N.S. relaunches FOIPOP site 1,024 days after pulling it down over data breach

Tue, Jan 15, 2019: After nearly a year, some of the answers surrounding the breach to the province’s FOIPOP website have finally come to light. But the situation isn't exactly sewn up. Jeremy Keefe reports – Jan 15, 2019

The saga of a major transparency tool came to an end on Thursday as the province relaunched an online platform more than 1,000 days after it was yanked offline and after multiple delays.

The website, now known as the IAPrequest site, facilitates online requests under Nova Scotia’s Freedom of Information and Protection of Privacy Act (FOIPOP), a piece of legislation that allows journalists, academics, businesses, activists and any other Canadians to obtain government information that is normally withheld from the public.

Some of the stories that were obtained through FOIPOP requests include the province’s decision to grant the majority of COVID-19 exemption requests earlier this year, details on inspections about a crane that would later collapse in downtown Halifax, and the decision by multiple ministers to use private email accounts for government business despite rules to the contrary.

The province once had a similar online system.

But 1,024 days ago it was pulled down after it was revealed that a data breach on the website had exposed 7,000 documents containing personal information such as social insurance numbers, personal addresses, child custody documents, medical information and proprietary business information.

The press release issued on Thursday by the Nova Scotia government does not mention that breach or the government’s role in it.

The data breach

The data breach of the original FOIPOP website was first detected by a worker at the Nova Scotia archives.

In an email sent on the evening of April 4, 2018, the employee said he had attempted to re-enter a URL that linked to a released and redacted document he had previously accessed through the FOIPOP portal, but mistyped the address.

“Rather than going to another redacted, released document, I ended up seeing an incoming FOIPOP request. … It seems that rather than being inside the government system, which in itself is a bit of a shaky practice, the materials are out there, seemingly unprotected, on the web,” the employee said.

Provincial officials quickly jumped into action, scrambling through April 5 to find a solution.

One official wrote that the government should shut down the website “until we get a grip on things.”

With no immediate solution available, the government yanked down the website at 8:15 a.m. and it remained offline until it was partially restored 152 days later, allowing Nova Scotians to request previously completed requests.

Until Thursday, Nova Scotians were still forced to file requests by pen, paper and Canada Post mail.

A vulnerability, not a hack

Halifax Regional Police arrested a 19-year-old on April 11, 2018, after searching his home, but three weeks later issued a news release saying they would not charge the man, as “the 19-year-old who was arrested … did not have intent to commit a criminal offence.”

Halifax police said the young man was arrested under a rarely used section of the Criminal Code that prohibits the unauthorized use of a computer with fraudulent intent.

The man later told CBC that his arrest had been carried out by approximately 15 officers.

The police’s initial decision to charge the 19-year-old drew heavy criticism from the tech community in Canada. Critics say police “overreached” for something that is a common action in the technology field.

Search warrants indicate that a Nova Scotia civil servant told police somebody “hacked” into the province’s freedom of information website.

However, internal government documents indicate that the province understood the problem to be an issue that made the website’s operating system vulnerable and that it wasn’t a malicious attack.

Reports from a pair of oversight bodies would later take the departments that oversee Nova Scotia’s IT infrastructure to task after determining “poor overall project management” and a “serious failure of due diligence” helped cause the data breach.

Repeated delays come to an end

The path to bringing the request website back online has faced repeated delays.

A tender for the new website was issued in May 2019, with the Nova Scotia government telling Global News at the start of 2020 that it would launch the site sometime in the spring.

That was then pushed back to the end of 2020 before eventually being pushed to this winter.

The province has previously told Global News that COVID-19 has delayed the implementation of the website and that it has been conducting rigorous security testing to ensure the website is secure.

On Thursday, those delays finally came to an end.

“The public can now use the FOIPOP online portal to access information knowing that additional safeguards have been put in place to support increased security and privacy protocols,” said Minister of internal services, Patricia Arab, in a press release.

“The new portal restores the ability for people to easily submit requests and receive responses online.”

After a meeting of cabinet on Thursday, Arab said the province has a five-year contract worth $760,000 with two companies to operate the site.

Arab said it took time to set up the portal because the project was split into several parts. One portion involved receiving requests while another involved disclosing documents. Added security measures also required time, she said.

“We wanted to do as many security tests as we could and to come up with the right solutions, and we took seriously two reports given to us following the (security) breach,” Arab said.

Nearly 2,000 requests are filed annually in Nova Scotia.

With files from The Canadian Press
