Saturday, January 4, 2020

2019: Date for decision in FCS breach expected next month.




FINAL DEFENCE SUBMISSIONS PDF COMING SOON.


https://unpublishedottawa.com/sites/unpublishedottawa.com/files/letter/118289/Defence-Submissions-R.-v.-Denham.pdf

2019: Date for decision in FCS breach expected next month.

By Sabrina Bedford. Published on: December 19, 2019 | Last Updated: December 20, 2019 1:30 PM EST.



A woman charged after she posted an image of a hyperlink to the location of a confidential list of local children’s aid clients to Facebook will learn her fate next month.


https://youtu.be/kLOgGC8k-5o

2011: Hyperlinks not considered ‘publications,’ rules Supreme Court

“A hyperlink, by itself, should never be seen as 'publication' of the content to which it refers. When a person follows a hyperlink to a secondary source that contains defamatory words, the actual creator or poster of the defamatory words in the secondary material is the person who is publishing the libel.”

At both the trial and appellate level, the courts ruled the hyperlinks did not constitute publication of the impugned content.

Abella notes in her analysis that hyperlinks are essentially references. “Hyperlinks thus share the same relationship with the content to which they refer as do references. Both communicate that something exists, but do not, by themselves, communicate its content,” she writes.

https://www.canadianlawyermag.com/news/general/hyperlinks-not-considered-publications-rules-supreme-court/271051

The defence argued what Denham did does not constitute publishing. They say the publication occurred when the agency put the information on its website, which they say was accessible to anybody in the public sphere.

“All she did was tell people they (FCS) published it,” defense lawyer Fady Mansour told the judge on Thursday.

“Reiterating is not publishing.”

They said if anybody has committed an offence, it was FCS since they were the ones that published it originally.

The Crown argued that FCS had no intent to publish the information and that it was always their goal to keep it private.

“They did not publish. It was always their intention to keep it private,” Crown attorney Roberto Corbella said.

“They made a mistake. They did not intend to publish this material and it was not published by them.”


The defence lawyers argued, however, that it doesn’t matter if they intended to publish it, it just matters if they did.

The data could have been reached by anybody, the defence claimed.

They argued simply putting something on Facebook does not constitute publishing, but the Crown said it “makes no sense” to suggest that.

If posting something to Facebook isn’t publishing, nothing is, Corbella said.

According to a separate class-action lawsuit against FCS still before the courts, the personal information of the 285 clients was compiled into an electronic file, prepared for the service’s board of directors on new cases arising between April and November of 2015, but was not properly secured on the agency’s network.

According to court records relating to the civil suit against FCS, Denham said she found and clicked on an unrelated document on the website intended for the public. She deleted a portion of the URL, and she was taken to a directory of folders with documents, within which she found the document with the names of local families.

She said she was never asked a user name or password and was never faced with any security measures that impeded her ability to gain access to the documents.

She said she attempted multiple times to advise the agency the confidential documents were available on the public website, beginning in February 2016, but the documents were still publicly available by late April 2016.

This is when she decided to post the location of the report on the Facebook group where she claims she posted an image of a hyperlink, which was deleted by the group’s administrator within hours.

She did not hack any secure portals, she said, rather the site was completely unsecured and she was able to get to the files unimpeded.

Denham has since been dropped as a defendant in the civil case.

She was, however, disciplined by her employer according to court documents.

She is a registered social service worker (not employed by FCS) and court documents say she went before a discipline committee of the Ontario College of Social Workers and Social Service Workers where she was found to have committed professional misconduct related to the Facebook post.

She appealed the decision and is awaiting a hearing.

Denham told The Recorder and Times in an email that her role in this matter was in no way related to her job as a social worker. She said she was not acting in a professional capacity when she made the Facebook post, but did so as a client of FCS who felt her personal information was being published online “illegally.”

Denham will appear in court on Jan. 13 to receive her judgment on the criminal charges.

(This story has been edited to clarify that Denham did not act in her capacity as a social worker when she made the Facebook post, and that she is appealing the decision of the discipline committee. It also clarifies she is not employed by FCS.)

Kelley Denham was charged in 2016 after she discovered a list of 285 clients she found on the website of Family and Children’s Services (FCS) of Lanark Leeds and Grenville and posted an image of a hyperlink to the list’s location on a popular local Facebook page called Smiths Falls Swapshop.

Denham does not deny gaining access to the confidential list and posting the image of the hyperlink to the social media site. She told the court in an ongoing civil suit the FCS website lacked proper security and she was able to get her hands on the list of clients easily, but the Crown attorney said it was never the organization’s intent for such private information to be seen by the public.

Denham is being charged with mischief over $5,000, mischief to data, unauthorized use of a computer, and publication of identifying information. She pleaded not guilty to all charges.

A judgment on the criminal charges was scheduled for Thursday morning at the Perth courthouse, but it was put over until Jan. 13.

Smiths Falls Police charged Denham in 2016 after a four-month investigation into the release of the private files after a security breach was discovered by FCS staff in April of that year.

The Child Youth and Family Services Act prohibits the publication of information that “has the effect of identifying a child” who is the subject of a child protection proceeding. Being convicted of this carries fines of up to $10,000 and three years in jail.

https://www.recorder.ca/news/local-news/decision-in-fcs-breach-expected-next-month

sbedford@postmedia.com

:::

CAS calls Mom a hacker after she publicly speaks out, $75 million dollar lawsuit and charges pending TRIAL SUMMER 2019.

While doing research on FCSLLG's internal complaint process on the agency's privately operated public information website, which also serves as an advertising platform for the agency, Kelley Denham manually typed an address to information she was referencing in her complaint but left off the filename of the precise document she wanted. That took her to a directory on the site's uploads page, where she stumbled across internal agency financial documents, minutes of meetings, client files and the personal information of a large number of people looking for a six figure salary.

According to Raymond Lemay, the agency's website had multiple layers of security protecting it, though he failed to mention that FCSLLG's website is hosted on a U.S. server in Michigan that coincidentally deletes all log files every 30 days and keeps no backups.

The agency has stated in the courts it doesn't matter if they wrongfully accused Kelley of hacking them and their site wasn't protected by multiple layers of security or that the Supreme Court has ruled posting a link to something that was published by (FCSLLG) isn't publishing because FCSLLG has claimed Kelley is just another disgruntled client who was just out to get them after she forced them to withdraw a request for a supervision order from court and then after FCSLLG referred our family to another agency - the judge awarded Kelley legal costs of $750 after she forced Kingston's CAS lawyer to withdraw a motion and a request for a supervision order. FCSLLG now denies Kingston's claim they were only acting as an agent for FCSLLG based on the information FCSLLG gave them.

The news report also fails to mention the outside internet expert they hired is project manager Margret Row's son-in-law who lives or lived in her basement. The "expert" was hired after Kelley copied the documents as evidence of what she'd seen and made a video featuring the agency's internal financial documents and ministry directives which she sent to the agency. He made recommendations not to improve the agency's security but instead to remove documents from the site to protect themselves (which they did), only for some reason the client files weren't removed.

In a state of desperation to have not just her own information removed but all the other families' information removed as well, she informed the public of the problem by posting a picture of a link to a document published (in secret) on FCSLLG's site.

FCSLLG has stated that there was nothing wrong with their website operations until Kelley ratted them out...

Kelley speaking to TV news reporter after FCSLLG alleged their privately operated public information website that also doubles as an advertising platform for their services..

https://youtu.be/kLOgGC8k-5o

:::

Here are the top 5 reasons for which you shouldn’t opt for a WordPress site if you’re part of a government-funded multi-billion dollar private corporation with a legal obligation to protect client information:

Website builders are a perfect solution for - individuals and small businesses - to start a website without hiring a developer. However, finding the best website builder can be tricky for beginners.

WordPress is an open source software. It is free in the sense of freedom not in the sense of free beer. ... Open source software comes with the freedom for you to use, modify, build upon, and redistribute the software in any way you like without paying any fees.

What are the disadvantages of using WordPress?

WordPress is the most popular content management system. This fact alone makes WordPress a prime target for hackers everywhere. As a matter of fact, according to a Sucuri report WordPress is the most hacked CMS platform worldwide. (Talk about putting children and clients at risk...)

Disadvantages of A WordPress Website.

Without a doubt, WordPress is the most used Content management system (CMS) in the world. With millions of users, it is widely praised and appreciated for its advantages. But, while the hype is still strong, many people overlook or are not aware that WordPress has certain weak points that might make them reconsider their decisions or options.

1. Vulnerability

Unquestionably the biggest disadvantage of WordPress is its security. WordPress is an Open Source platform, and it relies heavily on plugins and themes for customization. Both the plugins and the themes are developed by different people and companies and since there isn’t anyone monitoring them, they can easily contain bugs or malicious code lines. On top of this, as stated above, today, WordPress is the most popular content management system. This fact alone makes WordPress a prime target for hackers everywhere. As a matter of fact, according to a Sucuri report WordPress is the most hacked CMS platform worldwide.

2. Can be expensive

While WordPress itself is free, when looking at the whole picture there are significant costs. WordPress relies on plugins and themes for customization, and while there are some that are free, they are not always reliable or safe. Furthermore, if you want your website to stand out and your visitors to have a great experience you have to buy a theme, as the free ones are overused. With numerous updates coming out constantly, it can become quite expensive to keep your website up to date. Naturally, if you’re a WordPress designer, or have the knowledge you can make a lot of adjustments yourself, but most people need to use a plugin or a well-developed theme.

3. Needs frequent updates

Simply installing WordPress is not going to help you very much, as this platform requires a theme and at least several plugins to work properly. WordPress updates can often render parts of your theme or some plugins unusable. The more plugins you use, the more likely it is for you to encounter more compatibility problems. The whole maintenance process in WordPress can be quite challenging, and you have to be ready to make adjustments to your plugins and theme in order to have a functional website. If you don’t have the budget or the knowledge (design, programming), given the fact that in general WordPress doesn’t offer support, and solutions can only be found on WordPress forums, chances are that you should choose another website solution for you.

4. SEO friendliness

WordPress is definitely an SEO friendly platform, but so is virtually any open source CMS. However, for the people with little to no SEO experience and knowledge, WordPress can create quite a few problems. Probably the most known one is caused by the WordPress’ category and tagging system. If the content is over-tagged or marked into many categories, Google will flag it as duplicate content, a fact that will affect your SEO rankings.

5. Customization needs Coding

To make certain changes to your WordPress site, you have to possess HTML, CSS and PHP knowledge. If you want to personalize it in a unique way, or to enhance its design, you may find yourself needing to write numerous complicated code lines. If you’re in the category of people who possess the knowledge, things can go down smoothly, but if you try to write code without having the right expertise — most people in this category, you can make a lot of damage to your website.

https://www.websitetooltester.com/en/blog/wordpress-alternatives/

https://www.wpbeginner.com/beginners-guide/how-to-choose-the-best-website-builder/

:::

IS THERE ANY WAY TO USE WORDPRESS AND GUARANTEE THE INTEGRITY OF THE SECURITY USED BY THE FREE PROGRAM/APP AND WHAT DOES PROPER INTERNET SECURITY ACTUALLY LOOK LIKE?

The ISG Series Integrated Security Gateways.

(estimated cost $40 000 AND UP)

The ISG Series Integrated Security Gateways are ideally suited for securing enterprise, carrier, and data center environments where advanced applications, such as VoIP and streaming media, demand consistent, scalable performance. The Juniper Networks ISG1000 and ISG2000 Integrated Security Gateways are purpose-built security solutions that leverage a fourth-generation security ASIC, along with high speed microprocessors to deliver unmatched firewall and VPN performance. Integrating best-in-class firewall, VPN, and optional Intrusion Detection and Prevention, the ISG1000 and ISG2000 enable secure, reliable connectivity along with network- and application-level protection for critical, high-traffic network segments.

Network segmentation: Security zones, virtual systems, virtual LANS and virtual routers allow administrators to deploy security policies to isolate guests and regional servers or databases.

Optional Integrated IDP:

The ISG Series firewall/VPN with IDP uses the same award-winning software found on Juniper Networks IDP Series appliances.

The IDP security module combines eight detection mechanisms, including stateful signatures and protocol anomaly detection.

The ISG with IDP defends against security threats such as worms, trojans, malware, spyware, unauthorized users and hackers and can provide information on rogue servers and data on applications and operating systems that were inadvertently added to the network. Application signatures enable administrators to maintain compliance and enforce corporate business policies with accurate detection of application traffic.

https://www.terabitsystems.com/juniper/integrated-security-gateways/ns-isg-2000-sk1

https://netpoint-dc.com/blog/wp-content/uploads/2015/11/1100036-en.pdf

:::

CYBER-CRIME OR $75 MILLION SHADES OF BULLSHIT :::

Testimony from the alleged CAS hacker trial transcript: PAGE 29/30 -

2019: EXECUTIVE DIRECTOR RAYMOND LEMAY. I was just repeating what had been explained to me. That the security features of the website, when it was first installed, had not been turned on. That’s what was explained to me, and I am just repeating what I heard.

Q. So, all you know is whoever C.A.S. retained for you working in your position did something incorrectly with respect to the website that caused this issue?

A. That’s what, that’s what I understand, yes.

:::

2016: ‘Disgruntled client’ posts names of 285 children’s aid families on Facebook.

A Brockville-area children’s aid society reels after names of 285 clients were posted on Facebook. (did the alleged hacker copy and paste all 285 names and codes in one post or did she post a picture of a hyperlink?)

Lemay admits the report was on the FCSLLG's website but says it was hidden behind several layers of security including a password given only to the organization's board of directors.

"You have to go through the back door. You have to be looking for this," he says.

A link to the report was obtained by someone — "likely a disgruntled client" — who hacked the secure portal for board members on the society's website, he said. No staff or board members are suspected of the breach, he said.

"Our suspicion, which is a fairly firm suspicion, is that it is a current client who is very disgruntled, very unhappy with us," he said. "We have contacted the police. Our lawyer has sent a letter to the website owner as well as to this individual telling them what they are doing is, we think, illegal."

This is the second time in about three months that the organization has had to take down its website because of security concerns. An outside expert was brought in after a February scare to better secure the website. No sensitive information was revealed or even in danger in the first breach, Lemay says. He says they made the changes and were told the website was secure.

Then in 2018 Family and Children’s Services of Lanark, Leeds and Grenville — claim to have seen an English ransom message flash on their computer screens, demanding $60,000, when they tried to access their database in November.

Read more here:
https://www.thestar.com/news/insight/2018/02/22/ransomware-attacks-hit-two-ontario-childrens-aid-societies.html

The website has been taken down while experts help the FCSLLG improve its security. This branch of children's aid says it is reviewing its policies when it comes to sensitive information and how it handles such documents.

https://www.thespec.com/news-story/6503453--disgruntled-client-posts-names-of-285-children-s-aid-families-on-facebook/

https://ottawa.ctvnews.ca/names-of-285-people-referred-to-children-s-aid-in-lanark-leeds-and-grenville-posted-online-1.2865944

2019: Dealing with a Ransomware Attack: A full guide.

Help! Infected by Ransomware? This video is a full guide on how to deal with a ransomware attack, how to decrypt your encrypted files, lock down your network, contain damage, recover data and so on. All the steps included here are free and can be performed by anyone before consulting professional help.

For advice about prevention, check out: https://www.thepcsecuritychannel.com/

https://youtu.be/g0yXmQx89x4

:::

Former Privacy Commissioner Ann Cavoukian wrote:

“I am disheartened by the complete lack of action to ensure transparency and accountability by these organizations that received significant public funding. As part of the modernization of the Acts, I call on the government to finally address this glaring omission and ensure that Children’s Aid Societies are added to the list of institutions covered.”

The only oversight for the province’s children’s aid agencies comes from Ontario’s Ministry of Children and Youth Services.

"As the law stands now clients of the Ontario Children's Aid Society under Wynne's liberals are routinely denied a timely (often heavily censored) file disclosure before the court begins making decisions and the clients can not request files/disclosure under the Freedom of Information Act nor can censored information reviewed by the Privacy Commissioner of Ontario or the federal counterpart."

In her 2004 annual report, which was released on June 22, 2005, the Commissioner called for amendments that would bring virtually all organizations that are primarily funded by government dollars under FOI for the purposes of transparency and accountability: This would include the various children’s aid agencies in the Province of Ontario. Many parents and families complain about how difficult it is, if not impossible, to obtain information from children’s aid agencies. Many citizens complain that CAS agencies appear to operate under a veil of secrecy. Unlicensed and untrained CAS workers are making decisions which are literally destroying families, yet there is little or no accountability for their actions short of a lawsuit after the damage has been done.

“Hundreds of organizations that are recipients of large transfer payments from the government are not subject to the provincial or municipal Freedom of Information and Protection of Privacy Acts,” said the Commissioner, “which means they are not subject to public scrutiny.” Among the examples she cites are hospitals and Children’s Aid Societies. “Openness and transparency of all publicly funded bodies is essential – they should be publicly accountable.”

In her annual report for 2013 released on June 17 there is just one paragraph on children's aid on page 12:

In my 2004, 2009, and 2012 Annual Reports I recommended that Children’s Aid Societies, which provide services for some of our most vulnerable citizens – children and youth in government care, be brought under FIPPA. I am disheartened by the complete lack of action to ensure transparency and accountability by these organizations that received significant public funding. As part of the modernization of the Acts, I call on the government to finally address this glaring omission and ensure that Children’s Aid Societies are added to the list of institutions covered.

The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act, and the Personal Health Information Protection Act, and commenting on other access and privacy issues.

http://www.theglobeandmail.com/news/national/beef-up-information-laws-ontario-privacy-czar-says/article1120573/

http://www.newswire.ca/news-releases/commissioner-cavoukian-calls-on-government-to-preserve-freedom-and-liberty-514463911.html

:::

2016: INTERVIEW with Director of Service for Family and Children's Services of Lanark Leeds and Grenville.

https://youtu.be/kq6JCx5FlfA?list=PLsYhw09i3If44rMBDuZQ0ztayzSQU35Fy

:::

FCSLLG'S SELF TAUGHT INTERNET SECURITY EXPERT TESTIMONY

From the cross examination: PAGE 98

DAVID SCHMIDT (SELF EMPLOYED INTERNET SECURITY EXPERT AND PROJECT MANAGER MARGRET ROW'S SON-IN-LAW AND FORMER EMPLOYEE)

Q. You – in the past – okay, first of all, I don’t think if you explained, or if you did I don’t remember, you mentioned WordPress, what’s WordPress?

A. WordPress is something called a content management system. It is a piece of software that runs on a web server that people can use to create a website.

Q. Okay.

A. Okay? It’s the most commonly used such tool on the internet. It commands, I think, thirty five percent of all internet websites use WordPress.

Q. And, back in February – sorry, yes, February to April 2016, Family and Child Services was using WordPress?

PAGE 103/4

Q. Okay. In the background, the website has to save all the documents – or the webmaster has to save the documents somewhere?

A. Correct.

Q. They are saved in the directory?

A. Correct.

Q. Now, if this was properly set up you would have a directory for the non-confidential information to the public stuff?

A. Yes.

Q. And, you would have a directory for the confidential information?

A. Correct.

Q. And, they’d be separate?

A. Yes.

Q. Okay. In this case they were not?

A. That is correct.

Q. Okay. And, if you were going to have a directory for confidential information, one; it would be password protected?

A. Absolutely.

Q. It would be non-browseable?

A. Correct.

Q. And, nothing in it would be non-confidential?

A. Correct.

Q. Right.

A. Unless, unless you were – so, for example, in the case of a Board Portal, you might have a non-confidential document a board member could see.

Q. That’s the thing...

A. But, realistically you would want a segregation between that which should be public, and that which should not be public.

Q. And, all those things that I listed, all of those things did not occur back in 2016 when you were retained?

A. That is, that is correct.

PAGE 105/6

Q. A lot of the time, or sometimes when information gets out it gets out because someone has done something – I’m going to call it dishonest, or nefarious...

A. Mm-hmm.

Q. And, what I mean by that is this, I will define it for you; it’s like hacking. So, for example, you download a program, or use certain code, or you do something to get past a username and a password.

A. Breaching passwords, finding an exploit, or something like that, yeah.

Q. Right. But, it requires, one; a certain level of knowledge, right?

A. Mm-hmm.

Q. Yes.

A. Yes.

Q. I know you are nodding, but...

A. Sorry, yes. For the record, yes.

Q. And two; it would require excessive knowledge of a certain amount of dishonesty on your part to try and get past a username and password that is clearly intended to block you?

A. Dishonesty, interest in what’s behind it, yes, absolutely.

Q. I’m not talking from a moral sense...

A. Yep.

Q. ...I’m talking from a computer sense, you are trying to get past something that’s intended to stop you?

A. That’s intended not to be, not to be accessed, yeah.

Q. Right. In this case the directory had no password, nothing in it was intended to stop you from getting to it?

A. That’s correct.

PAGE 107

Q. Right. It doesn’t require a special knowledge to use WordPress?

A. Not particularly.

Q. Right. And, because of that, it’s not actually, as it’s set out by default, not intended for confidential documents at all?

A. I guess not.

Q. Well, and the reason I say this is from what you said which is that by default it has a browseable directory...

A. Yep, absolutely.

Q. ...that you could go to that doesn’t lock. So, by default, a logical inference is, if you have a directory that’s browseable where you can get to every document with no password, that’s the default settings.

A. Absolutely.

Q. By default, it is not intended for confidential documents?

A. That is true.

PAGE 108/9/10

Q. ...etcetera. When you were retained in February you made a list of all of the problems with the website, right?

A. Yes.

Q. Okay. So, I am going to go through that list with you, okay?

A. Absolutely.

Q. So, number one; if you are going to put confidential information, like a Board Portal, the most secure way to do it is you don’t even put it online. You put it in an intranet system, like an internal system...

A. Absolutely, that’s right.

Q. Sorry, just let me finish...

A. Sorry.

Q. ...because the transcript becomes really difficult to follow. So, there is an intranet, an internal system, yes?

A. Yes.

Q. And, you then use what’s called a V.P.N. to access that intranet if you are not on that network, right?

A. Yes.

Q. So, for example, the intranet would be accessible from your work place only?

A. Typically, yes.

Q. And, if you wanted access from home the board members would then have access via a V.P.N., yes?

A. Correct.

Q. Which requires a username and password, yes?

A. Yes.

Q. To get in?

A. Yes.

Q. That’s the most secure?

A. That is.

Q. Very difficult to hack?

A. Correct.

Q. You don’t come into any of these problems, right?

A. Correct.

Q. And, it is very clear, this is confidential, no one can get into it?

A. Absolutely.

Q. Okay. If you are one step worse than that, which is not quite as secure...

A. Yep.

Q. You are going to put it on its own separate website, yes?

A. Yes.

Q. Aside from non-confidential information?

A. Correct.

Q. You are going to require a username and password?

A. For everything.

Q. Well. So the one, you are going to require a username and password for the website?

A. Correct.

Q. Then, you will make sure that the directory is not browseable?

A. Correct.

Q. Then, you would make the documents password protected in the event that for some reason something went wrong, it makes it very clear that you can’t get here?

A. Yes, that is correct.

Q. None of those things happened in this case?

A. My understanding is that you are right.

Q. Right. We are here for your understanding.

A. Yes, absolutely.

Q. Okay.

A. I mean, I know that they did post some documents that were passworded, but by and large the documents that they posted for the board members were not password protected.

Q. So, I was about to go there next. Obviously the person who did this had the ability to password protect because some of the P.D.F. documents were password protected?

A. That is correct.

Q. But, the document in question, or one of them, which is this Excel spreadsheet...

A. Yep.

Q. ...that we went through the log sheet, the log lines on, that one was not?

A. Correct.

Q. Right. Now, you gave us one way in which you can find out that it’s open, okay?

A. Yes.

Q. And, that was the whole purpose of you creating this fake website?

A. Yep. It was demonstration.

Q. Which is just to show us how someone could figure out that, “Hey, this is open directory”?

A. Yes.

PAGE 112

Q. And, the result will be it’s Google searchable?

A. That is correct.

Q. Right. So, in this case we know it’s an open directory?

A. Mm-hmm.

Q. We know that – yes?

A. Yes.

Q. We know that it’s not password protected?

A. That is correct.
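The testimony above names three things the confidential directory lacked: separation from the public files, password protection, and being non-browseable. The following is an added example, not part of the transcript or of anyone's evidence: a Python audit that an operator can run over their own web root to list directories that would be served as an open listing. It assumes Apache honouring `.htaccess` files with listings on unless turned off; the sample tree, file names and `AuthUserFile` path are constructed.

```python
import os
import tempfile
from pathlib import Path

INDEX_FILES = {"index.html", "index.htm", "index.php"}  # served instead of a listing
DOCUMENT_EXTS = {".pdf", ".xls", ".xlsx", ".doc", ".docx", ".csv"}  # assumed types to report


def read_htaccess(directory):
    """Return (indexes, restricted) as set in this directory's .htaccess; None = not set here."""
    indexes = restricted = None
    htaccess = directory / ".htaccess"
    if not htaccess.is_file():
        return indexes, restricted
    for raw in htaccess.read_text(errors="replace").splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        directive, args = words[0].lower(), [w.lower() for w in words[1:]]
        if directive == "options":
            if "-indexes" in args:
                indexes = False
            elif {"+indexes", "indexes", "all"} & set(args):
                indexes = True
            elif args and not any(a[0] in "+-" for a in args):
                indexes = False  # an absolute Options list replaces what was inherited
        elif directive == "require":
            # Simplification: <Files>/<Limit> scoping is ignored; any Require other
            # than "all granted" is treated as an access restriction.
            restricted = args != ["all", "granted"]
    return indexes, restricted


def audit(docroot, server_default_indexes=True):
    """List directories under docroot that would be served as an open, unauthenticated listing."""
    docroot = Path(docroot)
    effective = {}  # directory -> (indexes, restricted) after inheriting from its parent
    findings = []
    for current, dirnames, filenames in os.walk(docroot):
        dirnames.sort()  # deterministic order
        here = Path(current)
        inherited = effective.get(here.parent, (server_default_indexes, False))
        own = read_htaccess(here)
        indexes = inherited[0] if own[0] is None else own[0]
        restricted = inherited[1] if own[1] is None else own[1]
        effective[here] = (indexes, restricted)
        has_index = any(name.lower() in INDEX_FILES for name in filenames)
        if indexes and not has_index and not restricted:
            documents = sorted(n for n in filenames if Path(n).suffix.lower() in DOCUMENT_EXTS)
            findings.append({"path": here.relative_to(docroot).as_posix(), "documents": documents})
    return findings


def build_sample(root, hardened):
    """Constructed sample: uploads filed by month, as the testimony describes."""
    root = Path(root)
    uploads = root / "wp-content" / "uploads"
    month = uploads / "2016" / "02"
    month.mkdir(parents=True)
    (root / "index.php").write_text("<?php // front page\n")
    (root / "wp-content" / "index.php").write_text("<?php // Silence is golden.\n")
    (month / "public-newsletter.pdf").write_text("constructed sample\n")
    if not hardened:
        # Weak layout: board file sits beside the public one, nothing disables listings.
        (month / "board-report.xlsx").write_text("constructed sample\n")
        return root
    # Hardened layout: listings off for uploads, board files in their own
    # password-protected, non-browseable directory (AuthUserFile path is a placeholder).
    (uploads / ".htaccess").write_text("Options -Indexes\n")
    board = root / "board"
    board.mkdir()
    (board / ".htaccess").write_text(
        "Options -Indexes\nAuthType Basic\nAuthName \"Board\"\n"
        "AuthUserFile /etc/apache2/board.htpasswd\nRequire valid-user\n"
    )
    (board / "board-report.xlsx").write_text("constructed sample\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for label, hardened in (("as-described", False), ("hardened", True)):
            root = build_sample(Path(tmp) / label, hardened)
            print(label, "->", audit(root) or "no open listings")
```

Placing the board directory outside the web root entirely, or on the intranet behind a VPN as the testimony describes, removes the dependency on `.htaccess` being honoured at all.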

PAGE 44/45/46/47/48

PROJECT MANAGER MARGRET ROW

Q. So, you know there is a breach in February, there is a breach in April, you make the decision in April for the website to eventually go back up. Do you know what the breach in February was? What caused it?

A. We understood that board documents were posted, interspersed in an interview that had been surreptitiously recorded and posted to Facebook, YouTube, and Liveleaks.com.

(THIS IS THAT VIDEO AND IT WAS MISS DENHAM WHO MADE FCSLLG AWARE OF IT IN AN EMAIL SENT TO KIM MORROW MOMENTS AFTER POSTING THE VIDEO TO YOUTUBE https://www.youtube.com/watch?v=kq6JCx5FlfA&t=1281s)

Q. Okay. So, I think my question wasn’t clear. I know

that’s how it came to light for C.A.S, but my question more is,

were you, did you ever become aware as to how that individual got

that information, got that document?

A. No.

Q. So, you’ve never been aware in your roll what the

security breach of your website was, like, what caused it

technically?

A. Oh, I beg your pardon, the technical issue was that

directory tree that lists what files are on the website was

visible.

Q. So, it’s actually a bit more than that. What happened was you had two systems. One was all of the public documents that were intended to be in the public’s view, correct?

A. Correct.

Q. And in that exact same spot, under the same months, arranged by months, folders with months in them, were the documents on the confidential site, correct?

A. That’s my understanding.

Q. Right. So, the intention was you go on the interface, and you put in a username or password for the confidential site?

A. Yes.

Q. Correct. Or, you go to the public sphere and you have access to those things, correct?

A. Correct.

Q. But, all somebody had to do was go to the address bar, put in the address of a certain month, year, and date, and they would get the directory of everything that C.A.S. had saved?

A. That’s correct.

Q. And, that included both public and private documents?

A. That’s correct.

Q. You didn’t have to put any password?

A. That’s correct.

Q. You didn’t have to do anything – of any dishonesty, you just have to put in a link, anyone could have done it?

A. Anyone did.

Q. Right. And, the problem is, whoever created your website back whenever it was created, left that function open, correct?

A. Correct.

Q. And, the function I am referring to is that ability to put in any U.R.L. at the top, in the address bar, and be able to browse whatever you want to browse?

A. That’s correct.

Q. Thereby putting it all in the public’s view?

MR. CORBELLA: Well, I guess that’s the whole issue of the legal argument, Your Honour.

MR. MANSOUR: We can excuse the witness if my friend has an issue, and I can explain why I am asking the question.

THE COURT: I think that would be – if you want to just wait outside I’ll hear from the lawyers, and then we will call you back in.

MR. MANSOUR: There isn’t much that turns on this. The witness has said she (indiscernible) anyways, but my point to the witness was, to the best of her knowledge, anyone in the public could have accessed this with no active dishonesty as far as she is aware. That is my question. I’m not asking her to define what a public’s sphere is, my question was poorly worded. But, my point to the witness, how I intended it is, to the best of your knowledge, anyone could have done this, Ms. Denham, or anybody else could have went online and browsed through this, that’s it.

MR. CORBELLA: And, she’s answered that, Your Honour. I think – but the next question was, and that put you into the public’s sphere, and that’s where the whole point of the legal argument we are having here. Again, there is not much contention here, but I think her commenting on what is or what isn’t in the public’s sphere is for Your Honour to decide.

MR. MANSOUR: I can reword. I’m not trying to tip the witness or anything.

THE COURT: That’s fine. It seems to me that you are at agreement in any event.

MR. MANSOUR: Yes. I’ll reword the question, that’s fine. I think – my friend is right. I’ll reword. I only asked the witness to be excused out of caution.

THE COURT: I wonder if she could be brought back in.

Q. I think my question was a little bit confusing. So, let me re-ask you the question. I think you have already answered it, but let me ask you again. As far as you are aware, at the time when the security breach existed, anybody could have gone on line and accessed those documents if they went to that directory?

A. If they understood the concept of backing out.

Q. Right. So, anybody that put in what was put in the U.R.L, with that knowledge of how a U.R.L. works, or how folders work within a website, as far as you are aware, could have gone and accessed it?

A. That’s correct.

Q. Okay. Now, prior to this date, were you always in charge of the website, or is this something that just when you decided to launch a new website it became your purview?

A. No, it became my purview in November of 2015 when I assumed the role, when I assumed the communications project. The website redesign was one part of our communications project.

Q. And, during that time you wouldn’t have been involved of the storing of the confidential documents?

A. That is correct. I was not.

Q. Okay. But, when you decided to take down the website, you decided to take down the website because you weren’t sure what the security breach was, and so you wanted to make sure that – shutdown, and make sure you fixed whatever it was?

A. That’s correct.

Q. No, I’m assuming security is quite important to C.A.S.?

A. Yes.

Q. If you had found out some other way about the same security breach, or any security breach, you would have taken the same step, which is shut down the website?

A. Yes.

Q. So, if your I.T. department came to you and said, hey, I think there is a problem, no one has accessed it, but there was a problem, you would have taken the same step of shutting it down?

A. Our I.T. department had nothing to do with the website.

Q. Ma’am, I’m putting to you a hypothetical. If your I.T. department came to you and said there was a security breach on your website...

A. Yes.

Q. ...no one has accessed it yet. Would you have taken it down still?

A. Yes.

MR. MANSOUR: Thank you. Those are all my questions.

MR. CORBELLA: No re-examination, Your Honour.

:::

2018: Ransomware attacks hit two Ontario children’s aid societies.

Ransomware attacks at two children’s aid societies have spurred the Ontario government to tighten cybersecurity around a new, $123-million provincial database for children in care.

One of the agencies — the Children’s Aid Society of Oxford County — paid a $5,000 ransom to regain access to their sensitive data after the malware attack on their local servers on Jan. 18, according to sources with knowledge of the incident.

Officials with the other agency — Family and Children’s Services of Lanark, Leeds and Grenville — claim to have seen an English ransom message flash on their computer screens, demanding $60,000, when they tried to access their database in November.

“It encrypted most of our servers,” says the Lanark agency’s executive director, Raymond Lemay. “No data was taken out of our system. It was just an attempt by whatever you call these people to get a ransom.”

Lemay says his agency didn’t pay up. He says it used an offline backup of computer files to get the agency up and running again in about eight hours.

Cybersecurity experts from the province’s Ministry of Children and Youth Services, along with a private internet security firm, swooped into the agency to neutralize the malware in the infected servers.

“It took them about three weeks to find the needle in the haystack,” Lemay says.

The ransomware attack locked the agencies out of local online files that contained private information on the children and families they serve.

The computer virus attacked while the Lanark agency was uploading its data to a centralized database known as CPIN. It will allow societies across Ontario to share information more easily and better track how children in foster care and group homes are doing.

“They might have taken advantage of vulnerabilities that occurred because we were changing over to a new system,” Lemay says of CPIN. “That’s one of the hypotheses, but we don’t know for sure.”

Due to the attack, Lemay says the ministry “tightened up” the security protocol used when data is transferred from local societies to the provincial database. “That was one of the lessons learned,” he adds.

About half of Ontario’s 47 children’s aid societies have transferred their data to CPIN. The rest are expected to do so by 2020.

“There have been two recent cyberattacks on children’s aid societies but CPIN has not been compromised in any of these attacks,” the children’s ministry said in a statement to the Star.

“Following these incidents the ministry and Ontario Association of Children’s Aid Societies have reinforced cyber security best practices and protocols with all societies across the province to help prevent similar incidents from happening,” the ministry added.

The children’s ministry spends $1.5 billion annually on a child protection system that serves some 14,000 kids taken from abusive or neglectful parents.

Lemay says the ransomware attack cost his agency $100,000 to fix, an expense covered by his agency’s “cyber insurance.”

Bruce Burbank, executive director at the Oxford agency, confirmed ransomware made data on the agency’s computers inaccessible. He declined a request for an interview and didn’t respond to written questions about the ransom his agency paid.

“Fortunately we were able to restore our computer system the following day and I can confirm that no data was stolen,” Burbank said in an email. “We cannot provide further details of this incident as we do not want to make other agencies (and) organizations vulnerable to similar attacks.”

Aleem Punja, who heads the CPIN effort for the Ontario Association of Children’s Aid Societies, said Oxford was “quarantined” from using the CPIN system for “a couple of weeks” while ministry cyber-experts made sure the provincial database would not get infected.

Punja says he doesn’t know if the agencies were specifically targeted.

Reza Kopaee, director of Toronto-based RiskView cybersecurity firm, describes ransomware as a fast-growing problem. In the last month alone, he says his company was called to help on six ransomware attacks against public or private agencies in Ontario.

“Often they end up paying the ransom,” Kopaee says, adding that the largest amount an Ontario company that he’s attended to has paid was $40,000 (U.S.). Ransoms to unlock computer data are almost always demanded in Bitcoin or other untraceable cryptocurrency, he adds.

“Obviously, there are ethical questions that need to be answered before paying ransom,” he says in a phone interview. “Is it the right thing to do to pay money to someone who is pirating the whole internet? And where does it stop?”

Hackers behind the scams rarely know what agencies or companies they’re attacking, Kopaee adds. They use automated tools that search the internet for weak entry points, grab whatever money they can and move on.

As companies get better at cybersecurity, and opportunities for random attacks diminish, Kopaee expects the attacks to become more targeted and ransom amounts demanded to increase.

https://www.thestar.com/news/insight/2018/02/22/ransomware-attacks-hit-two-ontario-childrens-aid-societies.html


Dealing with a Ransomware Attack: A full guide



Help! Infected by ransomware? This video is a full guide on how to deal with a ransomware attack, how to decrypt your encrypted files, lock down your network, contain damage, recover data and so on. All the steps included here are free and can be performed by anyone before consulting professional help.



For advice about prevention, check out: https://www.thepcsecuritychannel.com/

:::


PART I — OVERVIEW

  1. The Family and Child Services of Lanark Leeds and Grenville (FCSLLG) is responsible for providing Children's Aid Society services, including investigating complaints and, where necessary, initiating proceedings to ensure the protection of children.
  2. As part of their outreach, the FCSLLG maintained a website which they believed had a public side, where community members could access basic information, and a members' only Board Portal, where confidential FCSLLG materials were kept.
  3. However, the FCSLLG did not properly secure the Board Portal. This meant that any member of the public could access confidential documents without needing to enter a username or password. All that was needed to access the confidential documents was to delete the name of a given file and the user would be taken to an open file directory.
  4. Among the confidential files accessible to the public on the FCSLLG website was an Excel spreadsheet which contained the names of mothers whose families had been referred to the FCSLLG.
  5. This security flaw was uncovered when the accused, Ms. Denham, posted a YouTube video which contained confidential board documents. In response, the FCSLLG shut down their website and hired David Schmidt, a website security expert, to review the website's security.
  6. The FCSLLG implemented some but not all of Mr. Schmidt's recommendations before putting the website back online. The file directory was closed from the public, however Board documents had not been removed from the website, contrary to Mr. Schmidt's recommendation.
  7. On April 18, 2016 Ms. Denham posted a picture of a hyperlink or hyperlink of the spreadsheet in the private Facebook group Smiths Falls Swap Shop. Members of that Facebook group accessed the spreadsheet.
  8. The FCSLLG took down their website and called police to investigate the security breach. The website would have been taken down regardless of how it came to the FCSLLG's attention.
  9. As a result of the Facebook post, Ms. Denham is charged with two counts of mischief in relation to computer data, contrary to ss. 430(1.1)(c) and (d) of the Criminal Code.
  10. Ms. Denham faces further charges under the Child and Family Services Act (CFSA) of identifying a child (s. 45(8)) and publishing (s. 76(11)).
  11. In order to prove that Ms. Denham committed the offences under s. 45(8) of the CFSA, the Crown must make out the following elements:

a. Publication or making public;

b. Of information that identifies a child, a child's parent or a member of the child's family;

c. Who is the subject of a hearing or proceeding.

12. Similarly, the Crown must prove under s. 76(11) of the CFSA the elements below:

  1. Publication or making public;
  2. Of information that identifies a witness, participant, or party;
  3. Who is the subject of a hearing.

13. Ms. Denham's post does not make out an offence under ss. 45(8) or 76(11) because

  1. There is no publication; and
  2. The information in the spreadsheet does not identify children or parties to hearings or proceedings.

14. First, the posting of a hyperlink or picture of a hyperlink is not publishing as Ms. Denham neither created nor had control over the content of the hyperlink. Further, posting in a private Facebook group with membership criteria is not a public post.

15. Second, the spreadsheet posted did not identify children or witnesses part of a hearing or proceeding. In order to determine which names on the list corresponded to a hearing or proceeding, Ms. Von Cramon, the FCSLLG lawyer, had to look through and correlate the spreadsheet with an internal client list. Not only that, Mr. Lemay, the executive director of the FCSLLG, and Ms. Row, a project manager with the FCSLLG, also testified that they had to rely on Ms. Von Cramon's examination of client files to determine which names on the spreadsheet had ongoing proceedings. Thus, a lay person viewing the list of names would not be able to determine which names on the list corresponded to ongoing hearings or proceedings.

16. Furthermore, even when identifying the names on the spreadsheet Ms. Von Cramon could not say whether the ongoing proceeding arose from the incident on the spreadsheet, or whether it was unrelated.

17. In the absence of a link between the names on the list and an ongoing hearing or proceeding, there is no contravention of the CFSA.

18. The elements of the offence of mischief to data under s. 430(1.1) are that:

  1. the accused wilfully
  2. obstructs, interrupts, or interferes
  3. with lawful use of computer data or
  4. denies access to computer data to a person who is entitled to access it

19. Ms. Denham has not committed the above offence because the post did not obstruct, interrupt, or interfere with the computer data. According to the testimony from Mr. Lemay and Ms. Row, the FCSLLG would have taken down the website regardless of how the security flaws were brought to the FCSLLG's attention. Furthermore, Mr. Schmidt testified that his recommendation was to shut down the website. Therefore, Ms. Denham's post made the FCSLLG make changes to their website they would have done at any point where the issue had been uncovered. There was no additional loss created by Ms. Denham's post.

20. The elements of the offence for unauthorized use of a computer are that:

  1. the accused fraudulently
  2. and without colour of right
  3. uses or causes to be used a computer system
  4. with intent to commit an offence under s. 430 in relation to computer data or a computer system

21. Ms. Denham has not committed this offence because her accessing the spreadsheet did not require any fraudulent means. Ms. Denham did not hack the website or impersonate another user to access the information. This information was accessible to any member of the public as no username or password was required to access the spreadsheet or other confidential documents. In the absence of deceit, falsehood, or any other fraudulent means Ms. Denham did not commit the offence of unauthorized use of a computer.

PART II EVIDENCE AT TRIAL

22. The court heard evidence from four Crown witnesses, Raymond Lemay, Margaret Row, David Rakobowchuk, and David Schmidt.

A. The Agreed Statement of Facts

23. Sometime before early February 2016, Ms. Denham accessed and downloaded 252 documents from the FCSLLG website, including spreadsheet 0-5intake-stats.xslsx.

24. The spreadsheet contained the names of 285 mothers of children who had interactions with the FCSLLG.

25. The spreadsheet was located in what the FCSLLG thought was a member's only Board portal but which was at the time publicly accessible through the open website directory.

26. In February 2016, the FCSLLG became aware that Ms. Denham had accessed documents from the Board portal after she posted a YouTube video with FCSLLG documents appearing on the video.

27. As a result of the YouTube video, the FCSLLG hired David Schmidt to assess the website's security and temporarily took down the website.

28. On April 18, 2016 Ms. Denham posted a hyperlink or picture of a hyperlink of the spreadsheet in the private Facebook group Smiths Falls Swap Shop.

29. Shortly after the hyperlink was posted, it was removed from the Smiths Falls Swap Shop website.

30. In response to the hyperlink being posted, the FCSLLG shut down their website and deleted all documents therein.

B. Raymond Lemay

31. Mr. Lemay holds the highest position as the executive director of the FCSLLG and has been in that position since December 2015.

32. Mr. Lemay's understanding of the website was that there was supposed to be a public part of the website and a secured board members' only portal which was not publicly accessible.1

33. Mr. Lemay testified that the spreadsheet in question, 0-5intake-stats.xslsx, was created by the FCSLLG and intended to be kept private. Mr. Lemay was aware of the duty the FCSLLG had under the CFSA to keep confidential the information of persons who received services from the FCSLLG.2

34. In February 2016, Mr. Lemay became aware that there was an issue with the FCSLLG website and immediately took down the website.3 In order to fix the security issue, the FCSLLG hired a security consultant to look at the website. The FCSLLG did not incorporate all of the consultant's recommendations. Because of this, in April 2016 Mr. Lemay was made aware of a similar issue with the website and the website was taken down as a precaution.4

35. Mr. Lemay did not know there were issues with the FCSLLG website until the breaches were brought to his attention. Mr. Lemay testified that regardless of how he found out about the breaches he would have taken the step of taking down the website to fix the security issues.5

36. Mr. Lemay testified that in order to determine which cases on the spreadsheet were before the courts, the FCSLLG had to compare the names on the spreadsheet to their computer records. Without comparing the names from the spreadsheet to internal client lists, Mr. Lemay would be unable to say which of the names on the spreadsheet correspond to proceedings:6

1 Trial Transcript, at pp. 11-12 [Transcript].

2 Ibid, at pp. 20, 22-23.

3 Ibid, at pp. 12-13.

4 Ibid, at pp. 27-28.

5 Ibid, at pp. 25-26.

6 Ibid, at pp. 31-32.

Q. Right. My friend put to you these spreadsheets, which is tab four of the multi-volume exhibit?

A. Yes, he did.

Q. So, you took us to kind of what these things mean, and then you told us that ten of those names were individuals that were involved in proceedings, participants in a proceeding?

A. Yes.

Q. You must have done something outside of looking at this to determine that?

A. Yes, we — at some point we compared the list to our computer records, and determined which of the cases in fact had been before the courts.

Q. Okay. Without comparing that, you can't tell me today which of these people are parts of proceedings?

A. I can't tell you, no.

Q. And, you can't tell me today, looking at this list, if a proceeding — if I was to identify for you the ten names, you couldn't tell me when the proceedings started or ended?

A. You are asking me and I don't know that.

C. Margaret Row

37. Ms. Row testified that the FCSLLG website was only taken down after the April 2016 breach. Her recollection was that the website was taken down based on Mr. Lemay's recommendation and that it had been taken down as a precaution to determine the security issue.7

38. Ms. Row was advised that the security issue was that the website's file directory was visible. This meant that a person did not need to enter a board username or password to access confidential documents. All a person had to do was go to the address bar of the website and change what was in that address bar.8

39. Ms. Row acknowledged that she would have taken the website down if the IT department had disclosed the same security breach on their own:9

Q. Okay. But, when you decided to take down the website, you decided to take down the website because you weren't sure what the security breach was, and so you wanted to make sure that — shutdown, and make sure you fixed whatever it was?

7 Ibid, at pp. 40-42.

8 Ibid, at pp. 44-45.

9 Ibid, at p. 48.

A. That's correct.

Q. No, I'm assuming security is quite important to C.A.S.?

A. Yes.

Q. If you had found out some other way about the same security breach, or any security breach, you would have taken the same step, which is shut down the website?

A. Yes.

Q. So, if your I.T. department came to you and said, hey, I think there is a problem, no one has accessed it, but there was a problem, you would have taken the same step of shutting it down?

A. Our I.T. department had nothing to do with the website.

Q. Ma'am, I'm putting to you a hypothetical. If your I.T. department came to you and said there was a security breach on your website...

A. Yes.

Q. ...no one has accessed it yet. Would you have taken it down still?

A. Yes.

40. With regards to the spreadsheet, Ms. Row testified that it contained names of clients who had received service from the FCSLLG in a 5-month period.10 Ms. Row could not say, simply by looking at the list which names on that list were part of proceedings:11

Q. Okay. My friend put to you exhibit four, tab four, that's that spreadsheet, and you identified I believe six families, seven children, one family with two children?

A. Correct.

Q. Right. Are you the one that determined that?

A. No, that was done by the manager of legal services.

Q. Who is that?

A. Karynn VonCramon.

Q. Okay. Can you spell that for me?

A. Karen, K-A-R-Y-N-N, Von, V-O-N, Cramon, C-R-A-M-O-N.

Q. Okay, and Ms. VonCramon, do you know what she did in order to come up with that list of names?

A. She would have consulted with the service managers who are responsible for the clients.

Q. Okay. And so, they would have looked at some other internal document that we don't have — that you don't have access to to determine who on this list was involved in a proceeding?

A. Correct.

Q. Okay. You can't tell me, looking at this list today who is involved in a proceeding if the names were visible?

A. No, I cannot.

41. Ms. Row added she knew there was a duty to keep confidential information of clients receiving the FCSLLG's services and that the spreadsheet, because it contained such information, was supposed to be kept confidential.

Q. Okay. What was the purpose of that document?

A. It was a report to the board. The graphs and the statistics on the first tabs of that report were for — well, for management, but also to the board to determine how well, in fact, we were doing in respecting the time frames for intervention with children and families.

Q. Okay. And, was it your organizations intention that that document be public or private?

A. Oh, private. It's — well, the graphs at the beginning are the kind of information we could put on a website and that people could see how well we are performing in terms of government standards and so on. The information further into the document at the last tabs, the client information, that is strictly confidential.

Q. All right. And, why is that?

A. Because — well, first of all there is a general duty to keep confidential the information of clients receiving services, over and but the child welfare, there is a prohibition in the legislation about publishing information that could identify children receiving services from Children's Aid Societies.

D. David Rakobowchuk

43. Det. Rakobowchuk is himself a member of the above Facebook group. He testified that to join the group, a Facebook user had to request approval from a group administrator.12

44. Det. Rakobowchuk testified that there was no breach of password or anything similar used to gain access to the spreadsheet in question:13

Q. And, just for the purpose of the record, you have referred to — the information you got there was a hack, I guess?

A. Yes.

Q. But, as the investigation went on it was very — it became clear that there was no actual, I guess, a breach of a password, or anything like that used to gain this information?

A. Exactly.

E. Karynn Von Cramon

45. An agreed statement of facts was prepared for Ms. Von Cramon.

46. In order to determine which names on the spreadsheet were part of a FCSLLG proceeding, Ms. Von Cramon had to manually compare the names on the spreadsheet to an internal list of open files accessible only to the FCSLLG legal department. Without consulting the list, Ms. Von Cramon would be unable to identify if anyone was part of a proceeding.14

47. Ms. Von Cramon determined that 6 mothers named in the spreadsheet were part of a proceeding. She could not say if the referral that caused them to be on the spreadsheet was the cause of the proceeding, as some of the proceedings predated the referral to FCSLLG.15

F. David Schmidt

48. Mr. Schmidt was the computer expert hired by the FCSLLG to review their website security and make recommendations.

i. Server logs

49. Mr. Schmidt testified that server logs essentially keep track of who visits a webpage:16

50. A server log provides information about the Internet Protocol (IP) address, the date, the time, the web browser used and information on whether the request was successful. Based on the server logs, Mr. Schmidt was able to determine that the document 0-5intake-stats.xslsx had been accessed by IP address 72.39.243.162.

12 Ibid, at p. 54.

13 Ibid at p. 50.

14 Ibid, at p. 63.

15 Ibid, at pp.63-64.

16 Ibid, at p. 71.
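The log fields described in paragraphs 49 and 50 (address, time, status, and the referrer mentioned in the testimony) are enough to tell an ordinary link click from a visit to an open directory listing. The following Python code is an added example, not part of the submissions or the expert's evidence; it assumes the common Apache/NGINX "combined" log format, and the host name, file names and addresses in the sample lines are constructed.

```python
"""Flag open-directory browsing of a WordPress uploads tree in an access log."""
import re
from urllib.parse import urlsplit

UPLOADS_PREFIX = "/wp-content/uploads/"  # upload tree named in the testimony

# Assumption: the server writes the Apache/NGINX "combined" log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, placeholder host name).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2018:10:01:02 -0400] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jul/2018:10:01:09 -0400] "GET /wp-content/uploads/2018/07/basicdocument.txt HTTP/1.1" 200 312 "https://site.example/" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2018:11:15:40 -0400] "GET /wp-content/uploads/2018/07/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2018:11:15:48 -0400] "GET /wp-content/uploads/2018/07/?C=M;O=D HTTP/1.1" 200 2048 "https://site.example/wp-content/uploads/2018/07/" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2018:11:15:55 -0400] "GET /wp-content/uploads/2018/07/brochure.pdf HTTP/1.1" 200 88211 "https://site.example/wp-content/uploads/2018/07/" "Mozilla/5.0"
192.0.2.44 - - [12/Jul/2018:12:00:00 -0400] "GET /wp-content/uploads/2018/06/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
this line is malformed and is skipped
"""


def url_path(value):
    """Return only the path of a request target or Referer ("" if unparsable)."""
    try:
        return urlsplit(value).path
    except ValueError:
        return ""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = url_path(rec["target"])          # drops ?query (e.g. sort links)
    rec["referer_path"] = url_path(rec["referer"])
    return rec


def is_upload_dir(path):
    """True for a folder URL inside the uploads tree (trailing slash, no file)."""
    return path.startswith(UPLOADS_PREFIX) and path.endswith("/")


def analyse(log_text):
    """Sort requests into listing served / listing refused / file reached via listing."""
    report = {"listing_served": [], "listing_refused": [],
              "file_via_listing": [], "skipped": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            report["skipped"] += 1
            continue
        if rec["method"] not in ("GET", "HEAD"):
            continue
        entry = (rec["ip"], rec["time"], rec["path"])
        if is_upload_dir(rec["path"]):
            # 200 on a folder URL: the server returned a directory index.
            if rec["status"] == 200:
                report["listing_served"].append(entry)
            elif rec["status"] in (401, 403, 404):
                report["listing_refused"].append(entry)
        elif (rec["path"].startswith(UPLOADS_PREFIX) and rec["status"] == 200
              and is_upload_dir(rec["referer_path"])):
            # File fetched by clicking an entry inside a directory listing,
            # as opposed to a link on a normal page (referrer is the page).
            report["file_via_listing"].append(entry)
    return report


if __name__ == "__main__":
    for kind, rows in analyse(SAMPLE_LOG).items():
        print(kind, rows)
```

A 200 on a folder path can also come from an index file placed in that folder, so confirm a hit by requesting the URL yourself; turning off automatic directory indexes on the web server is what closes the listing.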

51. IP address 72.39.243.162 was admitted as belonging to Ms. Denham.17

ii. Structure of the FCSLLG website

52. In 2016 the FCSLLG used WordPress to design their website. WordPress is the most commonly used software people use to create websites.18 Mr. Schmidt testified that WordPress does not require a special knowledge and that it is not intended for confidential documents:19

Q. So, you talked about WordPress, right? And, WordPress is used by about sixty million websites worldwide, right?

A. Correct.

Q. It's the most widely used...

A. Yep. Over thirty five percent of public websites use WordPress.

Q. Right. It's open source?

A. Correct.

Q. And, open source just means anybody can use it, you don't need a licence, you don't need to buy anything?

A. Correct.

Q. Anyone can use...

A. And, all the source code is available for viewing by anybody. There is nothing proprietary behind it.

Q. Right. And, it's intended to be pretty user friendly?

A. Mm-hmm.

Q. Right?

A. Yes.

Q. Yes. There is quadrants made for it, there is other themes for it. It's intended for the average person to be able to build the website for their home business, or just for fun, or for a blog, or for whatever?

A. Absolutely.

Q. Right. It doesn't require a special knowledge to use WordPress?

A. Not particularly.

17 Exhibit 1, agreed statement of facts.

18 Transcript, supra note 1 at p. 98.

19 Ibid, at pp. 106-107.

Q. Right. And, because of that, it's not actually, as it's set out by default, not intended for confidential documents at all?

A. I guess not.

Q. Well, and the reason I say this is from what you said which is that by default it has a browseable directory...

A. Yep, absolutely.

Q. ...that you could go to that doesn't lock. So, by default, a logical inference is, if you have a directory that's browseable where you can get to every document with no password, that's the default settings.

A. Absolutely.

Q. By default, it is not intended for confidential documents?

A. That is true.

53. The FCSLLG had a website that was intended for the public but that also had a Board Portal for members to access internal FCSLLG documents.

54. The private information was supposed to be kept confidential by requiring the use of a username and password to access a Board members' only portal. However, this was not the case. A person could access confidential board documents without needing to enter a username or password.

55. This access was possible because the FCSLLG kept both public and private documents in the same directory.21 This meant that all documents, whether public or private, which had been uploaded onto the website were visible in the website's directory.

56. Mr. Schmidt testified that where a directory is browseable, as it was with the FCSLLG website in February 2016, all documents in the uploads folder were visible when the directory was accessed:22

Q. So, if you know what the word uploads means, which is you upload something to the internet, you put something online, right?

A. Yep, yes.

Q. You would be able to look at uploads, and then after that is a year, a month, and a date?

A. A year and a month, in this case.

20 Transcript, supra note 1 at p. 103.

21 Ibid, at p. 103.

22 Ibid, at p. 108.

Q. So, the logical inference is that's where things are stored based on year, month, and date?

A. Yep, and that's how WordPress operates.

Q. Right.

A. That is how WordPress, that is the, the methodology that WordPress uses to store documents that people upload using the content management system.

Q. Correct. Now, once you get there you can go behind the scenes, so to say, and just look at every document, which is what makes it browseable. You can just start clicking...

A. If it is browseable, then yes, you can view it openly. That's correct.

Q. So, you can just start clicking on the different folders, the different months, the different years...

A. Correct.

iii. How the spreadsheet was accessed on the FCSLLG website

57. Mr. Schmidt set up a mock website and did a demonstration of how the spreadsheet could have been accessed. In Mr. Schmidt's example, the mock website's address was environet.ca:23

A. So, up at the top where the web address is you would see the name of the business. This is a mock up called Environet.ca.

Q. Right.

A. You would have seen FCSLLG.ca up there.

Q. Okay.

  1. The environet.ca website was set up with a mock hyperlink which, when clicked on, opened an example document. Clicking on the hyperlink sent the user to the page environet.ca/wp content/uploads/20 1 8/07/basicdocument.txt:24

A. So, I've created a dummy link here to what we are calling a download this example basic document. So, you see where the mouse pointer is, and this is what's called a hyper link.

Q. Yes.

A. And so, when we click on it it takes us to that example document. So, a couple of details; number one, in the server log, we would see a 200 status message saying that this had been downloaded, and we would see the referrer of the main webpage showing us this. If you look up at the top bar where it says environet.ca/wp-content/uploads/2018/07/basicdocument.txt...

Q. Yes.

A. ...that is the exact address of that document.

59. The analogy on the FCSLLG website would have been to click on any PDF document from the website's home page:25

Q. Again, just to keep it related to our case...

A. Yes.

Q. Back in 2016, on the Family and Child Services website, if you clicked on a link on their website just as you showed us here...

A. Yep.

Q. ...correct me if I'm wrong, but you would — instead of saying environet.ca, it would say Family and Child Services...

A. Yep.

Q. Right? Would you also see — wp-content...

A. Only if, only if you accessed, like, a P.D.F. document that they had posted for people to see. If you were just clicking on regular links...

Q. Right.

A. ...you would never see the wp-content show up.

Q. Okay.

A. So, that would show up when, let's say, they posted their brochure, and it's an acrobat P.D.F. document, or something like that.

Q. Right. So, you would see the same thing we have up now only it would be relating to Family and Child Services?

A. Correct.

60. In order to access the uploads folder from the basic document at environet.ca/wp-content/uploads/2018/07/basicdocument.txt, a person would simply have to remove the name of the document, "basicdocument.txt", thus leaving "environet.ca/wp-content/uploads/2018/07/":26

A. Okay. So, we talked about how, how the visitor could have, could have found the uploads folder.

Q. Yes.

A. And so, if we take our pointer up here to where the address bar is...

Q. Yes.

A. ...we click in it and we remove the name of the document — so, if we remove basicdocument.txt...

Q. Yes.

A. ...which takes us back to, essentially, specifying a folder name, and we hit enter, what we have is a directory listing. So, this is, this is everything that sits on the web server in the wp/content/uploads/2018/07 folder. And, we will see there are a whole bunch of picture files there referring to various photos that are used on the website, and as we scroll down, down into the B's for our basic document example, there is that basicdocument.txt, and this would be a way that we could go to it a different way.

Q. Okay.

A. But, the example I want to show is is if we go down into the S's, where I've just put a dummy sensitive document — sorry, too far — a sensitivedocument.txt, we see the name of it, we are interested in it, we click on it, we now see an example of a document that has content that might be deemed sensitive. So, this would be an example of that 05-intake.xls file, or one of the other documents that the F.C.S. believed was secured with their Board Portal.

Q. Okay.

A. So, that's just a very simple — this is, this is how it would have been seen.

61. Thus, by removing the name of the document, a user would "zoom out" from a specific document to the folder where the document was being kept. Any other documents in that folder would be visible to the user.

62. From environet.ca/wp-content/uploads/2018/07/, removing "2018/07/" would bring a user to the uploads folder, showing the entire upload directory and folders within.

26 Ibid, at pp. 95-96.

Q. All right. What if you back up all the way to uploads?

A. Yep. So, off we go. Up here to the web address bar, and back up all the way up to uploads, again because there is no extra protection put in place to stop this listing, we are essentially looking through, as it were, a clear pane of glass to see that there are multiple folders there, 2018, 2019, and some other folders relating to the WordPress setup. So, we could then choose a folder, like, 2018. We could then choose a month, like, 0-7, or 0-8, and you see some of these folders are empty because there is not anything in them, but if we go into the, for example, the 0-7 one, we see again the images that make up the website, as well as anything else that's been uploaded, and that's where our two example documents are that I put there as a demonstration.

63. In February 2016, when Mr. Schmidt was retained by the FCSLLG to determine the cause of the breach, he accessed the FCSLLG's directory in the manner demonstrated above.27

Q. In February, 2016, you actually went to the website...

A. And, I checked the uploads.

Q. Right. But, you went to the Board Portal?

A. Well, I, I visited the website. I also visited the Board Portal just to see whether anything in the Board Portal itself was open.

Q. And, what did you try doing to get through there?

A. I tried, sort of, random user names and passwords to see if anything, sort of, default would be enabled.

Q. And, when you tried that what happened?

A. The usernames and passwords were incorrect.

Q. And, what did you see on the screen?

A. An error telling me that the password was not, was not valid.

Q. So then what did you decide to do?

A. Well, then, then I decided to check whether this particular hole existed.

Q. Right.

27 Ibid, at pp. 99-100.

A. Right? And, I went to the wp-content/uploads folder and I was then able to browse a directory like we are looking at right now.

Q. Okay. And, it was as simple as backing up the U.R.L...

A. Correct.

Q. ...to...

A. Essentially, we are moving something from the end of it to make it a more generic request.
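The log evidence described in the testimony above (a 200 status and a referrer for each download) can be used by a site operator to tell linked downloads apart from downloads reached through an open directory listing. The following is an added example, not part of the submissions or of Mr. Schmidt's evidence; the log lines are constructed, in the common "combined" access-log format, and reuse the mock environet.ca paths from the demonstration, and the 403 response for a disabled listing is an assumption about how the server is configured.

```python
import re
from urllib.parse import urlsplit

UPLOADS = "/wp-content/uploads/"

# Constructed sample lines ("combined" log format); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2018:09:14:02 -0400] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2018:09:14:09 -0400] "GET /wp-content/uploads/2018/07/basicdocument.txt HTTP/1.1" 200 48 "https://environet.ca/" "Mozilla/5.0"
198.51.100.23 - - [10/Jul/2018:10:02:31 -0400] "GET /wp-content/uploads/2018/07/ HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jul/2018:10:02:40 -0400] "GET /wp-content/uploads/2018/07/sensitivedocument.txt HTTP/1.1" 200 96 "https://environet.ca/wp-content/uploads/2018/07/" "Mozilla/5.0"
198.51.100.23 - - [10/Jul/2018:10:03:05 -0400] "GET /wp-content/uploads/ HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Jul/2018:08:00:00 -0400] "GET /wp-content/uploads/2018/07/sensitivedocument.txt HTTP/1.1" 200 96 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Jul/2018:08:00:00 -0400] "GET /wp-content/uploads/2018/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def classify(log_text):
    """Sort requests under the uploads folder into five buckets.

    listings    - a folder URL answered with 200: the directory was browseable
                  (or an index file sits there; confirm by viewing the response)
    blocked     - a folder URL answered with 403/404: listing is switched off
    via_listing - a file whose referrer is a folder URL under uploads, i.e. the
                  visitor clicked it in a directory listing
    linked      - a file whose referrer is some other page (a normal site link)
    direct      - a file requested with no referrer (exact address typed,
                  pasted, or followed from somewhere that strips the referrer)
    """
    report = {"listings": [], "blocked": [], "via_listing": [],
              "linked": [], "direct": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        path = urlsplit(m["target"]).path      # drop any query string
        if not path.startswith(UPLOADS):
            continue
        hit = (m["ip"], path)
        status = m["status"]

        if path.endswith("/"):                  # request names a folder
            if status == "200":
                report["listings"].append(hit)
            elif status in ("403", "404"):
                report["blocked"].append(hit)
            continue

        if status != "200":                     # file was not served
            continue
        referer = m["referer"]
        ref_path = urlsplit(referer).path
        if referer in ("", "-"):
            report["direct"].append(hit)
        elif ref_path.startswith(UPLOADS) and ref_path.endswith("/"):
            report["via_listing"].append(hit)
        else:
            report["linked"].append(hit)
    return report


if __name__ == "__main__":
    for bucket, hits in classify(SAMPLE_LOG).items():
        print(f"{bucket}:")
        for ip, path in hits:
            print(f"  {ip}  {path}")
```

Any entry in `listings` means the folder was open at that time; entries in `direct` correspond to the later state described in the evidence, where a visitor had to know the exact location of a document.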

iv. Mr. Schmidt's recommendations in February 2016

64. Mr. Schmidt testified that it was a foolish practice to keep a website's directory browseable.28

65. He also testified that better practices for websites where confidential information was stored would be to use an intranet system, to use a VPN access with a username and password, or to put the materials on a separate website requiring a username and password. None of these steps were in place in 2016 with the FCSLLG website.29

66. One of Mr. Schmidt's core recommendations was to take everything from the Board Portal off the public internet.30 After the breach in April, Mr. Schmidt re-iterated the above recommendation. While the FCSLLG directory was no longer browseable, the FCSLLG had not removed documents from the Board Portal as he had directed.31

Q. And in fact, your second recommendation is — you use the vehemently, you say; "I'm telling you this again, like, you have to do this, you have to take this stuff down".

A. Yep, yep. In April essentially I revisited my original recommendations saying; "The only reason we are here is that the original recommendations weren't followed".

Q. Right. It didn't make any sense because in February you are telling them; "Anyone can access this. Here is why. Fix this".

A. Yep.

Q. In April, some of the same problems existing allowing anyone to still access the documents.

28 Ibid, at p. 101.

29 Ibid, at p. 110.

30 Ibid, at p. 116.

31 Ibid, at pp. 116-117.

A. Correct. The difference in April was that the person would have had to know the exact location of that document.

Q. Right.

A. Whereas previously it was an open book, as it were.

67. Mr. Schmidt also advised the FCSLLG to keep their website offline until the Board Portal documents were all taken down.32

68. Mr. Schmidt's recommendation to keep the website offline was independent of the number of documents that needed to be removed from the website.33

Q. You did not recommend — did you recommend that they take down the website, or did you recommend that they just turn off the browsing function? Did you say it was recommend to do this, you didn't have to take it down? What was your ultimate recommendation in February?

A. My ultimate recommendation was to take down the website, make sure everything was scrubbed before anything went back online, because essentially doing, doing that scrubbing while the site is online isn't safe, right? You want to make sure it's not accessible by anybody while you are cleaning up.

Q. And so, the reason you have to take it down is only if the number is so large that you couldn't possibly do it in a safe enough time, or quick enough?

A. As a general precaution you would take it down anyway.

Q. Okay.

A. Even if it was only ten you would want to make sure that you pulled those ten without anybody else accessing those documents.

Q. So that in those few minutes that you are doing your work no one else accesses them?

A. Correct.

32 Ibid, at p. 116.

33 Ibid, at pp. 118-119.

v. Indexing

69. Mr. Schmidt testified that Google started indexing websites in 2004. Indexing means that Google used an algorithm to go into open websites and download things on them to make them searchable.34

70. Documents such as Excel spreadsheets are easily indexable by Google.35

71. When a document is indexed by Google or another search engine, the content of the document becomes searchable and could come up in a Google search:36

Q. I understand. And, if it was indexed, the content would then have been indexed too, because Google could actually read within the document?

A. Correct.

Q. Right. So, if you search a name of someone listed on the document, it could actually come up in the search results?

A. Correct.

Q. So, that's another way that if it was indexed you could actually come upon the documents?

A. Correct.

72. Open directories, like the one the FCSLLG had, would be indexed unless the FCSLLG took an extra step to make sure this did not happen.37

73. Although he was of the opinion that Google did not index the spreadsheet, Mr. Schmidt could not say whether the FCSLLG spreadsheet had been indexed by other search engines such as Bing or Yahoo:38

Q. Did you only check Google, or did you check other search engines, like Bing, or Yahoo, or anybody else?

A. I did not check Bing, or Yahoo, I just checked Google.

Q. And, you can't tell us if those things indexed any of those?

A. That is correct, I cannot.

34 Ibid, at p. 112.

35 Ibid, at pp. 114-115.

36 Ibid, at p. 115.

37 Ibid, at p. 112.

38 Ibid, at p. 125.

PART III — LAW

A. Law

i. Child and Family Services Act offences

74. The CFSA, which has since been replaced by the Child, Youth and Family Services Act, governs the child protection regime in Ontario.

75. Section 45 of the CFSA sets rules related to child protection hearings and orders. As part of these rules, s. 45(8) provides that:39

No person shall publish or make public information that has the effect of identifying a child who is a witness at or a participant in a hearing or the subject of a proceeding, or the child's parent or foster parent or a member of the child's family.

76. The above section prohibits the publishing or making public of information that identifies a child, the child's parents or a member of the child's family where that child is either a participant in a hearing or the subject of a proceeding.

77. The elements of the offence are as follows:

  1. Publication or making public;
  2. Of information that identifies a child, a child's parent or a member of the child's family;
  3. Who is the subject of a hearing or proceeding.

78. Similarly, section 76 of the CFSA states that:

No person shall publish or make public information that has the effect of identifying a witness at or a participant in a hearing, or a party to a hearing other than a society.

79. The elements of the offence are as follows:

  1. Publication or making public;
  2. Of information that identifies a witness, participant, or party;
  3. Who is the subject of a hearing.

80. Section 45(8) of the CFSA has been interpreted as requiring that the information published or made public be linked with identifying participants in a hearing or proceeding:41

39 Child and Family Services Act, RSO 1990, c. C.11, s. 45(8) [CFSA].

40 CFSA, s. 76(11).

41 Children's Aid Society of Hamilton-Wentworth v. D.-G. (F), [1995] 21 OR (3d) 643, OJ No. 148, at paras. 46-47 (Ont. Gen. Div.) [CAS Hamilton v D.-G.]

There are two possible interpretations of s. 45(8). One, that it is an absolute ban against identifying the child or the family who are participants in a hearing or the subject of a proceedings. Secondly, that it is not a ban against identifying anyone unless it is coupled with identifying them as people who are involved in the proceedings.

The second interpretation is the only logical one. The impugned publication must make reference to the proceedings or be contrary to some other provisions of the Act to justify an injunction based on the Act. If the prohibition were against identifying any of the persons listed, then it would be an offence to publish anything about the mother even if no reference is made to the fact that she is involved in any proceedings. It must, to offend the Act, require disclosure that there are proceedings either directly or impliedly and couple the person identified with those proceedings. [emphasis added]

81. In other words, the publication of a newspaper article that mentioned the name of a child who is part of a CAS proceeding in the context of a hockey tournament does not breach s. 45(8) because there is no link between the name of the child and a CAS proceeding. However, a newspaper article identifying that child's family members as part of a CAS proceeding would contravene s. 45(8).

82. Section 76(11) has not been judicially interpreted. However, given the similarities in language between the two sections, it is logical that for a breach under s. 76(11) the same link between a witness and participation in a hearing is required.

1. The definition of publishing

83. The CFSA offences under which Ms. Denham has been charged particularize that she published, rather than made public, identifying information under the Act.

84. The CFSA does not define "publish"; however, courts have interpreted the word publish as having its plain language meaning.

85. Generally, courts have cited dictionary definitions of publish:

Publish - To make public; to circulate; to make known to people in general . . . An advising of the public or making known of something to the public for a purpose.42

Publish - 1 a: to declare publicly: make generally known ... 3a: to place before the public (as through a mass medium) ...43

42 Black's Law Dictionary, cited in Edmonton Journal v Alberta (Attorney General), [1985] AJ No. 1060 at para. 19 (ABQB).

43 Webster's Third New International Dictionary cited in Edmonton Journal v Alberta (Attorney General), [1985] AJ No. 1060 at para. 19 (ABQB).

Publish - to make generally known; to make public announcement of; to place before the public; to produce or release for publication; to issue the work of (an author); to put out an edition; to have one's work accepted for publication.44

86. In Re Orr, which considered the meaning of publication in what was then the Criminal Code section on publishing obscenity, the trial judge wrote:45

[Publication] has other special meanings in law; publication of a will, publication of an invention. But this does not involve the acceptance of those special meanings in connection with unrelated legal subjects and where the word "publication" is used in a penal statute without definition, and with no context which would assign to it a special meaning, it must be considered to bear the meaning it would bear in ordinary English speech or writing. Certainly, where crime is involved a court should not go out of its way to attribute to the word an extraordinary meaning involving the culpability of the accused, but should rather hew strictly to the line resolving any possible doubt in favour of the accused. [emphasis added]

87. In the context of the CFSA, Masse J provided some guidance on the interpretation of s. 45(8) (or s. 41(8) as it then was). In finding that s. 41(8) was constitutional and did not breach the freedom of expression provision of the Charter, Masse J determined the meaning and scope of the section applying principles of statutory construction.

88. First, he found that the prime objective of the CFSA was "to promote the best interests, protection and well-being of children."46 Second, the CFSA should be interpreted, where possible, in a manner consistent with the Charter.47 Third, all penal statutes should be strictly construed to minimize encroachment by the state upon an individual's freedom.48 Finally, the entire context of the statute should be looked at in determining the meaning of any section.49

89. Masse J also briefly addressed the effect of the words "publish or make public" and "has the effect of identifying":

These words are very common and ordinary words which the courts will have to interpret depending on the circumstances of each case. Any ambiguity in the meaning of these words in the context of any particular case will be resolved by choosing that meaning that is most favourable to an accused person.

44 Webster's New Collegiate Dictionary cited in R v Daly, 2003 BCSC 1143 at para. 100.

45 Re Orr's Stated Case (sub nom Re R v Leong), [1961] 38 WWR 114 at para. 9.

46 R v Davies, [1991] 87 DLR (4th) 527 at para. 67 (ONSC) [Davies].

47 Ibid at para. 68.

48 Ibid at para. 71.

49 Ibid at para. 72.

50 Ibid at para. 74.

90. The plain language meaning of publishing was adopted by the Child and Family Services Review Board (CFSRB) in J.M. v Family & Children's Services of the Waterloo Region, where the CFSRB considered whether the CAS adducing evidence of court proceedings at the board hearing constituted publication under s. 45(8). In finding that this was not publication, the board stated:51

The word "publish" is defined in the Canadian Oxford Dictionary as follows: "prepare and issue (a book, a newspaper, information in electronic form, computer software, etc.) for public consumption; make generally known".

In the Board's view, the Society is not "publishing or making public information" when it adduces evidence before the Board. The hearing before the Board is in camera and the evidence received is kept private. Thus, the Society is not making information "generally known" when it adduces evidence to support its jurisdiction motion. The Board does not believe the Society can avoid its evidentiary and legal burdens by relying upon section 45(8) of the Act.

In order to breach the requirements of section 45(8), the publication must identify the child who is the subject of the Board's proceeding and/or the child's parent. While the Board's decision is published (made generally known) when it is posted on the Board's website, there is no identification of the child who is the subject of the Board's proceeding or the child's parent because all identifying information is removed. Therefore, the posting of the Board's decision where the Society's evidence may be referred to does not breach section 45(8) of the Act.

91. The Crown suggests that the definition of publish in s. 299 of the Criminal Code should be used as the definition under the CFSA. Such a proposition is cited without any supporting case law. Further, Parliament, in enacting s. 299, saw fit to provide a specific definition of publishing for libel. Had Parliament wanted the same definition to apply in the CFSA or more broadly in the Criminal Code, it could easily have done so.

92. The term "publish" should be given its plain language interpretation given the adoption of this interpretation in Davies, which is binding on this court.

2. What Constitutes Publishing

93. The Supreme Court of Canada in Crookes v Newton considered whether the posting of a hyperlink, that is a reference to data which a user can follow by clicking, was publishing in the context of defamation. In that case, Mr. Crookes sued Mr. Newton on the basis that two hyperlinks Mr. Newton used on his website connected to defamatory material and, by posting those hyperlinks, Mr. Newton was therefore publishing the defamatory information.

94. The Court found that the posting of a hyperlink is not publishing. First, a hyperlink is a reference, meaning that the person posting the hyperlink has no control over its content:52

Hyperlinks are, in essence, references. By clicking on the link, readers are directed to other sources. Hyperlinks may be inserted with or without the knowledge of the operator of the site containing the secondary article. Because the content of the secondary article is often produced by someone other than the person who inserted the hyperlink in the primary article, the content on the other end of the link can be changed at any time by whoever controls the secondary page. Although the primary author controls whether there is a hyperlink and what article that word or phrase is linked to, inserting a hyperlink gives the primary author no control over the content in the secondary article to which he or she has linked.

These features - that a person who refers to other content generally does not participate in its creation or development - serve to insulate from liability those involved in Internet communications in the United States. [references omitted]

95. Second, a person hyperlinking a document is not the publishing party; that role falls to the creator of the content:53

A reference to other content is fundamentally different from other acts involved in publication. Referencing on its own does not involve exerting control over the content. Communicating something is very different from merely communicating that something exists or where it exists. The former involves dissemination of the content, and suggests control over both the content and whether the content will reach an audience at all, while the latter does not. Even where the goal of the person referring to a defamatory publication is to expand that publication's audience, his or her participation is merely ancillary to that of the initial publisher: with or without the reference, the allegedly defamatory information has already been made available to the public by the initial publisher or publishers' acts. These features of references distinguish them from acts in the publication process like creating or posting the defamatory publication, and from repetition.

96. Thus, according to the Supreme Court, for a person to be publishing material, two elements are required: creation and control over the material.

52 Crookes v Newton, 2011 SCC 47 at paras. 27-28 [Crookes] (Crown's Book of Authorities, Tab 4).

53 Ibid at para. 26.

3. Procedures and Practices for Child Protection Cases

97. Regulation 206/00 of the CFSA sets out the procedures, practices and standards of service for child protection cases which outline how complaints and files move through the CAS.

98. The first step requires that, where the CAS receives information that a child may be in need of protection, it assess the information received in accordance with the Child Protection Standards (CPS) and ultimately determine whether or not a child protection investigation should be initiated.54

99. The CPS set out the expectations of CASs when they receive new referrals, reports of information that a child may be in need of protection. A referral is defined in the practice notes as including "any report or information received from any source (e.g. a child, community member, the police, etc.), and through any method (e.g. by phone, in person, in writing) that a child may be in need of protection."55

100. The CPS then list criteria and research CAS workers must complete (e.g. determining whether the child is in the CAS' jurisdiction, obtaining a full report of the incident, checking the Ontario Child Abuse registry, etc.) in order to determine the appropriate response. At this stage, the possible referral dispositions are: (1) the referral is opened for child protection or open for other child welfare services; (2) a "community link" is established for families in the community; or (3) no direct contact/ information only.

101. A referral will be open for child protection or for other child welfare services where there are reasonable and probable grounds that a child may be in need of protection.56 A community link may be chosen for less serious matters or cases where there is no indication that a parent has failed to protect the child from an alleged perpetrator.

102. The no direct contact/ information disposition "is chosen for cases which do not require a protection investigation or a "community link" service and which do not receive any direct contact from the CAS. This also includes situations where a CAS provides information only (e.g. about appropriate discipline, or at what age a child may be left at home alone)."57

103. Thus, not all CAS referrals will lead to a matter being opened for child protection. For example, the CAS could receive a referral and, upon investigation, could find the matter to be unfounded and disposed as no direct contact/ information disposition.

54 CFSA, O. Reg. 206/00: Procedures, Practices and Standards of Service for Child Protection Cases, s. 2.

55 Child Protection Standards 2016 at p. 25.

56 Child Protection Standards 2016 at p. 24.

57 Child Protection Standards 2016 at p. 32.

ii. Mischief to computer data

104. Under s. 430(1.1), there are several ways that a person can commit mischief to computer data:

Everyone commits mischief who wilfully

(a) destroys or alters computer data;
(b) renders computer data meaningless, useless or ineffective;
(c) obstructs, interrupts or interferes with the lawful use of computer data; or
(d) obstructs, interrupts or interferes with a person in the lawful use of computer data or denies access to computer data to a person who is entitled to access to it.

105. Sections 430(1.1)(c) and (d) require that the interference be of lawful use of computer data. The elements of the offence of s. 430(1.1)(c) are:

  1. the accused wilfully
  2. obstructs, interrupts, or interferes
  3. with lawful use of computer data

106. Section (d) provides an alternative route of liability, which is that a person deny access to computer data that another is entitled to access. The elements of the offence of s. 430(1.1)(d) are:

  1. the accused wilfully
  2. obstructs, interrupts, or interferes
  3. with lawful use of computer data or
  4. denies access to computer data to a person who is entitled to access it

107. The mens rea requirement for wilfulness encompasses recklessness on the part of the accused.

iii. Unauthorized use of a computer

108. Under section 342.1(1)(c) of the Criminal Code:

Everyone is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years, or is guilty of an offence punishable on summary conviction who, fraudulently and without colour of right,

(a) obtains, directly or indirectly, any computer service;

(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system;

(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or under section 430 in relation to computer data or a computer system

109. The elements of the offence are that:

  1. the accused fraudulently
  2. and without colour of right
  3. uses or causes to be used a computer system
  4. with intent to commit an offence under s. 430 in relation to computer data or a computer system

110. The fraudulently requirement is "an independent part of the actus reus of the offence and requires behaviour that a reasonable person in the circumstances of the defendant could consider a 'dishonest activity'".58

111. The term fraud is defined in section 380 of the Criminal Code as consisting of any "deceit, falsehood or other fraudulent means."

112. These words have been interpreted in the case law. Deceit "involves an untrue statement made by a person who knows that it is untrue, or has reason to believe that it is untrue and makes the statement despite the risk."59

113. A falsehood is "a deliberate lie" and other fraudulent means is "conduct that is neither a falsehood nor deceitful but can be objectively considered to be dishonest because an average, reasonable person would see it as being at variance with straightforward or honourable dealings."60

B. Application of the Law to the Facts

i. CFSA offences

1. There was no publication

114. Ms. Denham's posting of a link or picture of a link to the spreadsheet does not meet the definition of publishing for two reasons. First, posting a hyperlink has been determined by the Supreme Court of Canada not to constitute publishing. Second, by making the post in a private members-only Facebook group, the post was not made public.

58 R v Parent, 2012 QCCA 1653 at para. 37.

59 R v Fast, 2018 ONSC 2821 at para. 47.

60 Ibid.

115. According to the Supreme Court in Crookes v Newton, for a person to be publishing material, two elements are required: creation and control over the material. Ms. Denham does not meet either criterion.

116. The spreadsheet was created by the FCSLLG; that is not in dispute.

117. Control over the spreadsheet also resided with the FCSLLG. While Ms. Denham could view and download the file by clicking on the hyperlink, she could not control whether the spreadsheet was on the website or not.

118. For example, the FCSLLG could have removed the spreadsheet from their website, as they did, following the recommendation by Mr. Schmidt.

119. The FCSLLG also could have changed what the content was at the end of the hyperlink, replacing the spreadsheet with another document or photo.

120. Furthermore, Ms. Denham's posting of the hyperlink in a private Facebook group does not constitute publishing. For publication to occur, information must be made public. Ms. Denham did not make the spreadsheet public by posting in the Smiths Falls Swap Shop (SFSS) Facebook group.

121. The fact that the SFSS is a Facebook group means that only Facebook users can access the group. Not all persons have a Facebook account; therefore, from the start, information available on Facebook is not available to all members of the public.

122. Further restricting the audience of the post is that the SFSS is a private Facebook group. A private Facebook group means that only Facebook users who are members of that group can view and add to the group's content. Thus, even though a person is a Facebook user, they would not have access to content posted in SFSS.

123. Membership in the SFSS group requires that a Facebook user live within two hours of Smiths Falls and agree to follow the group rules.61

124. Det. Rakobowchuk testified that he was a member of the SFSS Facebook group. He testified that permission must be requested and given for a person to have access to the group:62

Q. The next thing I want to ask you, sir, our agreed statement of fact makes reference to the Smiths Falls Swap Shop website.

A. Yes.

Q. Or, a Facebook group actually. I understand, sir, that you are a member of that?

61 Exhibit 1, Agreed Statement of Facts

62 Transcript, supra note 1 at p. 54.

A. I am. Along with a number of other Swap Shop and selling Facebook pages. I actually monitor them for stolen goods that might be reported to us on occasion.

Q. All right. So, can you tell us, sir, what is it?

A. Individuals will post things that they have for sale, or looking for advice and recommendations on products and services, that sort of thing.

Q. Okay. How long have you been a member?

A. Oh goodness, I've been assigned to our Crime Unit since January of 2014, and I think about that time I decided to start joining some various groups in and around the Smiths Falls area.

Q. Do you remember what it took to join back then?

A. You click on a banner that says join group. You may have to wait a little bit for an administrator to verify who you are, and then you get a notice saying you are now a member of this group.

  1. Only persons who have been approved by the SFSS administrators will be invited to the group and be able to view the group's content.
  2. Far from posting the hyperlink on a public website, which would be visible to any internet user, Ms. Denham posted the link to a private Facebook group. Not only is a Facebook account required to participate in the group, membership is also restricted to persons living within 2 hours of Smiths Falls who have been approved by the group's administrators.
  3. The number of members in the SFSS group when Ms. Denham posted the hyperlink is not known.

2. Information does not identify persons subject of a hearing or proceeding

  1. Setting aside the question of publication, the information published does not identify persons subject of a CAS hearing or proceeding as required by ss. 45(8) and 76(11).
  2. The prohibition on publication in these sections must link a person's name with a CAS hearing or proceeding. Rosenburg J's comments in Children's Aid Society of Hamilton-Wentworth v D.-G. E bear repeating:63

The impugned publication must make reference to the proceedings or be contrary to some other provisions of the Act to justify an injunction based on the Act. If the prohibition were against identifying any of the persons listed,

63 CAS Hamilton v D.-G., supra note 41 at para. 41.


then it would be an offence to publish anything about the mother even if no reference is made to the fact that she is involved in any proceedings. It must, to offend the Act, require disclosure that there are proceedings either directly or impliedly and couple the person identified with those proceedings.

  1. It is not enough that a person named on the list be a client of the FCSLLG or have been referred to the CAS. For example, a referral could have been made about a mother and that complaint, upon further investigation was unfounded. The inclusion of that mother's name on the spreadsheet does not necessarily mean that there was a hearing or proceeding.
  2. Mr. Lemay testified that the names on the spreadsheet were CAS clients, which he defined as having been referred to the FCSLLG by others or by themselves:64

Q. And again, a client is a person who...

A. Has been referred to us, or has referred themselves because of child protection concerns.

Q. Okay. And so, it would be the name of — whose name would be here?

A. The parents name. The parents — most often the mother's name, but at least one of the parent's names would be here.

Q. Okay. Would there be a child's name there?

A. No.

Q. Okay. And then maybe you could explain to us the rest of the headings, and what they all mean?

A. Well, subsequent there is whether or not we would have more than one referral. The child here is five years old — whether the child — one of the child in the case is if there is a child under five years of age. There are special requirements that are put in for those kids. The referral date, and the date assigned. The referral date is when we receive the referral, and the date assigned is when we assigned it to a worker to investigate. The codes are child protection codes. We have something called the eligibility spectrum. That determines whether or not a referral is eligible for further assistance. That would have been what that code was referring to. And, response time needed is the response time within which we needed to contact the family.

  1. Mr. Lemay and Ms. Row both testified that Ms. Von Cramon had to compare the names on the spreadsheet with the FCSLLG's own files to determine whether a name on

64 Transcript, supra note 1 at p. 22.


the list was part of a hearing or proceeding.65 Ms. Von Cramon's agreed statement of facts further stated that she could not, solely on the spreadsheet, tell which family had an ongoing CAS hearing or proceeding.66

  1. In other words, the fact that a mother's name appeared on the spreadsheet could not be linked to an ongoing CAS proceeding or hearing unless a person also had access to the FCSLLG's internal client list.
  2. Moreover, Ms. Von Cramon could not say whether the CAS event on the spreadsheet corresponded to the open hearing or proceeding as some of the CAS proceedings pre-dated the complaint on the spreadsheet.67 The complaint which caused the mother's name on the spreadsheet was not necessarily the complaint which resulted in an open proceeding or hearing.
  3. A lay person would not be able to determine whether a referral led to a hearing or proceeding.
  4. A lay person looking at the spreadsheet would be able to ascertain that the list comes from the FCSLLG and that a mother's name appeared on this list. A lay person could not tell, simply from the names, whether there was an ongoing hearing or proceeding. That information is not in the spreadsheet and required going through the FCSLLG's lawyer client list.
  5. A lay person would therefore not know that of the 285 persons named on the spreadsheet, only six families had ongoing hearings or proceedings and, moreover, would not be able to identify those six families.
  6. In the absence of information drawing a link between a mother's name on the list and an ongoing CAS hearing or proceeding there can be no contravention of ss. 45(8) or 76(11).
  7. The spreadsheet in the present case can be distinguished from the postings made by a father in Catholic Children's Aid Society of Toronto v N. B.-R. In N. B.-R., a father posted videoblogs on YouTube which identified his children as part of CAS proceedings:68

The judge identified 19 videoblogs which, in her opinion, contained identifying information. While it is the case that the father does not identify the three children by name in his video-blogs, the videoblogs have the effect of doing so indirectly: there are tag lines visible under the blogs containing the words "court", "family", "Toronto", the father's last name and the children's first names; the father refers to the Society, his caseworker, family court, the children's lawyer and court proceedings; and some episodes are

65 Ibid, at pp. 32, 55.

66 Ibid, at p. 63.

67 Ibid.

68 Catholic Children's Aid Society of Toronto v N. B.-R., [2013] OJ No. 1586 at para. 27 (Crown's Book of Authorities, Tab 5).


shot in front of family court or the Society's offices. Furthermore, if any of the children's names are typed into Google, the search connects the viewers with links to the father's videoblogs.

  1. The content in the above case was created by the children's father. Here, the spreadsheet was made by the FCSLLG. Setting that aside, the information on the spreadsheet could not be linked to children or families with ongoing hearings or proceedings without looking at internal FCSLLG client files. Having one's name on the spreadsheet was not a guarantee of ongoing CAS proceedings. In N. B.-R., because the father's posts referred specifically to his children and to court proceedings, a lay person would be able to conclude that the children were part of a CAS proceeding or hearing.

ii. Mischief to computer data

1. The post did not obstruct, interrupt or interfere with the computer data

  1. The security flaws in the FCSLLG website were not caused by Ms. Denham. They were the result of a poorly designed website where documents that were supposed to be private were actually browseable and viewable through the website itself.
  2. Mr. Lemay testified that regardless of how the security breach had been brought to his attention, he would have taken the website down to fix the problem as a precaution.69
  3. Ms. Row testified that had IT made her aware of the website security issue she would have taken down the website.70
  4. Mr. Schmidt testified that his recommendation in fixing the security flaw was for the FCSLLG to take their website offline.71
  5. The disruption caused by the taking down of the website would have been the same if the security issue had been raised in another manner.
  6. In other words, the FCSLLG would have had to take their website down to address the security issues regardless of how they became aware of the issue.
  7. Further, had the FCSLLG properly implemented Mr. Schmidt's recommendations in February, they would not have had to take down the website in April.
  8. The disruption in the FCSLLG website was not caused by Ms. Denham; it was a necessary step in fixing the security issue.
  9. The Crown relies on Charania as an example of a case where there was obstruction, interruption, or interference with computer data. In Charania, the accused was the employee of a nursing home who remotely accessed the nursing home's computer system by using the Human Resources Coordinator's username and password to forward himself

69 Trial Transcript, supra note 1 at pp. 27-28.

70 Ibid, at p. 48.

71 Ibid, at p. 116.

information.72 The accused's access to his then co-worker's email prevented her from logging in and accessing her own email account at the time of his use.

  1. In Charania the only reason why the co-worker was unable to access her email was because of the accused's actions. In the present case, the website would have had to be shut down in the exact same manner regardless of how the security flaws were made known. Thus, although it was Ms. Denham's posting of the YouTube video and later post on Facebook that led to the website being taken offline, the very same steps would have been taken had the security issue been uncovered in another way. Ms. Denham's actions caused the FCSLLG to do sooner what they would have had to do regardless.
  2. Any loss of access to the FCSLLG website was inevitable in the fixing of the website. The website had to be taken down as a precaution, no matter how the security flaw got brought to the FCSLLG's attention.

2. The FCSLLG's use of the computer data was unlawful

  1. Should this Court find that Ms. Denham committed an offence under the CFSA, then the FCSLLG's use of the computer data is not lawful and this element of the offence cannot be made out.

iii. Unauthorized use of a computer

  1. In order to be found guilty of unauthorized use of a computer, a person must engage in some manner of fraud in their use of the computer system. Ms. Denham's access and downloading of the spreadsheet did not require any fraud.
  2. The FCSLLG website was designed to house both public and private FCSLLG documents. The FCSLLG intended that access to private documents be done through the Board Portal, which required a username and password.
  3. However, private documents were accessible by the general public. This is because the website's directory was left browseable:73

Q. So, we then go to the problem where we say the directory was browseable. I just want to define what that is, okay? What you showed us today is that you go to the U.R.L. at the top, which is the www.fcsllg, right? And, within that there is an address?

A. Correct.

Q. The first part is the F-C-S-L-L-G, which is the website?

A. The domain.

72 R v Charania, 2012 ONCJ 637 (Crown's Book of Authorities, Tab 3).

73 Ibid, at p. 108.

Q. After that it says the word, "WP", which is for WordPress?

A. Yep.

Q. Right?

A. "WP content"

Q. After that it says uploads, correct?

A. Correct.

Q. So, if you know what the word uploads means, which is you upload something to the internet, you put something online, right?

A. Yep, yes.

Q. You would be able to look at uploads, and then after that is a year, a month, and a date?

A. A year and a month, in this case.

Q. So, the logical inference is that's where things are stored based on year, month, and date?

A. Yep, and that's how WordPress operates.

Q. Right.

A. That is how WordPress, that is the, the methodology that WordPress uses to store documents that people upload using the content management system.

Q. Correct. Now, once you get there you can go behind the scenes, so to say, and just look at every document, which is what makes it browseable. You can just start clicking...

A. If it is browseable, then yes, you can view it openly. That's correct.

Q. So, you can just start clicking on the different folders, the different months, the different years...

A. Correct.

Q. ...etcetera.

  156. In other words, the private materials on the FCSLLG were publicly accessible. Mr. Schmidt opined that there was no "hack", or any form of fraud used to access the spreadsheet:74

Q. And, at this point you don't know the cause of how this information got out?

A. Correct.

Q. A lot of the time, or sometimes when information gets out it gets out because someone has done something — I'm going to call it dishonest, or nefarious...

A. Mm-hmm.

Q. And, what I mean by that is this, I will define it for you; it's like hacking. So, for example, you download a program, or use certain code, or you do something to get past a username and a password.

A. Breaching passwords, finding an exploit, or something like that, yeah.

Q. Right. But, it requires, one; a certain level of knowledge, right?

A. Mm-hmm.

Q. Yes.

A. Yes.

Q. I know you are nodding, but...

A. Sorry, yes. For the record, yes.

Q. And two; it would require excessive knowledge of a certain amount of dishonesty on your part to try and get past a username and password that is clearly intended to block you?

A. Dishonesty, interest in what's behind it, yes, absolutely.

Q. I'm not talking from a moral sense...

A. Yep.

Q. ...I'm talking from a computer sense, you are trying to get past something that's intended to stop you?

74 Ibid, at pp. 105-106.

A. That's intended not to be, not to be accessed, yeah.

Q. Right. In this case the directory had no password, nothing in it was intended to stop you from getting to it?

A. That's correct.

  1. In accessing the spreadsheet Ms. Denham did not engage in any act of fraud. She did not, for example, guess or obtain a Board member's username and password. She did not "hack" the website or get around any security features.
  2. It is the absence of hacking or other fraudulent access of the website which differentiates Ms. Denham's circumstances from the cases provided by the Crown.
  3. In Livingston, the Ontario Premier's chief of staff and deputy chief of staff enlisted another party, Mr. Faist, to erase data from the hard drives of computers of certain staff members and their own computers. The erased data related to the Premier's decision to cancel and relocate two gas plants. In order to erase the data, Mr. Faist purchased software designed to clean data and had the accused obtain administrative rights to each computer which would allow for installation of this software. The accused got the administrative rights from the Secretary of Cabinet without telling the Secretary the true purpose for needing administrative access to certain computer accounts.
  4. In finding the accused guilty of unauthorized use of a computer, Lipson J stated that:75

The Crown has presented a compelling circumstantial case against Mr. Livingston. The totality of evidence proves beyond a reasonable doubt that he was neither justified nor authorized nor had colour of right to arrange for the wiping of the hard drives of employees of the Office of the Premier, including his own. He was clearly aware of his obligation to retain records with respect to the gas plant issues.

Nevertheless, Mr. Livingston resorted to extreme and unauthorized measures to permanently delete records he and Ms. Miller believed existed on computers in the Office of the Premier. First, he dishonestly obtained administrative rights from the Secretary. Then, using Mr. Faist, a non-OPS consultant, he attempted to destroy data on the hard drives of colleagues who could have saved copies of e-mails or attachments on their computers at a time when FOI requests in relation to gas plant documents were still outstanding and when a Standing Committee Production Order was foreseeable in a new session of the Legislature. [emphasis added]

Mr. Faist's wiping of the OPO computers was not the careful and selective deletion of personal information that the Cabinet Office permitted. Mr.

75 R v Livingston, 2018 ONCJ 25 at paras. 174-176 (Crown's Book of Authorities, Tab 1).

Livingston's plan to eliminate sensitive and confidential work-related data, in my view, amounted to a "scorched earth" strategy, where information that could be potentially useful to adversaries, both within and outside of the Liberal Party, would be destroyed.

  1. The accused in Charania was also charged and found guilty of unauthorized use of a computer. The accused used a co-worker's email username and password without her permission. The trial judge found that the accused obtained and used without permission his co-worker's username and password.
  2. Ms. Denham's actions showed no such fraudulent actions. She did not gain access to the FCSLLG documents by requesting access under a false pretense. She did not purchase software to hack the website. She did not obtain the username and password of a Board member in order to access the FCSLLG website.
  3. Ms. Denham's access to the spreadsheet was due to the negligence of the FCSLLG in designing their website. The manner in which Ms. Denham accessed the documents could have been done by any internet user with a basic understanding of how a website address works. In fact, because the FCSLLG did not keep proper server logs, it is possible that other persons accessed the spreadsheet and other confidential information.
  4. There is no evidence that Ms. Denham engaged in any fraud to access the FCSLLG website and spreadsheet.

iv. The Crown's Analogy

  1. The Crown draws an analogy of Ms. Denham's conduct to a person who enters the FCSLLG's office through an unlocked backdoor, enters a private office, discovers a confidential document, takes a picture of it and posts it on the internet. In response to the information being posted, the building is temporarily closed.
  2. This analogy is an oversimplification of the elements needed to prove that Ms. Denham's actions were unlawful.
  3. Mischief to data requires wilful obstruction, interruption or interference with lawful use of computer data. In the Crown's analogy, the temporary closing of the building represents the obstruction, interruption or interference.
  4. The Crown's analogy relies on the assumption that "closing the building" was done because of Ms. Denham's actions and would not otherwise have to be done. This is not the case. The evidence of Mr. Lemay and Ms. Row was that the website would have been taken down regardless of how the security flaw had been brought to the FCSLLG's attention, while Mr. Schmidt added that this was his recommendation.
  5. Thus, there was no choice but to "temporarily close the building". This was not a situation where the FCSLLG would have followed a different course of action had they otherwise become aware of the security flaw.


  1. Unauthorized use of a computer requires fraudulent use of a computer system with the intention to commit mischief to data.
  2. In the Crown's analogy, the trespass onto the private offices by opening a backdoor is the fraudulent element. Fraud in this context means deceit, falsehood, or other fraudulent means. This element is missing from both the Crown's analogy and Ms. Denham's actions.
  3. The trespass on private property described by the Crown, while illegal, would not meet the definition of fraudulent. Access to the building was not gained by lying about one's identity or using another's key. There is no fraudulent activity in walking into an unlocked room. Similarly, Ms. Denham's access to the FCSLLG's confidential documents required no fraud. In the absence of a fraudulent element, the offence cannot be made out.

PART IV — ORDER REQUESTED

  1. That an acquittal be entered on all criminal and Child and Family Services Act offences.

All of which is submitted this 16th day of December 2019.

Fady Mansour

Counsel for Ms. Denham
