As a Canadian, reading this article made me angry. If the information is not supposed to be public, it should not be reachable without authorization or authentication.
Never mind a curious 19-year-old, there are tons of crawlers and indexers out there that attempt to enumerate URLs where they think there might be other content.
Shame on them for building a poorly secured site, but even more for trying to railroad a curious kid who made them look stupid.
If some of those documents weren't appropriate to be viewed by the general populace then the company was criminally negligent in their handling of the data, the "hacker" saw an open door with a sign reading "free information" on it and didn't know any better before running a crawler over the documents to grab them.
It’s ageism but at this point I’m pretty convinced old people should be term limited from office
The problems we seem to be facing are almost entirely due to their inability to move on
Youth shouldn’t spend their lives kowtowing to geezers that quit thinking and are simply peddling what’s become etched in their neurons and “the rules”
The problems here are the usual problems within governments: venality, vanity, laziness, posturing and a certain bureaucratic indifference to human life. Which are traits well established among young and old alike.
Age isn't what's keeping anybody from understanding the technical issues here, either. A computer isn't some kind of magical oracle that only reveals its secrets to the young. Peel back the layers and I'll bet you $100 CAD it boils down to a failure of the institutional hierarchy and the communication therein. With uninformed-electorate-flavored sprinkles on top.
Young tech nerds rarely get voted into office because very few of them have done enough living to be able to assemble a coherent vision of reality and a way forward for an entire, let's say province. Don't get me wrong, a lot of successful older politicians do a shitty job of this too. But anyway, anyone who can do all that, or fake it well enough, quickly finds that messing around with computers is below his pay grade and not worth squandering his attention on. But they will still presumably have such people in their organization somewhere, and should be able to get from them a summary of WTF's going on and why.
EDIT: I guess what I'm even further saying is that this is yet another example of what's become a mantra of mine lately: The missing ingredient is almost never tech and almost always leadership.
The problems is with humans, you have those problems in courts, companies, charities, churches, clubs and small gatherings of people. The only protection we have against it is to recognize that this will always happen and strive to correct it before and when it has happend. I feel this is a closely related to Meetoo, you need to able to ask for forgiveness, but often the people accused never really get what they have done wrong and belittle their actions.
Not Canadian, but I expect this teen to be let off completely free.
I write this as I'm trying to recover my wife's website by scraping archive.org and respecting various 400 & 500 level errors.
Resource depletion from overpopulation aside, the lack of social progress we will see once we manage to extend life to the point of immortality is one of the more depressing outlooks I can imagine. Old ideas will never die.
Federal Government ministers all have their phone bill summaries released as part of public record with private information removed.
The contractor redacted the phone numbers in this instance by changing the font colour to white (same as the background) in the PDFs uploaded to the government disclosure website. So if you exported to text, or highlighted text, the phone numbers were clearly visible.
So most federal members of parliament, the former prime minister (Australia's equivalent of president) and opposition leader all had their numbers leaked.
>Federal Government ministers all have their phone bill summaries released as part of public record
I see what you did there.
"It’s very clear that the software is intended to serve as a public repository of documents. It’s also very clear that there at least 250 documents improperly stored there by the province. Documents that the province had a responsibility to protect, and failed."
Do you jiggle door handles out of habit to see if they're unlocked? It's antisocial behavior. If you were supposed to have access to that document, it would be accessible from a link or search box on the main site.
So while going to the filing cabinet to get the file he'd been directed to, he leafed through other files too. Why not? They're all public information, since they're sitting here in the unlocked filing cabinet with all of the other public information files.
Turns out some of them were mislabeled, and were private information in the public information filing cabinet.
Not so weird, not so antisocial, not his fault, shouldn't be his problem.
Sure, it'd actually be like checking out every book in the library, but this is the age of the internet and it's an insanely useful skill to learn how to grep large amounts of text.
IMO this looks like a company that did a poor job trying to cover their mistake by blaming "those hacker folks". I don't think it's inappropriate to confirm the kid was acting without malicious intent, but the subcontractor who setup the security for this site needs to be investigated thoroughly.
You don't seem to realize how bad of an idea this is. You're talking about making criminals of people. You know, I think I remember once reading about how chrome would try the address you type while you typed it (i.e. before pressing enter, it'd make a request for every character you typed). Users of chrome could become criminals because their software would do this.
Best analogy I can think up is an automated free vending machine, with a row covered up by a piece of cardboard. If you don't want someone drinking the cokes on the hidden bottom row, why did you put them in the machine in the first place?
If the response code is 200, it's OK. The response code (not to mention the transmission of the file) is literally permission from the system to have the resource.
If you don't want someone to come in your door, don't put up a sign that says "come in."
If you don't want someone to see a resource at a URL, don't send them a 200 response code or serve the resource. That's the convention for the web.
This conversation has devolved into arguing against the analogy. This is the internet: everything on it is public unless care is taken to make it not so.
You may choose to argue whether or not that should be, but that's the way it is.
The Internet should be treated the same. Anything put on the Internet should be presumed to be public unless there is some indication to the contrary.
In this case, most of the information he accessed was clearly intended to be public, so there was no reasonable way for him to know that there was some private information improperly co-mingled with the public information, so he can't be faulted for not realizing that he shouldn't have accessed some of the information.
Elsewhere in this thread, people have pointed out that Google has crawled (and cached) at least some of the pages that were supposedly criminally accessed.
