1. Fifteen cops showed up to arrest a teenager for using the internet
CBC reporter Jack Julian interviewed the 19 year old who was arrested in the mischaracterized “data breach” of the province’s Freedom of Information website. Julian’s article is a great piece of reporting; it is well-written, sensitive, informative, and enraging.
If police statements about how the teenager accessed the information are correct, the teenager did nothing at all wrong. He wrote a script to help him download documents from a public-facing website. He didn’t “hack” anything. He didn’t misrepresent himself. He didn’t try to hide his identity or mask his web presence. In fact, he didn’t do anything plenty of people and businesses legitimately do every day. A rich detail: the teenager was downloading the documents in order to research the government’s dispute with the teachers’ union.
Moreover, there’s been no allegation that the teenager used the documents he freely accessed to cause any harm. He didn’t steal identities or sell data.
No one with the provincial government or with the Halifax police department has provided any information to suggest that the the situation is anything other than described above.
And yet, Julian tells us:
On Friday, the premier accused the teenager of “stealing” the information.
The only way that I can understand why the province is so overreacting — going so far as Premier Stephen McNeil deeming a teenager guilty of a crime he hasn’t yet even been arraigned for — is that it is in major butt-covering mode.
The overreach goes right to the Halifax police, reports Julian:
The family was going through its morning routine last Wednesday when the police banged on the front door.
The mother says she, her husband, and two of her kids were corralled in the living room.
“They read us our rights and told us not to talk,” she said.
“Our daughter, she was really traumatized, really bad — brought her to tears, the way they conducted this,” said the father.
She says at one point there were 15 officers in the home.
“People were going into the kitchen, were going into the dining room, going upstairs. They went into the basement. They were [traipsing] through the house, everywhere,” the mother said.
She says the family is still working through the mess they left behind.
“They rifled through everything. They turned over mattresses, they took drawers and emptied out drawers, they went through personal papers, pictures,” she said. “It was totally devastating and traumatic.”
She says police seized her son’s computers, plus her husband’s cellphone and work computers, which has left him unable to do his job.
They also seized her younger son’s desktop computer, after he was arrested on the street walking to high school.
Officers took her 13-year-old daughter to question her in a police car.
“My little ones are asking, ‘Will I be able to get a job because we were arrested?'” she said.
I’ve seen more subtle police raids to arrest people charged with murder.
There’s simply no excuse for this. None. The Halifax police have a lot to answer for.
But, the police do what the police do. The outsized police response was itself in response to a directive or complaint from the province. As someone pointed out to me last night on Twitter:
There had to be someone who made an allegation of wrongdoing to start this off; that person needs to be accountable to what appears to be an instance of swatting to cover up technical incompetence by the government.
— Kevin McArthur (@KevinSMcArthur) April 16, 2018
“Swatting,” Google tells me, is “the action or practice of making a prank call to emergency services in an attempt to bring about the dispatch of a large number of armed police officers to a particular address.”
That’s not so off the mark here. Let’s review.
What’s at issue is the private information of citizens that should have been closely guarded but was instead placed on a public-facing website that had been live for over a year. My understanding is that an employee incorrectly typed in a URL and found the mistake; that employee alerted their superiors, who then looked to see if anyone else had accessed the information. They found the Halifax teenager, who had made no effort to hide his tracks because he did nothing wrong.
This was the decision point.
The civil servants and their contractor Unisys could have owned up to their screw-up, contacted those whose data was improperly shared, issued a gigantic mea culpa, and investigated what went wrong and who was responsible. That would have been the responsible thing to do. But the $4 million annual Unisys contract is up for renewal in June, and they apparently feared that placing blame where it belongs would throw a wrench into the deal. So they called the cops and blamed the hapless teenager instead.
