Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Crime Data Storage Databases Privacy Security Technology

Police Drop Charges Filed Against 19-Year-Old Archivist For Downloading FOIA Releases (techdirt.com) 154

An anonymous reader quotes a report form Techdirt: Last month, [...] an unnamed 19-year-old was facing criminal charges for downloading publicly-available documents from a government Freedom of Information portal. The teen had written a script to fetch all available documents from the Nova Scotia's government FOI site -- a script that did nothing more than increment digits at the end of the URL to find everything that had been uploaded by the government. The government screwed up. It uploaded documents to the publicly-accessible server that hadn't been redacted yet. It was a very small percentage of the total haul -- 250 of the 7,000 docs obtained -- but the government made a very big deal out of it after discovering they had been accessed.

Fortunately, Nova Scotia law enforcement has decided there's nothing to pursue in this case: "In an email to CBC News, Halifax police Supt. Jim Perrin did not mention what kind of information police were given from the province, but he said it was a 'high-profile case that potentially impacted many Nova Scotians.' 'As the investigation evolved, we have determined that the 19-year-old who was arrested on April 11 did not have intent to commit a criminal offense by accessing the information,' Perrin said in the email."

This discussion has been archived. No new comments can be posted.

Police Drop Charges Filed Against 19-Year-Old Archivist For Downloading FOIA Releases

Comments Filter:
  • by eric31415927 ( 861917 ) on Tuesday May 08, 2018 @10:44PM (#56578464)

    His hard drives contain sensitive info that may preclude him from ever getting them back.
    Hopefully his other family members get their computers back.

    • by Anonymous Coward

      His hard drives contain sensitive info that may preclude him from ever getting them back.
      Hopefully his other family members get their computers back.

      Hmm sensitive info.. like pron? :-)

      It is kind of sad though that the use of something like wget and a very simple script was suddently considered hacking in Canada... How can they even seize his hardware and THEN decide it was NOT hacking?

      But then again, we had a similar case in Europe... they did not seize hardware prematurely though... to my amazement, the court DID acknowledge that altering URL's even with a script is not hacking, despite a very poor politic IT history :-) ...actually the company behind

      • by Cederic ( 9623 )

        Hmm sensitive info.. like

        Like data pertaining to individuals that should not have been published on the site and to which he should not have access.

        How can they even seize his hardware and THEN decide it was NOT hacking?

        You do not seize hardware after a court case. You seize it to discover evidence that would influence a decision to prosecute. If the decision to prosecute is made, the evidence is then presented at the court case.

        On this occasion the decision was made to not prosecute. Shitty situation for the innocent party, but still a reasonable sequence of actions.

        • On this occasion the decision was made to not prosecute. Shitty situation for the innocent party, but still a reasonable sequence of actions.

          The big problem is that we have so many bullshit laws that so many people are getting busted for violating them that your right to a speedy trial might as well not exist. The only trials which are ever resolved at all quickly are those in which there is significant public interest, and even some of those drag on interminably.

  • Intent? (Score:5, Insightful)

    by Loki_1929 ( 550940 ) on Tuesday May 08, 2018 @10:49PM (#56578476) Journal

    Who the hell cares about his intent? He downloaded information mistakenly posted to a publicly available system. Unless he's trying to sell state secrets to the Russians, which still doesn't criminalize the act of downloading the stuff, there's absolutely nothing he's done wrong. To say otherwise is to say you can criminalize viewing information that the government posts on billboards by the highway if the government mistakenly puts up the wrong information on the billboards.

    Maybe in China.

    • Re:Intent? (Score:5, Interesting)

      by phantomfive ( 622387 ) on Tuesday May 08, 2018 @10:57PM (#56578502) Journal
      Intent is an important part of many laws. For example, it is entirely legal to carry lock-picking tools, but if you carry them with the intent of committing a crime (or even merely have them while committing a crime), that is illegal. I don't know the specifics of Canadian law, but presumably intent is an important aspect of the particular hacking law he was accused of breaking.

