1. “Breach of privacy”
Yesterday, the province announced that the Freedom of Information site had been “breached”:
Government is working with Halifax Regional Police to investigate a breach of information on the Freedom of Information and Protection of Privacy (FOIPOP) website.
Of the documents that were inappropriately accessed, less than four per cent, about 250, contained highly sensitive personal information. In total, about 7,000 documents were inappropriately accessed.
Examples of sensitive information may include birthdates, social insurance numbers, addresses and government services client information. Applicants’ credit card information was not accessed during the breach.
Government first became aware of the issue on Thursday, April 5, when a problem was identified with the freedom of information website. It was immediately shut down while a solution was sought for the problem. On Friday evening, April 6, government confirmed information was inappropriately accessed. Government filed a complaint with Halifax Regional Police to investigate on Saturday, April 7.
Seven minutes after the provincial announcement, Halifax police issued this statement:
Police investigating breach of confidential electronic Government information
Halifax Regional Police is currently investigating a breach of electronic Nova Scotia Government files.
At 8:30 p.m. on April 7, police received a report from provincial government corporate security advising there had been breach of security on their network. The breach occurred between March 3 and March 5, 2018 and was discovered by a government employee on April 5.
Earlier this morning investigators with the General Investigation Section and Cyber Crime Unit of the Integrated Criminal Division executed a search warrant at an address in Halifax and took a person into custody in relation to the incident. The investigation is ongoing and charges have yet to be laid.
At a press conference, details emerged, reports Jacob Boon:
At a press conference Wednesday, deputy minister of Internal Services Jeff Conrad described how an unauthorized user had — over two days in March — accessed private files held on Nova Scotia’s Freedom of Information web portal.
The hacker, if that word even applies, realized the private PDFs located on the government website could be viewed simply by changing file numbers in the URL. Using a script that sequentially replaced those digits, the individual was able to download the 7,000 documents without anyone noticing.
When I heard that, the first thing I thought was “that could’ve been me.”
See, it took me 25 years of reporting to figure this simple fact out, but all government registries number their documents sequentially. So, suppose I’m on a computer in the courthouse looking at a court filing; if I take the document number and add one, I get the next document filed. Same with corporation filings. Same with property records. And so forth.
I do this all the time, and there’s absolutely nothing illegal about it. These are public documents, and I have every right to access them. The “number trick” makes me a better reporter.
I go to the FOIPOP website nearly every day, and I link to documents from it. It kind of amazes me now that I didn’t realize those documents were numbered sequentially. Take, for example, the document I linked to in January about the Art Gallery of Nova Scotia’s plan for “cultural hub”; here’s the URL:
Because the site is down, the URL doesn’t now work. But you see that “7433” part? Had I been more attentive, I would’ve realized that if I simply changed it to 7434 I would’ve gotten the next document in the sequence. And I would have. You bet I would have. That’s my natural curiosity at work. Now, I’m not technically sophisticated, so I just do the “number trick” manually, and in this case I would waste hour after hour typing the next number into the sequence to get a new document. But if I knew how to write a script to make the process run quicker, I would have, and I would’ve just dumped the documents into a file that I could examine at my leisure.
Does that make me a potential crook? No, of course not. Intent matters. I access public documents with the aim of reporting on them, not to steal identities or defraud people. And if I found material that I knew should not have been public, I would have notified the website owner (this has actually happened twice in my career).
I don’t know what the 19-year-old who was arrested was up to, but my guess is that any privacy breaches were entirely unintended. My guess is that, like me, he saw an easy way to download information that was placed on a public-facing website, and the personal information was a byproduct, not the target. I mean, even I know that if I were up to no good, I’d mask my identity with proxy servers and borrowed IP addresses to avoid detection; obviously this person is technically savvy and could have easily done so.
But even if the arrested person had ill-intent, the cause of the primary cause of the privacy breach doesn’t rest with him, but rather with those charged with building and maintaining the website.
The arrest sure looks like an exercise in misdirection — call it crime so we don’t get blamed for sloppy procedures.
King’s journalism prof Fred Vallance-Jones echoed my sentiments in a sequence of tweets last night:
If I understand what happened, someone cycled through a bunch of URLs and methodically downloaded the content. This kind of “scraping” is commonly done by all kinds of people.
— Fred Vallance-Jones (@Fvjones) April 11, 2018
The main complaint of the government is that this someone obtained information they shouldn't have had, that the government was supposed to protect per FOIPOP. The charge has to do with the actions of scraping the site, saying that those amount to a crime.
