A French appeals court has fined an activist 3,000 euros for publishing documents accessed via an open hyperlink in a Google search. The “hacker” was prosecuted despite the fact that the government agency owning the files didn’t pursue a case against him.
For the French blogger, Olivier Laurelli, nicknamed “Bluetouff,” it all started with a simple Google search. While browsing the web for what he claims was an irrelevant subject, the co-founder of the tech-savvy activist news site Reflets.info came across a link to an online documents archive of the French National Agency for Food Safety, Environment, and Labor (ANSES).
The link led to a trove of 7.7 Gigabytes of files on public health, and Laurelli decided they might be worth looking through. For what he later said was for more convenient reading, the activist downloaded the entire online directory with a common Linux tool, and then transferred them to his desktop.
At the time, the blogger judged that the freely available documents of a public establishment “ought to be” legally available for the public to see, quotes the Ars Technica blog.
But soon after posting some scientific slides from the archives
on his website, Laurelli realized that he was wrong.
ANSES discovered their archive was accessed only after the slides on “nano-substances” went public on Reflets.info, French media said. Citing possible “intrusion into a computer system and data theft from a computer,” the agency filed a report with the police, also prompting the French Central Directorate of Interior Intelligence (DCRI) to launch a case.
According to the activist himself, the investigators’ decision to pursue a criminal case against him was fueled by the fact he used a Virtual Private Network (VPN) service that masked his IP address as a Panamanian one. The VPN was actually provided by a security company he owned called Toonux.
Laurelli was then indicted with fraudulently accessing and keeping data, which, according to the French Criminal Code carries up to 2 years in prison and a maximum fine of 30,000 euro (about $41,000).
While testifying, Laurelli admitted he did spot a requirement for login and password at an upper level directory when he tried browsing the ANSES resource further, but there was no explicit indication that the directly accessible files he stumbled on required authorization and were illegal to obtain.
To its own embarrassment, ANSES then discovered the suspected “hacker” did not need to do any hacking as such, because “it was sufficient to have the full URL to access the resource on the extranet in order to bypass the authentication rules on this server.”
The criminal court eventually ruled that Laurelli could not be penalized for accessing data that was not secure. ANSES decided not to pursue any further civil action.
However, the case did not end there as the DCRI decided to appeal the decision and punish the “hacktivist.”
A French court of appeals last week stated that Laurelli was “conscious of his irregular retention of automated data processing,” and still “disseminated” the data to others, and made copies of it “without the knowledge and against the will of its owner.” For this, the court decided to fine the blogger 3,000 euros ($4,100).
The precedent, branded one of the most expensive Google searches in history, caused outrage and concern not only inside France’s tech community, but also among some of the media outlets.
“You can be called a hacker if you search something in Google and accidentally stumble upon documents that shouldn’t have been there in the first place,” Laurelli’s lawyer, Maitre Iteanu, was quoted as saying, calling the accusations “deplorable.”
Le Point has warned that any French citizen can now find oneself in Laurelli’s shoes: “This decision should unsettle all citizens, in particular journalists, who could themselves to be convicted much more heavily when they publish documents with the same motive: that of informing.”
Details of the hearing, which have recently emerged in local media, also offered internet users some food for ridicule, but also highlighted a “hugely troubling” situation in French courts.
French media outlets widely quoted the presiding judge as pronouncing Google as “gogleu” and not being able to comprehend what login is, which the judge allegedly referred to as “lojin.” Even more ridiculous appeared to be the statement attributed to the prosecutor, who is said to have uttered: “half the words I heard today, I did not even understand.”
— Julien G (@Sphinx_Twitt) January 17, 2014
Laurelli himself addressed the issue with humor, tweeting that he is now “officially a cybercriminal.” A sarcastic page on a “public extranet” was also created on Reflets.info, redirecting those who “have the courage” to click a hyperlink to a hidden directory to a site which reads in French:
“Lost on the Internet?
Do not worry, we’ll help you
* <----- You are here”