19-Year-Old Canadian Facing Criminal Charges For Downloading Publicly-Accessible Documents

from the making-citizens-pay-for-the-government's-sins dept

A 19-year-old Canadian is being criminally-charged for accessing a website. The Nova Scotian government's Freedom of Information portal (FOIPOP) served up documents it shouldn't have and now prosecutors are thinking about adding charges on top of the ten-year sentence the teen could already be facing. (via Databreaches.net)

Journalists first spotted the problem April 5th, when the FOI portal was taken offline. The Internal Services Minister, Patricia Arab, refused to provide details about the portal's sudden unavailability. It wasn't until the following week that the press was given more information and those affected notified.

Even once the government learned of the breach, it waited until Wednesday to begin notifying affected people. Arab said they held off notifying people was because police suggested it would help them in their investigation.

Seems logical, except…

But [Halifax Police Superintendent Jim] Perrin told reporters police did not make that request. He could not say if advising people would have compromised the investigation. The province's protocols for a privacy breach state it is supposed to inform people as soon as possible, unless otherwise instructed by law enforcement.

The suspect obtained 7,000 documents from the Freedom of Information portal. Apparently around 250 of those contained unredacted personal information. Here's how the government portrayed the supposed hacking:

Government officials said someone got in by "exploiting a vulnerability in the system." The person wrote a script allowing them to alter the website's URL, which then granted access to the personal information.

Internal Services found more than 7,000 PDF documents had been downloaded by a "non-authorized user" in early March. They filed a complaint with police on Saturday.

A script made it easier, but a script wasn't required. The URLs for FOI documents are incremental. As software engineer Evan D'Entremont points out, anyone could have done what the supposed "hacker" did.

The way the documents are stored is simple. They’re available at a specific URL, which David Fraser, a Halifax-based privacy lawyer, was happy to provide:

https://foipop.novascotia.ca/foia/views/_AttachmentDownload.jsp?attachmentRSN=1234

Document number 1235 is stored at https://foipop.novascotia.ca/foia/views/_AttachmentDownload.jsp?attachmentRSN=1235.

Guess where document 1236 is stored? This is not a new problem. In fact, it was recognized over a decade ago as one of the top ten issues affecting web application security. All [the "hacker'] had to do is add.

All this "hacker" did was automate the retrieval of published documents from the government's FOI portal. That's it. This wasn't an attempt to access personal info. That problem lies with the government, which did not properly secure documents it hadn't redacted yet. As D'Etremont points out, plenty of other government websites use the same software for document access. (Searching "inurl:attachmentRSN"will bring up a handful of government websites, including Nova Scotia's temporarily disabled FOI portal).

But other sites have taken care to wall off publicly-available documents from others they're not prepared to make public by using a PublicPortal subfolder. Nova Scotia's site apparently did not, hence the teen's ability to access unredacted documents. This isn't evidence of fraudulent access or malicious hacking. This is evidence of government carelessness.

The question remains, was the access fraudulent?

Remember what I said about the other installations being called “PublicPortal”? And how 6750 of the 7000 records were public anyways, and how this system is literally designed for facilitating “access to information?” Looking at it further, there are no authentication mechanisms, no password protection, no access restrictions. It’s very clear that the software is intended to serve as a public repository of documents.

It’s also very clear that there at least 250 documents improperly stored there by the province. Documents that the province had a responsibility to protect, and failed.

This wasn't a criminal act. This was simply efficient harvesting of publicly-available documents. If some documents weren't supposed to be publicly-available, the blame lies with the government for failing to secure them. The fact that the government decided to get police involved gives this the ugly appearance of scapegoating. This is an embarrassed government body trying to turn its mistake into the malicious works of teen hacker.

It would be very surprising to see these charges stick. The URLs -- and the documents they held -- were publicly-accessible. But if they do stick -- and the Halifax PD has stated it may add more charges -- it will be due to the Nova Scotia government's unwillingness to take responsibility for its own carelessness.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 17 Apr 2018 @ 9:44am

    Typical, a government employee cannot be to blame for making the document public, therefore the person who accessed them must be blamed.

    reply to this | link to this | view in chronology ]

    • identicon
      A Nony Mouse, 17 Apr 2018 @ 1:23pm

      Re:

      Though I agree blame should not fall on the teenager, neither should it fall on an employee. This sounds like a known departmental issue that never got fixed because of bureaucracy.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 17 Apr 2018 @ 1:50pm

        Re: Re:

        Copying documents into a web accessible folder is not that easy to do by accident, and most users should not have access to those folders outside of a web browser, at least they shouldn't if the system is set up in a reasonable fashion.

        reply to this | link to this | view in chronology ]

        • identicon
          anon, 18 Apr 2018 @ 12:13pm

          Re: Re: Re:

          Copying to a web accessible folder is incredibly easy if you have permissions and have perfectly normal human error rate.