— Fred Vallance-Jones (@Fvjones) April 11, 2018
The criminal code section in question speaks of obtaining, fraudulently or without a right, a computer service, or intercepting a functioning of a computer system, or committing mischief by doing things that don't appear to have been done here.
— Fred Vallance-Jones (@Fvjones) April 11, 2018
The Cogswell Interchange plan was rolled out last night, to positive reviews, reports Lama El Azrak for…. er, what do we call that thing now? Metro? The Star? “Star Metro Halifax” is a mouthful, but that’s how it’s branded.
I don’t have strong opinions about the concept plan one way or the other, except to offer two suggestions:
1. Tear down the casino and build an actual waterfront park. The casino is a dead zone on the waterfront, and removing it would open up the entire Cogswell district. The costs of the dead waterfront, the hellish architecture and soul-sucking parking garage, and the social ills that come with gambling far outweigh whatever money comes in from the thing. Tear it down.
2. Remove the pedway that connects the TradeMart building to the Scotia Square parking garage. Nobody much uses it anyway, and those who do can use a proper crosswalk at street level. Removing the pedway would open up a partial view (mostly, Purdy’s Wharf is still in the way) of the waterfront from upper Cogswell Street, which fits into the philosophy of HRM By Design. But more importantly, it would give some much needed space to the block, which now feels like a dank hallway into a torture chamber.
Besides that, in the wake of recent news that office space assessments are way down, I wonder if the financial side of the plan still makes sense. I suppose the whole thing will be built up with condos; there’s nothing inherently wrong with that, but most likely that will be very high-end housing, not for the commoners.
3. Chinese in Halifax
Canadian Press reporter Brett Bundale takes a look at Halifax’s growing Chinese population.
“Do you hear a word or a phrase and think ‘I should remember that, it might come in handy’?” asks Stephen Archibald.
Me too! But I have the attention span of a gnat, so unless I scribble down the bons mots they vanish. My work surface gets littered with little pieces of paper and eventually I’ll do some curation and add the words and phrases to a document on my computer. (The document is called Channel Blurring because that was the first phrase I saved back in 2004 or so).
Now, just like Facebook, I’m giving you access of my private file. For the first time you get a glimpse at what attracts my attention in the word department (“shiny object” was one of the phrases that caught my eye).
You can go to the link to see all of Archibald’s words, but here’s his conclusion:
Around 1970 Time Magazine published three columns of jargon words called a Baffle-Gab Generator. All you had to do was chose a random word from each column to make some contemporary, sounding gibberish. Just for you I’ve produced an up to date generator from my collection of words. Fill your boots.
Appeals Standing Committee (Thursday, 10am, City Hall) — here’s the agenda.
Cogswell District Engagement Booth (Thursday, 12pm and 6pm, Halifax North Memorial Public Library) — all about Cogswell.
Centre Plan – Discuss Package A (Thursday, 6pm,
NSCC Waterfront Campus the FABULOUS RAY IVANY MEMORIAL AND CELEBRATORY CAMPUS) — info here.
Public Information Meeting – Case 21099 (Thursday, 7pm, Cafeteria, Basinview Drive Community School, Bedford) — a thing on Fourth Street in Bedford.
Community Design Advisory Committee (Friday, 11:30am, City Hall) — here’s the agenda.
No public meetings today or Friday.
Search List in Online Marketplace: Two User Experience Studies (Thursday, 11:30am, Auditorium, Goldberg Computer Science Building) — Kewen Wu from the University of Saskatchewan will speak.
The Central Limit Theorem in Algebra and Number Theory (Thursday, 2:30pm, Room 319, Chase Building) — M. Ram Murty from Queen’s University will speak.
Department of Urology Research Day (Thursday, 4:30pm, Theatre B, Tupper Link) — keynote speaker Colin P. N. Dinney will speak on “Emerging Therapy for BCG Unresponsive NMIBC.”
New Developments in Mali and the Sahel (Thursday, 6:30pm, Lindsay Room, Halifax Central Library) — a roundtable discussion with Bruno Charbonneau, Shelly Whitman, and David Black.
In the harbour
8am: Acadian, oil tanker, sails from Irving Oil for sea
8:45am: Scotian Sea, supply vessel, moves from old Coast Guard base to Pier 9
10am: Skogafoss, container ship, sails from Pier 42 for sea
11am: Morning Clara, car carrier, arrives at Autoport from Southampton, England
Noon: Nolhanava, ro-ro cargo, sails arrives at Pier 36 from Saint-Pierre
4:30pm: ZIM Tarragona, container ship, sails from Pier 41 for New York
Short Morning File today because I have to go to court early.