Companies Are Selling Cops Access To Personal Data Harvested From Malicious Hacking And Data Breaches

from the chance-to-be-victimized-all-over-again dept

There’s a new way for cops to get information about suspects and it involves people who’ve already been victimized by criminal acts and/or careless handling of personal data by corporations. As Joseph Cox reports for Motherboard, law enforcement agencies are using third-party services to gain access to personal info derived from data breaches.

Hackers break into websites, steal information, and then publish that data all the time, with other hackers or scammers then using it for their own ends. But breached data now has another customer: law enforcement.

Some companies are selling government agencies access to data stolen from websites in the hope that it can generate investigative leads, with the data including passwords, email addresses, IP addresses, and more.

This is what SpyCloud offers to government agencies: one-stop shopping for a wealth of personal data — including login info and passwords — that agencies can’t find anywhere else. SpyCloud says it’s “empowering” investigators by giving them data they can “use against criminals.”

That sounds very noble, but most of what’s obtained from data breaches and malicious hacking is information about non-criminals. And it’s unclear under what authority law enforcement agencies are searching SpyCloud’s collection of data. Using a third party like SpyCloud allows law enforcement to bypass judicial review of warrants and subpoenas, which are normally used to obtain information directly from relevant companies once investigators have the reasonable suspicion needed to move ahead with this step. This new method of collecting information ignores all of that to give investigators a stock pond for fishing expeditions.

Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society, told Motherboard in an email, “it’s disturbing that law enforcement can simply buy their way into obtaining vast amounts of account information, even passwords, without having to obtain any legal process.”

“Normally, if the police want to find out, say, what IP address is associated with a particular online account, they do have to serve legal process on the service provider. This is an end-run around the usual legal processes. We impose those requirements on law enforcement for good reason,” she added.

Tons of info is served up by SpyCloud, including email accounts, IP addresses, passwords, user names, and phone numbers. This may streamline things for investigators, but law enforcement isn’t supposed to be easy. It’s supposed to be reined in by checks and balances. SpyCloud says the hell with all of that, allowing agencies to get everything in one place without having to check with a judge first.

This stash could also give investigators a head-start when attempting to crack encrypted devices. Password reuse is common and a data storehouse full of passwords linked to suspects could give cops a way to crack open devices without having to worry too much about the Fifth Amendment. The Fourth Amendment, however, could prove more problematic. But the data obtained via SpyCloud is pretty much tailored for parallel construction, allowing investigators to get the info they want before working backwards to paper over the data’s origin with subpoenas and warrants asking companies to provide information investigators already have.

SpyCloud itself poses an additional risk for everyone. Gathering up data from breaches and malicious hacking and putting it all in one place makes SpyCloud an attractive option for law enforcement agencies. It also makes it a very tempting target for criminals, who would also like a one-stop shop for personal info and passwords.

And then there’s the problem of abuse, both by government employees and SpyCloud’s own staff. This is an inevitability. Law enforcement’s access is already somewhat abusive, as it appears to be occurring in a legal vacuum and involves the personal data of thousands (or millions) of non-suspects. But the potential for greater abuse — the use of the data to collect information about anyone an officer has a non-professional interest in — is omnipresent.

Finally, SpyCloud and its government users can’t even argue these are all public domain records that anyone can access simply by tracking down publicly posted stashes obtained from hacking and data breaches. SpyCloud is compiling data from sources that aren’t publicly available and selling this to cop shops as well.

[Co-founder Dave] Endler said that SpyCloud has a human intelligence team, whose work involves “developing relationships with sock puppets, alternate personas” to obtain data. Endler said SpyCloud also cracks passwords; datasets often only contain a hash, or a cryptographic fingerprint of a user’s password. Once cracked, an investigator can see what a user’s real password was; perhaps a useful clue in linking together accounts that share a password.

A lot of what’s in this stash SpyCloud is cultivating and selling are third-party records. But in the legal sense, third-party records stand outside the Fourth Amendment’s protection when they’re obtained directly from the third party collecting them. Another party offering access to third-party records belonging to others isn’t the kind of “third party” this doctrine pertains to. What courts will make of this is unknown. But law enforcement agencies already purchase third-party data from middlemen, suggesting these entities are aware they’re operating in an area untouched by precedent and are willing to do things they probably shouldn’t just because no judge has told them that they can’t.

Filed Under: , , ,
Companies: spycloud

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Companies Are Selling Cops Access To Personal Data Harvested From Malicious Hacking And Data Breaches”

Subscribe: RSS Leave a comment
Anonymous Anonymous Coward (profile) says:

The effrontery

First of all, if these are stolen records, the why the hell isn’t law enforcement using the access to these files as leads to arrest those offering them.