Edit: I mean not the act of listening, but the act of storing unlicensed material
But no, it shouldn’t be illegal. Yet what he said still completely applies to stuff like fiddling with ids on a site where you suspect it might lead to content you shouldn’t be able to access
Unless you’re whitehatting and plan to inform them of the security issue (probably anonymously because the world is fucked up and whitehatting can lead to jail time -_-)
Just because what you're doing is legal, doesn't mean you're not an asshole
The kid got documents on a public facing server. He did nothing wrong.
The blame truly lies on the government for allowing such porous security. They should be glad a seemingly benign teenager discovered their flaw and not some more nefarious actor.
A terms of service can not define law, but it can make explicit what data a provider is authorising a user to access.
"The Access to Information website allows you to submit, pay and receive FOIPOP requests online. The Nova Scotia Government also posts responses to formal FOIPOP requests online on the Disclosure log. This is a free public repository of FOIPOP responses that have been approved for publication and have met a specific set of criteria (PDF file 800 KB)."
That's what a url with an id in it is
Should you not have the freedom to type what you want into the address bar of a browser?
It implies the exact opposite. The owner may have intended it to be private, but making it publicly available, without security checks on a publicly accessible server, implies the property owner intended for people to access that property.
This is like going to a library, asking the librarian if you can check out a book, being told yes, and then later being arrested because they meant to say "no".
I think the real question here is: did the website provide enough information for the user to have been assumed to understand that what they were accessing wasn’t meant to be public (e.g. did the door look like a door to a private property)? And did the user cease to access the data once they understood it (e.g. did they close the door and leave)?
> In computing, a hyperlink, or simply a link, is a reference to data that the reader can directly follow either by clicking, tapping, or hovering. A hyperlink points to a whole document or to a specific element within a document. Hypertext is text with hyperlinks. The text that is linked from is called anchor text. A software system that is used for viewing and creating hypertext is a hypertext system, and to create a hyperlink is to hyperlink (or simply to link). A user following hyperlinks is said to navigate or browse the hypertext.
The URL in the abstract is not a "link." A link is an element in hypertext.
Whether we like it or not, language evolves. If “literally” can, then literally any other word can too.
That's in a nutshell what happened
The employees who work there have access to all information. Why wouldn't they? They work at the information bureau.
They also answer all questions. Why wouldn't they? They work at the information bureau.
You walk up and ask questions. You get answers. Three days later, you're arrested for knowing state secrets.
Do you see a possible problem with this arrangement?
They are, in essence, trying to redesign the nature of the Internet by fiat.
Historically, accessible resources are accessible. Public by their very nature. If you don't want them publicly accessible, implement (effective) authentication.
But this is far too much "trouble" for self-important, "do it my way" lawyers and executives.
So, they "define", or redefine -- in a pure fiction of language -- what is "public" and "private".
Aside from all else, these... "errors in the system" should be routed around. Denied use of the system.
Unfortunately, in this regard, tech has ended up in the position of working for them, rather than vise versa.
Personally, I won't work for them, anymore. Every thing I do for them, is against my own interests and, I've come to believe, the common good.
Me: I am a Canadian citizen and am rather concerned by what appears to be increasing online censorship and erosion of privacy rights in Australia and the UK. If it can happen there, it can happen here. I'd like to do my part to ensure that we can effectively oppose bad public policy when it's proposed in Canada. I deeply respect both the EFF and the ACLU for their work in the United States, but I'm not familiar with equivalent organizations for Canada. Do you have any suggestions as to where should I be sending my holiday donations?
Michael Geist: Thanks for your note. There are several groups in Canada that do great work on these issues:
1. CIPPIC - the Canadian Internet Policy and Public Interest Clinic (cippic.ca). I founded this tech law clinic at the University of Ottawa, the only one of its kind in Canada.
2. Open Media - based in Vancouver
3. CCLA - the Canadian Civil Liberties Association
4. CJFE - Canadian Journalists for Freedom of Expression
5. BCCLA - BC Civil Liberties Association
All do great work with limited resources.
It's not all domestic oriented, they do a lot of research on internet censorship internationally, and other things that fall into the category of "government interference with the internet".
"The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs, University of Toronto, focusing on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security.
We use a “mixed methods” approach to research combining practices from political science, law, computer science, and area studies. Our research includes: investigating digital espionage against civil society, documenting Internet filtering and other technologies and practices that impact freedom of expression online, analyzing privacy, security, and information controls of popular applications, and examining transparency and accountability mechanisms relevant to the relationship between corporations and state agencies regarding personal data and other surveillance activities."
They helped Geocoder.ca with their 4 year lawsuit: https://geocoder.ca/?sued=1
The BCCLA is top notch if you actually need to win a court case. When they take on a case they don't fuck around, and they have high powered lawyers working pro-bono for them.
the laws are interpreted and applied by powerful people in a way that suits the way they think - that much i think could have been predicted (but not by a teenager)
did the weev ruling surprise anybody other than hackers?
"It's not my fault I left my window open and you took advantage of it. I shouldn't have to keep my windows locked."
"If you see an unlocked window it's not an opportunity for you to take advantage of."
That's admittedly fairly obtuse, but you can see elements of this play out even in this thread, where it becomes a debate about the accuracy of the metaphor and not a discussion of the actual problem. It is so much easier to attack the language than it is to dig out the real concerns and talk about those, so you get a pro and anti situation or semantic nitpicking.
If you agree that the older generation can only think in the metaphorical sense and are practically stuck in the 50s with how they describe it, you also have to accept that it is so far out of whack with reality that it causes continual debate about what actually does reflect the situation and completely detracts from the problem at hand. It is beyond idiotic and it's symbolic of an unhealthy resistance to change.
