19-Year-Old Canadian Facing Criminal Charges For Downloading Publicly-Accessible Documents
from the making-citizens-pay-for-the-government's-sins dept
A 19-year-old Canadian is being criminally-charged for accessing a website. The Nova Scotian government’s Freedom of Information portal (FOIPOP) served up documents it shouldn’t have and now prosecutors are thinking about adding charges on top of the ten-year sentence the teen could already be facing. (via Databreaches.net)
Journalists first spotted the problem April 5th, when the FOI portal was taken offline. The Internal Services Minister, Patricia Arab, refused to provide details about the portal’s sudden unavailability. It wasn’t until the following week that the press was given more information and those affected notified.
Even once the government learned of the breach, it waited until Wednesday to begin notifying affected people. Arab said they held off notifying people was because police suggested it would help them in their investigation.
Seems logical, except…
But [Halifax Police Superintendent Jim] Perrin told reporters police did not make that request. He could not say if advising people would have compromised the investigation. The province’s protocols for a privacy breach state it is supposed to inform people as soon as possible, unless otherwise instructed by law enforcement.
The suspect obtained 7,000 documents from the Freedom of Information portal. Apparently around 250 of those contained unredacted personal information. Here’s how the government portrayed the supposed hacking:
Government officials said someone got in by “exploiting a vulnerability in the system.” The person wrote a script allowing them to alter the website’s URL, which then granted access to the personal information.
Internal Services found more than 7,000 PDF documents had been downloaded by a “non-authorized user” in early March. They filed a complaint with police on Saturday.
A script made it easier, but a script wasn’t required. The URLs for FOI documents are incremental. As software engineer Evan D’Entremont points out, anyone could have done what the supposed “hacker” did.
The way the documents are stored is simple. They’re available at a specific URL, which David Fraser, a Halifax-based privacy lawyer, was happy to provide:
https://foipop.novascotia.ca/foia/views/_AttachmentDownload.jsp?attachmentRSN=1234
Document number 1235 is stored at https://foipop.novascotia.ca/foia/views/_AttachmentDownload.jsp?attachmentRSN=1235.
Guess where document 1236 is stored? This is not a new problem. In fact, it was recognized over a decade ago as one of the top ten issues affecting web application security. All [the “hacker’] had to do is add.
All this “hacker” did was automate the retrieval of published documents from the government’s FOI portal. That’s it. This wasn’t an attempt to access personal info. That problem lies with the government, which did not properly secure documents it hadn’t redacted yet. As D’Etremont points out, plenty of other government websites use the same software for document access. (Searching “inurl:attachmentRSN“will bring up a handful of government websites, including Nova Scotia’s temporarily disabled FOI portal).
But other sites have taken care to wall off publicly-available documents from others they’re not prepared to make public by using a PublicPortal subfolder. Nova Scotia’s site apparently did not, hence the teen’s ability to access unredacted documents. This isn’t evidence of fraudulent access or malicious hacking. This is evidence of government carelessness.
The question remains, was the access fraudulent?
Remember what I said about the other installations being called “PublicPortal”? And how 6750 of the 7000 records were public anyways, and how this system is literally designed for facilitating “access to information?” Looking at it further, there are no authentication mechanisms, no password protection, no access restrictions. It’s very clear that the software is intended to serve as a public repository of documents.
It’s also very clear that there at least 250 documents improperly stored there by the province. Documents that the province had a responsibility to protect, and failed.
This wasn’t a criminal act. This was simply efficient harvesting of publicly-available documents. If some documents weren’t supposed to be publicly-available, the blame lies with the government for failing to secure them. The fact that the government decided to get police involved gives this the ugly appearance of scapegoating. This is an embarrassed government body trying to turn its mistake into the malicious works of teen hacker.
It would be very surprising to see these charges stick. The URLs — and the documents they held — were publicly-accessible. But if they do stick — and the Halifax PD has stated it may add more charges — it will be due to the Nova Scotia government’s unwillingness to take responsibility for its own carelessness.
