
French journalist "hacks" govt by inputting correct URL, later fined $4,000+

A Google search turned up public files that Olivier Laurelli is accused of publishing.


In 2012, French blogger, activist, and businessman Olivier Laurelli sat down at his computer. It automatically connected to his VPN on boot (he owns a small security services company, called Toonux, which was providing a connection via a Panamanian IP address) and began surfing the Web.

Laurelli, who goes by the alias “Bluetouff” in most circles (including on Ars Technica), is something of a presence among the French tech-savvy community. Besides managing Toonux, he also co-founded the French-language activist news site Reflets.info, which describes itself as a “community project to connect journalists and computer networking specialists.” As such, Laurelli initiated a Google search on other subjects, but what he stumbled on was perhaps more interesting: a link that led to 7.7 Gb of internal documents from the French National Agency for Food Safety, Environment, and Labor (the acronym is ANSES in French).

Although the documents were openly indexed by Google, Laurelli would soon be in the French government’s crosshairs for publishing them. He eventually faced criminal charges, though he was later acquitted of those. However, a separate government agency pursued a civil appeal. And last Tuesday, a French appeals court fined Laurelli 3,000 Euros (or a little over $4,000), meaning he likely made one of the more expensive Google searches to date.

On that fateful night, Laurelli merely used the Linux Wget tool to download all of the contents of the Web directory that he found. He left the files on his drive for a few days and then transferred them to his desktop for more convenient reading (which the French government would later spin as “the accused made backup copies of the documents he had stolen”). A few days later, Laurelli searched through the documents he downloaded and sent some to a fellow Reflets writer, Yovan Menkevick. About two weeks later, a few interesting scientific slides pertaining to nano-substances from the cache were published on Laurelli's site.

He later wrote about how he reacted when discovering the documents—that is, how he faced what at the time was a non-dilemma:

Through a Google search which strictly did not have anything to do with ANSES or with public health, I found myself in the ANSES extranet. Simply by clicking on a search result.

  • First observation: there are a lot of documents freely available here.
  • Second observation: they speak about public health.
  • Third observation: L’ANSES is a public establishment.
  • Question: Is it that this ought to be public?
  • Response: (too) obvious at the time: yes.

…I did it wrong.

According to French-language site PC Inpact, when ANSES discovered the slides in question on Reflets.info, the agency filed a report with the police, “citing potential ‘intrusion into a computer system and data theft from a computer.’” At that point, France’s Central Directorate of Interior Intelligence (or DCRI in French) joined the case to investigate how the files had been “hacked.”

The DCRI discovered that the files had been downloaded via a Panamanian IP address, and when they discovered that the address was used by a VPN service operated by a Reflets editor, they went after Laurelli. The activist claims that the involvement of the VPN was the tipping point in convincing the investigators that he was guilty or that he at least did something nefarious: “This VPN (in fact above all this Panamanian IP address) is probably one of the strongest elements which had driven the prosecution to pursue a criminal case,” he wrote. Laurelli was held in custody for 30 hours before officials indicted him.

Shortly after this, an excerpt from court documents (provided on Laurelli's personal website) shows that ANSES’ internal investigation led to an embarrassing discovery: “We [ANSES] have proceeded with internal technical investigations to attempt to identify the method used by the hackers to access and retrieve the documents. Following these analyses, we then found that it was sufficient to have the full URL to access the resource on the extranet in order to bypass the authentication rules on this server.” In other words, the method of hacking was inputting the URL correctly.

Incredibly, although a lower criminal court ruled that Laurelli could not be penalized for accessing data that was not secure, the DCRI decided to appeal the decision. That's after ANSES, the organization from which the documents were “stolen” in the first place, decided not to pursue any civil action. Although the court documents are not yet available, French technology news site Numerama and the French-language version of Slate both quote a baffling scene from the first appeals-court hearing in December 2013, which Mediapart (paywalled link) attended. During those opening arguments, a presiding judge appeared unable to pronounce Google (saying “gogleu” instead) and demonstrated an ignorance of how logins occur. The prosecutor did not help this perception, saying at the hearing, "half the words I heard today, I did not even understand."

The appeals court acquitted Laurelli of fraudulently accessing an information system but saw fit to convict Bluetouff of theft of documents and fraudulent retention of information. The court wrote: "It is well demonstrated that he was conscious of his irregular retention in automated data processing, accessed where he downloaded protected evidence; and that investigations have shown that these data had been downloaded before being... disseminated to others; that it is, in any event, established that Olivier Laurelli made copies of computer files inaccessible to the public for personal use without the knowledge and against the will of its owner"

Although $4,000 may not be a huge amount, Le Point explains that the lack of technical knowledge by the courts is hugely troubling for the French public—especially journalists. "This decision should unsettle all citizens, in particular journalists, who could themselves be convicted much more heavily when they publish documents with the same motive: that of informing."

Laurelli, for his part, seems to be taking everything in stride. "It's huge :) I am officially a cybercriminal" he tweeted Wednesday morning.

UPDATE: Laurelli ended up admitting in testimony that when he found the documents, he traveled back to the homepage that they stemmed from and found an authentication page. This indicated that the documents were likely supposed to be protected. That admission played a part in his later conviction in the appeals court.