As an aside, this happens in places like HN and Reddit all the time. A metaphor is introduced into a discussion and it totally derails it, and you're not talking about the source material any more, you're talking about the metaphor and how it can be more accurate. It's like the metaphor is more important than the problem itself sometimes and it's intensely sociopathic, because the linguistics take priority over the humanity.
I think, by and large, people are constrained to thinking about things they can describe. To that extent, being able to accurately describe something is meaningful, and is therefore a linguistic issue.
Semantics are very important when you are dealing with minutiae, and the law hinges on comparisons and extremely complex semantic arguments.
To that extent, it makes sense that we argue about the metaphors.
The web is in many ways a huge collection of resources that reference each other. Some of these references are explicit in links, others in text, and some are available for programmatic access.
In fact many resources can be discovered by programmatic access, and there is no inherent reason to think this is wrong. Just because an API isn't documented doesn't make using it illegal.
For example, many URLs are actually permalinks, you can bookmark them, or send them to a friend. While most websites don't document this API, it's very common.
Lots of people configure search keywords in Firefox by injecting queries in bookmarked URLs. Few of these URL patterns are formally documented, but that doesn't make their usage illegal.
Agreed. There is no inherent or intrinsic reason to expect that any given document or any given URL ought to be restricted. However, a look at the documents could have provided some extrinsic reason to stop looking. For example, if I find a filing cabinet full of classified documents, I will not continue leafing through them after I see the first one. I will stop immediately and notify someone appropriate (after contacting my lawyer). I do not intend to access classified documents.
The question is one of intent. Did the individual intend to access documents that they knew or should have known that they ought not access. If the kid pulled down one classified document, took a look, realized what he was looking at, and deleted it and notified the authorities, then I'm with the crowd. Likewise if they pulled down the entire archive without looking at any of them. I'll be on the front lines with my pitchfork.
On the other hand, if they saw the first classified document, then pulled down the rest of the trove hunting for more, some amount of punishment is probably warranted. Even then, I would say fifteen years is too much. Maybe a few months of time and probation, depending on exactly how much willfulness was on display.
I imagine these are the kinds of questions that will be resolved during the trial.
Per the articles: nothing was "classified", it was an archive of public documents that the government published periodically. The issue is that a small subset weren't redacted properly - but there's no apparent reason the teen would have known that.
It appears that someone simply archived a bunch of documents they reasonably believed to be public information.
The license to access private property is based on the intent of the property owner. Where the intent is made express (through a sign), that governs. Where the intent is not made express, we try to figure out what a reasonable person would infer about the property owner's intent.
The method of access, therefore, is relevant insofar as it tells you about what the owner of the web server intended people to have access to. The fact that content on a website meant for the public to access is only accessible by "programmatic" means that ordinary users would not know, is strong evidence that the owners of the web server did not intend for people to access those documents.
Sorry, that is complete BS. Have you scanned the entire internet and sure sure there are no links to these files on other public pages?
Files publicly hosted by a web server (software explicitly designed and installed to make those files public) is in no shape or form private property.
Furthermore, in this specific case, there is an explicit statement saying the files are public and saying nothing about them not being accessible:
This is clearly wrong.
If I forget to lock my door when leaving my house one morning it's still trespassing if you enter the house without my permission.
This doesn't seem like an apt analogy for the actual case described in the article, though. That case seems more like: you left a bunch of stuff at the curb with a sign that says "free for the taking", but didn't realize that you left some stuff there that you actually didn't want taken.
in the context of the article and the problem at hand, the teenager downloaded a bunch of things that were supposed to be public access, but also accidentally downloaded some things that were confidential though not clearly marked as such (im assuming based on available information) and so the only real way he would have known they were confidential was if he actually perused the contents of them. that would be like having a room that is private property and off-limits, and it is marked as such, but the marking is inside the room and can only be seen by entering it and as such violating the private nature of said room. but really these are all just my thoughts on it and i certainly don't think i'm right or anything. it's just fun to talk ya know
This is why the law tends to fall back on what a hypothetical "reasonable person" would think.
I'm not as much of a hardliner as rayiner on this particular case as I think there are some facts in favor of thinking of these documents as public:
- it was a government website
- it was specifically set up for the purpose of sharing foia requests
- the data in the documents was not easily identifiable as private
But when it comes to the general principle where some HNers seem to think "If the webserver responds with a 200 then it's perfectly fine." I have to disagree.
Imagine a different scenario in which we were talking about tax returns instead of foia requests. You're looking at yours at http://www.canadataxes.com/return?id=1234 and you realize that if you inc the ID you get the tax return of some other random Canadian citizen. In that case it would be immediately obvious that someone had made a mistake and you were accessing information you shouldn't. A "reasonable person" would understand that a mistake had been made. It would then be clearly illegal to write a script to scrape down the docs for every ID.
"the data in the documents was not easily identifiable as private"
as a mitigating factor.
If I request access to your house (send a HTTP request) and you grant me access (give me whatever I was requesting), I don't think I should be arrested for trespassing.
We're not yet to the point where its the victim's fault when victimized by a criminal. It may seem that way when there are so many active criminals. But some places its still possible to trust your neighbors. I live in one.
I grew up in a relatively small town. Literal years went by where my parents didn't lock the back door. It would have been illegal for someone to enter the house without their permission for that entire time period.
We do. But if we fail to do so correctly, as people occasionally will, have we committed a serious crime for which we should be facing prison? Particularly in a case where societal custom is not well formed, and analogies to more familiar situations are all strained?
This young man, by his account, likes to archive stuff he finds on the Web. From the sound of it, he's done URL incrementation many times, and this is the first time he's gotten in trouble for it. Let's suppose for the sake of argument that that's true, and also that there really were no indications on this site that the information was unintentionally left accessible. Do you really want to send him to prison for that?