      In America, if you use someone else's computer in any way with the intent to hack, even just typing a simple sql exploit into your browser URL bar, then you've committed a crime.
      • Re:Intent? (Score:5, Insightful)

        by slickwillie ( 34689 ) on Tuesday May 08, 2018 @11:07PM (#56578548)
        I think the point is - intent is meaningless if you don't actually break the law. In the post above yours, what if you do have criminal intent when you read the public road signs?
        • Re: (Score:3, Funny)

          by Anonymous Coward

          Law & Order: Traffic Police.

          Officer: Sarge, I just stopped a guy for speeding, and he admitted that he intended to speed even after he read the 40 mph sign at our bottleneck/speed trap on I-5.

          Desk Sargent: Cut his license and drive him to the Precinct. I'll book him on charges of reading a road sign with malice aforethought. Make sure you read him his rights, and then ask him if he was having criminal thoughts when you read him his rights. Maybe we can get a daily double out of this one!

        • Some laws have intent written into them specifically. If there is a law that says, "If you intend to commit a crime when reading a public road sign, that is against the law," then doing so is a crime, but there is no such law.

          In America, the Computer Fraud and Abuse act includes such language: "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access"
          • Comment removed (Score:4, Interesting)

            by account_deleted ( 4530225 ) on Wednesday May 09, 2018 @07:45AM (#56580058)
            Comment removed based on user account deletion
            • But he did not do any of that. He did not defraud anybody. He did not access a protected computer (with or without authorization). He did not exceed the authorized access as no authorization was given.

              He was in Canada, so you will have to look up the exact wording of the law in Canada.

            • Ah, that may be so. But did he exceed the authorization the government _intended_ to give? See, intent still plays a key role!

            • It's more like a sign saying "take this path through the grass" and you actually take another path that was accessible but not supposed to be available and wasn't advertised as being a path through the grass.
          • by Falos ( 2905315 )

            >In America, the Computer Fraud and Abuse [A]ct
            Stopped reading here. Thought we were talking about competent laws. My mistake.

        • Re:Intent? (Score:5, Insightful)

          by Capsaicin ( 412918 ) on Wednesday May 09, 2018 @01:58AM (#56578988)

          I think the point is - intent is meaningless if you don't actually break the law.

          Contrary to OP's post, was not "mistakenly posted to a publicly available system (in the sense OP intends it)," it was instead, insofar as this is relevant, posted to a server with atrociously ineffective "security." Links would be given to individuals to access information to which they alone had been granted the legal right to access. No such right had been bestowed on the accused who circumvented the "security," (as trivial as this was to do), and in doing so breached the privacy of victims who, notwithstanding the negligence of the public authority, had through no act of their own been so exposed.

          The provision under which he was charged was s342.1 of the Criminal Code (R.S.C., 1985, c. C-46) which begins:

          Unauthorized use of computer

          342.1 (1) Everyone is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years, or is guilty of an offence punishable on summary conviction who, fraudulently and without colour of right,
          (a) obtains, directly or indirectly, any computer service;
          (b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system;
          (c) ...
          ... computer service includes data processing and the storage or retrieval of computer data; (service d’ordinateur)
          ...

          For the purposes of the provision " computer service includes data processing and the storage or retrieval of computer data; (service d’ordinateur),"

          The question is not whether he accessed the information indirectly (hacked|cracked), or directly, the question is whether in breaching the privacy of individuals he acted "without colour of right" and "fraudulently." It is the requirement to demonstrate that his behaviour crossed the threshold of fraud, I would image, that poses the largest hurdle to a conviction in this case, but then I am not a Canadian lawyer.

          Nonetheless, there is at least a prima facie case that he did break the law, and thus intent is, contra OP, becomes a material consideration.

          what if you do have criminal intent when you read the public road signs?

          Much of traffic law is governed, the common law world over, and for obvious reasons, by what we call strict liability offences, which is to say offences for which the state is relieved of its ordinary burden to establish intent in criminal cases. These are the exception to the rule that a crime, (in contradistinction to a tort etc.) consists of the combination of the actus reus and the mens rea. Strict liability is necessary evil (from the PoV of the democratic rights-based state) and ought to be both a rare exception as also restricted to crimes where it is both a) impracticable to establish intent (eg. particular traffic offences) and where the punishment available to the state are relatively minor (eg. fines as opposed to custodial sentences).

