back to article You're a govt official. You accidentally slap personal info on the web. Quick, blame a kid!

There's a curious legal situation developing in Nova Scotia, Canada, right now. A teenager is suspected of breaking the nation's hacking laws by downloading PDFs containing personal information from a public government website after officials failed to redact the documents. The 19-year-old was arrested after more than a dozen …

  1. Ole Juul

    Unisys screwed up

    Unisys, dug through the logs, and let government officials know that 7,000 files has been slurped by a "non-authorized person.”

    This was not a "non-authorized" person because the files were publicly available.

    1. Sorry that handle is already taken. Silver badge

      Re: Unisys screwed up

      And intentionally so!

    2. Dodgy Geezer Silver badge

      Re: Unisys screwed up

      Pipped me to the post!

      I don't know the detail of Canadian law. However, if this had happened in the UK and they wanted to make an example of this young man, our computer misuse legislation would enable them to do so.

      The issue here is not that the accused accessed data that was made publicly available - which, of course, he has every right to do. The issue is that he used a non-standard way to do so, and hence (I'm guessing without knowing the technical details) circumvented the countermeasures which were put in place to control the data output. That's a crime.

      Now the circumvention was trivial - but if required to prosecute this case that is the argument I would use. Luckilly, I think I can rely on the Canadian authorities not knowing what The Register is, let alone reading it for hints as to how to proceed...

      1. Dan 55 Silver badge

        Re: Unisys screwed up

        I don't know the detail of Canadian law. However, if this had happened in the UK and they wanted to make an example of this young man, our computer misuse legislation would enable them to do so.

        Example from 2005.

        Man fined due to BT's shitty donation page.

      2. tfewster
        Facepalm

        Re: Unisys screwed up

        Typing a URL in by hand (rather than clicking on a link in a personalised email) is "non-standard"? I take your point, but a decent lawyer should get that thrown out. Similarly, wget/curl are standard tools

        If my bank left a pile of money on a table for me to take my own, I might be tempted to take a bit extra. Yes, that would be theft, but also entrapment.

        1. Anonymous Coward
          Anonymous Coward

          Re: Unisys screwed up

          For morons at expert bureaucratic level, yes typing URLs in instead of clicking IS "non-standard". As for wget and curl, if you showed them the shell script with loop to grab all 7000 files they'd think to themselves "we have an open and shut case of hacking here, that's obviously something only a seasoned pro hacker could manage!"

          1. CrazyOldCatMan Silver badge

            Re: Unisys screwed up

            that's obviously something only a seasoned pro hacker could manage

            ... and pretty much the only circumstance where I could even be considered "a seasoned pro hacker"..

        2. mickaroo

          Re: Unisys screwed up

          "If my bank left a pile of money on a table for me to take my own, I might be tempted to take a bit extra"

          I believe that this analogy only holds if it's "public money". You can take as little or as much as you want and it's totally free. The issue here is that the "public money" also contained some krugerrands the bank had stupidly forgotten to separate out, and the kid arrived with a dump truck.

          I'm Canadian, and I think the charges need tossing...

          1. Dr. Mouse

            Re: Unisys screwed up

            If he gets convicted of this, the law is not fit for purpose.

            I have, more than once, used similar techniques to grab a bunch of data from a website, as I'm sure many on here have too. I haven't always needed it all, but it was easier to grab it all then filter it later, and who has time to delete the stuff you don't want?

            Even so, if a file is on the public internet then you are authorised to download it. If you weren't, the server would respond with an error code.

            This would be analogous to a library getting a kid charged with theft for borrowing a book which should not have been there, even though the librarian stamped it out and said nothing. How the hell should he know that it's he shouldn't have it? It was there with all the other books, in a place where books are supposed to be borrowed, with no indication that he was not authorised to borrow it.

            1. Jason Bloomberg Silver badge

              Re: Unisys screwed up

              This would be analogous to a library getting a kid charged with theft for borrowing a book which should not have been there

              I would refine that to having partaken in a "grab a box of books for free" offer and not even knowing what he has taken.

              I really cannot see how they can make the charges stick. Plenty of charges though which should stick for the real criminals here.

              1. Dodgy Geezer Silver badge

                Re: Unisys screwed up

                A better example might be that the library have a shelf with free give-away books, and have put some that they don't want to give away there by mistake.

                Now you are meant to come in at the front door and ask the librarian for a book on her list - and then she gives it to you from that shelf. You can't ask for the mistaken books, because they are not on her list. But one night a kid outside the library opens the window next to the shelf and takes a whole armful of books, including some which weren't on the librarian's list...

