
19-Year-Old Archivist Charged For Downloading Freedom-of-Information Releases (www.cbc.ca) 422

Ichijo writes: According to CBC News, a Canadian teen "has been charged with 'unauthorized use of a computer,' which carries a possible 10-year prison sentence, for downloading approximately 7,000 freedom-of-information releases. The provincial government says about 250 of those contain Nova Scotians' sensitive personal information."

"When he was around eight [...] his Grade 3 class adopted an animal at a shelter, receiving an electronic adoption certificate," reports CBC. "That led to a discovery on the classroom computer. 'The website had a number at the end, and I was able to change the last digit of the number to a different number and was able to see a certificate for someone else's animal that they adopted,' he said. 'I thought that was interesting.' The teenager's current troubles arose because he used the same trick on Nova Scotia's freedom-of-information portal, downloading about 7,000 freedom-of-information requests."
The teen is estimated to have around 30 terabytes of online data on his hard drives, which equates to "millions" of webpages. "He usually copies online forums such as 4chan and Reddit, where posts are either quickly erased or can become difficult to locate."
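
The portal behaviour described in the summary, as an added example that is not part of the Slashdot story or any comment: a lookup that trusts the number in the URL, next to one that authorizes each document, plus a self-audit listing which non-public IDs a handler would serve anonymously. The `Release` record, the handler names and the sample store are constructed for illustration.

```python
# Added example: constructed data and hypothetical names throughout.
from dataclasses import dataclass


@dataclass(frozen=True)
class Release:
    doc_id: int
    title: str
    public: bool      # cleared for publication (redacted and approved)
    requester: str    # account that filed the request


# Constructed sample store: sequential IDs, some releases not cleared.
STORE = {
    r.doc_id: r for r in [
        Release(250, "Road salt contracts 2016", True, "alice"),
        Release(251, "Personal file request", False, "bob"),
        Release(252, "Ferry schedule review", True, "carol"),
        Release(253, "Personal file request", False, "dave"),
    ]
}


def serve_naive(doc_id):
    """Pattern from the story: the ID in the URL is the only 'control'."""
    rel = STORE.get(doc_id)
    return (200, rel.title) if rel else (404, None)


def serve_checked(doc_id, user=None):
    """Authorize every object lookup; unknown and forbidden look identical."""
    rel = STORE.get(doc_id)
    if rel is None or not (rel.public or rel.requester == user):
        return (404, None)
    return (200, rel.title)


def audit_exposure(handler, ids):
    """Self-audit: which non-public IDs does a handler serve anonymously?"""
    return [i for i in ids
            if (rel := STORE.get(i)) and not rel.public and handler(i)[0] == 200]


if __name__ == "__main__":
    ids = range(249, 255)
    print("naive exposes:  ", audit_exposure(serve_naive, ids))
    print("checked exposes:", audit_exposure(serve_checked, ids))
```

Running the same audit against a staging copy of a real document store before launch is the cheap check here: any non-empty result means an unauthenticated visitor can read records that were never cleared.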
This discussion has been archived. No new comments can be posted.

  • Government guilty! (Score:5, Informative)

    by nospam007 ( 722110 ) * on Tuesday April 17, 2018 @02:00AM (#56450475)

    ...of criminal stupidity.

    I'm from Luxembourg and my chamber of representatives used the same 'security system' (people can't possibly guess numbers) and was also breached, obviously, since this 'problem' has been known since 1991 or so, when the worldwide web was invented.

    • Re: (Score:3, Funny)

      by Bobrick ( 5220289 )
      Who would've thought that request #252 would follow #251 ?
    • Comment removed (Score:4, Informative)

      by account_deleted ( 4530225 ) on Tuesday April 17, 2018 @04:57AM (#56450929)
      Comment removed based on user account deletion
      • by suso ( 153703 ) * on Tuesday April 17, 2018 @08:21AM (#56451407) Journal

        That's great, but you can also just do this with curl

        curl example.com/[1-1000000].html

        The range functionality is built right into curl. In fact it's even in the opening examples of the man page.

        • by azcoyote ( 1101073 ) on Tuesday April 17, 2018 @09:23AM (#56451787)

          ... In fact it's even in the opening examples of the man page.

          That's exactly why we need more women in tech!

        • What I want to know is: did he use a script (or curl feature) to download 7,000 documents or did he just edit the URL 6,999 times?

          And where is he storing 30TB of data? Yes that is actually affordable (say 4 drives about $250 each) but who spends that kind of pocket money for something so nearly unusable?

          Try doing a grep -r for some string on a mounted USB drive holding 1TB of data and see how long it takes. So what good is that?

          Maybe he scrolls through all those documents one by one. For what. An

    • by mjwx ( 966435 ) on Tuesday April 17, 2018 @08:14AM (#56451357)

      ...of criminal stupidity.

      I'm from Luxembourg and my chamber of representatives used the same 'security system' (people can't possibly guess numbers) and was also breached, obviously, since this 'problem' has been known since 1991 or so, when the worldwide web was invented.

      Yes, Data Protection Acts like the EU GDPR are there to ensure that PII (Personally Identifiable Information) isn't released publicly. However this doesn't mean it won't accidentally be or can't be released. The Canadian govt was silly to let this information be released under FOI requests (I work with FOI requests in the UK, you're supposed to ensure any PII is stripped out, GDPR/DPA trumps FOI and there are strict penalties for non-compliance) but if that fails that doesn't give you carte blanche to copy it, data protection laws still apply.

      However I'm going to make a prediction that won't be popular with the /. Mah Freeedums nutters but it will be more accurate, this will go to court, the Canadian will explain why he was doing what he was doing and the judge will order him to delete the records that contain PII and that will be the end of it. No jail, no fines, just a Canadian judge ordering a Canadian to adhere to the Canadian laws. Chances are the guy didn't even know that the PII was there before he started.

  • by rtb61 ( 674572 ) on Tuesday April 17, 2018 @02:08AM (#56450493) Homepage

    Let's be clear, editing the address line is not hacking, not in any way, shape or form. A user name and password request and getting past that is. Editing your address line on your computer and the distant server allowing it, is a fault of that distant server. A request for access was made and it was legally given, the government is screwed and a penalty should be applied for false prosecution. Strictly their fuckup, they made that information publicly accessible without any restriction and they are fucking liars and fraudsters trying to pin their incompetence on someone else. It is not a crime to edit your address bar, it is strictly their fuck up that caused it. No user name, password request and your web site is public facing, that data is free to download, you just gave it away free from all encumbrances. No different to randomly running IP addresses to download whatever you want. No layer of security, no fucking crime, they are cunts blaming someone else for their incompetence and the victim should sue the crap out of them after this is over.

    • Re: (Score:3, Informative)

      You entirely miss the point. If this was a government fuckup, then someone in government is responsible. Someone senior, whose job it was to make sure these things don't happen. Someone who was given an adequate amount of money for the task. There might need to be an audit to see how this money was spent, and this must never be allowed to happen.

      If this is classed as a security breach, this official's career (and everyone's career she has a mentor relationship with) is in danger. However, if it was a d

    • Sweet, sounds like a great defence. No your honour, I am not a hacker, all I did was send carefully crafted packets to a server, it is not my fault it responded and gave me root access.
    • Try typing random URLs ending in /.. and see how long it takes the internet police to be called on you.

    • by Lennie ( 16154 )

      However, downloading terabytes of data instead of reporting the problem is an issue.

    • Of course it's hacking. It's using software in a way in which it was not intended for your own purposes, what else do you call it? What it isn't is cracking. He didn't defeat any protection, because there was no protection. It's the difference between trespass, and breaking and entering. In the first, you're just someplace you're not supposed to be. In the second, you defeated a protection device to get there. This is equivalent to trespass, not B&E.

      The appropriate harshness of the punishment is a separ

      • Of course it's hacking. It's using software in a way in which it was not intended for your own purposes....

        He was using the site EXACTLY as it was intended to be used: ask the system to provide information associated with some number at the end. This was not exploiting some unintended consequence to make the system behave in an unusual or unforeseen manner. This was making the computer system act in EXACTLY the manner the developer(s) intended.

        If the Government wants to keep information private, the Government should place some form of security in front of it. As it is, there was (is?) NO security in front of

        • He was using the site EXACTLY as it was intended to be used: ask the system to provide information associated with some number at the end. This was not exploiting some unintended consequence to make the system behave in an unusual or unforeseen manner. This was making the computer system act in EXACTLY the manner the developer(s) intended.

          By that logic you could claim any penetration of a system was merely the system behaving exactly as intended because that was how the developer programmed it. I understand where you are going with your argument but it's perhaps a bit more fraught than you realize? After all, how are we as users to know what the developer intended and why should that even matter? It's an interesting question.

          The real question here is when does the system cross the line from no security to bad security from a legal stan

    • by e70838 ( 976799 )
      Even guessing login/password is not hacking if they are simplistic. There was the case of a guy who hacked into a site (a Minitel site in France) that contained the telephone numbers of important people. He used it to give the telephone number of the president to a radio station that called him in direct. The guy was never sent to a judge because the login/password were: aa/ab
    • Let's be clear, editing the address line is not hacking, not in any way, shape or form.

      It is hacking if the government defines it to be hacking. Not disagreeing with you just pointing out that we're talking about the fact that the people who make the laws are the ones we're dealing with here. The scary bit is that they can define something quite innocuous to be against the law. Any time you go against the folks that make the rules things tend to get dicey for the defendant.

      A request for access was made and it was legally given, the government is screwed and a penalty should be applied for false prosecution.

      Again I don't disagree but do you really expect the government to admit fault like that?

      The interesting question is wh

    • Let's be clear, editing the address line is not hacking, not in any way, shape or form.

      Well, to be annoyingly pedantic, there's a line somewhere - for example, you can (though certainly shouldn't) have a session key in a URL, for example ...

      This situation in TFA is, of course (or should be, anyway), far far on the legal side of the line.

  • by cyn1c77 ( 928549 ) on Tuesday April 17, 2018 @02:14AM (#56450503)

    I am trying to understand what he did that was illegal?

    He downloaded documents that the government posted on the internet, by simply "guessing" the URL, which incrementally increased from the URL that he was given by the government?

    Yup, looks like a case of the government trying to offset blame to me!

    • If I seek information under 'Freedom of Information' legislation, I am getting data that the government holds about the world in general.

      If I carry out a 'data access request', I am asking for the data that the government owns on me.

      It appears that Nova Scotia operated a 'data access request' system that held the personal resulting from data access requests on a poorly protected server, which our guy proceeded to access. As such this isn't a freedom of information issue, though it will probably be used as s

      • by Mashiki ( 184564 )

        The problem is that here in Canada, we have stringent privacy laws. He's in the wrong because he got information that wasn't redacted as it was supposed to be by the law. The NS government itself is in breach of the privacy laws because they're not supposed to store personal information like this. Government agencies that handle this stuff have a PIO that scrubs information out for FOI requests. Likely, nothing will happen to him in the end or he'll be given a suspended sentence(meaning no criminal reco

  • It sounds as though he found information published on the web. If I had a book with a custom made index and I was not told that there were pages that were not indexed, is it unauthorised access to leaf it open to one of them?
  • by Aethedor ( 973725 ) on Tuesday April 17, 2018 @02:20AM (#56450515)

    Yeah, sure. Blame the kid. Don't talk about how you fucked up your security so bad that even a kid can bypass it. No, focus on how you were done wrong.

    Seriously, if a small kid can bypass your security, you deserve to be 'hacked'. No mercy for incompetence!

    • We appear to have a classic example of government ineptitude in an obscure part of Canada, where it will be very hard to find competent IT staff. We should not be surprised at the cockup...

    • by gizmod ( 931775 )
      There is no security! Zero authentication is done to access those pages. Any person on the planet can access that information. I bet Google's spider bots have crawled and cached that entire dataset long ago already as well. Sue Google next?
  • If your government is too stupid to secure their databases, you go to jail.

  • Comment removed based on user account deletion
  • by SCVonSteroids ( 2816091 ) on Tuesday April 17, 2018 @05:46AM (#56451059)

    As an Atlantic Canadian this makes me unbelievably sad.
    They just traumatized a family because the government was incompetent. Is this truly where we're going?
    They fucking interrogated his 13-year-old sister?! I mean the documentation was fucking public; THIS IS HOW THEY CHOOSE TO HANDLE THEIR INCOMPETENCY?

    PM is outright saying he stole sensitive information; 15 officers raided the house.

    Atlantic Canada is a pretty quiet place, and there's already enough sketchiness about how the general population feels about our police force; they're really not helping their case. I swear if they (Gov. & police force, RCMP I presume) don't get any repercussions for this I'll be legitimately scared of continuing to live in this country. This is beyond fucking ridiculous. I mean 10 fucking years in prison??

    Yeah; I'm fucking angry, sorry.

  • by sandbagger ( 654585 ) on Tuesday April 17, 2018 @05:57AM (#56451093)

    ...expect that people will find it. This is not hacking, this is shoddy practices by the people running the FOI site and they're blaming the public. Of course, it would require a modicum of technical understanding to not blame someone else.

  • by xvan ( 2935999 ) on Tuesday April 17, 2018 @08:12AM (#56451349)

    "He usually copies online forums such as 4chan and Reddit, where posts are either quickly erased or can become difficult to locate."

    I thought that only porn hoarders existed, but this guy was hoarding 4chan's shitposts.

  • In My Backyard (Score:5, Informative)

    by hipp5 ( 1635263 ) on Tuesday April 17, 2018 @09:01AM (#56451633)

    So I live in Nova Scotia; i.e. this is happening in my backyard. This is absolutely about the provincial government trying to cover its a**. The mistake was discovered internally when a government employee did basically the same thing and accidentally put in a wrong URL... and instead of getting a 404 got documents that shouldn't have been public-facing (including docs with personal info, SINs and the like). Rather than owning up to the mistake and dealing with the consequences, the provincial government kept it quiet for 7 weeks, and are now using this kid as a scapegoat ("EVIL HACKERS, CLUTCH YOUR PEARLS!!!!"). It's absolutely disgusting, and I hope the court of public opinion judges them (the gov) harshly.

  • by ArhcAngel ( 247594 ) on Tuesday April 17, 2018 @09:03AM (#56451655)
    Just because there isn't a hyperlink to the page with the document doesn't make the information private. If there wasn't security on the page/s in question they were public information regardless of what the government intended. The boy broke no laws. And no this is not like leaving your door unlocked and someone walking in to your house/car. It's more like I posted all of these documents on a public document pin board in the middle of the square but put a blank page over them so you couldn't read them without lifting the blank page. I would charge whoever designed the site (not the page coder but the person who decided not to invest in any security) with gross negligence.
  • downloading approximately 7,000 freedom-of-information releases

    I'm confused... Shouldn't the freedom-of-information releases themselves be freely available to the general public?

  • by HeckRuler ( 1369601 ) on Tuesday April 17, 2018 @10:24AM (#56452189)

    "Archivist"? A 19 year old.... archivist? What kind of bullshit made up term is...

    The teen is estimated to have around 30 terabytes of online data on his hard drives

    ...Well alright then. I'm not even mad. Props to the archivist.
