
 French journalist "hacks" govt by inputting correct URL, later fined $4,000+ - Cynddl
http://arstechnica.com/tech-policy/2014/02/french-journalist-fined-4000-plus-for-publishing-public-documents/
======
steeve
The ruling is more complicated than that. If you can read French, I suggest
you read Maitre Eolas' take on it [1].

[1] [http://www.maitre-eolas.fr/post/2014/02/07/NON%2C-on-ne-peut...](http://www.maitre-eolas.fr/post/2014/02/07/NON%2C-on-ne-peut-pas-%C3%AAtre-condamn%C3%A9-pour-utiliser-Gougleu)

~~~
sejje
I can't. Mind making a brief summary?

~~~
a3_nm
The main count on which Bluetouff was found guilty is that of "maintien
frauduleux dans un système de traitement automatisé de données (STAD)",
namely, remaining "in" a computing system (STAD) without being allowed. The
key point is that Bluetouff made an important admission, apparently during his
30 hours of "garde à vue", meaning, being under arrest at the police station,
where he seemingly neglected to apply his right to remain silent: he
recognized that, when going up the folder hierarchy, he landed on a username-
password login page. From this, according to the court, he should have
inferred that the documents were private and that he had nothing to do there.
Instead, he spent several hours siphoning the documents _afterwards_, which
established his intent to remain in the system despite having found out that
he wasn't supposed to.

One can then discuss whether this law is fair or not, whether things would
have been different had Bluetouff not made this key admission, whether it is
reasonable to consider that the login page was sufficient to indicate that the
documents weren't intended to be public, and whether the 3000 EUR fine is
balanced or not.

Meanwhile, Bluetouff has appealed the ruling to the Cour de cassation,
France's last-resort court for civil and criminal cases, whose role is to
break rulings where the law was not correctly applied (without discussing the
findings, only the application of the law and the adequate forms). I do not
think we know yet how Bluetouff will phrase his appeal, but Eolas estimates
that there would be a possible way to attack the ruling based on the court's
finding that Bluetouff's retrieving the documents constitutes "vol" (theft)
though it does not fall within the scope of the formal definition of theft
(because the ANSES was not deprived of the files).

~~~
jordanthoms
This is a good time to remind people: Don't talk to the police. Ever, under
any circumstances - it can only hurt you, never help you.
[http://www.youtube.com/watch?v=6wXkI4t7nuc](http://www.youtube.com/watch?v=6wXkI4t7nuc)

~~~
pyre
This is a very US-centric view. In some places, you have a right to remain
silent, but that _can_ be used against you in a court of law...

~~~
nodata
He means don't talk to the police until your lawyer is there.

Which countries will use that against you?

~~~
ItendToDisagree
UK or US, among other countries, if you are being held on 'homeland security'
(read: Suspected terrorist) charges.

IE: You are required by law to answer questions/turn over passwords when
suspected of such things. David Miranda being a recent and well known example.

~~~
nodata
"Let's wait until my lawyer gets here" will count against me?

You got a cite for that?

~~~
ItendToDisagree
Here's the first hit on Google, I'm sure many more instances, citings could be
procured.

 _According to former White House Counsel Alberto Gonzales (later the former
attorney general), “[t]he stream of intelligence would quickly dry up if the
enemy combatants were allowed contact with outsiders during the course of an
ongoing debriefing.” Warren Richey, “Beyond Padilla Terror Case, Huge Legal
Issues,” Christian Science Monitor, August 15,
2007, [http://www.csmonitor.com/2007/0815/p01s08-usju.html](http://www.csmonitor.com/2007/0815/p01s08-usju.html).
Yoo also explains that introducing a lawyer immediately after capture of an
enemy combatant would disrupt interrogation as any competent defense counsel
would tell his/her client to remain silent. Yoo, War by Other Means, 151._

~~~
refurb
That quote is in reference to enemy combatants, not those who fall within the
regular court system. I get your point though.

~~~
ItendToDisagree
As my post said _'homeland security' (read: Suspected terrorist) charges_ who
are not part of the normal court system.

But this also happens to immigrants or those stopped at the border in general.
[0] The right to counsel is being eroded at the edges (apparently not applied
to non-citizens whenever possible).

 _Over the past year, the American Immigration Council, along with the
American Immigration Lawyers Association (AILA), has documented instances
where the DHS immigration agencies—Customs and Border Protection (CBP),
Immigration and Customs Enforcement (ICE), and U.S. Citizenship and
Immigration Services (USCIS)—have deprived noncitizens of access to counsel.
For example, ICE also has taken the position that there is no right to consult
with a lawyer during an interrogation. Likewise, many CBP offices outright
deny access to all lawyers._ [1]

[0]
[http://law.psu.edu/_file/Immigrants/LAC_Right_to_Counsel.pdf](http://law.psu.edu/_file/Immigrants/LAC_Right_to_Counsel.pdf)

[1] [http://immigrationimpact.com/2012/01/23/its-time-to-improve-...](http://immigrationimpact.com/2012/01/23/its-time-to-improve-noncitizens-access-to-counsel/)

------
rch
> Bluetouff ended up admitting in testimony that when he found the documents,
> he had traveled back to the homepage that they stemmed from, where he found
> an authentication page, which indicated that the documents were likely
> supposed to be protected. That admission played a part in his later
> conviction in the appeals court.

