Article content continued

“If this is all that there is to it, he found a server that was configured for public access and downloaded the contents, I find it hard to see what the issue is,” said Dan O’Sullivan, cyber risk analyst at UpGuard, a cybersecurity company that works with organizations like NASA and the New York Stock Exchange.

“The question to me should be, why was it configured that way?” he said.

There’s also a fear in the cybersecurity community that prosecuting benign incidents can be counterproductive. Some organizations encourage researchers and hackers to report vulnerabilities and even offer “bug bounties” of thousands of dollars.

This wasn’t a hack. This wasn’t someone stealing a password. Brenda McPhail, a director at the Canadian Civil Liberties Association

“There’s certainly a chilling effect anytime something like this happens, because it makes legitimate researchers afraid of finding potentially critical data exposures,” said O’Sullivan.

It will also do nothing to discourage the actual malicious actors out there, he said.

Unless there’s more to the story, “it’s hard to see what he did wrong,” said Brenda McPhail, a director at the Canadian Civil Liberties Association.

“This wasn’t a hack. This wasn’t someone stealing a password,” McPhail said. “This was just someone changing a number at the end of a URL to go through it and download a batch of documents.”

It is fairly common for governments and corporations to have some kind of reporting system for anyone who finds these flaws. In the Nova Scotia case, the teen says he wasn’t even aware the files were supposed to be private, and so couldn’t have reported it either way. The files containing personal information were mixed in with the publicly released ones.