Managed IT Services, IT Security Services, Vulnerability Management and Remediation, Help Desk Support, IT Maintenance Services, Network Administration, Business Continuity Planning, Disaster Recovery Planning, Onsite and Offsite Data Backup, and Information Security Assessment
$4000 Fine For Downloading Files Found by Google
10 February 2014
The inherent difficulties in anti-hacking laws – and part of the arguments behind ‘Aaron’s Law’ designed to amend the Computer Fraud and Abuse Act – have been highlighted in a $4000 fine levied against a French businessman for downloading and republishing health documents he found on the internet via Google.
Admittedly this businessman is also a blogger and internet activist who likes to call himself a ‘hacker,’ but that should not alter the facts – and he uses the term in the original sense (advanced geek) rather than the newer criminal sense.
The facts are these. Olivier Laurelli owns a small security services company that uses VPNs. His own computer automatically accesses the internet via a VPN using an IP address in Panama. While surfing the internet on other subjects, “what he stumbled on was perhaps more interesting,” writes Ars Tecnica: “a link that led to 7.7 Gb of internal documents from the French National Agency for Food Safety, Environment, and Labor (the acronym is ANSES in French).”
Laurelli had earlier written that it was a no-brainer to download the files. Many of the files were publicly available, they were about public health from a public body. So should they be public? “Obvious at the time: yes:” but he added, “I got it wrong.”
He was subsequently prosecuted. ANSES discovered a republished document on the internet, and according to PCinpact, reported him to the police for “intrusion into a computer system and data theft from a computer.” ANSES’ argument was based on the authentication requirements on the home page – had Laurelli accessed the site this way, he would not have been able to download the files. He therefore circumvented the system’s security. Laurelli’s defense was that he was directed to the files by Google, and saw nothing to indicate that he needed to be authorized to download them: he therefore circumvented nothing.
In the event, a court decided that he could not be prosecuted for accessing insecure data. The French Central Directorate of Interior Intelligence (DCRI) however appealed this decision. It would seem that an activist who calls himself a hacker (with the handle ‘bluetouff’) and uses a VPN connecting to an IP address in Panama who downloads files he should not have (however innocently) must, of necessity, be a criminal. Some surface similarities to Aaron Swartz are clear.
During the appeal, the public prosecutor stated, “Half of the words I heard today, I did not even understand,” further highlighting the difficulties between technology and law (Reflets.info). Nevertheless, DCRI’s appeal was successful, and Bluetouff was fined in excess of $4000. Last week he tweeted, “It’s huge 🙂 I am officially a cybercriminal.” What isn’t entirely clear is whether he is being punished for downloading files found via Google or for being an outspoken activist.