The Electronic Frontier Foundation has mocked the government of Nova Scotia and Halifax police for sending a police attack squad to criminally charge a teen who took advantage of a blunder to download thousands of documents from a provincial freedom of information website.
Then the charges were dropped.
The EFF gave the province its “What the SWAT?” award as part of its annual list of the worst in government transparency.
As ITWC reported last April, about 7,000 documents were accessed, 250 of which contained “highly sensitive material” including birth dates, social insurance numbers, addresses and government services client information.
In theory applicants for access to documents should have been restricted in what they could get. However, EFF says “at the heart of the ordeal was some seriously terrible security practices by Nova Scotia officials:” The URLs of the documents available on the website were separated only by a series of digits. Anyone who made an access to information request and got an online response could get more and unrelated documents just by changing the numbers.
“What Nova Scotian officials should have done upon learning about leaks in their own public records website’s problems was apologize to the public, thank the teen who found these gaping holes in their digital security practices, and implement proper restrictions to protect people’s private information. They didn’t do any of that,” Instead, the EFF complains, a criminal charge was laid.
It’s a slip that has embarrassed more than one organization.
In January the provincial privacy commissioner issued a report on the incident, saying a “serious lack of security testing” of the website was one of the main factors in the foul-up. The government department “failed to complete a timely and specific security threat and risk assessment after the clear recommendation to do so from Department Cyber Security staff” and the privacy commissioner herself, the report said in part.
“The whole episode—which thankfully ended with the government dropping the charges—was a chilling example of how officials will often overreact and blame innocent third parties when trying to cover up for their own failings,” said the EFF. “This horror show just happened to involve public records. Do better, Canada.”
Sponsor: Micro Focus
How GDPR can be a strategic driver for your business