          cp oneFolder twoFolder redFolder blueFolder webAccessibleFolder

          reply to this | link to this | view in chronology ]

  • identicon
    Jordan, 17 Apr 2018 @ 9:51am

    Wow

    Us Canadians suck as much as Americans when it comes to law enforcement.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 17 Apr 2018 @ 11:49am

      Re: Wow

      Maybe worse, maybe less so, but different. Canada is unabashedly socialist and definitely, publicly, does not value individual rights. The US tries to claim "defense of the people" in public oral excrement while doing exactly the opposite. I'm not sure it's better to still pretend "the people" are important or to simply match words with deeds as Canada does. Either way I agree, both suck.

      reply to this | link to this | view in chronology ]

      • icon
        Roger Strong (profile), 17 Apr 2018 @ 12:09pm

        Re: Re: Wow

        The US has been far more socialist than Canada for decades. It's just that Canada extends that socialism outside of the corporate/investor realm more often.

        As it was put back in 2008 when Republicans were nationalizing the Wall Street banks and bailing out the auto industry:

        The Conservatives in Canada are roughly equivalent to the more liberal Democrats in the US.

        The Liberal Party is further to the left.

        MUCH further to the left we have the have the unabashedly socialist NDP. They want to do things like spending huge amounts of public money to manipulate the national economy, and nationalize or take a large financial stake in banks and some large corporations. This makes them roughly equivalent to the Republican Party.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 17 Apr 2018 @ 2:38pm

          Re: Re: Re: Wow

          As a canadian these posts seem like scaremongering, people are aware we have democratically elected provincial ndo governments who dont do this right? Also our banking has shown to routinely be quite robust and resistant to economical depressions due to having a centralized canadian bank and more regulation around our onterest rates and inbestments.

          Not perfect but id hardly call us pure socialists, just more so than the US.

          reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Apr 2018 @ 9:59am

    and the Halifax PD has stated it may add more charges

    "If we hit him with enough of the book he's eventually going to stay down, right?"

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Apr 2018 @ 10:15am

    seems to me that the Canadian government has been taking lessons from the USA DoJ, FBI, HS etc. they make multitudes of fuck ups and always manage to blame someone 'for hacking into the system' just to throw everyone off the scent and get someone locked up for doing nothing!!

    reply to this | link to this | view in chronology ]

  • identicon
    Rekrul, 17 Apr 2018 @ 10:19am

    Didn't someone in the US get in trouble for doing the exact same thing a few years ago?

    I've done this with things like pictures. Sometimes a site will have preview pictures numbered 5, 8, 14, etc. I try filling in the missing numbers and sometimes it turns out that they just linked to a few of the images in the directory. Or sometimes there's one full-sized image and a bunch of thumbnails, but if you alter the filename to conform to the one big image, you can get full-sized versions of all of them.

    Years ago, I found a site that had no protection for the members section, you just weren't supposed to be able to see the URL unless you signed in. I forgot how I found it, but I was able to browse their entire site. Unfortunately I had dialup at the time and couldn't download too much. :)

    reply to this | link to this | view in chronology ]

  • icon
    Rapnel (profile), 17 Apr 2018 @ 10:22am

    NS PM calling it theft. Yet another top-level authoritarian cunt that doesn't even remotely *want* to understand where actual accountability and responsibility lies.

    I'm sorry but the fucking protocol says it's available, other people's dreams and wishes not withstanding, http get.

    I'm getting pretty fucking tired of the seemingly total incompetence of "authority" reacting excessively if not violently to "this computer thingy and those meddling kids".

    An information repository accessible on the network is a PUBLIC FUCKING KIOSK of any and all information contained therein. Choose wisely (or just shoot the fucking messengers, apparently).

    This is the epitome of cunty authority. Bad governance defined.

    reply to this | link to this | view in chronology ]

  • icon
    Roger Strong (profile), 17 Apr 2018 @ 10:47am

    A few years ago I did a Google search on my (Canadian) apartment building. One of the first links returned was a user record in text format from a site helping people find apartments.

    It contained her address, driver's licence number and everything else needed for identity theft. Like the case above, you could change the record number at the end to see a different record.

    The point is, Google had indexed the whole thing. And it'll do the same with PDF files.

    Yeah, the data the kid was arrested for was publicly accessible.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 17 Apr 2018 @ 1:41pm

      Re:

      You raise a good point. Did they have their robots.txt file configured correctly? Was this stuff being indexed by bots too?

