The RFC 2616 GET (anything you want) method
The use of GET without sanitisation, validation or authentication is so appallingly common that this is just another example. Brilliant that it's being prosecuted though even if only at state level. Interesting that it's under "cybersecurty" and not "data protection" or "privacy". Maybe we in the UK would do well to follow this lead, seeing how toothless our data protection regulation seems to be (and it can only get worse from 2021 on).