[bjourne]

It matters because the definition of data breach is very broad. For example, if I run a website and tell you that you may not browse my website but you continue to browse my website you may be guilty of data breach. If I tell you not to login to my website but you still login because I forgot to disable your account you very likely is guilty of data breach. Since the city didn't publish their information through an API, nor intended the information to be used by third parties, and also explicitly stated that they did not want Christian's app to access their information, it's quite possible that the app facilitated data breach.

See the Aaron Schwartz trial which was about essentially the same thing.

[krageon]

> you may be guilty of data breach.

No, you may not in this case :) That is why people keep emphasising the way in which the data was published. This is Sweden, not the US.

> the city didn't publish their information through an API

Yes, they did.

> and also explicitly stated that they did not want Christian's app to access their information

If you cannot reasonably be said to have circumvented any technical measures to secure the data (cryptographic keys, some sort of login, IP range blocks, etc) it is not a breach. In that case, it is just you consuming what is there for everyone (like unencrypted wifi - harvesting those signals using SDRs is not an issue because you are not bypassing any security), which is okay.

Edit: Legally okay, that is. How you feel about it ethically is up to you, I'm not talking about that.

[bjourne]

> No, you may not in this case :) That is why people keep emphasising the way in which the data was published. This is Sweden, not the US.

Here is the relevant paragraph:

"För dataintrång döms den som olovligen bereder sig tillgång till en uppgift som är avsedd för automatisk behandling eller olovligen ändrar, utplånar, blockerar eller i register för in sådan uppgift"

The requisites are: "olovligen", "bereder sig tillgång till", and "uppgift som är avsedd för automatisk behandling". Christian's app full fills the requisites.

API means "Application Programming Interface" and if you think the city created or intended to create such a thing you don't know what an API is.

> If you cannot reasonably be said to have circumvented any technical measures to secure the data (cryptographic keys, some sort of login, IP range blocks, etc) it is not a breach.

You have no idea what you are talking about. There are several precedents that show that circumventing technical measures is not required for data breach to have occurred.

[balp]

They for sure intended to make an API, but also intended it only to be used between the two contractors involved in the application development. There was a requirement in the RFQ for the backend to have a well documented API. Almost all of the RFQ was about making an API. In this case the indended user e.g. the parrent is using the API to get the data they are supposed to get. Thou using a different webb-app than the intended one from the city. I have a hard time seeing how the parent by accessing the same data they are supposed to get are doing any crime. The police investigation came to the same comclusion, and the internal investigation at stockholm city also came to this comclusion. That the police cited stockholms internal investigations i think is a nice little detail here. Thou if the app would have given the parents access to data they ware not supposed to get over the API they situations might been an other. Now it's just the same information but persented in a user-friendlier way.

[toolz]

(translated to english)

>For data intrusion, a person who illegally prepares access to information that is intended for automatic processing or illegally changes, deletes, blocks or registers such information is sentenced

This app does not appear to meet this definition as the data they are exposing is not intended for automatic processing, but it is exposing manually consumed data (i.e. the parents were already consuming this data manually) in a different, more accessible way.

I agree the city obviously wasn't intending to expose an API.

Which precedents are you talking about. I don't know much of anything about Swedish law so any precedent you can show would be educational for me.

[krageon]

> There are several precedents that show that circumventing technical measures is not required for data breach to have occurred.

Given that you know significantly more than me perhaps you could give me some examples. I'm always interested to see countries in which such jurisprudence is different from the norm, especially in Europe. Thanks :)