The Ethics of Handling Stolen Data from the Dark Web

We were asked recently about the ethics and legality of Dark Web searches, increasingly part of many investigations. I realized we had never posted on this issue and it’s about time.

Since a lot of what we use from the Dark Web is stolen information, can we make use of it?

In short, the answer is yes as long as we have the right reasons.

First, a few terms. The Dark Web is a subset of what’s known as the Deep Web. That’s everything on the internet that you can’t get to by using a search engine such as Google. Think not only about all the proceeds of crime on the Dark Web, but also about useful, legal things such as your credit card statement or your medical test results. You can’t get such pages from Google because we don’t want just anyone looking at confidential banking, medical and other information that is on the internet but is private. The Deep Web is vastly larger than the Web you can get to with a search engine.

The Dark Web refers mostly (but not entirely) to illicit activity that includes human trafficking, drug dealing and all sorts of other criminal activity including the theft of personal data. In some authoritarian countries, political dissidents exchange information on the Dark Web that would get them arrested at home if they did so out in the open.

Is it Legal?

In many cases, handling Dark Web material is forbidden by law. If the authorities find child pornography on your computer, you’re probably going to prison. But what about stolen information?

In January 2020, the U.S. seized the web domain weleakinfo.com, which provided “a search engine to review and obtain the personal information illegally obtained in over 10,000 data breaches containing over 12 billion indexed records,” according to the government release. These included names, email addresses, usernames, phone numbers, and passwords for online accounts. The seizure was part of an international operation that involved U.K., Dutch and German law enforcement.

You would think that any remaining such business in the U.S. would be rolled up, but that would be wrong. What’s the difference?

One obvious case is that it should always be OK to research your own information. Many people pay for Dark Web monitoring, so that someone with access to the Dark Web itself or databases derived from the Dark Web can let you know if any of your personal information has been hacked and publicized.

But what about looking at someone else’s information? You didn’t steal it, you didn’t pay anyone to steal it or tell them how to do it. You’re just getting access to something already published.

In the United States, newspapers have had the right to publish stolen information since the famed Pentagon Papers case, New York Times v. U.S., 403 U.S. 713 (1971). When newspapers publish private company information such as the Panama Papers, they are publishing the fruits of stolen property. The decision of what to publish and what to withhold belongs to the publisher, not to the victim of the theft.[1]

If the authorities catch the party that engineered the theft, they go after that party. Chelsea Manning and now Julian Assange have been in trouble not for publishing but for stealing. But the publishers are legally in the clear. It’s explained in a helpful article by the Nieman Foundation. The big discussion among journalists is not whether it’s legal to publish certain material, but whether it’s ethical in some cases.

Since the United States does not license journalists, anyone can “publish” anything they want and be subject to the same First Amendment protections as well as limits (the First Amendment makes no exception for libel, for instance).

And yet, some websites get rolled up and others don’t, even though they operate in the open.

Justice Department Guidance

A month after they seized weleakinfo.com, the Justice Department issued a guidance memo in February 2020 called “Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources.” You can get it here.

Remember, this is a group of prosecutors (not a court or a legislature) opining about what’s legal. The salient part of the guidance for our purposes:

… many of the federal criminal statutes associated with the type of stolen data that tends to be sold in Dark Markets—e.g., passwords, account numbers, and other personally identifiable information—only apply if there is intent to further another crime: for instance, an intent to use the information to defraud. For this reason, a purchaser of the stolen data who lacks a criminal motive is unlikely to face prosecution under those statutes.

So, if we are using the data we buy to find a witness in a case, to track down someone defaming our client, or just doing regular anti-fraud due diligence on a prospective borrower who wants $50 million of our client’s funds, we feel as if we are on solid ground.

But the DOJ cautions that when you buy someone else’s stolen data, it’s much more likely to “raise questions about the purchaser’s motives and result in scrutiny from law enforcement and the legitimate data owner, particularly if a trade secret is involved.”

So for anyone buying this data, you need to ask, “Why do you need it?”

Things We Will Do with Dark Web Data

We have used Dark Web data to try to figure out who is behind a website defaming one of our clients. In another case a client was being harassed and there was no way to know who had bought the throwaway (“burner”) phone making the calls.

In both cases, we went to the databases of information gathered from data breaches. We hoped to find numbers and email addresses that we could link to physical addresses in order to identify who was behind the suspect activity.

Sometimes, you can take a “handle” from an email address (say paulb3222) and see if that prefix is associated with any individuals. You then need to do more work to make sure the paulb3222 you are looking for is the same person as the guy in Australia who goes by paulb3222. Believe it or not, such handles are more common than you would think.

We think this kind of work is permissible and ethical because we are not engaged in fraudulent activity. Indeed, we are trying to stop what is allegedly criminal or tortious activity, and we are using data that has already been published.

Things We Will Not Do with Dark Web Data

Beyond the obvious – reselling illegal images, dealing in drugs, violating medical privacy – there are uses of the data we can find on the Dark Web that are illegal. If you find out what someone’s password used to be when their Target account was hacked and dumped on the Dark Web, it would be illegal to use that password to hack into other accounts they may have. And as the DOJ makes clear, you shouldn’t be in the business of stealing trade secrets.

Post-Breach Security Tips

If you want to find out if your email address was part of a data breach, you can do so for free at https://haveibeenpwned.com/. The site has no specifics beyond where the breach took place, but if you see your breach happened with Target, it would be a good idea to change your Target password — if you haven’t already — and to change all other passwords that are identical or very similar.

Our recommendation: get a password keeper that assigns a different, long, randomly generated password for every site you use. You only need to remember the one password for the password keeper. That way, if there is a breach, the thieves have only the one password they stole, which won’t resemble any of your other ones.

[1] One caveat: All of the law referred to in this article is American law, and American law is probably the most permissive when it comes to what you can publish without worrying about state intervention.