          In any case, there is nothing in s342.1 (1) which explicitly obviates the need to demonstrate intent. So this is not relevant here.

          Now I would have thought the requisite intent was simply to "obtain a computer service" (i.e. access the data), which his script amply evidences. And remember intent does not require knowledge that an act is criminal. But perhaps there is clear authority to that point and the police are acting on that precedent. Otherwise it should not, in a case where intent (but for some point of law) seems clear, be for the police, but rather for the courts to determine both whether the requisite act and intent are present.

          • Re:Intent? (Score:5, Insightful)

            by james_gnz ( 663440 ) on Wednesday May 09, 2018 @04:00AM (#56579394)

            Contrary to OP's post, was not "mistakenly posted to a publicly available system (in the sense OP intends it)," it was instead, insofar as this is relevant, posted to a server with atrociously ineffective "security."

            I don't know how "security" is actually defined under the relevant law, however I think for something to qualify as security, it ought to require some effort or intent to bypass. Security ought to serve a "notice function". If you can accidentally bypass it without even realising you've done so, I don't think it ought to qualify.

            • If you can accidentally bypass it without even realising you've done so, I don't think it ought to qualify.

              Exactly. That’s why IIRC our (Dutch) laws explicitly state this in their definition of “secured”. It’s the same as trespassing on private property that looks like it might be public, has no gate, and no “private property” sign. Not punishable.

              • Comment removed based on user account deletion
              • There's even a direct equivalent in law in the USA: Trespassing vs. Criminal Trespassing (with intent) vs. Breaking and Entering — the latter requires defeating a security device, however trivial. If you walk up to someone's front door and open it and go inside just to have a look around, that may not even be a crime. In some places, a sign saying "no trespassing" is not particularly legally significant. But once you've been notified that you're trespassing, you're definitely trespassing. If your goal

            • I don't know how "security" is actually defined under the relevant law

              As you can see the word 'security' does not appear in the clauses I quoted, (nor, fyi, anywhere else in the operative clauses of this provision). Consequently any defintion of 'security' would be of no legal effect. Unsurprisingly 'security' does not appear in among the defintiions in the provision.

              The crime here is committed in "obtain[ing], directly or indirectly, any "computer service" (or in causing a function of that system to be

              • The "fraudulently" could also be affected by intent.
                Fraud is taking by deceptive, dishonest means. Therefore intent to deceive, intent to be dishonest, comes into play.

                The Théroux case touches upon intent to deceive and fraud.

                • Fraud is taking by deceptive, dishonest means. Therefore intent to deceive, intent to be dishonest, comes into play.

                  OK, point taken, it may have been fraudulent intent that the prosecution meant when they announced the case was being dropped for lack of intent. My concern about making out fraud was more basic, where is the deception intended or otherwise, but I don't know, what constitutes fraud in Canada may differ from what constitutes fraud in my jurisdiction.

          • Contrary to OP's post, was not "mistakenly posted to a publicly available system (in the sense OP intends it)," it was instead, insofar as this is relevant, posted to a server with atrociously ineffective "security."

            That is a distinction without a difference. To riff on Arthur C Clarke's famous maxim, sufficiently bad security is indistinguishable from no security. The "security" in this case was so bad as to be effectively non-existent. I don't know exactly where you draw the line as a general proposition but it's pretty clear in this case that any claim that this was "secured" data utterly absurd.

            • As sufficiently bad sex is ndistinguishable from no sex?

              That is a distinction without a difference.

              You can see no difference between mistakenly posting to a deliberately non-secured service and purposely posting to a service with inffective security? You also missed the "insofar as this is relevant" ...

              it's pretty clear in this case that any claim that this was "secured" data utterly absurd

              Who claimed that the data in this case was "secured," and why (with reference to the law I posted above) would tha

              • As sufficiently bad sex is ndistinguishable from no sex?

                You'll have to speak from your own experience... ;-) (joking)

                You can see no difference between mistakenly posting to a deliberately non-secured service and purposely posting to a service with inffective security? You also missed the "insofar as this is relevant" ...

