- Evan d’Entremont is a local software developer and security researcher who spends his time solving complex problems. His background is in web application development and embedded hardware and he currently connects safety critical robots to the internet for fun and profit.
It’s been a few months now since a 19-year-old Nova Scotian’s family home was raided over a rarely used “unauthorised access to computer” charge, which is a federal offence carrying up to 10 years in prison.
There’s a hole in the middle of this whole story that needs to be addressed: civil servants lied to police to secure that arrest.
To use the Sagan standard: "Extraordinary claims require extraordinary evidence." The only way that anyone can entertain the idea that our provincial government lied to the police, is if the alternative—that they didn’t—was even more absurd.
I was invited to speak at AtlSecCon regarding the FOIPOP issue and walked through the NS Internal Services’ privacy breach response policy. The "breach response team" followed policy to the letter. Everything fell apart when it came to identifying the risk.
Say someone had simply emailed all the same documents to the 19-year-old:
“For a misdirected email, if you can, try to retract the email or contact the recipient and ask them to delete the email from their system and confirm that there was no further disclosure of the email” —Page 8, IAP Services Privacy Breach Protocol v 1.0 (July 2017)
By calling it an "intentional breach," by a "hacker" the risk assessment leads them down a very different path, one involving law enforcement.
It's clear that nothing was "hacked," and in fact, the province left the documents unprotected. I've read the "Privacy Impact Assessment" signed off on by Sandra Cascadden, CIO of Nova Scotia and Jeff Conrad, deputy minister of Internal Services, before launching the FOIPOP portal. The only technical safeguard in place was HTTPS encryption. (The same thing that protects your credit card number from third parties when you buy things online.)
The response team knew exactly what happened before they went to the police, as was confirmed by the CIO's comments in the media.
“Unfortunately, what had happened is someone went in through the URL and just sequentially went through every document available on the portal.” —Sandra Cascadden, P.Eng, April 12.
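The sequential walk Cascadden describes leaves a distinctive trace in the web server's access log, which is how a portal owner would normally spot it. This added example (not code from the province, the portal or the author) flags clients that request consecutive document IDs; the /foipop/documents/<id> path, the IP addresses and the log lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not from the province's systems): one client walks
# document IDs in order, another fetches a single document it was sent a link to.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2018:10:01:02] "GET /foipop/documents/1041 HTTP/1.1" 200 5123
203.0.113.7 - - [03/Mar/2018:10:01:03] "GET /foipop/documents/1042 HTTP/1.1" 200 4411
203.0.113.7 - - [03/Mar/2018:10:01:04] "GET /foipop/documents/1043 HTTP/1.1" 200 9821
203.0.113.7 - - [03/Mar/2018:10:01:05] "GET /foipop/documents/1044 HTTP/1.1" 200 1207
198.51.100.20 - - [03/Mar/2018:10:02:11] "GET /foipop/documents/2207 HTTP/1.1" 200 3310
203.0.113.7 - - [03/Mar/2018:10:01:06] "GET /foipop/documents/1045 HTTP/1.1" 200 7732
"""

# Assumed URL layout: a numeric document ID is the last path segment.
LINE_RE = re.compile(r'^(\S+) .*?"GET /foipop/documents/(\d+) ')

def parse_requests(log_text):
    """Return {client_ip: [document_id, ...]} in the order the requests appear."""
    requests = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            requests[m.group(1)].append(int(m.group(2)))
    return requests

def longest_sequential_run(ids):
    """Length of the longest run where each ID is exactly the previous one plus one."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def flag_enumerators(log_text, min_run=4):
    """Clients whose request stream contains a run of at least min_run consecutive IDs."""
    runs = {ip: longest_sequential_run(ids) for ip, ids in parse_requests(log_text).items()}
    return {ip: n for ip, n in runs.items() if n >= min_run}

if __name__ == "__main__":
    print(flag_enumerators(SAMPLE_LOG))  # {'203.0.113.7': 5}
```

A check like this only detects the pattern after the fact; the safeguard the Privacy Impact Assessment lacked is an authorization check on every document request, so that a valid URL alone does not return a file.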
I’d love to know who actually lied, but the complainant's name was redacted from the warrant.
“But when [redacted] spoke with Halifax Regional Police, they stated ‘the province discovered that someone had "Hacked" into Province of Nova Scotia confidential files.’” —ITO #18-51500 filed by detective constable Steve Millaire, April 9.
And that’s the real problem: the Privacy Act protects advice from a deputy minister. Most of this will never come to light unless minister of Internal Services Patricia Arab releases it, and even then only with the premier’s permission.
The premier has been asked to apologize for his own comments. He hasn’t. Now that everything's coming out of the woodwork, the responsible thing to do would have been to admit he was wrong and hold the right people accountable. Instead, the McNeil Liberals have doubled down and taken every opportunity to shield the bureaucrats from responsibility.
What's more likely? That a certified information security professional, a professional engineer, and a career bureaucrat completely misunderstood how the internet works? Or that they actively lied to police, to the legislature, to the media and to the public to protect their careers?
The province is hoping this goes away, and if it does, nothing will change.
Welcome to Nova Scotia.