Slashdot Mirror


19-Year-Old Archivist Charged For Downloading Freedom-of-Information Releases (www.cbc.ca)

Ichijo writes: According to CBC News, a Canadian teen "has been charged with 'unauthorized use of a computer,' which carries a possible 10-year prison sentence, for downloading approximately 7,000 freedom-of-information releases. The provincial government says about 250 of those contain Nova Scotians' sensitive personal information."

"When he was around eight [...] his Grade 3 class adopted an animal at a shelter, receiving an electronic adoption certificate," reports CBC. "That led to a discovery on the classroom computer. 'The website had a number at the end, and I was able to change the last digit of the number to a different number and was able to see a certificate for someone else's animal that they adopted,' he said. 'I thought that was interesting.' The teenager's current troubles arose because he used the same trick on Nova Scotia's freedom-of-information portal, downloading about 7,000 freedom-of-information requests."
The teen is estimated to have around 30 terabytes of online data on his hard drives, which equates to "millions" of webpages. "He usually copies online forums such as 4chan and Reddit, where posts are either quickly erased or can become difficult to locate."

23 of 422 comments

  1. Government guilty! by nospam007 · · Score: 5, Informative

    ...of criminal stupidity.

    I'm from Luxembourg and my chamber of representatives used the same 'security system' (people can't possibly guess numbers) and was also breached, obviously, since this 'problem' has been known since 1991 or so, when the worldwide web was invented.

    1. Re:Government guilty! by Anonymous Coward · · Score: 5, Insightful

      "The kid was criminally stupid in not reporting the vulnerability through the responsible disclosure contact"
      Neither he, you nor I are under any such obligation and how he accessed the data was neither vulnerability nor crime.
      "The kid was criminally stupid in archiving the data instead of working towards fixing the problem"
      The problem is not his to "fix" and archiving the data is not a crime which could have been done by any number of spiders and bots incl. The Wayback Machine.

      Stop being an apologist for the criminally stupid authorities and their heavy-handed overreach

    2. Re:Government guilty! by mjwx · · Score: 4, Interesting

      ...of criminal stupidity.

      I'm from Luxembourg and my chamber of representatives used the same 'security system' (people can't possibly guess numbers) and was also breached, obviously, since this 'problem' has been known since 1991 or so, when the worldwide web was invented.

      Yes, Data Protection Acts like the EU GDPR are there to ensure that PII (Personally Identifiable Information) isn't released publicly. However this doesn't mean it won't accidentally be or can't be released. The Canadian govt was silly to let this information be released under FOI requests (I work with FOI requests in the UK, you're supposed to ensure any PII is stripped out, GDPR/DPA trumps FOI and there are strict penalties for non-compliance) but if that fails that doesn't give you carte blanche to copy it, data protection laws still apply.

      However I'm going to make a prediction that won't be popular with the /. Mah Freeedums nutters but it will be more accurate, this will go to court, the Canadian will explain why he was doing what he was doing and the judge will order him to delete the records that contain PII and that will be the end of it. No jail, no fines, just a Canadian judge ordering a Canadian to adhere to the Canadian laws. Chances are the guy didn't even know that the PII was there before he started.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    3. Re:Government guilty! by suso · · Score: 5, Insightful

      That's great, but you can also just do this with curl

      curl example.com/[1-1000000].html

      The range functionality is built right into curl. In fact it's even in the opening examples of the man page.

    4. Re:Government guilty! by JMJimmy · · Score: 4, Informative

      This case will be dismissed if it ever makes it that far. The law they charged him under does not cover accessing public facing documents.

    5. Re:Government guilty! by Anonymous Coward · · Score: 5, Interesting

      The government was in breach of PIPEDA, though I'm not a lawyer, so I don't know if the law applies to them. The documents are called "Freedom of Information" requests. If you find one through the search function, you can download it. A reasonable person would have concluded this was public information. The documents being numbered sequentially does reinforce this impression.

      There was no obvious way for him to know that some of the "Freedom of Information" requests were intended to be restricted. You can't report something you don't know is wrong. Nobody wants to be the collateral damage from some larger party externalizing its incompetence or laziness. This is that, and it's wrong.

    6. Re:Government guilty! by gmack · · Score: 5, Informative

      The kid has been quoted as saying he thought that the records were public and he didn't know he wasn't supposed to be able to do that.

    7. Re:Government guilty! by Type44Q · · Score: 4, Interesting

      The kid was criminally stupid in archiving the data instead of working towards fixing the problem

      This tripe got modded to 5?! Fixing the problem wasn't his responsibility and while his actions might've been distasteful, thinking them to be "criminal" either requires:

      A) A complete lack of understanding of digital communications, or...

      B) You to be a gov't shill, or...

      C) An utter fucking moron.

    8. Re:Government guilty! by azcoyote · · Score: 5, Funny

      ... In fact it's even in the opening examples of the man page.

      That's exactly why we need more women in tech!

      --
      Incipiamus, fratres, servire Domino Deo, quia hucusque vix vel parum in nullo profecimus.
    9. Re:Government guilty! by suso · · Score: 4, Informative

      I agree, but man pages have nothing to do with gender. It's called a man page because it's short for manual. The command was called man most likely because so many commands were shortened back then to 2 or 3 letters. There were a few women working on Unix at Bell Labs in the 70s, one was Lorinda Cherry and among other things she helped write programs like the 'bc' and 'dc' commands.

    10. Re:Government guilty! by Anonymous Coward · · Score: 5, Insightful

      The kid has been quoted as saying he thought that the records were public and he didn't know he wasn't supposed to be able to do that.

      By any measure these files were public. They were published online with a URL without any access control system. The question is whether they should have been made public or not. And apparently the government unintentionally published just 250 documents that contained information that was somehow privileged in the batch of 7000.

      So 96.4% of the documents were supposed to be available to the public.

      Any reasonable person would have looked at a freedom of information website and assumed that the published documents were intended to be public as the vast majority of the documents were. The government made a mistake, overreached and is at fault for putting this person through this ordeal. Charges should be dropped with apology.

    11. Re:Government guilty! by q4Fry · · Score: 5, Funny

      I agree, but man pages have nothing to do with gender. It's called a man page because it's short for manual. The command was called man most likely because so many commands were shortened back then to 2 or 3 letters.

      Is this an example of "man splaining" ?

  2. Edit Address Line Is Not Hacking by rtb61 · · Score: 5, Insightful

    Let's be clear, editing the address line is not hacking, not in any way, shape or form. A user name and password request and getting past that is. Editing your address line on your computer and the distant server allowing it, is a fault of that distant server. A request for access was made and it was legally given, the government is screwed and a penalty should be applied for false prosecution. Strictly their fuckup, they made that information publicly accessible without any restriction and they are fucking liars and fraudsters trying to pin their incompetence on someone else. It is not a crime to edit your address bar, it is strictly their fuck up that caused it. No user name, password request and your web site is public facing, that data is free to download, you just gave it away free from all encumbrances. No different to randomly running IP addresses to download whatever you want. No layer of security, no fucking crime, they are cunts blaming someone else for their incompetence and the victim should sue the crap out of them after this is over.

    --
    Chaos - everything, everywhere, everywhen
    1. Re:Edit Address Line Is Not Hacking by Anonymous Coward · · Score: 5, Insightful

      No layer of security, no fucking crime

      My leaving my front door unlocked does not mean you aren't guilty of breaking and entering if you open the door, walk in, and take something that isn't yours.

      Idiot.

      Web servers do not work that way.

      You don't go into the web server and take something. The web server sends it to you.

      The more apt analogy would be that I asked for something I didn't own and you mail it to me. It can't be stolen since you honored the request to send it to me.

      What are you going to compare it to next? rape? Someone getting unsecured files from a server is like raping you in the ass?

    2. Re:Edit Address Line Is Not Hacking by TheReaperD · · Score: 4, Insightful

      I think the door analogy would go something like this: I go into a public government building and the information I need is in open door A and then I see open doors B, C, D, E, etc and go "huh, I wonder what's behind this open door in a public building (with no warning/forbidden signs)?" and then someone tries to arrest me for breaking and entering.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
    3. Re:Edit Address Line Is Not Hacking by jargonburn · · Score: 5, Insightful

      This is more like having a public reference book in a library, where you've been directed to page #1577 for the information you were seeking. You check and it's there. Cool. Then, you decide you're curious to read what's on the other pages.

    4. Re:Edit Address Line Is Not Hacking by Anonymous Coward · · Score: 5, Insightful

      What a pile of shite.

      As one of the ACs in the thread above pointed out, this is the wrong analogy. The server authorized the request and sent the data. A more accurate analogy would be: "I go into a public government building and ask the clerk for document #252, he says sure and hands it over. I then ask him for every other number that I can think of and he keeps saying sure, and handing them over". Your attempt at an analogy removes agency, but the web server was configured to make the information publicly available.

    5. Re:Edit Address Line Is Not Hacking by anegg · · Score: 4, Insightful

      Am I hacking the system if I use my remote control to sequentially access channels on my DirecTV system instead of using the DirecTV directory?

      Am I hacking the system if I conduct a (legitimate) telephone survey by progressing through the phone numbers for a given area code/prefix sequentially instead of using a telephone directory organized by name that translates to a telephone number?

      Am I hacking the system if I go trick-or-treating by house number up and down the block instead of using the HOA directory to find people in my neighborhood by name then go to their address?

      The individual in question didn't evade any controls on the access to the information. He scanned the information that was made freely available by sequentially stepping through the information addresses rather than going through a central directory. The idea that the mere existence of a central directory makes it illegal to scan publicly available addresses directly to access unsecured information is ridiculous. The URL address system is a well-known public interface for accessing information. If the URL address system contains an obvious regular pattern, it is well within reasonable expectations that a) individuals will notice this regular pattern, and b) use the regular pattern to optimize their access to the information. The fact that every single web browser exposes the URL and allows direct manipulation of the URL suggests that URLs are not only capable of being used in this way, but that the original protocol designers and implementors intended for it to be used in this way.

  3. Wow, I see a huge countersuit coming... by cyn1c77 · · Score: 5, Insightful

    I am trying to understand what he did that was illegal?

    He downloaded documents that the government posted on the internet, by simply "guessing" the URL, which incrementally increased from the URL that he was given by the government?

    Yup, looks like a case of the government trying to offset blame to me!

  4. They forgot to take the 'take one free' sign down. by robbak · · Score: 4, Insightful

    Items placed on an open server without a login are made available for public download. Whether you meant to offer them for public download isn't relevant - you did.

    He went to the server and asked politely, "Can I take one of these?" The server said, "Sure, here it is", and then tossed it to him.

    --
    Prediction for end of Universe #42: Fencepost error in Quantum_bogosort.cpp
  5. This is where Canada is going? by SCVonSteroids · · Score: 4, Interesting

    As an Atlantic Canadian this makes me unbelievably sad.
    They just traumatized a family because the government was incompetent. Is this truly where we're going?
    They fucking interrogated his 13 year old sister?! I mean the documentation was fucking public; THIS IS HOW THEY CHOOSE TO HANDLE THEIR INCOMPETENCY?

    PM is outright saying he stole sensitive information; 15 officers raided the house.

    Atlantic Canada is a pretty quiet place, and there's already enough sketchiness about how the general population feels about our police force; they're really not helping their case. I swear if they (Gov. & police force, RCMP I presume) don't get any repercussions for this I'll be legitimately scared of continuing to live in this country. This is beyond fucking ridiculous. I mean 10 fucking years in prison??

    Yeah; I'm fucking angry, sorry.

    --
    I tend to rant.
    1. Re:This is where Canada is going? by drew_kime · · Score: 4, Funny

      Yeah; I'm fucking angry, sorry.

      That's the most Canadian thing I've ever read.

      --
      Nope, no sig
  6. In My Backyard by hipp5 · · Score: 4, Informative

    So I live in Nova Scotia; i.e. this is happening in my backyard. This is absolutely about the provincial government trying to cover its a**. The mistake was discovered internally when a government employee did basically the same thing and accidentally put in a wrong URL... and instead of getting a 404 got documents that shouldn't have been public-facing (including docs with personal info, SINs and the like). Rather than owning up to the mistake and dealing with the consequences, the provincial government kept it quiet for 7 weeks, and are now using this kid as a scapegoat ("EVIL HACKERS, CLUTCH YOUR PEARLS!!!!"). It's absolutely disgusting, and I hope the court of public opinion judges them (the gov) harshly.
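
Added example, not part of the thread or of the portal's actual code: a sketch of the server-side, per-document check whose absence the comments describe, next to a handler that serves any numeric id that exists. The store, ids, titles, `owners` mapping and function names are all constructed for illustration.

```python
"""Added illustration (constructed data): per-object authorization for a
document portal that numbers its releases sequentially."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Release:
    doc_id: int
    title: str
    public: bool  # set only after a privacy review clears the file


# Constructed sample store; ids and titles are invented for this example.
STORE = {
    1575: Release(1575, "Road maintenance contracts", True),
    1576: Release(1576, "Applicant's own medical file", False),
    1577: Release(1577, "School bus tender", True),
}


def serve_by_id_only(doc_id, store=STORE):
    """Flawed handler: existence of the id is the only check."""
    rel = store.get(doc_id)
    return (200, rel.title) if rel else (404, None)


def serve_with_authz(doc_id, requester=None, owners=None, store=STORE):
    """Hardened handler: the decision is made per object, on the server.
    Unpublished and nonexistent ids return the same 404, so the response
    does not reveal which ids hold restricted files."""
    rel = store.get(doc_id)
    if rel is None:
        return (404, None)
    owners = owners or {}
    if rel.public or (requester is not None and owners.get(doc_id) == requester):
        return (200, rel.title)
    return (404, None)


def audit_exposure(handler, store=STORE):
    """Pre-launch self-check: list non-public ids that the handler hands
    to an anonymous caller. An empty list is the pass condition."""
    return sorted(d for d, rel in store.items()
                  if not rel.public and handler(d)[0] == 200)
```

Running `audit_exposure` against each handler before a release goes live shows whether any restricted document is reachable without authentication, regardless of how the ids are numbered.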