
The first thing that jumps out is Sweden has a national identity system, BankID. The APIs appear to be protected using those credentials. With that in mind I have two questions:

1. Who owns the data?

2. Should public funds be used for the creation of private APIs that manage the data?

The answer to (1) has consequences for (2).

I think many HN readers, including myself, and certainly these parents would argue that the data is the property of the parents. If you see the data as being the property of the parents then you would see the APIs as being the means for retrieving and manipulating your data - data that's protected by this national BankID identification.

It appears the school system believes the data is their data, and not the parents' data. Therefore retrieving the data through any other means than the "official" app is a potential data breach.

So who is right? Think about the data we manage on behalf of our customers, for example. Who owns that data? What rights do our customers have in accessing and managing that data?

This is a really interesting case and hopefully will force the answer to these questions.




(I am Christian Landgren, cofounder of the project)

You are right, the city believes they have ownership of the data, mainly because they fail to understand that they aren’t showing data in an app, but rather publishing data in an API. In Swedish law, once you have released data from a government, the receiver has the right to do whatever they want with that data (as long as it isn’t violating any other laws).

The city in this case is responsible to check that the data is safe to share publicly, and once they have, the data is not theirs. This is regulated in the constitutional law regulating free speech, which goes back to the year 1766.

This means that they can’t really apply the same logic as a private company can when publishing data in their API. A private company can still keep a license over what can be done with the data they publish. A city can not do that because of these constitutional laws.


> You are right, the city believes they have ownership of the data, mainly because they fail to understand that they aren’t showing data in an app, but rather publishing data in an API.

Christian, it's not about the data and has never been. The data is a legal tool they are using.

The municipal administration is trying to save face. It's layers and layers of non-technical bureaucrats who have to justify their salaries.

A few talented software engineers running circles around some multi-million dollar contract they gave to a large offshored operation with probably close to a hundred individual programmers doesn't look good for them at all.


That's an interesting angle - the government published the data via an API and therefore the data is now public and so as a result these other laws you mention come into play. Fascinating! Please keep us posted as to how this progresses.


The act of publishing has little to do with it. Sweden is open by default and the government has to provide public access to official documents to anyone and everyone - including foreign nationals.

> The principle of public access to official documents serves as a guarantee for transparency in the work of the Riksdag, the Government and the public authorities. The principle is set out in the Freedom of the Press Act, which is one of Sweden's fundamental laws, and means that everyone is entitled to access official documents.

> Everyone is entitled to contact a public authority and request a copy of an official document. Anyone requesting access to an official document does not need to provide their name or any details of how the document will be used.

The government can opt-in to secrecy.

> The Public Access to Information and Secrecy Act contains provisions on secrecy to protect public interests, for example, national security. It also contains provisions on secrecy to protect individuals’ personal or financial circumstances.

Source: https://www.riksdagen.se/en/how-the-riksdag-works/the-riksda...


US law is similar. The federal government cannot hold copyright and absent specific opt-ins for national security and so on, all data is public.

States and cities are a bit trickier because of the weird way the constitution interacts with states, but things still tend towards open access.


Is there any way to write an app that doesn’t “publish the data” by this definition? It seems like publishing was not their intent, and furthermore they were not legally allowed to “publish” personal data.

For example, if their system includes an app that lets you see your student's grades and disciplinary issues, presumably you would not want that published. Is it simply impossible to build an app with such data in Sweden now, as it would be “published”?

Edited to add: and just to be clear, I am fully supportive of this use case. Just trying to understand the restrictions better.


No, because applications, publishing and intent don't factor in.

Student grades and disciplinary issues become official documents as soon as the teacher documents them regardless of form (i.e. paper, audio recording, IT-system, etc). The school is then obligated to provide those official documents to anyone upon request.

The school could argue that this information should be kept secret but student grades are not explicitly protected by law and it has already been established that this type of information is in fact public. I don't know about disciplinary issues but interactions with social services and psychologists are explicitly protected by law.

The Swedish government has always been obligated to make information accessible to humans and with new regulation regarding Open data and Digital government that obligation has increased to also make information accessible to machines. Attempting to create an application that makes this difficult would be misconduct - the Swedish government is obligated to provide APIs.


Can a different parent look at my child's grades? Or is there still some level of privacy where only certain parties are allowed to view certain documents even if they are official.


Yes.

Edit 1: I figured I should back this up with a source but all the ones I could find are written in Swedish. So either accept my translation or ask a trustworthy Swede to translate it for you.

> Skolbetyg är allmänna handlingar, och vem som helst kan beställa fram betyg från arkiven. Journalister brukar t ex ofta vilja se på nytillträdda ministrars skolbetyg.

Source https://riksarkivet.se/skolbetyg

Translation:

School grades are official documents, and anyone can request grades from the archives. Journalists often like to see the school grades of newly elected government officials.

This source is the Swedish National Archive but this also applies to non-historical grades.

Edit 2:

> Or is there still some level of privacy where only certain parties are allowed to view certain documents even if they are official.

The government can, and will, opt-in to secrecy for things like social services and medical records.


The example you're talking about is for adults who have been out of school for a while.

I'm pretty sure you can't request information about minors, so you can't look up the grades of your neighbour's kids or something like that.



Right, ok, but you can only request final grades. So you can only do this once on 15-year-olds, after they've finished primary school. And the next time you can do this on a person, they're gonna be 18 and have graduated high school.

I thought the primary school final grades were protected until you're an adult, but apparently not.


There may be some terminology confusion at play. The data may be an "offentlig handling" ("public document"). Christian's argument is that since the data is a "public document" it can be published through his app. That argument is correct at least as long as he has an "utgivningsbevis" ("letter of publishing rights"?). However, it doesn't follow that the way his app is accessing the data is lawful. You may go to a bank and withdraw your savings but you may not break into a bank and physically take your savings.

Grades are "public documents" in all schools in Sweden. With other things like disciplinary issues it varies depending on whether the school is run by the government or a private company.


No, the app has no communication to us; we don’t even have a server. This means that from a legal standpoint we aren’t publishing any information. We only help our users to present their own data in a better format (than JSON).


Sorry, I see now that “they” in my comment was ambiguous. I meant “the government”, not your app that accesses the school APIs. As in, if in Sweden anything that is available from the government in an API is defined to be published, does that mean the government cannot make an API for private information such as sensitive parent/teacher communications?

Naively it seems to me that a government API could contain docs that are not published/public docs. But maybe that is so, and the argument here is simply that _in this case_ everything was in fact public, including some personal data that would seem non-public to people familiar with other legal systems.


If (and only if) the API is authenticated can you publish things that fall under various secrecy laws (sekretesslagar), the chief one I am familiar with is medical secrecy, where a person has access to all their medical records, medical staff have access to records that are relevant to ongoing treatment, and no one else has.

This can, in principle, be solved with a permission system that makes suitable decisions based on the identity of the API user (well, the identity on whose behalf the API queries are done).

For medical secrecy, should you stumble over information that you should not have, you are then legally obliged to not disclose the information, but I cannot recall to what extent you have an obligation to tell relevant document owners about the possible breach, it's simply been too long since I was working in medical IT (where, by necessity, I would occasionally stumble over secret things doing things like DB repairs or helping users with application problems).


Hi, congrats on the app. I was curious about one thing in the article - why would the city pay to license the app when it is open source? Do you anticipate that this would be cheaper for them than them paying one of their overpriced contractors to build and publish an "official" version, given how much they spent on a CRUD app?


Thanks!

Well we have already made the source code open and free and also encouraged the city to release an app with our source code as base. They weren’t interested in that. They would rather license the app, support and maintenance to us. We have quoted a fixed sum per month for that service and we plan to use that money to reimburse everyone sending PR:s we merge.


> We have quoted a fixed sum per month for that service and we plan to use that money to reimburse everyone sending PR:s we merge

How interesting :- ) I wonder how you'll distribute the thanks-for-the-feature (PR) money — e.g. per PR, or per lines (hmm I guess not) or maybe some impact / "severity" system like for bug bounties? (but this time "feature bounties")

(From Sweden me too. How nice that you built the app and that apparently things seem to end in a good way :- ) I felt a bit upset when reading the article)


If you view your idealised version of the app as "the app" and everywhere it doesn't currently match reality as a bug, you can just use a bug bounty system for it and it will make intuitive sense for everyone :)


When writing the first line in a new project,

one in an instant adds thousands of bugs :- )


Sounds like a positive step forward, despite the grief they put you through! Ultimately it seems like democracy winning out, although sad to see the very institution that should support and endorse it acting as a gatekeeper.


Swede here. This is just a guess, but I think it's the illusion of control. Too much negative press about the conflict, and this is their attempt at controlling the narrative and "taking responsibility". We'll see what the future holds.


Well done! Both for the app and seeing the fight through. All of us would be lucky to have people as dedicated as you and your team in our cities.


But there is no API here. The article makes it clear that you were intercepting client-server communication not meant to be used by third parties in order to write your own client. That it could be used as an API doesn't matter since the intent wasn't to create an API.

I could do the same thing and write an app for, say, the tax agency by scraping its website but it would be a legal gray area.


I'm not sure I follow why that would matter. Their constitution says once data has been released, it is no longer their property (because it's a public institution). They created a way to access the data, so the data has been released to the parents and so the data now belongs to the parents. The parents own the data, and as such it would seem to follow they can access it any way they want.


It matters because the definition of data breach is very broad. For example, if I run a website and tell you that you may not browse my website but you continue to browse my website, you may be guilty of data breach. If I tell you not to log in to my website but you still log in because I forgot to disable your account, you are very likely guilty of data breach. Since the city didn't publish their information through an API, nor intended the information to be used by third parties, and also explicitly stated that they did not want Christian's app to access their information, it's quite possible that the app facilitated data breach.

See the Aaron Swartz trial, which was about essentially the same thing.


> you may be guilty of data breach.

No, you may not in this case :) That is why people keep emphasising the way in which the data was published. This is Sweden, not the US.

> the city didn't publish their information through an API

Yes, they did.

> and also explicitly stated that they did not want Christian's app to access their information

If you cannot reasonably be said to have circumvented any technical measures to secure the data (cryptographic keys, some sort of login, IP range blocks, etc) it is not a breach. In that case, it is just you consuming what is there for everyone (like unencrypted wifi - harvesting those signals using SDRs is not an issue because you are not bypassing any security), which is okay.

Edit: Legally okay, that is. How you feel about it ethically is up to you, I'm not talking about that.


> No, you may not in this case :) That is why people keep emphasising the way in which the data was published. This is Sweden, not the US.

Here is the relevant paragraph:

"För dataintrång döms den som olovligen bereder sig tillgång till en uppgift som är avsedd för automatisk behandling eller olovligen ändrar, utplånar, blockerar eller i register för in sådan uppgift"

The requisites are: "olovligen", "bereder sig tillgång till", and "uppgift som är avsedd för automatisk behandling". Christian's app fulfils the requisites.

API means "Application Programming Interface" and if you think the city created or intended to create such a thing you don't know what an API is.

> If you cannot reasonably be said to have circumvented any technical measures to secure the data (cryptographic keys, some sort of login, IP range blocks, etc) it is not a breach.

You have no idea what you are talking about. There are several precedents that show that circumventing technical measures is not required for data breach to have occurred.


They for sure intended to make an API, but also intended it only to be used between the two contractors involved in the application development. There was a requirement in the RFQ for the backend to have a well documented API. Almost all of the RFQ was about making an API. In this case the intended user, e.g. the parent, is using the API to get the data they are supposed to get, though using a different web app than the intended one from the city. I have a hard time seeing how the parent, by accessing the same data they are supposed to get, is doing any crime. The police investigation came to the same conclusion, and the internal investigation at Stockholm city also came to this conclusion. That the police cited Stockholm's internal investigation I think is a nice little detail here. Though if the app would have given the parents access to data they were not supposed to get over the API, the situation might have been another. Now it's just the same information but presented in a user-friendlier way.


(translated to English)

>For data intrusion, a person who illegally prepares access to information that is intended for automatic processing or illegally changes, deletes, blocks or registers such information is sentenced

This app does not appear to meet this definition as the data they are exposing is not intended for automatic processing, but it is exposing manually consumed data (i.e. the parents were already consuming this data manually) in a different, more accessible way.

I agree the city obviously wasn't intending to expose an API.

Which precedents are you talking about? I don't know much of anything about Swedish law, so any precedent you can show would be educational for me.


> There are several precedents that show that circumventing technical measures is not required for data breach to have occurred.

Given that you know significantly more than me perhaps you could give me some examples. I'm always interested to see countries in which such jurisprudence is different from the norm, especially in Europe. Thanks :)


There is clearly an API in play here. The article mentions it numerous times. The client app has to use an API to get its data, that's a downside of deploying a SPA. You need to make an API for it to get data from.

If you don't want to make an API that exposes raw data, just write an SSR app. If you want to deploy a SPA, well, you have to deploy an API as well, and you need to plan around the fact that when you throw an API out into the wild and authorize people to use it (by handing out auth tokens), well, people are gonna use it.


Using SPA vs SSR as the sole factor in determining "published" status rings hollow for me, because it completely excludes any analysis based on intent, and intent usually matters in law! (Though I admit I'm not familiar in this case and this country.)

Also it's easy to poke holes: does this mean that scraping data from html is always hacking, regardless of the expressed intent? (See recent Missouri case for what that might degenerate into.) What if it's "semantic web" and the html contains metadata specifically designed to aid data extraction?

I think the parents should own the data, and that's why it should be open. But I don't think drawing the line based on which kind of technology is used to deliver the content is a good method of adjudicating published intent.


Publication intent is trivial to verify.

Q) Are you able to retrieve a document using the credentials issued to you by the API? A) Yes: Then you're authorized to view it. No: You're not authorized to view it.

An API is the encoding of business rules around data access and modification. If your API is allowing access that you don't intend a user to have, fix your authorizations.
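A per-identity permission model of the kind described in this comment and in the medical-secrecy comment above, written as an added example; it is not code from the city, its contractors or Christian's project, and the record classifications, identities and records are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Classification(Enum):
    PUBLIC = "public"      # e.g. final grades: an official document anyone may request
    GUARDIAN = "guardian"  # e.g. teacher/parent messages: only the child's guardians
    SECRET = "secret"      # e.g. social-services or psychologist notes (secrecy law)


@dataclass(frozen=True)
class Record:
    student: str
    kind: str
    classification: Classification
    body: str


@dataclass(frozen=True)
class Identity:
    """Whose behalf the request is made on, as established by the authentication
    step (BankID in the thread). The relationship sets are assumed to come from
    the authority's own registers, never from anything the client sends."""
    subject: str
    guardian_of: frozenset = field(default_factory=frozenset)  # students this person is a guardian of
    treating: frozenset = field(default_factory=frozenset)     # students this staff member treats


def may_read(identity: Identity, record: Record) -> bool:
    """The business rule the API encodes. Note what is NOT an input: the client
    software, its User-Agent, or whether the call came from the official app."""
    if record.classification is Classification.PUBLIC:
        return True
    if record.classification is Classification.GUARDIAN:
        return record.student in identity.guardian_of
    if record.classification is Classification.SECRET:
        # Secrecy-protected material: only staff with an ongoing treatment
        # relationship; a guardian does not receive it through this endpoint.
        return record.student in identity.treating
    return False


def fetch_records(identity: Identity, student: str, records) -> list:
    """Server-side handler: returns exactly the records this identity is
    authorized to read for `student`. Whatever is filtered out here cannot be
    obtained by swapping clients (SPA, curl, or a third-party app)."""
    return [r for r in records if r.student == student and may_read(identity, r)]


# Constructed sample data (no real people or records).
RECORDS = [
    Record("child-1", "final-grade", Classification.PUBLIC, "Mathematics: A"),
    Record("child-1", "teacher-message", Classification.GUARDIAN, "Parent meeting Tuesday"),
    Record("child-1", "psychologist-note", Classification.SECRET, "(protected)"),
    Record("child-2", "final-grade", Classification.PUBLIC, "Swedish: B"),
    Record("child-2", "teacher-message", Classification.GUARDIAN, "Field trip form due"),
]

PARENT = Identity("parent-a", guardian_of=frozenset({"child-1"}))
NEIGHBOUR = Identity("parent-b", guardian_of=frozenset({"child-2"}))
COUNSELLOR = Identity("staff-c", treating=frozenset({"child-1"}))


def visible_kinds(identity: Identity, student: str) -> list:
    """Record kinds the given identity is authorized to read for `student`."""
    return [r.kind for r in fetch_records(identity, student, RECORDS)]


if __name__ == "__main__":
    # The parent gets grades and messages for their own child, whichever client they use.
    print(visible_kinds(PARENT, "child-1"))      # ['final-grade', 'teacher-message']
    # Another parent only gets the part that is a public document anyway.
    print(visible_kinds(NEIGHBOUR, "child-1"))   # ['final-grade']
    # Secrecy-protected notes reach only staff with a treatment relationship.
    print(visible_kinds(COUNSELLOR, "child-1"))  # ['final-grade', 'psychologist-note']
```

The authorization decision is a pure function of the authenticated identity and the record, so "can I retrieve it with my credentials" and "am I authorized to see it" are the same question.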


See I like this argument better because it has nothing to do with being an API or HTML and everything to do with access authorization. It doesn't make sense for the government to have the power to control how the data the parents are authorized to view is displayed, or what tool they use to display it.


> drawing the line based on which kind of technology is used to deliver the content is a good method

Apart from other reasons, it would almost certainly result in providers obfuscating data or reverting to SSR which is a perverse outcome.


It might technically look like an API - but it could still not count as an API legally (for the constitutional trick) if the interface was not intended to be public.

If you want to stretch the terms, everything on and off the web that does communication is basically an API - it's just that some of those APIs use JSON to encode their data and make it really easy to access... and some of them bury it in mountains of HTML - but if the data is there the data is there. There really isn't a functional difference between a scraper that goes from TEXT => DATA and a json decoder that goes from TEXT => DATA except how easy it is to write and maintain it.

One outcome of this fight might be that government organizations are directed to use more proprietary communication methods which would be a poor outcome for everyone involved.


The law is not specific at all in regards to the format of the document. So to talk about an “API legally” has no meaning. In a private scenario it makes sense, but what we are talking about here is public documents which are sent through an API. The city has a responsibility to only send information I have (as a parent) a legal right to see. How I parse it and present it is up to me as a citizen (through an app, or save it as JSON and upload it to an Excel file or such).

One implication of this project could be that government agencies in Sweden can not have private API:s.

To use more proprietary methods (private api:s) will have no effect on the constitutional law. You still have received a public document as a citizen.


> How I parse it and present it is up to me as citizen

I know technologists like to think that way but very often the law doesn't work like that. They will think about intent - was the intent to give you the raw data or was the intent to convey a specific representation of it that may omit some parts or further transform or presentation layer changes to achieve a different final result to what the raw data would have conveyed?

If it is the latter then that is the "public document" you have access to, not the raw data from the API.


> convey a specific representation ... is the "public document" you have access to, not the raw data

Seems you're saying it might be illegal to convert an HTML file to PDF format, or to use a screen reader to read the text.

I wonder in which country you are (where apparently there can be laws like that)


Or even just print it out. Or put it in a binder. Or make it your desktop wallpaper. Or print it on your toilet paper rolls. Or make paper airplanes out of it. Hmmm it seems like this is a bit of a ridiculous argument. I highly doubt any free government would/could make it illegal for me to print the laws on toilet paper, downloaded via their API.


An app that parses a news site's articles, removes all advertisements from it, and adds its own might very well be illegal in some jurisdictions.


That would be a bit less clear, I think... perhaps it may make it more concrete to think about an example.

Say the education department has a requirement that wherever a student's grades are displayed, the legend to explain their meaning and a disclaimer about limitations is included. It could even be a hard requirement (like, they got sued once for not doing it, so their lawyers have told them they must enforce this). So they are careful that in their app that requirement is always satisfied, since failing to do that could lead to harmful confusion that could impact a student.

So in their view the "document" they made public is the fully rendered version of that. If you print it out, you are effectively doing a transformation that preserves its form and essential characteristics. If you screenshot it, cut out the disclaimers and legend and then paste it on a public web site... you could create the same problems that you are by taking raw data out of the API.


Here's one possible issue though - I asked (in another sibling comment) if `ls` could be considered a filesystem API - I strongly believe it is. That means we probably (for sanity's sake) need to differentiate internal vs. external APIs and provide a method for safely allowing this public document method to be well defined.

If a spy is filling out an expense report via secure email after an undercover mission to Norway (trying to figure out if Norway is hoarding lutefisk, I assume) which ends up resulting in a bombshell report to the public about international lutefisk accessibility, then that report is clearly public - but the spy's expense report (including, I'd assume, their identity) is something that should logically be kept secret. There's some press secretary in the middle that takes the raw information and turns it into the scandal we all know it would be.

The data being transmitted over an API is not intended to be directly consumed by the public - there is, instead, an application that exists to take that raw data and transform it into something that is publicly viewable. That application is the corollary for our press secretary here.

I am concerned this might be a bigger rabbit hole than you expect. I totally agree that the town shouldn't flip out and be stupid calling in legal authorities like it currently is - but I think this might be more complex.


In this particular example, it’s likely none of that would be digital (over the web) and it would be classified.


Possibly? Or maybe they use a web based expense reporting system like almost everybody in the modern world. I also think it's a pretty open argument whether the definition of what is and isn't an API relies on things being served on the web.


Privately documented APIs are still APIs.


I don't disagree (though when it comes to this particular case it's a question of what the opinion of Swedish courts is) but there's just a lot of grey area there.

Would you consider `ls` an API for exposing your filesystem?


> Would you consider `ls` an API for exposing your filesystem?

I don't see why not.

It has an interface for input and output, conforms to well known specifications and is publicly documented.

There's also multiple implementations behind the API.


I would consider "ls" a presentation tool that uses an API to present information about a file system. I would consider stat/lstat/opendir/readdir/closedir the API that "ls" use to gather the information.


When you combine it with shell scripts, I'd say that ls is an API to itself.


> One outcome of this fight might be that government organizations are directed to use more proprietary communication methods which would be a poor outcome for everyone involved.

I agree with the rest of your argument, but I think that this part is not necessarily a good example of the risks. Far easier would be to use a shared key between the app and the site, and thus use encryption to prevent reading the data, while still sending it in JSON over HTTPS. A pinned certificate would do the trick, at least on phones which prevent the user from inspecting app bundles.


I think it depends on the outcome of the case - I could see some possible resolution like the Swedish supreme court declaring that JSON counts as a public record and that forcing a block on prohibitive encryption of JSON endpoints offered by the government (assuming everything the OP said about constitutionality is correct).

We've seen such bizarre technical decisions from high courts before.


I don't think the Swedish legal system uses precedents though. Does that matter?


I don't know - I think all legal systems use precedents to a certain extent - they're just extremely formalized in America and Britain. Sorry but I'm not familiar enough with their system to reply with confidence but I would say that if a high court in a country rules a certain way, even if that isn't binding to future rulings, it will cause people to adjust their behavior to avoid falling into a trap that's been clearly called out already.

Uh, also, IANAL.


A website is an API (poorly designed).

The only way to not make an API out of publicly available data, is to encrypt it. Then nobody can read it unless they have the right keys.


If you encrypt it, you have to, at some point, also send the keys to the user. The key has the same legal protection as the rest of the document so encrypting the data has no implication on the legal discussion.


> If you encrypt it, you have to, at some point, also send the keys to the user.

Not if you're using a public key cryptosystem and the user generates their own private key. Only the public part is communicated (from the user to the source of the information), and that isn't enough to decrypt the document.


No, because if those keys have to be extracted from elsewhere to bypass a security measure it becomes a breach. The way the documents are published and the way in which they are accessed are relevant to the discussion.


I feel like focusing on who owns the data is unnecessary.

If there is an API that grants access to data by passing in a valid auth token, then it doesn’t matter if it’s called from a SPA app or postman or curl.

As long as you are using the public API and haven’t forged an auth token then it doesn’t matter how you call the public API.


Agree. Who cares about the client implementation?! You sent me the data, I decide how to process and render it. Otherwise we can sue people for having a black and white screen, using a text-only browser, a custom stylesheet or even for closing their eyes when the TV commercials are on.


I'm obligated to point out that BankID is not a national ID. It's an electronic ID issued by private banks.


Your medical records are the property of your doctor.