Filed Under: canada, criminal charges, downloading, foia, foipop, nova scotia, transparency
Comments on “19-Year-Old Canadian Facing Criminal Charges For Downloading Publicly-Accessible Documents”
Typical, a government employee cannot be to blame for making the document public, therefore the person who accessed them must be blamed.
Re: Re:
Though I agree blame should not fall on the teenager, neither should it fall on an employee. This sounds like a known departmental issue that never got fixed because of bureaucracy.
Re: Re: Re:
Copying documents into a web accessible folder is not that easy to do by accident, and most users should not have access to those folders outside of a web browser, at least they shouldn’t if the system is set up in a reasonable fashion.
Re: Re: Re: Re:
Copying to a web accessible folder is incredibly easy if you have permissions and have perfectly normal human error rate.
cp oneFolder twoFolder redFolder blueFolder webAccessibleFolder
Wow
Us Canadians suck as much as Americans when it comes to law enforcement.
Re: Wow
Maybe worse, maybe less so, but different. Canada is unabashedly socialist and definitely, publicly, does not value individual rights. The US tries to claim “defense of the people” in public oral excrement while doing exactly the opposite. I’m not sure it’s better to still pretend “the people” are important or to simply match words with deeds as Canada does. Either way I agree, both suck.
Re: Re: Wow
The US has been far more socialist than Canada for decades. It’s just that Canada extends that socialism outside of the corporate/investor realm more often.
As it was put back in 2008 when Republicans were nationalizing the Wall Street banks and bailing out the auto industry:
Re: Re: Re: Wow
As a canadian these posts seem like scaremongering, people are aware we have democratically elected provincial ndo governments who dont do this right? Also our banking has shown to routinely be quite robust and resistant to economical depressions due to having a centralized canadian bank and more regulation around our onterest rates and inbestments.
Not perfect but id hardly call us pure socialists, just more so than the US.
and the Halifax PD has stated it may add more charges
"If we hit him with enough of the book he’s eventually going to stay down, right?"
seems to me that the Canadian government has been taking lessons from the USA DoJ, FBI, HS etc. they make multitudes of fuck ups and always manage to blame someone ‘for hacking into the system’ just to throw everyone off the scent and get someone locked up for doing nothing!!
Didn’t someone in the US get in trouble for doing the exact same thing a few years ago?
I’ve done this with things like pictures. Sometimes a site will have preview pictures numbered 5, 8, 14, etc. I try filling in the missing numbers and sometimes it turns out that they just linked to a few of the images in the directory. Or sometimes there’s one full-sized image and a bunch of thumbnails, but if you alter the filename to conform to the one big image, you can get full-sized versions of all of them.
Years ago, I found a site that had no protection for the members section, you just weren’t supposed to be able to see the URL unless you signed in. I forgot how I found it, but I was able to browse their entire site. Unfortunately I had dialup at the time and couldn’t download too much. 🙂
Re: Re:
If memory serves me, the site in the U.S.A. that made the news was an AT&T site that had to do with iPhone registration. I believe they wound up actually getting a conviction of the guy.
Re: Re: Re:
It was Weev.
https://en.wikipedia.org/wiki/Weev#AT&T_data_breach
Re: Re: Re: Re:
Thanks for the Link. If I knew his conviction had been overturned, I had forgotten. The bad news is that it was overturned on a technicality, rather than the stupidness of the prosecution in the first place.
Re: Re:
It seems to me there was this guy Aaron Swartz. He downloaded documents that were available to visitors at MIT.
He was maliciously prosecuted and committed suicide as a result.
Perhaps that is what the Canadians are hoping for.
NS PM calling it theft. Yet another top-level authoritarian cunt that doesn’t even remotely *want* to understand where actual accountability and responsibility lies.
I’m sorry but the fucking protocol says it’s available, other people’s dreams and wishes not withstanding, http get.
I’m getting pretty fucking tired of the seemingly total incompetence of “authority” reacting excessively if not violently to “this computer thingy and those meddling kids”.
An information repository accessible on the network is a PUBLIC FUCKING KIOSK of any and all information contained therein. Choose wisely (or just shoot the fucking messengers, apparently).
This is the epitome of cunty authority. Bad governance defined.
