As a Canadian, reading this article made me angry. If the information is not supposed to be public, it should not be reachable without authorization or authentication.
Never mind a curious 19-year-old, there are tons of crawlers and indexers out there that attempt to enumerate URLs where they think there might be other content.
Shame on them for building a poorly secured site, but even more for trying to railroad a curious kid who made them look stupid.
If some of those documents weren't appropriate to be viewed by the general populace then the company was criminally negligent in their handling of the data, the "hacker" saw an open door with a sign reading "free information" on it and didn't know any better before running a crawler over the documents to grab them.
It’s ageism but at this point I’m pretty convinced old people should be term limited from office
The problems we seem to be facing are almost entirely due to their inability to move on
Youth shouldn’t spend their lives kowtowing to geezers that quit thinking and are simply peddling what’s become etched in their neurons and “the rules”
The problems here are the usual problems within governments: venality, vanity, laziness, posturing and a certain bureaucratic indifference to human life. Which are traits well established among young and old alike.
Age isn't what's keeping anybody from understanding the technical issues here, either. A computer isn't some kind of magical oracle that only reveals its secrets to the young. Peel back the layers and I'll bet you $100 CAD it boils down to a failure of the institutional hierarchy and the communication therein. With uninformed-electorate-flavored sprinkles on top.
Young tech nerds rarely get voted into office because very few of them have done enough living to be able to assemble a coherent vision of reality and a way forward for an entire, let's say province. Don't get me wrong, a lot of successful older politicians do a shitty job of this too. But anyway, anyone who can do all that, or fake it well enough, quickly finds that messing around with computers is below his pay grade and not worth squandering his attention on. But they will still presumably have such people in their organization somewhere, and should be able to get from them a summary of WTF's going on and why.
EDIT: I guess what I'm even further saying is that this is yet another example of what's become a mantra of mine lately: The missing ingredient is almost never tech and almost always leadership.
The problem is with humans, you have those problems in courts, companies, charities, churches, clubs and small gatherings of people. The only protection we have against it is to recognize that this will always happen and strive to correct it before and when it has happened. I feel this is closely related to MeToo, you need to be able to ask for forgiveness, but often the people accused never really get what they have done wrong and belittle their actions.
Not Canadian, but I expect this teen to be let off completely free.
I write this as I'm trying to recover my wife's website by scraping archive.org and respecting various 400 & 500 level errors.
Resource depletion from overpopulation aside, the lack of social progress we will see once we manage to extend life to the point of immortality is one of the more depressing outlooks I can imagine. Old ideas will never die.
Federal Government ministers all have their phone bill summaries released as part of public record with private information removed.
The contractor redacted the phone numbers in this instance by changing the font colour to white (same as the background) in the PDFs uploaded to the government disclosure website. So if you exported to text, or highlighted text, the phone numbers were clearly visible.
So most federal members of parliament, the former prime minister (Australia's equivalent of president) and opposition leader all had their numbers leaked.
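A pre-publication check for the white-font "redaction" described in the comment above, as an added example that is not part of the original thread. It scans a page content stream for text drawn with a white fill colour or an invisible rendering mode; the sample stream, the function names and the assumptions (white page background, stream already decompressed, no nested parentheses or hex strings) are all constructed for illustration.

```python
import re

# Constructed, already-decompressed page content stream (not from a real document).
# The second text object is "redacted" only by switching the fill colour to white.
SAMPLE_STREAM = rb"""
BT /F1 11 Tf 0 g 72 720 Td (Mobile service summary for the Minister) Tj ET
q
BT /F1 11 Tf 1 1 1 rg 72 704 Td (Service number: 04XX XXX XXX) Tj ET
Q
BT /F1 11 Tf 72 688 Td [(Total) -250 ( charges: $123.45)] TJ ET
BT /F1 11 Tf 3 Tr 72 672 Td (Account ref 0000-EXAMPLE) Tj ET
"""

TOKEN = re.compile(
    rb"\((?:\\.|[^\\()])*\)"   # literal string (assumption: no nested unescaped parentheses)
    rb"|/[^\s\[\]()<>/]+"       # name such as /F1
    rb"|[-+]?\d*\.?\d+"         # number
    rb"|[A-Za-z'\"*]+"          # operator
)

TEXT_SHOW = {b"Tj", b"TJ", b"'", b'"'}   # operators that paint text
FILL_ONLY_MODES = {0, 4}                 # text is painted with the fill colour only
INVISIBLE_MODES = {3, 7}                 # text is not painted at all


def is_white(fill):
    """True when the current fill colour would vanish on a white page."""
    if len(fill) == 4:                                   # DeviceCMYK: no ink
        return all(c <= 0.01 for c in fill)
    return bool(fill) and all(c >= 0.99 for c in fill)   # DeviceGray / DeviceRGB


def find_hidden_text(stream):
    """Return (reason, text) pairs for text that is extractable but not visible."""
    fill, mode = (0.0,), 0          # PDF defaults: black fill, rendering mode 0
    stack, operands, findings = [], [], []
    for match in TOKEN.finditer(stream):
        tok = match.group()
        if tok[:1] == b"(":
            operands.append(tok[1:-1].decode("latin-1"))
            continue
        if tok[:1] == b"/":
            continue                # names (fonts etc.) do not matter here
        if tok[:1] in b"+-.0123456789":
            operands.append(float(tok.decode("ascii")))
            continue
        # Anything else is an operator acting on the operands collected so far.
        nums = [o for o in operands if isinstance(o, float)]
        if tok == b"g" and nums:
            fill = (nums[-1],)
        elif tok == b"rg" and len(nums) >= 3:
            fill = tuple(nums[-3:])
        elif tok == b"k" and len(nums) >= 4:
            fill = tuple(nums[-4:])
        elif tok == b"Tr" and nums:
            mode = int(nums[-1])
        elif tok == b"q":
            stack.append((fill, mode))      # save graphics state
        elif tok == b"Q" and stack:
            fill, mode = stack.pop()        # restore graphics state
        elif tok in TEXT_SHOW:
            text = "".join(o for o in operands if isinstance(o, str))
            if mode in INVISIBLE_MODES:
                findings.append(("invisible render mode", text))
            elif mode in FILL_ONLY_MODES and is_white(fill):
                findings.append(("white fill", text))
        operands.clear()
    return findings


if __name__ == "__main__":
    for reason, text in find_hidden_text(SAMPLE_STREAM):
        print(f"{reason}: {text!r}")
```

Any finding means the text is still in the file; the fix is to delete the text from the document before publishing, not to recolour or cover it.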
>Federal Government ministers all have their phone bill summaries released as part of public record
I see what you did there.
"It’s very clear that the software is intended to serve as a public repository of documents. It’s also very clear that there at least 250 documents improperly stored there by the province. Documents that the province had a responsibility to protect, and failed."
Do you jiggle door handles out of habit to see if they're unlocked? It's antisocial behavior. If you were supposed to have access to that document, it would be accessible from a link or search box on the main site.
So while going to the filing cabinet to get the file he'd been directed to, he leafed through other files too. Why not? They're all public information, since they're sitting here in the unlocked filing cabinet with all of the other public information files.
Turns out some of them were mislabeled, and were private information in the public information filing cabinet.
Not so weird, not so antisocial, not his fault, shouldn't be his problem.
Sure, it'd actually be like checking out every book in the library, but this is the age of the internet and it's an insanely useful skill to learn how to grep large amounts of text.
IMO this looks like a company that did a poor job trying to cover their mistake by blaming "those hacker folks". I don't think it's inappropriate to confirm the kid was acting without malicious intent, but the subcontractor who set up the security for this site needs to be investigated thoroughly.
You don't seem to realize how bad of an idea this is. You're talking about making criminals of people. You know, I think I remember once reading about how chrome would try the address you type while you typed it (i.e. before pressing enter, it'd make a request for every character you typed). Users of chrome could become criminals because their software would do this.
Best analogy I can think up is an automated free vending machine, with a row covered up by a piece of cardboard. If you don't want someone drinking the cokes on the hidden bottom row, why did you put them in the machine in the first place?
If the response code is 200, it's OK. The response code (not to mention the transmission of the file) is literally permission from the system to have the resource.
If you don't want someone to come in your door, don't put up a sign that says "come in."
If you don't want someone to see a resource at a URL, don't send them a 200 response code or serve the resource. That's the convention for the web.
This conversation has devolved into arguing against the analogy. This is the internet: everything on it is public unless care is taken to make it not so.
You may choose to argue whether or not that should be, but that's the way it is.
The Internet should be treated the same. Anything put on the Internet should be presumed to be public unless there is some indication to the contrary.
In this case, most of the information he accessed was clearly intended to be public, so there was no reasonable way for him to know that there was some private information improperly co-mingled with the public information, so he can't be faulted for not realizing that he shouldn't have accessed some of the information.
Elsewhere in this thread, people have pointed out that Google has crawled (and cached) at least some of the pages that were supposedly criminally accessed.
Edit: I mean not the act of listening, but the act of storing unlicensed material
But no, it shouldn’t be illegal. Yet what he said still completely applies to stuff like fiddling with ids on a site where you suspect it might lead to content you shouldn’t be able to access
Unless you’re whitehatting and plan to inform them of the security issue (probably anonymously because the world is fucked up and whitehatting can lead to jail time -_-)
Just because what you're doing is legal, doesn't mean you're not an asshole
The kid got documents on a public facing server. He did nothing wrong.
The blame truly lies on the government for allowing such porous security. They should be glad a seemingly benign teenager discovered their flaw and not some more nefarious actor.
A terms of service can not define law, but it can make explicit what data a provider is authorising a user to access.
"The Access to Information website allows you to submit, pay and receive FOIPOP requests online. The Nova Scotia Government also posts responses to formal FOIPOP requests online on the Disclosure log. This is a free public repository of FOIPOP responses that have been approved for publication and have met a specific set of criteria (PDF file 800 KB)."
That's what a url with an id in it is
Should you not have the freedom to type what you want into the address bar of a browser?
It implies the exact opposite. The owner may have intended it to be private, but making it publicly available, without security checks on a publicly accessible server, implies the property owner intended for people to access that property.
This is like going to a library, asking the librarian if you can check out a book, being told yes, and then later being arrested because they meant to say "no".
I think the real question here is: did the website provide enough information for the user to have been assumed to understand that what they were accessing wasn’t meant to be public (e.g. did the door look like a door to a private property)? And did the user cease to access the data once they understood it (e.g. did they close the door and leave)?
> In computing, a hyperlink, or simply a link, is a reference to data that the reader can directly follow either by clicking, tapping, or hovering. A hyperlink points to a whole document or to a specific element within a document. Hypertext is text with hyperlinks. The text that is linked from is called anchor text. A software system that is used for viewing and creating hypertext is a hypertext system, and to create a hyperlink is to hyperlink (or simply to link). A user following hyperlinks is said to navigate or browse the hypertext.
The URL in the abstract is not a "link." A link is an element in hypertext.
Whether we like it or not, language evolves. If “literally” can, then literally any other word can too.
That's in a nutshell what happened
The employees who work there have access to all information. Why wouldn't they? They work at the information bureau.
They also answer all questions. Why wouldn't they? They work at the information bureau.
You walk up and ask questions. You get answers. Three days later, you're arrested for knowing state secrets.
Do you see a possible problem with this arrangement?
They are, in essence, trying to redesign the nature of the Internet by fiat.
Historically, accessible resources are accessible. Public by their very nature. If you don't want them publicly accessible, implement (effective) authentication.
But this is far too much "trouble" for self-important, "do it my way" lawyers and executives.
So, they "define", or redefine -- in a pure fiction of language -- what is "public" and "private".
Aside from all else, these... "errors in the system" should be routed around. Denied use of the system.
Unfortunately, in this regard, tech has ended up in the position of working for them, rather than vice versa.
Personally, I won't work for them, anymore. Every thing I do for them, is against my own interests and, I've come to believe, the common good.
Me: I am a Canadian citizen and am rather concerned by what appears to be increasing online censorship and erosion of privacy rights in Australia and the UK. If it can happen there, it can happen here. I'd like to do my part to ensure that we can effectively oppose bad public policy when it's proposed in Canada. I deeply respect both the EFF and the ACLU for their work in the United States, but I'm not familiar with equivalent organizations for Canada. Do you have any suggestions as to where should I be sending my holiday donations?
Michael Geist: Thanks for your note. There are several groups in Canada that do great work on these issues:
1. CIPPIC - the Canadian Internet Policy and Public Interest Clinic (cippic.ca). I founded this tech law clinic at the University of Ottawa, the only one of its kind in Canada.
2. Open Media - based in Vancouver
3. CCLA - the Canadian Civil Liberties Association
4. CJFE - Canadian Journalists for Freedom of Expression
5. BCCLA - BC Civil Liberties Association
All do great work with limited resources.
It's not all domestic oriented, they do a lot of research on internet censorship internationally, and other things that fall into the category of "government interference with the internet".
"The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs, University of Toronto, focusing on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security.
We use a “mixed methods” approach to research combining practices from political science, law, computer science, and area studies. Our research includes: investigating digital espionage against civil society, documenting Internet filtering and other technologies and practices that impact freedom of expression online, analyzing privacy, security, and information controls of popular applications, and examining transparency and accountability mechanisms relevant to the relationship between corporations and state agencies regarding personal data and other surveillance activities."
They helped Geocoder.ca with their 4 year lawsuit: https://geocoder.ca/?sued=1
The BCCLA is top notch if you actually need to win a court case. When they take on a case they don't fuck around, and they have high powered lawyers working pro-bono for them.
the laws are interpreted and applied by powerful people in a way that suits the way they think - that much i think could have been predicted (but not by a teenager)
did the weev ruling surprise anybody other than hackers?
"It's not my fault I left my window open and you took advantage of it. I shouldn't have to keep my windows locked."
"If you see an unlocked window it's not an opportunity for you to take advantage of."
That's admittedly fairly obtuse, but you can see elements of this play out even in this thread, where it becomes a debate about the accuracy of the metaphor and not a discussion of the actual problem. It is so much easier to attack the language than it is to dig out the real concerns and talk about those, so you get a pro and anti situation or semantic nitpicking.
If you agree that the older generation can only think in the metaphorical sense and are practically stuck in the 50s with how they describe it, you also have to accept that it is so far out of whack with reality that it causes continual debate about what actually does reflect the situation and completely detracts from the problem at hand. It is beyond idiotic and it's symbolic of an unhealthy resistance to change.
As an aside, this happens in places like HN and Reddit all the time. A metaphor is introduced into a discussion and it totally derails it, and you're not talking about the source material any more, you're talking about the metaphor and how it can be more accurate. It's like the metaphor is more important than the problem itself sometimes and it's intensely sociopathic, because the linguistics take priority over the humanity.
I think, by and large, people are constrained to thinking about things they can describe. To that extent, being able to accurately describe something is meaningful, and is therefore a linguistic issue.
Semantics are very important when you are dealing with minutiae, and the law hinges on comparisons and extremely complex semantic arguments.
To that extent, it makes sense that we argue about the metaphors.
The web is in many ways a huge collection of resources that reference each other. Some of these references are explicit in links, others in text, and some are available for programmatic access.
In fact many resources can be discovered by programmatic access, and there is no inherent reason to think this is wrong. Just because an API isn't documented doesn't make using it illegal.
For example, many URLs are actually permalinks, you can bookmark them, or send them to a friend. While most websites don't document this API, it's very common.
Lots of people configure search keywords in Firefox by injecting queries in bookmarked URLs. Few of these URL patterns are formally documented, but that doesn't make their usage illegal.
Agreed. There is no inherent or intrinsic reason to expect that any given document or any given URL ought to be restricted. However, a look at the documents could have provided some extrinsic reason to stop looking. For example, if I find a filing cabinet full of classified documents, I will not continue leafing through them after I see the first one. I will stop immediately and notify someone appropriate (after contacting my lawyer). I do not intend to access classified documents.
The question is one of intent. Did the individual intend to access documents that they knew or should have known that they ought not access? If the kid pulled down one classified document, took a look, realized what he was looking at, and deleted it and notified the authorities, then I'm with the crowd. Likewise if they pulled down the entire archive without looking at any of them. I'll be on the front lines with my pitchfork.
On the other hand, if they saw the first classified document, then pulled down the rest of the trove hunting for more, some amount of punishment is probably warranted. Even then, I would say fifteen years is too much. Maybe a few months of time and probation, depending on exactly how much willfulness was on display.
I imagine these are the kinds of questions that will be resolved during the trial.
Per the articles: nothing was "classified", it was an archive of public documents that the government published periodically. The issue is that a small subset weren't redacted properly - but there's no apparent reason the teen would have known that.
It appears that someone simply archived a bunch of documents they reasonably believed to be public information.
The license to access private property is based on the intent of the property owner. Where the intent is made express (through a sign), that governs. Where the intent is not made express, we try to figure out what a reasonable person would infer about the property owner's intent.
The method of access, therefore, is relevant insofar as it tells you about what the owner of the web server intended people to have access to. The fact that content on a website meant for the public to access is only accessible by "programmatic" means that ordinary users would not know, is strong evidence that the owners of the web server did not intend for people to access those documents.
Sorry, that is complete BS. Have you scanned the entire internet and made sure there are no links to these files on other public pages?
Files publicly hosted by a web server (software explicitly designed and installed to make those files public) are in no shape or form private property.
Furthermore, in this specific case, there is an explicit statement saying the files are public and saying nothing about them not being accessible:
This is clearly wrong.
If I forget to lock my door when leaving my house one morning it's still trespassing if you enter the house without my permission.
This doesn't seem like an apt analogy for the actual case described in the article, though. That case seems more like: you left a bunch of stuff at the curb with a sign that says "free for the taking", but didn't realize that you left some stuff there that you actually didn't want taken.
in the context of the article and the problem at hand, the teenager downloaded a bunch of things that were supposed to be public access, but also accidentally downloaded some things that were confidential though not clearly marked as such (im assuming based on available information) and so the only real way he would have known they were confidential was if he actually perused the contents of them. that would be like having a room that is private property and off-limits, and it is marked as such, but the marking is inside the room and can only be seen by entering it and as such violating the private nature of said room. but really these are all just my thoughts on it and i certainly don't think i'm right or anything. it's just fun to talk ya know
This is why the law tends to fall back on what a hypothetical "reasonable person" would think.
I'm not as much of a hardliner as rayiner on this particular case as I think there are some facts in favor of thinking of these documents as public:
- it was a government website
- it was specifically set up for the purpose of sharing foia requests
- the data in the documents was not easily identifiable as private
But when it comes to the general principle where some HNers seem to think "If the webserver responds with a 200 then it's perfectly fine." I have to disagree.
Imagine a different scenario in which we were talking about tax returns instead of foia requests. You're looking at yours at http://www.canadataxes.com/return?id=1234 and you realize that if you inc the ID you get the tax return of some other random Canadian citizen. In that case it would be immediately obvious that someone had made a mistake and you were accessing information you shouldn't. A "reasonable person" would understand that a mistake had been made. It would then be clearly illegal to write a script to scrape down the docs for every ID.
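The site owner's side of the `return?id=1234` scenario above, as an added example that is not part of the original thread: a handler that serves any existing ID next to one that checks each record's publication status and owner, plus a release check the owner can run against their own store. The record layout, the names and the sample data are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    body: str
    approved_for_publication: bool
    requester: Optional[str] = None   # person the response was prepared for


# Constructed records; sequential IDs as in the thread's hypothetical.
STORE = {
    1234: Document(1234, "Response already in the public disclosure log", True),
    1235: Document(1235, "Unredacted response with personal details", False, "alice"),
    1236: Document(1236, "Response awaiting redaction review", False, "bob"),
}


def serve_by_id_only(doc_id, user=None):
    """Weak pattern: the only check is whether the ID exists."""
    doc = STORE.get(doc_id)
    return (200, doc.body) if doc else (404, "")


def serve_with_authorization(doc_id, user=None):
    """Per-record check: published records are public, others only for their requester."""
    doc = STORE.get(doc_id)
    if doc is None:
        return (404, "")
    if doc.approved_for_publication:
        return (200, doc.body)
    if user is not None and user == doc.requester:
        return (200, doc.body)
    # Same answer as for a missing ID, so the response does not confirm that an
    # unpublished record exists. A 403 is the alternative if that is acceptable.
    return (404, "")


def publication_leaks(handler):
    """Owner-side release check: unapproved IDs that an anonymous request is served."""
    return sorted(
        doc.doc_id
        for doc in STORE.values()
        if not doc.approved_for_publication and handler(doc.doc_id)[0] == 200
    )


if __name__ == "__main__":
    print("id-only handler leaks:", publication_leaks(serve_by_id_only))
    print("authorized handler leaks:", publication_leaks(serve_with_authorization))
```

Running `publication_leaks` as a deployment gate turns "someone uploaded an unapproved file" into a failed check rather than a served document.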
"the data in the documents was not easily identifiable as private"
as a mitigating factor.
If I request access to your house (send a HTTP request) and you grant me access (give me whatever I was requesting), I don't think I should be arrested for trespassing.
We're not yet to the point where it's the victim's fault when victimized by a criminal. It may seem that way when there are so many active criminals. But some places it's still possible to trust your neighbors. I live in one.
I grew up in a relatively small town. Literal years went by where my parents didn't lock the back door. It would have been illegal for someone to enter the house without their permission for that entire time period.
We do. But if we fail to do so correctly, as people occasionally will, have we committed a serious crime for which we should be facing prison? Particularly in a case where societal custom is not well formed, and analogies to more familiar situations are all strained?
This young man, by his account, likes to archive stuff he finds on the Web. From the sound of it, he's done URL incrementation many times, and this is the first time he's gotten in trouble for it. Let's suppose for the sake of argument that that's true, and also that there really were no indications on this site that the information was unintentionally left accessible. Do you really want to send him to prison for that?
You might reply that as cruel as that seems, its deterrent value would make it worth doing. But I don't even want to live in a world where people without criminal intent are so successfully deterred from experimenting with the Internet. In such a world, site owners would take even less responsibility than they do now for securing their information, and therefore actual criminals would have even more unfettered access to it.
A situation like this (security wise) isn't like leaving a window unlocked and having someone rob your house it's like
1. Leaving a pie on the window sill overhanging the side walk with paper plates and plastic utensils beside it.
2. A man knocking on your door, asking you for your bank account number without impersonating anyone of authority, you offering it up freely, then suing the man because you forgot to ask who he was first.
This guy facing prison doesn't give a shit about it feeling like a man stealing a pie from your window. It's nothing close to that because you can steal pies from windows and be held accountable in a much more reasonable way, and trying to reframe the situation only helps to an extent.
What I see is a tendency towards the metaphor because that abstraction itself poses a challenge on top of the original one and the original problem itself is less interesting than the linguistic magic layered on top of it. You can talk at length about how bad the dog > animal OOP example is but you won't have much to say about OOP without that.
It's basically bike-shedding.
wolf doesn’t care about the reasoning of sheep so long as they submit
FFS if I go to https://www.booking.com/city/ie/cork.html it loads fine. Apparently I'm breaking the law if I use my criminal-mastermind hacking skills to ALSO go to https://www.booking.com/city/ie/dublin.html
It's just ridiculous.
More like, All items on this table are free.
So far, so good.
Then someone included a couple that aren't free.
Writing a line of code to fetch a batch of info is ordinary to a literate user.
Putting some burden on him to understand that has happened is a very hard sell to me.
The Nova Scotia govt forgot to lock one of those doors and are now furiously trying to shift blame. I haven't seen them apologize or address their own internal incompetence in any of the news articles I am seeing about this.
In order to address that error, 15 police officers raided the kid's house.
That's all that happened: someone used HTTP in the way it's intended to be used, and inferred quite reasonably that the people who set up that web server knew what they were doing and meant to set it up that way. It turns out those people didn't know what they were doing, and they got embarrassed about it.
As you admit, the property owners did not intend those documents to be accessible. So the only relevant question is: would a reasonable person infer that documents which could only be accessed by editing a URL (by "tricking the HTTP server," if you insist on anthropomorphizing a dumb machine) were intended or not intended to be accessed?
I think most people would assume that documents that can only be accessed by editing an ID were not meant to be accessed. And that really is the end of the analysis.
I don't think you understand the web. I'm not anthropomorphizing anything. He literally sent a request for each document he wanted to look at and the server sent a response.
You keep referring to this hypothetical "reasonable person" who doesn't understand the very basic facts about technology, but the opinion you attribute to the "reasonable person" is just one you invented that happens to match your own.
> I think most people would assume that documents that can only be accessed by editing an ID were not meant to be accessed.
How would anyone know if the documents could only be accessed by editing the URL? Others in this thread have pointed out that some of those documents were indexed by Google, so actually, editing the URL is not the only way to get to them.
Computers always do what you _tell_ them to do, not what you want them to do.
The onus for keeping computerized material private is on the owner, and the owner screwed up royally by wrongly allowing sensitive material to be placed unprotected on a _public_ web site. Whether or not it was indexed is irrelevant - it was on a publicly accessible site, permissions set to publicly accessible, and the entire site was meant to be publicly accessible. One can close the analysis until the cows come home, it will not change this fact.
Accessing that material is as illegal as finding a diamond ring (or personal files) while dumpster diving. Dumpster diving may be seen as tasteless or low-class, but as far as I know, it’s not illegal.
Do we prosecute reporters for ferreting out publicly available, yet embarrassing, information?
A website isn't a trash can though.
If I accidentally leave a diamond ring (or personal files) in public somewhere and you take them that is absolutely theft.
As such, your analogies to situations (locked houses, unattended jewelry) with the opposite expectation just disprove your point. Assuming a file is private even though it's publicly accessible on a web server is as nonsensical as assuming an object is free for the taking even though it's an unattended diamond ring.
- Hey, can I GET this drink?
- 200 OK, here it is pal.
- 204 Uh, the bottle appears to be empty
- 206 I have only half the ingredients for the mix
- 300 Stirred or shaken?
- 301 That drink is now called this, but here it is!
- 400 I can't understand what you say buddy, are you drunk?
- 403 I'm sorry, but I must refuse to serve you that drink
- 404 Oops, I can't seem to find the bottle
- 411 How much do you want?
- 413 That's too much drink!
- 418 I'm actually a teapot
- 503 Too busy right now!
There are lots of things on webservers that aren't public. Try to access:
You can't, because github hasn't made a mistake and accidentally made all private repos public.
If github screwed up one day and all private repos were temporarily made public it would be illegal for you to run a script that tried to scrape them all down to your personal hard drive.
Files don't "accidentally" become publicly accessible via HTTP. i.e. you don't return to your computer one day to find everything is public.
Someone specifically took the steps to make this data public. The fact they didn't realize what they were doing isn't the fault of people that then view the data.
Hmm? It's certainly possible to configure a web server incorrectly by accident.
But as the person knows they are configuring a web server, I would say this is more carelessness / incompetence rather than an "accident" in the same way as losing a Diamond Ring would be.
If you insist on analogies involving lost rings, this situation is more like taking a picture of a ring someone lost in the street than it is like taking the ring.
If his carelessness meant communicating that you could take the ring without stealing it (say placing it in the donation basket instead of his wallet), that would absolve you of your crime.
I don’t think that’s a sensible rule and at the end of the day, it’s not the one that’s going to prevail. The Internet will be sanitized and made safe for all the people who forget their passwords and write them in their monitors. The Internet is for ordinary people now, not curious teenager hackers. And ordinary people will make the rules to suit themselves.
And how, exactly, is this "sanitization" going to occur? Are you saying that having 15 police officers raid a home and confiscate multiple computers (all but one of which had nothing to do with the incident in question), arresting a completely uninvolved person on his way to school, and taking no action at all against the stupid contractor who set up the website, is an acceptable form of "sanitization"?
> The Internet is for ordinary people now, not curious teenager hackers.
That's not what the police action described in the article is saying. It's saying the Internet is for government and corporations, and God help the ordinary people who get in their way. (Btw, I include "curious teenager hackers" in "ordinary people". Perhaps the fact that you don't is part of the problem.)
The only solution is site owners taking responsibility for securing their sites, in accordance with the sensitivity of the information on them. The sooner "ordinary" people realize that, the better.
Since you didn't respond when I raised it elsewhere in-thread, I would highlight again the fundamental imbalance between the rules you would impose on Facebook etc. and those you would impose on users. Firms that spend billions of dollars developing their systems only have to be as smart as the most ignorant person we can imagine. Their users, in contrast, must be geniuses to keep up with their many changes to TOS, interfaces, and functionality, while simultaneously those genius users aren't allowed to notice that numbers follow each other in sequence. This is nonsense on its face, but then again authoritarian maneuvers are their own justification, aren't they?
If we're on the topic of wishful thinking, I wish ordinary people would understand basic things about the internet. The purpose of humanity as a whole shouldn't be to dumb things down for "ordinary people". It should be to better teach and educate new generations, so we won't be able to assume ordinary people are dumb.
You do realize HN provides an API that allows you to request any item by using an ID?
> Stories, comments, jobs, Ask HNs and even polls are just items. They're identified by their ids, which are unique integers, and live under /v0/item/<id>.
For example: here is the link to the first story posted on HN: https://news.ycombinator.com/item?id=1
1. I don't think you can access that story by starting from the front page, because scrolling for more stories only gets you to page 25. Does that mean the intention is the story is private?
2. You can now access it by using the DOM element generated for my comment. Does that mean it's public?
While odd, `printf "GET / HTTP/1.0\r\n\r\n" | nc 126.96.36.199 80` gets you the HN home page as good as anything.
> it was far less obvious that the relevant documents were intended to be publicly available
My browser and the respective HTTP servers consider them equally obviously publicly available.
Of course they do. They consider whether or not to give me access. If they respond with 200, they are effectively telling me that the information is public and the request is approved. There's no law moral or legal that stops me from asking for information.
I could ask a law agent for classified information, but he's not going to prosecute me for asking questions. He could be suspicious and ask "how do you know a document with that number exists?". And I can reply "oh, I'm just asking for random numbers".
> There's no law moral or legal that stops me from asking for information.
I wouldn't be so confident of that if you haven't read up on the relevant laws. Many countries have prohibitions against unauthorized access that apply in circumstances where the access is not "unauthorized" in a technical sense relating to the details of the HTTP protocol. The law doesn't necessarily say what you would want it to say or what you would expect it to say. See e.g. the following example from the US. (I'm aware that the incident we're discussing occurred in Canada.)
And how do you prove intent? This is a technical problem with technical protocols involved. Intent should be provided via the protocol. If the protocol says resources are public, unless otherwise stated, you can't rely on a human to answer, post factum, what resource is private.
I believe that’s something they teach you in law school. Lawyers have been working on that problem for a while! IANAL, but I don't think you are going to be able to find a concise answer to that question that goes beyond the immediately obvious.
> Intent should be provided via the protocol.
Sure, if you say so. That’s not how the law works, though.
You're being hugely disingenuous. The owner of these files set up their website, which includes deciding which files are and are not publicly accessible, and it is reasonable to expect that the files they made publicly accessible are the files they intended to be publicly accessible.
One can certainly make the counterargument that a lack of public links suggests the owner wanted them to be private, but you are pretending that there's no evidence whatsoever that the files were meant to be public, and that's plainly not true.
I think most people don't have an intuitive understanding of this at all, which means you can get them to give any answer you want by crafting your description of the problem appropriately. That doesn't make such a procedure reasonable.
Except there's no way to know whether that's the only way to access those documents. That's what access control is for. They could be linked from elsewhere for all you know, and it's perfectly reasonable to assume that if you can access the document by punching in a URL, then it is so accessible.
Just curious about which one, or both, of those are trespassing in your perspective.
So it's more like going in to your library, using the card stack, learning about a book, going to the shelf it is on, and then looking at all the books on the same shelf.
Somebody noticed that you were looking at all the books and called the cops on you. The cops break in and arrest you for looking at books. They tell you that the bookshelf is off-limits and has personal information.
Sure, the library creates its own card stack and Google is an external service; however, if you design websites for a living you expect Google to perform that functionality.
I mean, I designed a service where we wanted to make it easy to share private information, so we didn't use authorization. However I realized that if I wanted the data to be private I should use a suitably long non-consecutive random ID for the resource. If anyone is guilty of criminal misconduct, it's the person who designed this asinine system or the executive who allowed it to be used on the internet.
Hell, I'd go so far as to say that the fact that the exact same system is still being used across the US is a sign that the company who runs the system is criminally negligent.
As a physical analogy, I'd think about it more as one of those restaurant straw dispensers. He got tired of pressing the button each time for a new straw, and instead opened the lid and grabbed a bunch out.
Did it? I understand that the stupid contractor who put this data on the website did (potentially--but note that nobody is saying that anyone has actually suffered harm because of that data being accessible). But did the teenager who got this bomb dropped on him damage anyone's privacy? As I understand it, he downloaded the data, put it on his hard drive, and left it there; it never went anywhere else.
I don't know you and don't particularly care about your financial situation, so I'm not gonna read them or share them with anyone else. I'll just keep them on my hard drive.
A) Sure, here you go. Oh wait! I didn't mean to send you those. You tricked me and stole my information. I'm going to send 15 police officers round to arrest you and then you're going to prison for years.
B) No, that's confidential.
^^ Which option do you think is more reasonable?
He can't be faulted for accidentally downloading some private information that was improperly mixed in with a bunch of public information that he was trying to download. He had no indication that the information he was retrieving was not supposed to be public.
If there were books in this section that shouldn't have been in there, that's not his fault. That's the librarian's fault.
Likewise, what the computer does is irrelevant, except insofar as it tells you about the owner's intent. So the question is not "did the computer let you access the file" but "what does how the computer let you access the file tell you about what the computer owner intended?"
Also, I'm not sure your analogy works at all. In the first paragraph, you seem to analogize the car to the accused "hacker", while in the second you're talking about the supposedly "hacked" host. To be clear, the point of the car example is that a machine's intelligence has no bearing on how its actions affect the duties of its operators.
The best, and most accurate, way of determining if the resource you requested is meant to be accessible, is to check to see if you got a 200 OK response or a 403 Forbidden response.
So your argument is that a better way to check this is to crawl the entire web looking for links to a resource to determine if it was meant to be publicly accessible?
Your intent argument is really shallow. People do bad things with good intentions all the time. Doesn't mean their actions are good or legal.
Or you failed to follow the rules, were careless, and hit him by mistake. Was your intention to kill him? No. Was it your fault? Yes.
If we have to resort to metaphors, then let's describe this section of the site as a ring binder, and each FOIPOP publication as a single page in the ring binder. What the kid did, then, is to take out the entire stack of pages and feed it to an automatic copier, put back the originals in the binder and leave with the copied stack.
There is no indication that the "perpetrator" even looked at any page in that stack. And since the binder was clearly labeled as "free public repository of FOIPOP responses that have been approved for publication", the act of copying the entire stack is no reason to assume foul play.
Ok, not actually a metaphor -- https://www.motherjones.com/politics/2013/12/fbi-copyrighted...
Given that he tried to sequentially download all possible documents by sequentially incrementing the document ID in the URL, it's more like trying to open every window in the public building and see what happens.
Is a 19 year old a kid?
Those principles apply equally well to the Internet. Ordinary law-abiding people don't go fiddling with URLs, just like law-abiding people don't jiggle door handles or peek into windows to satisfy their curiosity.
This Orwellian attitude that looking at anything is criminal if the government retroactively decides they didn't want you to see it, is terrifying.
But as usual when it comes to authoritarian overreach by government, you're not de-facto wrong about how the government sees things, but you are eloquently defending a morally horrific attitude.
That's not Orwellian or authoritarian--it's a basic part of "social" behavior in a society with private property.
However, when you make those files available through a web server, you make them "public".
You then have the ability to limit the access to those files through any one of a large number of techniques to make them private again. Now if there were evidence that they tried (and failed) to use one of these techniques or that the teenager in question deliberately circumvented these techniques, then you would have a point.
One (not particularly good) way of limiting access to files without verifying identity would be to create a hash (say using the requester's email address and the request ID) and use this in the URL to access the document (similar to how Google Docs implements sharable document links).
If they had done this, then perhaps you could legitimately claim that there was evidence of intent to restrict access.
An incremented ID is the opposite. It is a sign that you wanted people to be able to easily predict the correct url to download the next file from. Using an incremented ID is in fact evidence that this information was intended to be public.
He literally asked the web server "can I have these files" and it responded with "yes, you are authorized, here you go".
If he wasn't authorized, the server should have responded with a 403 Forbidden!
Web servers are built around authentication and access rights! It is not the teen's fault that the government doesn't know how to configure them properly.
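The two controls raised in the comments above (an unguessable per-document link, and a 403 for anything not cleared for the public), sketched as an added example that is not part of the thread or of the site under discussion. The document store, field names and function names are hypothetical, and a keyed HMAC is substituted for the bare hash suggested above, because a plain hash of an email address and a request ID can be recomputed by anyone who knows both.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: request ID -> requester, body, publication status.
DOCUMENTS = {
    1001: {"owner": "alice@example.org", "body": "redacted response A", "public": True},
    1002: {"owner": "bob@example.org", "body": "unredacted personal file", "public": False},
    1003: {"owner": "carol@example.org", "body": "redacted response C", "public": True},
}

# Server-side secret (assumption: generated once per deployment and stored privately).
SERVER_KEY = secrets.token_bytes(32)


def link_token(request_id, email, key=SERVER_KEY):
    """Token the site would embed in the link mailed to the requester."""
    msg = f"{request_id}:{email.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def fetch_sequential(request_id, token=None):
    """Handler with no access decision: every ID that exists returns 200."""
    doc = DOCUMENTS.get(request_id)
    if doc is None:
        return 404, None
    return 200, doc["body"]


def fetch_with_token(request_id, token=None):
    """Handler that states intent in the protocol: 403 unless public or token matches."""
    doc = DOCUMENTS.get(request_id)
    if doc is None:
        return 404, None
    if doc["public"]:
        return 200, doc["body"]
    expected = link_token(request_id, doc["owner"]).encode()
    supplied = (token or "").encode()
    # Constant-time comparison so response timing does not leak token prefixes.
    if not hmac.compare_digest(expected, supplied):
        return 403, None
    return 200, doc["body"]


def sweep(fetch, ids):
    """Owner-side audit: which IDs does a bare, unauthenticated request get a 200 for?"""
    return [i for i in ids if fetch(i)[0] == 200]


if __name__ == "__main__":
    ids = range(1000, 1005)
    print("no access check :", sweep(fetch_sequential, ids))
    print("token or public :", sweep(fetch_with_token, ids))
    good = link_token(1002, "bob@example.org")
    print("requester's link:", fetch_with_token(1002, good)[0])
```

Running the same sweep against a staging copy before publication is a cheap check that every 200 corresponds to a document that was actually cleared for release.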
Edit: after a few days you realize that the trash on your curb shouldn't have been there. Then you raid the trash company because your brother is a cop.
Making a mistake doesn't revoke someone's property rights.
This is a non-sequitur, nobody is saying anything about anyone's property rights being revoked.
The teen asked for access, and the content owners, via the permissions they had configured, granted it. Sure they can later decide that this was a mistake, but that doesn't make it theft for the teen to have asked for access.
They made a mistake when configuring their web server. It's obvious that this was a mistake because some of the documents contained private information from Canadian citizens.
Per the tech article, it was an open archive of public documents that the government published periodically. The reasonable assumption is that the files were all public, and there's no reason to suspect the teenager in this case thought otherwise. The fact that ~3% of the files weren't properly redacted (whatever that means) is hardly "obvious".
> Making a mistake doesn't revoke someone's property rights.
Let's keep things constructive please.
It doesn't matter if we're talking about physical property in the real world or virtual property on a server.
Leaving your property on the curb is a good example. If someone takes it, you would be hard pressed to get it back from a legal standpoint.
This is very similar. The government left all those documents on the curb.
But there weren't in this case. The express purpose of the site was to make that information publicly accessible. If you leave stuff out at your curb with a sign that says "Free to all takers", and someone takes something you didn't mean to put there, how are they supposed to know you didn't want them to take it?
This is the big problem here. There's no way the Freedom of Information Act in Canada is written the way it is because of the democratic wishes of Canadians. Every day our government moves further away from governing according to the will of Canadians and more toward the will of.....I don't even know. Saying it is the will of politicians doesn't explain some of the strange behavior we've been seeing in this country for quite some time.
If our fate is to ultimately live under a quasi-dictatorship masquerading as a democracy, then so be it, but I wish we could just be honest about it. This objectively false "Canada is a democratic nation" claim is infuriating to me.
That’s not even true. Trespassing requires that you be told not to be on the property, that’s why people post signs. You can’t be charged with trespassing because you went hiking and wandered onto unfenced land with no signs, it doesn’t matter if the dumb owners thought nobody would ever hike over there.
I’m an ordinary law-abiding person, and I fiddle with URLs. I know lots of people in that group.
It also doesn't take a computer whiz to use DownThemAll to enumerate URLs and download them all. They even have a dedicated function for this!
Yes, one does have to have some computer literacy to be able to do that. No, they don't have to be out of the ordinary.
Incrementing URLs by hand is one of the ways I learned about how the internet works, as a young kid. Kids are curious. This is normal behavior!
I remember a teacher yelling at me for trying some slightly advanced features in a hardware design language. I was really proud I could implement something I didn't think possible, but her reaction was along the lines "Do you want attention? Why can't you just stay quiet and do what the rest of the class does without showing off?".
Stifling creativity and curiosity, especially in children, encouraging them to be mediocre "like ordinary people" is disgusting and counter productive.
> Aaahh, he crashed my computer!
Went the teacher. Which then swiftly closed my unsaved document. 15 minutes of work, gone. As well as any remaining trust I had for her. I had done something unexpected, and she was afraid.
I don't think I was quite able to articulate it at the time, but she would have made a fine witch hunter. I do recall a sense of unpredictability though, and reminded myself not to step on that tiger's tail ever again.
It's not a technical shell game. If you asked your mom, "hey, do you think they meant to have people be able to access those documents, where you can only get to them by editing numbers in the URL," she would say "no." That's what defines what is legal or not in this context.
If you asked your mom, "Am I free to access all the public-facing information on the Government Freedom of Information server", what would she say? The technical details of how to make the connection are irrelevant. My mother doesn't know how to connect to a BBS, does that mean that anyone accessing a BBS is breaking the law?
No, she would say "I don't know what you're talking about, can you put that in plain English?" And then you could get her to give any answer you wanted by phrasing the plain English appropriately.
Good thing computers use unambiguous protocols to communicate explicit intent.
> If you asked your mom, [...] That's what defines what is legal or not in this context.
I'm really terrified of a world where the law is made by asking laypeople what they think. Just like we don't define borders by asking random strangers on the street where countries are, I don't see how it's a good idea to define laws for technical services and protocols by asking people who barely understand computers what they think.
That's complete nonsense. I've often changed a URL because it didn't work and had a typo. It's right there at the top of the web browser asking everyone to fiddle with it. If you were right, the URL bar would not be editable in web browsers, so you should be complaining to Google, Apple, MS, Mozilla for leaving this criminal-use-only feature so prominently on their products.
The only people here are the teenager and the property owner. And the intent that matters is the intent of the property owner. Did the property owner intend those documents to be publicly accessible? Would a reasonable person have assumed that those documents were not intended to be publicly accessible, because they could only be accessed by editing a URL?
You post often enough on this topic that we all know your position, before you post. Consider, if you will, whether your preferred position is one that will lead to improvements. I posit that it will not. Your position, if adopted, would lead more faceless totalizing organizations to amass, against our will, more of our personal data, and to be less careful stewards of the same. We have far more to fear from those organizations than from 19yos.
What a computer does may be evidence of intent, just as a lock (or lack thereof) may be evidence of intent. But just like an unlocked door is not evidence of intent to make something accessible, neither is an unlocked computer.
> Consider, if you will, whether your preferred position is one that will lead to improvements.
The Internet belongs to ordinary people, not folks who have read the HTTP spec. (It's their world, we just live in it.) "Improvements" will be had when the rules comport with what ordinary people want and expect. Ordinary people don't think about computer security; they expect that, like in the real world, people won't go into places that don't look like they're meant for the public just because there's no locks to prevent them from doing so. The law should reflect those expectations.
Laws exist to create social norms. HN users are preoccupied with data security, but ordinary people hate security measures and are bad at it. So it seems completely backward to me to codify in the law the idea that accessing data should be presumed to be permissible just because the owner of the data didn’t secure it.
Very few "ordinary people" would describe websites as "places", anyway. They don't say they're "at" Facebook, they say they're "on" it, much like they could be "on the phone" or "on TV". Maybe this hasn't always been the case, but the courts aren't tied to 1990s-era metaphors. No one on a jury remembers those silly "Welcome to the BatCave, Come on in if you Dare" geocities pages.
Incidentally, Facebook and its ilk hold ordinary people to much more complicated standards of behavior than those to which you and they would hold sites, all the time. Oh, you didn't read all 50 pages of TOS and then update the (hidden) configuration, every week? Silly user, that's why we gave all your data to the English!
Meanwhile, you don't think Facebook should have to understand how HTTP works, just because one person working at the company might not. Interesting, that the benefits go one direction and the duties go the other.
In the physical world, one can accidentally walk into a room they shouldn't have, perhaps mistaking it for the bathroom, and then leave without having committed any transgression. Entering a room you shouldn't be in doesn't mean you've automatically taken the contents of the room. On the internet, however, visiting a URL means just that. There's no "oh, it looks like I shouldn't be here" opportunity.
URLs are not doors. They aren't rooms. The same reasoning can't be applied to them, as they behave in fundamentally different ways.
If those sensitive documents were on a _public_ website intended to be browsed by the _public_, who presumably did not require authentication, and the documents did not cause an “Authorization required” response when accessed, it feels rather totalitarian to treat that as a crime.
Most of the metaphors I’ve seen about this are not fitting. As excessive as the barrage of metaphors may be, allow me to add my own:
As part of a free treasure hunt, a person gives you the address of their house and says, “Whatever is not locked up is fair game for you to look over, take photos, or copy.”
You go there and have a great time. Then the homeowner has a fit because you discovered a hidden cellar full of pornography, which was apparently off limits but the door was inadvertently left unlocked. Now the homeowner is charging you with breaking and entering, saying you should have known better and it was common sense.
The answer, even in the realm of physical property, is clearly not 'never', so where is it, and what leads you to believe its threshold was not crossed here?
The law is that the onus falls on the owner or their agents at the point where a reasonable person would not be able to infer the scope of the implied license from the circumstances.
I posit that a reasonable person (not an HN reader) would infer from a document being only accessible by editing a URL that it was not intended to be publicly accessible.
Do you view 'a HN reader' as a reasonable representation of someone skilled in the art [of creating and serving websites]?
Unless I'm missing something, the only conclusion that I can see following this line of reasoning is that skill in the art is inversely proportional to a person's 'reasonableness' in this matter.
If a quorum of experts are coherently proposing that certain actions are reasonable, even if you find them distasteful, at what point is 'reasonable' no longer reasonable?
For what it's worth, despite sounding like a rhetorical question, I am truly interested to know your thoughts on that last matter.
People on HN are not representative, because they know about computer security and HTTP access codes. We don’t live in a world where those people get to make the rules. We live in a world where the rules are set by reference to ordinary people. My mom gets to set the rules for what’s “reasonable” (what are the social norms everyone has to follow). Not you or me.
My point is that a reasonable layman would assume that if a document was not linked or indexed from a public portion of the site, it was not meant to be accessed. That makes sense, because if the document was meant to be accessed, it would be made accessible in a way a reasonable lay person would know how to access it.
And others point out that editing a URL to increment an ID which is obviously sequential is absolutely a reasonable way of browsing the web. That doesn't mean a lay person has to know how to do it, but that they wouldn't think anything criminal was happening if they watched someone else do it.
An ordinary person would infer from accessing a url and receiving information, that the information was intended to be public
It might be hard to prosecute, but just because I invite you over to my house I have absolutely not granted you permission to enter any room you want.
If you, for example, went into my office and started rifling through my file cabinet that would be a huge invasion of my privacy despite the fact that I (like many people) do not have a physical lock on my office or filing cabinet.
there are also PDF and epub versions if you google for it.
> If the information is not supposed to be public, it should not be reachable without authorization or authentication.
I don't lock my car, and often not my house either. I don't think that means you should be able to snoop around and see what interests you. Websites are private property. It is obvious what parts you're supposed to see and what parts you're not supposed to see. You should be able to prosecute snoops as an alternative to locking things down, as you would with any other private property.
Your car, presumably, is not offered as a public resource.
This is silly. Your door analogies have no place at all.
A great many websites work this way.
Unless you’re injecting metacharacters into URLs, or requesting AAAAAAAA * 65535 followed by shellcode, changing parameter values is using HTTP exactly as designed, and a well-formed request has many possible error codes for the exact purpose of letting you know what you are allowed to access.
It’s perfectly normal for people to alter URLs. The fact that people who are unfamiliar with URLs don’t do that is irrelevant, and you could say the same for any subject. Just yesterday I changed lat= and lon= to get a NOAA forecast. Is that snooping or hacking? How about when we change the integer at the end of an XKCD comic to view another one without previously confirming there is a hyperlink somewhere?
At least in the Weev case, people could take his IRC logs out of context as well as argue the fact that it was plainly obvious that the server was misconfigured and he was seeing content that he should not. But getting a response when incrementing an integer, generally speaking, does not mean you are viewing something unintended for you. When you are downloading public documents, it would be entirely unreasonable to assume that the material was non-public.
Also, take a step back to really think about what you are advocating. Is society better off by ruining this kid’s life? It blows my mind that someone even remotely technical can think this particular case is a good use of the justice system, or can even compare it to someone snooping around their neighborhood and trying their doors.
Doesn't seem obvious to me. So now I have to check for a specific anchor to a URL to see if a URL is considered publicly accessible?
Here's a better analogy; you put up a "yard sale" sign in your front yard, fill the driveway with property, and then call the police on the first person who shows up claiming they are trespassing.
A public web page is no different. A reasonable person would not assume that content you can only get to by editing a URL manually is supposed to be accessible to the public. A typical person would not even know that you can do that. Those typical people are the ones that get to set the rules, not hackers.
Websites are not only meant to be accessed by humans either. Are you telling me that bots should employ human reason to guess what should be viewed or not?
I'm not even sure what you're proposing. The web has always been public space.
How about if someone takes the url, and doesn't view it, but posts it on some other website with high traffic. Now all people that click the link have broken the law?
A reasonable person could totally use crawlers like DownThemAll, and fail to notice that some URLs they request are not, in fact, accessible by clicking through a web page. That's different from accessing something you know isn't accessible by mainstream means.
I did that several times to download some porn. The process is simple: search for whatever I'm interested in in a search engine, click on whatever image looks interesting, see if the URL has numbers I can modify to access nearby images (they will have hopefully the same theme, or even depict the same scene).
The first URL was clearly publicly available. I got it legitimately through a search engine, or by clicking around. How am I supposed to guess that some of the others are off limits?
It's really not a reasonable comparison.
or to the owner of the car!
How else shall we force problems like this to be fixed?
Not quite. The test is:
> Everyone is guilty... who, fraudulently and without colour of right, obtains, directly or indirectly, any computer service (including... the storage or retrieval of computer data)
The Crown can argue that the documents were retrieved/obtained using manipulation of the server (since the public URLs were manipulated to find non-public URLs.)
It's not clear if the links to the documents with sensitive information were public or not. Yes, it's absolutely stupid to have security by obscurity, but from a legal point of view abusing someone's stupidity may look like a crime. The story, while sad, doesn't look black and white to me as CBC tries to paint it.
I'm looking for something other than "donate to the EFF [or equiv.]" ideally though; I'd prefer to donate directly to his legal fund, or even do some legwork myself that will help, etc.
And ideally in a way that not only helps him, but that helps prevent these situations from occurring in the future -- i.e. working towards law change, influencing prosecutorial discretion (meh), etc...
Talk to your law enforcement agencies about computer crimes.
Write and talk publicly about the issues.
But if it is anything like here in Australia (we are both Westminster systems) then this does not mean the government is held accountable. Judge appointments are assumed to be fairly neutral and it hardly ever comes up at election time.
Sometimes you get Freedom of Information Act information because you got an individual's consent to release information that would otherwise not be released (e.g. something about your spouse/family member that consented to the information not being redacted).
Perhaps the same portal handled Privacy Act requests where people requested their own information that the government holds.
Basically all possession laws (really all laws in general) require some sort of knowledge and intent. Just like you can't be convicted for possession of drugs if they were stuck to the bottom of your shoe when you came out of a club (don't actually try this), you can't be convicted with possession of illegal digital material if you weren't aware you were in possession of it.
I did digital forensic work at an old job and one of the cases was someone who liked to indiscriminately download huge amounts of porn off dodgy p2p applications. We found gigabytes of indecent images of children, but no searches in the p2p application for commonly used IIoC terms, and no evidence that he'd either opened the folders containing the IIoC or actually viewed any of it. Police gave his hard drives back (after wiping them ofc) and let him go.
I wouldn't be concerned about his 4chan backups, any lawyer will be able to get him off the hook for anything illegal in there provided he hasn't actually opened it.
Clearly not all laws in general: https://www.npr.org/templates/story/story.php?storyId=188420...
Yes, that seems extremely exploitable. No, I don't know if anyone has ever weaponised child porn this way. I wouldn't be surprised if it happened (and worked) though.
That is a haunting reflection of the state of affairs with regards to information and laws regarding information. Criminalizing the mere possession of information should be a tool only of the despotic and/or idiotic.
Of course, these clowns left "private" information accessible by public urls without identification, so we know that they're at least idiots.
CP would not be unlikely even if he just archived "safe" boards like /a/, /tv/, and /g/.
There's plenty of good discussion as long as you stay away from /b/, /v/, and the porn boards.
/diy/ always has interesting projects. /g/ seems to be the one tech board on the internet that takes consumer privacy seriously (Even HackerNews seems to give Microsoft a free pass in this regard)
I'm hoping Canadian laws treat this differently but if he were German and they found anything like that in his archive, he'd be facing child pornography possession charges.
Intent and knowledge of the illegal material of which you are in possession could easily be a requirement.
I'm no lawyer, but archiving the internet is hardly illegal.
Tell that to the part of the law enforcement that decided to arrest this kid for accessing a public website.
30TB is a stupid amount of anything for any one person -- I've always used wayback if I wanted to see an old page
I had a lot of things saved through Instapaper right from its inception, but I stopped using it regularly and one day when I went back I didn't appear to have anything saved anymore.
Since then, I've been much quicker to download things I might want in the future. Storage is cheap, archaeological effort is not.
Aaron Swartz faced a longer prison sentence than most murderers within the US, and the sentence for murder in almost any other country in the world.
Common sense has completely gone out the window in both policing, and the criminal justice system.
Was anyone injured? Did anyone suffer financial loss? Fear to self? Any form of significant damage at all? The answer to all the previous questions is a definitive and resounding NO!
When I contacted Seattle to tell them what happened (of my own will), the conversation quickly turned to a point where we had to get lawyers involved. Basically, they told me that if I agreed to have Kroll scan my hard drives to prove that I deleted the records, then they would give me "legal indemnification". They eventually agreed to accept an affidavit that I deleted everything, and had to wipe TRIM and that I wrote a script to confirm deletion to the effect of, "grep -r $FILES_HEADER_FIELDS /".
One part that led to such a strong action by them was that they didn't see in their logs how I downloaded everything and thought that I found a backdoor to download all of their emails. They had some annoying rate limiting that prevented too many files from being downloaded at once, so I copied the files from the page's source, then ran a wget against everything. Since the files were being downloaded from S3, their webserver logs didn't include most of the downloads, which led to some suspicion.
Funny enough, Seattle told me it would cost $32m and 320 years of employee salary, but I ended up sending them $40.
It just blows my mind.
Good for you for not having to deal with Kroll.
The government made no reasonable effort to conceal the information and put it on a _publicly accessible_ web server. They made the information available to the public whether or not that was their intention. How can any reasonable person conclude that typing in an HTTP url qualifies as an illegal breach?
I just can't comprehend this at all. To even describe it as a "breach" is inaccurate -- the real headline is "government publishes data they hadn't intended to".
for i in `seq 1 7000`; do
This API was supposed to be private and yet supported trivial enumeration?
Relying ONLY on obscurity is a failure.
EDIT: I'm mostly kidding.
If you know the hash, you likely already know the file.
Cryptographic hashes aren't random by nature.
Edit: even if they aren't PDFs, you can feed the content to the hash function.
With a hash it’s more expensive to compute the ID, but you get advantages such as content-addressability, data integrity without trust, and easily mergeable databases. It’s a good amount of bang for not much more buck.
At the cost of leaking more metadata in the ID, by including a checksum/namespace, you can recognise a valid ID or determine the type of object it refers to without fetching anything from storage, mitigating some DOS attacks.
IDs are a subtle thing, and in my experience, often overlooked as a design issue. A lot of times it ends up as something like “id integer primary key autoincrement” without any thought.
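An added example (not from any commenter in this thread) of the ID scheme discussed in the comments above: a content-hash ID that carries a namespace prefix and a checksum, so malformed or guessed IDs are rejected before storage is touched. The key, the namespace letters, the field lengths and the use of a keyed checksum (HMAC) are assumptions made for the illustration.

```python
import hashlib
import hmac

# Assumptions for this sketch: demo key, one-letter namespaces, field lengths.
ID_KEY = b"constructed-demo-key"
NAMESPACES = {"d": "document", "a": "attachment"}  # hypothetical object types
DIGEST_HEX, TAG_HEX = 32, 8  # 128-bit content hash, 32-bit keyed checksum
HEX = set("0123456789abcdef")

def _tag(prefix: str, digest: str) -> str:
    mac = hmac.new(ID_KEY, f"{prefix}:{digest}".encode(), hashlib.sha256)
    return mac.hexdigest()[:TAG_HEX]

def mint_id(prefix: str, content: bytes) -> str:
    """Content-addressed ID: <namespace>-<content hash>-<keyed checksum>."""
    if prefix not in NAMESPACES:
        raise ValueError("unknown namespace")
    digest = hashlib.sha256(content).hexdigest()[:DIGEST_HEX]
    return f"{prefix}-{digest}-{_tag(prefix, digest)}"

def parse_id(object_id: str):
    """Return (object type, digest) for a valid ID, else None. No storage I/O."""
    parts = object_id.split("-")
    if len(parts) != 3 or parts[0] not in NAMESPACES:
        return None
    prefix, digest, tag = parts
    if len(digest) != DIGEST_HEX or len(tag) != TAG_HEX or not set(digest + tag) <= HEX:
        return None
    if not hmac.compare_digest(tag, _tag(prefix, digest)):
        return None
    return NAMESPACES[prefix], digest

class Store:
    """Toy backing store that counts how often storage is actually touched."""
    def __init__(self):
        self.blobs, self.lookups = {}, 0

    def put(self, prefix: str, content: bytes) -> str:
        object_id = mint_id(prefix, content)
        self.blobs[object_id] = content
        return object_id

    def get(self, object_id: str):
        if parse_id(object_id) is None:
            return None  # rejected on the ID alone, before any storage access
        self.lookups += 1
        return self.blobs.get(object_id)

def demo():
    # Constructed sample: one stored document, then 7000 sequential guesses.
    store = Store()
    real = store.put("d", b"constructed sample document")
    hits = sum(store.get(str(i)) is not None for i in range(1, 7001))
    return store.get(real), hits, store.lookups
```

Unguessable IDs only stop enumeration; records that are not meant to be public still need an authorization check on every request.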
Why are the cops allowed to do this? Why do you have to be "rescued" by your lawyer in order to not be questioned by the police without legal representation? Not sure how it works elsewhere but the cops badgered the fuck out of me until my lawyer finally got to the station and chased them out. So, if I was a 13 year old on the way to school and thrown into the police car, they could just do that until I crack?
If it's publicly accessible, it's public information. Obfuscation doesn't count!
The fact is, it is the organization who published "personally identifiable information" on the public internet who should be punished - and, in any case, criminal law is not the tool to do it. The kid who incremented a number in a URL to download that information is not the bad guy. What if the kid was not Canadian? Are you going to try to extradite a Russian national over accessing information on a public web server?
When a server announces to the world that it can answer HTTP requests, making a reasonable number of HTTP requests is, to me and most technologists I know, authorization (and thus, should be seen as with colour of right or non-fraudulent). The fact those HTTP requests released data he was apparently not entitled to is a security issue, a bug, a problem to be paid for by the actor who manages the HTTP server, not a problem of law. Unfortunately, this section of law has not been used often enough to clarify to me the interpretation of those words.
Here are some follow on questions:
- Why was there "personal information" in FOI releases? Surely a FOI release was intended for the public, as that is the intent of the act. Whose fault is it that there was undesired information in the releases?
- How do we get this law changed? As the law is written, it hangs on the words "fraudulently and without colour of right" - the rest of the clause is incoherent babble of a 1985 technophobe.
One that goes through the ISP and one that goes out over a proxy.
I haven't found a solution just yet. I guess a raspberry pi with iptables and routing based on device ID could do the trick too.
I run two tinyproxy instances on my home server and I point all browser traffic to the first instance. The first instance runs with the default routing table on port 8888 and has entries like upstream localhost:8889 ".somesite.com". The second instance, which runs on port 8889, is run with the VPN as default route (I use setfib under FreeBSD).
With this setup, traffic goes by default directly on the net, but the tinyproxy config file can be used to redirect some traffic through the VPN.
Of course, you can do it the other way around to have traffic by default on the VPN and direct some traffic.
If you want to route all traffic to a vpn for a specific machine, you can use pf rules to forward an ip through another routing table.
There are a couple of other things on my todo list still. Such as easier switching of VPN node (current method is to ssh in and restart OpenVPN with a new config...) and ad blocking.
Hope this can help you although it's still a bit immature and quite hacky IMO
I considered using a raspberry pi, but I'm not sure the range is ideal.
It’s a shame that police departments think these “shock and awe” tactics are even remotely appropriate for dealing with non-violent suspects.
Many nonviolent actors involved in cybercrimes have prepared killswitches or some other manner of instantly burning everything to the ground if you give them enough time to react when you show up with a warrant.
Perhaps the lowest-bid contract company that made the site decided to use something like amazon glacier for storage of boring documents nobody will ever need. Then along comes someone that causes them all to be extracted at great cost, some middle manager receives a bill for $millions and wants to blame the kid rather than his own failings.
that would make its own interesting information request. you probably couldn't directly ask "how'd you find him out?" at this point, but you could ask for maybe IT costs per month over the last X months broken out by organization the money was paid out to.
also possible (probable, even, in my mind) he just crawled too hard, the machine was slow, and the folks in the office working on it complained. (god only knows how much processing the service does behind the scenes when a PDF is requested. for all we know it is being reassembled from tiffs of individual pages every time.)
Conrad said the breach was detected by a provincial employee, but it was a fluke.
“The employee was involved in doing some research on the site and inadvertently made an entry to a line on the site — made a typing error and identified that they were seeing documents they should not have seen,” Conrad told a technical briefing.
Based on what little I've read thus far, the teenager does indeed seem to have good intent. If that's the case, I'm cautiously optimistic that the court system will set him free without any consequences. But if the prosecution can prove that he was aware of the data's confidentiality and was acting with malicious intent, then he deserves a conviction. Let's let the legal system run its course, before gathering our pitchforks.
The kid sent a request to the server for a document and Nova Scotia's web server graciously provided the content with a "200 OK" response code. The Nova Scotia government doesn't know how the internet works.
Well, I did give 2 different analogies, and without knowing more specifics, I'm not taking a stand on which analogy better fits this case. Depending on the specific design the government used, and the steps the teenager took to access the content, either analogy could be applicable.
> "Rather than scapegoat the kid, the government should be investigating themselves for criminal negligence."
That's a false dichotomy. Investigating government officials for negligence shouldn't preclude prosecuting a (hypothetical) malicious hacker.
Not at all clear that files on a public webserver look very much like a private house.
The internet is public by default.
I don't like this but I think it's how it legally could play out.
If I sent them a dead tree letter requesting a document and they replied with a copy of that document, would you consider this the equivalent of going into their house and taking their TV?
URLs have no way to classify them into legal and illegal ones. You can propose a plan to w3c and to government to mark URLs with string 'illegal' in them, if they are illegal to visit without special permissions. It will make them distinguishable from legal URLs, and then it would be normal to charge for visiting illegal URLs. But this rule should be a widely known social norm, not a local rule of some site hidden on some obscure page that is easy to miss.
It would be logical to assume that as the files have specifically been made public via HTTP then no laws are being broken by viewing them unless a warning message appears saying otherwise.
A closer analogy would be two tables out the front of your house covered in fruit, with a sign saying "Free Fruit" on one table and then expecting people not to take fruit from the other table.
Some questions. Is the website still online? What happens if every Canadian downloads the files?
What a dystopia. Do we only have one part of the story, can the situation really be as bad as depicted in the article? This is atrocious.
Edit: And where is the case against the people in the office who put the sensitive information of others into public view, (assuming and against the law), the actual perpetrators of an actual crime?
The subcontractor of the site fucked up and they're blaming this kid.
The reason I felt confident to do this was because there was no access control on the files and I'd reported it to PUBG Corp, with the bucket remaining public weeks later.
Before people are punished for downloading unprotected information, the person who left it like that should be hauled up in front of the courts.
It never occurred to me I might be committing a crime.
It's likely then that he's gotten some "bad" stuff without him really knowing it. The police will search through his files, find the bad stuff, and charge him with some sort of possession/accessing/downloading charge.
Life = ruined.
For the UK, you can find out more information about the specifics of this from the data protection act, which includes clauses about FOI requests.
Kid: "Hi, what is the personal info in that file?"
What they should say: "You are not authorised to see the contents of that file."
What they actually said: "Sure, here's all the information in that file."
He downloaded loads of national agencies' confidential documents, because they were available on Google.
However, he was sentenced (3,000€ fine), because when he explored the website, he arrived on a connection page, thus realizing he should not have accessed these files, but continued anyway.
I just hope for the teenager that he did not encounter any login page in his search (which seems unlikely because he used a script).
(in French): http://www.maitre-eolas.fr/post/2014/02/07/NON%2C-on-ne-peut...
Calculate the cost of the 15-officer raid plus prosecution plus the damages to the teenager and repeatedly bash it over the head of the responsible officer in the next election. This is how to deal with this shit in a democracy. Even if people are insensitive to someone else's freedom they are sensitive about their money.
edit: the other parallel, IIRC, was that part of the web site was kept private. But the user found the audio by navigating to a parent directory which was apparently open to the public:
> Essentially, aides opened the Web address, or URL, from one of Schwarzenegger’s speeches and lopped a few characters from the end of the address. That yielded a directory of audio recordings.
Web pages contain loads of URLs. You can't tell if you have the right to access the content behind it. The URL itself is simply an address to something - or nothing (404).
Having an ID in the URL is a compact way of signaling a huge list of URLs.
Thus, the kid simply followed links published on the website.
There could also be other RFCs covering our usage of the internet, and our expectations of what our rights are as internet users. Or perhaps stick that all in one "definitive" RFC.
From the article, he’s been charged with “unauthorized use of a computer”. IANAL but there would seem to be at least two possible interpretations of this charge, and the “Summary Election” variant has a MAXIMUM punishment of $5000 fine or 6 months. The other interpretation “Indictable Election” is a maximum of 10 years.
As with any case, details matter. Judges aren’t just sending every hacker to prison for 10 years. He may be judged not guilty (evil intent must be proven; then there’s his age, etc.), or given a way, way, way smaller punishment than this “prison” he “faces”.
The kid in this story just incremented sequential IDs on what was supposed to be public information.
> "The website had a number at the end, and I was able to change the last digit of the number to a different number and was able to see a certificate for someone else's animal that they adopted," he said. "I thought that was interesting."
He's like, 20 years ahead of his classmates.
You guys don't really have a clue about what the Internet is.
Anyone could have viewed the posts on the board one by one; he just copied them all at once for later viewing.
1) Formal methods and cryptography
Looks like they chose the latter.
Then quietly fix the vulnerability.
Instead they produced a PR disaster by disrupting the lives of a law-abiding family.
These are signs of arrogance and incompetence of decision makers at that government department.
I wonder how many other people found the same thing and slurped this data down in a more circumspect way before this kid was kind enough to expose this privacy breach for us?
The only thing about this article that didn't irritate me.
The only part of this article that didn't irritate me.
Mandatory xkcd: https://xkcd.com/932/
Isn't the Google logo an image? Smells a bit fishy to me.
He estimates he has around 30 terabytes of online data on hard drives in his home, the equivalent of "millions" of web pages. He usually copies online forums such as 4chan and Reddit, where posts are either quickly erased or can become difficult to locate.
"I preserve things, I archive the internet. I have history on my computer, and all of that should be saved and preserved," he said.