69 comments

[ 2.8 ms ] story [ 126 ms ] thread
The ruling is more complicated than that. If you can read french, I suggest you read Maitre Eolas' take on it [1].

[1] http://www.maitre-eolas.fr/post/2014/02/07/NON%2C-on-ne-peut...

I can't. Mind making a brief summary?
The main count on which Bluetouff was found guilty is that of "maintien frauduleux dans un système de traitement automatisé de données (STAD)", namely, remaining "in" a computing system (STAD) without being allowed. The key point is that Bluetouff made an important admission, apparently during his 30 hours of "garde à vue", meaning, being under arrest at the police station, where he seemingly neglected to apply his right to remain silent: he recognized that, when going up the folder hierarchy, he landed on a username-password login page. From this, according to the court, he should have inferred that the documents were private and that he had nothing to do there. Instead, he spent several hours siphoning the documents afterwards, which established his intent to remain in the system despite having found out that he wasn't supposed to.

One can then discuss whether this law is fair or not, whether things would have been different had Bluetouff not made this key admission, whether it is reasonable to consider that the login page was sufficient to indicate that the documents weren't intended to be public, and whether the 3000 EUR fine is balanced or not.

Meanwhile, Bluetouff has appealed the ruling to the Cour de cassation, France's last-resort court for civil and criminal cases, whose role is to break rulings where the law was not correctly applied (without discussing the findings, only the application of the law and the adequate forms). I do not think we know yet how Bluetouff will phrase his appeal, but Eolas estimates that there would be a possible way to attack the ruling based on the court's finding that Bluetouff's retrieving the documents constitutes "vol" (theft) though it does not fall within the scope of the formal definition of theft (because the ANSES was not deprived of the files).

Instead, he spent several hours siphoning the documents afterwards

Do we know how he accessed the documents? Did he crawl the directory with a login or without a login (meaning the directory is not protected)?

And why would he share such document with his fellow writer? What for?

The fact that a judge can't comprehend technical explanation according to the article seems to be the main issue here. Was he given a fair hearing?

This is a good time to remind people: Don't talk to the police. Ever, under any circumstances - it can only hurt you, never help you. http://www.youtube.com/watch?v=6wXkI4t7nuc
This is a very US-centric view. In some places, you have a right to remain silent, but that can be used against you in a court of law...
He means don't talk to the police until your lawyer is there.

Which countries will use that against you?

UK or US, among other countries, if you are being held on 'homeland security' (read: Suspected terrorist) charges.

IE: You are required by law to answer questions/turn over passwords when suspected of such things. David Miranda being a recent and well known example.

"Let's wait until my lawyer gets here" will count against me?

You got a cite for that?

Heres the first hit on google, I'm sure many more instances, citings could be procured.

According to former White House Counsel Alberto Gonzales (later the former attorney general), “[t]he stream of intelligence would quickly dry up if the enemy combatants were allowed contact with outsiders during the course of an ongoing debriefing.” Warren Richey, “Beyond Padilla Terror Case, Huge Legal Issues,” Christian Science Monitor, August 15, 2007, http://www.csmonitor.com/2007/0815/p01s08-usju.html. Yoo also explains that introducing a lawyer immediately after capture of an enemy combatant would disrupt interrogation as any competent defense counsel would tell his/her client to remain silent. Yoo, War by Other Means, 151.

That quote is in reference to enemy combatants, not those who fall within the regular court system. I get your point though.
As my post said 'homeland security' (read: Suspected terrorist) charges who are not part of the normal court system.

But this also happens to immigrants or those stopped at the border in general. [0] The right to counsel is being eroded at the edges (apparently not applied to non-citizens whenever possible).

Over the past year, the American Immigration Council, along with the American Immigration Lawyers Association (AILA), has documented instances where the DHS immigration agencies—Customs and Border Protection (CBP), Immigration and Customs Enforcement (ICE), and U.S. Citizenship and Immigration Services (USCIS)—have deprived noncitizens of access to counsel. For example, ICE also has taken the position that there is no right to consult with a lawyer during an interrogation. Likewise, many CBP offices outright deny access to all lawyers. [1]

[0] http://law.psu.edu/_file/Immigrants/LAC_Right_to_Counsel.pdf

[1] http://immigrationimpact.com/2012/01/23/its-time-to-improve-...

