19-Year-Old Canadian Facing Criminal Charges For Downloading Publicly-Accessible Documents

from the making-citizens-pay-for-the-government's-sins dept

A 19-year-old Canadian is being criminally-charged for accessing a website. The Nova Scotian government’s Freedom of Information portal (FOIPOP) served up documents it shouldn’t have and now prosecutors are thinking about adding charges on top of the ten-year sentence the teen could already be facing. (via Databreaches.net)

Journalists first spotted the problem April 5th, when the FOI portal was taken offline. The Internal Services Minister, Patricia Arab, refused to provide details about the portal’s sudden unavailability. It wasn’t until the following week that the press was given more information and those affected notified.

Even once the government learned of the breach, it waited until Wednesday to begin notifying affected people. Arab said they held off notifying people was because police suggested it would help them in their investigation.

Seems logical, except…

But [Halifax Police Superintendent Jim] Perrin told reporters police did not make that request. He could not say if advising people would have compromised the investigation. The province’s protocols for a privacy breach state it is supposed to inform people as soon as possible, unless otherwise instructed by law enforcement.

The suspect obtained 7,000 documents from the Freedom of Information portal. Apparently around 250 of those contained unredacted personal information. Here’s how the government portrayed the supposed hacking:

Government officials said someone got in by “exploiting a vulnerability in the system.” The person wrote a script allowing them to alter the website’s URL, which then granted access to the personal information.

Internal Services found more than 7,000 PDF documents had been downloaded by a “non-authorized user” in early March. They filed a complaint with police on Saturday.

A script made it easier, but a script wasn’t required. The URLs for FOI documents are incremental. As software engineer Evan D’Entremont points out, anyone could have done what the supposed “hacker” did.

The way the documents are stored is simple. They’re available at a specific URL, which David Fraser, a Halifax-based privacy lawyer, was happy to provide:


Document number 1235 is stored at https://foipop.novascotia.ca/foia/views/_AttachmentDownload.jsp?attachmentRSN=1235.

Guess where document 1236 is stored? This is not a new problem. In fact, it was recognized over a decade ago as one of the top ten issues affecting web application security. All [the “hacker’] had to do is add.

All this “hacker” did was automate the retrieval of published documents from the government’s FOI portal. That’s it. This wasn’t an attempt to access personal info. That problem lies with the government, which did not properly secure documents it hadn’t redacted yet. As D’Etremont points out, plenty of other government websites use the same software for document access. (Searching “inurl:attachmentRSN“will bring up a handful of government websites, including Nova Scotia’s temporarily disabled FOI portal).

But other sites have taken care to wall off publicly-available documents from others they’re not prepared to make public by using a PublicPortal subfolder. Nova Scotia’s site apparently did not, hence the teen’s ability to access unredacted documents. This isn’t evidence of fraudulent access or malicious hacking. This is evidence of government carelessness.

The question remains, was the access fraudulent?

Remember what I said about the other installations being called “PublicPortal”? And how 6750 of the 7000 records were public anyways, and how this system is literally designed for facilitating “access to information?” Looking at it further, there are no authentication mechanisms, no password protection, no access restrictions. It’s very clear that the software is intended to serve as a public repository of documents.

It’s also very clear that there at least 250 documents improperly stored there by the province. Documents that the province had a responsibility to protect, and failed.

This wasn’t a criminal act. This was simply efficient harvesting of publicly-available documents. If some documents weren’t supposed to be publicly-available, the blame lies with the government for failing to secure them. The fact that the government decided to get police involved gives this the ugly appearance of scapegoating. This is an embarrassed government body trying to turn its mistake into the malicious works of teen hacker.

It would be very surprising to see these charges stick. The URLs — and the documents they held — were publicly-accessible. But if they do stick — and the Halifax PD has stated it may add more charges — it will be due to the Nova Scotia government’s unwillingness to take responsibility for its own carelessness.

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “19-Year-Old Canadian Facing Criminal Charges For Downloading Publicly-Accessible Documents”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Wow

Maybe worse, maybe less so, but different. Canada is unabashedly socialist and definitely, publicly, does not value individual rights. The US tries to claim “defense of the people” in public oral excrement while doing exactly the opposite. I’m not sure it’s better to still pretend “the people” are important or to simply match words with deeds as Canada does. Either way I agree, both suck.

Roger Strong (profile) says:

Re: Re: Wow

The US has been far more socialist than Canada for decades. It’s just that Canada extends that socialism outside of the corporate/investor realm more often.

As it was put back in 2008 when Republicans were nationalizing the Wall Street banks and bailing out the auto industry:

The Conservatives in Canada are roughly equivalent to the more liberal Democrats in the US.

The Liberal Party is further to the left.

