Please write to CIPPIC [0] and the Members of Parliament [1] and Members of the Provincial Legislature [2] for both your local jurisdiction if appropriate and Halifax, Nova Scotia to help protect this kid. The federal Minister of Justice [3] and Technology [4] may be good additions.

Remember what happened last time we let a government go wild on a kid incrementing a number in a public URL.

The fact is, it is the organization who published "personally identifiable information" on the public internet who should be punished - and, in any case, criminal law is not the tool to do it. The kid who incremented a number in a URL to download that information is not the bad guy.

What if the kid was not Canadian? Are you going to try to extradite a Russian national over accessing information on a public web server?

When a server announces to the world that it can answer HTTP requests, making a reasonable number of HTTP requests is, to me and most technologists I know, authorization (and thus, should be seen as with colour of right or non-fraudulent). The fact those HTTP requests released data he was apparently not entitled to is a security issue, a bug, a problem to be paid for by the actor who manages the HTTP server, not a problem of law. Unfortunately, this section of law has not been used often enough to clarify to me the interpretation of those words.

Here are some follow-on questions:

- Why was there "personal information" in FOI releases? Surely a FOI release was intended for the public, as that is the intent of the act. Whose fault is it that there was undesired information in the releases?

- How do we get this law changed? As the law is written, it hangs on the words "fraudulently and without colour of right" - the rest of the clause is incoherent babble of a 1985 technophobe.

[0] https://cippic.ca/

[1] https://www.ourcommons.ca/Parliamentarians/en/members/Andy-F...

[2] https://nslegislature.ca/members

[3] http://www.justice.gc.ca/eng/contact/index.html

[4] http://www.ic.gc.ca/eic/site/icgc.nsf/eng/h_00279.html