You might reply that as cruel as that seems, its deterrent value would make it worth doing. But I don't even want to live in a world where people without criminal intent are so succesfully deterred from experimenting with the Internet. In such a world, site owners would take even less responsibility than they do now for securing their information, and therefore actual criminals would have even more unfettered access to it.
A situation like this (security wise) isn't like leaving a window unlocked and having someone rob your house it's like
1. Leaving a pie on the window sill overhanging the side walk with paper plates and plastic utensils beside it.
2. A man knocking on your door, asking you for your bank account number without impersonating anyone of authority, you offering it up freely, then suing the man because you forgot to ask who he was first.
This guy facing prison doesn't give a shit about it feeling like a man stealing a pie from your window. It's nothing close to that because you can steal pies from windows and be held accountable in a much more reasonable way, and trying to reframe the situation only helps to an extent.
What I see is a tendency towards the metaphor because that abstraction itself poses a challenge on top of the original one and the original problem itself is less interesting than the linguistic magic layered on top of it. You can talk at length about how bad the dog > animal OOP example is but you won't have much to say about OOP without that.
It's basically bike-shedding.
wolf doesn’t care about the reasoning of sheep so long as they submit
FFS if I go to https://www.booking.com/city/ie/cork.html it loads fine. Apparently I'm breaking the law if I use my criminal-mastermind hacking skills to ALSO go to https://www.booking.com/city/ie/dublin.html
It's just ridiculous.
More like, All items on this table are free.
So far, so good.
Then someone included a couple that aren't free.
Writing a line of code to fetch a batch of info is ordinary to a literate user.
Putting some burden on him to understand that has happened is a very hard sell to me.
In order to address that error, 15 police officers raided the kid's house.
That's all that happened: someone used HTTP in the way it's intended to be used, and inferred quite reasonably that the people who set up that web server knew what they were doing and meant to set it up that way. It turns out those people didn't know what they were doing, and they got embarrassed about it.
As you admit, the property owners did not intend those documents to be accessible. So the only relevant question is: would a reasonable person infer that documents which could only be accessed by editing a URL (by "tricking the HTTP server," if you insist on anthropomorphizing a dumb machine) was intended or not intended to be accessed?
I think most people would assume that documents that can only be accessed by editing an ID were not meant to be accessed. And that really is the end of the analysis.
I don't think you understand the web. I'm not anthropomorphizing anything. He literally sent a request for each document he wanted to look at and the server sent a response.
You keep referring to this hypothetical "reasonable person" who doesn't understand the very basic facts about technology, but the opinion you attribute to the "reasonable person" is just one you invented that happens to match your own.
> I think most people would assume that documents that can only be accessed by editing an ID were not meant to be accessed.
How would anyone know if the documents could only be accessed by editing the URL? Others in this thread have pointed out that some of those documents were indexed by Google, so actually, editing the URL is not the only way to get to them.
Computers always do what you _tell_ them to do, not what you want them to do.
The onus for keeping computerized material private is on the owner, and the owner screwed up royally by wrongly allowing sensitive material to be placed unprotected on a _public_ web site. Whether or not it was indexed is irrelevant - it was on a publicly accessible site, permissions set to publicly accessible, and the entire site was meant to be publicly accessible. One can close the analysis until the cows come home, it will not change this fact.
Accessing that material is as illegal as finding a diamond ring (or personal files) while dumpster diving. Dumpster diving may be seen as tasteless or low-class, but as far as I know, it’s not illegal.
Do we prosecute reporters for ferreting out publicly available, yet embarrassing, information?
A website isn't a trash can though.
If I accidentally leave a diamond ring (or personal files) in public somewhere and you take them that is absolutely theft.
As such, your analogies to situations (locked houses, unattended jewelry) with the opposite expectation just disprove your point. Assuming a file is private even though it's publicly accessible on a web server is as nonsensical as assuming an object is free for the taking even though it's an unattended diamond ring.
- Hey, can I GET this drink?
- 200 OK, here it is pal.
- 204 Uh, the bottle appears to be empty
- 206 I have only half the ingredients for the mix
- 300 Stirred or shaken?
- 301 That drink is now called this, but here it is!
- 400 I can't understand what you say buddy, are you drunk?
- 403 I'm sorry, but I must refuse to serve you that drink
- 404 Oops, I can't seem to find the bottle
- 411 How much do you want?
- 413 That's too much drink!
- 418 I'm actually a teapot
- 503 Too busy right now!
There are lots of things on webservers that aren't public. Try to access:
You can't, because github hasn't made a mistake and accidentally made all private repos public.
If github screwed up one day and all private repos were temporarily made public it would be illegal for you to run a script that tried to scrape them all down to your personal hard drive.
Files don't "accidentally" become publicly accessible via HTTP. i.e. you don't return to your computer one day to find everything is public.
Someone specifically took the steps to make this data public. The fact they didn't realize what they were doing isn't the fault of people that then view the data.
Hmm? It's certainly possible to configure a web server incorrectly by accident.
But as the person knows they are configuring a web server, I would say this is more carelessness / incompetence rather than an "accident" in the same way as losing a Diamond Ring would be.
If you insist on analogies involving lost rings, this situation is more like taking a picture of a ring someone lost in the street than it is like taking the ring.
If his carelessness meant communicating that you could take the ring without stealing it (say placing it in the donation basket instead of his wallet), that would absolve you of your crime.
I don’t think that’s a sensible rule and at the end of the day, it’s not the one that’s going to prevail. The Internet will be sanitized and made safe for all the people who forget their passwords and write them in their monitors. The Internet is for ordinary people now, not curious teenager hackers. And ordinary people will make the rules to suit themselves.