In the Netherlands you have the right to talk to a lawyer before you talk to the police. But not during the time you talk to the police. Nice huh?
Similar in Canada.
What if someone random on the street stabbed you. You wake up in a hospital and the police is asking you questions about what the attacker looked like. Should you stay silent? If it was me, I'd want to get back at that person who stabbed me, and the police would help me do that.
If you're talking to police, and you don't know who the criminal is that they are trying to find, its you.
Nice twist on the mark in a poker game.
Excellent.

Although I'm not sure the correct word here is "hacking". Law and government should stop using the word to mean "any adept use of computer knowledge or skills that result in undesirable effects for some party". That could be used to accuse anyone with a computer and an opinion. There needs to be a proper legal definition (similar to how we distinguish between degrees of murder, manslaughter and involuntary homicide).

That ship has sailed. We should pick another word.
I always compare hacking in that sense to magic tricks: As soon as you know the trick, it's hard to still consider it "magic".

Compare "They just used the Windows Remote Access feature/You just changed the document_id part of the URL" to "You just dropped that coin in your pocket".

The line between "hacking" and "expected behaviour" can get very blurry, the more knowledgeable a person is. And in the end, like with magic tricks vs con men, it's the intent that makes it right or wrong (IMO).

Yikes. And he didn't know that? Assuming if he did, he'd have kept his mouth shut about it.

We have pretty much the same law in the Netherlands. What I understand (IANAL), this goes as far as observing an open WiFi access point with the SSID named "UNAUTHORIZED ACCESS PROHIBITED", if you willingly connect to it (ignoring the message), you'll be in violation.

This is of course not security, and maybe it's kinda stupid, but the rule is also pretty clear and pragmatic. It's analogous to having a door with a "NO ACCESS" sign on it, even if it turns out to be unlocked, you're still not supposed to go there. Often such a sign will cite "Article such and such from the Book of Criminal Law Code" in smaller letters (Dutch people will know what type of signs I'm talking about), but afaik this is not necessary for the legal power of such a sign.

(comment deleted)
Basically he was charged on three count: intruding in a private computer system, maintaining himself in said computer system, and theft of private documents.

The ruling said he was innocent of the first charge, since it was due to a security flaw, but guilty of the second, since he realized he was in a private system (he admitted to navigating the hierarchy and finding that the repository was "protected" by a login and password). He was also ruled guilty of the theft (the author of the blogpost, an attorney, says he should have been charged with counterfeiting instead, since that is the proper indictment for copyright violations).

Tldr: he's not fined for entering on the website. He's fined because he kept mirroring the site after he realized it was opened by mistake (he unwisely admitted as much to the cops).

It's the digital equivalent of figuring out that a house isn't locked, and concluding it's OK to loot it.

It's the digital equivalent of figuring out that a house isn't locked, and concluding that it's OK to make a copy of the furniture. FTFY
Make a copy of the owner's diary and other sensitive documents, snoop through nightstand drawers... Equivalently, finding someone's personal computer unlocked and deciding it's all right to mirror the contents of its hard disk.
I don't agree with any of these assessments.

I think it's the equivalent of going down a public road and passing through a gate that was left open, onto private property.

While driving, off in the woods beside the road you notice a "no trespassing" sign, but it's not obvious that you're trespassing currently, even if you start to wonder.

A place on the disk was accessed that was unintended.

> it's not obvious that you're trespassing currently, even if you start to wonder.

He's admitted that he kept snooping around after he fully realized that the files were online by mistake.

My point wasn't about the theft/piracy distinction. It was that your victim being incompetent at defending themselves is not a valid excuse for committing a crime against them.

Besides, counterfeiting one's furniture doesn't cause any embarrassment. I'd rather equate it to photocopying your secret business plan, or your collection of naked self-pictures.

Pretty useless until Maître Éolas won't correct the few important mistakes he made in his blog post. Olivier pointed them out in his tweets. If you can read french you shouldn't be reading Maître Éolas (although he's usually great) but Bluetouff's own blog posts:

http://bluetouff.com/2013/04/25/la-non-affaire-bluetouff-vs-... http://bluetouff.com/2014/01/10/cher-contribuable-je-te-dema...

