Police Drop Charges Filed Against 19-Year-Old Archivist For Downloading FOIA Releases

An anonymous reader quotes a report form Techdirt: Last month, [...] an unnamed 19-year-old was facing criminal charges for downloading publicly-available documents from a government Freedom of Information portal. The teen had written a script to fetch all available documents from the Nova Scotia's government FOI site -- a script that did nothing more than increment digits at the end of the URL to find everything that had been uploaded by the government. The government screwed up. It uploaded documents to the publicly-accessible server that hadn't been redacted yet. It was a very small percentage of the total haul -- 250 of the 7,000 docs obtained -- but the government made a very big deal out of it after discovering they had been accessed.

Fortunately, Nova Scotia law enforcement has decided there's nothing to pursue in this case: "In an email to CBC News, Halifax police Supt. Jim Perrin did not mention what kind of information police were given from the province, but he said it was a 'high-profile case that potentially impacted many Nova Scotians.' 'As the investigation evolved, we have determined that the 19-year-old who was arrested on April 11 did not have intent to commit a criminal offense by accessing the information,' Perrin said in the email."

... but when does he get his hardware back ???

[eric31415927]

His hard drives contain sensitive info that may preclude him from ever getting them back.
Hopefully his other family members get their computers back.

Intent?

[Loki_1929]

Who the hell cares about his intent? He downloaded information mistakenly posted to a publicly available system. Unless he's trying to sell state secrets to the Russians, which still doesn't criminalize the act of downloading the stuff, there's absolutely nothing he's done wrong. To say otherwise is to say you can criminalize viewing information that the government posts on billboards by the highway if the government mistakenly puts up the wrong information on the billboards.

Maybe in China.

Re:Intent?

[phantomfive]

Intent is an important part of many laws. For example, it is entirely legal to carry lock-picking tools, but if you carry them with the intent of committing a crime (or even merely have them while committing a crime), that is illegal. I don't know the specifics of Canadian law, but presumably intent is an important aspect of the particular hacking law he was accused of breaking.

In America, if you use someone else's computer in any way with the intent to hack, even just typing a simple sql exploit into your browser URL bar, then you've committed a crime.

Re:Intent?

[slickwillie]

I think the point is - intent is meaningless if you don't actually break the law. In the post above yours, what if you do have criminal intent when you read the public road signs?

Re:Intent?

Law & Order: Traffic Police.

Officer: Sarge, I just stopped a guy for speeding, and he admitted that he intended to speed even after he read the 40 mph sign at our bottleneck/speed trap on I-5.

Desk Sargent: Cut his license and drive him to the Precinct. I'll book him on charges of reading a road sign with malice aforethought. Make sure you read him his rights, and then ask him if he was having criminal thoughts when you read him his rights. Maybe we can get a daily double out of this one!

Re:Intent?

[Capsaicin]

I think the point is - intent is meaningless if you don't actually break the law.

Contrary to OP's post, was not "mistakenly posted to a publicly available system (in the sense OP intends it)," it was instead, insofar as this is relevant, posted to a server with atrociously ineffective "security." Links would be given to individuals to access information to which they alone had been granted the legal right to access. No such right had been bestowed on the accused who circumvented the "security," (as trivial as this was to do), and in doing so breached the privacy of victims who, notwithstanding the negligence of the public authority, had through no act of their own been so exposed.

The provision under which he was charged was s342.1 of the Criminal Code (R.S.C., 1985, c. C-46) which begins:

Unauthorized use of computer

342.1 (1) Everyone is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years, or is guilty of an offence punishable on summary conviction who, fraudulently and without colour of right,
(a) obtains, directly or indirectly, any computer service;
(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system;
(c) ...
... computer service includes data processing and the storage or retrieval of computer data; (service d’ordinateur)
...

For the purposes of the provision " computer service includes data processing and the storage or retrieval of computer data; (service d’ordinateur),"

The question is not whether he accessed the information indirectly (hacked|cracked), or directly, the question is whether in breaching the privacy of individuals he acted "without colour of right" and "fraudulently." It is the requirement to demonstrate that his behaviour crossed the threshold of fraud, I would image, that poses the largest hurdle to a conviction in this case, but then I am not a Canadian lawyer.

Nonetheless, there is at least a prima facie case that he did break the law, and thus intent is, contra OP, becomes a material consideration.

what if you do have criminal intent when you read the public road signs?