                1. pmb00cs

                  Re: Unisys screwed up

                  "A better example might be that the library have a shelf with free give-away books, and have put some that they don't want to give away there by mistake.

                  Now you are meant to come in at the front door and ask the librarian for a book on her list - and then she gives it to you from that shelf. You can't ask for the mistaken books, because they are not on her list. But one night a kid outside the library opens the window next to the shelf and takes a whole armful of books, including some which weren't on the librarian's list..."

                  Given he could just run get requests if there was an access control system (which none of the information I have read suggest there was) it was more like the library putting that shelf outside the front door, clearly labelled to say the books are free, with a sign inside the library telling people they need to ask the librarian which books they can take, and a teenager, having never been in the library, but seeing the shelf labelled as a "free books" shelf, helps himself to some books from that shelf, not knowing there is a process to take the books, or that some of the books might not be free.

                  I'm not saying it isn't a crime, but it ought not be, and the library management should be sacked for gross incompetence.

              2. DJSpuddyLizard

                Re: Unisys screwed up

                I would refine that to having partaken in a "grab a box of books for free" offer and not even knowing what he has taken.

                No, it's like a pile of books available for free - "please take one [or more]!", and the kid shows up with a robot that picks up the books one by one and shoves them in a box.

                The fact that one of the books is "Top Secret Methods for mounting rockets on LaserSharks" is not his fault.

            2. (AMPC) Anonymous and mostly paranoid coward

              Re: Unisys screwed up

              There are many laws on the books, but no justice

        3. Dodgy Geezer Silver badge

          Re: Unisys screwed up

          If they left it there by accident, would that also be entrapment?

        4. PacketPusher
          Headmaster

          Re: Unisys screwed up

          >>If my bank left a pile of money on a table for me to take my own, I might be tempted to take a bit extra. >>Yes, that would be theft, but also entrapment.

          No it would not be entrapment. Entrapment requires the prosecution or their agents to suggest the crime. While the money is unsecured, the bank is not suggesting you take it. We are supposed to be honest and take only what is ours.

          This does not apply to the fellow that was arrested as he had reason to believe that all of the information is public when he copied it. I suppose if he knew that there was private information there an argument could be made that it was not his to copy, but how could he know that without looking at it first.

          1. Jtom

            Re: Unisys screwed up

            This case is more like what almost happened to my brother. He was in a store that had a sign that said, "FREE," in big letters next to some inexpensive trinkets. He was just about to pocket one when he noticed the much smaller words at the bottom if the sign, "with the purchase of,"...

            He was incensed that he was almost tricked into shoplifting, a serious problem for him, even if they did not prosecute, since he is a judge.

            In this case, though, the fine print wasn't even there.

          2. My Alter Ego

            Re: Unisys screwed up

            "Entrapment requires the prosecution or their agents to suggest the crime."

            I don't know about the UK or Canada, but apparently it's completely legal in the US for law enforcement to suggest a crime. All you have to do is refuse. It becomes entrapment if they coerce you into committing the crime.

            Source: Law Comic - Entrapment The whole strip is actually pretty interesting.

      3. rg287

        Re: Unisys screwed up

        The issue here is not that the accused accessed data that was made publicly available - which, of course, he has every right to do. The issue is that he used a non-standard way to do so, and hence (I'm guessing without knowing the technical details) circumvented the countermeasures which were put in place to control the data output. That's a crime.

        An HTTP request is non-standard?

        If indeed he was just using cURL with enumeration then it is literally just HTTP requests. Automated yes, certainly quicker than browsing to individual pages and clicking "Download". But if that's a crime than web.archive.org is as criminal as they come, to say nothing of Search Spiders crawling/indexing both the file names and content.

        1. Dodgy Geezer Silver badge

          Re: Unisys screwed up

          ...Automated yes, certainly quicker than browsing to individual pages and clicking "Download". But if that's a crime...

          It's not what he did. It's what he didn't do. I don't know anything about the user interface, but if he didn't use the provided method for accessing the files, then he has avoided an access control facility. Which is, as I say, a punishable crime in many countries.

          1. stratofish

            Re: Unisys screwed up

            If the files are not protected by that access control facility then he didn't bypass or avoid anything other than an index page which is fine. Unknown links are not a defence, see the definition of "security through obscurity" for details of why that is a terrible way to protect things.

            As a web developer you protect every route to a resource not just the one that most people see. If the files were accessible by direct URL without access checks when there should have been some then the webite operator is 100% liable for those files being publicly available. If the index page links directly to that PDF URL then it is even worse because the URL is also the canonical location of that file. If the URL obviously matches a pattern then it should be expected to be enumerated at some point and protection added if that is not desirable.

