Tribunal hacker 'was in press agency building'
Strip away the breathless talk of "hacking", "internet security measures", "rogue computer software", "spyware" and "secret web links" and we have the mundane reality that somebody messed up by posting the report on a public web site, hoping that nobody would find it. An equivalent would be a person placing a book on the shelves in a library, but believing that it is "secret" because it does not appear in the library catalogue. The talk of "hacking" is a smokescreen.
Stephen O’Brien
THE Press Association of Ireland was threatened with heavy fines and jail sentences by Justice Frederick Morris last week after revealing that it had gained access to his report on garda corruption in Co Donegal before the official launch.
The wire service, the Irish arm of the London-based Press Association (PA), was suspected of hacking into the tribunal’s website to obtain the report. Michael McDowell, the justice minister, claimed that more than 350 separate attempts were made to overcome internet security measures guarding a web version of the report, forcing the authorities to release it earlier than planned.
McDowell did not say who was responsible, but The Sunday Times has established that the “hacking” was traced to PA’s building in Harcourt Street, central Dublin.
Morris, a former High Court president, told journalists at the wire service that he would prosecute anyone who published his report before its official release for obstructing or hindering the work of the tribunal, an offence carrying up to €12,700 in fines and up to two years in prison.
The judge wrote personally to PA in an urgently faxed letter on Tuesday, after staff at the agency contacted the tribunal to verify the authenticity of the report they had found on the web. PA, Britain and Ireland’s largest news agency, immediately agreed to observe the embargo on publication.
PA declined to comment this weekend, but a source at the agency confirmed that the Dublin office got a phone call from a source who explained how to get the report from the website.
“Personally, I think it was a bit of a security cock-up by the tribunal,” the PA source said. “The web link was morristribunal.ie/ and then a series of numbers.”
A government source, however, said the computer used to attack the web security around the report was in the same Dublin building as the PA office. Rogue computer software known as spyware was attached to the server used to “air” the Morris tribunal website.
This spyware then uncovered the secret web link to the tribunal’s report when it was being stored in a supposedly secure location before the official government release.
The spyware notified the hacker when the report was put on the web at 10am on Tuesday, the source said. Over the 70 minutes, 350 attempts were made to access it.
The release of the report was brought forward several days by McDowell after discussions with the tribunal over the compromised security. No complaint has been made to gardai by the tribunal, although experts were able to trace the unique identification number of the computer used to hack into the tribunal site.
So did reading the report amount to an offence? Unlikely. Under Irish law, the relevant offence would be access without lawful excuse. However, material published on the public web carries with it an implied permission to access that material. Where a publisher hasn't taken steps to limit that permission, then it will be difficult if not impossible to show, beyond a reasonable doubt, that (a) the reader acted without permission, and (b) the reader knew (or perhaps should have known) that they were acting without permission.
A similar issue arose three years ago when Reuters accessed an earnings report, posted on the public website of Swedish IT group Intentia, before its official release. Intentia filed a complaint with the Swedish police. The public prosecutor, however, found that no crime had been committed:
The prosecutor Mr Hakan Roswall chose to do nothing with Intentia's complaint. Mr Roswall concludes that it is illegal to access information stored in a computer that the proprietor deems to be secret and the proprietor protects. Mr Roswall states that Intentia did not clearly state that the information should be secret and did not protect the information. On the contrary it was very easy to access the information. Intentia stated that the report would be available at a certain time, and you only had to slightly change the URL (web address) from the report of the previous quarter in order to obtain the current report. Hence, Mr Roswall will not initiate proceedings against Reuters or any of its reporters.
Update: I've just found a post by Feargal McKay at the Sigla Blog which beats me to the punch on this issue.