                There is no difference because someone can access it without any indication that it is "secured". One could bypass the security without even realizing it was intended to be secure or that any laws were being violated.

                You also missed the "insofar as this is relevant" ...

                I didn't miss it and I actually thought your post was rather good. I just disagree that there is any basis (legal or technical) to say this data was "secured". They may as well have posted the data on a billboard and then tried to

                • You'll have to speak from your own experience...

                  .. some years ago I was in Germany and was introduced to a German drinking superstition. If, when toasting, you look at your glass rather than looking the person with whom you're toasting in the eye, it means you will have "5 years of bad sex." To which I replied, "5 years of bad sex is better than 5 years of no sex at all."

                  There is no difference ...

                  The original statement that the data "mistakenly posted to a publicly available system" is a clear misrep

                  • Again, I'm not sure anyone said it was secured, it was certainly not adequately secured.

                    If it wasn't secured data then there is no basis for arresting the individual accessing the data. If it was secured data it was so badly secured as to not be secured and we are back to there being no basis for law enforcement to get involved. If this data was supposed to remain private the people who posted it to the internet without any meaningful security are the ones who should be speaking to a judge and retaining counsel.

                    As I wrote in another post, a deliberate attempt to circumvent a security feature may go to the issue of "fraudlently" obtaining. Apart from that it is difficult to see what relavance the concept of "security" has to this offence.

                    And my point is that once the "security" reaches are certain level of incompetenc

                    • Fundamentally: circumvention of security is not an element of this offence as it has been drafted. (And for the record, I find this to be a peculiarly drafted law.) Perhaps you can point me to relevant curial authority which reads in that requirement? If not ...

                      If it wasn't secured data then there is no basis for arresting the individual accessing the data.

                      Why not? He wasn't charged with accessing "secured data," he was charged with "obtaining" a "computer service" and doing so "fraudulently and wit

          • How bad does the security have to be, before you can legally assume they meant to grant full access? If you store your money in a hollow pumpkin on your doorstep, can visitors assume it's free money?
            • How bad does the security have to be, before you can legally assume they meant to grant full access?

              If you have to use a URL other than that which given to you, either spelled out, or as an href, I doubt you will successfully be able to claim constructive authorisation to view the document behind that new URL, (where authorisation would usually be required). If you got desparate it might be worth a shot, but as the first line of defence I'd still challenge the idea that changing a URL is sufficient to co

            • Computer access is not legally the same as money.

              There's a lot of legal things where a security device doesn't have to be good, but it does have to be noticeable. If a lock is sufficiently fragile that it opens on a slight bump, the door isn't locked. Typically, a security feature is legally there to tell people that they aren't allowed in.

          • Unauthorized use of computer

            342.1 (1) Everyone is guilty [...] who, fraudulently and without colour of right, [...]

            The kid did the equivalent of look on a bulletin board in an arena/community center, and instead of tunnel-vision to the flyer he was told he could look at, looked 2 inches to the left.
            He then asked someone else (his computer) to continue moving two inches to the left until there was no more 'bulletin board' to look at.
            There was neither fraud nor lack of right, as it was posted on a public board.

            That's why prosecutors dropped the case, as they knew it was the server-owner's (read: government's) fault,

            • The kid did the equivalent of ...

              Please spare us the corny, faulty analogies and stick to the facts of the case and the relevant law.

              There was neither fraud nor lack of right

              I disagree with the latter, I see no right or authorisation to access other people's private information. I do, however, tend agree with the former: trivially changing a URL to look at nearby page should not suffice to make out fraud. In any case, if either of these elements is not satisfied their case is gone.

              That's why prosecut

              • Shill, you need to fuck off; you're getting nowhere with your hollow argument. You're clearly not cut-out for effective scumbaggery...
          • by jdavidb ( 449077 )

            Links would be given to individuals to access information to which they alone had been granted the legal right to access. No such right had been bestowed on the accused who circumvented the "security,"

            The law should never treat security by obscurity as "security." Punishing somebody because somebody else was stupid is beyond wrong.

            • The law should never treat security by obscurity as "security."

              Passwords can be described as security by obscurity.

