Slashdot Mirror


Police Drop Charges Filed Against 19-Year-Old Archivist For Downloading FOIA Releases (techdirt.com)

An anonymous reader quotes a report from Techdirt: Last month, [...] an unnamed 19-year-old was facing criminal charges for downloading publicly-available documents from a government Freedom of Information portal. The teen had written a script to fetch all available documents from the Nova Scotia government's FOI site -- a script that did nothing more than increment digits at the end of the URL to find everything that had been uploaded by the government. The government screwed up. It uploaded documents to the publicly-accessible server that hadn't been redacted yet. It was a very small percentage of the total haul -- 250 of the 7,000 docs obtained -- but the government made a very big deal out of it after discovering they had been accessed.

Fortunately, Nova Scotia law enforcement has decided there's nothing to pursue in this case: "In an email to CBC News, Halifax police Supt. Jim Perrin did not mention what kind of information police were given from the province, but he said it was a 'high-profile case that potentially impacted many Nova Scotians.' 'As the investigation evolved, we have determined that the 19-year-old who was arrested on April 11 did not have intent to commit a criminal offense by accessing the information,' Perrin said in the email."

154 comments

  1. ... but when does he get his hardware back ??? by eric31415927 · · Score: 3, Interesting

    His hard drives contain sensitive info that may preclude him from ever getting them back.
    Hopefully his other family members get their computers back.

    1. Re:... but when does he get his hardware back ??? by Anonymous Coward · · Score: 1

      His hard drives contain sensitive info that may preclude him from ever getting them back.
      Hopefully his other family members get their computers back.

      Hmm sensitive info.. like pron? :-)

      It is kind of sad though that the use of something like wget and a very simple script was suddenly considered hacking in Canada... How can they even seize his hardware and THEN decide it was NOT hacking?

      But then again, we had a similar case in Europe... they did not seize hardware prematurely though... to my amazement, the court DID acknowledge that altering URLs even with a script is not hacking, despite a very poor politic IT history :-) ...actually the company behind the government webservice in question was asked to step up their security, so all in all a good outcome for everybody.

      It scares the hell out of me to think that I might actually be living in a country that is one of the better ones when it comes to making reasonable IT choices... Then things are really really bad out there in the big world...

    2. Re:... but when does he get his hardware back ??? by Anonymous Coward · · Score: 0

      Racist AND retarded! You must be very popular with the ladies.

    3. Re:... but when does he get his hardware back ??? by Cederic · · Score: 1

      Hmm sensitive info.. like

      Like data pertaining to individuals that should not have been published on the site and to which he should not have access.

      How can they even seize his hardware and THEN decide it was NOT hacking?

      You do not seize hardware after a court case. You seize it to discover evidence that would influence a decision to prosecute. If the decision to prosecute is made, the evidence is then presented at the court case.

      On this occasion the decision was made to not prosecute. Shitty situation for the innocent party, but still a reasonable sequence of actions.

    4. Re:... but when does he get his hardware back ??? by drinkypoo · · Score: 1

      On this occasion the decision was made to not prosecute. Shitty situation for the innocent party, but still a reasonable sequence of actions.

      The big problem is that we have so many bullshit laws that so many people are getting busted for violating them that your right to a speedy trial might as well not exist. The only trials which are ever resolved at all quickly are those in which there is significant public interest, and even some of those drag on interminably.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. "Freedom of information" ... "redacted" by Anonymous Coward · · Score: 0

    Welcome to Oceania, where the citizens are minusfriends.

    PROTIP: Every time they redacted something, it is precisely because you would not like what stood there. Which usually means it is harming you.

    1. Re:"Freedom of information" ... "redacted" by Anonymous Coward · · Score: 0

      No, they redact the private information of individuals.

    2. Re:"Freedom of information" ... "redacted" by Anonymous Coward · · Score: 0

      Awww Tardchris, is your flat bony cyclist's ass all sore from the beating FCLM unleashed on you??

    3. Re: "Freedom of information" ... "redacted" by Brockmire · · Score: 0

      Some Engineer will wonder why their AI bots are so retarded and then will check the training data and find shit like this.

  3. Intent? by Loki_1929 · · Score: 5, Insightful

    Who the hell cares about his intent? He downloaded information mistakenly posted to a publicly available system. Unless he's trying to sell state secrets to the Russians, which still doesn't criminalize the act of downloading the stuff, there's absolutely nothing he's done wrong. To say otherwise is to say you can criminalize viewing information that the government posts on billboards by the highway if the government mistakenly puts up the wrong information on the billboards.

    Maybe in China.

    --
    -- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
    1. Re:Intent? by phantomfive · · Score: 5, Interesting

      Intent is an important part of many laws. For example, it is entirely legal to carry lock-picking tools, but if you carry them with the intent of committing a crime (or even merely have them while committing a crime), that is illegal. I don't know the specifics of Canadian law, but presumably intent is an important aspect of the particular hacking law he was accused of breaking.

      In America, if you use someone else's computer in any way with the intent to hack, even just typing a simple sql exploit into your browser URL bar, then you've committed a crime.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Intent? by slickwillie · · Score: 4, Insightful

      I think the point is - intent is meaningless if you don't actually break the law. In the post above yours, what if you do have criminal intent when you read the public road signs?

    3. Re:Intent? by Anonymous Coward · · Score: 3, Funny

      Law & Order: Traffic Police.

      Officer: Sarge, I just stopped a guy for speeding, and he admitted that he intended to speed even after he read the 40 mph sign at our bottleneck/speed trap on I-5.

      Desk Sergeant: Cut his license and drive him to the Precinct. I'll book him on charges of reading a road sign with malice aforethought. Make sure you read him his rights, and then ask him if he was having criminal thoughts when you read him his rights. Maybe we can get a daily double out of this one!

    4. Re:Intent? by phantomfive · · Score: 2

      Some laws have intent written into them specifically. If there is a law that says, "If you intend to commit a crime when reading a public road sign, that is against the law," then doing so is a crime, but there is no such law.

      In America, the Computer Fraud and Abuse act includes such language: "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access"

      --
      "First they came for the slanderers and i said nothing."
    5. Re:Intent? by BitterOak · · Score: 1

      What you're saying is true, but what I think the previous poster was referring to was mens rea vs. actus reus. When the police say they dropped charges because they didn't believe there was intent to commit a crime, they are suggesting there was indeed actus reus, but there was no mens rea. What the GP is suggesting, I think, is that there was neither actus reus nor mens rea, and I agree.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    6. Re: Intent? by phantomfive · · Score: 1

      If I say anything about Canadian law, I am doing nothing but wildly speculating.

      --
      "First they came for the slanderers and i said nothing."
    7. Re:Intent? by Capsaicin · · Score: 5, Insightful

      I think the point is - intent is meaningless if you don't actually break the law.

      Contrary to OP's post, was not "mistakenly posted to a publicly available system (in the sense OP intends it)," it was instead, insofar as this is relevant, posted to a server with atrociously ineffective "security." Links would be given to individuals to access information to which they alone had been granted the legal right to access. No such right had been bestowed on the accused who circumvented the "security," (as trivial as this was to do), and in doing so breached the privacy of victims who, notwithstanding the negligence of the public authority, had through no act of their own been so exposed.

      The provision under which he was charged was s342.1 of the Criminal Code (R.S.C., 1985, c. C-46) which begins:

      Unauthorized use of computer

      342.1 (1) Everyone is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years, or is guilty of an offence punishable on summary conviction who, fraudulently and without colour of right,
      (a) obtains, directly or indirectly, any computer service;
      (b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system;
      (c) ...
      ... computer service includes data processing and the storage or retrieval of computer data; (service d’ordinateur)
      ...

      For the purposes of the provision " computer service includes data processing and the storage or retrieval of computer data; (service d’ordinateur),"

      The question is not whether he accessed the information indirectly (hacked|cracked), or directly, the question is whether in breaching the privacy of individuals he acted "without colour of right" and "fraudulently." It is the requirement to demonstrate that his behaviour crossed the threshold of fraud, I would imagine, that poses the largest hurdle to a conviction in this case, but then I am not a Canadian lawyer.

      Nonetheless, there is at least a prima facie case that he did break the law, and thus intent, contra OP, becomes a material consideration.

      what if you do have criminal intent when you read the public road signs?

      Much of traffic law is governed, the common law world over, and for obvious reasons, by what we call strict liability offences, which is to say offences for which the state is relieved of its ordinary burden to establish intent in criminal cases. These are the exception to the rule that a crime, (in contradistinction to a tort etc.) consists of the combination of the actus reus and the mens rea. Strict liability is a necessary evil (from the PoV of the democratic rights-based state) and ought to be both a rare exception as also restricted to crimes where it is both a) impracticable to establish intent (eg. particular traffic offences) and where the punishments available to the state are relatively minor (eg. fines as opposed to custodial sentences).

      In any case, there is nothing in s342.1 (1) which explicitly obviates the need to demonstrate intent. So this is not relevant here.

      Now I would have thought the requisite intent was simply to "obtain a computer service" (i.e. access the data), which his script amply evidences. And remember intent does not require knowledge that an act is criminal. But perhaps there is clear authority to that point and the police are acting on that precedent. Otherwise it should not, in a case where intent (but for some point of law) seems clear, be for the police, but rather for the courts to determine both whether the requisite act and intent are present.

      --
      Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
    8. Re:Intent? by thegarbz · · Score: 1

      I think the point is - intent is meaningless if you don't actually break the law.

      The GP's point is that many laws are contingent on intent to determine if they were actually broken. Not every law, just some. There's no law against reading a road sign at all, criminal intent or not.

      However there are many laws that you would be skirting around every day and the only thing causing you not to break those laws is criminal intent.

    9. Re:Intent? by Anonymous Coward · · Score: 0

      Actually depending on state and country it is NOT entirely legal to carry lock-picking tools as many require you to be a licensed locksmith or licensed for other certain trades where they can legitimately be required for the work at hand. That includes some states of the US, Canada, Australia and many European countries too.

    10. Re:Intent? by james_gnz · · Score: 5, Insightful

      Contrary to OP's post, was not "mistakenly posted to a publicly available system (in the sense OP intends it)," it was instead, insofar as this is relevant, posted to a server with atrociously ineffective "security."

      I don't know how "security" is actually defined under the relevant law, however I think for something to qualify as security, it ought to require some effort or intent to bypass. Security ought to serve a "notice function". If you can accidentally bypass it without even realising you've done so, I don't think it ought to qualify.

    11. Re:Intent? by Anonymous Coward · · Score: 0

      "Intent to hack", with "hacking" being left entirely undefined (and having been stripped of all useful meaning in newsies' and "computer security professional" s'kiddies' vernacular to boot!), can mean anything whatsoever. That makes it bad law and a nicely fuzzy unclear example. They should've picked a different word for criminalisation in their "computer hacking" law and they should have precisely defined what their word means.

      In the meantime, the legal term is "mens rea", "guilty mind". The problem, of course, is proving your mind guilty. It's why American prosecutors have such field days with character assassination, just to try and get someone convicted.

    12. Re:Intent? by phantomfive · · Score: 1

      "Intent to hack", with "hacking" being left entirely undefined

      It's not undefined. You have to read the law to know the definition. If you're too lazy to do that, then you won't know the definition.

      --
      "First they came for the slanderers and i said nothing."
    13. Re:Intent? by Anonymous Coward · · Score: 0

      He guessed URLs of documents that were not supposed to be public. That can violate hacking laws in some countries. After all, trying to get into a system by guessing passwords probably isn't legal either.

      There was a case a few years ago in Germany where someone did something similar (although the URL guessing part was more complex than increasing a counter). IIRC someone managed to figure out how to access customer accounts via URL manipulation and got sued. Don't know what eventually became of the case but it's not that unusual to consider accessing information not meant for you as a potential crime.

    14. Re:Intent? by JaredOfEuropa · · Score: 2

      If you can accidentally bypass it without even realising you've done so, I don't think it ought to qualify.

      Exactly. That’s why IIRC our (Dutch) laws explicitly state this in their definition of “secured”. It’s the same as trespassing on private property that looks like it might be public, has no gate, and no “private property” sign. Not punishable.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    15. Re:Intent? by Anonymous Coward · · Score: 0

      DOJ is having issues charging a kid like this, downloading FOIA information and not charging Comey who leaked classified information to be published in the NYT.
      It's probably that simple, the rest is just an attempt to justify what they were doing.

    16. Re:Intent? by ooloorie · · Score: 1

      Maybe in China.

      In the UK:

      [The London Metropolitan Police] Though what the perpetrator has done may not be against the law, their reasons for doing it are. This means it may be possible to charge them with an offence.

    17. Re:Intent? by currently_awake · · Score: 1

      How bad does the security have to be, before you can legally assume they meant to grant full access? If you store your money in a hollow pumpkin on your doorstep, can visitors assume it's free money?

    18. Re: Intent? by currently_awake · · Score: 1

      You must be new here, as that hasn't stopped any of the other posters.

    19. Re:Intent? by houghi · · Score: 3, Interesting

      "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access"

      But he did not do any of that. He did not defraud anybody. He did not access a protected computer (with or without authorization). He did not exceed the authorized access as no authorization was given.

      It is as if you walk on the grass in a public park where it is allowed and then be arrested because you walked on all of the grass over time, walking back and forth.

      So even if he did it to sell it to the Russians and had any intent to sell it, that does not make it illegal.

      I have done a similar thing in the past where a friend asked me to rip a website so he would have info on companies, so he could sell his product to those companies by knowing how much they needed.
      This was publicly available information. All I did was automate the process instead of him going through it page by page. Got a few beers out of it.

      --
      Don't fight for your country, if your country does not fight for you.
    20. Re:Intent? by inhuman_4 · · Score: 1

      Indeed, if a crime was committed then surely it was by the person that released the documents to the public. Mishandling classified documents is a crime of negligence.

    21. Re:Intent? by houghi · · Score: 1

      The Dutch law also sees unencrypted emails as "postcards" in such that it is unreasonable to expect security from it and it is to be expected that others will (not can) read them.
      Encrypted ones are more like a letter in a sealed envelope, where opening them is clearly breaking the law.
      Reading a postcard not addressed to you? OK.
      Opening a letter not addressed to you? You are now a criminal.

      --
      Don't fight for your country, if your country does not fight for you.
    22. Re:Intent? by phantomfive · · Score: 1

      But he did not do any of that. He did not defraud anybody. He did not access a protected computer (with or without authorization). He did not exceed the authorized access as no authorization was given.

      He was in Canada, so you will have to look up the exact wording of the law in Canada.

      --
      "First they came for the slanderers and i said nothing."
    23. Re:Intent? by damien_kane · · Score: 1

      Unauthorized use of computer

      342.1 (1) Everyone is guilty [...] who, fraudulently and without colour of right, [...]

      The kid did the equivalent of look on a bulletin board in an arena/community center, and instead of tunnel-vision to the flyer he was told he could look at, looked 2 inches to the left.
      He then asked someone else (his computer) to continue moving two inches to the left until there was no more 'bulletin board' to look at.
      There was neither fraud nor lack of right, as it was posted on a public board.

      That's why prosecutors dropped the case, as they knew it was the server-owner's (read: government's) fault, not the kid's.

    24. Re:Intent? by Anonymous Coward · · Score: 0

      I think the point is - intent is meaningless if you don't actually break the law. In the post above yours, what if you do have criminal intent when you read the public road signs?

      Then explain what being arrested on suspected trespassing means.

    25. Re:Intent? by jdavidb · · Score: 1

      Links would be given to individuals to access information to which they alone had been granted the legal right to access. No such right had been bestowed on the accused who circumvented the "security,"

      The law should never treat security by obscurity as "security." Punishing somebody because somebody else was stupid is beyond wrong.

    26. Re:Intent? by yorgasor · · Score: 1

      Ah, that may be so. But did he exceed the authorization the government _intended_ to give? See, intent still plays a key role!

      --
      Looking for a computer support specialist for your small business? Check out
    27. Re:Intent? by Anonymous Coward · · Score: 0

      But he did not do any of that. He did not defraud anybody. He did not access a protected computer (with or without authorization). He did not exceed the authorized access as no authorization was given.

      He was in Canada, so you will have to look up the exact wording of the law in Canada.

      And then apologize.

    28. Re:Intent? by Capsaicin · · Score: 1

      I don't know how "security" is actually defined under the relevant law

      As you can see the word 'security' does not appear in the clauses I quoted, (nor, fyi, anywhere else in the operative clauses of this provision). Consequently any definition of 'security' would be of no legal effect. Unsurprisingly 'security' does not appear among the definitions in the provision.

      The crime here is committed in "obtain[ing], directly or indirectly, any "computer service" (or in causing a function of that system to be intercepted), where this computer service (which term includes "retrieval of data") is obtained without any right of access AND fraudulently. Now circumvention of a security system might go to the fraudulent nature of the act, but "security" per se, does not appear to be a necessary concept here.

      The question is simply, a) has the accused triggered the data retrieval mechanism b) was he or was he not authorised to do and c) was there fraud involved in how he did it. On the facts of the case, I feel that intent (which presumably would be the intent to trigger data retrieval) is established and no legal reason for dropping the charges, rather it would be the difficulty of arguing point c). But again, I'm ignorant of the relevant case law if any such exists.

      --
      Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
    29. Re:Intent? by Anonymous Coward · · Score: 0

      Contrary to OP's post, was not "mistakenly posted to a publicly available system (in the sense OP intends it)," it was instead, insofar as this is relevant, posted to a server with atrociously ineffective "security."

      I don't know how "security" is actually defined under the relevant law, however I think for something to qualify as security, it ought to require some effort or intent to bypass. Security ought to serve a "notice function". If you can accidentally bypass it without even realising you've done so, I don't think it ought to qualify.

      If you go to every house on the street and test every door to see if it's locked, just because you find an unlocked door doesn't give you the right to enter the house and take what you want.

      That's what this guy did. He went and tested every "lock" and took what he could find.

    30. Re:Intent? by Anonymous Coward · · Score: 0

      No, this was a system without security whatsoever. So, when he accessed a webpage (without any form of authentication or authorization), it returned something like "HTTP 1.1/OK". If you find a secret door in my house and, upon knocking, find that it displays "come on in" (a sign I put there), how did you trespass when you came on in? Seriously, there is no way to spin this as a crime, except by just deciding that bad things are crimes even when there is no law yet, which I think, phrased correctly, the majority would agree to. Sad and scary times we live in.

    31. Re:Intent? by Capsaicin · · Score: 1

      How bad does the security have to be, before you can legally assume they meant to grant full access?

      If you have to use a URL other than that which was given to you, either spelled out, or as an href, I doubt you will successfully be able to claim constructive authorisation to view the document behind that new URL, (where authorisation would usually be required). If you got desperate it might be worth a shot, but as the first line of defence I'd still challenge the idea that changing a URL is sufficient to constitute fraud. Remember they need to show a) that the accused "obtained" a "computer service" (which includes triggering a data retrieval mechanism) AND b) that he had no right to do so AND c) that he did so fraudulently. Defeat the weakest link in the chain and you've got your guy off.

      If you store your money in a hollow pumpkin on your doorstep, can visitors assume it's free money?

      So long as the visitors don't act on it, they are free to assume what they like. ;)

      But no, obviously they cannot legally take that money.

      --
      Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
    32. Re: Intent? by Anonymous Coward · · Score: 0

      Are you authorized to access doc235.html after been pointed to doc234.html? So in the USA, that is accessing a computer without authorization.... jailtime!

    33. Re:Intent? by drinkypoo · · Score: 1

      There's even a direct equivalent in law in the USA: Trespassing vs. Criminal Trespassing (with intent) vs. Breaking and Entering — the latter requires defeating a security device, however trivial. If you walk up to someone's front door and open it and go inside just to have a look around, that may not even be a crime. In some places, a sign saying "no trespassing" is not particularly legally significant. But once you've been notified that you're trespassing, you're definitely trespassing. If your goal was to steal or vandalize something (or otherwise commit a crime) it was always trespassing.

      On the other hand, if you're actually taking something then other laws apply. Picking up something on the street which could belong to anyone? In some places you're legally obligated to make some kind of notification, especially if it's over a certain value. If you want to take ownership of a vehicle, there is generally a specific process which must be followed, even if it's been abandoned on your land for years.

      On the gripping hand, nothing was taken here, only copied. It's nice to see that cool heads prevailed.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    34. Re:Intent? by drinkypoo · · Score: 1

      The law should never treat security by obscurity as "security."

      Passwords can be described as security by obscurity.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    35. Re:Intent? by Capsaicin · · Score: 1

      The kid did the equivalent of ...

      Please spare us the corny, faulty analogies and stick to the facts of the case and the relevant law.

      There was neither fraud nor lack of right

      I disagree with the latter, I see no right or authorisation to access other people's private information. I do, however, tend to agree with the former: trivially changing a URL to look at a nearby page should not suffice to make out fraud. In any case, if either of these elements is not satisfied their case is gone.

      That's why prosecutors dropped the case, as

      STOP! Stop right there! That is indeed why the prosecutors dropped the case, they couldn't make out the elements of the offence. End of story, no "as" nothing. Bang, he's free!

      --
      Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
    36. Re:Intent? by Capsaicin · · Score: 1

      The law should never treat security by obscurity as "security."

      You can see the law spelled out above. Where does it say anything about "security?"

      Punishing somebody because somebody else was stupid is beyond wrong.

      This isn't about what happens in anyone's personal opinion to be "beyond wrong." It's about whether the accused committed an offence under 342.1 of the Criminal Code. Evidently the prosecutors decided they could not prove he did.

      --
      Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
    37. Re:Intent? by anegg · · Score: 1

      The individual used the public interface to the web site in a manner which the public interface was intended by the originators of that interface to be used. Altering a URL by editing the address line was anticipated by the protocol and is supported by practically every available client implementation of applications that support the protocol. It isn't "hacking" (whatever that is) to use an application in the manner in which it was intended to be used. The government's action in publishing the FOIA information in this way was tantamount to publishing a book with all FOIA query responses on separate pages, followed by citing specific pages to specific FOIA requestors. The government would never be able to claim "unauthorized access" if someone subsequently leafed through the pages to read all of the FOIA responses.

    38. Re:Intent? by Falos · · Score: 1

      >In America, the Computer Fraud and Abuse [A]ct
      Stopped reading here. Thought we were talking about competent laws. My mistake.

    39. Re:Intent? by Dread_ed · · Score: 1

      I am, for once, impressed with the maturity and restraint of the /. crew. All this talk of intent, and not one mention of Hillary Clinton.

      Well done!

      --
      When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.
    40. Re: Intent? by Type44Q · · Score: 1

      Shill, you need to fuck off; you're getting nowhere with your hollow argument. You're clearly not cut-out for effective scumbaggery...

    41. Re:Intent? by Dagmar+d'Surreal · · Score: 1

      This completely ignores the point that the kid downloaded publicly available documents from a publicly available web server which under normal circumstances and when operating as intended did not restrict access to said documents.

      In short, he did not violate any law, therefore there is no reason to assess "intent". They're still trying to cover their asses for having uploaded sensitive documents to a public webserver, and using some kid as a sacrificial lamb to do it is not okay.

    42. Re:Intent? by Anonymous Coward · · Score: 0

      The question is simply, a) has the accused triggered the data retrieval mechanism b) was he or was he not authorised to do and c) was there fraud involved in how he did it. On the facts of the case, I feel that intent (which presumably would be the intent to trigger data retrieval) is established and no legal reason for dropping the charges

      If mere access and lack of undefined "authorization" is what constitutes a crime worthy of investigating, nearly everyone everyday is guilty. How many times have you clicked on a link before getting authorization to do so from the computer services owner associated with that link? The same can be said for typing a URL address. Any URL address.

      The law has not caught up with how web requests work. A user simply sends an HTTP GET request asking for information. It's up to the server to determine authorization. If the server sends information back when both the user and the server utilize normative protocol standards alone, then the server ought to be treated as authorizing the user. From technical understanding that is exactly what happens.
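
The comment above turns on the server being the place where authorization is decided. As an added illustration (not code from this thread or from the Nova Scotia portal), here is a document endpoint keyed by sequential IDs, first answering any ID that exists, then checking release status and requester on every request. The `Document` fields, IDs and applicant names are constructed assumptions.

```python
"""Sequential document IDs: unchecked lookup vs. server-side authorization.

Constructed illustration. The store layout, field names, IDs and applicant
names are assumptions, not the FOI portal's real schema.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Document:
    doc_id: int
    body: str
    redacted: bool             # redaction pass completed
    public: bool               # released to everyone
    requester: Optional[str]   # applicant entitled to a non-public release


# Constructed sample store with sequential IDs.
STORE = {
    d.doc_id: d
    for d in (
        Document(1001, "Released summary A", True, True, None),
        Document(1002, "Applicant-only response", True, False, "applicant-17"),
        Document(1003, "UNREDACTED personal data", False, False, "applicant-22"),
        Document(1004, "Released summary B", True, True, None),
    )
}


def serve_unchecked(doc_id: int) -> Tuple[int, str]:
    """Weak form: the ID existing is the only condition for a 200."""
    doc = STORE.get(doc_id)
    if doc is None:
        return 404, ""
    return 200, doc.body


def serve_checked(doc_id: int, user: Optional[str] = None) -> Tuple[int, str]:
    """Hardened form: the server decides, per request, who may read what.

    `user` stands in for an identity taken from an authenticated session
    (assumption; session handling is out of scope here).
    """
    doc = STORE.get(doc_id)
    # Unknown and not-yet-redacted IDs answer identically, so the response
    # does not confirm which numbers exist.
    if doc is None or not doc.redacted:
        return 404, ""
    if doc.public or (user is not None and user == doc.requester):
        return 200, doc.body
    return 404, ""


def exposure_audit(handler: Callable[[int], Tuple[int, str]],
                   id_range: Iterable[int]) -> List[int]:
    """Operator's self-test: IDs an anonymous request can read but should not."""
    leaked = []
    for doc_id in id_range:
        status, _ = handler(doc_id)
        doc = STORE.get(doc_id)
        if status == 200 and doc is not None and not (doc.redacted and doc.public):
            leaked.append(doc_id)
    return leaked


if __name__ == "__main__":
    ids = range(1000, 1006)
    print("unchecked leaks:", exposure_audit(serve_unchecked, ids))
    print("checked leaks:  ", exposure_audit(serve_checked, ids))
```

Run against the operator's own store before publication, the audit lists every ID where the only barrier is that nobody has typed the number yet.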

    43. Re:Intent? by Anonymous Coward · · Score: 0

      Exhibit A as to why all lawyers should be shot on sight.

    44. Re:Intent? by suutar · · Score: 1

      Looked at from one way, yes, secret knowledge is a form of obscurity. However, that's not how the term is typically used in terms of computer security. A formal definition would be useful :) I think a first cut might be "if getting to the information requires knowledge of a secret that is closely held (like a password) it's not just obscurity. If it requires knowledge of a secret that's embedded in widely distributed and easily accessible code (like a default password in plaintext in firmware/accessible source), it's obscurity. If it doesn't require a secret at all (like web URLs) it's not security at all."

    45. Re:Intent? by Anonymous Coward · · Score: 0

      IANAL. A door need not be locked for someone to be guilty of trespass. Access does not equal permission.
      So just the fact that URLs are exposed does not mean that someone has the authorization to download them.

    46. Re:Intent? by Anonymous Coward · · Score: 0

      " is obtained without any right of access"

      He clearly had authorization. The system responded to his request. He was only able to obtain it because they *SENT* it to him after he sent them a request for said data.

      "a) has the accused triggered the data retrieval mechanism"

      This is misleading. He sent a communication to the system. That system responded. If they didn't authorize him they should not have programmed the system to respond to him. It's that simple. Otherwise we're all guilty here whenever we click on a link.

    47. Re:Intent? by david_thornley · · Score: 1

      Computer access is not legally the same as money.

      There's a lot of legal things where a security device doesn't have to be good, but it does have to be noticeable. If a lock is sufficiently fragile that it opens on a slight bump, the door isn't locked. Typically, a security feature is legally there to tell people that they aren't allowed in.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    48. Re:Intent? by david_thornley · · Score: 1

      Some of the laws are pretty unclear. Presumably they'll get corrected somehow (in the US, either by legislative action or case law). Also presumably, more situations will develop that laws don't adequately cover.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    49. Re: Intent? by david_thornley · · Score: 1

      IANAL, but I believe it's been pretty well established in the USA that changing URLs is not trying to get unauthorized access.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    50. Re:Intent? by phantomfive · · Score: 1

      In short, he did not violate any law,

      You can't know that without reading the law.

      --
      "First they came for the slanderers and i said nothing."
    51. Re:Intent? by Capsaicin · · Score: 1

      The individual used the public interface to the web site in a manner which the public interface was intended by the originators of that interface to be used.

      No, obviously not by the authors of that particular interface, (in contradistinction to the general protocol perhaps). The designers of that interface evidently thought it sufficient to give each applicant a specific URL which they were to use to access only the information they were entitled to see. It almost goes without saying that they failed even to consider the likelihood of anyone doing what the accused did .... astounding as that might seem to us.

      Altering a URL by editing the address line was anticipated by the protocol and is supported by practically every available client implementation of applications that support the protocol. It isn't "hacking" (whatever that is) to use an application in the manner in which it was intended to be used.

      The question is not "was it hacking." The question is: a) did the accused "obtain" a "computer service" and b) in doing so did the accused lack a specific right to obtain that service and c) was it obtained by means of fraud. How do the motivations you impute to web client designers address those questions?

      The government's action in publishing the FOIA information in this way was tantamount to ...

      Not the worst analogy, up to the next point.

      ... The government would never be able to claim "unauthorized access" if someone subsequently leafed through the pages to read all of the FOIA responses.

      Why not? If authorisation were required to access the information on any page and you were authorised to look at page 665, your looking at page 666 would be, almost by definition, unauthorised. You would have "no colour of right" to look at the next page. Whether merely turning the page (or editing a URL) would constitute fraud, OTOH, is doubtful.

      --
      Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
    52. Re:Intent? by Anonymous Coward · · Score: 0

      And remember intent does not require knowledge that an act is criminal.

      This is a very problematic statement from a legal ethics perspective.

      To have good ethics, even the appearance of conflict of interest must be avoided when alternatives exist.

      If laws are written that criminalize conduct one would not reasonably expect to be criminal (whether directly, or by the use of a concept of "intent" that results in a different outcome than one would reasonably expect), then that creates an artificial demand for the services of lawyers.

      As lawyers are involved both in writing and enforcing the laws, and in charging money to advise and inform on the law, there is a clear appearance of conflict of interest in such situations.

      In other words, the creation (or even enforcement or use by a legal professional) of many laws (or precedents) - those that have the effect of creating legal penalty for reasonable conduct - could be considered "rent-seeking behaviour" on the part of legal professionals, and hence unethical practice of law.

      It could even make people scared of their own legal system, and turn the legal profession into a protection racket.

      The same considerations apply to laws that make the penalties more serious than one would expect. The concept of penalty here does not just include jail time or fines imposed after conviction, but also could include having a gun pointed at one, being arrested and restrained, having to appear in court, or even having to take the time to find a lawyer. The human life span is finite and precious: taking a portion of it (by wasting somebody's time) without strong and compelling justification is clearly wrongful conduct, even if it is done "under the colour of law".

      Just as we recognize kidnapping for financial gain as being an inappropriate activity, so too must we recognize as inappropriate aspects of law that steal a portion of somebody's life by wasting their time while legal professionals are profiting from the situation.

      This case is in Canada, but in other places such as the USA the legal ethics problem is even more serious, because associations of legal professionals make campaign contributions to the politicians who select judges, and who vote on the pay raises for judges, and who could (in principle) decide whether or not the judges are compliant with the "good behaviour" requirements of their position (for federal judges). Also, the Bar Associations typically participate in the selection process for judges, even if only officially in an "advisory" manner. In such a situation, it can reasonably be asserted that we have moved FAR beyond mere appearance of conflict of interest.

      Claims that "ignorance is not a defence" or "intent does not require knowledge that an act is criminal" are always very tricky as a result of these legal ethics considerations. There are many circumstances where ignorance should be a defence, and there are others where it should not. There are situations where intent should require knowledge that an act is criminal, and perhaps there are those where it should not (though these would probably be quite unusual in a well designed legal system). It probably shouldn't be up to the lawyers to decide one way or the other.

      A good introduction to the concepts/history/philosophy/economic aspects of law in a required high school class (something that no public education system does, to the best of my knowledge) would probably help a lot with respect to making sure that ignorance of really important stuff is addressed - but that doesn't entirely remove the problem.

      Along the lines of Nuremberg, just because something is written into the law does not make it legal - and people should have the sense to do the right thing in any such situation. The police probably shouldn't have made an arrest here, but at least things seem to have worked out ok in the end.

      Things could have gone a lot worse: at least they didn't send a SWAT team and shoot an unarmed person on the doorstep of their home (then try to claim it wasn't wrongful conduct).

    53. Re: Intent? by Brockmire · · Score: 0

      It's more like a sign saying "take this path through the grass" and you actually take another path that was accessible but not supposed to be available and wasn't advertised as being a path through the grass.

    54. Re:Intent? by DarthVain · · Score: 1

      Further to another poster's comment, intent is almost everywhere in laws. Even look at the more grievous ones (in a simplified nutshell):

      1st Degree Murder: I killed someone. I intended to do it. I planned it out in advance.
      2nd Degree Murder: I killed someone. I intended to do it. I didn't really plan to however.
      Manslaughter: I killed someone. I didn't intend to do it, but through my negligence it happened. I didn't really plan to either.

      So a pretty big difference, not only in charge, but in possible punishment. The first is more your typical murder (finding out wife is having an affair, then killing the guy 3 months later), the second typically a crime of passion (walking in on wife in bed with another man), the third was probably an accident, but one that could have been prevented (drunk driving).

      So ya, "intent" is pretty critical in interpreting the law.

    55. Re:Intent? by laughingcoyote · · Score: 1

      Actually, what he did was walked down a sidewalk that appeared to be open to the public. It is a reasonable assumption that a resource accessible by simple URL is intended to be made available to the general public to view. If that's not the case, there's no reasonable way he could have known that, and his presumption that it was intended to be open to the public was entirely reasonable, just like a pedestrian's presumption that they are allowed to walk along a publicly accessible sidewalk. If the sidewalk is private or restricted, it is up to its owner to clearly notify people that the default state of affairs is not true in this particular case.

      --
      To fight the war on terror, stop being afraid.
    56. Re:Intent? by freudigst · · Score: 1

      Maybe in China.

      The U.S. is long headed in that direction already.

  4. I venture to say by Hugh+Jorgen · · Score: 0

    It was the prosecutor and not police that brought and dropped charges.

  5. If it's on a public facing server... by grep+-v+'.*'+* · · Score: 4, Interesting

    If it's on a public facing server it's "fair game", whether it's supposed to be or not.

    And "did not have intent to commit a criminal offense" -- maybe this is just in the US, but I thought that "ignorance is no excuse for breaking the law." If he broke a law, let's have him and the law he broke. If not, let him go -- and then let's update all the knowledge of the people who thought he did so this doesn't happen again. (Tech AND Legal.)

    I don't necessarily mind misteaks :-), but not for a second time. (And can you imagine -- the police arresting you just for accessing a public website?)

    Sounds like he broke the law: "I don't like what you're doing." Where is that one written down anywhere? Or is this the "Nice place you've got here, shame if something ..." law?

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    1. Re:If it's on a public facing server... by amiga3D · · Score: 1

      James Comey specifically stated that Hillary was not prosecuted because "she had no intent to break the law." So intent and mind reading do play a role in what laughingly passes for police work in the US Federal Bureau of Investigation.

    2. Re:If it's on a public facing server... by Linsaran · · Score: 2

      Intent, specifically mens rea, is an important part of the legal system.

      Although what he ultimately did was illegal (obtained unredacted state secrets), he was not originally trying to obtain state secrets, nor could he have reasonably thought that what he was doing would lead to him obtaining state secrets. He had no reason to believe that the information he was able to access via that website, whether he did it via hyperlink or via a script as described in the original article, would be anything other than the publicly available information released via the FOIA. Thus even if he ultimately performed an actus reus he did it without mens rea. I don't know what led you to believe he broke the law, but everything about this case implies to me that this guy didn't do anything I (and fortunately the courts agree) think is wrong.

      --
      In a bit of shameless internet panhandling, I accept Litecoin Donations at Lbd2oH9QsthD1GfuUXPyka12YxvWJYnBVf
    3. Re:If it's on a public facing server... by Aereus · · Score: 2

      Not just that it was public facing: If it was the FOI website, wasn't that the entire point of the server? To provide these documents to citizens? The only minor issue I could see was if he didn't set a reasonable refresh time on scraping documents and was hammering the server, thereby causing troubles for other users.

    4. Re:If it's on a public facing server... by Anonymous Coward · · Score: 0

      James Comey specifically stated that Hillary was not prosecuted because "she had no intent to break the law." So being rich, famous, and extremely well-connected do play a role in what laughingly passes for police work in the US Federal Bureau of Investigation.

      Fixed that for you.

    5. Re:If it's on a public facing server... by 91degrees · · Score: 1

      maybe this is just in the US, but I thought that "ignorance is no excuse for breaking the law." If he broke a law, let's have him and the law he broke. If not, let him go

      Ignorance of the law is no defence. Ignorance of the facts can be. For example, if I buy something and it turns out it's been stolen, I'm not guilty of a crime, but if I know it's been stolen I am.

      It comes down to criminal intent, or mens rea (which literally means "guilty mind"). It's always tricky to prove because it's easy enough to show that someone had the goods, or downloaded the materials but we have no guess why they did so.

    6. Re:If it's on a public facing server... by Anonymous Coward · · Score: 0

      Which is funny because the law she broke specifically did not require intent. US servicemen had been prosecuted under the same law for accidentally throwing away a document with classified intel instead of shredding it.

    7. Re:If it's on a public facing server... by Anonymous Coward · · Score: 0

      (And can you imagine -- the police arresting you just for accessing a public website?)

      Yes of course. The internet is full of images and text that if you're seen to possess it's a crime.

    8. Re:If it's on a public facing server... by thegarbz · · Score: 1

      If it's on a public facing server it's "fair game"

      No it's not. ... I don't agree with it, but just accessing information not intended for you is illegal in some jurisdictions. The outcome of those cases is very similar to what happens when you hit someone with your car. Did you accidentally bump into them? Did you attempt to murder them?

    9. Re:If it's on a public facing server... by Anonymous Coward · · Score: 0

      If it's on a public facing server it's "fair game", whether it's supposed to be or not.

      A whole host of cybercrime, hacking, espionage, etc laws disagree. You're not allowed to break into any system just because it's on the Internet. You're not allowed to break into any house just because it's on a public road either, in case you were considering that.

      You could argue that unprotected data is fair game but then you run into the question what "protected" means. Is some non-public URL the same as a password and can his actions be considered bruteforcing? How good does a "protection" have to be so that its circumvention can be considered illegal?

    10. Re:If it's on a public facing server... by spire3661 · · Score: 0

      James Comey is a liar......Do not reference him.

      --
      Good-bye
    11. Re:If it's on a public facing server... by jm007 · · Score: 1

      analogy time!!

      - public servant needs to get info to citizen
      - servant leaves a box of papers on the sidewalk for the citizen to pick up later
      - trash/recycle man comes by and takes box
      - gov't decides this was important personal info and the trashman is arrested for theft, etc.
      - why the fuck isn't the dumbfuck entity that puts shit on the sidewalk as a normal course of business not on the hook?!?

    12. Re:If it's on a public facing server... by Jason+Levine · · Score: 1

      If it's on a public facing server it's "fair game", whether it's supposed to be or not.

      Exactly this. If the government wants to go after someone, go after the person who uploaded the non-redacted documents to the public server. That's where the problem occurred, not with the kid whose script to access public documents also pulled documents that shouldn't have been there.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    13. Re:If it's on a public facing server... by currently_awake · · Score: 2

      Obtaining state secrets is only illegal if you had official access to them, or broke in and stole them.

    14. Re:If it's on a public facing server... by Anonymous Coward · · Score: 0

      It is possible to both be ignorant of the law, and break it with intent.

      For example: I decide to drive at 200km/h just to try it. So I went fast intentionally! Then they tell me there are speed limits on this road - I had no idea. Thought this road was part of the raceway, didn't know it was an accessway where normal rules apply.

      The intention was perhaps not "to break the law" explicitly. But what I did, was done intentionally. As opposed to doing something by mistake.

      On a similar vein, you can hack into a website intentionally. Or you can click a link someone sent you, that happens to contain the " '1=1; " sql trick. Unintentional hack.

    15. Re:If it's on a public facing server... by Anonymous Coward · · Score: 0

      Are people really this stupid or are they willfully ignoring the actual situation with the whole "emails scandal"?

      Please tell me what law the servicemen broke that Hillary also broke. I'll wait.

      In the meantime:

      A) Stop bringing up servicemen. They are under entirely different rules than citizens

      B) Citizens who are working for the government and who, through negligence, leak sensitive information will lose their job.

      C) Citizens who are working for the government and who, through purposeful intent, leak sensitive information, will be prosecuted for a criminal offense.

      Hillary is not an active member of the military, so military examples and rules don't apply. Hillary was no longer working for the State Department, so reprimands or firing her are moot points. The investigation determined she was not intentionally sending information to other parties, and therefore there was no criminal intent, simply negligence (which, as we've already covered, has no consequences once the individual is no longer employed).

      Hillary deliberately hid and obfuscated her communications (as do many government officials). I think it is an abhorrent practice. I think she's a deceitful individual, and I think her lack of transparency is part of an overall culture of secret keeping in our government that needs to be eradicated. That said, she did not do anything, under our current laws, which would lead her to jail time. Maybe you think the laws need to be more strict, but let's stop harping on this ancient topic.

      No one should give two shits about Hillary Clinton at this point.

    16. Re:If it's on a public facing server... by amiga3D · · Score: 1

      He's got plenty of company there. The 7th floor is full of them. Congress has been content to let them abuse their power for decades and now they've gotten to the point where they feel they are entitled to act as they see fit regardless of any rules or laws. I blame Congress for all of this, it's their damn job to oversee these agencies and to rein them in. That's what they are there for.

    17. Re:If it's on a public facing server... by Anonymous Coward · · Score: 0

      When you try to drive 200 km/h in Germany, please check your rear view mirror regularly so you can move over to allow the really fast cars to pass you...

    18. Re: If it's on a public facing server... by Anonymous Coward · · Score: 0

      He's also a hollow null pointer sort of individual, so don't dereference him either!

    19. Re:If it's on a public facing server... by Anonymous Coward · · Score: 0

      Hillary lost. GET OVER IT!

    20. Re:If it's on a public facing server... by david_thornley · · Score: 1

      And everywhere else. Lots of laws are based on intent. The usual difference between first-degree and second-degree murder is intention.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    21. Re:If it's on a public facing server... by DarthVain · · Score: 1

      "If it's on a public facing server it's "fair game", whether it's supposed to be or not."

      I don't think that is really the case, though that could be that the above comment could be interpreted differently.

      Just because it is on a public facing server doesn't make it fair game. I think in this particular case what was wrong was that they didn't make a reasonable effort to keep it secure, and it was also reasonable to assume that as a result the individual didn't realize they were doing anything wrong as a result.

      There are plenty of examples of PI on public facing servers, however in all cases that data should be kept secure to the extent that were someone to gain unauthorized access to it the amount of effort involved should leave no doubt to the fact that they are doing something illegal.

      This is a case that the NS government was in the wrong for allowing the breach and tried to blame some kid for finding out about it.

    22. Re:If it's on a public facing server... by DarthVain · · Score: 1

      Additionally, once the police are involved, they gotta do what they gotta do until the investigation is done.

      Pretty sure once the police (and crown lawyers) finished finding out what had occurred, they were pretty unimpressed with the NS government, and were like "uh huh".

      As mentioned in the previous article, if there is any legal action here it is more likely going to be in the form of civil suits from either the kid, or those individuals whose information was released by the negligence of having what amounts to zero security over it.

  6. Same thing happened to Aaron Swartz... by Anonymous Coward · · Score: 0

    And then that Woman happened to him!

  7. so traffic tickets is a committing a crime and hav by Joe_Dragon · · Score: 1

    so traffic tickets is a committing a crime and they can use that to get you for just having them? Good thing we have the NRA to stop any BS like with guns. So bad we don't have the same power for tech stuff.

  8. Mistakes by Anonymous Coward · · Score: 3, Insightful

    People that can use computers get punished for the mistakes made by people that can't use computers...

    Reality is just like working in IT.

    1. Re:Mistakes by Anonymous Coward · · Score: 0

      People that can use computers get punished for the mistakes made by people that can't use computers...

      Reality is just like working in IT.

      That's because powerful people are generally the ones that can't use computers as they are too busy with grinding faces under jackboots to learn how, so it's just easier to toss a few more under the heel when it's pointed out in an embarrassing way. Kill the messenger, make an example. If you can't secure your data, terrorize your citizens so that few would even think about it and many would take precautions to make certain the possibility of even accidentally exposing government malfeasance, fraud (whose political buddies were paid to secure it?), corruption, and sloth was extremely low.

  9. Re:so traffic tickets is a committing a crime and by Anonymous Coward · · Score: 0

    "Good thing" and "NRA" in the same sentence seems a little suspect.

  10. Tension Between Law and Technology by ytene · · Score: 1

    The legal profession adopted a saying which goes all the way back to ancient Greece [circa 4th Century BC]:-

    "The wheels of justice turn slowly, but they grind exceedingly fine..."

    Meaning that although changes to the law and the framework of justice might take a while to be developed, once done, the result tends to be pretty comprehensive. Of course, this means that there is a dynamic tension between "Justice" (which moves slowly) and anything which is dynamic and develops quickly.

    What is perhaps most interesting [and most troubling] about this story is the fact that, once again, we see a failure of the incumbent justice system to acknowledge that it has a weak spot when it comes to potential or actual technology-based crime.

    In this specific case, the linked article merely says that the Police Department received information which has prompted them to drop the case. What they don't say is that they will even consider a review of the way that they make determinations concerning this type of computer crime. And there's the rub. It's a little unfair to be too critical of Nova Scotia Police in this instance - all the evidence before them is that this is an isolated incident [although the article cites 11 different IP addresses had come across and exploited the same vulnerability that the un-named 19-year-old was facing potential charges for]. So this one case has died a natural death and everyone returns to their default setting, but no corrections have been made to the way that law enforcement interpret this type of event.

    Within the legal profession there may be the mistaken view that "technology merely allows us to automate things we used to do by hand, to alleviate the effort required" and thus that whatever laws would have been applied to the manual equivalent of a technology-enabled process can be re-applied to an automated one.

    Unfortunately, this simply isn't true. Even before work on "Artificial Intelligence" started, we had plenty of evidence to show us that techniques such as BDA (Big Data Analytics) could achieve things that no human ever could.

    It won't be popular with Justice Departments, but in most if not all cases these organisations need to have a complete rethink about the way that the law intersects with technology. This doesn't mean that justice's slow-moving wheels need to turn faster, but it does mean that they need to develop ways of coping with things that do.

    1. Re:Tension Between Law and Technology by Anonymous Coward · · Score: 0

      I'm having a hard time figuring out where law, justice, or legal come into play.

      This was a web server serving files publicly. He was a member of the international public community and utilized the web server as it was intended to be used.

      Even if his intent was criminal, it's like saying he had criminal intent to drink a cup of water or the criminal intent to obey gravity. Indeed perhaps he was criminally intent right up the wazoo but that matters not, he did nothing wrong, anyone who pretends his intent had anything to do with it, or the law has not caught up with something or other must be huffing glue.

      He in no way shape or form did anything wrong, illegal, or anything else. If anyone detained him for any reason it is kidnapping and they should be thrown in jail, if they touched him it was assault and they should be charged, if they harassed him it is criminal harassment, if they threatened him it is again criminal harassment.

      Whatever prosecutor has harassed this man requires jail time like any other criminal, any officer of the law with 2 brain cells to rub together who touched or held or even questioned this man should be smacked with a law book like a cockroach being squished with a rolled up magazine.

      The law and everything else is entirely perfectly crystal clear, nothing wrong or illegal happened here except as perpetrated by our own legal branch of government who should pay dearly for it if he was kidnapped, assaulted or harassed.

    2. Re:Tension Between Law and Technology by ytene · · Score: 1

      Sadly, that's all too simple to answer:-

      The Computer Fraud and Abuse Act.

      The problem is that some of the laws governing use of computers - such as the above - have been written so broadly, with such vague definitions, that a prosecutor given the facts of this case, could pretty much decide whether or not to prosecute based on how they feel that day.

      As per the description in the linked Wikipedia article, take a look at "Criminal Offenses under the Act" and consider (a)(1) and (a)(2), both of which cover "access to a computer system ... exceeding authorized access". A prosecutor can argue that a user of the system was not intended to write a script to iterate through detail pages - and from that one argument can build a case to show criminal activity under the terms of the act.

      Please note, I am not for one moment arguing that to do so would be fair, rational, or even sane, I am just pointing out that this is how the law works. As the entirely relevant saying goes:-

      "The law may upset reason, but reason may not upset the law."

      A scenario frighteningly similar to this case resulted in a federal prosecutor bringing a whole host of charges against Aaron Swartz, which, tragically, ended when he took his own life. We can only speculate, but there is a lot of circumstantial evidence in that case to suggest that either the prosecutor was out to make a name for herself, or that Aaron, with his eloquence, brilliance and passion for justice, was making a few people sufficiently nervous that the idea of having him barred from public office [because having a conviction would do that] would be in their interests...

      However, in this case I think it would be inflammatory to suggest that the case would ever have gone that route. What does worry me, however, is that cases like this, which can be argued to be crimes because of a badly-formed, poorly-worded law, can result in miscarriages of justice unless they are caught in the bud.

      As I'm trying to show here, the wording of the Computer Fraud and Abuse Act, even though it has been amended six times since it first made it on to the statute books, remains inflexible and out-of-touch with reality. The last amendment, for example, was in 2008. Think about all the technological breakthroughs we've seen in the last 10 years and ask yourself whether any of them might fall foul of some of the provisions of this act?

      Maybe as a compromise we could set a high bar for the prosecution; maybe it's enough to demand that they show malicious intent - but if all we do is "raise the bar" for a conviction, we do nothing to stop vexatious or pointless cases being brought before a Court. The only way to do that is to change the law.

    3. Re:Tension Between Law and Technology by Immerman · · Score: 1

      >utilized the web server as it was intended to be used.

      That's just it - he didn't. It sounds like the server was intended to be used by making a specific request for documents, and then receiving links to those "approved" documents that satisfied the request. He bypassed that interface to download all the documents directly, and in doing so bypassed the "approved document" screening.

      Of course that speaks of a "security" system so weak as to be unworthy of the name, but the fact that internal components of the system were exposed in such a way as to be easily exploitable doesn't change the intent. The intent of a cash register is that you enter a transaction and the drawer opens to allow you to insert payment and remove any change required. The fact that it exposes the internal details of "all the money in the register" doesn't change the fact that ringing up a stick of gum and stuffing all that money in your pockets is not the intended purpose.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    4. Re:Tension Between Law and Technology by Anonymous Coward · · Score: 0

      Lick that bootheel you fucking collaborator.

      Everyone involved in this mess should be criminally charged. There is no question, there is no quarter, they will either be charged or we will make them pay.

      Grow a spine you worthless coward, your ancestors would piss upon you for what you have become and rightfully so.

    5. Re:Tension Between Law and Technology by Anonymous Coward · · Score: 0

      I would say the problem is in the statement; "He was a member of the international public community and utilized the web server as it was intended to be used."
      Intending to be used by whom?
      The person in the government who set up the systems seems to have thought; "People will access the document I authorize them to see by clicking the link I send them that will take them to the URL I have authorized them to witness."
      As a computer person you (and I) would tend to think: "If I can type the URL into a web browser I am authorized to view (and save) the resultant document. It's how the protocol works."
      So Intending to be used by Whom? The government official (who doesn't seem to understand how the technology works) or you and I (who does)?

    6. Re:Tension Between Law and Technology by david_thornley · · Score: 1

      However, looking inside a cash drawer is legal.

      Typically, a security system has to be strong enough so that someone's aware of breaking it. I'd suggest that a security system you can break without trying is no security system. It's possible to mistype a URL, so a system based on URLs for security doesn't count. A login that's easily cracked, or enforces bad passwords, requires an intruder to bypass the login mechanism or type a password, so that would count.

      Again, IANAL, so consult an actual lawyer before doing anything potentially suspicious with other people's computers.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    7. Re:Tension Between Law and Technology by Anonymous Coward · · Score: 0

      I would have to say reality has the final vote. Reality is that you put a document out for the public it is for the public end of discussion. That is how this system was set up and has been operating for 35 years. There is literally no one at this point who does not know how the internet works, we have all grown up with it, even the elderly cannot claim ignorance of something that has been around and a core of society for 35 goddamned years. That is like saying these people are aliens from another planet and did not know that we don't greet each other by jamming our foot up each others anus'. It is ridiculous to pretend people do not know what a computer is, how to use it, or how the internet works. People pretend that way when it is convenient but I think it is time we stopped playing the naivety game after THREE AND A HALF DECADES it has certainly been enough that we can safely assume anyone saying they don't know how it works is being a disingenuous liar, especially in this case as these were government officials who no doubt deal with computers on a day in and day out basis.

      Let there be no mistake, the government screwed up, then sent in jack boot thugs to turn this man and his family's life upside down, stole their property, illegally assaulted him, harassed him, dragged his name through the mud, kidnapped him, and illegally forcibly confined him.

      If there is justice in Canada the prosecutor will be in a jail cell very soon.

  11. Intent, Discretion, and Mens Rea by SeattleLawGuy · · Score: 2

    Intent is an important part of many laws.

    This. Not only intent, but also discretion. As a practical matter, we've known for centuries that democracies overcriminalize because it is in the interests of legislators to never be blamed for letting a bad person out of jail. Thus the justice system depends on the discretion of police officers not to punish every innocent mistake and the discretion of prosecutors not to prosecute when it's too counterproductive or unfair. This doesn't always work, of course, but it's a huge part of criminal justice.

    Intent is also critical. Most crimes have a "mens rea" and an "actus reus," basically the criminal intent and the criminal act. So if I take your laptop knowing it's yours, that's theft, but if I mistake your laptop for mine, my mistake of fact (i.e. I thought it was my laptop) negates the criminal intent part of the crime, so I haven't committed theft. (YMMV in practice, since a police officer or a prosecutor or a jury has to believe me.)

    Of course, intent in law frequently means intent to do the thing, rather than intent to do the thing with an evil motive. So talking about classified documents may be a crime even if the government accidentally mails them to you or they are published in the Times, but no reasonable prosecutor is likely to go after you for that unless something else pretty bad is going on. That's where discretion comes in.

    (And yes, obviously there are first amendment limitations that could come up, which would be balanced by a court against national security interests.)

    --
    Real lawyers write in C++
    1. Re:Intent, Discretion, and Mens Rea by houghi · · Score: 1

      As a practical matter, we've known for centuries that democracies overcriminalize because it is in the interests of legislators to never be blamed for letting a bad person out of jail.

      Uh, no. "Innocent until proven guilty" by definition means that guilty people WILL walk free. The fact that this is seen as such in the US is unrelated to other democracies.
      I am sure that every country has plenty of cases where they KNEW who the guilty were and still let them go, because of the due process. e.g. letting people go because their case has aged. If this were not the case, there would not be a time limit on many types of crime.

      So, no, you are wrong. The reason democracies have so many laws is because there are so many expectations and rules. If I were the sole ruler I would only need one law "I am always right and I decide what punishment will be." This could be different from day by day on how I feel, but there would be only one law.

      Overcriminalize is a pure US invention where people are found guilty of crimes that are not even crimes and then convince other countries to adapt these laws.

      --
      Don't fight for your country, if your country does not fight for you.
    2. Re:Intent, Discretion, and Mens Rea by david_thornley · · Score: 1

      It isn't illegal for me to do anything with classified material. It's illegal to leak the stuff. Try another example.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    3. Re:Intent, Discretion, and Mens Rea by SeattleLawGuy · · Score: 1

      See, e.g., https://www.law.cornell.edu/us...

      Read it literally, and it doesn't require you to be the original leaker of the information. Because you are knowingly and willingly communicating the still classified information to an unauthorized person.

      Which is kind of beside the point, since the particular example doesn't matter much.

      --
      Real lawyers write in C++
  12. Intent... by rew · · Score: 1

    > did not have intent to commit a criminal offense by accessing the information,

    When the computer hacking laws were introduced, that was one of the drawbacks: Intent does not matter, for the law. So in this case, it is just the law enforcement being nice in not pursuing the case while they are convinced there was no intent.

    But according to the letter of the law, intent does not matter!

    1. Re:Intent... by Anonymous Coward · · Score: 0

      Only - He was not "hacking" the computer, he was merely mass-downloading publicly available documents. That is in no way and in any form a "hack". The only "criminals" were the ones that made the documents publicly available that should not have been available.

      Now - Why are they not the ones that are prosecuted?

    2. Re:Intent... by hyades1 · · Score: 1

      Maybe that's how it is in the US. In Canada, we still have a few tattered shreds of our Charter of Rights and Freedoms left.

      --
      I've calculated my velocity with such exquisite precision that I have no idea where I am.
    3. Re:Intent... by Layzej · · Score: 1

      When the computer hacking laws were introduced, that was one of the drawbacks: Intent does not matter, for the law. So in this case, it is just the law enforcement being nice in not pursuing the case while they are convinced there was no intent.

      "In order to break this law, you have to have done it with fraudulent intent," said David Fraser, a lawyer with McInnes Cooper in Halifax who specializes in technology and privacy laws.

  13. I'm shocked by nospam007 · · Score: 1

    Putting an address in the address bar of a browser is not a crime?
    Call me shocked.

  14. Ignorance of *the law* is no excuse by SeattleLawGuy · · Score: 2

    maybe this is just in the US, but I thought that "ignorance is no excuse for breaking the law."

    It depends on precisely what you are ignorant of. "ignorance of the law is no excuse" is usually how it's phrased, IIRC, which strikes closer to the truth because it's about being ignorant of *the law*, not ignorant of *the facts*.

    Generally in criminal law (at least in the US), a mistake of law ("I did not think it was illegal to do X") will not excuse a crime, but a mistake of fact ("I did not think I was doing X") can sometimes negate a required element of the crime. So if you take a pen knowing it belongs to someone else you are committing a crime (albeit a small one), but if you take a pen because you confused it with your pen you are generally innocent (unless nobody believes you because you have a habit of stealing pens). It depends on what the specific elements of the crime are, which vary a bit from state to state.

    --
    Real lawyers write in C++
  15. Re:so traffic tickets is a committing a crime and by spire3661 · · Score: 2

    Whether you choose to accept it or not, the NRA represents a significant block of grassroots voters. It is entirely funded by its members and represents a large voting block.

    --
    Good-bye
  16. Yes their Intent is important... by harvey+the+nerd · · Score: 1

    The Canadian authorities apparently think they are the Stasi.

    Once it was on a public server, without any posted or recognizable warnings, the kid has a pretty solid defense of innocence. If there is some real security breach involved, then they should inform him politely and perhaps firmly, and ask/demand their secret info back (if it still matters).

  17. I really need to start paying for a VPN by Pinky's+Brain · · Score: 1

    We all have something to hide from the state, to wit every single activity you perform because it can piss them off arbitrarily.

  18. Re:so traffic tickets is a committing a crime and by crunchygranola · · Score: 1

    It is entirely funded by its members

    Not according to this article. More than half of its money comes from the gun industry. And then there are all those foreign contributions, including Russian sources.

    --
    Second class citizen of the New Gilded Age
  19. Hope for Canada by thesnable · · Score: 1

    There is still a little bit of hope for Canada. I am happy.

  20. Re:so traffic tickets is a committing a crime and by DamnOregonian · · Score: 1

    lolwut? Amazing. Every word of what you just said... is wrong.

  21. Re:so traffic tickets is a committing a crime and by Anonymous Coward · · Score: 0

    Funding - half of a large number is still a large number (assuming the above statement could be correct).
    Gun Manufacturers can not constitute a significant portion of NRA voting membership, regardless of how much funding they provide.

  22. Re: BeauHD is a homo and homos are gay. by Anonymous Coward · · Score: 0

    Well at least yours is.

  23. The real crime by Anonymous Coward · · Score: 2, Insightful

    Why is no one interested in why the non-redacted data was there publicly available in the first place? It seems a far more relevant topic to me than whether or not someone accessing it is in the right or wrong. If anyone should be sanctioned, it should be those people or the agency which publicized the private data to begin with.

    1. Re:The real crime by Anonymous Coward · · Score: 0

      Why is no one interested in why the non-redacted data was there publicly available in the first place? It seems a far more relevant topic to me than whether or not someone accessing it is in the right or wrong. If anyone should be sanctioned, it should be those people or the agency which publicized the private data to begin with.

      The documents accessed were created by the government in response to specific freedom of information requests by individuals about themselves. Each document was sequentially labelled, not with a scrambled unique identifier difficult to guess, so the accused attempted to retrieve a document via this sequential identifier. How the accused came across the first document (URI) is immaterial though possibly as a result of a search engine query which returned an embedded URI as part of the data.

  24. Re:so traffic tickets is a committing a crime and by spire3661 · · Score: 1

    The NRA is a grass-roots organization, who draws its power DIRECTLY from the citizens that are its constituents. MILLIONS of citizens support the NRA directly.

    --
    Good-bye
  25. Dilbert - Our API by Mr_Blank · · Score: 4, Funny

    Dilbert. http://dilbert.com/strip/2018-05-09

    Tags
    #hackers, #hacking, #api, #jargon, #obliviousness, #language

    View Transcript

    Transcript
    Narrator: Dogbert The Reporter. Dogbert: How did hackers get access to your customer data? CEO: I'm told they used something called "our A.P.I." to suck out all the data. Dogbert: I'll just say you're stupid. CEO: Why does everyone always say that?

  26. Re:so traffic tickets is a committing a crime and by 110010001000 · · Score: 1

    What rights violations has the NRA ever stopped or prevented? None. Do you think the government is afraid of your guns??

  27. Activist?? by Anonymous Coward · · Score: 0

    So Activists are the bad guys now, and hackers and running hackathons in big corps...way to flip the meaning of words.

  28. george green by Anonymous Coward · · Score: 0

    You are the dumbest cop on the force George, the dumbest...

  29. Sufficiently bad security = no security by sjbe · · Score: 1

    Contrary to OP's post, was not "mistakenly posted to a publicly available system (in the sense OP intends it)," it was instead, insofar as this is relevant, posted to a server with atrociously ineffective "security."

    That is a distinction without a difference. To riff on Arthur C Clarke's famous maxim, sufficiently bad security is indistinguishable from no security. The "security" in this case was so bad as to be effectively non-existent. I don't know exactly where you draw the line as a general proposition but it's pretty clear in this case that any claim that this was "secured" data is utterly absurd.

    1. Re:Sufficiently bad security = no security by Capsaicin · · Score: 1

      As sufficiently bad sex is indistinguishable from no sex?

      That is a distinction without a difference.

      You can see no difference between mistakenly posting to a deliberately non-secured service and purposely posting to a service with ineffective security? You also missed the "insofar as this is relevant" ...

      it's pretty clear in this case that any claim that this was "secured" data is utterly absurd

      Who claimed that the data in this case was "secured," and why (with reference to the law I posted above) would that be material?

      --
      Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
    2. Re:Sufficiently bad security = no security by Anonymous Coward · · Score: 0

      Plus this isn't security. Sure, if he had accessed the links through some other system which had authorization and authentication, it might be considered bypassing security. But, if he knew the direct links, visited them and received "HTTP/1.1 OK..." with content and without any authentication, how did he bypass security? That's not minimal security. That's no security. There was a different route that had (insufficient) security, but this kid didn't take that route, and, therefore, did not encounter any form of authentication or authorization controls.
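
Added example, not part of any comment above and not the portal's actual code: the comments above describe documents addressed by a sequential identifier and served with no authentication or authorization check. The Python sketch below contrasts that handler with one that uses an unguessable reference and decides release state and ownership on every request; all class, function and field names and the sample documents are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Document:
    seq_id: int                # internal sequential number, as described in the thread
    body: str
    released: bool             # True only after redaction review approved public release
    requester: Optional[str]   # account that filed a personal request, if any
    # Unguessable public reference (hypothetical field); about 128 bits of randomness.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class Portal:
    def __init__(self, docs):
        self.by_seq = {d.seq_id: d for d in docs}
        self.by_token = {d.token: d for d in docs}

    def fetch_by_number(self, seq_id):
        """Weak handler: the number in the URL is the only gate."""
        doc = self.by_seq.get(seq_id)
        return (200, doc.body) if doc else (404, None)

    def fetch_checked(self, token, user=None):
        """Hardened handler: the server decides on every request.

        The random token only makes references hard to guess; the access
        decision itself is the release flag and the ownership check.
        """
        doc = self.by_token.get(token)
        if doc is None:
            return (404, None)
        if doc.released:
            return (200, doc.body)            # approved for the public
        if user is not None and user == doc.requester:
            return (200, doc.body)            # the person the file is about
        # Same answer as for an unknown token, so existence is not disclosed.
        return (404, None)


def audit_anonymous_exposure(portal):
    """Operator self-check: which unreleased documents does each handler
    serve to a client that presents no credentials?"""
    unreleased = [d for d in portal.by_seq.values() if not d.released]
    weak = sorted(d.seq_id for d in unreleased
                  if portal.fetch_by_number(d.seq_id)[0] == 200)
    hardened = sorted(d.seq_id for d in unreleased
                      if portal.fetch_checked(d.token)[0] == 200)
    return weak, hardened


# Constructed sample data: two released reports, two unredacted personal files.
SAMPLE_DOCS = [
    Document(1001, "released report A", True, None),
    Document(1002, "unredacted personal file (alice)", False, "alice"),
    Document(1003, "released report B", True, None),
    Document(1004, "unredacted personal file (bob)", False, "bob"),
]
PORTAL = Portal(SAMPLE_DOCS)

if __name__ == "__main__":
    weak, hardened = audit_anonymous_exposure(PORTAL)
    print("unreleased docs served anonymously, weak handler:", weak)
    print("unreleased docs served anonymously, hardened handler:", hardened)
```
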

  30. NRA = Gun industry lobby organization by sjbe · · Score: 3, Informative

    Whether you choose to accept it or not, the NRA represents a significant block of grassroots voters.

    The NRA represents gun industry interests under the guise of pretending to be a grassroots interest organization. This didn't used to be true but it is unquestionably true today. While it is true that there is a large block of voters who are members and who care strongly about 2nd amendment rights, the NRA only indirectly represents their voice on the issue at this point. The organization has been co-opted by corporations to advocate primarily for them. Whether you think this is a good or bad thing I leave up to you but don't be misled into misunderstanding where the money in the NRA comes from or what strings are attached.

    It is entirely funded by its members and represents a large voting block.

    The NRA is decidedly NOT "entirely funded by its members". Significantly less than half of the NRA's money comes from program fees and membership dues. This is not conjecture - it is a known fact. Most of the NRA revenue comes from corporations with financial interests in selling firearms and related products. The NRA is de-facto the lobbying organization for the gun industry. It hasn't been a grassroots organization for several decades though it pretends to be one as there is political value in maintaining that fig leaf of a lie. Sort of like the NCAA pretending to care about "amateurism" and "student athletes" while they rake in literally billions in revenue for the colleges.

  31. Intent is not always necessary by Anonymous Coward · · Score: 0

    Intent is an important part of many laws. For example, it is entirely legal to carry lock-picking tools,

    this assertion is dead wrong. all the state needs is evidence from which they can reasonably infer intent. I cite a US definition below, but I'm certain similar definitions are in place in every jurisdiction. decades ago In my southern Az town, if the cops caught you with a screwdriver and a can of freon, that was presumptive evidence you intended to break somebody's Kryptonite U-lock and steal her bicycle, and was enough to get you charged with theft along side whatever other crime they had already detained you for (in this client's case, failure to yield right of way to a pedestrian).

  32. Re:so traffic tickets is a committing a crime and by Anonymous Coward · · Score: 0

    The NRA is a shill organization for the firearms industry, and its power is in creating a raucous outcry of fear and terror to drive gun sales. Millions of citizens are cozened into supporting the NRA, to the point where they allow a known criminal who acted unlawfully to harm American citizens to be selected as the leader of it.

    It's like the grass on a golf course, fed a diet of shit, and crushed by rich guys playing around.

  33. It's not security if you can't tell its secured by sjbe · · Score: 1

    As sufficiently bad sex is indistinguishable from no sex?

    You'll have to speak from your own experience... ;-) (joking)

    You can see no difference between mistakenly posting to a deliberately non-secured service and purposely posting to a service with ineffective security? You also missed the "insofar as this is relevant" ...

    There is no difference because someone can access it without any indication that it is "secured". One could bypass the security without even realizing it was intended to be secure or that any laws were being violated.

    You also missed the "insofar as this is relevant" ...

    I didn't miss it and I actually thought your post was rather good. I just disagree that there is any basis (legal or technical) to say this data was "secured". They may as well have posted the data on a billboard and then tried to arrest anyone who read it.

    1. Re:It's not security if you can't tell its secured by Capsaicin · · Score: 1

      You'll have to speak from your own experience...

      .. some years ago I was in Germany and was introduced to a German drinking superstition. If, when toasting, you look at your glass rather than looking the person with whom you're toasting in the eye, it means you will have "5 years of bad sex." To which I replied, "5 years of bad sex is better than 5 years of no sex at all."

      There is no difference ...

      The original statement that the data "mistakenly posted to a publicly available system" is a clear misrepresentation of the facts. It was deliberately posted, the "mistake," if any, was that that publicly available system was adequately secured (insofar as security is a relevant consideration here). I feel confident you do not lack the ability to distinguish between the two situations (but if you do, some career advice ... forget law!).

      I just disagree that there is any basis (legal or technical) to say this data was "secured".

      Again, I'm not sure anyone said it was secured, it was certainly not adequately secured. As I wrote in another post, a deliberate attempt to circumvent a security feature may go to the issue of "fraudulently" obtaining. Apart from that it is difficult to see what relevance the concept of "security" has to this offence. Thus the moment you claim the system was completely unsecured, the notion of "security" must vanish from our analysis. Security is no real issue in this case.

      They may as well have posted the data on a billboard and then tried to arrest anyone who read it.

      No, anyone can read everything posted on a billboard, indeed it would take effort to avert one's eyes and read only the notice(s) specifically addressed to you. Not anyone poked beyond the specific URL they were given to look at other people's information, it was the accused took the effort to do so. Maybe you like to fashion an analogy out of a stack of manilla folders? I'd prefer simply to work with the facts of the case: it's like he was given a url, realised that by making trivial changes to it he could view other people's information and did so ... a lot like ;)

      --
      Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
  34. Re:so traffic tickets is a committing a crime and by Anonymous Coward · · Score: 0

    Funding - half of a large number is still a large number (assuming the above statement could be correct).
    Gun Manufacturers can not constitute a significant portion of NRA voting membership, regardless of how much funding they provide.

    but it is actually less than half from the individual members. And as a voting block, the NRA is nothing compared to the AARP! That said, the NRA can create a message that it provides to its membership but originates in a manufacturer or foreign donor, and drive its voting block towards specific politicians.

    As a result of their actions in the past, Pres George H. W. Bush canceled his lifetime membership in rebuke of the NRA stances. https://www.snopes.com/fact-check/bush-nra-resignation/
    https://www.google.com/search?q=george+bush+cancels+nra+membership&rlz=1C1GGRV_enUS751US752&oq=George+Buch+cnacels+&aqs=chrome.1.69i57j0l4.9904j0j8&sourceid=chrome&ie=UTF-8

    Reality is, their membership is not as big as they would like people to believe.

  35. Rule of law by HeckRuler · · Score: 1

    So first off, yeah, overall this is a good thing. I don't think the kid deserved to be charged at all and it was a case of grossly mishandling private information, what little there was. The FOIA content itself really ought to be public anyway.

    But this is a real kick in the pants for the rule of law. It's "high profile", so the cops won't touch it? It means you really need to go to the press and get people angry about issues and get them to mail officials. Bitching and moaning and mob rule is the new rule. Old rule? Have we regressed to criminality being determined by popularity? On the other hand, a lot of tech laws are shit. So in that sense, the undermining of the rule of law is a good thing.

    Just another shade in the eternal endless grey that is tech-legal.

  36. Fraudulent intent, intent to deceive (Thé by raymorris · · Score: 1

    The "fraudulently" could also be affected by intent.
    Fraud is taking by deceptive, dishonest means. Therefore intent to deceive, intent to be dishonest, comes into play.

    The Théroux case touches upon intent to deceive and fraud.

  37. Re:so traffic tickets is a committing a crime and by Anonymous Coward · · Score: 0

    I think the government is terrified of my guns.
    The hysteria of left wing hypocrites with their licensed, private, armed security forces trying to prevent the rest of us from being able to defend ourselves shows just how much they are afraid.
    Remember when seconds count the police are only minutes away.

  38. Re:so traffic tickets is a committing a crime and by Loki_1929 · · Score: 1

    I think the 2014 Bundy Standoff showed that the government is very much afraid of its armed citizens. The government has nothing to fear from one armed individual. It's the other ~50 million that hold the government to account and help ensure we maintain a restrained, Constitutional republic. All the people scared of President Trump should be thankful all those armed people (including police officers and members of the US military) will never allow him to become a king, no matter how much he might like that. He's the President and has only the powers provided to the President by the US Constitution until someone else is lawfully elected to the office, he's lawfully removed from office, or he hits the term limits as set by the 22nd Amendment. He would not be allowed to become president for life. It's been that way since the formation of the United States. See also: Federalist 46:

    Let a regular army, fully equal to the resources of the country, be formed; and let it be entirely at the devotion of the federal government; still it would not be going too far to say, that the State governments, with the people on their side, would be able to repel the danger. The highest number to which, according to the best computation, a standing army can be carried in any country, does not exceed one hundredth part of the whole number of souls; or one twenty-fifth part of the number able to bear arms. This proportion would not yield, in the United States, an army of more than twenty-five or thirty thousand men. To these would be opposed a militia amounting to near half a million of citizens with arms in their hands, officered by men chosen from among themselves, fighting for their common liberties, and united and conducted by governments possessing their affections and confidence. It may well be doubted, whether a militia thus circumstanced could ever be conquered by such a proportion of regular troops.

    You're welcome.

    --
    -- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
  39. Re:Fraudulent intent, intent to deceive (Thé by Capsaicin · · Score: 1

    Fraud is taking by deceptive, dishonest means. Therefore intent to deceive, intent to be dishonest, comes into play.

    OK, point taken, it may have been fraudulent intent that the prosecution meant when they announced the case was being dropped for lack of intent. My concern about making out fraud was more basic, where is the deception intended or otherwise, but I don't know, what constitutes fraud in Canada may differ from what constitutes fraud in my jurisdiction.

    --
    Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
  40. Not secure data = no basis for charges by sjbe · · Score: 1

    Again, I'm not sure anyone said it was secured, it was certainly not adequately secured.

    If it wasn't secured data then there is no basis for arresting the individual accessing the data. If it was secured data it was so badly secured as to not be secured and we are back to there being no basis for law enforcement to get involved. If this data was supposed to remain private the people who posted it to the internet without any meaningful security are the ones who should be speaking to a judge and retaining counsel.

    As I wrote in another post, a deliberate attempt to circumvent a security feature may go to the issue of "fraudulently" obtaining. Apart from that it is difficult to see what relevance the concept of "security" has to this offence.

    And my point is that once the "security" reaches a certain level of incompetence (like it did here) it ceases to be security and there is no basis for accusing the accessing party of any fraudulent attempt at access. Just because there wasn't a direct link to it doesn't mean it wasn't publicly accessible information. The failure of the party posting the data to realize this fact is not and should not be anyone else's problem.

    Not anyone poked beyond the specific URL they were given to look at other people's information; it was the accused who took the effort to do so.

    "Effort" is a bit of a stretch description. A minor tweak to the URL is hardly something that qualifies as effort. I've done that exact thing myself now and then and I'm hardly a genius hacker.

    No, anyone can read everything posted on a billboard, indeed it would take effort to avert one's eyes and read only the notice(s) specifically addressed to you.

    It's an analogy meant to illustrate the intent of a point, not the point itself. If something can be accessed by URL it will be. Just because many people cannot be bothered is irrelevant.

    I'd prefer simply to work with the facts of the case: it's like he was given a url, realised that by making trivial changes to it he could view other people's information and did so ... a lot like ;)

    And there is nothing wrong with that. There has to be some measure of standard of care on the part of the people charged with keeping private data private. If I put private documents in a place where someone can access them with minimal effort I should not be surprised when someone goes ahead and does that.

    1. Re:Not secure data = no basis for charges by Capsaicin · · Score: 1

      Fundamentally: circumvention of security is not an element of this offence as it has been drafted. (And for the record, I find this to be a peculiarly drafted law.) Perhaps you can point me to relevant curial authority which reads in that requirement? If not ...

      If it wasn't secured data then there is no basis for arresting the individual accessing the data.

      Why not? He wasn't charged with accessing "secured data," he was charged with "obtaining" a "computer service" and doing so "fraudulently and without colour of right."

      Reading the provision above, in ignorance of case law, it appears you need to show a) that the accused gained access to some service such as for example allowing him to retrieve data (such arguably as we are doing reading slashdot) AND b) he did so without any right to do so (which, I guess, might be an implied right but which the practice of that department in issuing specific urls to specific clients strongly argues against in the present case) AND c) you have to demonstrate fraudulent behaviour (which is a very long stretch I should think). Iff all three evaluate to T, the actus reus is established. Breach of security is not an element that needs to be evaluated.

      And to be clear as to what constitutes 'fraud' at common law, this from Osbornes:

      fraud
      The obtaining of material advantage, by unfair or wrongful means; it involves the making of a false representation knowingly, or without belief in its truth, or recklessly.

      I do not know if 'fraudulently' for the purposes of this provision has a different meaning at Canadian law (but I should be surprised if it is too different).

      And my point is that once the "security" reaches a certain level of incompetence ... it ceases to be security

      Which is succinctly and rigorously captured by the phrase "inadequate security." I clearly understood your point, I simply question its relevance. If, as you say, there was no security, then why mention it?

      On a different fact set, say especially where some social engineering was employed to by-pass a security measure, then the means by which security was breached might be relevant to help establish one of the elements (i.e. fraud). But that is not this case. So let's not mention "security" again.

      "Effort" is a bit of a stretch description. A minor tweak to the URL is hardly something that qualifies as effort. I've done that exact thing myself now and then and I'm hardly a genius hacker.

      He wrote a script, it's effort, (as is manually tweaking). And of course I too go make minor tweaks to urls all the time --even as part of my paid employ (since I don't practise, but develop), so it MUST be effort. ;) And isn't it precisely this, the suggestion that our innocent tweaking might have been criminalised by some jurisdiction somewhere, what is drawing so much of the ire here?

      And BTW, even if we were dealing with a circumvention offence, you would not need to be a "genius hacker" to be convicted, again a very trivial method of circumvention might suffice.

      It's an analogy meant to illustrate the intent of a point

      I'm sorry, I found the analogy poor and the point not to require illustration. I don't want to be unfriendly, but look ... we both clearly have sufficient technical understanding to get the facts in and of themselves; any analogy really could serve only to disguise rather than illuminate them. Though they may be of pedagogic value (sometimes analogies really do provide valuable illumination), there are good reasons not to argue by analogy.

      There has to be some measure of standard of care on the part of the people charged with keeping private data private.

      One should certainly hope so! That however, is a separate issue and is to be resolved by (a) separate legal action(s), as between different parties.

      --
      Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke