> The raid by four Metropolitan Police constables took place after Southwark campaigner Robert Hutchinson was reportedly accused of illegally entering a password-protected area of a website.
> "I was searching in Google and found links to board meeting minutes," he told The Register. "Board reports, none of which were marked confidential. So I have no question that it was in the public domain."
So they're name dropping Google in the title for clickbait when the core issue is that the website didn't properly protect its data.
> So they're name dropping Google in the title for clickbait
No, Hutchinson found the documents by searching on Google for the meeting minutes. The website might have protected the place where you found the link to the meeting minutes, but the meeting minutes themselves were hosted in a directory that not only was publicly accessible if you had the URL, but also allowed Google's crawler to access it and store it.
There is a slippery slope here, either way (if he gets free or if he gets sentenced), but none the less, Google is relevant to the case.
He was taken into custody and later released under investigation. Following a review of all available evidence, it was determined no offences had been committed and no further action was taken
That doesn’t make it okay. Being taken into custody is something I’d consider an overreaction and frightening for a person to endure. They should’ve looked into it before moving to pick them up in the first place. If the shoe was on the other foot- an activist claiming a developer broke in to obtain info- I bet police would’ve done more research.
>That doesn’t make it okay. Being taken into custody is something I’d consider an overreaction and frightening for a person to endure.
Fully agreed. And not just that, the law enforcement officers seized his personal devices (phone + laptop) for 4 weeks and went through them.
Note: I am not sure if both phone+laptop were taken away for 4 weeks, but the article states that both were seized at one point, and explicitly mentions that the laptop was held for 4 weeks before being returned.
I don’t know mate, even if there is only the potential for a dangerous crime, we need to keep these criminals off our communication infrastructure until we know for certain. Perhaps a better idea is a public/private partnership between all the big search engines, social media companies and police organizations who want to join and can pay dues.
Information sharing between members of the federation would reduce crime and spread of violent content. For example, when Google links a visitor to a harmful website, they can ping the local police with basic metadata about that user (could reuse the code from GDPR export). Google can lend its AI to categorize the alerts so local police know to be on the lookout for e.g. support for “The Big Lie” or local militia groups.
This way, the officers can stay aware of any potential threats to the safety of the children in their town, but maintain the ability to act proportionally and in context. Continuing with the example of a violent Google search, the alert might be a “P0”, but the police live in the same community as the suspect. If they’re not familiar with the data subject yet, they can use the alert to get a warrant for more information from Google. Or maybe they know the alert is a false alarm because the suspect is actually a government worker researching misinformation networks, so they instruct the AI to ignore alerts like it in the future.
We need to be on alert. With the proliferation of encryption, protecting citizens from harmful and increasingly dangerous information has never been more critical.
Would you still hold this opinion if all your personal computing devices are held for multiple weeks based on any arbitrary allegation and the record of your false arrest is available to all future employers ?
I personally think it's fair enough, the company probably claimed it was secure, therefore he must have hacked them. The police reacted, but when he could show it clearly wasn't secure and exposed to the public, they dropped it. And hopefully gave the company a private ticking off about wasting police time.
In the UK, an arrest under reasonable suspicion gives them the right to search your property for evidence, and to be honest they had reasonable suspicion, he had private company documents.
It's not like that company can cry wolf again, the police will be far more skeptical next time of their claims, having dealt with them before.
>I personally think it's fair enough, the company claimed it was secure, therefore he hacked them. The police reacted, but when he could show it clearly
it is absolutely not fair. The fair would be if the company had to show before the arrest that it was minimally secure. I mean they for sure had the HTTP transaction in their own logs - like GET document, response 200. They couldn't have reasonably in good faith claim "secure" and "hacking". What the company did is bordering on the false police report, and it would be fair if there were a recourse for the falsely arrested to use against the company.
Firstly, all those logs can be easily falsified and you're got absolutely no clue at all what that company showed to the police to convince them.
So get off your extremely manufactured high horse.
Secondly, even if you could somehow wave a magic wand and know the logs were real, you're approaching this as an expert and not as a layman.
A crime was reported, it was followed up, an arrest was made (maybe that means something different in America? It's just an arrest). No charges were levied, now the company that reported it look like fools in national news.