              • by suutar ( 1860506 )

                looked at from one way, yes, secret knowledge is a form of obscurity. However, that's not how the term is typically used in terms of computer security. A formal definition would be useful :) I think a first cut might be "if getting to the information requires knowledge of a secret that is closely held (like a password) it's not just obscurity. If it requires knowledge of a secret that's embedded in widely distributed and easily accessible code (like a default password in plaintext in firmware/accessible sou

            • The law should never treat security by obscurity as "security."

              You can see the law spelled out above. Where does it say anything about "security?"

              Punishing somebody because somebody else was stupid is beyond wrong.

              This isn't about what happens in anyone's personal opinon to be "beyond wrong." It's about whether the accused comitted an offence under 342.1 of the Criminal Code. Evidently the prosecutors decided they could not prove he did.

          • by anegg ( 1390659 )
            The individual used the public interface to the web site in a manner which the public interface was intended by the originators of that interface to be used. Altering a URL by editing the address line was anticipated by the protocol and is supported by practically every available client implementation of applications that support the protocol. It isn't "hacking" (whatever that is) to use an application in the manner in which it was intended to be used. The government's action in publishing the FOIA info
            • The individual used the public interface to the web site in a manner which the public interface was intended by the originators of that interface to be used.

              No, obviously not by the authors of that particular interface, (in contradistinction to the general protocol perhaps). The designers of that interface evidently though it sufficient to give each applicant a specific URL which they were to use to access only the information they were entitled to see. It almost goes without saying that they failed ev

        • I think the point is - intent is meaningless if you don't actually break the law.

          The GP's point is that many laws are contingent on intent to determine if they were actually broken. Not every law, just some. There's no law against reading a road sign at all criminal intent or not.

          However there are many laws that you would be skirting around every day and the only thing causing you not to break those laws is criminal intent.

      • so traffic tickets is a committing a crime and they can use that to get you for just having them? Good thing we have the NRA to stop any BS like with guns. So bad we don't have the same power for tech stuff.

        • What rights violations has the NRA ever stopped or prevented? None. Do you think the government is afraid of your guns??
          • I think the 2014 Bundy Standoff showed that the government is very much afraid of its armed citizens. The government has nothing to fear from one armed individual. It's the other ~50 million that hold the government to account and help ensure we maintain a restrained, Constitutional republic. All the people scared of President Trump should be thankful all those armed people (including police officers and members of the US military) will never allow him to become a king, no matter how much he might like that

      • Intent is an important part of many laws.

        This. Not only intent, but also discretion. As a practical matter, we've known for centuries that democracies overcriminalize because it is in the interests of legislators to never be blamed for letting a bad person out of jail. Thus the justice system depends on the discretion of police officers not to punish every innocent mistake and the discretion of prosecutors not to prosecute when it's too counterproductive or unfair. This doesn't always work, of course, but it's a huge part of criminal justice.

        Inten

      • What you're saying is true, but what I think the previous poster was referring to was mens rea [wikipedia.org] vs. actus rea [wikipedia.org]. When the police say they dropped charges because they didn't believe there was intent to commit a crime, they are suggesting there was indeed actus rea, but there was no mens rea. What the GP is suggesting, I think, is that there was neither actus rea nor mens rea, and I agree.
      • The Canadian authorities apparently think they are the Stasi.

        Once it was on a public server, without any posted or recognizable warnings, the kid has a pretty solid defense of innocence. If there is some real security breach involved, then they should inform him politely and perhaps firmly, and ask/demand their secret info back (if it still matters).
      • I am, for once, impressed with the maturity and restraint of the /. crew. All this talk of intent, and not one mention of Hillary Clinton.

        Well done!

      • This completely ignores the point that the kid downloaded publicly available documents from a publicly available web server which under normal circumstances and when operating as intended did not restrict access to said documents.

        In short, he did not violate any law, therefore there is no reason to assess "intent". They're still trying to cover their asses for having uploaded sensitive documents to a public webserver, and using some kid as a sacrificial lamb to do it is not okay.

    • Maybe in China.