      4. Dodgy Geezer Silver badge

        Re: Unisys screwed up

        I assume the thumbs-down crew are the ones looking to hack into the government, given the chance?

        In the meantime, all those who complained that just making an html request shouldn't be illegal have completely missed the point.

        The point is that the kid did not go through the officially-provided access control system. I don't know what that did, and whether it would have stopped him, but the act of avoiding any access control process is a crime in many jurisdictions.

        You can argue that it shouldn't be, that what he did did not breach the aims of the web site, and that there was no indication that he should not have accessed things this way. All true, but irrelevent. In many countries, that's a crime.

        You may not like it - I do not like it, but that's the way our laws are written...

        1. Dodgy Geezer Silver badge

          Re: Unisys screwed up

          It would be nice to know why someone disagreed with a statement of the law...

          1. Anonymous Coward
            Anonymous Coward

            Re: Unisys screwed up

            "It would be nice to know why someone disagreed with a statement of the law..."

            You haven't stated any laws, just opinion backed by some rather dodgy analogies. Secondly, this is a tech site and many of the audience have used the same methods to "download the lot and I'll sort it out later"....which is very much faster than clicking on every single link. I have done this myself, and it's a lot faster to deal with a directory full of random stuff than it is to fish out all the desired bits manually; waiting for a page refresh between each action.

            More to the point, the website is specifically for the public to download documents. If the documents in question have not been properly processed (redacted in this case) then they have no business being on a publicly-accessible website. is is negligence on the part of the website operators, pure and simple.

            Time to cut loose with a dodgy analogy of my own: The website operators are doing the equivalent of pointing at a random person and shouting "Thief!" in order to mask their own getaway. And that's wrong.

          2. Jtom

            Re: Unisys screwed up

            Don't know what the law says, don't care, but your interpretation if it makes the use of any search engine illegal.

        2. Dan 55 Silver badge

          Re: Unisys screwed up

          The point is that the kid did not go through the officially-provided access control system.

          Yes he did. It was a public link and the web server did not throw 401 Unauthorised, 403 Forbidden, 408 Busy, or 429 Too Many Requests.

        3. Allonymous Coward
          Boffin

          Re: Unisys screwed up

          just making an html^H^H^H^HHTTP request

          FTFY.

        4. tghosgor

          Re: Unisys screwed up

          The words "html request" gave the fact up that you are an illiterate on this situation and should end your illiterate claims before you embarrass yourself more.

          The browser is not "the standard" way for accessing the content on the web. Has never been. It just makes it more convenient to use. By your logic, Google would be "the standard" way of searching something on the internet and we should prosecute everyone who uses DuckDuckGo to find specific things where Google's prioritization-by-popularity technique becomes trash.

    3. Sgt_Oddball
      Paris Hilton

      Re: Unisys screwed up

      But Google's fine to index them all?

      1. dnicholas

        Re: Unisys screwed up

        Gotta cache 'em all

        1. CrazyOldCatMan Silver badge

          Re: Unisys screwed up

          Gotta cache 'em all

          "One (token) Ring the capture them and in the darkness cache them"?

          Sounds suprisingly... painful.

    4. SVV

      Re: Unisys screwed up

      "A day later, an IT contractor behind the site, Unisys, dug through the logs, and let government officials know that 7,000 files has been slurped by a "non-authorized person.” Within 24 hours, police were tipped off."

      Firstly,this sounds like they just listened to Unisys trying to hide their sheer ineptitude by misdirecting them to believe that accessing publicly available files on a webserver was a "hack by a non-authorised person". Naughty Unisys. Looks like THEY made them freely available via nonsecured URLs, therefore they released them to the public, therefore they should be the ones up in court if they shouldn't have been on general release.

      Security by obscurity is NOT security,therefore it would be ideal if countries' hacking laws were clarified to make this point clear. Ask elected representatives why mistyping https://xyz.com/1234 as https://xyz.com/1235 in a browser should land you in court, cost you a fine and lose you your job and career. It is the WEBSITE'S RESPONSIBILITY to secure resources with authentication, etc if they are not to be made public. Attempts to subvert this type of security ARE hacking. Otherwise they should be legally regarded as public and freely released.

      1. gnarlymarley

        Re: Unisys screwed up

        Firstly,this sounds like they just listened to Unisys trying to hide their sheer ineptitude......

        Almost sounds like Unisys was told by the government of what to say, as the government found this before Unisys did. Seems to be that someone in the government is trying to cover their.......