>maybe that means something different in America? It's just an arrest
From what I see on Wikipedia, there is restricted access to someone's criminal record in the UK, but on the other hand, you can't get a complete version of your own record, and arrests may be obtainable by prospective employers in some circumstances.
"Arrests that do not lead to an official finding of guilt, i.e. a conviction or the acceptance of a caution, are not considered part of a person's criminal record and are not typically disclosed as part of the process. However, an enhanced disclosure may include such additional information, which is supplied at the chief police officer's discretion. Enhanced disclosures are typically used to screen applicants for positions such as police officer, social worker, and teacher, which involve contact with vulnerable groups and children.
Individuals and the self-employed cannot apply for a DBS check of their own criminal record, as they cannot ask an exempted question (a valid request for a person to reveal their full criminal history, including spent convictions) of themselves. Only organisations registered with the DBS can ask an exempted question and submit applications for criminal records checks. There are two types of registered organisation: a registered body, which is the employer; and an umbrella body, a registered body that processes criminal record checks for non-registered organisations who can ask the exempted question."
>maybe that means something different in America? It's just an arrest
an arrest record searchable by all the prospective employers (until you spend an effort/money to seal it in jurisdictions where it is possible, and even then you still would have to disclose it any time you deal with federals). Good luck finding a job anywhere where computers are present with an arrest for hacking.
I don't believe you can get arrest records for a background screening on a employee like that in the UK (or the rest of Europe). You'd need a damn good reason why you want one so thorough and last I checked, in my country that means you're going for teacher, social worker, government office, etc. And even then this wouldn't be reason for denial if the arrest is not related to your job or you can reasonably explain the matter.
Don't you agree that's totally irrelevant? Being arrested for downloading a random doc from the internet is a real problem, so as monitoring dissidents to persecute them for any reason at all.
Google is super relevant to the case if they identified someone who downloaded a non-protected file in response to a police request. Not sure there is any slope left to slip on, this is basically the worst case scenario already I think.
I beg to differ. I don't think Google is relevant.
As far as I can see, Google provided a search-result, which eventually (after Google's batted it around internally a few times) turns into an HTTP request to the CBS website, which resulted in password-free access to a public document.
So that will show up in the CBS webserver's access log; that's how they got the IP address. Nothing to do with Google.
Getting from the IP address to the person is messier; websearches, requests to ISPs, and presumably searches of activist databases the cops no doubt maintain might all have played a part.
My guess is the cops knew there was no case against him, because they tried the URL, and saw that there was no password challenge; but charged him anyway, because he was an activist, and they wanted to intimidate him.
I did not get that impression. The defendant said he used google to find these things, google did not snitch on him. He was in turn discovered by sharing them on social media.
But we know from the article that's not how he was identified. Instead it was from the access logs of the company that he downloaded the file from.
> Hutchinson said his identification by Leathermarket and subsequent arrest raised questions in his mind, saying police confirmed to him that the company had handed over an access log containing IP addresses:
The law must have a different definition of "password protected area" if it can be accessed without entering a password. It's like the people who get tickets for speeding or for going through a red light while their car is parked, because their street-side parking in front of their house is in the field of view of the license plate reader.
They're denying a tautology! A document is not password protected if you can access it without a password. A person not in a vehicle cannot commit a moving traffic violation. However, the automated computer system which issues those tickets does not actually comprehend those concepts, or any concepts at all. It merely follows rigid rules to send an alert on access to a particular file, or to issue a ticket with to the owner of the license plate number identified by the camera when a speed sensor returns a value not less than the speed limit (eg. NaN).
But who is the "they" who are denying those tautologies? As we abstract more and more to automated systems, it's important to remember that these systems are as dumb as a brick. A brick connected to the Internet and with very complicated melted sand inside, but a brick nonetheless. When decisions recommended by these bricks have significant consequences, it's important to keep a human in the loop.
> ... the core issue is that the website didn't properly protect its data.
It seems that the bigger issue is that the activist was arrested by the police on supposedly only IP address evidence presented by the company/society.
Somehow the IP had to be linked to the person, probably a warrant should be needed for that too.
