The Paris Court of Appeals found on February 5, 2014, that a blogger, who had accessed documents published on the extranet of the French food safety agency following a link found through a Google research result, was guilty of having remained fraudulently in an automatic data processing system. He was also found guilty of having stolen information.
Under article 323-1 of the French criminal Code, fraudulently accessing or remaining within all or part of an automated data processing system is punishable by two years imprisonment and a €30,000 fine. Fraudulent access occurs when a person enters an automated data processing system without authorization, knowing that she has no authorization.
In this case, the blogger, Olivier Laurelli, found the documents by chance while doing a Google search. He downloaded 8,000 files, 7.7 gigaoctets worth of data, and used some of these documents to illustrate a blog post on the danger of nanomaterials.
But these documents were not meant to be public, and were accessible only because of a security failure, as the documents had been mistakenly set as being readable. Google had therefore been able to index them and this is why they had appeared in Laurelli’s search results.
The trial court found Laurelli not guilty in April 2013, but the prosecutor appealed. The agency chose not to appeal, perhaps not wanting to publicize further its extranet access security shortcomings.
Not Guilty of Fraudulent Access to Unsecure Intranet
The Paris Court of Appeals held that the evidence could not sufficiently establish that the blogger was guilty of fraudulent access in an automated data processing system, as he had only been able to access the data because the security failure.
But Guilty of Remaining Fraudulently in the System
However, the court noted that Laurelli admitted that, after stumbling upon the pages where the documents had been uploaded, he had traveled the extranet structure up to its entrance and had been able to see that it was protected by a password. The court noted that he was thus aware that the documents were not meant to be public. Therefore, he was found to have remained fraudulently in the agency’s system, and fined 3,000 Euros.
The trial court had reasoned differently when finding Mr. Laurelli not guilty, stating that he could have legitimately thought that, while some of the data on the site required an access code and a password, the data he had collected were free to access and that he could remain legitimately in the system.
Data Theft
As for data theft, the trial court had also found Mr. Laurelli not guilty, reasoning that the data had not been materially subtracted from the site. Even if Mr. Laurellli had indeed downloaded and saved it, it remained available and accessible to all on the server. Therefore the material element of the crime, taking someone else’s property, was not constituted.
However, the Court of Appeals, without elaborating, found that Mr. Laurelli had indeed stolen these files.
Laurelli has announced he will take the case to the French civil Supreme Court, the Cour de Cassation.
Image is courtesy of Flickr user Marcin Wichary pursuant to a CC BY 2.0 license.
by