      In the UK:

      [The London Metropolitan Police] Though what the perpetrator has done may not be against the law, their reasons for doing it are. This means it may be possible to charge them with an offence.

    • Indeed, if a crime was committed then surely it was by the person that released the documents to the public. Mishandling classified documents is a crime of negligence.

    • Further to another poster's comment, intent is almost everywhere in laws. Even look at the more grievous ones (in a simplified nutshell):

      1st Degree Murder: I killed someone. I intended to do it. I planned it out in advance.
      2nd Degree Murder: I killed someone. I intended to do it. I didn't really plan to however.
      Manslaughter: I killed someone. I didn't intend to do it, but through my negligence it happened. I didn't really plan to either.

      So a pretty big difference, not only in charge, but in possible punish

    • Maybe in China.

      The U.S is long headed in that direction already.

  • by grep -v '.*' * ( 780312 ) on Tuesday May 08, 2018 @11:10PM (#56578556)
    If it's on a public facing server it's "fair game", whether it's supposed to be or not.

    And "did not have intent to commit a criminal offense" -- maybe this is just in the US, but I thought that "ignorance is no excuse for breaking the law." If he broke a law, let's have him and the law he broke. If not, let him go -- and then let's update all the knowledge of the people who thought he did so this doesn't happen again. (Tech AND Legal.)

    I don't necessarily mind misteaks :-), but not for a second time. (And can you imagine -- the police arresting you just for accessing a public website?)

    Sounds like he broke the law: "I don't like what you're doing." Where is that one written down anywhere? Or is this the "Nice place you've got here, shame if something ..." law?
    • by amiga3D ( 567632 )

      James Comey specifically stated that Hilliary was not prosecuted because "she had no intent to break the law." So intent and mind reading do play a role in what laughingly passes for police work in the US Federal Bureau of Investigation.

      • James Comey is a liar......Do not refence him.
        • by amiga3D ( 567632 )

          He's got plenty of company there. The 7th floor is full of them. Congress has been content to let them abuse their power for decades and now they've gotten to the point where they feel they are entitled to act as they see fit regardless of any rules or laws. I blame Congress for all of this, it's their damn job to oversee these agencies and to reign them in. That's what they are there for.

      • And everywhere else. Lots of laws are based on intent. The usual difference between first-degree and second-degree murder is intention.

    • Intent, specifically Mens rea [wikipedia.org] is an important part of the legal system.

      Although what he ultimately did was illegal (obtained unredacted state secrets). He was not originally trying to obtain state secrets, nor could he have reasonably thought that what he was doing would lead to him obtaining state secrets. He had no reason to believe that the information he was able to access via that website, whether he did it via hyperlink or via a script as described in the original article would be anything other than

    • by Aereus ( 1042228 )

      Not just that it was public facing: If it was the FOI website, wasn't that the entire point of the server? To provide these documents to citizens? The only minor issue I could see was if he didn't set a reasonable refresh time on scraping documents and was hammering the server, thereby causing troubles for other users.

    • maybe this is just in the US, but I thought that "ignorance is no excuse for breaking the law." If he broke a law, let's have him and the law he broke. If not, let him go

      Ignorance of the law is no defence. Ignorance of the facts can be. For example, if I buy something and it turns out it's been stolen, I'm not guilty of a crime, but if I know it's been stolen I am.

      It comes down to criminal intent, or mens rea (which literally means "guilty mind"). It's always tricky to prove because it's easy enough to

    • maybe this is just in the US, but I thought that "ignorance is no excuse for breaking the law."

      It depends on precisely what you are ignorant of. "ignorance of the law is no excuse" is usually how it's phrased, IIRC, which strikes closer to the truth because it's about being ignorant of *the law*, not ignorant of *the facts*.

      Generally in criminal law (at least in the US), a mistake of law ("I did not think it was illegal to do X") will not excuse a crime, but a mistake of fact ("I did not think I was doing X") can sometimes negate a required element of the crime. So if you take a pen knowing it belong

    • If it's on a public facing server it's "fair game"

      No it's not. ... I don't agree with it, but just accessing information not intended for you is illegal in some jurisdictions. The outcome of those cases is very similar to what happens when you hit someone with your car. Did you accidentally bump into them? Did you attempt to murder them?

