evobatman
Jul 30, 2006

it means nothing, but says everything!
Pillbug
Remember anti-piracy rootkits on music CDs? Holding your Shift key while inserting the disc in order to stop them from autorunning could be considered illegal hacking.

Changing the URL in your web browser to access publicly available data IS illegal hacking, and this guy got convicted for it:

https://translate.google.com/transl...url-er/72187300

quote:

The Norwegian Public Roads Administration ruling:
- Obviously illegal to change URLs!
The Bergen ruling sets a wild precedent; now you can forget about tinkering with other people's APIs.

Jørgen Jacobsen
subject editor, code24

If you have not seen the recent Twitter storm among Norwegian developers:

An unnamed developer from Bergen has been convicted in Bergen District Court for data breach. The so-called data breach took place against the Norwegian Public Roads Administration's website, where the accused has been convicted of extracting public information.

That is, data that was available to everyone. And the burglary must have happened when the defendant changed the URL.

The case concerns section 204 of the Penal Code, which deals with burglary of computer systems, and was given 14 days in prison, with a probationary period of two years.

The verdict is out on rettspraksis.no, and I have read it.

It is reasonably hair-raising.


Be open about wanting data
The court's assessment mentions, among other things, that:

The accused has a master's degree in computer science from the University of Bergen. In 2017, he participated in «#hack4.no», a gathering under the auspices of the Mapping Authority, where a number of public and private participants were present, and where ideas and proposals for digital solutions for sharing public data. The court assumes that a number of public agencies were present and wanted help in finding good solutions for sharing such information."

The text further describes that the defendant had an idea for an app to apply for motor vehicle ownership. For example, to get in touch with owners of incorrectly parked cars.

He was open about this, both at the #hack4.no event, and later when he described the idea for a senior engineer at the Norwegian Public Roads Administration. Which, incidentally, was positive to the idea, according to the court assessment.

But accessing the data should prove difficult. First, the developer was offered an SMS service, then an offer to buy the data on CD. Some defendants refused.

Later, the developer also applied for access to the Norwegian Public Roads Administration's database, through a form they themselves encouraged him to use. However, this application was later rejected.

That was when the developer is said to have taken the matter into his own hands.

The court considers this to be hacking
The court assessment states that Bergenseren logged in to the Norwegian Public Roads Administration via "My Page", and got his own profile page.

The defendant then discovered that by changing an ID in the URL used by the website, one could retrieve other people's information. The accused then wrote a script that changed the ID continuously, and downloaded the Norwegian Public Roads Administration's customer register.

No data from the Norwegian Public Roads Administration was changed, and all data was therefore public.

On 9 January 2018, one year after the defendant first sought access to the data, the defendant told the chief engineer at the Norwegian Public Roads Administration that he had found a way to gain access to the data. Then, according to the legal assessment, "security holes were found in the data system".

On the same day, the accused was arrested, had his equipment confiscated and was searched.
The "bummer" that fell
Defendant acknowledged the circumstances. And why should he not have acknowledged?

He had been completely open about what he was doing. He had even contacted the chief engineer in the Norwegian Public Roads Administration.

But it does not matter for the Norwegian judiciary. The legal assessment further states:

"It is clear that the information the defendant obtained could have been legally acquired. The defendant has later, through a request for access under section 9 of the Public Access to Information Act, received a copy of more comprehensive data that has been handed over to other actors. personal data legislation or similar."

Developer Hallvard Nygård, who has written several Tweets about the case from his Twitter account, says that he has also gained access to the data, based on section 9 of the Public Access to Information Act. He also refers to an API URL that is loaded on the Norwegian Public Roads Administration's website, which can be used to retrieve the data.


In other words: The indictment has nothing to do with the fact that he acquired the data. The accused was then legally given access to the data later.

The mistake the defendant made was that he used the computer system, the website of the Norwegian Public Roads Administration, in a way that was not intended, by changing a URL. According to the court, this is considered "unjustified".

The accused was also not convicted of using the data for anything - only of obtaining it in the wrong way.

Sets a wild precedent
This, ladies and gentlemen, boils down to one simple thing: it is clearly not allowed to change URLs on the internet to access data. Unless the service adds up to it.

If you should change the article ID in the URL for a top case on code24, code24.no/72165597, and get another article, it is certainly not allowed.

Maybe you take a look at the network traffic for our site, too, and find that we use an API to retrieve related articles. Maybe you fiddle a bit with this API, which is open on our website.

Then, according to Bergen District Court, you are doing something illegal, as far as I can understand.

But unlike the Norwegian Public Roads Administration, I will not report you.
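
Added example, not part of the post or the quoted article: the flaw the court assessment describes (a logged-in "My Page" user changing the ID in the URL and receiving another customer's record) is a missing object-level authorization check. The sketch below shows that handler beside a corrected one, plus a simple log check a site operator could run; all names, IDs and log entries are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: customer id -> record, session token -> logged-in customer id.
CUSTOMERS = {1001: {"name": "A. Hansen"}, 1002: {"name": "B. Olsen"}, 1003: {"name": "C. Berg"}}
SESSIONS = {"sess-a": 1001, "sess-b": 1002}

def profile_vulnerable(session, url_id):
    """Authenticates the caller but trusts the id taken from the URL."""
    if session not in SESSIONS:
        return 401, None
    record = CUSTOMERS.get(url_id)
    return (200, record) if record else (404, None)

def profile_hardened(session, url_id):
    """Also checks that the requested record belongs to the logged-in customer."""
    owner = SESSIONS.get(session)
    if owner is None:
        return 401, None
    if url_id != owner:
        return 403, None  # same answer whether or not the id exists
    return 200, CUSTOMERS[owner]

def sessions_walking_ids(access_log, threshold=3):
    """Flag sessions that requested `threshold` or more distinct ids other than their own."""
    seen = defaultdict(set)
    for session, url_id in access_log:
        if url_id != SESSIONS.get(session):
            seen[session].add(url_id)
    return sorted(s for s, ids in seen.items() if len(ids) >= threshold)

# Constructed access log: (session, id requested in the URL).
LOG = [("sess-a", 1001), ("sess-a", 1002), ("sess-a", 1003), ("sess-a", 1004),
       ("sess-b", 1002), ("sess-b", 1002)]

if __name__ == "__main__":
    print(profile_vulnerable("sess-a", 1002))  # another customer's record is returned
    print(profile_hardened("sess-a", 1002))    # refused
    print(sessions_walking_ids(LOG))
```
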
