Queensland Police is investigating whether to file charges against IT security expert Christian Heinrich after a presentation leading up to Australian information security conference, AusCERT.
In the "B Sides" presentation, Heinrich showed how he exploited a vulnerability in a Facebook URL to obtain a personal photograph held in a private profile.
Consent to extract the photo was not obtained from the owner of the photograph.
It was extracted through a brute-force attack in which hundreds of thousands of web links were guessed at over the space of a week until the photo was revealed.
Details of the exploit were published today by Sydney Morning Herald journalist Ben Grubb.
Queensland Police - on site at the conference - detained Grubb and seized an Apple iPad used to report the story. Grubb later tweeted that he was "arrested".
Police media said it had no knowledge of a journalist being arrested.
The scraped photos on Grubb's story in The Brisbane Times were later removed.
Heinrich left the conference and took a flight to NSW minutes before the story was published.
He said his flight was booked in January; he had not been contacted by Queensland Police.
The presentation raised questions for law enforcement officials with regards to whether intent was as important as authorisation under the Crimes Act.
Under Section 308D of the Act "unauthorised modification of data with intent to cause impairment" required that a person "caused unauthorised modification of data held in a computer ... knows that the modification is unauthorised [and] intends by the modification to impair access to, or to impair the reliability, security and operation of, any data held in a computer, or who is reckless as to any such impairment".