That's not a bigger issue because the police simply had a warrant for the person who shared the documents. The first sentence of the article is:
> A man who viewed documents online for a controversial London property development and *shared them on social media* was raided by police after developers claimed there had been a break-in to their systems.
"...Hutchinson said his identification by Leathermarket and subsequent arrest raised questions in his mind, saying police confirmed to him that the company had handed over an access log containing IP addresses: "Now, how that ended up with me being in the frame, I don't know. There's part of this that doesn't add up..."
..."
They didn't even have that much evidence, google didn't participate in finding the defendant. He shared these docs on social media and was found that way.
I would change "raided" to "arrested". The word "raid" is only used by El Reg and not any primary source. The account the arrestee gives in the BBC is "four police officers turn[ed] up at [my] door at 8:30" which suggests to me they just served him with a warrant and he let them in. Perhaps some people might call any execution of a warrant a "raid" but to me it suggests a forced entry.
There’s no reason to blindly believe every report of crime. In this case there probably wasn’t sufficient evidence on the victim’s side that any crime had happened.
They charged him without any evidence. They were harrassing an activist. It wasn't incompetence.
[Edit: the article didn't say they charged him; I was wrong]
Well, that's how it looks to me, on the basis of a single report in a tech journal with a sort-of tabloid outlook. Maybe there will be more information in coming days.
A British term, means formally charged with an offence. Police compile evidence and/or arrest a person. If the Police think there is enough of a case, the Crown Prosecution Service (CPS) decide if there is enough evidence to support a 'charge'
There is no reason to take the guy into custard for downloading a file, he didn't do anything violent, and should be allowed to stay home as long as he cooperates with the investigation.
Cooperative people accused of non-violent crimes should NEVER be taken into custody until proven guilty in a court with fair trial.
>Cooperative people accused of non-violent crimes should NEVER be taken into custody until proven guilty in a court with fair trial.
Uh, so if someone set fire to a bunch of homes in a neighborhood, and there's video of them doing it, but they did it knowing the homes were empty, they should just be left free until the trial is over? I'm sorry but I feel like a lot of online comments on criminal justice are very shortsighted
A quick google search indicates arson is considered a violent crime in the US even though it is a property crime. I assume because of the high potential of injury or death. I do however agree with you that there are some property or financial crimes in which arresting a suspect would be warranted, especially if they had incentive to flee or intimidate potential witnesses.
Financial crimes, no. Holding them hostage isn't useful or productive. As long as they are cooperative with investigation, let them be until a verdict is reached.
It's too easy for governments to accuse people on a whim of financial "crimes" that aren't really crimes. That sets a very bad precedent for misuse of power. Next thing you know they'll be randomly arresting people from their bedroom for suspected tax evasion instead of auditing them. Not good for those who did follow the rules.
There are real crimes, yes, but there is too much grey area and there is no danger to people or property to let financial crime suspects be at home.
I don't think this is name dropping and obvious that it wasn't sufficiently protected. These cases seems trivial, but they are certainly governmental abuse. In a perfect world, there would be consequences. Not for the officers but for those requesting the raid.
This article leaves some really crucial parts of this timeline ambiguous. These things happened in some order:
1. Guy downloads stuff from website
2. Guy publishes stuff from website
3. Stuff becomes unavailable on the website
4. Website owners go to police, report “illegal access”
5. Police arrest guy
Either the police arrested him, and the company declined to inform the police that these illegally accessed files has been free to access, thus actively misleading the police, or company did inform the police and the police acted heinously by arresting him anyways. Maybe there’s a third option here that I’m not seeing. Seems pretty wild, and likely to me that the org should be criminally liable here (not that I know the laws or if they would be criminally liable.)
>> "He was taken into custody and later released under investigation. Following a review of all available evidence, it was determined no offences had been committed and no further action was taken."
> He was taken into custody and later released under investigation. Following a review of all available evidence, it was determined no offences had been committed and no further action was taken.
This could also be "he was taken into custody, someone with a few more brain cells than average searched his computer, looked at his browser history, concluded that case 2 was the case and let him go".
If the website owner didn't think it was a big deal, why would they call police in the first place? Police are not just sitting and eagerly waiting for the ridiculous calls and complaints they receive. Most likely the website owner made the story sound like sort of theft occurred.
