Why am I not surprised?
Last Monday, Halifax police dropped all charges against the 19-year-old they’d arrested less than a month before for “unauthorized use of a computer with fraudulent intent.”
The fact is this case has been a cock-up from the beginning.
Even before the beginning.
Perhaps especially before the beginning.
On April 5, an employee with the provincial archives was rutting around in a government computer searching for a recently released file when he “made a mistake keying in the URL and observed an incoming [Freedom of Information/Protection of Privacy] request.Thinking it was a one-off, [he] typed in random numbers, which led him to believe that he was no longer inside the government system and that the material was unprotected on the internet.”
He alerted his bosses, who altered their bosses, who must have alerted someone in the province’s internal services department who clearly hadn’t been paying close attention to the security of the government’s website. That someone then alerted someone else at Unisys, the private contractor the government pays millions of dollars to each year to keep its information secure, but which clearly hadn’t done a very good job at its job.
When some other someone at Unisys belatedly riffled through their activity logs, they discovered that, between March 3–5 — a full month before the public servant’s accidental discovery —“unauthorized persons made 40,735 access attempts to confidential Province of Nova Scotia files. These persons were successful in accessing 7,675 confidential files.”
In fact, 2,500 of those files had already been “vetted and released” — the information in them was public — and “a majority of the files were believed to be files that were releasable in whole or in part.”
Still, bad stuff could have happened, so Unisys shut down access to the FOIPOP server.
And then the government shut up. Internal Services Minister Patricia Arab vaguely called it “an issue,” though she wouldn’t say what the issue was. “We take privacy and security very seriously, but all I can say today is that there was an issue.”
Thank you for that.
Which must have been about the time when what had started — as my colleague Tim Bousquet correctly described it — as a “security failure” on the part of the provincial government and its private contractor morphed into a three-alarm-flashing-lights-hacker-alert data breach.
After which, the search for someone on whom to pin the blame began in earnest.
“There’s no question this was not someone just playing around,” Jeff Conrad, the deputy minister of internal service, ominously told Canadian Press. “It was someone who was intentionally after information that was housed on the site.”
Conrad called in the cops.
Arab then explained she’d had to keep the details of the faux breach quiet at the request of the police. The police said that wasn’t true.
Premier Stephen McNeil called it “stealing.”
Book ’em, Dan-o. Murder One!
Early on the morning of April 11, a flying squad of 15 officers from the Halifax police department’s cyber-crime unit teamed up with the integrated criminal division and raided a house in Halifax’s north end, penned the family in their living room, read them their rights, seized all the family’s computers, including the father’s work-required equipment, “turned over mattresses… took drawers… emptied out drawers… went through personal papers, pictures…” ultimately arresting that 19-year-old young man as if they were taking down a crime boss.
The problem was there had been no crime. The young man was simply doing what journalists, lawyers, and semi-savvy civilians do every day — changing one character on a URL to access the next sequential file in what is a notoriously, laughably insecure government system.
The young man, who explained to the CBC that “I preserve things, I archive the internet,” insisted he’d just been looking for freedom of information releases related to the recent teachers’ dispute with the province.
According to search warrant documents obtained by the Halifax Examiner and the Cape Breton Spectator — thank you for a few factual facts — the criminal had even “made a payment to access information on the FOIPOP website before he downloaded the private information that had been mistakenly placed on the public-facing website, which means provincial authorities had his name and address before going to police.”
Asked Bousquet: “What kind of hacker gives the target of the hacking their name and credit card info first?”
And here’s Bousquet’s even better follow-up: “Will anyone apologize to the 19-year-old and his family?”
The answer to that last question is almost certainly no. The arrogance begins at the top.
Premier Stephen McNeil, who has never done anything for which he feels the need to apologize, or even explain, was his usual dismissive self.
Would he apologize, reporters asked?
Who me, he asked, why would I take responsibility for falsely calling the young man a thief?… Or words to that effect.
“The information was taken outside our system,” were his actual words, failing to mention that his bureaucrats had opened the door, invited the perpetrator in and waved the information goodbye. “We had a responsibility … to turn that over to police,” insisted McNeil. “They did their due diligence and determined the course of action that they’ve taken.”
Nothing to see here folks. Just Stephen McNeil being Stephen McNeil. Again. Still. Always.
That’s why I am not surprised. Again. Still. Always.
The business news website allnovascotia.com reported last week that Neil Pittman, a McInnes Cooper senior corporate lawyer in the firm’s Newfoundland office, had resigned as the result of a workplace harassment complaint by a female employee.
“As soon as we were notified,” the firm’s managing partner, Hugh Wright, told allnovascotia, “we took immediate steps and hired an outside investigator… which resulted in the partner leaving the firm.”
How times have changed.
Back in 1998 — before Harvey Weinstein, before Bill Cosby, before #Metoo — former Nova Scotia Premier Gerald Regan was found not guilty of sexual assault. Given that three dozen women, most of whom did not know one another, had come forward to describe remarkably similar attacks that had taken place over the course of 40 years, the official legal verdict persuaded few.
Despite that, Regan’s reputation did not appear to suffer. In fact, the then-Halifax law firm Patterson Kitz soon rehabilitated him, naming him counsel to the firm. Then Patterson Kitz begat Patterson Palmer, which merged with McInnes Cooper, making Regan part of McInnes Cooper.
When I asked Managing Partner Wright about Regan’s status, he was careful to make that distinction. “Mr. Regan does not have an affiliation with the firm, and hasn’t for several years,” Wright wrote in an email. “He joined the firm as part of the Patterson Palmer merger [in 2005] and served as counsel until he retired in 2015” at the age of 86.
Times have changed. A little. For the better.