    5. anothercynic Silver badge
      Facepalm

      Re: Unisys screwed up

      Of course Unisys engages standard CYA protocol: "A hacker! A hacker did this! Didn't you watch Hackers? They're all these wayward kids who steal and break things and who wear funny clothes and speak in l33t language!"

      What Unisys *should've* done was: "Oops. yeah, we cocked up, sorry! We'll fix the files and ask the guy in question nicely to the delete the ones he has and give him a fixed archive".

      OY VEY!

      1. Clunking Fist

        Re: Unisys screwed up

        "What Unisys *should've* done was"

        Yeah, someone probably suggested that. But then someone in a managerial position said "No way: that would be embarrassing".

        Of course, it the meantime, their chosen course of action has made the provincial government, police and themselves look like Orwellian bullies. The press & media will hopefully be having a field day with this. That is very very embarrassing.

  2. Paratrooping Parrot
    Mushroom

    Seems like deja vu

    Why do government officials always blame "hackers" whenever they don't want to understand when something does not go their way with computers? Then they call in the police SWAT equivalent.

    I hope that the judiciary will agree with the teenager, although I feel like they will side with the government official on this. Most of them do not understand the basics of a computer as witnessed in the questioning of Zuckerberg at congress.

    There needs to be special judges who understand computer technology as well as the law who should be the judge of computer related "crimes".

    1. Flocke Kroes Silver badge

      Re: Seems like deja vu

      A decade ago Jerry Taylor - who has "22 years in computer systems engineering and operation" - got famous for threatening to complain to FBI about Centos because his web site had Centos's "Apache not configured" page on it. According to Mr Taylor, the guy from Centos giving him free technical support "Put in on TheRegistry", where you can find stories about the aftermath. The link to the transcript of the emails is now broken, but copies remain in dusty corners of the internet.

      Goverment officials have clearly learned from this, hence the right to be forgotten.

    2. Pascal Monett Silver badge

      Re: Seems like deja vu

      You do not need to know how a computer works to balk at so-called non-authorized access to public data.

      All you need is a functional brain and an extremely basic notion of logic.

      1. Gordan

        Re: Seems like deja vu

        *All you need is a functional brain and an extremely basic notion of logic.*

        Actually, it turns out that you don't need that functional a brain to be a civil servant:

        https://www.theregister.co.uk/2007/07/23/french_no_brainer/

      2. Prst. V.Jeltz Silver badge

        Re: Seems like deja vu

        Jeff, who isn't intentionally after information on a website when they visit it?

        the guy need a captain obvious award

      3. gnarlymarley

        Re: Seems like deja vu

        All you need is a functional brain and an extremely basic notion of logic.

        They are politicians. I think the basic meaning of the word politician in the USA is someone that does not have/use a brain. Being that Nova Scotia is so close to the USA, maybe the political stupidity is bleeding over.

  3. Notas Badoff

    Govt publishes unpublic public documents! Details at <random> o'clock.

    Someone said "Give me a script I can run to upload the latest PDF to the site." Script says here you go, the next consecutive number was '1242'. What, you demand complicated interactions with public servants and 32 hex digit UUIDs? Hahaha.

    The core point here is, when is a document *published* ? If I stick a magazine on the shelf at the corner drug store, is it not published and available to all comers?

    Crap, now I'm nervous I downloaded all those IETF RFCs in sequence.

    1. DropBear

      Re: Govt publishes unpublic public documents! Details at <random> o'clock.

      For some definitions, something only counts as "authorized" access on the web if there is a way to arrive at a link saying "click here to download <thing>" strictly by clicking through from the site's main landing page. Not that I particularly agree, but things are what they are, and I can see institutions preferring to stick to this one whenever they have egg on their faces; and in a world capable of seriously debating whether linking to something is the exact same thing as publishing it yourself I wouldn't fancy my chances of judges making the right call.

  4. ThatOne Silver badge
    Unhappy

    Unequal contest

    Apparently it's way too easy to make a scapegoat out of someone when you're in power: After all this kid did visit their website and did download information he shouldn't have access to, didn't he. No reason to dwell on the fact that secret information was freely available...

    One could consider there was no way he could had known part of the documents weren't properly sanitized, one could even mention entrapment in this context, but well, I guess he can't afford a lawyer good enough to avoid him his bitter scapegoat destiny. What's 10 years of your life compared to some civil servant not getting bothered...

    1. Pascal Monett Silver badge

      Re: Unequal contest

      I think you glossed over the fact that the information was published for public access.

      So no, the kid did not download information he shouldn't have access to. He, and everyone in the world, has access to that information.