Calling the cops is a huge deal. As we’ve seen, it can bring an unpredictable response that is in itself dangerous — given the wrong set of uncontrollable circumstances, people can die. At the very least, police raids are disruptive and stressful, and bringing people into the criminal justice system can and sometimes does ruin their lives. The kids in the raided house were right to ask about their future job prospects.
And about that Unisys contract…
Yesterday, I pointed out that a provincial website had been “defaced” last June, and I wondered:
Should this have been a large enough red flag that people at the province and/or Unisys should have understood that there was a security issue that had to be addressed in a more substantial manner than simply fixing the one page that was attacked?
After I published that, I was contacted by a former journalism student who brought my attention to websites hosted by the province’s Department of Education and Childhood Development. He wrote:
Years ago in journalism school I was running a Google directory search for a document on the department’s website when I saw a page that had seemed like it had been hijacked by spambots. The recent reports on the government’s online security brought this back to mind so I searched again today.
Here are examples of ednet.ns.ca websites that have either been hacked or hijacked by malicious comment bots:
Bridgewater Elementary School website has pages dedicated to online drug sales/malware
North Queens Community School “Knowledge Base” website includes comments linking to pornography/malware
Comment page on staff website includes spam comments linking to pornography/malware
Abandoned page intended as message board for teachers overtaken by comments linking to pornography/malware
(Archive.is wasn’t working with this page)
Comment page on staff website includes spam comments linking to online drug sales/malware
I could include numerous more examples, but you get the point that no one is moderating the Department of Education’s websites for malicious content and certain breaches of security.
It seems most of the pages with spam comments are mostly older pages without automatic comment filters, but the fact they’ve remained up for so long shows there’s no review or security audit occurring for this department’s online presence — or if there is, it’s failing. (And what other kind of information is stored on Nova Scotia’s schools’ public directories that should not be publicly accessible?)
The first example of an entire new page created on the Bridgewater Elementary School website is the worst example I saw of a true “security breach,” but it’s alarming that the government’s efforts towards online security haven’t even included a cursory search of all government websites for links to malicious content. It takes ten seconds to search Google for “inurl:ednet.ns.ca viagra” (or replace viagra with any other common spam term) and find a ton of content that should not be on ednet.ns.ca websites.
I forwarded the email to both the Department of Education and to Internal Services, and the infected/hacked sites were taken down within the hour. But I’m still waiting for a response to my request for comment.
I guess it takes longer to craft a meaningful response to finding porn and viagra ads on school websites than it does to call the cops on a teenager not harming anyone.
Several people in the tech industry have contacted me to say that at the heart of the issue is the relationship between Unisys and Internal Services. As explained to me, people move back and forth between the contractor and the agency, switching from employee at one to supervisor at the other. The relationship is beyond cosy and, as the auditor general discovered, has no effective oversight.
Imagine if the kind of resources that were directed at the hapless teenager were instead used to properly investigate the relationship between the province and Unisys.
StarMetro Halifax is walking back its misframing of a poll the paper commissioned of public support for a publicly financed stadium. Yesterday, editor Philip Croucher misleadingly spun the poll results as follows:
“There is a clear appetite for spending municipal tax dollars to help fund a new outdoor stadium for Halifax,” reports Philip Croucher for StarMetro Halifax under the headline “Exclusive: Poll shows people in Halifax open to using municipal taxes to pay for CFL stadium.”
But as I pointed out yesterday, the proper synopsis of the poll results should have been:
There’s no clear majority, but about the same percentage of people oppose using public money for a stadium as support it, and there’s a significant chunk of people who can’t say one way or the other.
In an article written for today’s edition, reporter Taryn Grant gives a more honest assessment of the poll results, and then quotes sports economist Moshe Lander:
Forty-two per cent of those polled said they were very favourable or favourable about using public money to build a stadium, while 41 per cent were unfavourable or very unfavourable. Fifteen per cent were neither unfavourable nor favourable, and 2 per cent were unsure.
