You're a govt official. You accidentally slap personal info on the web. Quick, blame a kid!

Hacking charge for twiddling URL – O Canada!?

Comment There's a curious legal situation developing in Nova Scotia, Canada, right now.

A teenager is suspected of breaking the nation's hacking laws by downloading PDFs containing personal information from a public government website after officials failed to redact the documents.

The 19-year-old was arrested after more than a dozen cops raided his home last week. He faces a criminal charge of "unauthorized use of a computer," although he has yet to be formally arraigned and thus publicly named.

Here's how it all started. The provincial government of Nova Scotia provides a website called the Freedom of Information and Protection of Privacy (FOIPOP) portal. It is an online database of government records and files made available to everyone on the planet.

These documents are released following successful freedom-of-information requests from journalists and other citizens. Basically, if you request a document, and it is allowed to be handed over, it eventually appears on the public portal so everyone can see it, not just the person who coughed up the five bucks to file the request. The PDFs should have any personal or private information in them redacted prior to publication.

Toe Curl'ing error

In early March this year, someone fetched 7,000 publicly available documents from the site, presumably using a simple script or Curl command line to automate the download. It's pretty easy to do. According to privacy lawyer David Fraser and software engineer Evan d’Entremont, you simply had to change the document ID number at the end of a URL and fetch it. So, you'd download document number 1234, then 1235, 1236, and so on, working through all the digits, one by one, pulling in each file associated with each ID value. It's basic enumeration.

Don't forget, this fetches records and government files that have been released to the general public. So public, in fact, that they were picked up by Google's webcache bots.

However, it turned out about 250 of those PDFs served by the FOIPOP portal had not been properly redacted prior to being made available to the public. These files, we're told, held thousands of Nova Scotians' sensitive private details, such as their social insurance numbers, dates of birth, and home addresses.

On April 5, a government staffer apparently noticed that, yup, you can enumerate all the documents in the database from the website, including the non-redacted PDFs that shouldn't have been there.

A day later, an IT contractor behind the site, Unisys, dug through the logs, and let government officials know that 7,000 files has been slurped by a "non-authorized person.” Within 24 hours, police were tipped off, and officers showed up at the teenager's house in Halifax, suspecting him of illegally extracting information from the portal. He was arrested and charged, and faces up to 10 years in the clink if convicted.

Nova Scotia Premier Stephen McNeil went as far as claiming the data was "stolen." The teen's family are hoping the allegations are formally dropped before it gets to court.

Watchdog probe

Around that time, the FOIPOP website was also offline for about a week for unscheduled maintenance, which raised everyone's suspicions that something was up. Officials later claimed the site had been "breached." Privacy watchdogs announced they were shoving a probe into the affair – including investigating whether or not the portal and its information was properly secured. Top tip: it wasn't.

The young adult in question denies any wrongdoing, and insisted all he wanted to do was download public documents. "I just had no malicious intent and I shouldn't be charged for this," the teenager told Canadian telly news CBC this week. His supporters argued he could have had no idea there was sensitive personal information in that 7,000 document trove he grabbed in bulk.

The authorities, somewhat predictably, claim this was a deliberate attempt to swipe folks' private details. Which is exactly what we'd imagine you would allege if you were trying to deflect attention away from the fact someone on your staff bungled and put the wrong files on the public internet.

"There’s no question, this was not someone just playing around," Nova Scotia's Deputy Minister Jeff Conrad briefed journalists. "It was someone who was intentionally after information that was housed on the site."

Jeff, who isn't intentionally after information on a website when they visit it?

We're not the only ones who reckon this looks just a little bit like someone being positioned squarely under a ton of plummeting bricks to bury the fact that Nova Scotia's government screwed up.

"If any of the records contained private information that should not have been released, the government is responsible for that, not the teen," EFF staff attorney Aaron Mackey told CBC.

Nuff said. ®

Updated to add

If you want to chip in some cash to fund the teen's legal defense bills, there's a GoFundMe page here you should check out.

Keep Reading

Huawei invokes 140-year-old law at England's High Court in latest bid to thwart CFO's US-Canada extradition

Lawyers say they need HSBC UK Powerpoint slides to undo Uncle Sam's case against Meng Wanzhou

Don't scrape the faces of our citizens for recognition, Canada tells Clearview AI – delete those images

Plus: Check if your Flickr photos are in facial recognition engines and and the list of NSFW words for AI

UK, Canada could rethink the whole 'ban Huawei' thing post-Trump, whispers Huawei

Analysis Veep needles British government: Without us, you'll 'widen the north-south digital divide'

When it comes to taxing tech giants, America is out, France is in, Canada and Indonesia are going their own way

With Trump on the way out, 2021 is going to be digital levy a-go-go time

No more Genius Bar bottlenecks for you, Mr Customer? Apple exports independent repair provider program to Europe and Canada

iPhone right-to-repair movements blows in from US

Owner of Smuggler's Inn B&B ordered to put up a sign warning guests not to cross into Canada

A subtle rebranding exercise might be needed

Canada's .ca overlord rolls out free privacy-protecting DNS-over-HTTPS service for folks in Great White North

L’ACEI lance le Bouclier canadien dans le but de protéger gratuitement la vie privée et la sécurité des Canadiens en ligne

FYI Russia is totally hacking the West's labs in search of COVID-19 vaccine files, say UK, US, Canada cyber-spies

'Completely unacceptable' spouts British Foreign Secretary

Biting the hand that feeds IT © 1998–2021