Slashdot Mirror


19-Year-Old Archivist Charged For Downloading Freedom-of-Information Releases (www.cbc.ca)

Ichijo writes: According to CBC News, a Canadian teen "has been charged with 'unauthorized use of a computer,' which carries a possible 10-year prison sentence, for downloading approximately 7,000 freedom-of-information releases. The provincial government says about 250 of those contain Nova Scotians' sensitive personal information."

"When he was around eight [...] his Grade 3 class adopted an animal at a shelter, receiving an electronic adoption certificate," reports CBC. "That lead to a discovery on the classroom computer. 'The website had a number at the end, and I was able to change the last digit of the number to a different number and was able to see a certificate for someone else's animal that they adopted,' he said. 'I thought that was interesting.' The teenager's current troubles arose because he used the same trick on Nova Scotia's freedom-of-information portal, downloading about 7,000 freedom-of-information requests."
The teen is estimated to have around 30 terabytes of online data on his hard drives, which equates to "millions" of webpages. "He usually copies online forums such as 4chan and Reddit, where posts are either quickly erased or can become difficult to locate."
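
The summary above describes documents served purely on the basis of a guessable number in the URL. As an added example (not code from the portal, CBC or the submitter), the sketch below contrasts that lookup with a deny-by-default check made on every request. The document store, the `released` and `owner` fields and the function names are assumptions made for illustration.

```python
# Constructed sample store: sequential ids, as on the portal described above.
# "released" marks a document cleared for public release (assumed field);
# "owner" is the requester the document belongs to (assumed field).
DOCUMENTS = {
    1001: {"released": True, "owner": None, "body": "Public FOI release"},
    1002: {"released": False, "owner": "alice", "body": "Contains personal information"},
    1003: {"released": True, "owner": None, "body": "Another public release"},
}


def fetch_unchecked(doc_id):
    """The flaw: the existence of the id is the only gate."""
    doc = DOCUMENTS.get(doc_id)
    return (200, doc["body"]) if doc else (404, None)


def fetch_checked(doc_id, user=None):
    """Deny by default: serve only released documents, or the owner's own."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return (404, None)
    if doc["released"] or (user is not None and user == doc["owner"]):
        return (200, doc["body"])
    # Same answer as for a missing id, so responses do not reveal
    # which numbers correspond to restricted documents.
    return (404, None)


def exposed_ids(fetch):
    """Audit helper: unreleased ids that an anonymous request can retrieve."""
    return sorted(
        doc_id
        for doc_id, doc in DOCUMENTS.items()
        if not doc["released"] and fetch(doc_id)[0] == 200
    )


if __name__ == "__main__":
    print("unchecked handler exposes:", exposed_ids(fetch_unchecked))
    print("checked handler exposes:  ", exposed_ids(fetch_checked))
```

Running an audit like `exposed_ids` against the real handler before publication is what would have caught the 250 restricted documents among the 7,000.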


  1. Government guilty! by nospam007 · · Score: 5, Informative

    ...of criminal stupidity.

    I'm from Luxembourg and my chamber of representatives used the same 'security system' (people can't possibly guess numbers) and was also breached, obviously, since this 'problem' has been known since 1991 or so, when the worldwide web was invented.

    1. Re:Government guilty! by Anonymous Coward · · Score: 5, Insightful

      "The kid was criminally stupid in not reporting the vulnerability through the responsible disclosure contact"
      Neither he, you nor I are under any such obligation and how he accessed the data was neither vulnerability nor crime.
      "The kid was criminally stupid in archiving the data instead of working towards fixing the problem"
      The problem is not his to "fix" and archiving the data is not a crime which could have been done by any number of spiders and bots incl The Wayback Machine.

      Stop being an apologist for the criminally stupid authorities and their heavy-handed overreach.

    2. Re:Government guilty! by suso · · Score: 5, Insightful

      That's great, but you can also just do this with curl

      curl example.com/[1-1000000].html

      The range functionality is built right into curl. In fact it's even in the opening examples of the man page.

    3. Re:Government guilty! by Anonymous Coward · · Score: 5, Interesting

      The government was in breach of PIPEDA, though I'm not a lawyer, so I don't know if the law applies to them. The documents are called "Freedom of Information" requests. If you find one through the search function, you can download it. A reasonable person would have concluded this was public information. The documents being numbered sequentially does reinforce this impression.

      There was no obvious way for him to know that some of the "Freedom of Information" requests were intended to be restricted. You can't report something you don't know is wrong. Nobody wants to be the collateral damage from some larger party externalizing its incompetence or laziness. This is that, and it's wrong.

    4. Re:Government guilty! by gmack · · Score: 5, Informative

      The kid has been quoted as saying he thought that the records were public and he didn't know he wasn't supposed to be able to do that.

    5. Re:Government guilty! by azcoyote · · Score: 5, Funny

      ... In fact it's even in the opening examples of the man page.

      That's exactly why we need more women in tech!

      --
      Let us begin, brothers, to serve the Lord God, for up to now we have made little or no progress.

    6. Re:Government guilty! by Anonymous Coward · · Score: 5, Insightful

      The kid has been quoted as saying he thought that the records were public and he didn't know he wasn't supposed to be able to do that.

      By any measure these files were public. They were published online with a URL without any access control system. The question is whether they should have been made public or not. And apparently the government unintentionally published just 250 documents that contained information that was somehow privileged in the batch of 7000.

      So 96.4% of the documents were supposed to be available to the public.

      Any reasonable person would have looked at a freedom of information website and assumed that the published documents were intended to be public, as the vast majority of the documents were. The government made a mistake, overreached and is at fault for putting this person through this ordeal. Charges should be dropped with apology.

    7. Re:Government guilty! by q4Fry · · Score: 5, Funny

      I agree, but man pages have nothing to do with gender. It's called a man page because it's short for manual. The command was called man most likely because so many commands were shortened back then to 2 or 3 letters.

      Is this an example of "man splaining" ?

  2. Edit Address Line Is Not Hacking by rtb61 · · Score: 5, Insightful

    Let's be clear, editing the address line is not hacking, not in any way, shape or form. A user name and password request and getting past that is. Editing your address line on your computer and the distant server allowing it, is a fault of that distant server. A request for access was made and it was legally given, the government is screwed and a penalty should be applied for false prosecution. Strictly their fuckup, they made that information publicly accessible without any restriction and they are fucking liars and fraudsters trying to pin their incompetence on someone else. It is not a crime to edit your address bar, it is strictly their fuck up that caused it. No user name, password request and your web site is public facing, that data is free to download, you just gave it away free from all encumbrances. No different to randomly running IP addresses to download whatever you want. No layer of security, no fucking crime, they are cunts blaming someone else for their incompetence and the victim should sue the crap out of them after this is over.

    --
    Chaos - everything, everywhere, everywhen

    1. Re:Edit Address Line Is Not Hacking by Anonymous Coward · · Score: 5, Insightful

      No layer of security, no fucking crime

      My leaving my front door unlocked does not mean you aren't guilty of breaking and entering if you open the door, walk in, and take something that isn't yours.

      Idiot.

      Web servers do not work that way.

      You don't go into the web server and take something. The web server sends it to you.

      The more apt analogy would be that I asked for something I didn't own and you mail it to me. It can't be stolen since you honored the request to send it to me.

      What are you going to compare it to next? rape? Someone getting unsecured files from a server is like raping you in the ass?

    2. Re:Edit Address Line Is Not Hacking by jargonburn · · Score: 5, Insightful

      This is more like having a public reference book in a library, where you've been directed to page #1577 for the information you were seeking. You check and it's there. Cool. Then, you decide you're curious to read what's on the other pages.

    3. Re:Edit Address Line Is Not Hacking by Anonymous Coward · · Score: 5, Insightful

      What a pile of shite.

      As one of the ACs in the thread above pointed out, this is the wrong analogy. The server authorized the request and sent the data. A more accurate analogy would be: "I go into a public government building and ask the clerk for document #252, he says sure and hands it over. I then ask him for every other number that I can think of and he keeps saying sure, and handing them over". Your attempt at an analogy removes agency, but the web server was configured to make the information publicly available.

  3. Wow, I see a huge countersuit coming... by cyn1c77 · · Score: 5, Insightful

    I am trying to understand what he did that was illegal?

    He downloaded documents that the government posted on the internet, by simply "guessing" the URL, which incrementally increased from the URL that he was given by the government?

    Yup, looks like a case of the government trying to offset blame to me!