And how, exactly, is this "sanitization" going to occur? Are you saying that having 15 police officers raid a home and confiscate multiple computers (all but one of which had nothing to do with the incident in question), arresting a completely uninvolved person on his way to school, and taking no action at all against the stupid contractor who set up the website, is an acceptable form of "sanitization"?
> The Internet is for ordinary people now, not curious teenager hackers.
That's not what the police action described in the article is saying. It's saying the Internet is for government and corporations, and God help the ordinary people who get in their way. (Btw, I include "curious teenager hackers" in "ordinary people". Perhaps the fact that you don't is part of the problem.)
The only solution is site owners taking responsibility for securing their sites, in accordance with the sensitivity of the information on them. The sooner "ordinary" people realize that, the better.
Since you didn't respond when I raised it elsewhere in-thread, I would highlight again the fundamental imbalance between the rules you would impose on Facebook etc. and those you would impose on users. Firms that spend billions of dollars developing their systems only have to be as smart as the most ignorant person we can imagine. Their users, in contrast, must be geniuses to keep up with their many changes to TOS, interfaces, and functionality, while simultaneously those genius users aren't allowed to notice that numbers follow each other in sequence. This is nonsense on its face, but then again authoritarian maneuvers are their own justification, aren't they?
If we're at the topic of wishful thinking, I wished ordinary people would understand basic things about the internet. The purpose of humanity as a whole shouldn't be to dumb things down for "ordinary people". It should be to better teach and educate new generations, so we won't be able to assume ordinary people are dumb.
You do realize HN provides an API that allows you to request any item by using an ID? 
Stories, comments, jobs, Ask HNs and even polls are just items.
They're identified by their ids, which are unique integers, and
live under /v0/item/<id>.
For example: here is the link to the first story posted on HN: https://news.ycombinator.com/item?id=1
1. I don't think you can access that story by starting from the front page, because scrolling for more stories only gets you to page 25. Does that mean the intention is the story is private?
2. You can now access it by using the DOM element generated for my comment. Does that mean it's public?
While odd, `printf "GET / HTTP/1.0\r\n\r\n" | nc 18.104.22.168 80` gets you the HN home page as good as anything.
> it was far less obvious that the relevant documents were intended to be publicly available
My browser and the respective HTTP servers consider them equally obvious publicly available.
Of course they do. They consider whether or not to give me access. If they respond with 200, they are effectively telling me that the information is public and the request is approved. There's no law moral or legal that stops me from asking for information.
I could ask a law agent for classified information, but he's not going to prosecute me for asking questions. He could be suspicious and ask "how do you know a document with that number exists?". And I can reply "oh, I'm just asking for random numbers".
>There's no law moral or legal that stops me from asking for information.
I wouldn't be so confident of that if you haven't read up on the relevant laws. Many countries have prohibitions against unauthorized access that apply in circumstances where the access is not "unauthorized" in a technical sense relating to the details of the HTTP protocol. The law doesn't necessarily say what you would want it to say or what you would expect it to say. See e.g. the following example from the US. (I'm aware that the incident we're discussing occurred in Canada.)
And how do you prove intent? This is a technical problem with technical protocols involved. Intent should be provided via the protocol. If the protocol says resources are public, unless otherwise stated, you can't rely on a human to answer, post factum, what resource is private.
I believe that’s something they teach you in law school. Lawyers have been working on that problem for a while! IANAL, but I don't think you are going to be able to find a concise answer to that question that goes beyond the immediately obvious.
>Intent should be provided via the protocol.
Sure, if you say so. That’s not how the law works, though.
You're being hugely disingenuous. The owner of these files set up their website, which includes deciding which files are and are not publicly accessible, and it is reasonable to expect that the files they made publicly accessible are the files they intended to be publicly accessible.
One can certainly make the counterargument that a lack of public links suggests the owner wanted them to be private, but you are pretending that there's no evidence whatsoever that the files were meant to be public, and that's plainly not true.
I think most people don't have an intuitive understanding of this at all, which means you can get them to give any answer you want by crafting your description of the problem appropriately. That doesn't make such a procedure reasonable.
Except there's no way to know whether that's the only way to access those documents. That's what access control is for. They could be linked from elsewhere for all you know, and it's perfectly reasonable to assume that if you can access the document by punching in a URL, then it is so accessible.
Just curious about which one, or both, of those are trespassing in your perspective.
So it's more like going in to your library, using the card stack, learning about a book, going to the shelf it is on, and then looking at all the books on the same shelf.
Somebody noticed that you were looking at all the books and called the cops on you. The cops break in and arrest you for looking at books. They tell you that the bookshelf is off-limits and has personal information.
Sure, the library creates it's own card stack and google is an external service; however if you design websites for a living you expect google to perform that functionality.
I mean, I designed a service where we wanted to make it easy to share private information, so we didn't use authorization. However I realized that if I wanted the data to be private I should use a suitably long non-consecutive random ID for the resource. If anyone is guilty of criminal misconduct, it's the person who designed this asinine system or the executive who allowed it to be used on the internet.
Hell, I'd go so far as to say that the fact that the exact same system is still being used across the US is a sign that the company who runs the system is criminally negligent.
As I physical analogy, I'd think about it more as one of those restaurant straw dispensers. He got tired of pressing the button each time for a new straw, and instead opened the lid and grabbed a bunch out.
Did it? I understand that the stupid contractor who put this data on the website did (potentially--but note that nobody is saying that anyone has actually suffered harm because of that data being accessible). But did the teenager who got this bomb dropped on him damage anyone's privacy? As I understand it, he downloaded the data, put it on his hard drive, and left it there; it never went anywhere else.
