But there is no API here. The article makes it clear that you were intercepting client-server communication not meant to be used by third parties in order to write your own client. That it could be used as an API doesn't matter since the intent wasn't to create an API.
I could do the same thing and write an app for, say, the tax agency by scraping its website but it would be a legal gray area.
I'm not sure I follow why that would matter. Their constitution says once data has been released, it is no longer their property (because it's a public institution). They created a way to access the data, so the data has been released to the parents and so the data now belongs to the parents. The parents own the data and as such it would seem to follow they can access it any way they want.
It matters because the definition of data breach is very broad. For example, if I run a website and tell you that you may not browse my website but you continue to browse my website, you may be guilty of data breach. If I tell you not to log in to my website but you still log in because I forgot to disable your account, you very likely are guilty of data breach. Since the city didn't publish their information through an API, nor intended the information to be used by third parties, and also explicitly stated that they did not want Christian's app to access their information, it's quite possible that the app facilitated data breach.
See the Aaron Swartz trial which was about essentially the same thing.
No, you may not in this case :) That is why people keep emphasising the way in which the data was published. This is Sweden, not the US.
> the city didn't publish their information through an API
Yes, they did.
> and also explicitly stated that they did not want Christian's app to access their information
If you cannot reasonably be said to have circumvented any technical measures to secure the data (cryptographic keys, some sort of login, IP range blocks, etc) it is not a breach. In that case, it is just you consuming what is there for everyone (like unencrypted wifi - harvesting those signals using SDRs is not an issue because you are not bypassing any security), which is okay.
Edit: Legally okay, that is. How you feel about it ethically is up to you, I'm not talking about that.
> No, you may not in this case :) That is why people keep emphasising the way in which the data was published. This is Sweden, not the US.
Here is the relevant paragraph:
"Whoever unlawfully obtains access to information that is intended for automatic processing, or unlawfully alters, erases, blocks or enters such information into a register, is convicted of data intrusion"
The requisites are: "olovligen" (unlawfully), "bereder sig tillgång till" (obtains access to), and "uppgift som är avsedd för automatisk behandling" (information that is intended for automatic processing). Christian's app fulfils the requisites.
API means "Application Programming Interface" and if you think the city created or intended to create such a thing you don't know what an API is.
> If you cannot reasonably be said to have circumvented any technical measures to secure the data (cryptographic keys, some sort of login, IP range blocks, etc) it is not a breach.
You have no idea what you are talking about. There are several precedents that show that circumventing technical measures is not required for data breach to have occurred.
They for sure intended to make an API, but also intended it only to be used between the two contractors involved in the application development. There was a requirement in the RFQ for the backend to have a well documented API. Almost all of the RFQ was about making an API.
In this case the intended user, e.g. the parent, is using the API to get the data they are supposed to get, though using a different web app than the intended one from the city. I have a hard time seeing how the parent, by accessing the same data they are supposed to get, is doing any crime. The police investigation came to the same conclusion, and the internal investigation at Stockholm city also came to this conclusion. That the police cited Stockholm's internal investigation I think is a nice little detail here.
Though if the app had given the parents access to data they were not supposed to get over the API, the situation might have been another. Now it's just the same information but presented in a user-friendlier way.
>For data intrusion, a person who illegally prepares access to information that is intended for automatic processing or illegally changes, deletes, blocks or registers such information is sentenced
This app does not appear to meet this definition as the data they are exposing is not intended for automatic processing, but it is exposing manually consumed data (i.e. the parents were already consuming this data manually) in a different, more accessible way.
I agree the city obviously wasn't intending to expose an API.
Which precedents are you talking about. I don't know much of anything about Swedish law so any precedent you can show would be educational for me.
> There are several precedents that show that circumventing technical measures is not required for data breach to have occurred.
Given that you know significantly more than me perhaps you could give me some examples. I'm always interested to see countries in which such jurisprudence is different from the norm, especially in Europe. Thanks :)
There is clearly an API in play here. The article mentions it numerous times. The client app has to use an API to get its data, that's a downside of deploying a SPA. You need to make an API for it to get data from.
If you don't want to make an API that exposes raw data just write a SSR app. If you want to deploy a SPA, well, you have to deploy an API as well and you need to plan around the fact that when you throw an API out into the wild and authorize people to use it (by handing out auth tokens), well, people are gonna use it.
Using SPA vs SSR as the sole factor in determining "published" status rings hollow for me, because it completely excludes any analysis based on intent, and intent usually matters in law! (Though I admit I'm not familiar with this case and this country.)
Also it's easy to poke holes: does this mean that scraping data from html is always hacking, regardless of the expressed intent? (See recent Missouri case for what that might degenerate into.) What if it's "semantic web" and the html contains metadata specifically designed to aid data extraction?
I think the parents should own the data, and that's why it should be open. But I don't think drawing the line based on which kind of technology is used to deliver the content is a good method of adjudicating published intent.
Q) Are you able to retrieve a document using the credentials issued to you by the API?
A) Yes: Then you're authorized to view it. No: You're not authorized to view it.
An API is the encoding of business rules around data access and modification. If your API is allowing access that you don't intend a user to have, fix your authorizations.
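The authorization rule the comment above describes, as an added example that is not from the thread or from the app discussed in the article. It assumes a made-up backend in which credentials are issued to parents and each document belongs to one child; the token, parent, child and document identifiers are all constructed. The weak variant checks only that the credential exists; the corrected variant also enforces the business rule "a parent may read documents about their own child" on every request, which is what "fix your authorizations" amounts to in code.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed sample data: all identifiers below are made up for this example.

var ErrUnauthenticated = errors.New("unknown credential")
var ErrForbidden = errors.New("credential not authorized for this document")

// tokens maps an issued credential to the parent it was issued to.
var tokens = map[string]string{
	"tok-anna": "parent-anna",
	"tok-bo":   "parent-bo",
}

// guardians maps each child record to the parents entitled to read it.
var guardians = map[string][]string{
	"child-1": {"parent-anna"},
	"child-2": {"parent-bo", "parent-anna"},
}

// Document is one per-child record served by the hypothetical API.
type Document struct {
	ID, Child, Body string
}

var documents = map[string]Document{
	"doc-100": {ID: "doc-100", Child: "child-1", Body: "schedule for child-1"},
	"doc-200": {ID: "doc-200", Child: "child-2", Body: "schedule for child-2"},
}

// FetchDocumentUnchecked is the weak pattern: it verifies only that the
// credential exists (authentication) and then returns any document by ID,
// so any valid credential can read any child's record.
func FetchDocumentUnchecked(token, docID string) (Document, error) {
	if _, ok := tokens[token]; !ok {
		return Document{}, ErrUnauthenticated
	}
	doc, ok := documents[docID]
	if !ok {
		return Document{}, errors.New("no such document")
	}
	return doc, nil
}

// FetchDocument is the corrected pattern: the same lookup, but the document
// is released only if the credential's owner is a guardian of that child.
func FetchDocument(token, docID string) (Document, error) {
	parent, ok := tokens[token]
	if !ok {
		return Document{}, ErrUnauthenticated
	}
	doc, ok := documents[docID]
	if !ok {
		// Same error for "missing" and "not yours" so that document IDs
		// cannot be enumerated by probing for different responses.
		return Document{}, ErrForbidden
	}
	for _, g := range guardians[doc.Child] {
		if g == parent {
			return doc, nil
		}
	}
	return Document{}, ErrForbidden
}

func main() {
	// Bo holds a valid credential but is not a guardian of child-1.
	_, err := FetchDocumentUnchecked("tok-bo", "doc-100")
	fmt.Println("unchecked variant, other parent's record:", err)
	_, err = FetchDocument("tok-bo", "doc-100")
	fmt.Println("checked variant, other parent's record:", err)
	doc, err := FetchDocument("tok-anna", "doc-200")
	fmt.Println("checked variant, own record:", doc.Body, err)
}
```

The ownership lookup is deliberately done against the document's child, not against anything the client sends, so the client cannot influence which guardian list is consulted.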
See I like this argument better because it has nothing to do with being an API or HTML and everything to do with access authorization. It doesn't make sense for the government to have the power to control how the data the parents are authorized to view is displayed, or what tool they use to display it.
It might technically look like an API - but it could still not count as an API legally (for the constitutional trick) if the interface was not intended to be public.
If you want to stretch the terms, everything on and off the web that does communication is basically an API - it's just that some of those APIs use JSON to encode their data and make it really easy to access... and some of them bury it in mountains of HTML - but if the data is there the data is there. There really isn't a functional difference between a scraper that goes from TEXT => DATA and a json decoder that goes from TEXT => DATA except how easy it is to write and maintain it.
One outcome of this fight might be that government organizations are directed to use more proprietary communication methods which would be a poor outcome for everyone involved.
The law is not specific at all in regards to the format of the document. So to talk about an "API legally" has no meaning. In a private scenario it makes sense but what we are talking about here is public documents which are sent through an API. The city has responsibility to only send information I have (as a parent) a legal right to see. How I parse it and present it is up to me as a citizen (through an app, or save it as JSON and upload it to an Excel file or such).
One implication of this project could be that government agencies in Sweden can not have private APIs.
To use more proprietary methods (private APIs) will have no effect on the constitutional law. You still have received a public document as a citizen.
> How I parse it and present it is up to me as citizen
I know technologists like to think that way but very often the law doesn't work like that. They will think about intent - was the intent to give you the raw data or was the intent to convey a specific representation of it that may omit some parts or further transform or presentation layer changes to achieve a different final result to what the raw data would have conveyed?
If it is the latter then that is the "public document" you have access to, not the raw data from the API.
Or even just print it out. Or put it in a binder. Or make it your desktop wallpaper. Or print it on your toilet paper rolls. Or make paper airplanes out of it. Hmmm it seems like this is a bit of a ridiculous argument. I highly doubt any free government would/could make it illegal for me to print the laws on toilet paper, downloaded via their API.
That would be a bit less clear I think ... perhaps it may make it more concrete to think about an example.
Say the education department has a requirement that where ever a student's grades are displayed, the legend to explain their meaning and a disclaimer about limitations is included. It could even be a hard requirement (like, they got sued once for not doing it so their lawyers have told them they must enforce this). So they are careful that in their app, that requirement is always satisfied, since failing to do that could lead to harmful confusion that could impact a student.
So in their view the "document" they made public is the fully rendered version of that. If you print it out you are effectively doing a transformation that preserves its form and essential characteristics. If you screenshot it, cut out the disclaimers and legend and then paste it on a public web site ... you could create the same problems that you are by taking raw data out of the API.
Here's one possible issue though - I asked (in another sibling comment) if `ls` could be considered a filesystem API - I strongly believe it is. That means we probably (for sanity's sake) need to differentiate internal vs. external APIs and provide a method for safely allowing this public document method to be well defined.
If a spy is filling out an expense report via secure email after an undercover mission to Norway (trying to figure out if Norway is hoarding lutefisk, I assume) which ends up resulting in a bombshell report to the public about international lutefisk accessibility then that report is clearly public - but the spy's expense report (including, I'd assume, their identity) is something that should logically be kept secret. There's some press secretary in the middle that takes the raw information and turns it into the scandal we all know it would be.
The data being transmitted over an API is not intended to be directly consumed by the public - there is, instead, an application that exists to take that raw data and transform it into something that is publicly viewable. That application is the corollary for our press secretary here.
I am concerned this might be a bigger rabbit hole than you expect. I totally agree that the town shouldn't flip out and be stupid calling in legal authorities like it currently is - but I think this might be more complex.
Possibly? Or maybe they use a web based expense reporting system like almost everybody in the modern world. I also think it's a pretty open argument whether the definition of what is and isn't an API relies on things being served on the web.
I don't disagree (though when it comes to this particular case it's a question of what the opinion of Swedish courts is) but there's just a lot of grey area there.
Would you consider `ls` an API for exposing your filesystem?
I would consider "ls" a presentation tool that uses an API to present information about a file system. I would consider stat/lstat/opendir/readdir/closedir the API that "ls" uses to gather the information.
> One outcome of this fight might be that government organizations are directed to use more proprietary communication methods which would be a poor outcome for everyone involved.
I agree with the rest of your argument, but I think that this part is not necessarily a good example of the risks. Far easier would be to use a shared key between the app and the site, and thus use encryption to prevent reading the data, while still sending it in JSON over HTTPS. A pinned certificate would do the trick, at least on phones which prevent the user from inspecting app bundles.
I think it depends on the outcome of the case - I could see some possible resolution like the Swedish supreme court declaring that JSON counts as a public record and that forcing a block on prohibitive encryption of JSON endpoints offered by the government (assuming everything the OP said about constitutionality is correct).
We've seen such bizarre technical decisions from high courts before.
I don't know - I think all legal systems use precedents to a certain extent - they're just extremely formalized in America and Britain. Sorry but I'm not familiar enough with their system to reply with confidence but I would say that if a high court in a country rules a certain way, even if that isn't binding to future rulings, it will cause people to adjust their behavior to avoid falling into a trap that's been clearly called out already.
If you encrypt it, you have to, at some point, also send the keys to the user. The key has the same legal protection as the rest of the document so encrypting the data has no implication on the legal discussion.
> If you encrypt it, you have to, at some point, also send the keys to the user.
Not if you're using a public key cryptosystem and the user generates their own private key. Only the public part is communicated (from the user to the source of the information), and that isn't enough to decrypt the document.
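The exchange the comment above describes, as an added example that is not part of the thread and not code from the city's app or any real backend. It assumes a hypothetical server that encrypts each per-child record to a public key the user's device generated; the `Record` type, its field names and the sample values are constructed. RSA-OAEP from Go's standard library is used so the whole flow runs offline; a production design would normally use an ephemeral key agreement plus a symmetric cipher (hybrid encryption) rather than encrypting the payload directly, but the property the comment makes is the same: only the public half crosses the wire, and holding it is not enough to read the document.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
)

// Record is a constructed stand-in for the per-child document the backend sends.
type Record struct {
	Child string `json:"child"`
	Note  string `json:"note"`
}

// oaepLabel binds ciphertexts to this message type; any fixed value works.
var oaepLabel = []byte("record-v1")

// GenerateClientKey runs on the user's device. The private key never leaves it.
func GenerateClientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// ExportPublicKey produces the only thing the client transmits to the server.
func ExportPublicKey(priv *rsa.PrivateKey) ([]byte, error) {
	return x509.MarshalPKIXPublicKey(&priv.PublicKey)
}

// SealForClient runs on the server: it parses the client's public key and
// encrypts the record with RSA-OAEP. The server keeps no secret for this record
// and cannot decrypt what it just produced.
func SealForClient(pubDER []byte, rec Record) ([]byte, error) {
	pubAny, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return nil, err
	}
	pub, ok := pubAny.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("client key is not an RSA public key")
	}
	plain, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	// A 2048-bit key with SHA-256 OAEP carries at most 190 bytes; the sample
	// record is well under that. Larger payloads need hybrid encryption.
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, oaepLabel)
}

// OpenOnClient runs on the user's device, the only place the private key exists.
func OpenOnClient(priv *rsa.PrivateKey, sealed []byte) (Record, error) {
	var rec Record
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sealed, oaepLabel)
	if err != nil {
		return rec, err
	}
	err = json.Unmarshal(plain, &rec)
	return rec, err
}

// Roundtrip wires the exchange together. It returns the record the client
// recovered and whether a second key holder (someone who saw only the public
// key, or simply a different user) failed to open the same ciphertext.
func Roundtrip() (Record, bool, error) {
	client, err := GenerateClientKey()
	if err != nil {
		return Record{}, false, err
	}
	pubDER, err := ExportPublicKey(client)
	if err != nil {
		return Record{}, false, err
	}
	sealed, err := SealForClient(pubDER, Record{Child: "child-1", Note: "constructed sample"})
	if err != nil {
		return Record{}, false, err
	}
	got, err := OpenOnClient(client, sealed)
	if err != nil {
		return Record{}, false, err
	}
	other, err := GenerateClientKey()
	if err != nil {
		return Record{}, false, err
	}
	_, errOther := OpenOnClient(other, sealed)
	return got, errOther != nil, nil
}

func main() {
	got, otherFailed, err := Roundtrip()
	fmt.Println(got, "other key failed:", otherFailed, "err:", err)
}
```

Whether such a scheme changes anything legally is exactly the question the thread is arguing about; the block only shows the mechanism the comment refers to.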
No, because if those keys have to be extracted from elsewhere to bypass a security measure it becomes a breach. The way the documents are published and the way in which they are accessed are relevant to the discussion.