You're a govt official. You accidentally slap personal info on the web. Quick, blame a kid!

There's a curious legal situation developing in Nova Scotia, Canada, right now. A teenager is suspected of breaking the nation's hacking laws by downloading PDFs containing personal information from a public government website after officials failed to redact the documents. The 19-year-old was arrested after more than a dozen …


  1. Ole Juul

    Unisys screwed up

    Unisys, dug through the logs, and let government officials know that 7,000 files has been slurped by a "non-authorized person."

    This was not a "non-authorized" person because the files were publicly available.

    1. Sorry that handle is already taken. Silver badge

      Re: Unisys screwed up

      And intentionally so!

    2. Dodgy Geezer Silver badge

      Re: Unisys screwed up

      Pipped me to the post!

      I don't know the detail of Canadian law. However, if this had happened in the UK and they wanted to make an example of this young man, our computer misuse legislation would enable them to do so.

      The issue here is not that the accused accessed data that was made publicly available - which, of course, he has every right to do. The issue is that he used a non-standard way to do so, and hence (I'm guessing without knowing the technical details) circumvented the countermeasures which were put in place to control the data output. That's a crime.

      Now the circumvention was trivial - but if required to prosecute this case that is the argument I would use. Luckily, I think I can rely on the Canadian authorities not knowing what The Register is, let alone reading it for hints as to how to proceed...

      1. Dan 55 Silver badge

        Re: Unisys screwed up

        I don't know the detail of Canadian law. However, if this had happened in the UK and they wanted to make an example of this young man, our computer misuse legislation would enable them to do so.

        Example from 2005.

        Man fined due to BT's shitty donation page.

      2. tfewster
        Facepalm

        Re: Unisys screwed up

        Typing a URL in by hand (rather than clicking on a link in a personalised email) is "non-standard"? I take your point, but a decent lawyer should get that thrown out. Similarly, wget/curl are standard tools.

        If my bank left a pile of money on a table for me to take my own, I might be tempted to take a bit extra. Yes, that would be theft, but also entrapment.

        1. Anonymous Coward
          Anonymous Coward

          Re: Unisys screwed up

          For morons at expert bureaucratic level, yes typing URLs in instead of clicking IS "non-standard". As for wget and curl, if you showed them the shell script with loop to grab all 7000 files they'd think to themselves "we have an open and shut case of hacking here, that's obviously something only a seasoned pro hacker could manage!"

          1. CrazyOldCatMan Silver badge

            Re: Unisys screwed up

            that's obviously something only a seasoned pro hacker could manage

            ... and pretty much the only circumstance where I could even be considered "a seasoned pro hacker"..

        2. mickaroo

          Re: Unisys screwed up

          "If my bank left a pile of money on a table for me to take my own, I might be tempted to take a bit extra"

          I believe that this analogy only holds if it's "public money". You can take as little or as much as you want and it's totally free. The issue here is that the "public money" also contained some krugerrands the bank had stupidly forgotten to separate out, and the kid arrived with a dump truck.

          I'm Canadian, and I think the charges need tossing...

          1. Dr. Mouse

            Re: Unisys screwed up

            If he gets convicted of this, the law is not fit for purpose.

            I have, more than once, used similar techniques to grab a bunch of data from a website, as I'm sure many on here have too. I haven't always needed it all, but it was easier to grab it all then filter it later, and who has time to delete the stuff you don't want?

            Even so, if a file is on the public internet then you are authorised to download it. If you weren't, the server would respond with an error code.

            This would be analogous to a library getting a kid charged with theft for borrowing a book which should not have been there, even though the librarian stamped it out and said nothing. How the hell should he know that he shouldn't have it? It was there with all the other books, in a place where books are supposed to be borrowed, with no indication that he was not authorised to borrow it.

            1. Jason Bloomberg Silver badge

              Re: Unisys screwed up

              This would be analogous to a library getting a kid charged with theft for borrowing a book which should not have been there

              I would refine that to having partaken in a "grab a box of books for free" offer and not even knowing what he has taken.

              I really cannot see how they can make the charges stick. Plenty of charges though which should stick for the real criminals here.

              1. Dodgy Geezer Silver badge

                Re: Unisys screwed up

                A better example might be that the library have a shelf with free give-away books, and have put some that they don't want to give away there by mistake.

                Now you are meant to come in at the front door and ask the librarian for a book on her list - and then she gives it to you from that shelf. You can't ask for the mistaken books, because they are not on her list. But one night a kid outside the library opens the window next to the shelf and takes a whole armful of books, including some which weren't on the librarian's list...

                1. pmb00cs

                  Re: Unisys screwed up

                  "A better example might be that the library have a shelf with free give-away books, and have put some that they don't want to give away there by mistake.

                  Now you are meant to come in at the front door and ask the librarian for a book on her list - and then she gives it to you from that shelf. You can't ask for the mistaken books, because they are not on her list. But one night a kid outside the library opens the window next to the shelf and takes a whole armful of books, including some which weren't on the librarian's list..."

                  Given he could just run get requests if there was an access control system (which none of the information I have read suggests there was) it was more like the library putting that shelf outside the front door, clearly labelled to say the books are free, with a sign inside the library telling people they need to ask the librarian which books they can take, and a teenager, having never been in the library, but seeing the shelf labelled as a "free books" shelf, helps himself to some books from that shelf, not knowing there is a process to take the books, or that some of the books might not be free.

                  I'm not saying it isn't a crime, but it ought not be, and the library management should be sacked for gross incompetence.

              2. DJSpuddyLizard

                Re: Unisys screwed up

                I would refine that to having partaken in a "grab a box of books for free" offer and not even knowing what he has taken.

                No, it's like a pile of books available for free - "please take one [or more]!", and the kid shows up with a robot that picks up the books one by one and shoves them in a box.

                The fact that one of the books is "Top Secret Methods for mounting rockets on LaserSharks" is not his fault.

            2. (AMPC) Anonymous and mostly paranoid coward

              Re: Unisys screwed up

              There are many laws on the books, but no justice

        3. Dodgy Geezer Silver badge

          Re: Unisys screwed up

          If they left it there by accident, would that also be entrapment?

        4. PacketPusher
          Headmaster

          Re: Unisys screwed up

          >>If my bank left a pile of money on a table for me to take my own, I might be tempted to take a bit extra. >>Yes, that would be theft, but also entrapment.

          No it would not be entrapment. Entrapment requires the prosecution or their agents to suggest the crime. While the money is unsecured, the bank is not suggesting you take it. We are supposed to be honest and take only what is ours.

          This does not apply to the fellow that was arrested as he had reason to believe that all of the information is public when he copied it. I suppose if he knew that there was private information there an argument could be made that it was not his to copy, but how could he know that without looking at it first.

          1. Jtom

            Re: Unisys screwed up

            This case is more like what almost happened to my brother. He was in a store that had a sign that said, "FREE," in big letters next to some inexpensive trinkets. He was just about to pocket one when he noticed the much smaller words at the bottom of the sign, "with the purchase of,"...

            He was incensed that he was almost tricked into shoplifting, a serious problem for him, even if they did not prosecute, since he is a judge.

            In this case, though, the fine print wasn't even there.

          2. My Alter Ego

            Re: Unisys screwed up

            "Entrapment requires the prosecution or their agents to suggest the crime."

            I don't know about the UK or Canada, but apparently it's completely legal in the US for law enforcement to suggest a crime. All you have to do is refuse. It becomes entrapment if they coerce you into committing the crime.

            Source: Law Comic - Entrapment. The whole strip is actually pretty interesting.

      3. rg287

        Re: Unisys screwed up

        The issue here is not that the accused accessed data that was made publicly available - which, of course, he has every right to do. The issue is that he used a non-standard way to do so, and hence (I'm guessing without knowing the technical details) circumvented the countermeasures which were put in place to control the data output. That's a crime.

        An HTTP request is non-standard?

        If indeed he was just using cURL with enumeration then it is literally just HTTP requests. Automated yes, certainly quicker than browsing to individual pages and clicking "Download". But if that's a crime then web.archive.org is as criminal as they come, to say nothing of Search Spiders crawling/indexing both the file names and content.

        1. Dodgy Geezer Silver badge

          Re: Unisys screwed up

          ...Automated yes, certainly quicker than browsing to individual pages and clicking "Download". But if that's a crime...

          It's not what he did. It's what he didn't do. I don't know anything about the user interface, but if he didn't use the provided method for accessing the files, then he has avoided an access control facility. Which is, as I say, a punishable crime in many countries.

          1. stratofish

            Re: Unisys screwed up

            If the files are not protected by that access control facility then he didn't bypass or avoid anything other than an index page which is fine. Unknown links are not a defence, see the definition of "security through obscurity" for details of why that is a terrible way to protect things.

            As a web developer you protect every route to a resource not just the one that most people see. If the files were accessible by direct URL without access checks when there should have been some then the website operator is 100% liable for those files being publicly available. If the index page links directly to that PDF URL then it is even worse because the URL is also the canonical location of that file. If the URL obviously matches a pattern then it should be expected to be enumerated at some point and protection added if that is not desirable.
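
The point in the comment above, that the check has to sit on the file route itself and not on the index page, shown as an added example (not part of the thread and not the portal's code; the document IDs, account names and function names are constructed for illustration):

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int      # consecutive ID, as in a /doc/<number> URL (constructed)
    requester: str   # account that filed the request (constructed)
    released: bool   # True only once redacted and cleared for public release


# Constructed sample store. IDs are consecutive, so one known URL reveals the pattern.
STORE = {
    d.doc_id: d
    for d in (
        Document(1240, "alice", True),
        Document(1241, "bob", False),   # unredacted, meant for bob only
        Document(1242, "carol", True),
        Document(1243, "dave", False),  # unredacted, meant for dave only
    )
}


def index_page() -> list[int]:
    """IDs the public index links to: released documents only."""
    return sorted(d.doc_id for d in STORE.values() if d.released)


def serve_unchecked(doc_id: int, user: Optional[str] = None) -> int:
    """Weak route: the only 'control' is that the index omits some links."""
    return 200 if doc_id in STORE else 404


def serve_checked(doc_id: int, user: Optional[str] = None) -> int:
    """Hardened route: authorization is decided on every request for the file."""
    doc = STORE.get(doc_id)
    if doc is None:
        return 404
    if doc.released or user == doc.requester:
        return 200
    # Unreleased file: anonymous callers must sign in, other accounts are refused.
    return 401 if user is None else 403


def reachable(serve: Callable[[int, Optional[str]], int],
              ids: Iterable[int],
              user: Optional[str] = None) -> list[int]:
    """IDs that the given route actually hands out with a 200 for this caller."""
    return [i for i in ids if serve(i, user) == 200]


if __name__ == "__main__":
    ids = range(1240, 1244)
    print("index links to:      ", index_page())
    print("unchecked route gives:", reachable(serve_unchecked, ids))
    print("checked route gives:  ", reachable(serve_checked, ids))
    print("checked route, bob:   ", reachable(serve_checked, ids, "bob"))
```

With the checked route, what an anonymous caller can fetch by direct URL matches what the index links to, so walking the ID sequence yields nothing beyond the intended public set.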

      4. Dodgy Geezer Silver badge

        Re: Unisys screwed up

        I assume the thumbs-down crew are the ones looking to hack into the government, given the chance?

        In the meantime, all those who complained that just making an html request shouldn't be illegal have completely missed the point.

        The point is that the kid did not go through the officially-provided access control system. I don't know what that did, and whether it would have stopped him, but the act of avoiding any access control process is a crime in many jurisdictions.

        You can argue that it shouldn't be, that what he did did not breach the aims of the web site, and that there was no indication that he should not have accessed things this way. All true, but irrelevant. In many countries, that's a crime.

        You may not like it - I do not like it, but that's the way our laws are written...

        1. Dodgy Geezer Silver badge

          Re: Unisys screwed up

          It would be nice to know why someone disagreed with a statement of the law...

          1. Anonymous Coward
            Anonymous Coward

            Re: Unisys screwed up

            "It would be nice to know why someone disagreed with a statement of the law..."

            You haven't stated any laws, just opinion backed by some rather dodgy analogies. Secondly, this is a tech site and many of the audience have used the same methods to "download the lot and I'll sort it out later"....which is very much faster than clicking on every single link. I have done this myself, and it's a lot faster to deal with a directory full of random stuff than it is to fish out all the desired bits manually; waiting for a page refresh between each action.

            More to the point, the website is specifically for the public to download documents. If the documents in question have not been properly processed (redacted in this case) then they have no business being on a publicly-accessible website. This is negligence on the part of the website operators, pure and simple.

            Time to cut loose with a dodgy analogy of my own: The website operators are doing the equivalent of pointing at a random person and shouting "Thief!" in order to mask their own getaway. And that's wrong.

          2. Jtom

            Re: Unisys screwed up

            Don't know what the law says, don't care, but your interpretation of it makes the use of any search engine illegal.

        2. Dan 55 Silver badge

          Re: Unisys screwed up

          The point is that the kid did not go through the officially-provided access control system.

          Yes he did. It was a public link and the web server did not throw 401 Unauthorised, 403 Forbidden, 408 Busy, or 429 Too Many Requests.

        3. Allonymous Coward
          Boffin

          Re: Unisys screwed up

          just making an html^H^H^H^HHTTP request

          FTFY.

        4. tghosgor

          Re: Unisys screwed up

          The words "html request" gave the fact up that you are an illiterate on this situation and should end your illiterate claims before you embarrass yourself more.

          The browser is not "the standard" way for accessing the content on the web. Has never been. It just makes it more convenient to use. By your logic, Google would be "the standard" way of searching something on the internet and we should prosecute everyone who uses DuckDuckGo to find specific things where Google's prioritization-by-popularity technique becomes trash.

    3. Sgt_Oddball
      Paris Hilton

      Re: Unisys screwed up

      But Google's fine to index them all?

      1. dnicholas

        Re: Unisys screwed up

        Gotta cache 'em all

        1. CrazyOldCatMan Silver badge

          Re: Unisys screwed up

          Gotta cache 'em all

          "One (token) Ring to capture them and in the darkness cache them"?

          Sounds surprisingly... painful.

    4. SVV

      Re: Unisys screwed up

      "A day later, an IT contractor behind the site, Unisys, dug through the logs, and let government officials know that 7,000 files has been slurped by a "non-authorized person." Within 24 hours, police were tipped off."

      Firstly, this sounds like they just listened to Unisys trying to hide their sheer ineptitude by misdirecting them to believe that accessing publicly available files on a webserver was a "hack by a non-authorised person". Naughty Unisys. Looks like THEY made them freely available via nonsecured URLs, therefore they released them to the public, therefore they should be the ones up in court if they shouldn't have been on general release.

      Security by obscurity is NOT security, therefore it would be ideal if countries' hacking laws were clarified to make this point clear. Ask elected representatives why mistyping https://xyz.com/1234 as https://xyz.com/1235 in a browser should land you in court, cost you a fine and lose you your job and career. It is the WEBSITE'S RESPONSIBILITY to secure resources with authentication, etc if they are not to be made public. Attempts to subvert this type of security ARE hacking. Otherwise they should be legally regarded as public and freely released.

      1. gnarlymarley

        Re: Unisys screwed up

        Firstly, this sounds like they just listened to Unisys trying to hide their sheer ineptitude......

        Almost sounds like Unisys was told by the government of what to say, as the government found this before Unisys did. Seems to be that someone in the government is trying to cover their.......

    5. anothercynic Silver badge
      Facepalm

      Re: Unisys screwed up

      Of course Unisys engages standard CYA protocol: "A hacker! A hacker did this! Didn't you watch Hackers? They're all these wayward kids who steal and break things and who wear funny clothes and speak in l33t language!"

      What Unisys *should've* done was: "Oops. Yeah, we cocked up, sorry! We'll fix the files and ask the guy in question nicely to delete the ones he has and give him a fixed archive".

      OY VEY!

      1. Clunking Fist

        Re: Unisys screwed up

        "What Unisys *should've* done was"

        Yeah, someone probably suggested that. But then someone in a managerial position said "No way: that would be embarrassing".

        Of course, in the meantime, their chosen course of action has made the provincial government, police and themselves look like Orwellian bullies. The press & media will hopefully be having a field day with this. That is very very embarrassing.

  2. Paratrooping Parrot
    Mushroom

    Seems like deja vu

    Why do government officials always blame "hackers" whenever they don't want to understand when something does not go their way with computers? Then they call in the police SWAT equivalent.

    I hope that the judiciary will agree with the teenager, although I feel like they will side with the government official on this. Most of them do not understand the basics of a computer as witnessed in the questioning of Zuckerberg at congress.

    There needs to be special judges who understand computer technology as well as the law who should be the judge of computer related "crimes".

    1. Flocke Kroes Silver badge

      Re: Seems like deja vu

      A decade ago Jerry Taylor - who has "22 years in computer systems engineering and operation" - got famous for threatening to complain to FBI about Centos because his web site had Centos's "Apache not configured" page on it. According to Mr Taylor, the guy from Centos giving him free technical support "Put in on TheRegistry", where you can find stories about the aftermath. The link to the transcript of the emails is now broken, but copies remain in dusty corners of the internet.

      Government officials have clearly learned from this, hence the right to be forgotten.

    2. Pascal Monett Silver badge

      Re: Seems like deja vu

      You do not need to know how a computer works to balk at so-called non-authorized access to public data.

      All you need is a functional brain and an extremely basic notion of logic.

      1. Gordan

        Re: Seems like deja vu

        *All you need is a functional brain and an extremely basic notion of logic.*

        Actually, it turns out that you don't need that functional a brain to be a civil servant:

        https://www.theregister.co.uk/2007/07/23/french_no_brainer/

      2. Prst. V.Jeltz Silver badge

        Re: Seems like deja vu

        Jeff, who isn't intentionally after information on a website when they visit it?

        the guy needs a captain obvious award

      3. gnarlymarley

        Re: Seems like deja vu

        All you need is a functional brain and an extremely basic notion of logic.

        They are politicians. I think the basic meaning of the word politician in the USA is someone that does not have/use a brain. Being that Nova Scotia is so close to the USA, maybe the political stupidity is bleeding over.

  3. Notas Badoff

    Govt publishes unpublic public documents! Details at <random> o'clock.

    Someone said "Give me a script I can run to upload the latest PDF to the site." Script says here you go, the next consecutive number was '1242'. What, you demand complicated interactions with public servants and 32 hex digit UUIDs? Hahaha.

    The core point here is, when is a document *published* ? If I stick a magazine on the shelf at the corner drug store, is it not published and available to all comers?

    Crap, now I'm nervous I downloaded all those IETF RFCs in sequence.

    1. DropBear

      Re: Govt publishes unpublic public documents! Details at <random> o'clock.

      For some definitions, something only counts as "authorized" access on the web if there is a way to arrive at a link saying "click here to download <thing>" strictly by clicking through from the site's main landing page. Not that I particularly agree, but things are what they are, and I can see institutions preferring to stick to this one whenever they have egg on their faces; and in a world capable of seriously debating whether linking to something is the exact same thing as publishing it yourself I wouldn't fancy my chances of judges making the right call.

  4. ThatOne Silver badge
    Unhappy

    Unequal contest

    Apparently it's way too easy to make a scapegoat out of someone when you're in power: After all this kid did visit their website and did download information he shouldn't have access to, didn't he. No reason to dwell on the fact that secret information was freely available...

    One could consider there was no way he could have known part of the documents weren't properly sanitized, one could even mention entrapment in this context, but well, I guess he can't afford a lawyer good enough to avoid him his bitter scapegoat destiny. What's 10 years of your life compared to some civil servant not getting bothered...

    1. Pascal Monett Silver badge

      Re: Unequal contest

      I think you glossed over the fact that the information was published for public access.

      So no, the kid did not download information he shouldn't have access to. He, and everyone in the world, has access to that information.

      1. Jeffrey Nonken

        Re: Unequal contest

        No, I think GP has it right: he downloaded information he shouldn't have had access to. Which is NOT the same as saying his access was unauthorized. Just that the information should not have been so easily accessed.

        He shouldn't have been able to use that trick.

        Not his fault he had access to it.

  5. Anonymous Coward
    Anonymous Coward

    Freedom of Information and Protection of Privacy Portal

    If anyone is struggling to explain irony I think this is the perfect example, there's a reason Alanis is Canadian.

    1. psychonaut

      Re: Freedom of Information and Protection of Privacy Portal

      hmm except no.

      alanis, ironic. ed byrne.

      https://www.youtube.com/watch?v=XfpB0kDLEts

  6. FozzyBear
    Black Helicopters

    Good Ol' Government Mentality

    If you break the law you will be arrested and punished.

    If we break the law you will be arrested and punished

    When we make embarrassing mistakes. You will be arrested and punished

    Friggin' muppets the lot of them !!!

    1. DropBear
      Meh

      Re: Good Ol' Government Mentality

      Yes. Embarrassing your liege has been a crime since before we invented fire. It still is. The laws proclaiming it so just happen to be unwritten, but not any less real.
