Slashdot Mirror


Police Drop Charges Filed Against 19-Year-Old Archivist For Downloading FOIA Releases (techdirt.com)

An anonymous reader quotes a report from Techdirt: Last month, [...] an unnamed 19-year-old was facing criminal charges for downloading publicly-available documents from a government Freedom of Information portal. The teen had written a script to fetch all available documents from Nova Scotia's government FOI site -- a script that did nothing more than increment digits at the end of the URL to find everything that had been uploaded by the government. The government screwed up. It uploaded documents to the publicly-accessible server that hadn't been redacted yet. It was a very small percentage of the total haul -- 250 of the 7,000 docs obtained -- but the government made a very big deal out of it after discovering they had been accessed.

Fortunately, Nova Scotia law enforcement has decided there's nothing to pursue in this case: "In an email to CBC News, Halifax police Supt. Jim Perrin did not mention what kind of information police were given from the province, but he said it was a 'high-profile case that potentially impacted many Nova Scotians.' 'As the investigation evolved, we have determined that the 19-year-old who was arrested on April 11 did not have intent to commit a criminal offense by accessing the information,' Perrin said in the email."

21 of 154 comments

  1. ... but when does he get his hardware back ??? by eric31415927 · · Score: 3, Interesting

    His hard drives contain sensitive info that may preclude him from ever getting them back.
    Hopefully his other family members get their computers back.

  2. Intent? by Loki_1929 · · Score: 5, Insightful

    Who the hell cares about his intent? He downloaded information mistakenly posted to a publicly available system. Unless he's trying to sell state secrets to the Russians, which still doesn't criminalize the act of downloading the stuff, there's absolutely nothing he's done wrong. To say otherwise is to say you can criminalize viewing information that the government posts on billboards by the highway if the government mistakenly puts up the wrong information on the billboards.

    Maybe in China.

    --
    -- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
    1. Re:Intent? by phantomfive · · Score: 5, Interesting

      Intent is an important part of many laws. For example, it is entirely legal to carry lock-picking tools, but if you carry them with the intent of committing a crime (or even merely have them while committing a crime), that is illegal. I don't know the specifics of Canadian law, but presumably intent is an important aspect of the particular hacking law he was accused of breaking.

      In America, if you use someone else's computer in any way with the intent to hack, even just typing a simple sql exploit into your browser URL bar, then you've committed a crime.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Intent? by slickwillie · · Score: 4, Insightful

      I think the point is - intent is meaningless if you don't actually break the law. In the post above yours, what if you do have criminal intent when you read the public road signs?

    3. Re:Intent? by Anonymous Coward · · Score: 3, Funny

      Law & Order: Traffic Police.

      Officer: Sarge, I just stopped a guy for speeding, and he admitted that he intended to speed even after he read the 40 mph sign at our bottleneck/speed trap on I-5.

      Desk Sergeant: Cut his license and drive him to the Precinct. I'll book him on charges of reading a road sign with malice aforethought. Make sure you read him his rights, and then ask him if he was having criminal thoughts when you read him his rights. Maybe we can get a daily double out of this one!

    4. Re:Intent? by phantomfive · · Score: 2

      Some laws have intent written into them specifically. If there is a law that says, "If you intend to commit a crime when reading a public road sign, that is against the law," then doing so is a crime, but there is no such law.

      In America, the Computer Fraud and Abuse Act includes such language: "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access"

      --
      "First they came for the slanderers and i said nothing."
    5. Re:Intent? by Capsaicin · · Score: 5, Insightful

      I think the point is - intent is meaningless if you don't actually break the law.

      Contrary to OP's post, it was not "mistakenly posted to a publicly available system (in the sense OP intends it)," it was instead, insofar as this is relevant, posted to a server with atrociously ineffective "security." Links would be given to individuals to access information to which they alone had been granted the legal right to access. No such right had been bestowed on the accused who circumvented the "security," (as trivial as this was to do), and in doing so breached the privacy of victims who, notwithstanding the negligence of the public authority, had through no act of their own been so exposed.

      The provision under which he was charged was s342.1 of the Criminal Code (R.S.C., 1985, c. C-46) which begins:

      Unauthorized use of computer

      342.1 (1) Everyone is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years, or is guilty of an offence punishable on summary conviction who, fraudulently and without colour of right,
      (a) obtains, directly or indirectly, any computer service;
      (b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system;
      (c) ...
      ... computer service includes data processing and the storage or retrieval of computer data; (service d’ordinateur)
      ...

      For the purposes of the provision "computer service includes data processing and the storage or retrieval of computer data; (service d’ordinateur),"

      The question is not whether he accessed the information indirectly (hacked|cracked), or directly, the question is whether in breaching the privacy of individuals he acted "without colour of right" and "fraudulently." It is the requirement to demonstrate that his behaviour crossed the threshold of fraud, I would imagine, that poses the largest hurdle to a conviction in this case, but then I am not a Canadian lawyer.

