Police Buy Hacked Data, to Fish for Evidence—Is That Even Legal?

A firm called SpyCloud is selling your data to law enforcement. What’s worse is that the sources of that data are hackers.

That’s right: A company is selling data it says is stolen to the police, so they can decide whether you’re guilty of something. There are no words.

Of course, there’s the small matter of federal law: 18 U.S.C. § 2315—Receipt of Stolen Property—applies if a person knowingly receives stolen goods, wares, or merchandise worth $5,000 or more that have crossed a state or U.S. boundary.

Is law enforcement above the law? And if not, who enforces the law in that case? In today’s SB Blogwatch, stop the world—we want to get off.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: the black hole in your yard.

Quis Custodiet Ipsos Custodes?

What’s the craic? Joseph Cox reports—“Police Are Buying Access to Hacked Website Data”:

 Breached data now has another customer: law enforcement. … Companies are selling government agencies access to data stolen from websites in the hope that it can generate investigative leads.

[In] webinar slides by a company called SpyCloud, presented to prospective customers … the company claimed to “empower investigators from law enforcement agencies and enterprises.” … The slides were shared by a source who was concerned about law enforcement agencies buying access to hacked data.

[It] raises questions about whether law enforcement agencies should be leveraging information originally stolen by hackers. [They] would also be obtaining access to hacked data on people who are not associated with any crimes … and would not need to follow the usual mechanisms.

SpyCloud confirmed the slides were authentic. “We’re turning the criminals’ data against them, or at least we’re empowering law enforcement to do that,” Dave Endler, co-founder … of SpyCloud, [said]. “The data that we’re providing to law enforcement, tends to be data that’s already in the hands of criminals, and in our mindset it tends to be already public.”

That may be the case for some particularly widely traded breaches, but others are not as simple to obtain. Data trading forums often ask users to pay for datasets.

Should I be worried? Shoshana Wodinsky adds—“Law Enforcement Is Buying Its Way Into Our Breaches”:

 Right now, there’s a good chance your digital life is multitudes bigger than it was just a few months ago. … There’s also a good chance that you (again, like everyone I know), are rightfully concerned about the digital paper trail you’re now leaving behind, either for data-hungry brokers or for national authorities.

Because Spycloud is a private company, these agencies can fudge the Fourth Amendment to get their hands on that data wherever they want, whenever they want, no warrant required. … Look, I don’t doubt that [this] pretty unassuming company … has its heart in the right place here … but there’s still something about this service that makes me … uncomfortable.

Maybe it’s because … the Spycloud website boasts about how they could … be handing these cops “highly enriched PII” like “first and last names, addresses, phone numbers, dates of birth, SSNs,” and 150 other types of data. Maybe it’s because I’ve seen firsthand how easy it is for these sorts of data breaches to ruin someone’s life.

Agencies like the DOJ—a confirmed Spycloud customer—can get this data behind our backs. While warrantless collection of this sort of data is typically a major slap in the face to the Fourth Amendment, federal authorities in our country have a storied history of bypassing those pesky legal requirements.

How is that even legal? Tyler Sonnemaker shines more light from above: [You’re fired—Ed.]

 Law enforcement agencies have been buying up data originally obtained by hackers, including people’s emails, usernames, passwords, internet addresses, and phone numbers, from a cybersecurity company called SpyCloud, allowing them to bypass normal legal processes. … While SpyCloud presents its tools as a way to help law enforcement investigators (and companies) catch cybercriminals, it also raises concerns about enabling them to collect information on innocent people.

Investigators often need permission from a court to obtain certain types of digital information, but buying breach data from a private company gives them a more efficient — and less accountable — way to scoop up data. … More than 15 billion records were exposed in nearly 8,000 breaches in 2019, according to Risk Based Security, giving law enforcement a treasure trove of personal data.

While companies argue their products play a vital role in helping the government track down criminals and terrorists, they’ve also sparked backlash from civil rights and privacy advocates — and increasingly, from employees.

Wait, so is it legal? Ilia Kolochenko thinks not:

 As a matter of practice, some law enforcement organisations and police units indeed occasionally buy stolen data from various sources. The data may then be used for a wide spectrum of monitoring, preventive or investigative purposes.

Its usage, however, rarely becomes official and mostly serves different “in-house” purposes. … The use of stolen, or otherwise unlawfully obtained data or evidence, is expressly prohibited by law.

Moreover, subpoenaed data will likely be more recent, relevant, and complete, and won’t pose problems for law enforcement officers later if a defendant … can afford skilled criminal defense lawyers.

So it’s illegal, right? Luthair agrees, but thinks around the problem:

 One wonders the general legality in accessing this data for other purposes, and its admissibility in court – or are they simply creating [a] parallel construction … about how they might have otherwise arrived at some knowledge?

But won’t somebody think of the children? Here’s the National Child Protection Task Force CEO Kevin Metcalf:

 Breach data is used by criminals every day. Together SpyCloud and NCPTF are using that data against them. We’re proud to partner with SpyCloud to aid child trafficking investigators in solving important, time-sensitive cases.

In summary? ShanghaiBill cuts to the chase:

 [The police] paid for it, supplying profit to the criminals and incentivizing future crime. … They obtained, through criminal means, information that they would have never been allowed to collect with a legal warrant.

They should be fired. Their supervisors should be fired. The politicians that allowed this to happen should be named and … voted out of office.

And Kevin Beaumont—@GossiTheDog—doesn’t sound positive:

 Between cops routinely paying their own ransomware and now buying hacked data, we really are empowering police in the US to pay criminals, to keep their jobs.

Seriously though, guardrails need putting up internationally around use of stolen data — including security companies and authorities. It’s a wild west, and I’m not sure it’s healthy.

Meanwhile, it’s sauce for the goose, thinks knaapie:

 Interesting. If usage of information from hacks by law enforcement is legitimate, then the usage of information from hacks by, for instance, Wikileaks would be legitimate too.

And Finally:

The mystery of black hole entropy


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Anja/cocoparisienne (via Pixabay)


Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
