0
Kennedy

Using Google and Saving Published Documents Now a Crime in France, too

Recommended Posts

Quote

French journalist "hacks" govt by inputting correct URL, later fined $4,000+
A Google search turned up public files that Olivier Laurelli is accused of publishing.

In 2012, French blogger, activist, and businessman Olivier Laurelli sat down at his computer. It automatically connected to his VPN on boot (he owns a small security services company, called Toonux, which was providing a connection via a Panamanian IP address) and began surfing the Web.

Laurelli, who goes by the alias “Bluetouff” in most circles (including on Ars Technica), is something of a presence among the French tech-savvy community. Besides managing Toonux, he also co-founded the French-language activist news site Reflets.info, which describes itself as a “community project to connect journalists and computer networking specialists.” As such, Laurelli initiated a Google search on other subjects, but what he stumbled on was perhaps more interesting: a link that led to 7.7 Gb of internal documents from the French National Agency for Food Safety, Environment, and Labor (the acronym is ANSES in French).

Although the documents were openly indexed by Google, Laurelli would soon be in the French government’s crosshairs for publishing them. He eventually faced criminal charges, though he was later acquitted of those. However, a separate government agency pursued a civil appeal. And last Tuesday, a French appeals court fined Laurelli 3,000 Euros (or a little over $4,000), meaning he likely made one of the more expensive Google searches to date.

(Snip)


witty subliminal message
Guard your honor, let your reputation fall where it will, and outlast the bastards.
1*

Share this post


Link to post
Share on other sites
Quote

It automatically connected to his VPN on boot (he owns a small security services company, called Toonux, which was providing a connection via a Panamanian IP address) and began surfing the Web.



Sounds completely legit :S
Owned by Remi #?

Share this post


Link to post
Share on other sites
[complete side note] What, you've never used a VPN? I have. In fact I run one at home that I only use for laptop and mobiles when using other wifi (unlike the ignorant, I prefer not to broadcast my passwords, emails, and other data in the open). I've also used foreign ones to see content that I don't see from home, or to see what happens when a foreign IP looks at a domestic project, and if I go overseas again, just using my home VPN will be "using a foreign IP" in that country's eyes.

Do you think krebs or anyone else in security work only use their local IP?

Add to that the fact that the guy wants to connect with journalists. Any journalist worth his notebook should know about establishing (relatively) safe and private communications.

Back to the point: do you think punishing someone for looking at data published to the internet and cached by Google should be a crime? Seems to me that the crime (I any) was commited by whatever dumbass published private or protected data to the internet.
witty subliminal message
Guard your honor, let your reputation fall where it will, and outlast the bastards.
1*

Share this post


Link to post
Share on other sites
Most everyone from the US that is stationed in Europe uses one. You can't watch netflix and other video from home unless you have one.
I know it just wouldnt be right to kill all the stupid people that we meet..

But do you think it would be appropriate to just remove all of the warning labels and let nature take its course.

Share this post


Link to post
Share on other sites
Sounds like the Government IT screwed up and now they're trying to save face (But looking even further like idiots).
When an author is too meticulous about his style, you may presume that his mind is frivolous and his content flimsy.
Lucius Annaeus Seneca

Share this post


Link to post
Share on other sites
Quote

do you think punishing someone for looking at data published to the internet and cached by Google should be a crime?



Just as a side note (it doesn't really speak to your point), and FWIW, let's not forget that in many jurisdictions merely looking at, and especially downloading, child porn obtained via openly-accessible internet sites is a criminal offense.

Share this post


Link to post
Share on other sites
Granted. But at least in that case both server and client are involved in and charged with a crime. I really don't see how receiving can be a crime when sharing isn't.
witty subliminal message
Guard your honor, let your reputation fall where it will, and outlast the bastards.
1*

Share this post


Link to post
Share on other sites
Andy9o8

Quote

do you think punishing someone for looking at data published to the internet and cached by Google should be a crime?



Just as a side note (it doesn't really speak to your point), and FWIW, let's not forget that in many jurisdictions merely looking at, and especially downloading, child porn obtained via openly-accessible internet sites is a criminal offense.