      Nonetheless, there is at least a prima facie case that he did break the law, and thus intent, contra OP, becomes a material consideration.

      what if you do have criminal intent when you read the public road signs?

      Much of traffic law is governed, the common law world over, and for obvious reasons, by what we call strict liability offences, which is to say offences for which the state is relieved of its ordinary burden to establish intent in criminal cases. These are the exception to the rule that a crime, (in contradistinction to a tort etc.) consists of the combination of the actus reus and the mens rea. Strict liability is a necessary evil (from the PoV of the democratic rights-based state) and ought to be both a rare exception as also restricted to crimes where it is both a) impracticable to establish intent (eg. particular traffic offences) and where the punishments available to the state are relatively minor (eg. fines as opposed to custodial sentences).

      In any case, there is nothing in s342.1 (1) which explicitly obviates the need to demonstrate intent. So this is not relevant here.

      Now I would have thought the requisite intent was simply to "obtain a computer service" (i.e. access the data), which his script amply evidences. And remember intent does not require knowledge that an act is criminal. But perhaps there is clear authority to that point and the police are acting on that precedent. Otherwise it should not, in a case where intent (but for some point of law) seems clear, be for the police, but rather for the courts to determine both whether the requisite act and intent are present.

      --
      Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
    6. Re:Intent? by james_gnz · · Score: 5, Insightful

      Contrary to OP's post, it was not "mistakenly posted to a publicly available system (in the sense OP intends it)," it was instead, insofar as this is relevant, posted to a server with atrociously ineffective "security."

      I don't know how "security" is actually defined under the relevant law, however I think for something to qualify as security, it ought to require some effort or intent to bypass. Security ought to serve a "notice function". If you can accidentally bypass it without even realising you've done so, I don't think it ought to qualify.

    7. Re:Intent? by JaredOfEuropa · · Score: 2

      If you can accidentally bypass it without even realising you've done so, I don't think it ought to qualify.

      Exactly. That’s why IIRC our (Dutch) laws explicitly state this in their definition of “secured”. It’s the same as trespassing on private property that looks like it might be public, has no gate, and no “private property” sign. Not punishable.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    8. Re:Intent? by houghi · · Score: 3, Interesting

      "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access"

      But he did not do any of that. He did not defraud anybody. He did not access a protected computer (with or without authorization). He did not exceed the authorized access as no authorization was given.

      It is as if you walk on the grass in a public park where it is allowed and then be arrested because you walked on all of the grass over time, walking back and forth.

      So even if he did it to sell it to the Russians and had any intent to sell it, that does not make it illegal.

      I have done a similar thing in the past where a friend asked me to rip a website so he would have info on companies, so he could sell his product to those companies by knowing how much they needed.
      This was publicly available information. All I did was automate the process instead of him going through it page by page. Got a few beers out of it.

      --
      Don't fight for your country, if your country does not fight for you.
  3. If it's on a public facing server... by grep+-v+'.*'+* · · Score: 4, Interesting

    If it's on a public facing server it's "fair game", whether it's supposed to be or not.

    And "did not have intent to commit a criminal offense" -- maybe this is just in the US, but I thought that "ignorance is no excuse for breaking the law." If he broke a law, let's have him and the law he broke. If not, let him go -- and then let's update all the knowledge of the people who thought he did so this doesn't happen again. (Tech AND Legal.)

    I don't necessarily mind misteaks :-), but not for a second time. (And can you imagine -- the police arresting you just for accessing a public website?)

    Sounds like he broke the law: "I don't like what you're doing." Where is that one written down anywhere? Or is this the "Nice place you've got here, shame if something ..." law?

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    1. Re:If it's on a public facing server... by Linsaran · · Score: 2

      Intent, specifically Mens rea is an important part of the legal system.

      Although what he ultimately did was illegal (obtained unredacted state secrets), he was not originally trying to obtain state secrets, nor could he have reasonably thought that what he was doing would lead to him obtaining state secrets. He had no reason to believe that the information he was able to access via that website, whether he did it via hyperlink or via a script as described in the original article, would be anything other than the publicly available information released via the FOIA. Thus even if he ultimately performed an actus reus he did it without mens rea. I don't know what led you to believe he broke the law, but everything about this case implies to me that this guy didn't do anything I (and fortunately the courts agree) think is wrong.

      --
      In a bit of shameless internet panhandling, I accept Litecoin Donations at Lbd2oH9QsthD1GfuUXPyka12YxvWJYnBVf
    2. Re:If it's on a public facing server... by Aereus · · Score: 2

      Not just that it was public facing: If it was the FOI website, wasn't that the entire point of the server? To provide these documents to citizens? The only minor issue I could see was if he didn't set a reasonable refresh time on scraping documents and was hammering the server, thereby causing troubles for other users.

