I’m a panelist at the Media and the Law Conference this morning, and as usual I’m having to spend the last hours before the conference to prep. So this is a short Morning File.
1. We’ve published the search warrant documents
On Tuesday, the Halifax Examiner and Cape Breton Spectator obtained court documents related to the security failure of the province’s Freedom of Information and Protection of Privacy (FOIPOP) website.
Let’s review what happened.
The specific failure was that provincial employees mistakenly uploaded thousands of pages of documents onto the FOIPOP site. Those documents contained the personal information of citizens, including in some cases their social insurance numbers and birth dates. (Full disclosure: I’ve been notified that my own personal information was mistakenly loaded to the site, although I think that is merely my email and mailing addresses.)
The main page of the FOIPOP site did not link to the documents, nor was there a published index of the documents, but they were publicly available all the same — anyone could type in the right URL and one of the documents would pop up on their computer screen. As it turns out, the documents were numbered sequentially, so all you had to do was add one to each URL to get the next document. See Brett Ruskin’s excellent explanation of how you could do that:
VIDEO: Nova Scotia’s government is accusing a 19-year-old of breaching their government website’s security ~ Privacy experts disagree.
Oh, and here’s how the teen did it: pic.twitter.com/FQ2qXJoP89
— Brett Ruskin (@Brett_CBC) April 13, 2018
When provincial employees learned that they had mistakenly placed citizens’ personal information on a public-facing website, they wanted to know if someone had accessed that information. They determined that someone had. They had the IP address of someone who had accessed the FOIPOP site, and they saw that that person had come to the site several times, and at 1:11pm on March 3 commenced to download all the public-facing pages. It took about 34 hours for the download to complete.
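For readers who run web servers, here is a sketch of the kind of log check that surfaces this access pattern: one client requesting sequentially numbered documents one after another. It is an added example, not code from the province or from the court documents; the log lines are constructed, and the `/docs?id=` path is a hypothetical stand-in for the real URL scheme, which this article does not give.

```python
import re
from collections import defaultdict

# Constructed sample in common log format. The path and "id" parameter are
# hypothetical; the addresses come from documentation-only IP ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2018:13:11:02 -0400] "GET /docs?id=1001 HTTP/1.1" 200 48213
203.0.113.7 - - [03/Mar/2018:13:11:09 -0400] "GET /docs?id=1002 HTTP/1.1" 200 51877
203.0.113.7 - - [03/Mar/2018:13:11:15 -0400] "GET /docs?id=1003 HTTP/1.1" 200 20934
203.0.113.7 - - [03/Mar/2018:13:11:22 -0400] "GET /docs?id=1004 HTTP/1.1" 200 77120
203.0.113.7 - - [03/Mar/2018:13:11:30 -0400] "GET /docs?id=1005 HTTP/1.1" 200 31002
203.0.113.7 - - [03/Mar/2018:13:11:37 -0400] "GET /docs?id=1006 HTTP/1.1" 200 40555
203.0.113.7 - - [03/Mar/2018:13:11:44 -0400] "GET /docs?id=1007 HTTP/1.1" 404 512
198.51.100.23 - - [03/Mar/2018:14:02:10 -0400] "GET /docs?id=1003 HTTP/1.1" 200 20934
198.51.100.23 - - [03/Mar/2018:14:05:41 -0400] "GET /docs?id=1050 HTTP/1.1" 200 18440
198.51.100.23 - - [03/Mar/2018:14:06:03 -0400] "GET /docs?id=1051 HTTP/1.1" 200 26731
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /docs\?id=(\d+) HTTP/[\d.]+" (\d{3})')

def parse(log_text):
    """Yield (client_ip, doc_id) for each document request that returned 200."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "200":
            yield m.group(1), int(m.group(2))

def longest_sequential_run(ids):
    """Longest streak in which each request is the previous document id + 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def flag_enumeration(log_text, min_run=5):
    """Map each client whose longest +1 streak is at least min_run to that length."""
    per_client = defaultdict(list)
    for ip, doc_id in parse(log_text):
        per_client[ip].append(doc_id)
    runs = {ip: longest_sequential_run(ids) for ip, ids in per_client.items()}
    return {ip: n for ip, n in runs.items() if n >= min_run}

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

A check like this only tells you what has already happened. The underlying fix is for the server to confirm, on every request, that the requester is allowed to see that particular document.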
We now know that the provincial employees knew something else: someone using the same IP address that was later used to download the documents had a few days before made a payment to the FOIPOP site. That’s right: the person first used a credit card on the site. That means the province had the person’s name and credit card information.
When the provincial employees learned of their screw-up, the correct thing to do would have been to own up to it, issue a bunch of mea culpas, contact the people whose information had been improperly secured and apologize to them, and contact the person who downloaded the information and ask them to delete it. That last wouldn’t have been hard to do — they had his credit card information, after all.
Instead, they went on the attack. They contacted Halifax police and told them the website had been “hacked,” the provincial computer system had been “compromised,” and that the documents had been “taken.”
None of that was true.
Unfortunately, the police investigators assigned to the case appear not to have had even a rudimentary understanding of how internet security works, and they didn’t ask for the assistance of anyone who did. This should worry us. The police are increasingly investigating cyber crime and issues like child porn on the internet; perhaps there should be more in-house IT expertise.
And police didn’t step back and ask simple questions. Like, Why would a hacker first give the target of a hack their credit card information? And, Why wouldn’t a hacker use a virtual private network (VPN) to mask their identity?
The police would go on to portray the supposed hacker as an IT mastermind — with presumed “knowledge of data Science, Network Penetration, Network Security and/or Machine Learning” — and yet that person was stupid enough to use their credit card and openly use their home IP address to conduct this masterful “hack”? That’s absurd on the face of it.
In any event, the police accepted the provincial employees’ statements as simply true: the provincial computer system had been hacked, and some devious person had stolen private citizens’ information.
Even with that, there’s another failure in the investigation. Police at this point knew that the province had the credit card information of the supposed hacker, but they didn’t ask for it.
Instead they wanted to identify the supposed hacker via their IP address. And so they applied to Justice of the Peace Judith Gass for a production order that would require Eastlink to identify the owner of the IP address. The police application to Gass came in the form of an “Information to Obtain” (ITO), which spells out the details police had gathered through their investigation and why they felt they needed the production order.
Gass granted the order. It seems Eastlink quickly provided police with the name of the owner of the IP address, and the home address of that person. It turns out the owner was a 19-year-old man living with his parents and 13-year-old sister in Halifax’s north end. Police then went back to a justice of the peace (I’m guessing, probably Gass again) and applied for a search warrant of the teenager’s house. The application for the search warrant would have included a second ITO, probably containing much the same information included in the ITO for the production order. The justice of the peace granted the search warrant.
Police then executed the search, sending 15 officers to seize all the computers and other devices in the teenager’s house, and to arrest the teenager. Read CBC reporter Jack Julian’s account of the search here.
That police response was over the top. Fifteen cops aren’t often sent to arrest murder suspects. I can’t say why police felt such a large operation was needed to execute a simple search warrant related to suspicion of a nonviolent crime.
After considerable public outcry, police announced on Monday that they were not pursuing charges against the teenager.
In the meanwhile, however, the Examiner and Spectator had been working to obtain the ITO used in the application for the search of the teenager’s home. We had hired lawyer David Coles to represent us, and after about a week of back-and-forth with the city’s lawyer, Marty Ward (representing the police department), we appeared in court on Tuesday to ask Judge Gregory Lenehan to unseal the ITO. This was coincidentally the morning after police announced they weren’t pursuing charges against the teenager. Lenehan agreed to our request and ordered the ITO unsealed.
Unfortunately, however, we were given the wrong ITO. We received the ITO for the production order to Eastlink and not the ITO for the search warrant of the teenager’s house. I can’t explain how that mix-up happened. We could go to court again and ask for the right ITO, but we’re not exactly made of money — Coles doesn’t come cheap — and I suspect that the second ITO pretty much contains the same narrative as the first ITO, so I doubt we’d get much new information in any event.
Anyway, the ITO in hand, we published two articles Tuesday afternoon. The first details the information in the ITO. The second is an explainer of how the search warrant process works, and is an insider look at how we decided to report on these issues.
On Tuesday, we did not publish the actual ITO. There were two reasons for this.
First, while the name of the teenager was redacted from the ITO we received, the document had enough information — including his home address — such that anyone could easily figure out who he is. We had no desire to out the guy, who has asked for his privacy to be protected. I view him as a hapless victim in this case.
Second, this was our story and we didn’t want to simply give it away to other reporters. They could at least walk down to the courthouse and get the document themselves. Call that petty if you will, but it was our initiative and our money that got the ITO unsealed, and we wanted to own the story for as long as we could.
Yesterday, however, I got wind that other reporters were re-reporting the story, so I decided to publish the ITO. What I published has two levels of redaction. The first are empty white spaces that are the court-ordered redactions of people named in the ITO. The second (black lines) are my own redactions, removing other information that could be used to identify the teenager.
And those other reporters have now written their articles. Click here to read Jack Julian’s take on the ITO, and click here to read CP reporter Michael Tutton’s account. Both credited the Halifax Examiner for unsealing the document, and that’s appreciated.
There’s more reporting to do on this story, and I hope to follow up on lots of loose ends. This isn’t over.
1. Inglis Street fire
“It was sad to get up the other morning and learn that the Knightsbridge apartment building on Inglis Street was on fire,” writes Stephen Archibald:
I don’t know anything about the fire or the fate of the unfortunate residents who have lost their homes, but I do have a few thoughts about the building, because in the 80s we lived just across the street.
This is a view from our kitchen window of the building about 1980. Built around 1900 as three attached houses, it had become a rooming house for working poor people. On summer evenings, residents would sit on the front steps and banter back and forth.
This is a pretty amazing post from Archibald, but I don’t want to over-quote from it. It’s short; go read it yourself.
No public meetings.
In the harbour
1am: Atlantic Star, container ship, sails from Fairview Cove for Liverpool, England
5:30am: Undine, car carrier, arrives at Autoport from Southampton, England
7am: Nolhanava, ro-ro cargo, arrives at Pier 36 from Halifax to Saint-Pierre
4:30pm: Nolhanava, ro-ro cargo, sails from Pier 36 for Saint-Pierre
8pm: Oceanex Sanderling, ro-ro container, sails from Pier 41 for St. John’s
We’ll be publishing the Examineradio podcast later today.