Much of traffic law is governed, the common law world over, and for obvious reasons, by what we call strict liability offences, which is to say offences for which the state is relieved of its ordinary burden to establish intent in criminal cases. These are the exception to the rule that a crime, (in contradistinction to a tort etc.) consists of the combination of the actus reus and the mens rea. Strict liability is necessary evil (from the PoV of the democratic rights-based state) and ought to be both a rare exception as also restricted to crimes where it is both a) impracticable to establish intent (eg. particular traffic offences) and where the punishment available to the state are relatively minor (eg. fines as opposed to custodial sentences).

In any case, there is nothing in s342.1 (1) which explicitly obviates the need to demonstrate intent. So this is not relevant here.

Now I would have thought the requisite intent was simply to "obtain a computer service" (i.e. access the data), which his script amply evidences. And remember intent does not require knowledge that an act is criminal. But perhaps there is clear authority to that point and the police are acting on that precedent. Otherwise it should not, in a case where intent (but for some point of law) seems clear, be for the police, but rather for the courts to determine both whether the requisite act and intent are present.

Re:Intent?

[james_gnz]

Contrary to OP's post, was not "mistakenly posted to a publicly available system (in the sense OP intends it)," it was instead, insofar as this is relevant, posted to a server with atrociously ineffective "security."

I don't know how "security" is actually defined under the relevant law, however I think for something to qualify as security, it ought to require some effort or intent to bypass. Security ought to serve a "notice function". If you can accidentally bypass it without even realising you've done so, I don't think it ought to qualify.

Re:Intent?

[houghi]

"knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access"

But he did not do any of that. He did not defraud anybody. He did not access a protected computer (with or without authorization). He did not exceed the authorized access as no authorization was given.

It is as if you walk on the grass in a public park where it is allowed and then be arrested because you walked on all of the grass over time, walking back and forth.

So even if he did it to sell it to the Russians and had any intend to sell it, that does not make it illegal.

I have done a simmilar thing in the past where a friend asked me to rip a website so he would have info on companies, so he could sell his product to those companies by knowing how much they needed.
This was public available information. All I did was automate the process instead of him going through it page by page. Got a few beers out of it.

If it's on a public facing server...

[grep+-v+'.*'+*]

If it's on a public facing server it's "fair game", whether it's supposed to be or not.

And "did not have intent to commit a criminal offense" -- maybe this is just in the US, but I thought that "ignorance is no excuse for breaking the law." If he broke a law, let's have him and the law he broke. If not, let him go -- and then let's update all the knowledge of the people who thought he did so this doesn't happen again. (Tech AND Legal.)

I don't necessarily mind misteaks :-), but not for a second time. (And can you imagine -- the police arresting you just for accessing a public website?)

Sounds like he broke the law: "I don't like what you're doing." Where is that one written down anywhere? Or is this the "Nice place you've got here, shame if something ..." law?

Mistakes

People that can use computers gets punished for the mistakes made by people that can't use computers...

Reality is just like working in IT.

Dilbert - Our API

[Mr_Blank]

Dilbert. http://dilbert.com/strip/2018-05-09

Tags
#hackers, #hacking, #api, #jargon, #obliviousness, #language

View Transcript

Transcript
Narrator: Dogbert The Reporter. Dogbert: How did hackers get access to your customer data? CEO: I'm told they used something called "our A.P.I." to suck out all the data. Dogbert: I'll just say you'er stupid. CEO: Why does everyone always say that?

NRA = Gun industry lobby organization

[sjbe]

Whether you choose to accept it or not, the NRA represents a significant block of grassroots voters.

The NRA represents gun industry interests under the guise of pretending to be a grassroots interest organization. This didn't used to be true but it is unquestionably true today. While it is true that there is a large block of voters who are members and who care strongly about 2nd amendment rights, the NRA is only indirectly represents their voice on the issue at this point. The organization has been co-opted by corporations to advocate primarily for them. Whether you think this is a good or bad thing I leave up to you but don't be mislead into misunderstanding where the money in the NRA comes from or what strings are attached.

It is entirely funded by its members and represents a large voting block.

The NRA is decidedly NOT "entirely funded by its members". Significantly less than half of the NRA's money comes from program fees and membership dues. This is not conjecture - it is a known fact. Most of the NRA revenue comes from corporations with financial interests in selling firearms and related products. The NRA is de-facto the lobbying organization for the gun industry. It hasn't been a grassroots organization for several decades though it pretends to be one as there is political value in maintaining that fig leaf of a lie. Sort of like the NCAA pretending to care about "amateurism" and "student athletes" while they rake in literally billions in revenue for the colleges.