June 4, 2020
For an agency that prides itself on confidentiality, Family and Children’s Services of Lanark, Leeds and Grenville had a website in 2016 that was anything but private.
The website was two-fold: a public section about resources, and a private portal for “Board members’ eyes only.”
However, the “private portal” didn’t have any security. No firewall. No password, username or hacker skills required — just a simple click of a button and you could access its confidential client list and internal documents considered private for the children’s aid society.
It was Kelley Denham, 32, who blew the whistle on the website’s absence of security and in February 2016 posted some documents online that the board of the children’s aid agency considered confidential.
She wanted the children’s aid society to take it down, and for her trouble, the agency called Smiths Falls Police.
After a four-month investigation, Denham was charged with hacking and identifying children involved in court proceedings, when in fact she did neither, and earlier this week Ontario Court Justice Charles D. Anderson acquitted her of all charges and cleared her name after trial.
When Denham first publicized the absence of security on the child-welfare agency’s website, they shut it down and figured it was time to hire a computer security expert.
At the time, the agency’s program manager in charge of the website was Margaret Row. The child-welfare agency hired Margaret Row’s son-in-law, David Schmidt, to investigate what happened and fix any breach of security even though there wasn’t one, according to undisputed facts in the judge’s decision.
Schmidt’s investigation revealed that IP addresses linked to Denham had accessed the children’s aid society’s public website, just like anyone else could.
The case was never a Whodunit?
In fact, it was clear to anyone who saw the online posts that it was Denham.
“I never tried to hide myself,” she said on Wednesday.
Schmidt also reported about the website’s absence of security, something Denham, an adult-education teacher, had already exposed. Schmidt made several recommendations to boost security — notably for the child-welfare agency to have two separate websites: one for the public, and one exclusively for board members.
The agency went against the main recommendation and a few months later, Denham was able to access a spreadsheet that listed more than 250 names of clients of the children’s aid society. She posted a photograph of the hyperlink to access the files but did not post any names.
The judge noted that the CAS did not take appropriate measures to secure private information. The judge also noted there were no special computer skills or deception required to access the files, which were not marked as confidential and came with no warnings or disclaimers.
The information was publicly available, the judge ruled. He said there was no hacking and Denham didn’t break any Children’s Aid Society (CAS) laws about identifying children involved in court proceedings.
Denham’s life took a rapid turn in April 2016 when police broke through her garage door to execute a search warrant to seize phones, computers, a gaming system, and USB sticks — anything that could store evidence related to her access to the website.
In the early-morning raid, Denham said they put her husband in handcuffs.
“I woke up to police in my bedroom and after I yelled for them to take the ‘cuffs off of him, they did. They also wouldn’t let me call a lawyer.”
On her full acquittal, a relieved Denham said:
“I’m glad it’s over. It was four years of my life on hold.
“I thought it was ridiculous because they knew it wasn’t hacking. They knew what happened and that they (family and children’s services) framed it this way makes me upset.”
She said she wanted the child-welfare agency to take the easily-accessible files offline, and instead it turned into “four years of waiting” and court dates.
Fady Mansour, the lawyer who won the acquittals, said his client was pleased with the result.
“Ms. Denham has been vindicated and her conduct was not only not criminal but ultimately led to the (child-welfare agency) having to fix a very serious problem in their system.
“In our view, her conduct is that of a whistleblower,” said Mansour, who’s a partner with Friedman Mansour, one of Ottawa’s top law firms.
http://www.twitter.com/crimegarden