MUCH further to the left we have the have the unabashedly socialist NDP. They want to do things like spending huge amounts of public money to manipulate the national economy, and nationalize or take a large financial stake in banks and some large corporations. This makes them roughly equivalent to the Republican Party.

Anonymous Coward says:

Re: Re: Re: Wow

As a canadian these posts seem like scaremongering, people are aware we have democratically elected provincial ndo governments who dont do this right? Also our banking has shown to routinely be quite robust and resistant to economical depressions due to having a centralized canadian bank and more regulation around our onterest rates and inbestments.

Not perfect but id hardly call us pure socialists, just more so than the US.

Rekrul says:

Didn’t someone in the US get in trouble for doing the exact same thing a few years ago?

I’ve done this with things like pictures. Sometimes a site will have preview pictures numbered 5, 8, 14, etc. I try filling in the missing numbers and sometimes it turns out that they just linked to a few of the images in the directory. Or sometimes there’s one full-sized image and a bunch of thumbnails, but if you alter the filename to conform to the one big image, you can get full-sized versions of all of them.

Years ago, I found a site that had no protection for the members section, you just weren’t supposed to be able to see the URL unless you signed in. I forgot how I found it, but I was able to browse their entire site. Unfortunately I had dialup at the time and couldn’t download too much. 🙂

Rapnel (profile) says:

NS PM calling it theft. Yet another top-level authoritarian cunt that doesn’t even remotely *want* to understand where actual accountability and responsibility lies.

I’m sorry but the fucking protocol says it’s available, other people’s dreams and wishes not withstanding, http get.

I’m getting pretty fucking tired of the seemingly total incompetence of “authority” reacting excessively if not violently to “this computer thingy and those meddling kids”.

An information repository accessible on the network is a PUBLIC FUCKING KIOSK of any and all information contained therein. Choose wisely (or just shoot the fucking messengers, apparently).

This is the epitome of cunty authority. Bad governance defined.

Roger Strong (profile) says:

A few years ago I did a Google search on my (Canadian) apartment building. One of the first links returned was a user record in text format from a site helping people find apartments.

It contained her address, driver’s licence number and everything else needed for identity theft. Like the case above, you could change the record number at the end to see a different record.

The point is, Google had indexed the whole thing. And it’ll do the same with PDF files.

Yeah, the data the kid was arrested for was publicly accessible.

Anonymous Coward says:

Re: Re:

You raise a good point. Did they have their robots.txt file configured correctly? Was this stuff being indexed by bots too?

Of course, the other side of all this is that Canadian law weighs heavily on intent. If the kid was downloading it all just because he could, this won’t go anywhere. However, if he was found actively selling the PII on a Russian underground marketplace, I say throw the book at him. This may be what the “other charges” are that they’re pursuing.

TripMN (profile) says:

This is the epitome of insecure “security”. If people working for the government don’t think people can count to the next number, they are dumber than advertised. The least they could have done is used a pseudo-random hash value instead of an incremented numeric id (add some randomness to the values)… but then again the people doing this possibly don’t understand that putting files on a web-server means the server will serve them even if they aren’t redacted.

This computer stuff isn’t that hard if people stop thinking its magic and anyone who does something they don’t want is a hacker.

Anonymous Coward says:

Re: Re: Re:

Hmm? Gen X is just entering politics. Gen X is people like Trudeau fighting to legalize drugs. It’s the boomers who are still trying to hang on to power who crafted such enlightened legislation. You’ve still got another 20 years before Gen Y is in power… better hope that Gen X does a better job than the Boomers.

tin-foil-hat says:

Re: Re: Re:

“We might see some sanity in this area once Gen Y enters politics. As long as we’re still being run by Gen X and its predecessor we’re going to keep being the “beneficiaries” of this kind of enlightened legislation.”

Just because someone uses technology doesn’t mean they know how it works. And even if they know how it works won’t stop them being self-serving and corrupt.

@blamer on twitter (user link) says:

Monkeying with a site's URLs?

I believe in Australian law the below would be illegal, can anybody confirm?

“The person wrote a script allowing them to alter the website’s URL”

Moreover I am usure it is the scripting part that makes it illegal. I suspect “guessing” possible URLs is also illegal.

Can somebody please tell me how I can check the law on that point myself? I don’t wish to pay a lawyer to ask them!


nan says:

Re: Monkeying with a site's URLs?

The “one-line script” would just be a wget or curl command (which come built-in to various OSes) with a range wildcard like [0001-7000] (quoted as necessary). It will iterate over the range and request each URL, usually with a default or specified delay to avoid DOSing the site.

He’s not “monkeying with” anything of the site’s; he’s sending a series of HTTP gets, which the site happily responded to. You can craft any arbitrary URL; it’s up to sites to decide how to respond.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...