“The fact is when you’re going to put up government dollars, that type of 41-42 (split) with 15 per cent undecided is not a clear mandate for using public dollars to fund the stadium,” [Lander] said.
I don’t know reporter Taryn Grant (or if I’ve met her I’ve forgotten because I’m old, so forgive me), but this is straight reporting, quoting a number of people with varying viewpoints and giving proper context to the issues.
And props to StarMetro for bringing in new reporters since its launch. I hope that continues.
Cogswell District Engagement Booth (Tuesday, 12-2pm, 4-6pm, Alderney Ferry Terminal) — info here.
Halifax and West Community Council (Tuesday, 6pm, City Hall) — here’s the agenda.
Public Information Meeting – Case 20929 (Wednesday, 10am, Gym, St. Margaret’s Bay Centre, Upper Tantallon) — this is the proposed development Philip Moscovitch reported on for the Examiner. There are three open houses, at 10am to noon, 2pm to 4pm, and 6:30pm to 9pm. It’s a small space and there’s great public interest, so people are encouraged to attend the earlier sessions if possible.
Audit and Finance Standing Committee (Wednesday, 10am, City Hall) — there’s nothing much on the agenda, but last meeting they added that convention centre report at the last minute when no one was looking.
Cogswell District Open House (Wednesday, 12-2:30pm, 6-8:30pm, Halifax Marriott Harbourfront Hotel) — info here.
FCM 2018 Conference Advisory Committee (Wednesday, 1pm, City Hall) — we’re all going to be rich.
Legislature Sits (Tuesday, 1pm, Province House)
Public Accounts (Wednesday, 9am, Province House) — Bernie Miller, the deputy minister of the Department of Business, will be asked about ” Economic Development and Employment Trends in the Nova Scotia Film Industry.”
Belong Forum: Buffy Sainte-Marie (Tuesday, 7pm, Rebecca Cohn Auditorium) — Buffy Sainte-Marie talks about diversity and inclusion and receives an honourary degree from Dalhousie. Free admission. Limited tickets available here.
Thesis Defence, Biology (Wednesday, 9:30am, room 3107, Mona Campbell Building) — PhD candidate Ernest Korankye will defend his thesis, “Physiology of Mechanical Stress-Induced Needle Loss in Postharvest Balsam Fir (Abies balsamea L.)”
Thesis Defence, Economics (Wednesday, 2pm, Room 3107, Mona Campbell Building) — PhD candidate Paul Spin will defend his thesis, “Three Essays on the Economics of Health and Well-Being.”
Newfangled Exchange Series (Wednesday, 2:30pm, Room 264, Collaborative Health Education Building) — Andrea Tricco from St. Michael’s Hospital and the University of Toronto will speak on “An Introduction to the SPOR Evidence Alliance and the PRISMA Extension to Scoping Reviews.”
Cellular Energy Sensing and Metabolism: Implications for Treating Diabetes (Wednesday, 4pm, Theatre A, Tupper Medical Building) — Gregory Steinberg from McMaster University will speak.
The Future of Learning: How Will People Learn the Skills they Need for Academe, Work, and Life? (Wednesday, 7:15pm, Potter Auditorium, Rowe Building) — Dan Russell, “Über Tech Lead for Search Quality and User Happiness for Google,” will mouth a bunch of platitudes and nonsense packaged as smart-dude stuff.
In the harbour
6am: AS Felicia, container ship, arrives at Pier 42 from Kingston, Jamaica
9am: Maersk Edward, oil tanker, arrives at Irving Oil from IJmuiden, Netherlands
11:30am: Bosporus Highway, car carrier, arrives at Autoport from Emden, Germany
4pm: Sophie Oldendorff, bulker, arrives at National Gypsum from Sydney
9pm: Atlantic Sun, container ship, arrives at Fairview Cove from Liverpool, England
9:30pm: AS Felicia, container ship, sails from Pier 42 for sea
Yes, they’ll catch me napping one day.