      1. Jeffrey Nonken

        Re: Unequal contest

        No, I think GP has it right: he downloaded information he shouldn't have had access to. Which is NOT the same as saying his access was unauthorized. Just that the information should not have been so easily accessed.

        He shouldn't have been able to use that trick.

        Not his fault he had access to it.

  5. Anonymous Coward
    Anonymous Coward

    Freedom of Information and Protection of Privacy Portal

    If anyone is struggling to explain irony I think this is the perfect example, there's a reason Alanis is Canadian.

    1. psychonaut

      Re: Freedom of Information and Protection of Privacy Portal

      hmm except no.

      alonis, ironic . ed byrne.

      https://www.youtube.com/watch?v=XfpB0kDLEts

  6. FozzyBear
    Black Helicopters

    Good Ol' Government Mentality

    If you break the law you will be arrested and punished.

    If we break the law you will be arrested and punished

    When we make embarrassing mistakes. You will be arrested and punished

    Friggin' muppets the lot of them !!!

    1. DropBear
      Meh

      Re: Good Ol' Government Mentality

      Yes. Embarrassing your liege has been a crime since before we invented fire. It still is. The laws proclaiming it so just happen to be unwritten, but not any less real.

    2. handleoclast

      Re: Good Ol' Government Mentality

      @FozzyBear

      Friggin' muppets the lot of them !!!

      "Muppet" is a trademark owned by Disney, who would not like your casual use of the term. Especially in combination with "Friggin'".

      I suggest you replace it with "fuppet" (c.f. "fugly").

      1. FozzyBear
        Alien

        Re: Good Ol' Government Mentality

        @Handleoclast

        I was looking for an analogy to a semi sentient life form that fucks up anything it touches. a-la Swedish chef or the drummer animal.

        Unfortunately, since the first posting I have had to deal with two separate government departments. As a result, I now have to revise my initial assessment to something more realistic. The closest I've come is some sort of primordial sludge that has accidentally burped itself out from underneath the excrement of some other single celled organism.

        My sincerest apologies to obviously more intelligent Muppet's, Please don't send Miss Piggy in retribution

        1. CrazyOldCatMan Silver badge

          Re: Good Ol' Government Mentality

          obviously more intelligent Muppet

          The dog gets called a duppet when he does something wrong.. (portmanteau of 'dog' and 'muppet' as in sprired by the song "Am I a muppet or a man"..)

          Just a small snippet of my wildly exciting home life. In other news, the 8-month old kitten has now discovered how the cat door works. It only took her 2 months of watching the other cats..

          This post bought to you courtesy of high-strength codeine painkillers. People who say "the warmth will help your joints" should, IMHO just go away. Falabh 'sa boc an airde

      2. Clunking Fist

        Re: Good Ol' Government Mentality

        ""Muppet" is a trademark owned by Disney,"

        Likewise: don't refer to Freedom of Information and Protection of Privacy (FOIPOP) portal as some kind of Mickey Mouse outfit.

  7. Milton

    Contemptible

    The government publishes information as legally required by an FoI request. It does so on a webiste, thereby making it available to anyone who wishes to see or download it.

    Some idiot forgets to redact private information that shouldn't have been part of the publication.

    People access, browse, read and presumably some also download the PDFs. That's why they were published.

    One person, wishing to do the same but without necessarily selecting individual documents, uses a simple script to grab the lot.

    Questions:

    1. Was there anywhere on the website a ToU or T&C prominently displayed, which required all users to read and agree to it?

    2. If this is existed, did it specifically say—

    2.a. You may not download stuff by any means except individual meat-finger clicks on a link, i.e. don't use any form of scripting or automation to make multiple downloads quicker

    2.b. If you notice that we have published something we shouldn't have (if you're alert enough to realise that the government has made a mistake) you must stop reading, and tell us?

    Because if not, the already weak case against this kid is even more hopelessly spurious and unfair. Why shouldn't he choose to read information published by the government ... for people to read? Why shouldn't he download it—this is a perfectly common and acceptable activity. It's especially common with tranches of docs published as PDFs. Yanking a bunch of stuff to read at leisure when offline is not even controversial. Every sentient website owner in the world assumes it may happen: if you don't want people using scripts to harvest data—perhaps for bandwidth/cost issues—you set up protocols to stop them, usually by recognising individual IPs or logins and imposing limits. This is all commonplace. It has been commonplace for more than 20 years.

    Is there any evidence whatsoever that the guy further extracted or processed the incorrectly unredacted info? That he was harvesting that data specifically? That he was offering it for sale or other dissemination?

    If not, I repeat: there is no part of what this guy did that it is remotely abnormal, forbidden, unethical, exploitative or wrong.