      Of course, the other side of all this is that Canadian law weighs heavily on intent. If the kid was downloading it all just because he could, this won't go anywhere. However, if he was found actively selling the PII on a Russian underground marketplace, I say throw the book at him. This may be what the "other charges" are that they're pursuing.

      reply to this | link to this | view in chronology ]

  • icon
    TripMN (profile), 17 Apr 2018 @ 11:41am

    This is the epitome of insecure "security". If people working for the government don't think people can count to the next number, they are dumber than advertised. The least they could have done is used a pseudo-random hash value instead of an incremented numeric id (add some randomness to the values)... but then again the people doing this possibly don't understand that putting files on a web-server means the server will serve them even if they aren't redacted.

    This computer stuff isn't that hard if people stop thinking its magic and anyone who does something they don't want is a hacker.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 17 Apr 2018 @ 11:54am

      Re:

      We might see some sanity in this area once Gen Y enters politics. As long as we're still being run by Gen X and its predecessor we're going to keep being the "beneficiaries" of this kind of enlightened legislation.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 17 Apr 2018 @ 1:43pm

        Re: Re:

        Hmm? Gen X is just entering politics. Gen X is people like Trudeau fighting to legalize drugs. It's the boomers who are still trying to hang on to power who crafted such enlightened legislation. You've still got another 20 years before Gen Y is in power... better hope that Gen X does a better job than the Boomers.

        reply to this | link to this | view in chronology ]

      • identicon
        tin-foil-hat, 18 Apr 2018 @ 8:04am

        Re: Re:

        "We might see some sanity in this area once Gen Y enters politics. As long as we're still being run by Gen X and its predecessor we're going to keep being the "beneficiaries" of this kind of enlightened legislation."

        Just because someone uses technology doesn't mean they know how it works. And even if they know how it works won't stop them being self-serving and corrupt.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Apr 2018 @ 12:07pm

    Almost like a burger joint giving away free fries with a drink then arresting for not paying for said fries when they leave

    reply to this | link to this | view in chronology ]

  • icon
    Ninja (profile), 17 Apr 2018 @ 12:10pm

    The government, on the other hand, will face no charges and nobody is gonna be punished for grossly mishandling documents and leaving them open to the public before review.

    reply to this | link to this | view in chronology ]

  • identicon
    Christenson, 17 Apr 2018 @ 12:57pm

    "This wasn't a criminal act"...but...

    But it *was* a criminal act...on the part of the government.

    And it *is* a criminal act...it's called intimidating researchers.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 17 Apr 2018 @ 1:08pm

      Re: "This wasn't a criminal act"...but...

      Vee have ways of making you talk
      don't make us hurt you to get what vee want
      Vee ember da torture is for your own protection

      reply to this | link to this | view in chronology ]

  • identicon
    @blamer on twitter, 17 Apr 2018 @ 3:23pm

    Monkeying with a site's URLs?

    I believe in Australian law the below would be illegal, can anybody confirm?

    "The person wrote a script allowing them to alter the website's URL"

    Moreover I am usure it is the scripting part that makes it illegal. I suspect "guessing" possible URLs is also illegal.

    Can somebody please tell me how I can check the law on that point myself? I don't wish to pay a lawyer to ask them!

    Cheers

    reply to this | link to this | view in chronology ]

    • identicon
      Lawrence D’Oliveiro, 17 Apr 2018 @ 5:05pm

      Re: Monkeying with a site's URLs?

      reply to this | link to this | view in chronology ]

    • identicon
      Lawrence D’Oliveiro, 17 Apr 2018 @ 5:06pm

      Re: Monkeying with a site's URLs?

      Is a link to https://dropsafe.crypticide.com/article/1312 now grounds for a comment to be held for moderation?

      reply to this | link to this | view in chronology ]

    • identicon
      Lawrence D’Oliveiro, 17 Apr 2018 @ 5:06pm

      Re: Monkeying with a site's URLs?

      Seems like it is.

      reply to this | link to this | view in chronology ]

    • identicon
      nan, 17 Apr 2018 @ 5:12pm

      Re: Monkeying with a site's URLs?

      The "one-line script" would just be a wget or curl command (which come built-in to various OSes) with a range wildcard like [0001-7000] (quoted as necessary). It will iterate over the range and request each URL, usually with a default or specified delay to avoid DOSing the site.

      He's not "monkeying with" anything of the site's; he's sending a series of HTTP gets, which the site happily responded to. You can craft any arbitrary URL; it's up to sites to decide how to respond.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 18 Apr 2018 @ 12:42am

      Re: Monkeying with a site's URLs?

      I suspect "guessing" possible URLs is also illegal.

      Wouldn't that make an editable address field in a web browser illegal?

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 18 Apr 2018 @ 2:57am

      Re: Monkeying with a site's URLs?

      Not Australian, but it would be under UK law.

      There was a guy who got fined £1,000 for pinging a donation page after the Boxing Day (26th Dec) Tsunami.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 Apr 2018 @ 1:29am

    No way in hell should this teen face ten fucking years in prison for this. Try to find a lawyer in Nova Scotia that could save this person from seeing freedom until they are thirty.. good luck.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.