You're a govt official. You accidentally slap personal info on the web. Quick, blame a kid!
Hacking charge for twiddling URL – O Canada!?
Comment: There's a curious legal situation developing in Nova Scotia, Canada, right now.
A teenager is suspected of breaking the nation's hacking laws by downloading PDFs containing personal information from a public government website after officials failed to redact the documents.
The 19-year-old was arrested after more than a dozen cops raided his home last week. He faces a criminal charge of "unauthorized use of a computer," although he has yet to be formally arraigned and thus publicly named.
Here's how it all started. The provincial government of Nova Scotia provides a website called the Freedom of Information and Protection of Privacy (FOIPOP) portal. It is an online database of government records and files made available to everyone on the planet.
These documents are released following successful freedom-of-information requests from journalists and other citizens. Basically, if you request a document, and it is allowed to be handed over, it eventually appears on the public portal so everyone can see it, not just the person who coughed up the five bucks to file the request. The PDFs should have any personal or private information in them redacted prior to publication.
Toe Curl'ing error
In early March this year, someone fetched 7,000 publicly available documents from the site, presumably using a simple script or Curl command line to automate the download. It's pretty easy to do. According to privacy lawyer David Fraser and software engineer Evan d’Entremont, you simply had to change the document ID number at the end of a URL and fetch it. So, you'd download document number 1234, then 1235, 1236, and so on, working through all the digits, one by one, pulling in each file associated with each ID value. It's basic enumeration.
Don't forget, this fetches records and government files that have been released to the general public. So public, in fact, that they were picked up by Google's webcache bots.
However, it turned out about 250 of those PDFs served by the FOIPOP portal had not been properly redacted prior to being made available to the public. These files, we're told, held thousands of Nova Scotians' sensitive private details, such as their social insurance numbers, dates of birth, and home addresses.
On April 5, a government staffer apparently noticed that, yup, you can enumerate all the documents in the database from the website, including the non-redacted PDFs that shouldn't have been there.
A day later, an IT contractor behind the site, Unisys, dug through the logs, and let government officials know that 7,000 files had been slurped by a "non-authorized person." Within 24 hours, police were tipped off, and officers showed up at the teenager's house in Halifax, suspecting him of illegally extracting information from the portal. He was arrested and charged, and faces up to 10 years in the clink if convicted.
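The kind of log review described above can be sketched as follows. This is an added example, not code from the portal, Unisys or the original article: it flags clients whose successful fetches include a long run of consecutive document IDs. The log layout, the `/docs/view?id=` URL shape, the IP addresses and the threshold are all assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Assumed log layout and URL shape (hypothetical; the article gives neither).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
DOC_ID_RE = re.compile(r'[?&]id=(\d+)(?:&|$)')

def longest_consecutive_run(ids):
    """Length of the longest run n, n+1, n+2, ... within a set of integers."""
    best = 0
    for n in ids:
        if n - 1 in ids:        # only start counting at the beginning of a run
            continue
        length = 1
        while n + length in ids:
            length += 1
        best = max(best, length)
    return best

def find_enumerators(lines, min_run=5):
    """Map client IP -> (distinct docs, longest run) for runs of at least min_run."""
    fetched = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":   # ignore unparsable lines and failed fetches
            continue
        doc = DOC_ID_RE.search(m["path"])
        if doc:
            fetched[m["ip"]].add(int(doc.group(1)))
    report = {}
    for ip, ids in fetched.items():
        run = longest_consecutive_run(ids)
        if run >= min_run:
            report[ip] = (len(ids), run)
    return report

def sample_log():
    """Constructed sample: one client walking IDs 1234-1241, one ordinary visitor."""
    fmt = '{ip} - - [01/Jan/2000:10:00:{s:02d} -0000] "GET /docs/view?id={i} HTTP/1.1" {st} 5120'
    walker = [fmt.format(ip="198.51.100.7", s=k, i=1234 + k, st=200) for k in range(8)]
    visitor = [fmt.format(ip="203.0.113.20", s=30 + k, i=i, st=200)
               for k, i in enumerate((88, 4102, 4103, 977))]
    return walker + visitor

if __name__ == "__main__":
    for ip, (docs, run) in find_enumerators(sample_log()).items():
        print(f"{ip}: {docs} documents, longest consecutive run {run}")
```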
Nova Scotia Premier Stephen McNeil went as far as claiming the data was "stolen." The teen's family are hoping the allegations are formally dropped before it gets to court.
Around that time, the FOIPOP website was also offline for about a week for unscheduled maintenance, which raised everyone's suspicions that something was up. Officials later claimed the site had been "breached." Privacy watchdogs announced they were shoving a probe into the affair – including investigating whether or not the portal and its information were properly secured. Top tip: they weren't.
The young adult in question denies any wrongdoing, and insisted all he wanted to do was download public documents. "I just had no malicious intent and I shouldn't be charged for this," the teenager told Canadian telly news CBC this week. His supporters argued he could have had no idea there was sensitive personal information in that 7,000-document trove he grabbed in bulk.
The authorities, somewhat predictably, claim this was a deliberate attempt to swipe folks' private details. Which is exactly what we'd imagine you would allege if you were trying to deflect attention away from the fact someone on your staff bungled and put the wrong files on the public internet.
"There’s no question, this was not someone just playing around," Nova Scotia's Deputy Minister Jeff Conrad briefed journalists. "It was someone who was intentionally after information that was housed on the site."
Jeff, who isn't intentionally after information on a website when they visit it?
We're not the only ones who reckon this looks just a little bit like someone being positioned squarely under a ton of plummeting bricks to bury the fact that Nova Scotia's government screwed up.
"If any of the records contained private information that should not have been released, the government is responsible for that, not the teen," EFF staff attorney Aaron Mackey told CBC.
Nuff said. ®
Updated to add
If you want to chip in some cash to fund the teen's legal defense bills, there's a GoFundMe page here you should check out.