    All of this, because some typically useless government employee screws up? Because they don't know how to manage a website? It's utterly contemptible.

    PS What if a news organisation employee, say a journalist investigating government malpractice or corruption, had used a script to download a shedload of stuff from a government website where that information had been published for open access by anyone? Why, in short, should the use of a perfectly normal and comonplace script be considered, per se, evidence of any wrongdoing?

  8. chivo243 Silver badge
    Facepalm

    Woo woo, chug chug

    Why do I feel like this kid will be railroaded in this one?

    I was once kicked out of a bar for taking a free promotional poster for the band that was playing that night.

  9. A Non e-mouse Silver badge

    Someone should make an FoI request to see how many copies of those dodgy documents were downloaded.

  10. Doctor Syntax Silver badge

    "Which is exactly what we'd imagine you would allege if you were trying to deflect attention away from the fact someone on your staff bungled and put the wrong files on the public internet."

    Actually, no. I'd expect them to quietly fix the problem and do everything possible to avoid publicising that it ever happened. Are any of them called Streisand?

    1. Wulfhaven

      It may be that they hoped that the kid and family would be sufficiently scared to keep their mouthes shut after raiding their home and turning it inside out.

      Apparently, that hope was misplaced.

    2. Anonymous Coward Silver badge
      Facepalm

      If it were a company, you'd be right. We're dealing with government mentality here though, so deploy the "blame someone and make an example of them" technique.

  11. Nick Kew

    Unauthorised access

    Looks like he did something unauthorised, in the same sense I'm about to when I walk out of my front door to go to Sainsburys. No-one has authorised me to walk the scenic route there, nor the straight route back with a laden backpack. It's just something we do without question.

  12. Anonymous Coward
    Anonymous Coward

    "His supporters argued he could have had no idea there was sensitive personal information in that 7,000 document trove he grabbed in bulk."

    Ignorance of the law is no excuse.

    1. teebie

      Its not against the law to download documents from a website whose entire purpose is to allow downloading of documents.

    2. John Robson Silver badge

      "His supporters argued he could have had no idea there was sensitive personal information in that 7,000 document trove he grabbed in bulk."

      Ignorance of the law is no excuse.

      No - but Mens Rea is hard to demonstrate, I download a government published document from the government run site...

      Before I download it I can't know that the government have accidentally uploaded the nuclear launch codes...

      1. Anonymous Coward
        Alert

        Before I download it I can't know that the government have accidentally uploaded the nuclear launch codes...

        An interesting point. To what information might you one day make unauthorised access if you follow Trump on twitter?

      2. Mike 137 Silver badge

        Mens Rea

        Unfortunately this appears from the article to be a strict liability offence, whereupon mens rea is not necessary. It's a pity, but strict liability is becoming increasingly common. I guess it saves the courts money and time.

    3. Francis Boyle Silver badge

      Er, this is ignorance of the fact that someone did something stupid

      A slight difference there.

    4. nematoad
      FAIL

      Bah!

      "Ignorance of the law is no excuse."

      No, but not being gifted with telepathic powers that allow you to see what's in the documents before reading might be.

      The people who are presumably breaking the law in this case are those who failed to redact sensitive information before publishing it. If I were one of those affected by this I would be taking aim at the bureaucrats not some teenager.

    5. gnasher729 Silver badge

      Ignorance of the law is no excuse, but ignorance of facts is.

      I have 100 books in my garage that just take up space. I put them in a box outside my home with a sign "pick whatever you want". You can pick whathever you want, legally. Unfortunately I put one very expensive book in the pile that belongs to my neigbour by mistake. You have no right to take it, but if you take it, that's ignorance of the facts. No theft.

    6. Anonymous Coward
      Anonymous Coward

      "His supporters argued he could have had no idea there was sensitive personal information in that 7,000 document trove he grabbed in bulk."

      Ignorance of the law is no excuse.

      The internet should be think of it like a library, a public library. Each computer/server/cloud is a shelf, each website is a book on the shelves, each comment is a doodle on the book. Search engine here would be librarian who would pickup the books for you when you request. Finding website with links would be you picking up the book from just the book ID.

      If there is a lock on the book, and I forced opened it without the book author agreed to, then it is unauthorized access.

      Put the kid into this context, the kid here is just picking up all the books from the shelves from one section using just the book ID. Considering that there is no lock on the book (website), it should be by default not unauthorized access.

  13. Aaiieeee
    Unhappy

    Poor kid

    Depending on his personality this may really affect his future. He may grow stronger and learn to stand up for himself, he may become paranoid and distrustful of authority, or he might shrink away, being fearful of any mistep. There is a remote possibility he may remain unchanged (especially if he has really strong and down to earth parents).