To be fair, one of the party's own blog is hardly the most objective on the matter.
You can get the facts right, at least ;)
I don't get it, what are the mistakes?
so, when you found something like that, lease a dedicated server overseas and use it to download everything. once done, go to a cybercafe and download it to a zip file or something similar via http directly to a usb memory.

they can follow your transaction with the company once they find out, but it's going to be a little more difficult.

He is a journalist, he wasn't found when he downloaded the files, but when he wrote about their content.

Leasing a server wouldn't have changed a thing in that specific case.

Anyway, bluetouff is well-versed in computer security and the co-founder of a VPN service, so I suspect the files weren't downloaded from a french IP adress.

Yes it says "Panama", right in the article.
(comment deleted)
> Bluetouff ended up admitting in testimony that when he found the documents, he had traveled back to the homepage that they stemmed from, where he found an authentication page, which indicated that the documents were likely supposed to be protected. That admission played a part in his later conviction in the appeals court.

Of course the fine seems absurd to me personally, but this excerpt hints at a couple things one should definitely not do.

This seems weird to me.

If I go to, say, the twitter homepage, I will find an authentication page, and yet most content on twitter is obviously intended to be public.

That, exactly that.

If you have a secret document, when I come knocking on your door and ask for that document, you'll refuse to give it to me, or at least ask for something that convinces you that can access it. Nobody would be crazy enough to charge me by a crime if I ask you the document, and you give it to me without any kind of verification.

But now, configure a computer to do that exact thing, and suddenly you manufacture plenty of new criminals.

It's more like if you walk up and find the document on my doorstep, turn around to see the 'no trespassing' sign, then leave with the document anyway.

Again - I don't really agree with the ruling here - just trying to clarify.

Except I found the documents on Google. It's the equivalent to advertising a yard sale but not realising what you were selling / showing the public.
I dunno, having a yard sale is 'opt-in', since you're putting up the signs etc, showing up on Google is more 'opt-out'.
Isn't it more opt-in because you need to put a link somewhere on the public www before Google can find it?
If your side gate was open when the googlecar drove by and put it on streetview, does that mean that anyone else is entitled to wander in and take things should the gate be open as they pass by?
Yes but links can leak in the most accidental fashions. Google seems to find a lot of stuff that makes me wonder how Googlebot ever found such links. Part of the explanation might be referer logs, and such.

Anyway, the point is, it's smarter to be explicit and also opt-out using robots.txt or something similar.

That sounds about right, actually. Half the yard is clearly free, but they failed to mention that you can't even view the other half.

But wasn't the quote indicating that it was made clear somehow? Looking at the anses.fr site isn't particularly helpful, if that's even the site in question.

Except that advertising takes positive effort on your part, whereas it takes positive effort to avoid being listed on Google.
I don't know, but I think "putting up a web server" qualifies for "positive effort" ;-) And while it does take extra work to ensure an Intranet isn't available on the public web, or that it's correctly configured to require a login to view documents ... there has to be a line somewhere.

I mean, I've stumbled on FTP sites that allow anonymous users. By providing no password and still seeing content, would I have "hacked" them? It's a configuration issue, and password prompts are just that. Of course, where do you then draw the line? If you call it a security flaw that the documents were public, then accessing them could be an exploit. But... a very flimsy one, since we rarely execute injection attacks to visit websites, but we often click links on Google. The bar is clearly very low. ;-)

This might, of course, change if the access was not indicated on Google but instead on a site like shodanhq.com ...

