Concerns teen being 'railroaded' in privacy breach to cover government slip
Privacy lawyer David Fraser adds police 'probably jumped the gun' in charging 19-year-old man
Software and privacy experts say an embarrassed Nova Scotia government seems to be seeking a scapegoat, following Halifax police's quick arrest of a 19-year-old man for accessing private documents publicly visible on a provincial website.
The teenager is charged with unauthorized use of a computer, which carries a prison term of up to 10 years.
"In order to break this law, you have to have done it with fraudulent intent," said David Fraser, a lawyer with McInnes Cooper in Halifax who specializes in technology and privacy laws.
"From everything that's being discussed about this, it's likely the person was likely trying to download content of public documents from a public internet site."
The province's Freedom of Information and Protection of Privacy Act web portal is intended to allow people to make freedom-of-information requests, including for government-held personal information, and access the documents that result.
In most cases the results are made public, after personal information and other private information has been redacted. In the case of personal records, the information is supposed to remain private.
The province's chief information officer, Sandra Cascadden, has said it's believed someone created a script that let them download one document after another, including some that were supposed to be private.
"Unfortunately, what had happened is someone went in through the URL and just sequentially went through every document available on the portal," she said.
But Fraser said the provincial government should not have made sensitive information publicly available online. He said organizations use scripts routinely to copy information; that's how search engines and online archives work.
"I think they probably jumped the gun in charging him, unless police got a statement from him at the time that did in fact have some fraudulent or nefarious purpose," Fraser said.
"It certainly does have the appearance that charge was laid in order to appear that they were doing something about this. Obviously, this was something that's particularly embarrassing to the provincial government and I can imagine that there is a fair amount of pressure to find a scapegoat, point the finger and press some charges."
The main problem, Fraser said, is that the private information was publicly available, obscured only by document numbers. "Why was this information publicly available on the internet in the first place?"
He said if someone could access the documents without a username or password, and without "backdoor" channels, that shows an insecure system.
Common practice in security research
Evan D'Entremont is a software engineer who has been following the case.
"As the details started to come out, it started to make me concerned there wasn't actually a breach of any kind and somebody's just being railroaded to cover up a government problem," he told CBC News.
He said what police and the province say is a crime in this case is something he's done "a hundred times" himself. "To say it's criminal behaviour really just takes a lot of security research and makes it illegal."
D'Entremont said the FOIPOP website has a number at the end of every URL. The script pulled down all the documents numbered one to 7,000. He noted that the province says an employee found the problem by accidentally doing the same thing.
"The system they were using is largely intended for serving public repositories of documents," he said.
He said the province is ultimately at fault for not protecting the data.
More than 7,000 documents were accessed. About four per cent were determined to have "highly sensitive personal information," according to government officials. They said the number of Nova Scotians affected is "in the thousands."
Sensitive information accessed includes birth dates, social insurance numbers, addresses and government-services client information. Credit card information was not accessed during the breach, according to the government.
"This is not great news," Internal Services Minister Patricia Arab said Wednesday.