I don't know you have don't particularly care about your financial situation, so I'm not gonna read them or share them with anyone else. I'll just keep them on my hard drive.
A) Sure, here you go. Oh wait! I didn't mean to send you those. You tricked me and stole my information. I'm going to send 15 police officers round to arrest you and then you're going to prison for years.
B) No, that's confidential.
^^ Which option do you think is more reasonable?
He can't be faulted for accidentally downloading some private information that was improperly mixed in with a bunch of public information that he was trying to download. He had no indication that the information he was retrieving was not supposed to be public.
If there were books in this section that shouldn't have been in there, that's not his fault. That's the librarian's fault.
Likewise, what the computer does is irrelevant, except insofar is it tells you about the owner's intent. So the question is not "did the computer let you access the file." But "what does how the computer let you access the file tell you about what the computer owner intended?"
Also, I'm not sure your analogy works at all. In the first paragraph, you seem to analogize the car to the accused "hacker", while in the second you're talking about the supposedly "hacked" host. To be clear, the point of the car example is that a machine's intelligence has no bearing on how its actions affect the duties of its operators.
The best, and most accurate, way of determining if the resource you requested is meant to be accessible, is to check to see if you got a 200 OK response or a 403 Forbidden response.
So your argument is that a better way to check this is to crawl the entire web looking for links to a resource to determine if it was meant to be publicly accessible?
Your intent argument is really shallow. People do bad things with good intentions all the time. Doesn't mean their actions are good or legal.
Or you failed to follow the rules, were careless, and hit him by mistake. Was your intention to kill him? No. Was it your fault? Yes.
If we have to resort to metaphors, then let's describe this section of the site as a ring binder, and each FOIPOP publication as a single page in the ring binder. What the kid did, then, is to take out the entire stack of pages and feed it to an automatic copier, put back the originals in the binder and left with the copied stack.
There is no indication that the "perpetrator" even looked at any page in that stack. And since the binder was clearly labeled as "free public repository of FOIPOP responses that have been approved for publication", the act of copying the entire stack is no reason to assume foul play.
Ok, not actually a metaphor -- https://www.motherjones.com/politics/2013/12/fbi-copyrighted...
Given that he tried to sequentially download all possible documents by sequentially incrementing document ID in URL it's more like trying to open every window in the public building and see what happens.
Is a 19 year old a kid?
The Nova Scotia govt forgot to lock one of those doors and are now furiously trying to shift blame. I haven't seen them apologize or address their own internal incompetence in any of the news articles I am seeing about this.
Those principles apply equally well to the Internet. Ordinary law-abiding people don't go fiddling with URLs, just like law-abiding people don't jiggle door handles or peak into windows to satisfy their curiosity.
This Orwellian attitude that looking at anything is criminal if the government retroactively decides they didn't want you to see it, is terrifying.
But as usual when it comes to authoritarian overreach by government, you're not de-facto wrong about the government sees things, but you are eloquently defending a morally horrific attitude.
That's not Orwellian or authoritarian--it's a basic part of "social" behavior in a society with private property.
However, when you make those files available through a web server, you make the "public".
You then have the ability to limit the access to those files through any one of a large number of techniques to make them private again. Now if there were evidence that they tried (and failed) to use one of these techniques or that the teenager in question deliberately circumvented these techniques, then you would have a point.
One (not particularly good) way of limiting access to files without verifying identity would be to create a hash (say using the requesters email address and the request ID) and use this in the url to access the document (similar to how google docs implement sharable document links).
If they had done this, then perhaps you could legitimately claim that there was evidence of intent to restrict access.
An incremented ID is the opposite. It is a sign that you wanted people to be able to easily predict the correct url to download the next file from. Using an incremented ID is in fact evidence that this information was intended to be public.
He literally asked the web server "can I have these files" and it responded with "yes, you are authorized, here you go".
If he wasn't authorized, the server should have responded with a 403 Forbidden!
Web servers are built around authentication and access rights! It is not the teen's fault that the government doesn't know how to configure them properly.
Edit: after few days you realize that the trash on your curb shouldn't have been there. Then you raid the trash company because your brother is a cop.
Making a mistake doesn't revoke someone's property rights.
This is a non-sequitur, nobody is saying anything about anyone's property rights being revoked.
The teen asked for access, and the content owners, via the permissions they had configured, granted it. Sure they can later decide that this was a mistake, but that doesn't make it theft for the teen to have asked for access.
They made a mistake when configuring their web server. It's obvious that this was a mistake because some of the documents contained private information from Canadian citizens.
Per the tech article, it was an open archive of public documents that the government published periodically. The reasonable assumption is that the files were all public, and there's no reason to suspect the teenager in this case thought otherwise. The fact that ~3% of the files weren't properly redacted (whatever that means) is hardly "obvious".
> Making a mistake doesn't revoke someone's property rights.
Let's keep things constructive please.
It doesn't matter if we're talking about physical property in the real world or virtual property on a server.
Leaving your property on the curb is a good example. If someone takes it, you would be hard pressed to get it back from a legal standpoint.
This is very similar. The government left all those documents on the curb.
But there weren't in this case. The express purpose of the site was to make that information publicly accessible. If you leave stuff out at your curb with a sign that says "Free to all takers", and someone takes something you didn't mean to put there, how are they supposed to know you didn't want them to take it?
This is the big problem here. There's no way the way the Freedom of Information Act in Canada is written the way it is because of the democratic wishes of Canadians. Every day our government moves further away from governing according to the will of Canadians and more toward the will of.....I don't even know. Saying it is the will of politicians doesn't explain some of the strange behavior we've been seeing in this country for quite some time.
