Experts question NS data breach charge

[Matrix]

A recent charge against a 19-year-old Halifax man in a breach of the provincial government’s freedom of information web portal is raising questions about what constitutes criminal behaviour when it comes to accessing publicly available data.

Police told reporters Wednesday that the breach, which affected about 7,000 documents, was made possible through a system vulnerability, not through any fancy hacking tricks or by circumventing security. Officials said about 300 of those documents contained personal information.

The computer files associated with thousands of freedom of information requests were available to anyone who had the web address, commonly known as a URL, and all one needed to do was change the number at the end of the URL in sequence to access the next file.

According to police, this weakness was accidentally discovered by a government employee who stumbled across it by typing in the wrong URL, prompting officials to check if anyone else had accessed the documents.

The teen was charged with unauthorized use of a computer, a rare federal offence that carries with it a prison term of up to 10 years.

Fred Vallance-Jones, who teaches data journalism at the University of King’s College, said the case prompts big questions.

“Here you have an instance where someone has gone to the government’s website and downloaded something that was directly available to anyone that could go there,” he said.

In order to access that many documents, 7,000 over the course of a couple of days, the accused allegedly used a tactic called scraping, essentially employing a program that allows you extract large amounts of information without having to manually enter URLs and download the data.

Vallance-Jones knows all about scraping — it’s something he teaches in journalism school.

“Journalists use this all the time to get information,” Vallance-Jones said.

Scraping is not an illegal act any more than manually typing in a URL and downloading information, Vallance-Jones said, raising the question: when does accessing public information become criminal?

“Is it when you download one piece of information? When you download hundreds? Does it become a crime when you go beyond what this person did and circumvent security?”

Halifax privacy lawyer David Fraser said for him the case raised similar questions.

Fraser said access to the information portal allowed anyone to search for previously released access to information documents.

Once someone like a journalist or non-government organization requests and receives a document via the Freedom of Information Act on something like the cost of paving a particular highway, Fraser said there is a two-week period before the document is made searchable through the database.

People can also request information about themselves — for instance, someone receiving social assistance can request a copy of any Department of Community Services records that mention their name. These documents, Fraser expects, are the ones that were not meant to be publicly available on the system.

But Fraser said the system is cumbersome to use, and does not allow one to search within the text of the computer documents themselves.

If someone, for pure curiosity, journalism, or whatever reason wanted to get a copy of all the documents that contained reference to a specific government project, the only way to do it using the government interface would be to manually download each one and either convert them to a searchable format or read them all.

“Would it not make sense (to use a program) to download them all, batch convert them to searchable format then search them on your computer?” Fraser said.

While on the surface, downloading all 7,000 documents on the server may seem like a suspicious activity, that’s just one example of a perfectly legitimate reason why someone would want to scrape all the files at once.

“We don’t know enough about what this person’s intent was, and intent is really what this offense is about.”

Based on what the police and government have said about the case, Fraser also noted that the accused did not seem to have made any effort whatsoever to obscure his identity when accessingthe documents, which also raises questions of whether he even knew he was doing something that could be classified as unauthorized.

“It seems to me the more information we’re receiving the less criminal it appears,” he said.

Fraser said he also wonders if the charges might have been a distraction — a way to have someone to point to as being at fault. He said he’s concerned the charges against the accused were premature.

“It’s been called a privacy breach, a security breach, (government is saying) ‘our website was hacked,’ that’s the sort of language that was used. One can imagine if you start from that point of view that of course it’s a reasonable response to bring out all the guns,” he said.

Vallance-Jones said he’s worried the case could have a chilling effect on journalists and academics who might fear facing similar charges for simply seeking out publicly available information.

“We’re opening up this can of worms of using criminal law to go after people who might access information from government servers,” Vallance-Jones said. “Not information that’s hidden behind passwords or security, not someone who broke in, but someone who accessed what anybody could get just by having the technical know how.”

Source

[Jogs]

Some one keeps all the doors open and if someone enters through any of those doors then that person is accused. This not the fault of the person entering but the fault lies with the person who kept the doors open. Here the govt. agency  that didn't do enough to protect the data should actually be prosecuted.