    • by jm007 ( 746228 )
      analogy time!!

      - public servant needs to get info to citizen
      - servant leaves a box of papers on the sidewalk for the citizen to pick up later
      - trash/recycle man comes by and takes box
      - gov't decides this was important personal info and the trashman is arrested for theft, etc.
      - why the fuck isn't the dumbfuck entity that puts shit on the sidewalk as a normal course of business not on the hook?!?
    • If it's on a public facing server it's "fair game", whether it's supposed to be or not.

      Exactly this. If the government wants to go after someone, go after the person who uploaded the non-redacted documents to the public server. That's where the problem occurred, not with the kid whose script to access public documents also pulled documents that shouldn't have been there.

    • "If it's on a public facing server it's "fair game", whether it's supposed to be or not."

      I don't think that is really the case, though that could be that the above comment could be interpreted differently.

      Just because it is on a public facing server doesn't make it fair game. I think in this particular case what was wrong was that they didn't make a reasonable effort to keep it secure, and it was also reasonable to assume that as a result the individual didn't realize they were doing anything wrong as a res

    • Additionally, once the police are involved, they gotta do what they gotta do until the investigation is done.

      Pretty sure once the police (and crown lawyers) finished finding out what had occurred, they were pretty unimpressed with the NS government, and were like "uh huh".

      As mentioned in the previous article, if there is any legal action here it is more likely going to be in the form of civil suits from either the kid, or those individuals who's information was released by the negligence of having what amou

  • Mistakes (Score:3, Insightful)

    by Anonymous Coward on Wednesday May 09, 2018 @12:16AM (#56578696)

    People that can use computers gets punished for the mistakes made by people that can't use computers...

    Reality is just like working in IT.

  • The legal profession adopted a saying which goes all the way back to ancient Greece [circa 4th Century BC]:-

    "The wheels of justice turn slowly, but they grind exceedingly fine..."

    Meaning that although changes to the law and the framework of justice might take a while to be developed, once done, the result tends to be pretty comprehensive. Of course, this means that there is a dynamic tension between "Justice" (which moves slowly) and anything which is dynamic and develops quickly.

    What is perhaps mo
  • > did not have intent to commit a criminal offense by accessing the information,

    When the computer hacking laws were introduced, that was one of the drawbacks: Intent does not matter, for the law. So in this case, it is just the law enforcement being nice in not pursuing the case while they are convinced there was no intent.

    But according to the letter of the law, intent does not matter!

  • Putting an address in the address bar of a browser is not a crime?
    Call me shocked.

  • We all have something to hide from the state, to wit every single activity you perform because it can piss them off arbitrarily.

  • There is still a little bit of hope for Canada. I am happy.
  • The real crime (Score:2, Insightful)

    by Anonymous Coward

    Why is noone interested in why the non-redacted data was there publicly available in the first place? It seems a far more relevant topic to me than whether or not someone accessing it is in the right or wrond. If anyone should be sanctioned, it should be those people or the agency which publicized the private data to begin with.

  • by Mr_Blank ( 172031 ) on Wednesday May 09, 2018 @06:11AM (#56579728) Journal

    Dilbert. http://dilbert.com/strip/2018-05-09 [dilbert.com]

    Tags
    #hackers, #hacking, #api, #jargon, #obliviousness, #language

    View Transcript

    Transcript
    Narrator: Dogbert The Reporter. Dogbert: How did hackers get access to your customer data? CEO: I'm told they used something called "our A.P.I." to suck out all the data. Dogbert: I'll just say you'er stupid. CEO: Why does everyone always say that?

  • So first off, yeah, overall this is a good thing. I don't think the kid deserved to be charged at all and it was a case of grossly mishandling private information, what little there was. The FOIA content itself really ought to be public anyway.

    But this is a real kick in the pants for the rule of law. It's "high profile", so the cops won't touch it? It means you really need to go to the press and get people angry about issues and get them to mail officials. Bitching and moaning and mob rule is the new rule.

"...a most excellent barbarian ... Genghis Kahn!" -- _Bill And Ted's Excellent Adventure_

Working...