If our fate is to ultimately live under a quasi-dictatorship masquerading as a democracy, then so be it, but I wish we could just be honest about it. This objectively false "Canada is a democratic nation" claim is infuriating to me.
That’s not even true. Trespassing requires that you be told not to be on the property, that’s why people post signs. You can’t be charged with trespassing because you went hiking and wandered onto unfenced land with no signs, it doesn’t matter if the dumb owners thought nobody would ever hike over there.
I’m an ordinary law-abiding person, and I fiddle with URLs. I know lots of people in that group.
It also doesn't take a computer whiz to use DownThemAll to enumerate URLs and download them all. They even have a dedicated function for this!
Yes, one does have to have some computer literacy to be able to do that. No, they don't have to be out of the ordinary.
Incrementing URLs by hand is one of the ways I learned about how the internet works, as a young kid. Kids are curious. This is normal behavior!
I remember a teacher yelling at me for trying some slightly advanced features in a hardware design language. I was really proud I could implement something I didn't thought possible, but her reaction was along the lines "Do you want attention? Why can't you just stay quiet and do what the rest of the class does without showing off?".
Stifling creativity and curiosity, especially in children, encouraging them to be mediocre "like ordinary people" is disgusting and counter productive.
> Aaahh, he crashed my computer!
Went the teacher. Which then swiftly closed my unsaved document. 15 minutes of work, gone. As well as any remaining trust I had for her. I had done something unexpected, and she was afraid.
I don't think I was quite able to articulate it at the time, but she would have made a fine witch hunter. I do recall a sense of unpredictability though, and reminded myself not to step on that tiger's tail ever again.
It's not a technical shell game. If you asked your mom, "hey, do you think they meant to have people be able to access those documents, where you can only get to them by editing numbers in the URL," she would say "no." That's what defines what is legal or not in this context.
If you asked your mom, "Am I free to access all the
public-facing information on the Government Freedom of Information server", what would she say? The technical details of how to make the connection are irrelevant. My mother doesn't know how to connect to a BBS, does that mean that anyone accessing a BBS is breaking the law?
No, she would say "I don't know what you're talking about, can you put that in plain English?" And then you could get her to give any answer you wanted by phrasing the plain English appropriately.
Good thing computers use unambiguous protocols to communicate explicit intent.
> If you asked your mom, [...] That's what defines what is legal or not in this context.
I'm really terrified of a world where the law is made by asking laypeople what they think. Just like we don't define borders by asking random strangers on the street where countries are, I don't see how it's a good idea to define laws for technical services and protocols by asking people who barely understand computers what they think.
That's complete nonsense. I've often changed a URL because it didn't work and had a typo. It's right there at the top of the web browser asking everyone to fiddle with it. If you were right, the URL bar would not be editable in web browsers, so you should be complaining to Google, Apple, MS, Mozilla for leaving this criminal-use-only feature so prominently on their products.
The only people here are the teenager and the property owner. And the intent that matters is the intent of the property owner. Did the property owner intend those documents to be publicly accessible? Would a reasonable person have assumed that those documents were not intended to be publicly accessible, because they could only be accessed by editing a URL?
You post often enough on this topic that we all know your position, before you post. Consider, if you will, whether your preferred position is one that will lead to improvements. I posit that it will not. Your position, if adopted, would lead more faceless totalizing organizations to amass, against our will, more of our personal data, and to be less careful stewards of the same. We have far more to fear from those organizations than from 19yos.
What a computer does may be evidence of intent, just as a lock (or lack thereof) may be evidence of intent. But just like an unlocked door is not evidence of intent to make something accessible, neither is an unlocked computer.
> Consider, if you will, whether your preferred position is one that will lead to improvements.
The Internet belongs to ordinary people, not folks who have read the HTTP spec. (It's their world, we just live in it.) "Improvements" will be had when the rules comport with what ordinary people want and expect. Ordinary people don't think about computer security; they expect that, like in the real world, people won't go into places that don't look like they're meant for the public just because there's no locks to prevent them from doing so. The law should reflect those expectations.
Laws exist to create social norms. HN users are preoccupied with data security, but ordinary people hate security measures and are bad at it. So it seems completely backward to me to codify in the law the idea that accessing data should be presumed to be permissible just because the owner of the data didn’t secure it.
Very few "ordinary people" would describe websites as "places", anyway. They don't say they're "at" Facebook, they say they're "on" it, much like they could be "on the phone" or "on TV". Maybe this hasn't always been the case, but the courts aren't tied to 1990s-era metaphors. No one on a jury remembers those silly "Welcome to the BatCave, Come on in if you Dare" geocities pages.
Incidentally, Facebook and its ilk hold ordinary people to much more complicated standards of behavior than those to which you and they would hold sites, all the time. Oh, you didn't read all 50 pages of TOS and then update the (hidden) configuration, every week? Silly user, that's why we gave all your data to the English!
Meanwhile, you don't think Facebook should have to understand how HTTP works, just because one person working at the company might not. Interesting, that the benefits go one direction and the duties go the other.
In the physical world, one can accidentally walk into a room they shouldn't have, perhaps mistaking it for the bathroom, and then leave without having committed any transgression. Entering a room you shouldn't be in doesn't mean you've automatically taken the contents of the room. On the internet, however, visiting a URL means just that. There's no "oh, it looks like I shouldn't be here" opportunity.
URLs are not doors. They aren't rooms. The same reasoning can't be applied to them, as they behave in fundamentally different ways.
