
Teenager facing prison for downloading unsecured files from government website - eigenvector
http://www.cbc.ca/news/canada/nova-scotia/freedom-of-information-request-privacy-breach-teen-speaks-out-1.4621970
======
sbarre
This reads like the beginning of The Hacker Crackdown..

As a Canadian, reading this article made me angry. If the information is not
supposed to be public, it should not be reachable without authorization or
authentication.

Never mind a curious 19-year-old, there are tons of crawlers and indexers out
there that attempt to enumerate URLs where they think there might be other
content.

Shame on them for building a poorly secured site, but even more for trying to
railroad a curious kid who made them look stupid.

~~~
dustingetz
I can see how the older generation is thinking though, they see it like
leaving a window unlocked doesn't mean you can

The laws are interpreted and applied by powerful people in a way that suits
the way they think - that much I think could have been predicted (but not by a
teenager)

Did the weev ruling surprise anybody other than hackers?

~~~
eboyjr
Since it helps the older generation to think about digital content in
metaphors, I'd argue that the kid was entering through an open window of a
public building. Although a bit strange, no one would give this hypothetical
person a third look.

~~~
losteric
I think the most precise metaphor is: a kid walked through the front door of a
public library, borrowed a couple freely available books, then the government
realized those books mistakenly included sensitive information.

In order to address that error, 15 police officers raided the kid's house.

~~~
rayiner
That would be an accurate analogy if these documents were linked to from a
publicly-accessible portion of the site. They were not. This is more like
someone walking into an unlocked back room and grabbing books that hadn't been
shelved.

~~~
deGravity
I think that's a bit harsh. The documents at that URL were understood to be
freely available to the public.

As a physical analogy, I'd think about it more as one of those restaurant
straw dispensers. He got tired of pressing the button each time for a new
straw, and instead opened the lid and grabbed a bunch out.

~~~
harryh
Going to a restaurant and taking every single straw out of the top of the
straw dispenser is clearly anti-social and is probably theft.

~~~
bwbw223
But there’s a near infinite supply of straws and it didn’t damage the
dispenser.

~~~
harryh
It did, however, damage the privacy of various Canadian citizens.

~~~
pdonis
_> It did, however, damage the privacy of various Canadian citizens._

Did it? I understand that the stupid contractor who put this data on the
website did (potentially--but note that nobody is saying that anyone has
actually suffered harm because of that data being accessible). But did the
teenager who got this bomb dropped on him damage anyone's privacy? As I
understand it, he downloaded the data, put it on his hard drive, and left it
there; it never went anywhere else.

~~~
harryh
Can you please send me a copy of your last 3 tax returns? My email address is
in my HN profile.

I don't know you and don't particularly care about your financial situation,
so I'm not gonna read them or share them with anyone else. I'll just keep them
on my hard drive.

~~~
phaemon
> Can you please send me a copy of your last 3 tax returns?

Options:

A) Sure, here you go. Oh wait! I didn't mean to send you those. You tricked me
and stole my information. I'm going to send 15 police officers round to arrest
you and then you're going to prison for years.

B) No, that's confidential.

^^ Which option do you think is more reasonable?

~~~
harryh
A) is not comparable to the current situation because you are the one
initiating the action. I can't stop you from sending me an email so it can't
be a crime on my part if you do so.

~~~
phaemon
No, you are initiating the action by requesting the file from me. You did
request the file didn't you? Even though you should have known it wasn't
public information?

------
phnofive
Seems like a move by the provincial government to shift blame from its poor
security to an imaginary bad actor; this article also from the CBC goes into
more detail and asserts that fraudulent intent is necessary for a conviction,
so hopefully this goes nowhere.

http://www.cbc.ca/news/canada/nova-scotia/concerns-teen-being-railroaded-in-privacy-breach-to-cover-government-slip-1.4616972

~~~
eigenvector
Yes, it's really not clear that any crime was committed. The relevant section
of the Canadian Criminal Code[1] requires either fraudulent intent or some
actual manipulation/destruction of the server - not simply downloading data.
It seems like overreach by the police to distract from the fact that the
government failed to secure private data.

[1] http://laws-lois.justice.gc.ca/eng/acts/C-46/section-342.1.html

~~~
inetknght
Honestly, I'd like to see the kid's lawyers push back and claim damages
against the province and its contractors.

How else shall we force problems like this to be fixed?

------
adanto6840
I agree with many of the comments here, along the lines of "intent?" and "bad
law", etc... How can I provide _material assistance_ to either this kid and/or
to the problem at large?

I'm looking for something other than "donate to the EFF [or equiv.]" ideally
though; I'd prefer to donate directly to his legal fund, or even do some
legwork myself that will help, etc.

And ideally in a way that not only helps him, but that helps prevent these
situations from occurring in the future -- i.e. working towards law change,
influencing prosecutorial discretion (meh), etc...

~~~
EamonnMR
I'm not an expert in Canadian law, but are there any elected officials in the
chain of the decision to conduct a raid? If so this ought to be severely
career limiting. If it was an elected judge who approved the warrant, for
example.

~~~
hydrox24
The provincial government or federal government appoints judges. [0]

But if it is anything like here in Australia (we are both Westminster systems)
then this does not mean the government is held accountable. Judge appointments
are assumed to be fairly neutral and it hardly ever comes up at election time.

[0]: https://en.wikipedia.org/wiki/Judicial_appointments_in_Canada

------
udia
The teenager was downloading publicly available records on a Freedom-Of-
Information portal. Why law enforcement is involved, or why this is even
remotely a criminal act, completely baffles me.

~~~
drb91
It’s easier to prosecute than to fix. More than that, the kid pointed out the
service is broken. Pretty humiliating. It’s not at all unusual to prosecute to
save face, especially rather than admit that your org gave the info to a
teenager when that’s illegal.

------
bowmessage
Really worried about what the authorities might find in his 30TB of 4chan
backups. Hoping for the best outcome for them.

~~~
daodedickinson
Exactly. Why did this kid admit that? How astronomically low are the odds
there's nothing illegal to possess in there?

~~~
astrodust
As the amount of 4chan material you've archived increases the probability of
not archiving something illegal quickly diminishes to zero.

~~~
Anon1096
Depending on the boards archived there's a pretty good chance he doesn't have
CP. Only /b/ (and I hear /sp/ as well but I never go there) really ever have
child porn, and then very very rarely and quickly deleted to the point that an
archiver might not pick it up. Due to the sheer size and uselessness of a
possible /b/ archive I kind of doubt there's anything bad.

~~~
hnaccy
If his archive was automated it's basically guaranteed he's saved a fair bit
of loli content. Not sure of the legality in Canada, but this seems like a
case where they'd railroad you for something they normally don't enforce,
e.g., Chris Handley in the states.

CP would not be unlikely even if he just archived "safe" boards like /a/,
/tv/, and /g/.

~~~
jstarfish
If he's scraping the softcore or hardcore boards (because nobody's archiving
4chan for its intellectual discussions), he's absolutely going to have more
than a few under-18 subjects in there doing sexually explicit things. If the
state can verify the age and identity of any of them, he's toast.

~~~
Anon1096
> nobody's scraping 4chan for its intellectual discussions

You'd be surprised. There's quite a few archives out there just for keeping up
board history and discussions.

------
Nickg00617
Just like Aaron Swartz. Is it really necessary to send 15 officers and / or
sentence people to 20+ years in prison for downloading freely available
information?

Aaron Swartz faced a longer prison sentence than most murderers within the US,
and the sentence for murder in almost any other country in the world.

Common sense has completely gone out the window in both policing, and the
criminal justice system.

Was anyone injured? Did anyone suffer financial loss? Fear to self? Any form
of significant damage at all? The answer to all the previous questions is a
definitive and resounding NO!

------
bpchaps
God dammit. An almost identical thing happened to me after submitting a public
records request to Seattle's IT department for email metadata for January
2017. Instead of sending me the email metadata I requested, they ended up
accidentally sending me millions of _actual emails_. FBI investigations,
cheating husbands' texts, SSNs, credit cards, zabbix alerts (so many 100% disk
space alerts).

When I contacted Seattle to tell them what happened (on my own will), the
conversation quickly turned to a point where we had to get lawyers involved.
Basically, they told me that if I agreed to have Kroll [1] scan my hard drives
to prove that I deleted the records, then they would give me "legal
indemnification". They eventually agreed to accept an affidavit that I deleted
everything, and had to wipe TRIM and that I wrote a script to confirm deletion
to the effect of, "grep -r $FILES_HEADER_FIELDS /".

One part that led to such a strong action by them was that they didn't see in
their logs how I downloaded everything and thought that I found a backdoor to
download all of their emails. They had some annoying rate limiting that
prevented too many files from being downloaded at once, so I copied the files
from the page's source, then ran a wget against everything. Since the files
were being downloaded from S3, their webserver logs didn't include most of the
downloads, which led to some suspicion.

Funny enough, Seattle told me it would cost $32m and 320 years of employee
salary, but I ended up sending them $40.

It just blows my mind.

https://crosscut.com/2017/10/seattle-information-technology-department-email-leak-city-scrambles

[1] https://www.kroll.com/

~~~
jstarfish
The way things played out for you is exactly how we handle corporate
exfiltration. Employees are unilaterally terminated for the violation, but
we'll agree to not press charges if they disclose any dissemination and attest
to its deletion.

Good for you for not having to deal with Kroll.

------
brandon272
I am absolutely incensed reading this.

The government made no reasonable effort to conceal the information and put it
on a _publicly accessible_ web server. They made the information available to
the public whether or not that was their intention. How can any reasonable
person conclude that typing in an HTTP url qualifies as an illegal breach?

~~~
gtlondon
They've made the information publicly accessible via HTTP, yet react like this
when someone then views it. Scary stuff.

I just can't comprehend this at all. To even describe it as a "breach" is
inaccurate -- the real headline is "government publishes data they hadn't
intended to".

------
WestCoastJustin
I've contacted the reporter to see if we can set up a legal fund for this guy.
It sounds like he's being bullied. This could also set a very bad precedent in
Canada as this is totally absurd.

~~~
anaphor
I would love to help out if possible. I'm a Canadian citizen but not in
Halifax, so I guess I can write my MP but I don't think they have much
authority to look into a provincial matter like this.

~~~
4cad
https://www.gofundme.com/ns-teen-railroaded-by-government?utm_source=internal&utm_medium=email&utm_content=campaign_title&utm_campaign=donation_receiptv5

------
politician
Add "help avoid sending teenagers to prison" to the list of reasons why you
should prefer UUIDs over integers in your Internet-facing REST API.

This API was supposed to be private and yet supported trivial enumeration?

~~~
Someone1234
Many UUIDs aren't secure either and can be trivially enumerated. A better
approach might be a long number generated using a secure random number
generator and converted to a BASE-64 string.

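The design question politician and Someone1234 raise above (sequential keys, random handles, or neither), as an added worked example that is not from the thread and is not the Nova Scotia portal's own code (which is not public here). It builds a constructed in-memory document store and queries it three ways: by sequential number with no caller check, by a 256-bit random handle, and by number with a per-request authorization check. All names, numbers and document bodies are hypothetical.

```python
import secrets

# Constructed sample store standing in for a FOI portal's documents:
# document number -> (owner, classification, body). Hypothetical data.
DOCS = {
    1001: ("alice", "public", "FOI release 1001 (redacted)"),
    1002: ("bob", "public", "FOI release 1002 (redacted)"),
    1003: ("carol", "confidential", "unredacted personal information"),
    1004: ("dave", "public", "FOI release 1004 (redacted)"),
}


# 1. The broken design: sequential key, nothing checked about who is asking.
def fetch_by_number(doc_number):
    doc = DOCS.get(doc_number)
    return doc[2] if doc else None


def enumerate_numbers(start, stop):
    """What a one-line script, or any crawler, does to a sequential key space."""
    found = {}
    for n in range(start, stop + 1):
        body = fetch_by_number(n)
        if body is not None:
            found[n] = body
    return found


# 2. Unguessable handle: 32 bytes from the OS CSPRNG, URL-safe base64.
# This changes the attacker's cost from "try the next integer" to
# "try 2**256 strings"; it still decides nothing about who may read.
HANDLES = {secrets.token_urlsafe(32): n for n in DOCS}


def fetch_by_handle(handle):
    n = HANDLES.get(handle)
    return fetch_by_number(n) if n is not None else None


def guess_handles(attempts):
    """Blind guessing against the random handle space; expect zero hits."""
    hits = 0
    for _ in range(attempts):
        if fetch_by_handle(secrets.token_urlsafe(32)) is not None:
            hits += 1
    return hits


# 3. The actual fix: authorize every request. The key shape no longer matters.
# "Not found" and "not permitted" both return None so a scanner cannot use the
# endpoint as an oracle for which numbers exist.
def fetch_authorized(doc_number, caller):
    doc = DOCS.get(doc_number)
    if doc is None:
        return None
    owner, classification, body = doc
    if classification == "public" or caller == owner:
        return body
    return None


def enumerate_authorized(start, stop, caller):
    """Same scan as enumerate_numbers, against the authorized endpoint."""
    found = {}
    for n in range(start, stop + 1):
        body = fetch_authorized(n, caller)
        if body is not None:
            found[n] = body
    return found


if __name__ == "__main__":
    leaked = enumerate_numbers(1000, 1010)
    print(f"sequential, no authz: {len(leaked)} docs, confidential leaked: {1003 in leaked}")
    print(f"random handles, 10000 blind guesses: {guess_handles(10000)} hits")
    anon = enumerate_authorized(1000, 1010, caller="anonymous")
    print(f"authorized endpoint, anonymous caller sees: {sorted(anon)}")
    print(f"authorized endpoint, owner sees: {fetch_authorized(1003, 'carol')!r}")
```

The random handle is a bearer capability: a secret in the sense Someone1234 means when comparing it to a password, so scrumption's "obscurity" objection only half applies. But it is a secret carried in the URL, which means it ends up in browser history, proxy and CDN logs, Referer headers and search-engine indexes (Google indexed this portal's files, per the comments below). The authorization check is the layer that does not depend on the URL staying secret, which is goshx's point. Returning the same None for "missing" and "forbidden" removes the enumeration oracle at the cost of less helpful errors; that trade-off should be made deliberately.
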
~~~
goshx
If things should be secure, they should be behind authentication and
authorization for that content. To argue about what is the best ID to be used
is just trying to fix what is not broken, IMHO.

~~~
quickthrower2
Security is multi layered.

~~~
scrumption
Obscurity is not a security layer.

~~~
Someone1234
So a password or private encryption key isn't security?

------
j32fun
Since this is publicly accessible, what would be the chance that search
engines indexed the files? In this case, would Google bot be charged? Or if
this were, say, Equifax or Facebook. I mean, in those situations, the
companies were blamed for "the leak". It seems rather convenient to cherry
pick the law to apply on this poor teenager.

~~~
mikekij
I think I read that Google had, in fact, indexed all of these pages.

~~~
Declanomous
Google did indeed index these files according to the following article:

https://evandentremont.com/some-information-on-the-freedom-of-information-hack/

------
komali2
>Officers took her 13-year-old daughter to question her in a police car.

Why are the cops allowed to do this? Why do you have to be "rescued" by your
lawyer in order to not be questioned by the police without legal
representation? Not sure how it works elsewhere but the cops badgered the
_fuck_ out of me until my lawyer finally got to the station and chased them
out. So, if I was a 13 year old on the way to school and thrown into the
police car, they could just do that until I crack?

------
CosmicShadow
Not the kind of response I would expect as a Canadian. Can't they send someone
undercover ahead of time to find out it's just some kid at his family house
and then take the appropriate response? There are better ways to handle this,
and there are certainly better ways to secure government files!

If it's publicly accessible, it's public information. Obfuscation doesn't
count!

~~~
marzell
There really should be accountability of whoever chose to store the data in an
insecure manner.

------
amatecha
If you can see the data by iterating a single number in a URL, and there's
zero authentication or verification of credentials, there's no possible way to
call it malicious. The fact this family's home was raided was already a
colossal mistake. The fact charges are even _suggested_ is such a joke I don't
even have words to describe it.

------
gburt
Please write to CIPPIC [0] and the Members of Parliament [1] and Members of
the Provincial Legislature [2] for both your local jurisdiction if appropriate
and Halifax, Nova Scotia to help protect this kid. The federal Minister of
Justice [3] and Technology [4] may be good additions. Remember what happened
last time we let a government go wild on a kid incrementing a number in a
public URL.

The fact is, it is the organization who published "personally identifiable
information" on the public internet who should be punished - and, in any case,
criminal law is not the tool to do it. The kid who incremented a number in a
URL to download that information is not the bad guy. What if the kid was not
Canadian? Are you going to try to extradite a Russian national over accessing
information on a public web server?

When a server announces to the world that it can answer HTTP requests, making
a reasonable number of HTTP requests is, to me and most technologists I know,
authorization (and thus, should be seen as with colour of right or non-
fraudulent). The fact those HTTP requests released data he was apparently not
entitled to is a security issue, a bug, a problem to be paid for by the actor
who manages the HTTP server, not a problem of law. Unfortunately, this section
of law has not been used often enough to clarify to me the interpretation of
those words.

Here are some follow on questions:

\- Why was there "personal information" in FOI releases? Surely a FOI release
was intended _for the public_, as that is the intent of the act. Whose fault
is it that there was undesired information in the releases?

\- How do we get this law changed? As the law is written, it hangs on the
words "fraudulently and without colour of right" \- the rest of the clause is
incoherent babble of a 1985 technophobe.

[0] https://cippic.ca/

[1] https://www.ourcommons.ca/Parliamentarians/en/members/Andy-Fillmore(88325)

[2] https://nslegislature.ca/members

[3] http://www.justice.gc.ca/eng/contact/index.html

[4] http://www.ic.gc.ca/eic/site/icgc.nsf/eng/h_00279.html

------
jonathanwallace
If you're frustrated by this story and live in Georgia, USA, you should
immediately contact the Governor's office, express your concern and ask that
he veto a similar bill sitting on his desk, SB 315.

https://action.eff.org/o/9042/p/dia/action4/common/public/?action_KEY=10692

------
XorNot
And this is why I'm going to route all my kids traffic through an offshore VPN
by default and whitelist low latency stuff.

~~~
jopsen
I've been thinking I wanted a router with two wi-fi networks.

One that goes through the ISP and one that goes out over a proxy.

I haven't found a solution just yet. I guess a raspberry pi with iptables and
routing based on device ID could do the trick too.

~~~
kuon
I use the following configuration:

I run two tinyproxy instances on my home server and I point all browser
traffic to the first instance. The first instance runs with the default
routing table on port 8888 and has entries like upstream localhost:8889
".somesite.com"; the second instance, which runs on port 8889, runs with the
VPN as its default route (I use setfib under FreeBSD).

With this setup, traffic goes by default directly on the net, but the
tinyproxy config file can be used to redirect some traffic through the VPN.

Of course, you can do it the other way around to have traffic by default on
the VPN and direct some traffic.

~~~
jopsen
Won't this leak DNS, and won't lots of system processes avoid the HTTP_PROXY
settings?

~~~
kuon
I have my own DNS server on my local network. And yes, this is only for my
browser. But this is intended.

If you want to route all traffic to a vpn for a specific machine, you can use
pf rules to forward an ip through another routing table.

------
erpellan
This is appalling. The operators of the site should be charged for criminal
negligence. You don't get to call it stealing if all it took was 3 keystrokes
in the address bar of a browser. Backspace. Number. Return. Hacked!!

------
ryandrake
Good thing he’s in Canada and _only_ got raided. If he were in the USA, they
would have tossed flashbangs and tear gas into his house, vaulted in through
the windows, shot the family dog, and held the whole family at gun point,
boots on their necks.

It’s a shame that police departments think these “shock and awe” tactics are
even remotely appropriate for dealing with non-violent suspects.

~~~
jstarfish
I don't like or agree with it either, but it is unfortunately necessary for
the preservation of digital evidence.

Many nonviolent actors involved in cybercrimes have prepared killswitches or
some other manner of instantly burning everything to the ground if you give
them enough time to react when you show up with a warrant.

~~~
jessaustin
If we can't enforce the law without making society terrible, let's get rid of
the law.

------
isostatic
I wonder how they noticed.

Perhaps the lowest-bid contract company that made the site decided to use
something like amazon glacier for storage of boring documents nobody will ever
need. Then along comes someone that causes them all to be extracted at great
cost, some middle manager receives a bill for $millions and wants to blame the
kid rather than his own failings.

~~~
amatecha
The truth is even sadder than you might expect (the rest of this post is a
quote from this article[0]):

Conrad said the breach was detected by a provincial employee, but it was a
fluke.

“The employee was involved in doing some research on the site and
inadvertently made an entry to a line on the site — made a typing error and
identified that they were seeing documents they should not have seen,” Conrad
told a technical briefing.

[0]: http://toronto.citynews.ca/2018/04/11/halifax-police-probing-n-s-freedom-of-information-site-breach-government-says/

~~~
jessaustin
There's a bit of a leap from that to knowing this dude had done the same
thing? That describes the employee finding a vulnerability. It probably took
some study of the logs to find "the breach". How many similar breaches by
actors overseas and less-vulnerable Canadians did they ignore?

------
whack
This might be a controversial opinion here, but intent does matter. If I see a
bunch of stuff sitting on the sidewalk and I take some because I think it's
free, that's a reasonable thing to do. But going into someone's house and
taking their TV is not. _"It's their own fault for not locking the door"_
isn't a valid legal defense, and I would prefer not to live in a country where
victim-blaming becomes a get-out-of-jail-free card.

Based on what little I've read thus far, the teenager does indeed seem to have
good intent. If that's the case, I'm cautiously optimistic that the court
system will set him free without any consequences. But if the prosecution can
prove that he was aware of the data's confidentiality and was acting with
malicious intent, then he deserves a conviction. Let's let the legal system
run its course, before gathering our pitchforks.

~~~
gcommer
That analogy assumes a lot about how hard/hidden obvious id numbers in URLs
are. I'd counter that this situation is more like "putting your stuff on the
curb and being mad when people take it". Rather than scapegoat the kid, the
government should be investigating themselves for criminal negligence.

~~~
whack
> That analogy assumes a lot about how hard/hidden obvious id numbers in URLs
> are

Well, I did give 2 different analogies, and without knowing more specifics,
I'm not taking a stand on which analogy better fits this case. Depending on
the specific design the government used, and the steps the teenager took to
access the content, either analogy could be applicable.

> Rather than scapegoat the kid, the government should be investigating
> themselves for criminal negligence.

That's a false dichotomy. Investigating government officials for negligence
shouldn't preclude prosecuting a (hypothetical) malicious hacker.

------
cryptoz
Wow. The trauma inflicted upon the children in the family when the Canadian
government bursts into their house can never be undone or taken back. Nor can
the financial and mental, emotional stress of losing their computers and
ability to do productive work and go to school. (Edit: will there be any
reparations for this abhorrent behaviour? Have they apologized? Will they, at
least? Not that it matters, the damage to this entire family is done.)

Some questions. Is the website still online? What happens if every Canadian
downloads the files?

What a dystopia. Do we only have one part of the story, can the situation
really be as bad as depicted on the article? This is atrocious.

Edit: And where is the case against the people in the office who put the
sensitive information of others into public view, (assuming and against the
law), the _actual_ perpetrators of an actual crime?

~~~
remir
The Gov of Nova-Scotia shut down the site, but you can still find some
documents on Google (they're cached).

The subcontractor of the site fucked up and they're blaming this kid.

------
czbond
Cases like this make me want to attend law school. I am well versed in
technology, have acted as CISO and other capacities. I bet I could decimate
many prosecuting attorneys trying to make their weak cases.

~~~
drtillberg
Interdisciplinary skills are really undervalued in law practice. Usually (US)
lawyers try to fill a room with single-subject experts, which is uneconomical,
and a government typically is not going to do it. So, in a run-of-the-mill
matter like this there are no interdisciplinary skills available to stop the
slow motion train wreck.

------
FroshKiller
This story resonates with me. I faced a similar charge in college. I got
indicted by a grand jury, and it was years before the DA dismissed the
charges. Absolutely nerve-wracking, and I was innocent!

------
flashman
This is crap. Late last year I found a public S3 bucket with 23,000 JSON files
in it, which I used to make a visualisation:
https://vimeo.com/249970399

The reason I felt confident to do this was because there was no access control
on the files and I'd reported it to PUBG Corp, with the bucket remaining
public weeks later.

Before people are punished for downloading unprotected information, the person
who left it like that should be hauled up in front of the courts.

------
Magi604
He's archived portions of 4chan?

It's likely then that he's gotten some "bad" stuff without him really knowing
it. The police will search through his files, find the bad stuff, and charge
him with some sort of possession/accessing/downloading charge.

Life = ruined.

------
simonh
I've actually done a similar thing myself. When my wife was doing her Nursing
degree she was downloading some documents she wanted to reference from NHS
web sites. The report for one year wasn't linked, so I checked the URL scheme,
figured out what the URL for the report should be (only the date was different
in the file names of reports for different years) and downloaded it directly.

It never occurred to me I might be committing a crime.

------
swampthinker
Am I crazy? Aren't FOIA requests, by definition, public information?

~~~
dumbfounder
This happened in Canada. They might have a FOIA equivalent, but I wouldn't
assume it has the same rules as in the US.

~~~
Kelbit
In this case, most of the documents were public, but there were a small number
which had confidential information and were inappropriately stored on the
public portal.

------
nkrisc
If a URL responds to any unauthorized HTTP request with data, how is the
requester supposed to know that the data they received is supposed to be
private or sensitive?

~~~
null0pointer
A better (more accurate) analogy than finding an open window/door is that of
asking a government employee for data.

Kid: "Hi, what is the personal info in that file?"

Employee:

    What they should say: "You are not authorised to see the contents of that file."

    What they actually said: "Sure, here's all the information in that file."

------
wardn
Damn kids. They're all alike.

~~~
GuiA
http://archive.org/stream/The_Conscience_of_a_Hacker/hackersmanifesto.txt

https://en.wikipedia.org/wiki/Hacker_Manifesto

------
plopilop
In France, we had a similar case, a computer guy with the pseudonym
Bluetouff[0].

He downloaded loads of national agencies confidential documents, because they
were available on Google.

However, he was sentenced (3,000€ fine), because when he explored the website,
he arrived on a connection page, thus realizing he should not have accessed
these files, but continued anyway.

I just hope for the teenager that he did not encounter any login page in his
search (which seems unlikely because he used a script).

[0] (in French): http://www.maitre-eolas.fr/post/2014/02/07/NON%2C-on-ne-peut-pas-%C3%AAtre-condamn%C3%A9-pour-utiliser-Gougleu

------
dandare
> His bedroom is upstairs. That's where police found him sleeping when 15
> officers raided the family home last Wednesday morning.

Calculate the cost of the 15 officers raid plus prosecution plus the damages
to the teenager and repeatedly bash it over the head of the responsible
officer in the next election. This is how to deal with this shit in democracy.
Even if people are insensitive to someone else's freedom they are sensitive
about their money.

------
danso
This reminds me of a purported "hack" back in the Governor Schwarzenegger
days. An employee from a rival campaign found a public-accessible FTP
directory full of audio files, which they then leaked to the press. IIRC, the
California Highway Patrol opened up an investigation but ended up not pursuing
charges.

https://www.dailynews.com/2006/09/13/arnolds-audio-open-to-public-foe-claims/

edit: the other parallel, IIRC, was that part of the web site was kept
private. But the user found the audio by navigating to a parent directory
which was apparently open to the public:

https://www.dailynews.com/2007/02/02/chp-clears-angelides-camp-in-flap-over-web-audio-files/

> _Essentially, aides opened the Web address, or URL, from one of
> Schwarzenegger’s speeches and lopped a few characters from the end of the
> address. That yielded a directory of audio recordings._

------
Rotdhizon
The most interesting part of this to me is that for the charge to stick, they
have to prove he did what he did with malicious intent. Keeping in mind the
article states that other employees of this business also viewed these
classified documents and are facing no repercussions because the company
states they did it by accident. While in every scenario this kid should get
off completely, that very well may not be the case. The US is extremely
stringent when it comes to cyber crime, more often than not they like to make
an example out of people rather than show mercy. The technical writeup for
this was spot on, it seems like the company is embarrassed and instead of
admitting they severely screwed up, they are doubling down on trying to
portray this teen as some super high tech malicious hacker who was trying to
steal government secrets. It doesn't matter how lax your security is, if you
can convince the population that this teen was nothing but an unethical,
scumbag hacker, no one will show him sympathy.

~~~
kamranjon
Isn't this Canada though?

------
stevew20
Each officer and official involved in this should face prison, as would any
common burglar who holds a family at gunpoint in their own home.

------
zupa-hu
Couldn't it be argued that clicking links on a web page is no different from
changing an ID in the URL?

Web pages contain loads of URLs. You can't tell if you have the right to
access the content behind it. The URL itself is simply an address to something
- or nothing (404).

Having an ID in the URL is a compact way of signaling a huge list of URLs.

Thus, the kid simply followed links published on the website.

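The mechanism the comment above describes (a sequential number in the URL standing in for a list of links) is the classic insecure direct object reference. As an added example, not code from the CBC article, the portal in question, or any commenter, here is a minimal document handler in its vulnerable form beside a hardened one. The document table, the role name "foi_staff" and the share-token scheme are constructed for the demonstration.

```python
"""Guessable IDs versus server-side authorization (added example).

Illustrative code written for this thread, not code from the CBC article,
the portal in question, or any commenter. The document table and the role
name "foi_staff" are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    title: str
    released: bool  # cleared for public release (redacted and published)
    body: str


# Constructed sample data: two released responses and one that was never
# redacted but still sits in the same sequential ID space.
DOCS = {
    7000: Document(7000, "Response 7000", True, "released text"),
    7001: Document(7001, "Response 7001", False, "unredacted personal information"),
    7002: Document(7002, "Response 7002", True, "released text"),
}


class NotFound(Exception):
    """Maps to HTTP 404."""


def fetch_vulnerable(doc_id):
    """Serves whatever the ID resolves to. 'Private' here only means 'unlinked',
    so anyone who increments the number in the URL reads it."""
    doc = DOCS.get(doc_id)
    if doc is None:
        raise NotFound
    return doc


def fetch_hardened(doc_id, requester_roles=frozenset()):
    """Authorization on every request, not just on the links the UI renders.
    Missing and unreleased documents both answer 404, so an enumerator learns
    nothing about which IDs exist."""
    doc = DOCS.get(doc_id)
    if doc is None or (not doc.released and "foi_staff" not in requester_roles):
        raise NotFound
    return doc


SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, rotated like any other key


def share_token(doc_id):
    """Unguessable link component: HMAC-SHA256 of the ID under a server secret.
    This stops bulk enumeration of the ID space, but it is defence in depth;
    the authorization check above still runs on every request."""
    return hmac.new(SERVER_KEY, str(doc_id).encode(), hashlib.sha256).hexdigest()


def fetch_by_token(doc_id, token, requester_roles=frozenset()):
    """Require the token for the link to resolve at all, then authorize."""
    if not hmac.compare_digest(share_token(doc_id), token):
        raise NotFound
    return fetch_hardened(doc_id, requester_roles)


def try_fetch(fetch, *args):
    """What an HTTP client observes: the document (200) or None (404)."""
    try:
        return fetch(*args)
    except NotFound:
        return None


def enumerate_ids(fetch, start, stop):
    """The 'change the last digit' walk from the thread, as a client would script it."""
    return [doc.doc_id for i in range(start, stop)
            if (doc := try_fetch(fetch, i)) is not None]


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(fetch_vulnerable, 6990, 7010))  # includes 7001
    print("hardened:  ", enumerate_ids(fetch_hardened, 6990, 7010))    # 7000 and 7002 only
```

The point of the hardened handler is that the check happens where the object is fetched, not where the link is rendered; the HMAC token only makes the URL space sparse, and a token that has been forwarded still needs the authorization check behind it.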
------
lurker456
perhaps we need an RFC that defines this type of approach (pages "secured"
behind easily guessable urls) as public information.

~~~
astrodust
Instead of actual security why not have a spec for /humans.txt which can say
things like "Please don't read anything in the /secret directory."

~~~
gruez
and what would that achieve? all it's going to do is force companies to add
legal boilerplate (eg. those "this message is intended for the recipient
only..." that you see in email signatures) to every imaginable place to cover
their ass, meanwhile doing nothing to improve security.

~~~
FundThrowaway
Talk about no sense of humour.

------
makecheck
What is it about headlines involving charges that love to focus on “facing
prison”. At the very _least_ this should indicate the RANGE of punishments,
and there is a hell of a range.

From the article, he’s been charged with “unauthorized use of a computer”.
IANAL but there would seem to be at least two possible interpretations of this
charge [1], and the “Summary Election” variant has a MAXIMUM punishment of
$5000 fine or 6 months. The other interpretation “Indictable Election” is a
_maximum_ of 10 years.

As with any case, details matter. Judges aren’t just sending every hacker to
prison for 10 years. He may be judged not guilty (evil intent must be proven;
then there’s his age, etc.), or given a way, way, way smaller punishment than
this “prison” he “faces”.

[1]
[http://criminalnotebook.ca/index.php/Unauthorized_Use_of_Com...](http://criminalnotebook.ca/index.php/Unauthorized_Use_of_Computer_\(Offence\))

------
billofwrongs
Remember Aaron.

~~~
manfredo
Aaron Swartz' situation is substantially different. Swartz knowingly violated
the terms of service of JSTOR, and deliberately circumvented its rate
limiting. And he knew what he was doing was against the law, he even published
a manifesto outlining his intentions to do this as a form of civil
disobedience.

The kid in this story just incremented sequential IDs on what was supposed to
be public information.

------
ikeboy
>He estimates he has around 30 terabytes of online data on hard drives in his
home, the equivalent of "millions" of web pages.

Wow.

------
Cofike
This is pretty disgusting. The provincial government should be absolutely
ashamed of themselves.

------
c3534l
No one will face prison for making these documents public in the first place,
I'm sure.

------
itronitron
what part of _freedom of information portal_ do they not understand?

------
Scoundreller
> Around the same time, his Grade 3 class adopted an animal at a shelter,
> receiving an electronic adoption certificate.

> "The website had a number at the end, and I was able to change the last
> digit of the number to a different number and was able to see a certificate
> for someone else's animal that they adopted," he said. "I thought that was
> interesting."

He's like, 20 years ahead of his classmates.

------
ersh
This is really funny to see people comparing downloading a file to breaking
into an unlocked window.

You guys don't really have a clue on what Internet is.

~~~
evincarofautumn
It’s more like taking a photo of a public bulletin board with a hundred posts
on it, where three of the posts contain private information and so shouldn’t
have been posted.

Anyone could have viewed the posts on the board one by one; he just copied
them all at once for later viewing.

------
govtransparency
I work in a US city government doing government transparency work. I have a
title that can get people on the phone. What can I do to help?

------
bcheung
The levels of security:

1) Formal methods and cryptography

2) Obfuscation

3) Litigation

Looks like they chose the latter.

------
dennisgorelik
After figuring out that they screwed up, government agents should have
politely visited the teen, interviewed him, gone through his computer together
and deleted the compromised files.

Then quietly fix the vulnerability.

Instead they produced a PR disaster by disrupting the lives of a law-abiding family.

These are signs of arrogance and incompetence of decision makers at that
government department.

------
ebullientocelot
It isn't a breach if the administrators of the repository failed to secure the
information. Regardless of the likelihood of conviction it is reprehensible to
terrify some kid with the threat of losing his freedom as a means of saving
face, which is what this appears to be. I certainly hope he gets out of this.

------
shkkmo
I assume it was the large number of requests over a short period from a single
IP that drew their eye to it?

I wonder how many other people found the same thing and slurped this data down
in a more circumspect way before this kid was kind enough to expose this
privacy breach for us?

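On the question above of what drew attention to the downloads: a sequential walk through an ID space is easy to see in access logs whether the client is a curious teenager, a crawler, or an attacker. As an added example, not the portal's own logging and not any commenter's code, here is a small detector that flags a client stepping a numeric path component by a constant amount. The log lines are constructed in Apache/nginx "combined" format; the addresses and paths are invented.

```python
"""Spotting sequential-ID enumeration in access logs (added example).

Illustrative code written for this thread, not the portal's own logging or
any commenter's code. The log lines are constructed in Apache/nginx
"combined" format; the IP addresses and paths are invented.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
# Trailing run of digits in the request path, e.g. /foi/request/7000 or ?id=7000
ID_RE = re.compile(r'(?P<prefix>.*?)(?P<id>\d+)/?$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client walks 7000..7006 in a few seconds, one client
# browses normally, one crawler fetches two IDs ten apart.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2018:14:03:01 -0300] "GET /foi/request/7000 HTTP/1.1" 200 5120
198.51.100.4 - - [10/Apr/2018:14:03:01 -0300] "GET /foi/request/7003 HTTP/1.1" 200 4400
203.0.113.7 - - [10/Apr/2018:14:03:02 -0300] "GET /foi/request/7001 HTTP/1.1" 404 220
203.0.113.7 - - [10/Apr/2018:14:03:02 -0300] "GET /foi/request/7002 HTTP/1.1" 200 9810
203.0.113.7 - - [10/Apr/2018:14:03:03 -0300] "GET /foi/request/7003 HTTP/1.1" 200 4400
203.0.113.7 - - [10/Apr/2018:14:03:04 -0300] "GET /foi/request/7004 HTTP/1.1" 200 3075
203.0.113.7 - - [10/Apr/2018:14:03:04 -0300] "GET /foi/request/7005 HTTP/1.1" 404 220
203.0.113.7 - - [10/Apr/2018:14:03:05 -0300] "GET /foi/request/7006 HTTP/1.1" 200 6600
198.51.100.4 - - [10/Apr/2018:14:09:30 -0300] "GET /about HTTP/1.1" 200 1800
198.51.100.4 - - [10/Apr/2018:14:12:11 -0300] "GET /foi/request/42 HTTP/1.1" 200 3900
192.0.2.9 - - [10/Apr/2018:15:00:00 -0300] "GET /foi/request/7010 HTTP/1.1" 200 5000
192.0.2.9 - - [10/Apr/2018:15:00:30 -0300] "GET /foi/request/7020 HTTP/1.1" 200 5000
"""


def parse_line(line):
    """Return the fields we need, or None for unparsable lines and paths without a numeric ID."""
    m = LOG_RE.match(line)
    if not m:
        return None
    idm = ID_RE.match(m["path"])
    if not idm:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "prefix": idm["prefix"],
        "id": int(idm["id"]),
        "status": int(m["status"]),
    }


def _runs(recs, max_gap_seconds):
    """Split one client's requests to one prefix into runs where the ID moves
    by the same non-zero step each time and requests are close together."""
    recs = sorted(recs, key=lambda r: r["ts"])
    run, step = [recs[0]], None
    for prev, cur in zip(recs, recs[1:]):
        delta = cur["id"] - prev["id"]
        gap = (cur["ts"] - prev["ts"]).total_seconds()
        if delta != 0 and gap <= max_gap_seconds and step in (None, delta):
            run.append(cur)
            step = delta
        else:
            yield run, step
            run, step = [cur], None
    yield run, step


def find_enumeration(lines, min_run=5, max_gap_seconds=60):
    """Alert on every (client, path prefix) that walked at least min_run IDs in lockstep."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_client[(rec["ip"], rec["prefix"])].append(rec)
    alerts = []
    for (ip, prefix), recs in by_client.items():
        for run, step in _runs(recs, max_gap_seconds):
            if len(run) >= min_run:
                alerts.append({
                    "ip": ip,
                    "prefix": prefix,
                    "step": step,
                    "first_id": run[0]["id"],
                    "last_id": run[-1]["id"],
                    "requests": len(run),
                    "hits": sum(1 for r in run if r["status"] == 200),  # IDs that resolved
                })
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration(SAMPLE_LOG.splitlines()):
        print(alert)
```

An alert here is a signal that the ID space is being walked, not evidence of intent; a search-engine crawler produces the same pattern. The useful response is to check what the resolved IDs actually served, and to fix the authorization layer rather than the client.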
------
Simulacra
This is very sad. Any information that is not secured, and thus CAN be
accessed, should be considered publicly available. If that rule or precedent
were in place (a law would never happen) it might force system owners to be
more cautious.

------
hoc_opus
>At the family's request, CBC News is granting him anonymity because of his
hope the charge will be dropped and his reputation preserved.

The only thing about this article that didn't irritate me.

------
hoc_opus
>At the family's request, CBC News is granting him anonymity because of his
hope the charge will be dropped and his reputation preserved.

The only part of this article that didn't irritate me.

------
EamonnMR
This is shockingly heavy handed. Would they try and extradite Sundar Pichai if
Google's crawler happened to index the pages?

------
amarant
Teenager facing prison for looking at poster the government (mistakenly) put
up...

Mandatory xkcd: [https://xkcd.com/932/](https://xkcd.com/932/)

------
alex7o
I can give a very anecdotal example: where I live all the doors in the flat
look the same, they just have small numbers over the door. The exit door is
the same, just without a number, and it is next to my flatmate's door. Because
I was in a hurry I accidentally entered my flatmate's room when I intended to
get out of the flat. This is more or less the same.

------
_pmf_
I think people would be less upset about the teenager going to jail if the
chain of highly paid Peter principle executives responsible for the files
being accessible would also have to face any investigation at all.

------
FundThrowaway
From the article: "When he was around eight, he remembered playing around with
the HTML of the Google search page, making the coloured letters spell out his
name."

Isn't the Google logo an image? Smells a bit fishy to me.

~~~
hazeii
I make that about 11 years ago - the page was rather different then.

~~~
FundThrowaway
It was an image 11 years ago also.

[http://web.archive.org/web/20070106132559/http://www.google....](http://web.archive.org/web/20070106132559/http://www.google.com:80/)

------
frostirosti
Sounds an awful lot like the computer fraud and abuse act

------
Introvertuous
What an age we live in, utterly depressing.

------
some_account
American culture strikes again.

------
bitmapbrother
I find his story of "archiving the Internet" extremely amusing. Good luck
with that defense. He was 19 at the time and knew exactly what he was doing -
or should I say "archiving".

 _He estimates he has around 30 terabytes of online data on hard drives in his
home, the equivalent of "millions" of web pages. He usually copies online
forums such as 4chan and Reddit, where posts are either quickly erased or can
become difficult to locate._

 _"I preserve things, I archive the internet. I have history on my computer,
and all of that should be saved and preserved," he said._

~~~
realusername
You are not providing any argument against why he should not do that.

