead of using the HOA directory to find people in my neighborhood by name then go to their address?

      The individual in question didn't evade any controls on the access to the information. He scanned the information that was made freely available by sequentially stepping through the information addresses rather than going through a central directory. The idea that the mere existence of a central directory makes it illegal to scan publicly available addresses directly to access unsecured information is ridiculous. The URL address system is a well-known public interface for accessing information. If the URL address system contains an obvious regular pattern, it is well within reasonable expectations that a) individuals will notice this regular pattern, and b) use the regular pattern to optimize their access to the information. The fact that every single web browser exposes the URL and allows direct manipulation of the URL suggests that URLs are not only capable of being used in this way, but that the original protocol designers and implementors intended for it to be used in this way.

    58. Re:Edit Address Line Is Not Hacking by flink · · Score: 1

      And in my state it is illegal to start your car and let it warm up in the driveway unless you sit inside it. It can be -20F and covered in ice, but you can be fined for "puffing" your car. Just because something is illegal, doesn't mean it should be illegal.

      Seriously? That's idiotic. What if you are caring for an infant? You can't bring a kid out in -20 weather to sit in a cold car, and you can't leave them unattended to sit in the car while it warms up. Fuck that law.

    59. Re:Edit Address Line Is Not Hacking by AmiMoJo · · Score: 1

      I agree, if they don't have a published bug bounty scheme to indicate they have a clue and welcome reports it's not worth the risk of contacting them. Since it's a government web site an anonymous tip to a journalist might be a better idea.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    60. Re:Edit Address Line Is Not Hacking by cascadingstylesheet · · Score: 1

      sweet sounds like a great defence. No your honour I am not a hacker, all I did was sending carefully crafted packets to a server, it is not my fault it responded and gave me root access.

      Yes, there is certainly a line somewhere.

      You can (though shouldn't) have a session ID in the URL, for example. Is spoofing that to get stuff you shouldn't OK too?

      Whether the line can be drawn at document.aspx?id=X+1 is the question ...

    61. Re:Edit Address Line Is Not Hacking by ooloorie · · Score: 2

      My leaving my front door unlocked does not mean you aren't guilty of breaking and entering if you open the door, walk in, and take something that isn't yours.

      But if you are a public government office and the front door is unlocked, people may assume that they are free to enter. And if you then have documents sitting there right on a table that says "public information" when people come in, people may assume that they can read them.

      Now, how about a car analogy?

    62. Re:Edit Address Line Is Not Hacking by houghi · · Score: 1

      It might be for the person who I do the act with. I am not married, so I am allowed to do it. (Still an asshole thing to do, but not illegal)
      In the US adultery is a felony in 16 states https://www.womansday.com/rela... So in most of the US it is not illegal as such. That does not mean that you do not lose your house if you do it AND have to pay, but that is for breaking a contract, not because the act itself is illegal.

      --
      Don't fight for your country, if your country does not fight for you.
    63. Re:Edit Address Line Is Not Hacking by thegarbz · · Score: 1

      So were the doors. The GP's analogy was fine. The other one was frigging stupid because it implied something criminal (taking something which didn't belong).

    64. Re:Edit Address Line Is Not Hacking by thegarbz · · Score: 1

      All these analogies are stupid because this is Slashdot and they don't involve cars.

    65. Re:Edit Address Line Is Not Hacking by Sperbels · · Score: 1

      It's obvious that a coke machine giving out free cokes is malfunctioning and you're receiving a product you didn't pay for. It's not obvious though that changing a few lines of a URL to download a different set of data is a crime, if it even is. Changing the URL a little is literally what every single web request is.

    66. Re:Edit Address Line Is Not Hacking by Joe_Dragon · · Score: 1

      so I'm ok to call each number in sunnyvale california? and then log on to any system that picks up?

    67. Re:Edit Address Line Is Not Hacking by Pollux · · Score: 1

      My leaving my front door unlocked does not mean you aren't guilty of breaking and entering if you open the door, walk in, and take something that isn't yours.

      Web servers do not work that way. You don't go into the web server and take something. The web server sends it to you. The more apt analogy would be that I asked for something I didn't own and you mail it to me. It can't be stolen since you honored the request to send it to me.

      The more apt analogy would be that a public web server is just like a public business. Everything is assumed public unless clearly marked otherwise. Starbucks aside, I can't be arrested for being in a store during normal store hours. However, I can be arrested for breaking & entering if I enter the building outside normal business hours, especially if the front door is locked. I can also be arrested for trespassing if I go through the door clearly labeled, "For Employees Only". I can also get arrested if I am asked to leave an area, but I choose not to. In each case, it's the store's responsibility to instruct me where I am not permitted to go as a patron. And web servers must do the same.

    68. Re: Edit Address Line Is Not Hacking by Monster_user · · Score: 2

      This needs an upvote.

      No security does not mean no crime, but it also does not indicate that a crime occurred.

      How can one break a law which does not exist? For a law to be broken there has to be some indicator of an attempt to bypass restrictions. Accessing publicly available information in accordance with previous means supplied (the URL), does not indicate an attempt to bypass or circumvent restrictions. The situation here would be like saying finding a library book by using its letter of the alphabet and classification instead of requesting assistance from the Librarian.

    69. Re:Edit Address Line Is Not Hacking by anegg · · Score: 1

      I think you are ok to call each number in Sunnyvale California as long as your calls are for a legitimate purpose; one of those legitimate (allowed by law) purposes (for example) is to conduct a telephone survey. If you are calling each of those numbers to find data protocol interfaces that you will then attempt to exploit illegally, then no, you would not be ok. You would probably be on shaky ground dialing those numbers just to search for data protocol interfaces. The original scenario is about enumerating an index in a URL for the purpose of accessing published records, not searching through a URL space for system vulnerabilities to exploit. I am contending that such usage was envisioned by the original protocol creators and is explicitly enabled by every single public tool that implements the protocol, and is therefore a reasonable use of the protocol.

    70. Re:Edit Address Line Is Not Hacking by Actually,+I+do+RTFA · · Score: 1

      editing the address line is not hacking, not in any way, shape or form. A user name and password request and getting past that is.

      Technically, most username/passwords are handled via the address line (or can be), thus making the second case a subset of the first. Either supplying credentials via GET or prior to the domain.

      --
      Your ad here. Ask me how!
    71. Re:Edit Address Line Is Not Hacking by edtice1559 · · Score: 1

      I'm not sure I would even do that. It's a much smaller risk, but it's still a risk. Next thing you know, they prosecute the journalist and then start looking for the source. If there is a bug bounty program, I'd gladly report and take the payment. If there's not, I might be able to find a black market buyer. But it would need to fetch a price high enough to justify the risk. Admittedly selling in the black market is much less risk than responsible disclosure but it is still some risk and the standard risk/reward equations come into play. For a reward of zero, well, the risk I'm willing to take is zero. I don't like that this is the world we live in. But denying reality won't change it.

    72. Re:Edit Address Line Is Not Hacking by SuiteSisterMary · · Score: 1

      Well, even there, I would argue that yes, there's a difference between "Give me document 12345, my name is BobHoward and my password is 'Alpha Niner Tango Five'" and "Give me document 12345."

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    73. Re:Edit Address Line Is Not Hacking by q4Fry · · Score: 1

      My leaving my front door unlocked does not mean you aren't guilty of breaking and entering if you open the door, walk in, and take something that isn't yours.

      But if you are a public government office and the front door is unlocked, people may assume that they are free to enter. And if you then have documents sitting there right on a table that says "public information" when people come in, people may assume that they can read them.

      Now, how about a car analogy?

      Your analogy is better than GP's, but this is a little more like a public government office with a sign that says "Documents available in cabinets 3-17." You might see cabinets 1 and 2 in the same room. You might even open one and see that it contained information about some of your neighbors at their behest...

      But you might not photograph every document in those two cabinets and take them home with you. Unless perhaps you're a voyeur, an asshat, or an extortionist. If you're a responsible adult, you might even suggest to the clerk that they should lock the cabinets.

      I don't know that this wanker needs any jail time, but I'm not against a strong warning. Also, the government needs to start locking the cabinets.

    74. Re:Edit Address Line Is Not Hacking by JMJimmy · · Score: 1

      The former was referring to PIPEDA which is a set of principles, meaning there's still some question as to whether or not they are in fact laws or something legally meaningless like "guidelines"

    75. Re:Edit Address Line Is Not Hacking by fuzznutz · · Score: 1

      Seriously? That's idiotic. What if you are caring for an infant? You can't bring a kid out in -20 weather to sit in a cold car, and you can't leave them unattended to sit in the car while it warms up. Fuck that law.

      You're preaching to the choir. In practical terms, it's rarely enforced unless someone has their car stolen. Then the cops add insult to injury by fining the victim.

    76. Re:Edit Address Line Is Not Hacking by ooloorie · · Score: 1

      but this is a little more like a public government office with a sign that says "Documents available in cabinets 3-17."

      No, it's really more like a public government office with a room that says "Freedom of Information Request Archive" at the top. You look for document 15-1958 in cabinet 15. And you reasonably assume that cabinet 1 contains FOIA requests numbered "1-XXXXX", and that since all FOIA records are by definition public, you're perfectly free to look through them and copy them.

    77. Re:Edit Address Line Is Not Hacking by Actually,+I+do+RTFA · · Score: 1

      Oh, I agree. Just the line wasn't drawn properly, and I could be pedantic.

      --
      Your ad here. Ask me how!
    78. Re:Edit Address Line Is Not Hacking by EvilSS · · Score: 1

      Not the part I was referring to but OK my point still stands.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    79. Re:Edit Address Line Is Not Hacking by eaglesrule · · Score: 1

      TFA states roughly 7k documents were downloaded, and of those there were 250 with unredacted information.

      It is true that most of the documents were not private. A roughly 3% figure of the total means it is also true that nearly all of the documents were not private, and it would be easy to overlook that any private data was even downloaded. Especially if he was operating under the assumption that all of the sensitive information was already redacted.

    80. Re:Edit Address Line Is Not Hacking by mmdurrant · · Score: 1

      That's entry with intent to commit a crime aka burglary.

      --
      I see my shadow changing, stretching up and over me...
    81. Re: Edit Address Line Is Not Hacking by edris90 · · Score: 1

      Anyone who uses computers as a computer and not just appliances would never conceive that anybody would have a problem with interfacing through URL. I do it all the time to error correct unwanted behaviors or formatting on web pages. It's such an obviously better way to interface sometimes that it seems crazy that anyone would regard it as anything bac

    82. Re:Edit Address Line Is Not Hacking by hackertourist · · Score: 1

      Shouldn't be illegal? Because stinking up the neighborhood for 15-30 minutes (times the number of cars in the neighborhood) is such a civilized thing to do...

    83. Re:Edit Address Line Is Not Hacking by houghi · · Score: 2

      I understand. I once reported child porn and the police then tried to threaten me with fraud (Giving a false address at a free email company), obstruction of the law (Informed the newspaper after 2 weeks, because the site was still up. They never even replied they were looking into it, because their email was broken) and spreading of child porn (because I _replied_ to a Usenet posting in an abuse group with the URL intact.)

      Never seen anything illegal since then. Nothing. Not ever.

      --
      Don't fight for your country, if your country does not fight for you.
    84. Re:Edit Address Line Is Not Hacking by JesseMcDonald · · Score: 1

      Well, to be annoyingly pedantic, there's a line somewhere - for example, you can (though certainly shouldn't) have a session key in a URL, for example ...

      From a technical point of view, if someone can guess a valid session ID, you're Doing It Wrong(TM). This is in addition to the fact that the session ID should not be in the URL—you don't want the session ID to be included if someone shares a link to the page.

      On a moral level, the difference is that the session ID is a form of credential, equivalent to a username and password. By using someone else's session ID you're assuming their identity and committing fraud in order to gain access. A simple sequential document number, however, is not in any sense a form of credential—the number itself is not secret, and its purpose is identification, not authorization. Simply requesting arbitrary documents without making any false claims regarding your own identity should not be considered a crime.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
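The distinction drawn in the comment above, between a guessable document number (identification) and a session credential (authorization), shown as an added example that is not code from the thread or from the Nova Scotia portal. The data, the function names and the `released` flag are all hypothetical.

```python
"""Added example: a sequential document id identifies; it must not authorize."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Document:
    doc_id: int       # sequential and guessable: an identifier, not a secret
    body: str
    released: bool    # True once redacted and cleared for the public
    requester: str    # account that filed the request


# Constructed sample data: ids 1-6, two of them not cleared for release.
STORE = {
    d.doc_id: d
    for d in [
        Document(1, "road salt budget", True, "alice"),
        Document(2, "alice's own medical file", False, "alice"),
        Document(3, "bridge inspection", True, "bob"),
        Document(4, "bob's own tax records", False, "bob"),
        Document(5, "ferry schedule review", True, "carol"),
        Document(6, "school bus contracts", True, "carol"),
    ]
}

SESSIONS = {}  # session token -> account name


def login(account: str) -> str:
    """Issue a session credential: 256 random bits from the CSPRNG.

    It travels in a cookie or header, never in the URL, so sharing a
    link does not share the session.
    """
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def fetch_unchecked(doc_id: int) -> Optional[Document]:
    """The portal as the thread describes it: the id alone decides."""
    return STORE.get(doc_id)


def fetch_checked(doc_id: int,
                  session_token: Optional[str] = None) -> Optional[Document]:
    """Serve a document only if released, or if the caller filed it.

    Missing ids and not-permitted ids both return None (one 404-style
    answer), so responses do not reveal which unreleased ids exist.
    """
    doc = STORE.get(doc_id)
    if doc is None:
        return None
    if doc.released:
        return doc
    account = SESSIONS.get(session_token) if session_token else None
    if account is not None and account == doc.requester:
        return doc
    return None


def served_ids(fetch, id_range, **kwargs) -> list:
    """Request every id in the range; list the ones the server hands over."""
    return [i for i in id_range if fetch(i, **kwargs) is not None]


if __name__ == "__main__":
    print("unchecked:", served_ids(fetch_unchecked, range(1, 10)))
    print("checked, anonymous:", served_ids(fetch_checked, range(1, 10)))
    alice = login("alice")
    print("checked, as alice:",
          served_ids(fetch_checked, range(1, 10), session_token=alice))
```

With the check in place, walking the whole id range returns only what was cleared for release, so the sequential numbering stops mattering.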
    85. Re:Edit Address Line Is Not Hacking by toddestan · · Score: 1

      My state has a similar, but more reasonable law, that you can't leave your car running unattended with the keys in the ignition. So the solution is one of those remote starters that lets the car run without the keys in it, and here that is legal.

      Even if the keys are in it, you don't actually have to have your ass in the driver's seat, so long as the car is not unattended. So if you're scraping the ice off or are otherwise nearby you're not breaking the law even if there's no one actually in the car.

  3. Wow, I see a huge countersuit coming... by cyn1c77 · · Score: 5, Insightful

    I am trying to understand what he did that was illegal?

    He downloaded documents that the government posted on the internet, by simply "guessing" the URL, which incrementally increased from the URL that he was given by the government?

    Yup, looks like a case of the government trying to offset blame to me!

    1. Re:Wow, I see a huge countersuit coming... by hey! · · Score: 1, Insightful

      I understand the feeling: it shouldn't be that easy to do something illegal. That does not mean that something is automatically legal because it's easy. In order for there to be a crime, you need two components, an act and intent. If you run over someone with your car, whether or not you intended to do that is what determines if there is a crime, not how easy it was to do.

      The problem is that a juror has to infer intent, and this is where biases come into play. To people like us nothing could be more natural than fiddling around with URL parameters; other people can't wrap their brain around why anyone would do that. That means to see if there's a crime you have to set aside what seems natural and obvious to you, and look at the specific circumstances of an act.

      Now I think most (although not all) people realize that if a bank made this same mistake, it'd be a crime to download the transaction information for hundreds of other people's accounts. What's a grayer area is if you tried it with one or two randomly chosen accounts. People like us would do that with the non-criminal intent of figuring out if our bank's security is that bad. But it's risky, because if you're detected there are people who simply don't understand that; you have to hope they've got an open mind.

      In this case the most important detail is that the kid was downloading what a reasonable person would assume is public information. I think you'd have to show that there was also information that wasn't in the public domain and that the kid knew it. The problem is that some people are by nature so incurious that curious behavior strikes them as suspicious.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  4. The information was published by AxeTheMax · · Score: 1

    It sounds as though he found information published on the web. If I had a book with a custom made index and I was not told that there were pages that were not indexed, is it unauthorised access to leaf it open to one of them?

  5. Blame the kid! by Aethedor · · Score: 2

    Yeah, sure. Blame the kid. Don't talk about how you fucked up your security so bad that even a kid can bypass it. No, focus on how you were done wrong.

    Seriously, if a small kid can bypass your security, you deserve to be 'hacked'. No mercy for incompetence!

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.
    1. Re:Blame the kid! by gizmod · · Score: 2

      There is no security! Zero authentication is done to access those pages. Any person on the planet can access that information. I bet Google's spider bots have crawled and cached that entire dataset long ago already as well. Sue Google next?

  6. They forgot to take the 'take one free' sign down. by robbak · · Score: 4, Insightful

    Items placed on an open server without a login are made available for public download. Whether you meant to offer them for public download isn't relevant - you did.

    He went to the server and asked politely, "Can I take one of these?" The server said, "Sure, here it is", and then tossed it to him.

    --
    Prediction for end of Universe #42: Fencepost error in Quantum_bogosort.cpp
  7. Freedom of Information Data access request by Bruce66423 · · Score: 1

    If I seek information under 'Freedom of Information' legislation, I am getting data that the government holds about the world in general.

    If I carry out a 'data access request', I am asking for the data that the government owns on me.

    It appears that Nova Scotia operated a 'data access request' system that held the personal resulting from data access requests on a poorly protected server, which our guy proceeded to access. As such this isn't a freedom of information issue, though it will probably be used as such to allow governments to wind down their commitment to freedom of information.

  8. Re:Publishing on the internet. by 91degrees · · Score: 1

    Yes, but now add a septuagenarian judge who knows nothing about computers, a court appointed defender who may be well meaning but isn't all that up to speed on the matter, and is pretty damn overworked, and a hysterical manager who really needs to cover his ass, and realises that the easiest way to do that is deflect blame onto some teenager.

    I'm old and cynical and I hope justice prevails, but all too often it doesn't.

  9. We're talking Nova Scotia here by Bruce66423 · · Score: 1

    We appear to have a classic example of government ineptitude in an obscure part of Canada, where it will be very hard to find competent IT staff. We should not be surprised at the cockup...

  10. Will do wonders for the bureaucracy's budget by Bruce66423 · · Score: 1

    When the IT department of the province goes to the assembly, it will be able to use this to demand a big rise in their budget. Hog heaven for top managers who can avoid the blame!!

  11. 4Chan - uh oh! by TJHook3r · · Score: 1

    If he was backing up deleted 4Chan posts he may have bigger legal problems than 'hacking'!

  12. Re:Naa just a Newfie by wolfheart111 · · Score: 1

    It gets really boring there in small town Newfoundland... :(

    --
    [($)]
  13. He did no Hacking. by thesupraman · · Score: 2

    Except he did not walk in the door.

    What he did is the equivalent of walking up to the public documents window (just dream that such a thing exists..) and saying 'could I please have the FOI request number 1' then saying 'could I please have the FOI request number 2'.... until he had 7000 of them.

    The fault in that case, and quite obviously in this, would be in the person (or server) that GAVE HIM THE DOCUMENTS WITHOUT ANY ATTEMPT TO VERIFY THAT HE WAS AUTHORISED TO RECEIVE THEM.

    Remember, he didn't falsify ANY information, he didn't impersonate anyone, he didn't do anything else but ask the server if it would kindly send him this document, which it did.

    So, your position is that asking for a document is breaking the law? Oh dear.

    1. Re:He did no Hacking. by rahvin112 · · Score: 1

      At least in the US none of that matters. What matters is that he accessed that computer without the direct permission of the owner. That's how the CFAA works in the US and I imagine the Canadian version is similar.

      Nothing matters except if the owner (government) knowingly approved of him receiving the documents and if he doesn't have it in writing it's whatever they say after the fact.

      The CFAA is so broad as to be virtually impossible not to breach.

    2. Re:He did no Hacking. by davecb · · Score: 1

      The province broke federal law, the Personal Information Protection and Electronic Documents Act by putting personal information on a public server. See https://www.canlii.org/en/ca/l...

      Arguably the federal Privacy Commissioner should apply to the Federal Court for punitive sanctions against the province of Nova Scotia.

      --
      davecb@spamcop.net
    3. Re:He did no Hacking. by rahvin112 · · Score: 1

      Yes they should but they won't because they are going to scapegoat the guy that downloaded what was offered publicly.

      All FOIA requests SHOULD be public and freely downloadable by anyone else that wants that same data.

    4. Re:He did no Hacking. by davecb · · Score: 1

      Yes they should but they won't ...

      The Privacy Commissioner of Nova Scotia has already opened an investigation into the privacy breach, beating the federal commissioner. In the US, you'd say they're both pissed. In Canada, we say "there is an expression of concern" (;-))

      --
      davecb@spamcop.net
    5. Re:He did no Hacking. by davecb · · Score: 1

      At least in the US none of that matters. What matters is that he accessed that computer without the direct permission of the owner. That's how the CFAA works in the US and I imagine the Canadian version is similar.

      The Canadian version is substantially (In USian, "completely") different. He made a request for information that is public, and the site unlawfully served him a document which contained personal information. The federal and Nova Scotia privacy commissioners have noted that the site has arguably breached PIPEDA by doing so.

      --
      davecb@spamcop.net
  14. Re:They forgot to take the 'take one free' sign do by ckatko · · Score: 1

    It's basically like going to a library and pulling your book. And then there's another whole row of books right next to yours and you look at them that just so happens to be "FORBIDDEN KNOWLEDGE!@#!1111".

  15. Re:They forgot to take the 'take one free' sign do by Bongo · · Score: 1

    Also, re. manually editing a link, how does one know that URL isn’t linked to from elsewhere? I.e. it was published for all, and all you did was shortcut straight to it?

  17. Re:Freedom of Information Data access request by Mashiki · · Score: 1

    The problem is that here in Canada, we have stringent privacy laws. He's in the wrong because he got information that wasn't redacted as it was supposed to be by the law. The NS government itself is in breach of the privacy laws because they're not supposed to store personal information like this. Government agencies that handle this stuff have a PIO that scrubs information out for FOI requests. Likely, nothing will happen to him in the end or he'll be given a suspended sentence (meaning no criminal record after a year or two if he keeps his nose clean). The NS government though, now has a serious privacy breach problem and is in violation of not only provincial laws, but federal privacy laws. Which could lead to an awful lot of lawsuits.

    --
    Om, nomnomnom...
  18. Translation by Opportunist · · Score: 1

    If your government is too stupid to secure their databases, you go to jail.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  19. The code below is illegal. by houghi · · Score: 1

    # for I in $(seq 100000); do wget example.com/$I.html;done

    It is highly illegal code and I should be getting 10 years for that, because that is basically what he did.

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:The code below is illegal. by iggymanz · · Score: 1

      that might be a munition under U.S. law

  20. Re:Breach... by Opportunist · · Score: 1

    They got lucky because he's in the same country and they can actually charge him. If he had been a, say, Russian hacker...

    Ok, then we would probably not even hear about it because then they'd have to admit they fucked up and there's nothing they can blame but themselves for criminal neglect.

    In other words, who says it didn't already happen exactly that way, too?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  21. Re:See Kevin Mitnick... by Opportunist · · Score: 1

    Government prosecutors actually think Hollywood produces documentaries.

    Part of my job is to help law enforcement with computer related crimes. I really, really wish I could make at least half of the utter stupidity that drools out of some of the requests public.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  22. Re:Publishing on the internet. by Opportunist · · Score: 1

    Which is a pity, considering that he's more computer savvy and qualified for the job than the useless cunt that created the system. Who is, by the way, the one who should be thrown in the slammer and forbidden to ever come closer than a lightyear to a computer.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  23. This is where Canada is going? by SCVonSteroids · · Score: 4, Interesting

    As an Atlantic Canadian this makes me unbelievably sad.
    They just traumatized a family because the government was incompetent. Is this truly where we're going?
    They fucking interrogated his 13 year old sister?! I mean the documentation was fucking public; THIS IS HOW THEY CHOOSE TO HANDLE THEIR INCOMPETENCY?

    PM is outright saying he stole sensitive information; 15 officers raided the house.

    Atlantic Canada is a pretty quiet place, and there's already enough sketchiness about how the general population feels about our police force; they're really not helping their case. I swear if they (Gov. & police force, RCMP I presume) don't get any repercussions for this I'll be legitimately scared of continuing to live in this country. This is beyond fucking ridiculous. I mean 10 fucking years in prison??

    Yeah; I'm fucking angry, sorry.

    --
    I tend to rant.
    1. Re:This is where Canada is going? by sinij · · Score: 2

      This is why Canadians need to have stronger rights against government. Be thankful they didn't attempt to revoke kid's citizenship or detain him indefinitely on terrorism charges. All of this is possible under Canadian law.

    2. Re:This is where Canada is going? by Anonymous Coward · · Score: 1

      As a maritimer, you should know the difference between the PM (Justin Trudeau) and the Premier - Stephen McNeil in Nova Scotia.
      Also it was not the RCMP - it was the Halifax Police Service.
      That said, it's still a giant clusterfuck on the part of the province.
      http://www.cbc.ca/news/canada/nova-scotia/breach-information-access-to-information-police-protocol-1.4615233

      This kid is never going to see jail time*, however some public servants in Nova Scotia are going to get fired.
      http://www.cbc.ca/news/canada/nova-scotia/concerns-teen-being-railroaded-in-privacy-breach-to-cover-government-slip-1.4616972

      *Proving the mens rea in this case is going to be next to impossible, and you need that for criminal prosecution.

    3. Re:This is where Canada is going? by optimus2861 · · Score: 1

      The current Nova Scotia provincial government is downright nasty against anyone whom they perceive as against them, or who make them look bad. It's easily the worst bunch of cynical assholes who've ever held office in the ~15 years I've lived here. The worst part is, they just got reelected last year with another majority government, so we're stuck with them until at least 2021.

      This province is swirling the drain, and the general populace barely seems to notice, doesn't care, and/or doesn't think things can be any better. That's Atlantic Canada in a nutshell for you, sadly.

      The cops will no doubt deny it, but they probably got some pretty stern "suggestions" from up high in the provincial cabinet to make an example of this kid, for the cardinal sin of making the Liberals look bad.

    4. Re:This is where Canada is going? by PmanAce · · Score: 1

      Why would Canada revoke his citizenship? Where would they send him? Antarctica? An oil rig in international waters? The ISS?

      --
      Tired of my customary (Score:1)
    5. Re:This is where Canada is going? by drew_kime · · Score: 4, Funny

      Yeah; I'm fucking angry, sorry.

      That's the most Canadian thing I've ever read.

      --
      Nope, no sig
    6. Re:This is where Canada is going? by ooloorie · · Score: 1

      PM is outright saying he stole sensitive information; 15 officers raided the house.

      Well, unlike the US, they at least didn't shoot his dog.

    7. Re:This is where Canada is going? by Anonymous Coward · · Score: 1

      Claims to be Canadian.

      Yeah; I'm fucking angry, sorry.

      Checks out.

    8. Re:This is where Canada is going? by SCVonSteroids · · Score: 1

      As a maritimer, I should know that it doesn't matter. Both will fuck us in the ass the moment they get a chance.

      --
      I tend to rant.
  24. If you put it on a public web server... by sandbagger · · Score: 2

    ...expect that people will find it. This is not hacking, this is shoddy practices by the people running the FOI site and they're blaming the public. Of course, it would require a modicum of technical understanding to not blame someone else.

    --
    ---- The above post was generated by the Turing Institute. Maybe.
  25. "Intent" by Tablizer · · Score: 1

    Ultimately it will probably come down to the regular old "Hillary thing" of "intent", and judges or juries will make that determination. Did the alleged perpetrator "intend" to gain unauthorized access?

    1. Re: "Intent" by Tablizer · · Score: 1

      Congress doesn't need a specific law violation to impeach and remove a misbehaving President; it merely needs enough votes.

      By the way, what's an example of somebody "obstructing justice" without intent? Accidentally falling on an officer and squashing them?

  26. Information hoarder by xvan · · Score: 2

    "He usually copies online forums such as 4chan and Reddit, where posts are either quickly erased or can become difficult to locate."

    I thought that only porn hoarders existed, but this guy was hoarding 4chan's shitposts.

  27. Re:Publishing on the internet. by l0n3s0m3phr34k · · Score: 1

    But...but...but...I coded to the specs given! You didn't say anything about security in the project requirements!

  28. Where is the line between bad and no security? by sjbe · · Score: 1

    Let's be clear, editing the address line is not hacking, not in any way, shape or form.

    It is hacking if the government defines it to be hacking. Not disagreeing with you just pointing out that we're talking about the fact that the people who make the laws are the ones we're dealing with here. The scary bit is that they can define something quite innocuous to be against the law. Any time you go against the folks that make the rules things tend to get dicey for the defendant.

    A request for access was made and it was legally given, the government is screwed and a penalty should be applied for false prosecution.

    Again I don't disagree but do you really expect the government to admit fault like that?

    The interesting question is when does it become "security" and therefore "hacking"? In all fairness it's not as easy a question as it might seem. Does ROT13 count as encryption and therefore security? It's certainly bad security to the point of being laughable but it will keep the technologically impaired out so it's clearly effective to a degree. And it's possible to pass laws where it could be a violation of the law to crack their system even if doing so is absurdly simple. (see DMCA for example) Where is the bright line that distinguishes bad security from no security from a legal standpoint? (from a technical standpoint they are identical)

  29. Should developer intent matter? by sjbe · · Score: 1

    He was using the site EXACTLY as it was intended to be used: ask the system to provide information associated with some number at the end. This was not exploiting some unintended consequence to make the system behave in an unusual or unforeseen manner. This was making the computer system act in EXACTLY the manner the developer(s) intended.

    By that logic you could claim any penetration of a system was merely the system behaving exactly as intended because that was how the developer programmed it. I understand where you are going with your argument but it's perhaps a bit more fraught than you realize? After all, how are we as users to know what the developer intended and why should that even matter? It's an interesting question.

    The real question here is when does the system cross the line from no security to bad security from a legal standpoint. Technologically there is no difference but legally there can be. Because that is the point where legally it goes from using a system to "hacking" a system in the negative legal sense. Something as simple as ROT13 could be considered intent to secure the system despite being laughably easy to bypass but you could still find yourself in a court room for bypassing it under certain laws.

  30. In My Backyard by hipp5 · · Score: 4, Informative

    So I live in Nova Scotia; i.e. this is happening in my backyard. This is absolutely about the provincial government trying to cover its a**. The mistake was discovered internally when a government employee did basically the same thing and accidentally put in a wrong URL... and instead of getting a 404 got documents that shouldn't have been public-facing (including docs with personal info, SINs and the like). Rather than owning up to the mistake and dealing with the consequences, the provincial government kept it quiet for 7 weeks, and are now using this kid as a scapegoat ("EVIL HACKERS, CLUTCH YOUR PEARLS!!!!"). It's absolutely disgusting, and I hope the court of public opinion judges them (the gov) harshly.

  31. Public information by ArhcAngel · · Score: 2

    Just because there isn't a hyperlink to the page with the document doesn't make the information private. If there wasn't security on the page/s in question they were public information regardless of what the government intended. The boy broke no laws. And no this is not like leaving your door unlocked and someone walking in to your house/car. It's more like I posted all of these documents on a public document pin board in the middle of the square but put a blank page over them so you couldn't read them without lifting the blank page. I would charge whoever designed the site (not the page coder but the person who decided not to invest in any security) with gross negligence.

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
  32. Used the same method in my degenerate youth by cascadingstylesheet · · Score: 1

    Used the same URL tweaking method in my degenerate youth ... they weren't government documents though.

    (Though doubtless accessed by many government officials ...)

  33. Freedom-of-information not itself free?.. by mi · · Score: 3, Insightful

    downloading approximately 7,000 freedom-of-information releases

    I'm confused... Shouldn't the freedom-of-information releases themselves be freely available to the general public?

    --
    In Soviet Washington the swamp drains you.
  34. Re:Government guilty! No. Kid is insane. by AlanObject · · Score: 2

    What I want to know is: did he use a script (or curl feature) to download 7,000 documents, or did he just edit the URL 6,999 times?

    And where is he storing 30TB of data? Yes that is actually affordable (say 4 drives about $250 each) but who spends that kind of pocket money for something so nearly unusable?

    Try doing a grep -r for some string on a mounted USB drive holding 1TB of data and see how long it takes. So what good is that?

    Maybe he scrolls through all those documents one by one. For what. Anybody know?

    Just what could he use all this crap for. What is wrong with his brain that he wasn't just downloading porn like every other kid?

  35. Security by DivineKnight · · Score: 1

    How does it work?

  36. Incompetent IT by PmanAce · · Score: 1

    That is why, folks, you don't put IDs as URLs for something like this.

    --
    Tired of my customary (Score:1)
  37. Intent matters by Layzej · · Score: 1

    Intent matters:

    "In order to break this law, you have to have done it with fraudulent intent," said David Fraser, a lawyer with McInnes Cooper in Halifax who specializes in technology and privacy laws.

    "From everything that's being discussed about this, it's likely the person was likely trying to download content of public documents from a public internet site."

  38. Archivist by HeckRuler · · Score: 2

    "Archivist"? A 19 year old.... archivist? What kind of bullshit made up term is...

    The teen is estimated to have around 30 terabytes of online data on his hard drives

    ...Well alright then. I'm not even mad. Props to the archivist.

    1. Re:Archivist by SuricouRaven · · Score: 1

      Beats me. I'm only up to 20TB.

  39. Re: Government guilty! No. Kid is insane. by Anonymous Coward · · Score: 1

    Right. I got the 10TB for 350. Now it's 310. So it's a grand of slow Hard drives. With totally useless data. Unless he was doing some NPL processing or classification stuff for school. And guessing urls is a crime? Isn't an entity supposed to implement reasonable security?

    You could mistype a url and break the law. That won't fly. It's mishandling their classified? material to load it into that public website.

  40. Re:Freedom of Information Data access request by ooloorie · · Score: 1

    He's in the wrong because he got information that wasn't redacted as it was supposed to be by the law.

    No, that's a problem with the people who failed to do the redacting.

    The NS government though, now has a serious privacy breach problem and is in violation of not only provincial laws, but federal privacy laws. Which could lead to an awful lot of lawsuits.

    And tax payers are going to keep paying the government employees that failed to redact, their lawyers, the lawyers for the people filing the suits, and the damages to the people whose information wasn't redacted. Everybody walks away richer from this, except for the taxpayer.

    The problem is that here in Canada, we have stringent privacy laws.

    Truer words have never been spoken.

  41. Re:Government guilty! No. Kid is insane. by suso · · Score: 1

    He's not insane, people value and buy/sell archived data. Here is one of my own stories. Back in 2010 I did a complete reverse DNS scan on the Internet just for fun/curiosity. It came out to about 1TB of uncompressed data. A few years later someone found out that I had done that and wanted to buy a copy of the historical data from me for several hundred dollars. In hindsight, I probably could have charged more, but who knew what the market was on historical DNS data. The point is, data has value and the guy in Nova Scotia knows that. Like most things, the interest in the data and its rarity and the longer you can preserve it, the more it could be worth. archive.org is in the business of archiving data. Sure, they rely on donations, but money is coming in.

  42. Re:How many dollars (Canadian) by dstyle5 · · Score: 1

    Two large double doubles and a box of Timbits, eh.

  43. Did he make money off any of this? by Rick+Schumann · · Score: 1

    Did he extort anyone with this information? No? Then I think it's maybe 'malicious mischief' at best. Sentence the kid to community service and let it go at that.

  44. self service soda fountain by Joe_Dragon · · Score: 1

    what about self service soda fountains?

    Most places with them have free refills and most casinos they are 100% free.

    But let's say some place wants to be greedy and says no free refills, then they have to post it in a way that it's not hidden or move it to a place where you need to have some person working there to get it for you.

  45. Canada by Anonymous Coward · · Score: 1

    We love our freedom of information here in Canada, and governments resent it. As an example from just days ago, have a look at http://www.cbc.ca/news/politics/rcmp-access-information-money-laundering-legault-dagg-delay-extension-1.4616137 to see what a government letter explaining that they need to delay an information request for 80 years looks like.

    Nothing like having your house raided for accessing freedom of information related information.

  46. Re:Government guilty! No. Kid is insane. by SuricouRaven · · Score: 1

    Data hoarders, like me, collect it for the fun of collecting. It's no different from people who collect stamps, or tacky plaster statues. The fun is in acquiring the data and finding the best way to store, sort and manage it.

  47. and violation of TOS is not a crime much less by Joe_Dragon · · Score: 1

    and violation of TOS is not a crime much less one where you can be facing hard time.

    Too bad that a jury trial is not a right in Canada for all crimes. In the USA just having the jury have to read a full 100+ page TOS may push them to vote not guilty just to get it over.

  48. Re:Publishing on the internet. by Opportunist · · Score: 1

    I'm not talking about the one executing the design, I'm talking about the useless cunt that designed it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  49. Re:They forgot to take the 'take one free' sign do by Holi · · Score: 1

    If an ATM starts spitting money at you, or gives you more money than you requested can you legally keep it?

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
  50. What law did he break, exactly? by wardrich86 · · Score: 1

    If the documents were public-facing, what law did he break? I'm honestly confused, and I hope this goes up the chain of government to be sorted out.

  51. "Hacking" by DarthVain · · Score: 1

    First what he did is in no way shape or form of "Hacking". I'm sorry, but even the most unknowledgeable judge or jury is going to raise a serious eyebrow when the prosecution tries to argue that the changing of a public facing URL equates to "unauthorized use of a computer" i.e. Hacking.

    Second the government of NS literally did the stupidest most ill advised thing I can think of by raiding and charging the guy.

    About the only thing actually criminal here is the breach of personal information by the NS government who has a responsibility to reasonably safeguard said information within their custody. I'm pretty sure what this kid did pretty much says that they were negligent in that regard. So instead of quietly fixing the issue, and dealing with the kid about the data loss, they now just made it a public news spectacle.

    About the only thing I see here is charges being dropped, and a lot of embarrassment for NS and possible legal action, not only by the kid, but by those impacted by the FOI breach.

    However... that is all based on the content of the new article, which is a bit light on some information... Which may have an impact.

    i.e. How was he caught? Were there some super cyber security watchdogs monitoring website activity and noting that the same IP address was seeming to access an awful lot of stuff? I seriously doubt it. Or did he like most folks that get caught for this kind of stuff bragging around chat groups etc... that happened to be monitored regularly by police... As that would sort of invalidate his innocent tale... If I had to guess, some peon in IT realized that there was a potential vulnerability in their POS FOI portal, was looking into fixing the oversight, and decided just in case to check the logs (well after the fact), saw a lot more activity than might be reasonable, looked a bit deeper, saw most the activity from one source (oh shit), and reported it starting the whole cascading snowball, but I bet management didn't ask the peon "how" (or them being the one who designed it, wasn't eager to share that information). I guess what I am getting at is the most likely event being the only way they would have caught the guy (apart from bragging), would be prior knowledge that their system wasn't secure at all in the first place which would sort of invalidate their charges. About all they have is reasonable intent (i.e. did he know what he was accessing was prohibited?), which sounds like they would have a pretty hard time to prove...

  52. What we do with non-conformists by OrangeTide · · Score: 1

    We denounce them as heretics and put them in prison. (We can't burn them at the stake anymore)

    And behavior that makes the mainstream uncomfortable is to be punished as if it were equivalent to the actions of a criminal with ill intent.

    --
    "Common sense is not so common." - Voltaire
  53. Oh, Canada! by Applehu+Akbar · · Score: 1

    Why does a country with such a small, relatively homogeneous population need such a huge intrusive government?

    I have the same question about Australia.

  54. car analogy by nten · · Score: 1

    This is /. We do car analogies here.

    It is like going to a used car lot and sitting in each car in the row, and then being arrested because half of them belonged to customers.

    --
    refactor the law, it's bloated, confusing and unmaintainable.
  55. Re:Government guilty! No. Kid is insane. by houghi · · Score: 1

    "Because he can" used to be a valid enough answer. There are plenty of people who are hoarders. There are tv shows dedicated to them. He just hoards data. And why? Well, why not?

    I know a person who tries to download as much software as possible and sorts them in directories. These are all programs that he never ever uses and most he has no idea what they do. Why? Because he likes to do it.

    Other people collect stamps. Just as silly.

    --
    Don't fight for your country, if your country does not fight for you.
  56. The downside of Life in Canada.... by LinuxLuver · · Score: 1

    Generally, things are pretty good in Canada, compared to most places. But public servants caught being flagrantly incompetent, as in this example, too often try to blame the person who discovered the mistake. At the same time, the kid can be said to be authorised to view his own documents / information, but not authorised to view anyone else's. If this was explicit in any terms & conditions, then the kid is guilty. If you discover someone's house isn't locked, it's still stealing to go inside and take stuff.

    --
    Only boring people are ever bored.
  57. Correct Outcome by nowwith25percentmore · · Score: 1

    The correct outcome is that they 1) let the kid go free and compensate him & his family for wronging them, and 2) they fire & prosecute the system administrators for misclassifying and failing to secure private information.

  58. Defense fund set up! by xtal · · Score: 1

    A GoFundMe has been set up to pay for the legal defense, and an expert lawyer has been retained.

    Please consider donating. The kid isn't without fault, but he's being railroaded by the local government.

    https://www.gofundme.com/ns-te...

    --
    ..don't panic
  59. Please consider donating to the defense fund. by xtal · · Score: 1

    A GoFundMe has been set up to pay for the legal defense, and an expert lawyer has been retained.

    Please consider donating. The kid isn't without fault, but he's being railroaded by the local government.

    https://www.gofundme.com/ns-te...

    --
    ..don't panic
  60. What's up with Canada? by ebvwfbw · · Score: 1

    Seems like things went to pot with that Rob Ford ( https://en.wikipedia.org/wiki/...) guy that was the butt of Jay Leno jokes.
    Now it seems like they're in the news almost daily for dumb law enforcement on dumb laws.