Is the criminal offense downloading the material though or possession of the material regardless of where you got it from? Just having leaked documents like in this story is not necessarily a crime, particularly if you've not previously entered into any kind of NDA that covers them.

If you break into a building and take documents that's obviously a chargeable offense. If you walk into a building uninvited, and sneak into an office area by following people, grabbing doors before they close, generally abusing crap security practices, and take documents that's still probably still the same chargeable offense. If the entity inside the building just throws unshredded copies of the documents in a recycle bin and puts it out on the curb and you reach into the bin and take them, then I'm not sure you've done anything illegal (my wild guess would be this varies by jurisdiction.)

The question, in my opinion, is to which of the above is "directory diving," or going through publicly accessible but unadvertised unlinked content, analogous.

Share this post


Link to post
Share on other sites
champu

***

Quote

do you think punishing someone for looking at data published to the internet and cached by Google should be a crime?



Just as a side note (it doesn't really speak to your point), and FWIW, let's not forget that in many jurisdictions merely looking at, and especially downloading, child porn obtained via openly-accessible internet sites is a criminal offense.



Is the criminal offense downloading the material though or possession of the material regardless of where you got it from? Just having leaked documents like in this story is not necessarily a crime, particularly if you've not previously entered into any kind of NDA that covers them.

In the very narrow example I mentioned, most statutes in the US I'm familiar with make even the mere possession (although it usually must be knowing possession) of child porn unlawful, regardless of the means or source by which you came to possess it. But that might be more of an exception to the broader points that the OP and you are each discussing. I don't want to distract too much from the point of that discussion.

Share this post


Link to post
Share on other sites
Quote

If you break into a building and take documents that's obviously a chargeable offense. If you walk into a building uninvited, and sneak into an office area by following people, grabbing doors before they close, generally abusing crap security practices, and take documents that's still probably still the same chargeable offense. If the entity inside the building just throws unshredded copies of the documents in a recycle bin and puts it out on the curb and you reach into the bin and take them, then I'm not sure you've done anything illegal (my wild guess would be this varies by jurisdiction.)

The question, in my opinion, is to which of the above is "directory diving," or going through publicly accessible but unadvertised unlinked content, analogous.



Abandoned property is fair game in pretty much every jurisdiction. If it weren't, how could law enforcement ever use that exception to fourth amendment protections?

Coming back to data (not physical property), if it is published to public facing internet, there cannot be any reasonable argument that reading it is stealing. (courts have not caught up to this fact yet, but courts have been wrong before and will be again)
witty subliminal message
Guard your honor, let your reputation fall where it will, and outlast the bastards.
1*

Share this post


Link to post
Share on other sites
Kennedy

Quote

If you break into a building and take documents that's obviously a chargeable offense. If you walk into a building uninvited, and sneak into an office area by following people, grabbing doors before they close, generally abusing crap security practices, and take documents that's still probably still the same chargeable offense. If the entity inside the building just throws unshredded copies of the documents in a recycle bin and puts it out on the curb and you reach into the bin and take them, then I'm not sure you've done anything illegal (my wild guess would be this varies by jurisdiction.)

The question, in my opinion, is to which of the above is "directory diving," or going through publicly accessible but unadvertised unlinked content, analogous.



Abandoned property is fair game in pretty much every jurisdiction. If it weren't, how could law enforcement ever use that exception to fourth amendment protections?



That's my take on it too, I just stated it very weakly. The parenthetical comment was just to say I'm not sure there aren't some corner cases where this would be a crime. I can't think of any examples though.

Kennedy

Coming back to data (not physical property), if it is published to public facing internet, there cannot be any reasonable argument that reading it is stealing. (courts have not caught up to this fact yet, but courts have been wrong before and will be again)



I agree with you here, and my three cases were meant to represent, respectively, actively breaking security (stolen credentials, exploiting a zero day vulnerability, etc.), taking advantage of lax security (using known broken software, wi-fi with no VPN, password is '12345', etc.), and simply accessing published files (even if they were published by mistake.)

As I said, I think the battle is between how much behavior to include in each of the last two categories.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

0