This is why people say that the police are an agent of the wealthy to oppress the common people. The wealthy "file a report", and the police "take the report seriously", trampling the rights and stealing precious time of people's lives (and sometimes much worse), but the common people can not do the same to their oppressors.
Considering the amount of SWATing we've seen in the news, the police are an agent of anyone capable of dialing 911, not just the wealthy.
Actually, one could argue the police are more likely to respond with greater exuberance when responding to a reported hostage situation in a mansion vs. trap house.
Except the man arrested in this case was opposed to social housing for low income residents. What the police did was obviously wrong, but it doesn't really fit your narrative.
I'm not sure it's resaonable to sum up someone from a "Campaign to stop Leathermarket CBS building on the popular ballcourt, removing children's outdoor sports space and green spaces" as "opposed to social housing".
This is factually wrong. They are doing it based on the principles of equality and freedom. This is exactly what those terms mean. Your freedom is only limited if its execution limits the freedom of others. In this case he was free to browser the documents, but he was also impeding on the freedom of that corporation. Same with equality, it seems immoral when the rich always win. But morality is just a WAY OF DEALING with the contradictions of that are inherent to our economic system. People need to understand that freedom and equality can only be enforced by the state and people actually WANT the state to have the monopoly on the use of force. Separation of power and being democratic can be deduced from that too.
Several revolutions along the history of mankind show that freedom will frequently be enforced only by the revolutionary acts of the people.
The government is only an agent of the dominant class.
I haven't studied revolutions much but I know they are the ultimate form of authoritarianism. The last one actually enforced freedom.
There is no opressor class in capitalism, both want the state and most even confirm it every 4 years. In a democracy the government is exchangeable but the economic conditions remain. That's why Democrats will always increase the mil budget and the Reps will always leave some social welfare.
If they checked, who did access the files, don't the police should have seen, there was no password protection? Very strange. And the police nedded al his devices for 4 weeks to check that ..
You're thinking it's ridiculous, but this is exactly what happened to Weev.
He found URLs that were not 'supposed' to be exposed, which apparently constitutes unauthorized access... You know like typing in a URL to the browser instead of clicking a link.
El Reg doesn't say in so many words that Hutchinson didn't know he was in a password-protected area (sorry, double-negative).
I mean: I believe that if he knew the material he accessed was behind a password wall, and that the search-result had pierced it, then he would be in violation of the CMA. That is: I think the Act doesn't require any kind of "breaking in" to create an offense; you just have to believe you're not supposed to be there.
I'd like to think so, on the basis of negligence both from the police and from the accuser.
The accuser, because they were negligent in 1) securing their files; and 2) making allegations against the victim without appropriate confirmation.
The police, because they were negligent in that they did nothing to verify the allegation before taking some pretty drastic steps (arrest, device seizure) to the detriment of the victim.
However, I'm not aware of any success in this area before. It'd be new legal ground. I'd like to think that there should be some bar of reasonableness in the handling of a "computer crime" where anything below does qualify as negligence - along the same lines as unlawful arrest for any other reason. However I don't think the courts have ever considered such a case. It's impossible to make any claim as to whether compensation is due or not because there's never been an appropriate test case that can be referred to.
The power of arrest has and is abused to punish and harass people. Perhaps I'm mistaken and in the UK those accused of unauthorized downloading are subject to arbitrary arrest, but this all seemed very abnormal. The police only investigate a fraction of the crimes reported to them, even when there's evidence or they they think they could get a conviction.
If you called up the police, any police anywhere, right now and said "Officer arrest this man, he downloaded a pdf from my server and I have the log.txt file to prove it!", I would honestly be willing to wager the deed to my house that the police would not be banging my door at sunrise to forcibly take me away and interrogate me.
At best it was gross incompetence, at worst abuse of power.
The key bit is
> The raid by four Metropolitan Police constables took place after Southwark campaigner Robert Hutchinson was reportedly accused of illegally entering a password-protected area of a website.
> "I was searching in Google and found links to board meeting minutes," he told The Register. "Board reports, none of which were marked confidential. So I have no question that it was in the public domain."
So they're name dropping Google in the title for clickbait when the core issue is that the website didn't properly protect its data.