Slashdot Mirror


Police Drop Charges Filed Against 19-Year-Old Archivist For Downloading FOIA Releases (techdirt.com)

An anonymous reader quotes a report from Techdirt: Last month, [...] an unnamed 19-year-old was facing criminal charges for downloading publicly-available documents from a government Freedom of Information portal. The teen had written a script to fetch all available documents from the Nova Scotia government's FOI site -- a script that did nothing more than increment digits at the end of the URL to find everything that had been uploaded by the government. The government screwed up. It uploaded documents to the publicly-accessible server that hadn't been redacted yet. It was a very small percentage of the total haul -- 250 of the 7,000 docs obtained -- but the government made a very big deal out of it after discovering they had been accessed.

Fortunately, Nova Scotia law enforcement has decided there's nothing to pursue in this case: "In an email to CBC News, Halifax police Supt. Jim Perrin did not mention what kind of information police were given from the province, but he said it was a 'high-profile case that potentially impacted many Nova Scotians.' 'As the investigation evolved, we have determined that the 19-year-old who was arrested on April 11 did not have intent to commit a criminal offense by accessing the information,' Perrin said in the email."

6 of 154 comments

  1. Intent? by Loki_1929 · · Score: 5, Insightful

    Who the hell cares about his intent? He downloaded information mistakenly posted to a publicly available system. Unless he's trying to sell state secrets to the Russians, which still doesn't criminalize the act of downloading the stuff, there's absolutely nothing he's done wrong. To say otherwise is to say you can criminalize viewing information that the government posts on billboards by the highway if the government mistakenly puts up the wrong information on the billboards.

    Maybe in China.

    --
    -- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
    1. Re:Intent? by slickwillie · · Score: 4, Insightful

      I think the point is - intent is meaningless if you don't actually break the law. In the post above yours, what if you do have criminal intent when you read the public road signs?

    2. Re:Intent? by Capsaicin · · Score: 5, Insightful

      I think the point is - intent is meaningless if you don't actually break the law.

      Contrary to OP's post, it was not "mistakenly posted to a publicly available system (in the sense OP intends it)," it was instead, insofar as this is relevant, posted to a server with atrociously ineffective "security." Links would be given to individuals to access information to which they alone had been granted the legal right to access. No such right had been bestowed on the accused who circumvented the "security," (as trivial as this was to do), and in doing so breached the privacy of victims who, notwithstanding the negligence of the public authority, had through no act of their own been so exposed.

      The provision under which he was charged was s342.1 of the Criminal Code (R.S.C., 1985, c. C-46) which begins:

      Unauthorized use of computer

      342.1 (1) Everyone is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years, or is guilty of an offence punishable on summary conviction who, fraudulently and without colour of right,
      (a) obtains, directly or indirectly, any computer service;
      (b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system;
      (c) ...
      ... computer service includes data processing and the storage or retrieval of computer data; (service d’ordinateur)
      ...

      For the purposes of the provision "computer service includes data processing and the storage or retrieval of computer data; (service d’ordinateur),"

      The question is not whether he accessed the information indirectly (hacked|cracked), or directly, the question is whether in breaching the privacy of individuals he acted "without colour of right" and "fraudulently." It is the requirement to demonstrate that his behaviour crossed the threshold of fraud, I would imagine, that poses the largest hurdle to a conviction in this case, but then I am not a Canadian lawyer.

      Nonetheless, there is at least a prima facie case that he did break the law, and thus intent, contra OP, becomes a material consideration.

      what if you do have criminal intent when you read the public road signs?

      Much of traffic law is governed, the common law world over, and for obvious reasons, by what we call strict liability offences, which is to say offences for which the state is relieved of its ordinary burden to establish intent in criminal cases. These are the exception to the rule that a crime, (in contradistinction to a tort etc.) consists of the combination of the actus reus and the mens rea. Strict liability is a necessary evil (from the PoV of the democratic rights-based state) and ought to be both a rare exception as also restricted to crimes where it is both a) impracticable to establish intent (eg. particular traffic offences) and where the punishments available to the state are relatively minor (eg. fines as opposed to custodial sentences).

      In any case, there is nothing in s342.1 (1) which explicitly obviates the need to demonstrate intent. So this is not relevant here.

      Now I would have thought the requisite intent was simply to "obtain a computer service" (i.e. access the data), which his script amply evidences. And remember intent does not require knowledge that an act is criminal. But perhaps there is clear authority to that point and the police are acting on that precedent. Otherwise it should not, in a case where intent (but for some point of law) seems clear, be for the police, but rather for the courts to determine both whether the requisite act and intent are present.

      --
      Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
    3. Re:Intent? by james_gnz · · Score: 5, Insightful

      Contrary to OP's post, it was not "mistakenly posted to a publicly available system (in the sense OP intends it)," it was instead, insofar as this is relevant, posted to a server with atrociously ineffective "security."

      I don't know how "security" is actually defined under the relevant law, however I think for something to qualify as security, it ought to require some effort or intent to bypass. Security ought to serve a "notice function". If you can accidentally bypass it without even realising you've done so, I don't think it ought to qualify.

  2. Mistakes by Anonymous Coward · · Score: 3, Insightful

    People that can use computers get punished for the mistakes made by people that can't use computers...

    Reality is just like working in IT.

  3. The real crime by Anonymous Coward · · Score: 2, Insightful

    Why is no one interested in why the non-redacted data was there publicly available in the first place? It seems a far more relevant topic to me than whether or not someone accessing it is in the right or wrong. If anyone should be sanctioned, it should be those people or the agency which publicized the private data to begin with.