Michael Eriksson's Blog

A Swede in Germany

The danger of neglecting civil rights / absurd events in Canada


I have seen a recent slew of news articles in Germany dealing with various restrictions of citizens’ rights and/or removal of protective restrictions on police (and whatnot) work, notably in Bavaria; and recently heard of a very similar negative development in Austria. I had planned to write a post on these (see also a few older discussions, e.g. [1], [2]), but yesterday I encountered a Canadian case so grotesque and Kafkaesque that I will refocus on it.

It appears* that a government server made a few thousand documents accessible to the public. In most cases, these documents were actually intended for public consumption; in a few hundred, due to gross negligence, they contained data that should have been kept secret**. A teenage boy went to this public server, having no idea (and no even semi-reasonable reason to assume) that there was sensitive information present, and automatically downloaded the complete set of documents, using the observation that their names were based on a trivial numbering scheme.*** The subsequent events included e.g. a 15-officer raid on his home, the seizure of several computers (only one of which belonged to him), and unacceptable actions towards his younger siblings by the police.

*I draw on a CBC article and several links in that article.

**Specifically, personal information relating to individual citizens.

***This type of automatic download is something that I have done repeatedly myself, be it either to allow myself off-line access or to circumvent a poor user interface. There is nothing remarkable about someone with the right knowledge doing something like that, it is a perfectly legitimate technique, and (unlike the apparent characterizations by the police in this case) it does not constitute any type of security breach/circumvention.

There are several troubling aspects involved, including:

  1. A massive overreaction, even had something illegal taken place, with a complete disregard of the interests of the “criminal” and his family. I note in particular that the act of seizing computers is almost never acceptable (although often legal and commonly used), cf. [1]. The size of the operation and the treatment of the individuals, including several teenagers, the lack of access to lawyers, etc., speak for themselves.

    A particular issue is the (lack of) illegality of the downloads per se: There is nothing here that could have been deemed illegal by any reasonable third party (barring the possibility of utterly absurd Canadian laws)—and this must have been obvious even at the beginning of the investigation.

    Another issue is the “mens rea”: There are no even semi-reasonable grounds to assume its presence and no reasonable possibility to prove it*—and this, too, must have been obvious even at the beginning of the investigation, meaning that even if the act had been criminal, this was the wrong way to retaliate.

    *There are cases when a “mens rea” is an almost given; there are cases where it might or might not have been present; and there are cases where it more-or-less can be ruled out in advance. This is one of the latter. A reasonable analogy would be if someone went to a public information stand, picked up one of each of the present brochures, and one of the brochures turned out to contain classified information that should never have been put there in the first place.

    At best, the events are proof of truly massive incompetence and lack of judgment on behalf of the police and other involved government agencies; at worst, it is a deliberate abuse of power. Someone or some group needs to be fired, possibly even prosecuted, over these events.

  2. Even the fact that it was possible to track the events back to the individual is potentially troubling (depending on circumstances that are not described in the accounts I have seen). Most likely they involve a storage of IP addresses that would have been illegal in Germany, as well as a back-tracking of IP addresses in a manner that should be reserved for bigger crimes.

    Of course, if this “crime” had been perpetrated by a competent malicious entity, such back-tracking would not have been possible, or only possible with considerably more effort, seeing that such an entity would have used some type of anonymization, e.g. through multiple VPNs or Tor. Often, this entity would not even have been in a jurisdiction where it could have been touched. Regular local teenagers can be caught in this manner; professional crackers working for the Russian government or a criminal organization cannot. This is one of many examples of rules, regulation, technical counter-measures, …, that affect the innocent, the naive, the small-time criminal, whatnot, heavily—while leaving the big-timers merely inconvenienced. (Cf. e.g. a post on DRM.)

  3. The original download of secret data was only possible due to gross negligence and/or incompetence on behalf of the government—again, the type where a firing, possibly even a criminal prosecution, is the correct measure: Personal, secret information was put on a public server without any type of protection, no password, no encryption, …

    Either the decision makers and/or developers* realized that this type of download was possible, were grossly negligent in not improving the setup, and need to be fired; or they failed to reach this absolutely obvious realization, implying such a lack of competence and judgment that they need to be fired. Take your pick: Either way, they need to be fired.

    *I am too far away from the issue to be more specific. For instance, if the decision maker(s) were told of the problem by a junior developer, and instructed the junior to ignore it, the junior might be forgiven. For instance, if a senior developer saw the problem and failed both to correct the matter and to discuss it with the decision maker(s), the decision maker(s) might be free from blame.

    In fact, the situation is so embarrassingly bad, that I am surprised that whoever is in charge did not prefer to hush it up… Then again, the understanding of how embarrassingly bad it was might have also been missing, considering the demonstrated incompetence…

    (The articles that I have read have been weak on technical details, but from context I would speculate that there was a scheme in place, where inquiries by the public were answered by uploading a file, giving the inquirer the URL to the file, and then relying on no-one else knowing the relevant URL for secrecy. This would be an inexcusably incompetent application of “security through obscurity”: Security through obscurity is not acceptable as more than an additional measure on top of the real security to begin with. Here, however, it was doomed to complete failure from the start because of the naming scheme used—there was no real “obscurity” present either, meaning that even the pseudo-security it could have given was absent.)
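The scheme speculated about above, next to a version in which access depends on who is asking rather than on knowing the URL, as an added example that is not part of the original post. The `/docs/` layout, the sample replies and every name in the code are assumptions made for illustration, and authentication of the requester is assumed to happen elsewhere.

```python
import secrets

# Constructed sample data (not from the real case): number -> (inquirer, body).
REPLIES = {
    1001: (None, "public brochure"),            # None = meant for everyone
    1002: ("bob", "reply with bob's personal data"),
    1003: (None, "public statistics"),
}

def weak_fetch(path):
    """Speculated scheme: /docs/<running number>, no check of who is asking."""
    entry = REPLIES.get(int(path.rsplit("/", 1)[1]))
    return entry[1] if entry else None

def audit_weak_exposure(first, last):
    """Private replies an anonymous visitor reaches by counting first..last."""
    return [n for n in range(first, last + 1)
            if n in REPLIES and REPLIES[n][0] is not None
            and weak_fetch(f"/docs/{n}") is not None]

class HardenedStore:
    """Access is decided by who is asking; the random name is only an extra."""

    def __init__(self):
        self._docs = {}  # token -> (owner or None for public, body)

    def publish(self, body, owner=None):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._docs[token] = (owner, body)
        return f"/docs/{token}"

    def fetch(self, path, authenticated_user=None):
        entry = self._docs.get(path.rsplit("/", 1)[1])
        if entry is None:
            return None
        owner, body = entry
        # Private replies go only to their authenticated owner.
        if owner is not None and owner != authenticated_user:
            return None
        return body

def demo():
    store = HardenedStore()
    private = store.publish("reply with bob's personal data", owner="bob")
    return {
        "weak_private_exposed": audit_weak_exposure(1000, 1010),
        "anonymous": store.fetch(private),
        "bob": store.fetch(private, authenticated_user="bob"),
        "counting": store.fetch("/docs/1002"),
    }
```

Even if a hardened URL leaks, the private reply stays closed to anyone but its owner, which is the difference between obscurity as an extra layer and obscurity as the only layer.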

A highly disturbing part of these developments in general is that countries normally considered “highly civilized” (“progressive”, “democratic”, “modern”, whatnot; often ranking highly on e.g. the Human Development Index and the Where-to-be-born-Index) are surprisingly great offenders: The problems are not limited to dictatorships or countries lacking a “democratic tradition”. In at least some areas, the likes of Canada, Australia, and my native Sweden, are actually among the worst offenders, especially when it comes to issues of morality, orthodox thought, sexual behaviors, … (Possibly, due to a larger influence of PC groups. Canada, e.g., has repeatedly caused controversy in areas like human rights and free speech.)

I suspect that this is due to a mixture of two factors: Firstly, many of these countries have grown used to strong governments and massive government interference in daily life. Secondly, these countries are often far away from a period of massive “evil”* government and have forgotten that laws and regulation concerning the government and its agencies, especially law enforcement, must be written under the assumption of an “evil” government, in order to protect the rights of the citizens and to protect the core democratic values**. (I considered adding a factor of “politicians are convinced that they know best” or similar, cf. several older posts; however, I very much doubt that this is specific to this type of country.) My adopted Germany, sadly, provides a partial counter-example to this: Yes, I can see how people would be short-sighted and historically ignorant enough to overlook the relevance of the events in Nazi-Germany, with only a small fraction of the current population having a part of their adult lives in that period; however, the collapse of the GDR is only three decades back.

*There are many cases, including most dictatorships, where the government has been more-or-less an evil throughout. However, even in the absence of such “great evil”, there are countless “small evils” in basically any state, be it through self-serving and vote-fishing politicians, incompetent or lazy civil servants, corrupt judges, laws that are not sufficiently well thought-through or violate the constitution, … The core of civil rights is and must be protection against the government, not only to make it harder for a “great evil” to arise, but also to protect us against the daily “small evils”. Unfortunately, depressingly large parts of the population (let alone government…) seem to believe that the government is good throughout and will remain so ad aeternum.

**I note that I consider such values to be more important than democracy itself, with democracy being merely a “least evil”. Cf. e.g. Democracy Lost.


Written by michaeleriksson

May 1, 2018 at 5:29 pm

4 Responses


  1. […] To expand on the latter: While he claims to try to see various sides of the issue, he is clearly very set on the advantages that surveillance, lack of encryption, whatnot can bring to law enforcement. He does not appear to understand the technical risks involved and how opening doors for the government also opens doors for criminals; he fails to consider that we must always have regulations based on the assumption of an evil government, because a good government today does not imply a good government tomorrow; that e.g. anti-encryption regulation will hit “small timers” much worse than “big timers”, who have the resources to work around such regulations. Cf. e.g. my previous post. […]

  2. […] a positive development of the events discussed in a previous post, it appears that the charges have been dropped. (Cf. e.g. [1], […]

  3. […] a disturbing parallel to a recently discussed real case, it is claimed that the police brought him away in handcuffs in the middle of the night, over […]

  4. […] speech by someone in a position to cause trouble? What if the police overreacts as mindlessly as in [3]? What if our own words are judged by such absurd criteria as in [1]? How do we know that factual […]