    3. Re:If it's on a public facing server... by currently_awake · · Score: 2

      Obtaining state secrets is only illegal if you had official access to them, or broke in and stole them.

  4. Mistakes by Anonymous Coward · · Score: 3, Insightful

    People that can use computers get punished for the mistakes made by people that can't use computers...

    Reality is just like working in IT.

  5. Intent, Discretion, and Mens Rea by SeattleLawGuy · · Score: 2

    Intent is an important part of many laws.

    This. Not only intent, but also discretion. As a practical matter, we've known for centuries that democracies overcriminalize because it is in the interests of legislators to never be blamed for letting a bad person out of jail. Thus the justice system depends on the discretion of police officers not to punish every innocent mistake and the discretion of prosecutors not to prosecute when it's too counterproductive or unfair. This doesn't always work, of course, but it's a huge part of criminal justice.

    Intent is also critical. Most crimes have a "mens rea" and an "actus reus," basically the criminal intent and the criminal act. So if I take your laptop knowing it's yours, that's theft, but if I mistake your laptop for mine, my mistake of fact (i.e. I thought it was my laptop) negates the criminal intent part of the crime, so I haven't committed theft. (YMMV in practice, since a police officer or a prosecutor or a jury has to believe me.)

    Of course, intent in law frequently means intent to do the thing, rather than intent to do the thing with an evil motive. So talking about classified documents may be a crime even if the government accidentally mails them to you or they are published in the Times, but no reasonable prosecutor is likely to go after you for that unless something else pretty bad is going on. That's where discretion comes in.

    (And yes, obviously there are first amendment limitations that could come up, which would be balanced by a court against national security interests.)

    --
    Real lawyers write in C++
  6. Ignorance of *the law* is no excuse by SeattleLawGuy · · Score: 2

    maybe this is just in the US, but I thought that "ignorance is no excuse for breaking the law."

    It depends on precisely what you are ignorant of. "ignorance of the law is no excuse" is usually how it's phrased, IIRC, which strikes closer to the truth because it's about being ignorant of *the law*, not ignorant of *the facts*.

    Generally in criminal law (at least in the US), a mistake of law ("I did not think it was illegal to do X") will not excuse a crime, but a mistake of fact ("I did not think I was doing X") can sometimes negate a required element of the crime. So if you take a pen knowing it belongs to someone else you are committing a crime (albeit a small one), but if you take a pen because you confused it with your pen you are generally innocent (unless nobody believes you because you have a habit of stealing pens). It depends on what the specific elements of the crime are, which vary a bit from state to state.

    --
    Real lawyers write in C++
  7. Re:so traffic tickets is a committing a crime and by spire3661 · · Score: 2

    Whether you choose to accept it or not, the NRA represents a significant block of grassroots voters. It is entirely funded by its members and represents a large voting block.

    --
    Good-bye
  8. The real crime by Anonymous Coward · · Score: 2, Insightful

    Why is no one interested in why the non-redacted data was there publicly available in the first place? It seems a far more relevant topic to me than whether or not someone accessing it is in the right or wrong. If anyone should be sanctioned, it should be those people or the agency which publicized the private data to begin with.

  9. Dilbert - Our API by Mr_Blank · · Score: 4, Funny

    Dilbert. http://dilbert.com/strip/2018-05-09

    Tags
    #hackers, #hacking, #api, #jargon, #obliviousness, #language

    Transcript
    Narrator: Dogbert The Reporter. Dogbert: How did hackers get access to your customer data? CEO: I'm told they used something called "our A.P.I." to suck out all the data. Dogbert: I'll just say you're stupid. CEO: Why does everyone always say that?

  10. NRA = Gun industry lobby organization by sjbe · · Score: 3, Informative

    Whether you choose to accept it or not, the NRA represents a significant block of grassroots voters.

    The NRA represents gun industry interests under the guise of pretending to be a grassroots interest organization. This didn't use to be true but it is unquestionably true today. While it is true that there is a large block of voters who are members and who care strongly about 2nd amendment rights, the NRA only indirectly represents their voice on the issue at this point. The organization has been co-opted by corporations to advocate primarily for them. Whether you think this is a good or bad thing I leave up to you but don't be misled into misunderstanding where the money in the NRA comes from or what strings are attached.

    It is entirely funded by its members and represents a large voting block.

    The NRA is decidedly NOT "entirely funded by its members". Significantly less than half of the NRA's money comes from program fees and membership dues. This is not conjecture - it is a known fact. Most of the NRA revenue comes from corporations with financial interests in selling firearms and related products. The NRA is de-facto the lobbying organization for the gun industry. It hasn't been a grassroots organization for several decades though it pretends to be one as there is political value in maintaining that fig leaf of a lie. Sort of like the NCAA pretending to care about "amateurism" and "student athletes" while they rake in literally billions in revenue for the colleges.