    In the same way that you feel terrible when you walk past somebody in distress and don't help, there must be somebody involved feeling that way knowing they screwed up and deciding between 'do I speak up', or 'its done, don't think about it'.

    The nature of being alive I guess

  14. Aodhhan

    Laws and Lessons

    There is little doubt what he did was against the law. Just because a web site is poorly secured or coded, doesn't provide a excuse to gain access to information stored on the system. The application provided "some" controls around access and he used a tool to circumvent these.

    If I used a common tool to eavesdrop on your communications (MitM attack), this doesn't make it okay; even if the communications were done using public equipment and you didn't employ encryption.

    The question isn't about whether he broke the law. He did. There are a lot of things in life I didn't mean to do, but I was still held responsible for them. Starting when I was 11 and broke a window with a baseball.

    The questions now revolve around intent as well as damages. He stated he wanted to download government documents, but to do what (exactly) with the information? What damage was done with the information he did gather? Did he send it off to others?

    It will take some investigating to determine all of this, and we don't yet have the entire story.

    1. A Non e-mouse Silver badge
      Flame

      Re: Laws and Lessons

      The whole point of the site is to act as a central repository for documents that had already been given out to the public.

      All the kid did was iterate and download all the documents that had already been given out to members of the public.

    2. JohnArchieMcKown

      Re: Laws and Lessons

      Did you just read this? I know that I posted it on a public forum. But it contains information that I did not intended to be published (I'm an idiot is the information). You are therefore guilty of "hacking" this site to get information which you should not have. (that I'm an idiot). YOU SHOULD HAVE KNOWN BETTER!

      1. CrazyOldCatMan Silver badge

        Re: Laws and Lessons

        YOU SHOULD HAVE KNOWN BETTER

        But but but.. MY CAT TOLD ME TO DO IT!

        (Honest.)

    3. hplasm
      FAIL

      Re: Laws and Lessons

      "There is little doubt what he did was against the law."

      Wrong!

      There is a LOT of doubt about that.

      1. Swarthy

        Re: Laws and Lessons

        Had it been said that "There is little doubt if what he did was against the law." I would agree whole heartedly. There is little doubt. The kid grabbed a bunch of files made publicly available (kind of like we all do when we download software updates); there is no law against that. It's on par with "Wearing a loud shirt in a built-up area".

    4. Duncanmhor

      Re: Laws and Lessons

      "If I used a common tool to eavesdrop on your communications (MitM attack), this doesn't make it okay; even if the communications were done using public equipment and you didn't employ encryption."

      The equivalent that this kid did was to overhear you shouting by walking into a room. The only controls around access were a lack of signposts to the room. The door wasn't even shut. He circumvented nothing, he used the web as it was designed to be used

    5. DasWezel
      Facepalm

      Re: Laws and Lessons

      Read the document again slowly.

      - There was no security, because they were *publicly available documents*

      - The application provided *no* access controls, because they were *publicly available documents*

      - The publicly available documents were sent directly to the person who put in the request, as well as being made *publically available* online for anyone else to read. Deliberately.

      You hypothetically eavesdropping on my communications would be illegal, because they are not public domain. These documents were in the public domain, for public consumption, in response to Freedom of Information requests.

      So, please enlighten me: Precisely which f*cking law did he break? Because pointing out that a *public document* hasn't been redacted properly sure as hell is not illegal. And making someone who failed to do their job properly look like a pillock isn't illegal either.

      1. MVS
        Trollface

        Re: Laws and Lessons

        No, he must be held to account for stealing free & public documents; not.

        In order to break a law, you have to knowingly bypass security controls. There is no indication in the article this was done, or that there were any controls on a free and public site to even bypass.

        Use of an http tool to download documents doesn't constitute breaking of any law/policy. What if I have a slurp type plugin on me Firefox?

        How does one become an unauthorized user on a free system, assuming it was normal downloading?

        I would say that there might be a civil case against Unisys. What do you think?

        Homer keeps getting hung up on free:

        https://www.imdb.com/title/tt0779676/quotes

        (It's the fourth one down, started by Jane)

  15. localzuk Silver badge

    Easily defended?

    Surely they can just point at the fact that every search engine would have the files indexed too? No "hacking" here. Do they list on the site that you can only access files manually by clicking on each link by hand? What if he had done exactly that? Gone through and manually downloaded each document by clicking a link?

    The entire case is absurd.

  16. Anonymous Coward
    Anonymous Coward

    I say we all do the same ! Who'se in ?! wait till that shows up in their logs!

