A teenager faces upwards of 10 years in prison for downloading 7,000 freedom of information releases that contained people’s sensitive personal information.
On 11 April, Nova Scotia’s police raided the home of a yet-unnamed 19-year-old. As many as 15 officers seized computer equipment from the teen, who lives with his parents and siblings and is in the process of completing his secondary education. They also confiscated devices owned by his father, thereby preventing him from doing his job, and questioned his younger brother and sister.
The provincial government of Nova Scotia subsequently charged the teenager with “unauthorized use of a computer.” If convicted, the teen could spend 10 years in prison.
According to CBC News, Nova Scotia Premier Stephen McNeil said the charge is appropriate considering the young man’s act of “stealing” 7,000 documents off the province’s Freedom of Information and Protection of Privacy (FOIPOP) website. Those releases contained the personal information of thousands of Nova Scotians including their days of birth, addresses and social insurance numbers. They did not include residents’ payment card details.
A government employee discovered the breach by accident in April when they found that a typing error in the number at the end of the website’s address granted access to documents he didn’t have the necessary permissions to view. When the provincial government learned of the weakness, it took down the portal and began working with Unisys, a third-party provider, to understand the full scope of the issue. The Coast reported that officials notified Halifax’s Regional Police when they discovered that someone had downloaded releases off the site. The police ultimately traced the breach back to the teen.
As of this writing, officials are working with Unisys to to fix the flaws and get the site back online.
In an interview with reporters, the teenager argued he did nothing wrong. He said he wanted to learn more about the government’s labor troubles with teachers, so he went to the FOIPOP website, where visitors can file freedom of information (FOI) requests. He didn’t find what he was looking for, but building on a lifetime of playing around with computers, he quickly discovered the website flaw that allowed him to see other documents, which the provincial government is supposed to make public after it’s redacted people’s private information. So he wrote a script that allowed him to download all the documents so that he could review them later for relevant information into the labor dispute.
The teen said he didn’t know the documents weren’t publicly available yet. As quoted by CBC News:
I didn’t do anything to try to hide myself. I didn’t think any of this would be wrong if it’s all public information. Since it was public, I thought it was free to just download, to save.
Many in the security and privacy community feel this admission by the teen paint the government’s decision to charge the teen as an overreaction. David Fraser, a lawyer with McInnes Cooper in Halifax who specializes in technology and privacy laws, explained to CBC News in another article that the 19-year-old didn’t break the law because he didn’t have “fraudulent intent” to do so. Software engineer Evan D’Entremont went so far as to say “there wasn’t actually a breach of any kind and somebody’s just being railroaded to cover up a government problem.”
D’Entremont and others argued the problem appears to be a lack of government investment into its security. According to The Coast, officials conducted few security scans of the site, which is powered by a system developed by Unisys called AMANDA, over the past year, and Unisys didn’t flag any instances of unauthorized access. At the same time, a 2016 auditor general report revealed that Unisys met standards with its AMANDA system but that the government’s Department of Internal Services suffered from a lack of security controls and oversight, writes The Coast in another post.
Internal Services Minister Patricia Arab said the government waited until 11 April to begin notifying affected individuals of the breach because the Halifax Regional Police asked it do so. As quoted by CBC News in a third report.
We wanted the person responsible for this to not know that we knew that this had happened. We needed to let Halifax Regional Police do their job and couldn’t compromise the nature of their investigation.
Jim Perrin, superintendent of the police force, said his officers never made the request and declined to comment whether notifying affected individuals would have compromised the investigation.
The province’s privacy commissioner is currently looking into the breach.
While he awaits the outcome of the investigation along with his trial, the teen is keeping himself busy with crosswords in the hope the charge will be dropped and his reputation will be spared. Otherwise, he said he doesn’t “know what [his] future will be like.”