A few years ago I did a Google search on my (Canadian) apartment building. One of the first links returned was a user record in text format from a site helping people find apartments.
It contained her address, driver’s licence number and everything else needed for identity theft. Like the case above, you could change the record number at the end to see a different record.
The point is, Google had indexed the whole thing. And it’ll do the same with PDF files.
Yeah, the data the kid was arrested for was publicly accessible.
Re: Re:
You raise a good point. Did they have their robots.txt file configured correctly? Was this stuff being indexed by bots too?
Of course, the other side of all this is that Canadian law weighs heavily on intent. If the kid was downloading it all just because he could, this won’t go anywhere. However, if he was found actively selling the PII on a Russian underground marketplace, I say throw the book at him. This may be what the “other charges” are that they’re pursuing.
This is the epitome of insecure “security”. If people working for the government don’t think people can count to the next number, they are dumber than advertised. The least they could have done is used a pseudo-random hash value instead of an incremented numeric id (add some randomness to the values)… but then again the people doing this possibly don’t understand that putting files on a web-server means the server will serve them even if they aren’t redacted.
This computer stuff isn’t that hard if people stop thinking its magic and anyone who does something they don’t want is a hacker.
Re: Re:
We might see some sanity in this area once Gen Y enters politics. As long as we’re still being run by Gen X and its predecessor we’re going to keep being the "beneficiaries" of this kind of enlightened legislation.
Re: Re: Re:
Hmm? Gen X is just entering politics. Gen X is people like Trudeau fighting to legalize drugs. It’s the boomers who are still trying to hang on to power who crafted such enlightened legislation. You’ve still got another 20 years before Gen Y is in power… better hope that Gen X does a better job than the Boomers.
Re: Re: Re:
“We might see some sanity in this area once Gen Y enters politics. As long as we’re still being run by Gen X and its predecessor we’re going to keep being the “beneficiaries” of this kind of enlightened legislation.”
Just because someone uses technology doesn’t mean they know how it works. And even if they know how it works won’t stop them being self-serving and corrupt.
Almost like a burger joint giving away free fries with a drink then arresting for not paying for said fries when they leave
The government, on the other hand, will face no charges and nobody is gonna be punished for grossly mishandling documents and leaving them open to the public before review.
"This wasn't a criminal act"...but...
But it *was* a criminal act…on the part of the government.
And it *is* a criminal act…it’s called intimidating researchers.
Re: "This wasn't a criminal act"...but...
Vee have ways of making you talk
don’t make us hurt you to get what vee want
Vee ember da torture is for your own protection
Monkeying with a site's URLs?
I believe in Australian law the below would be illegal, can anybody confirm?
“The person wrote a script allowing them to alter the website’s URL”
Moreover I am usure it is the scripting part that makes it illegal. I suspect “guessing” possible URLs is also illegal.
Can somebody please tell me how I can check the law on that point myself? I don’t wish to pay a lawyer to ask them!
Cheers
Re: Monkeying with a site's URLs?
That’s already grounds for prosecution and conviction.
Re: Monkeying with a site's URLs?
Is a link to https://dropsafe.crypticide.com/article/1312 now grounds for a comment to be held for moderation?
Re: Monkeying with a site's URLs?
Seems like it is.
Re: Monkeying with a site's URLs?
The “one-line script” would just be a wget or curl command (which come built-in to various OSes) with a range wildcard like [0001-7000] (quoted as necessary). It will iterate over the range and request each URL, usually with a default or specified delay to avoid DOSing the site.
He’s not “monkeying with” anything of the site’s; he’s sending a series of HTTP gets, which the site happily responded to. You can craft any arbitrary URL; it’s up to sites to decide how to respond.
Re: Monkeying with a site's URLs?
Wouldn’t that make an editable address field in a web browser illegal?
Re: Monkeying with a site's URLs?
Not Australian, but it would be under UK law.
There was a guy who got fined £1,000 for pinging a donation page after the Boxing Day (26th Dec) Tsunami.
No way in hell should this teen face ten fucking years in prison for this. Try to find a lawyer in Nova Scotia that could save this person from seeing freedom until they are thirty.. good luck.
wVMYRF6X0jL www.yandex.ru