Police Buy Hacked Data, to Fish for EvidenceIs That Even Legal? – Security Boulevard

A firm called SpyCloud is selling your data to law enforcement.Whats worse is that the sources of that data are hackers.

Thats right: A company is selling data it says is stolen to the police so they can decide if youre guilty of something. There are no words.

Of course, theres the small matter of federal law: 18 U.S.C. 2315Receipt of Stolen Propertyapplies if a person willfully receives valuable stolen property thats been moved across state lines.

Is law enforcement above the law? And if not, who enforces the law in that case?In todays SBBlogwatch, stop the worldwe want to get off.

Your humble blogwatchercurated these bloggy bits for your entertainment. Not to mention:the black hole in your yard.

Whats the craic?Joseph Cox reportsPolice Are Buying Access to Hacked Website Data:

Breached data now has another customer: law enforcement. Companies are selling government agencies access to data stolen from websites in the hope that it can generate investigative leads.[In] webinar slides by a company called SpyCloud, presented to prospective customersthe company claimed to empower investigators from law enforcement agencies and enterprises. The slides were shared by a source who was concerned about law enforcement agencies buying access to hacked data.[It] raises questions about whether law enforcement agencies should be leveraging information originally stolen by hackers. [They] would also be obtaining access to hacked data on people who are not associated with any crimesand would not need to follow the usual mechanisms.SpyCloud confirmed the slides were authentic. Were turning the criminals data against them, or at least were empowering law enforcement to do that, Dave Endler, co-founderof SpyCloud, [said]. The data that were providing to law enforcement, tends to be data thats already in the hands of criminals, and in our mindset it tends to be already public.That may be the case for some particularly widely traded breaches, but others are not as simple to obtain. Data trading forums often ask users to pay for datasets.

Should I be worried?Shoshana Wodinsky addsLaw Enforcement Is Buying Its Way Into Our Breaches:

Right now, theres a good chance your digital life is multitudes bigger than it was just a few months ago. Theres also a good chance that you (again, like everyone I kn0w), are rightfully concerned about the digital paper trail youre now leaving behind, either for data-hungry brokers or for national authorities.Because Spycloud is a private company, these agencies can fudge the Fourth Amendment to get their hands on that data wherever they want, whenever they want, no warrant required. Look, I dont doubt that [this] pretty unassuming companyhas its heart in the right place herebut theres still something about this service that makes meuncomfortable.Maybe its becausethe Spycloud website boasts about how they couldbe handing these cops highly enriched PII like first and last names, addresses, phone numbers, dates of birth, SSNs, and 150 other types of data. Maybe its because Ive seen firsthand how easy it is for these sorts of data breaches to ruin someones life.Agencies like the DOJa confirmed Spycloud customercan get this data behind our backs. While warrantless collection of this sort of data is typically a major slap in the face to the Fourth Amendment, federal authorities in our country have a storied history of bypassing those pesky legal requirements.

How is that even legal?Tyler Sonnemaker shines more light from above: [Youre firedEd.]

Law enforcement agencies have been buying up data originally obtained by hackers, including peoples emails, usernames, passwords, internet addresses, and phone numbers, from a cybersecurity company called SpyCloud, allowing them to bypass normal legal processes. While SpyCloud presents its tools as a way to help law enforcement investigators (and companies) catch cybercriminals, it also raises concerns about enabling them to collect information on innocent people.Investigators often need permission from a court to obtain certain types of digital information, but buying breach data from a private company gives them a more efficient and less accountable way to scoop up data. More than 15 billion records were exposed in nearly 8,000 breaches in 2019, according to Risk Based Security, giving law enforcement a treasure trove of personal data.While companies argue their products play a vital role in helping the government track down criminals and terrorists, theyve also sparked backlash from civil rights and privacy advocates and increasingly, from employees.

Wait, so is it legal?Ilia Kolochenko thinks not:

As a matter of practice, some law enforcement organisations and police units indeed occasionally buy stolen data from various sources. The data may then be used for a wide spectrum of monitoring, preventive or investigative purposes.Its usage, however, rarely becomes official and mostly serves different in-house purposes. The use of stolen, or otherwise unlawfully obtained data or evidence, is expressly prohibited by law.Moreover, subpoenaed data will likely be more recent, relevant, and complete, and wont pose problems for law enforcement officers later if a defendantcan afford skilled criminal defense lawyers.

So its illegal, right?Luthair agrees, but thinks around the problem:

One wonders the general legality in accessing this data for other purposes, and its admissibility in court or are they simply creating [a] parallel constructionabout how they might have otherwise arrived at some knowledge?

But wont somebody think of the children?Heres the National Child Protection Task Force CEO Kevin Metcalf:

Breach data is used by criminals every day. Together SpyCloud and NCPTF are using that data against them. Were proud to partner with SpyCloud to aid child trafficking investigators in solving important, time-sensitive cases.

In summary?ShanghaiBill cuts to the chase:

[The police] paid for it, supplying profit to the criminals and incentivizing future crime. They obtained, through criminal means, information that they would have never been allowed to collect with a legal warrant.They should be fired. Their supervisors should be fired. The politicians that allowed this to happen should be named andvoted out of office.

AndKevin Beaumont@GossiTheDogdoesnt sound positive:

Between cops routinely paying their own ransomware and now buying hacked data, we really are empowering police in the US to pay criminals, to keep their jobs.Seriously though, guardrails need putting up internationally around use of stolen data including security companies and authorities. Its a wild west, and Im not sure its healthy.

Meanwhile,its sauce for the goose, thinks knaapie:

Interesting. If usage of information from hacks by law enforcement is legitimate, then the usage of information from hacks by, for instance, Wikileaks would be legitimate too.

The mystery of black hole entropy

Previously in And Finally

You have been readingSBBlogwatchbyRichiJennings. Richi curates the best bloggy bits, finest forums, and weirdest websites so you dont have to. Hate mail may be directed to@RiCHiorsbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Anja/cocoparisienne (via Pixabay)