More of a 'keep off the grass' sign. It's not at all obvious that the authentication is supposed to apply to other areas.
If you happened upon my 'protected' account with some mal-formed link, then saw the standard 'tweets are protected' message on my main page, you might be in a spot if you went back and save all those secret tweets. Under the interpretation being discussed anyway.
I don't know about France, but in many jurisdictions, a "reasonable person" standard is used. While I don't personally believe accessing publicly available files should be illegal in any case, I do think that in the situation as described (with the admission of traveling up the path hierarchy to find a login page), most "reasonable people" would indeed infer that the files were not intended to be publicly available.
And how would a "reasonable person" decide that? That is kind of like say "if there is a lock on the door, you should know that it was meant to be locked. Yeah 7/11, open 24 hours, has a lock on the door.
We don't even have to make analogies; if it is protected information a "reasonable person" expects some kind of _obligatory_ login authentication, not an optional one.
Not really. If I found a page that redirected me to a login, I would assume that that page is not intended to be publicly available, and that other content that I don't know about exists which is not intended to be publicly available.

I wouldn't infer that just because (as noted by the parent comment) https://twitter.com/ requires a login, I shouldn't look at https://twitter.com/twrbrdg_itself

Now, if all those pages I looked at before finding the login page had a banner saying "private, not for public consumption, don't share this with anyone who doesn't have an account", then I might think "hmm, perhaps I'm not supposed to be here".

That's not a fair analogy though. I agree that I wouldn't expect every page on twitter to be protected. But if you find a direct link to a random document indexed by Google, then check and the page that links to that document is protected, I personally anyway would assume the document itself was exposed accidentally. Obviously not everyone agrees though, which makes the reasonable person thing difficult to decide.

As for the lock on the door comment, I'd say it's more like if you noticed a store is left unlocked in the middle of the night, and therefore assume you're welcome to go in and walk around. In fact, they probably didn't leave it unlocked as an intentional invitation.

Yes we have that, its name has changed recently because it was something like "good family father" (it came from greek democracy) and was deemed sexist.
How so? Was it made clear that the authentication page was for the documents he subsequently downloaded?
Even if it was, this is ridiculous.

What kind of security let's you download documents without authentication?

It's a surprisingly common bug in custom web-based systems that handle documents or images - I've found this a number of times in systems I was reviewing (and I'm not a security expert).
How many years would he get in prison for this in US? While the interpretation of the law or the law itself are pretty bad here to begin with, at least the punishments are saner for stuff like this. US seems to have both completely terrible and easily abused hacking laws, but also extremely disproportionate punishments.
I don't understand why he's getting fine for that. Those were publicly accessible documents, even though they were intended not to be, as indicated by the login form that Bluetouff admitted to know about.

If that's the law, then it needs to change.

Reminds me of what happened to Andrew Aurenheimer, only iterated a bit more.
happened in brazil as well.

everyone knows you only build large public projects there if money change hands. and it usually happens that the gov official get the quotes from all the companies, call the one paying him the most and tell the other quotes and that company submit a little lower than the lowest and get the job, later including several hidden fees, etc.

the, for the sao paulo subway expansion, a journalist did a search and found documents proving all that for that specific job (yellow metro line) and published them.

gov removed the documents, waited for all signs of it ever being indexed to disappear and then sued him. i think the trial is still going and they still deny those documents ever existed.

Do you have any links with further info on that case by any chance? Would be interesting to see how that turns out.
How can government agencies still can get away with accusing someone of "theft" and accessing a "private computer" and "private documents" when they just publish documents on the web, and the public is consuming them? The fact that there was a HTTPAUTH protected login page in some up path on the site does not infer that the documents should have been protected. They are or they are not. And they looked legit, i.e. public.

Esp. with government documents you are safe to assume that they are public, if they are public and look public.

Exactly. Also, the HTTPAUTH is directory based and does not necessarily include subdirectories, just like permissions on all Linux distros. So that doesn't imply in any way that subdirectories should have been private.
I'm really on the fence with this one. As has been pointed out, the fact that there's some auth somewhere on the server doesn't necessarily mean that those specific documents were supposed to be private. However, as a journalist he decided to publish the documents on his blog which I think we can take to mean that he assumed they were, in some way, "juicy." And he wouldn't think that if he didn't at least suspect that they were supposed to be private.

This is all assumption, of course, but I think it's pretty logical assumption.

Still, freedom of the press is a strong right. Though freedom, as they say, isn't free (there can be and often are consequences to exercising your freedoms). In this case I think he's lucky to just get what amounts to a hefty access fee. If he had stumbled onto U.S. documents he may well have found himself taking a ride in a black helicopter.