  17. Eclectic Man Silver badge

    What if ...

    he had only downloaded ONE of the documents containing personal information, and done that 'manually' as it were? Then he would have had access to the un-redacted data, but without the use of an automated script.

  18. Anonymous Coward
    Anonymous Coward

    Canada, It's Canada.

    It's even more complicated for this teen than it appears. To see that it helps to have an understanding of Canada.

    On the federal level the government does not have to act in the peoples interest.

    Of the three branches of government 2 of them are appointed and the third with elected members controlled by party rule that prevents the elected from voting in the interests of their constituents. Although there are 10 provinces the appointed Supreme Court of Canada has only 9 judges, 6 of which are appointed from only two provinces and the other three appointed are now effectively required to have received their legal training in one of those provinces and meet certain ethnic and/or linguistic requirements. Comments from this tiny clique have shown they view provinces like Nova Scotia as a region of Canada, or part of a region, rather than a province on equal standing with others. That's problem if there is a problem.

    Thanks to the Government by appointment system the Supreme Court, like all branches and departments of government, almost always have the governments back. Failure to do so, even as a Senator or Judge, has consequences, and far more so further down the very long line of very many appointments that effectively rule Canadians, regardless of how they vote.

    That pattern of being ruled by the appointed does not change at the provincial level. The secrecy and obscurity of "Royal" appointments, particularly legal appointments, is if anything higher at the provincial level. Provincial legal systems are "old boys" clubs which require all who want advancement of any kind to fall into line or risk not being appointed to any position. There is no public veto or in most cases even knowledge of who is appointed. The appointed answer to those that appoint and can remove them, not the public or any perceived public interest.

    It is up against that system, a system of rule by the appointed, this Teen must now do battle with. Even his own lawyers will be from that system, beholden to it if those lawyers want any chance of being appointed to anything. Even Canada's media answers to the appointed, which is why they very rarely point out the lack of democracy or our rule by the appointed.

    If the Canada's appointed rulers have said this person has broken the law he is in for a very rough ride even if he is completely innocent, which isn't really presumed as many Canadian believe.

    Up against that details as to the public availability of the data or how it was accessed is of minor consequence but still worth trying to get out there. Our government fears revolting peasants might pull back the curtain so a large enough outcry can change predetermined decisions. Best of Luck!

    and as usual the disclaimer that comments at this site are censored/moderated, this is not an open discussion of the issue.

  19. davenewman

    Child molestation?

    Has anyone thought about applying child protection laws to the Nova Scotia minister, the police and the Unisys administrators?

  20. PghMike

    Just piling on

    The Nova Scotia government is just showing how technologically incompetent they are by prosecuting someone for enumerating public documents.

    Hopefully the prosecutor will drop the charges if they can find someone in New Scotland who knows anything about web servers, and can explain it to them.

  21. J27

    This is ridiculous, all that kid did was access publicly-accessible documents. If the system made private documents public that's a software bug (or world-endingly massive incompetence), not hacking.

    Any technical expert they get is going to identify these documents as publicly-available by definition. Hopefully this is dismissed before trial.

    1. Anonymous Coward
      Anonymous Coward

      Canadian technical expert

      Any Canadian technical expert with a concern about their future will identify these documents as our appointed rulers want them identified. Standing up and telling the truth, even an honest opinion, will limit their access to appointed positions, positions controlled by the appointed, and access to government contracts.

      Outside of Canada you might think that an overstatement but inside we can see it very clearly. The higher ranks of our departments, and Crown Corps ruled by those appointed, are homogeneous in their political views (even among those few claiming to support other parties) and all of them know the rules of advancement.

      Canada is a country where even access to government programs can depend on agreeing to the values of the government. Access to any career connected to government goes much farther than just agreeing to "values". The Tech Expert will know what is good for them or they will not be consulted.

  22. Clunking Fist

    Give a Little

    Anyone found a give a little page for this young person?

  23. Anonymous Coward
    Anonymous Coward

    As a taxpayer in Nova Scotia...

    I hope that the young man and his family sue the Province of Nova Scotia for several million dollars, and win.

  24. Brian Allan 1

    Governments are renown for attracting and retaining idiots; sadly!

  25. Jonathan Richards 1
    FAIL

    This happened in early March? And yet https://foipop.novascotia.ca still re-directs to a "System Unavailable" notice, even at Mon 23 Apr 10:38:23 UTC 2018.

    I was about to exercise my leet skills with wget inside

    $ for n in $(seq 100 199); ...; done

    I hope that the prosecutors see sense, and charges are dropped/not laid.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like