Of course the fine seems absurd to me personally, but this excerpt hints at a
couple things one should _definitely_ not do.

~~~
ben0x539
This seems weird to me.

If I go to, say, the twitter homepage, I will find an authentication page, and
yet most content on twitter is obviously intended to be public.

~~~
tempestn
I don't know about France, but in many jurisdictions, a "reasonable person"
standard is used. While I don't personally believe accessing publicly
available files should be illegal in _any_ case, I do think that in the
situation as described (with the admission of traveling up the path hierarchy
to find a login page), most "reasonable people" would indeed infer that the
files were not intended to be publicly available.

~~~
frobozz
Not really. If I found a page that redirected me to a login, I would assume
that that page is not intended to be publicly available, and that other
content that I don't know about exists which is not intended to be publicly
available.

I wouldn't infer that just because (as noted by the parent comment)
[https://twitter.com/](https://twitter.com/) requires a login, I shouldn't
look at
[https://twitter.com/twrbrdg_itself](https://twitter.com/twrbrdg_itself)

Now, if all those pages I looked at before finding the login page had a banner
saying "private, not for public consumption, don't share this with anyone who
doesn't have an account", then I might think "hmm, perhaps I'm not supposed to
be here".

~~~
tempestn
That's not a fair analogy though. I agree that I wouldn't expect every page on
twitter to be protected. But if you find a direct link to a random document
indexed by Google, then check and the page that links to that document is
protected, I personally anyway would assume the document itself was exposed
accidentally. Obviously not everyone agrees though, which makes the reasonable
person thing difficult to decide.

As for the lock on the door comment, I'd say it's more like if you noticed a
store is left unlocked in the middle of the night, and therefore assume you're
welcome to go in and walk around. In fact, they probably didn't leave it
unlocked as an intentional invitation.

------
gcb0
happened in Brazil as well.

everyone knows you only build large public projects there if money changes
hands. and it usually happens that the gov official gets the quotes from all
the companies, calls the one paying him the most and tells the other quotes and
that company submits a little lower than the lowest and gets the job, later
including several hidden fees, etc.

then, for the Sao Paulo subway expansion, a journalist did a search and found
documents proving all that for that specific job (yellow metro line) and
published them.

gov removed the documents, waited for all signs of it ever being indexed to
disappear and then sued him. i think the trial is still going and they still
deny those documents ever existed.

~~~
whitey-chan
Do you have any links with further info on that case by any chance? Would be
interesting to see how that turns out.

------
rurban
How can government agencies still get away with accusing someone of
"theft" and accessing a "private computer" and "private documents" when they
just publish documents on the web, and the public is consuming them? The fact
that there was a HTTPAUTH protected login page in some up path on the site
does not infer that the documents should have been protected. They are or they
are not. And they looked legit, i.e. public.

Esp. with government documents you are safe to assume that they are public, if
they are public and look public.

~~~
MildlySerious
Exactly. Also, the HTTPAUTH is directory based and does not necessarily
include subdirectories, just like permissions on all Linux distros. So that
doesn't imply in any way that subdirectories should have been private.

------
zacinbusiness
I'm really on the fence with this one. As has been pointed out, the fact that
there's some auth somewhere on the server doesn't necessarily mean that those
specific documents were supposed to be private. However, as a journalist he
decided to publish the documents on his blog which I think we can take to mean
that he assumed they were, in some way, "juicy." And he wouldn't think that if
he didn't at least suspect that they were supposed to be private.

This is all assumption, of course, but I think it's a pretty logical assumption.

Still, freedom of the press is a strong right. Though freedom, as they say,
isn't free (there can be and often are consequences to exercising your
freedoms). In this case I think he's lucky to just get what amounts to a hefty
access fee. If he had stumbled onto U.S. documents he may well have found
himself taking a ride in a black helicopter.

------
higherpurpose
How many years would he get in prison for this in US? While the interpretation
of the law or the law itself are pretty bad here to begin with, at least the
punishments are saner for stuff like this. US seems to have both completely
terrible and easily abused hacking laws, but also extremely disproportionate
punishments.

------
nswanberg
This is more or less what happened to some kids applying to Harvard Business
School about seven years ago:
[https://freedom-to-tinker.com/blog/felten/harvard-business-s...](https://freedom-to-tinker.com/blog/felten/harvard-business-school-boots-119-applicants-hacking-admissions-site/)

Their penalty was a denial of admissions, but their hack of using a specially-
crafted URL was about the same.

------
thomasjoulin
I don't understand why he's getting fined for that. Those were publicly
accessible documents, even though they were intended not to be, as indicated
by the login form that Bluetouff admitted to knowing about.

If that's the law, then it needs to change.

------
fuckpig
Reminds me of what happened to Andrew Auernheimer, only iterated a bit more.

