Man convicted of “extensive data breach” in Bergen District Court
Article from Digi / BT / NTB
A 30-year-old man in Bergen District Court has been sentenced to 14 days suspended prison for data breach by the Norwegian Public Roads Administration. The man says he wanted to develop an app.
In addition to the conditional prison sentence, the foreign man living in Bergen is sentenced to give up two hard drives and one SSD disk, writes Bergens Tidende.
The defendant wanted to develop an app that would allow contact with the owner of a motor vehicle without exchanging personal information, according to the judgment.
The man extracted information about Norwegian car owners from the Roads Administration’s website, but this went beyond what the Norwegian Public Roads Administration intended to offer of information through the service. Therefore, he is convicted of violation of section 207 of the Penal Code for burglary in computer systems.
The defendant understood that this was not how the service should be used, the court believes.
But the court also states that the information he obtained was legally obtained through a request for access.
The man’s defender, attorney Alexander Gonzalo Sele, says he and the client will go through the verdict and consider whether to appeal.
– We believe the judgment raises fundamental questions about what can be characterized as a data breach. He has retrieved information that was publicly available and that one could also find using a regular telephone directory, Sele says, pointing out that the client did not get any sensitive information.
Source: digi.no (Article in Norwegian)
The verdict (case number TBERG-2019-141281) is available online, in Norwegian (check Google Translate for an OK English translation).
According to the accusation (and verdict), the accused accessed publicly available web resources served by the Norwegian Public Roads Administration.
The accused then opened several browser tabs, and changed the individual URLs slightly, to see if the different http requests yielded individual, but still relevant results.
The accused allegedly then proceeded to collect the output of the respective web outputs provided by the site; storing them in a local database; one record for each http request.
Bergen District Court has ruled that even though the information gained and stored was already publicly available, nor did any damage or presented the server with a significant load of any kind – the action is still to be perceived as illegal.
Since the information from the Norwegian Public Roads Administration’s web site already was publicly available, it is obvious to think that this system behavior was intentional.
It is obvious to Improbus that what has been explained as misuse of a minor design flaw, has not been misused for evil purposes at all, but rather as a means for retrieving public data in an efficient, easy and convenient way.
If the data had been private or sensitive, the situation would have been quite different – maybe not technically or juridically, but at least ethically and morally.
It is sad to see that neither the courts nor the police able to keep up with current knowledge about the common usage of information systems.
If this really is a criminal act, it is nonetheless a victimless one.