If those sensitive documents were on a _public_ website intended to be browsed by the _public_, who presumably did not require authentication, and the documents did not cause an “Authorization required” response when accessed, it feels rather totalitarian to treat that as a crime.
Most of the metaphors I’ve seen about this are not fitting. As excessive as the barrage of metaphors may be, allow me to add my own:
As part of a free treasure hunt, a person gives you the address of their house and says, “Whatever is not locked up is fair game for you to look over, take photos, or copy.”
You go there and have a great time. Then the homeowner has a fit because you discovered a hidden cellar full of pornography, which was apparently off limits but the door was inadvertently left unlocked. Now the homeowner is charging you with breaking and entering, saying you should have known better and it was common sense.
The answer, even in the realm of physical property, is clearly not 'never', so where is it, and what leads you to believe its threshold was not crossed here?
The law is that the onus falls on the owner or their agents at the point where a reasonable person would not be able to infer the scope of the implied license from the circumstances.
I posit that a reasonable person (not an HN reader) would infer from a document being only accessible by editing a URL that it was not intended to be publicly accessible.
Do you view 'a HN reader' as a reasonable representation of someone skilled in the art [of creating and serving websites]?
Unless I'm missing something, the only conclusion that I can see following this line of reasoning is that skill in the art is inversely proportional to a person's 'reasonableness' in this matter.
If a quorum of experts are coherently proposing that certain actions are reasonable, even if you find them distasteful, at what point is 'reasonable' no longer reasonable?
For what it's worth, despite sounding like a rhetorical question, I am truly interested to know your thoughts on that last matter.
People on HN are not representative, because they know about computer security and HTTP access codes. We don’t live in a world where those people get to make the rules. We live in a world where the rules are set by reference to ordinary people. My mom gets to set the rules for what’s “reasonable” (what are the social norms everyone has to follow). Not you or me.
My point is that a reasonable layman would assume that if a document was not linked or indexed from a public portion of the site, it was not meant to be accessed. That makes sense, because if the document was meant to be accessed, it would be made accessible in a way a reasonable lay person would know how to access it.
And others point out that editing a URL to increment an ID which is obviously sequential is absolutely a reasonable way of browsing the web. That doesn't mean a lay person has to know how to do it, but that they wouldn't think anything criminal was happening if they watched someone else do it.
An ordinary person would infer from accessing a url and receiving information, that the information was intended to be public
It might be hard to prosecute, but just because I invite you over to my house I have absolutely not granted you permission to enter any room you want.
If you, for example, went into my office and started rifling through my file cabinet that would be a huge invasion of my privacy despite the fact that I (like many people) do not have a physical lock on my office or filing cabinet.
there are also PDF and epub versions if you google for it.
> If the information is not supposed to be public, it should not be reachable without authorization or authentication.
I don't lock my car, and often not my house either. I don't think that means you should be able to snoop around and see what interests you. Websites are private property. It is obvious what parts you're supposed to see and what parts you're not supposed to see. You should be able to prosecute snoops as an alternative to locking things down, as you would with any other private property.
Your car, presumably, is not offered as a public resource.
This is silly. Your door analogies have no place at all.
A great many websites work this way.
Unless you’re injecting metacharacters into URLs, or requesting AAAAAAAA * 65535 followed by shellcode, changing paramter values is using HTTP exactly as designed, and a well-formed request has many possible error codes for the exact purpose of letting you know what you are allowed to access.
It’s perfectly normal for people to alter URLs. The fact that people who are unfamiliar with URLs don’t do that is irrelevant, and you could say the same for any subject. Just yesterday I changed lat= and lon= to get a NOAA forecast. Is that snooping or hacking? How about when we change the integer at the end of an XKCD comic to view another one without previously confirming there is a hyperlink somewhere?
At least in the Weev case, people could take his IRC logs out of context as well as argue the fact that it was plainly obvious that the server was misconfigured and he was seeing content that he should not. But getting a response when incrementing an integer, generally speaking, does not mean you are viewing something unintended for you. When you are downloading public documents, it would be entirely unreasonable to assume that the material was non-public.
Also, take a step back to really think about what you are advocating. Is society better off by ruining this kid’s life? It blows my mind that someone even remotely technical can think this particular case is a good use of the justice system, or can even compare it to someone snooping around their neighborhood and trying their doors.
Doesn't seem obvious to me. So now I have to check for a specific anchor to a URL to see if a URL is considered publicly accessible?
Here's a better analogy; you put up a "yard sale" sign in your front yard, fill the driveway with property, and then call the police on the first person who shows up claiming they are trespassing.
A public web page is no different. A reasonable person would not assume that content you can only get to by editing a URL manually is supposed to be accessible to the public. A typical person would not even know that you can do that. Those typical people are the ones that get to set the rules, not hackers.
Websites are not only meant to be accessed by humans either. Are you telling me that bots should employ human reason to guess what should be viewed or not?
I'm not even sure what you're proposing. The web has always been public space.
How about if someone takes the url, and doesn't view it, but posts it on some other website with high traffic. Now all people that click the link have broken the law?
A reasonable person could totally use crawlers like DownThemAll, and fail to notice that some URLs they request are not, in fact, accessible by clicking through a web page. That's different from accessing something you know isn't accessible by mainstream means.
I did that several time to download some porn. The process is simple: search for whatever I'm interested in in a search engine, click on whatever image looks interesting, see if I the URL has numbers I can modify to access nearby images (they will have hopefully the same theme, or even depict the same scene).
The first URL was clearly publicly available. I got it legitimately through a search engine, or by clicking around. How am I supposed to guess that some of the others are off limits?
It's really not a reasonable comparison.
or to the owner of the car!