While he obviously behaved rather irresponsibly, talking openly about a hack he did, the word steal is probably a bit strong.
Odds are the insurance numbers are just some of the things that passed through while he performed the hack, or the first thing he saw when he got in. Not something he intentionally took for his own gain.
Intent should count, but if someone broke into a company's building at night, picked the lock to a manager's desk, and stole all the papers he could see and ran out...obviously a theft has occurred.
Even if he was not looking for anything in particular, or did not plan on using any of the information found in the papers, he's committed a felony.
In this case I don't think it's clear whether or not he went ahead to parse out the insurance numbers and save those separately, and if so if he planned to do anything further with those (like sell them).
Yeah uh, your analogy is terribly wrong and just serves to perpetuate life-destroying punishments for innocuous actions. It's more like a street-level window was left open, and this guy stuck his head in and saw a bunch of papers strewn out on a desk, all while wearing a commonly-worn head-mounted camera. Any seriousness of the situation is related to his ultimate intent, not the hacking itself.
I like your analogy in that it portrays the fact that nothing was physically stolen, much similar to arguments used in piracy issues.
However, my understanding of Heartbleed is it can take many thousands of requests before interesting / meaningful data is returned. I doubt 900 SINs were returned in a single response (I could be wrong). So I suppose this is analogous to repeatedly sticking your head in & out of the wide open window at street-level.
So what I am curious about is where the line is drawn. Is one malicious packet considered enough for an arrest? 1 million?
Well the standard way of answering that question is that it has nothing to do with the number of packets, but with the ultimate intent and actual damages caused. Unfortunately the legal system considers basically any hacking to be witchcraft and is horribly miscalibrated as to what should be considered serious or not.
I think it depends on exactly what he did here. I don't know the details of the case.
If he simply ran the Heartbleed script for an hour or 2 and did literally nothing else after it finished running, then yes, your analogy is the correct one and mine is wrong. In that case he should probably only be liable for the money spent by the agency in investigating the attack.
If he scraped out the SSL private key from the results, that's clearly worse.
If he additionally scraped out everything that fit the format of an insurance number, then it's quite a bit worse.
If he planned on publicizing or personally using any of these, then it's far worse.
I would also argue that it's less like a window being left open, but rather a door located around the back of the building where no one goes accidentally being left unlocked.
What he achieved should only be relevant in how it demonstrates intent. Deducing the SSL key could be done as a proof-of-concept, and should only matter if it can be used to show that he was planning on impersonating the site in furtherance of some other crime.
I do concede that the proper analogy isn't something so plainly visible to all as an open window, but it does have to incorporate an external motivating factor to try the door (perhaps a rumor floating around town that they tend to leave it unlocked and oh boy you wouldn't believe what's on the other side..)
Wow, you seem to be condoning theft here. The CRA website was hacked, using a hacking technique just discovered. It is not like "leaving a street-level window open". It's more like, a new way to pick a lock was discovered that no one knew existed, and he went around picking locks to see what he could find.
He knew he was hacking the CRA when he did it. He can't claim to have done it accidentally. The CRA did everything reasonable to secure their servers.
That said, he's a smart teenager playing with technology and did something he shouldn't have. As long as no one was harmed, and his intentions were just curiosity, I think he should get off pretty light. Hate to see his life ruined.
An open window is easily spotted, so it probably is more appropriate to say an unlocked window. I didn't deny that he hacked the CRA, or even that those actions are wrong in a sense (on a different day/topic I might make that argument..), but am just pointing out the draconian binary punishment for computer crimes that you're also referencing when you say "Hate to see his life ruined".
Let's say on a lark you go walking down the street trying doorknobs, open the first unlocked one, and sit down on the couch and watch TV until the owner gets home. You have trespassed, and if the owner presses charges you will most likely be punished. However, that punishment will most likely be commensurate with the severity of the crime, not life-altering years in prison.