Secondly, given that these cases are likely to lead to parallel construction, what case number do they assign the cost to? I have some doubt that there is a line item in the budget for ‘buying illicit stolen information’. I am not sure an illegal data broker could qualify as a CI.

This comment has been deemed insightful by the community.
Anonymous Coward says:

Re: The effrontery

First of all, if these are stolen records, the why the hell isn’t law enforcement using the access to these files as leads to arrest those offering them.

This. Or investigate SpyCloud, since they are probably buying data from criminal brokers in the "Dark Web", thereby also supporting organized crime. But this company is just another version of what authoritarians like, so…

That One Guy (profile) says:

Taste that poison fruit...

It’s a good thing that there’s absolutely nothing wrong with making use of evidence attained through illegal means to further/justify an investigation, otherwise I could foresee police engaging in some heavy evidence laundering any time they make use of anything accessed thanks to buying those records, a practice which incentivizes even more hacking because now the hackers know they have yet another eager customer.

Seriously US police, people already know you’re corrupt top to bottom and only see the law as something for other people to follow, you don’t need to constantly remind us.

This comment has been deemed insightful by the community.
Upstream (profile) says:

Parallel construction

is also known as evidence laundering, which is a much more accurate and less euphemistic term. "Parallel construction" sounds innocuous, or maybe even like something positive, and laundering of illegally obtained evidence is anything but. We should try to avoid using the terms coined by law enforcement to give cover for their criminal activities. These terms are misleading and should not be propagated. When such a term has already taken hold, as ‘parallel construction’ has, it can always be expanded to ‘parallel construction, also known as evidence laundering.’ A bit wordy, perhaps, but it clarifies what it really is, and indicates that we are not being fooled by their methods or their terminology. Just because they use doublespeak does not mean we must use it also.

That One Guy (profile) says:

Re: Parallel construction

Absolutely, I would love to see the term ‘parallel construction’ tossed and replaced with the much more descriptive and accurate term ‘evidence laundering’ for the reasons you noted.

Tell someone that the police have been accused of ‘parallel construction’ in a case and odds are good most people are either not going to have any idea what that is or brush it aside because it sounds relatively innocent, but tell people that they’ve been accused of ‘evidence laundering’ and even if they don’t know exactly what that is the knowledge of money laundering is likely to give them a good idea both of what it is and the seriousness of the action.

This comment has been flagged by the community. Click here to show it.

Anonymous Coward says:

Techdirt Does The Same Thing, selling your records to the CIA

I heard there is an FBI investigation ongoing right now about where Techdirt makes it’s money, and they have already tracked down Techdirt financial records to document their sales of personal information to Government agencies. Lots of people are interested in capturing your personal information when you go to the trouble of posting as an anonymous coward or even browsing a controversial web site like this one. If you think you’re not the "product", you haven’t been reading Masnick’s marketing materials. They know the identities of everyone who posts and everyone who reads here, at a detailed level, and they sell it. The reason there has been a delay of Techdirt’s prosecution so long is because the FBI was also a customer of Techdirt, as was the CIA. It’s been clear a long time that Techdirt does not make it’s money from T-Shirts. Just read their own materials, it’s very telling. Mike makes Facebook look fairly innocent. It’s all a sham to gather information about you, reading this right now, information gathered surreptitiously, without your knowledge, that they can sell, and I heard many charges will soon be brought.

This comment has been flagged by the community. Click here to show it.

Anonymous Coward says:

Re: Re: Techdirt Does The Same Thing, selling your records to th

Read Mike’s marketing materials, he lays it all out very clearly. Do you really think Techdirt does what it does for free? They have no obvious means of support, and NO ONE at Techdirt is denying any of it. Why is that? Why is no one denying it? BECAUSE IT’S ALL TRUE, that’s pretty obvious to anyone with half a brain. READ MIKE’S OWN MATERIALS! He admits it!

Scary Devil Monastery (profile) says:

Re: Re: Re: Re:

"Well that’s one way to say ‘pulling stuff straight from their ass/demented mind’…"

Baghdad Bob/Jhon has been whining for years about how he’s been collecting "evidence" and "screenshots" of conversations here which would notably just end up showing him threatening other people with rape and murder.
The only surprising thing about him running that particular line of trolling, again, would be that it’d be obvious even to a blind dyslexic by now that not a single poster around here falls for any of his demented ramblings.

In summary that stuff he’s pulling from his ass today appears to be the exact stuff he pulled from his ass so many times before. It isn’t getting less smelly every time it passes his colon, I note.

That One Guy (profile) says:

Re: Re: Re:2 Re:

Baghdad Bob/Jhon has been whining for years about how he’s been collecting "evidence" and "screenshots" of conversations here which would notably just end up showing him threatening other people with rape and murder.

Other than the paranoid/delusional angle that is probably the funniest part of that assertion, in that if ‘the feds’ really were looking into TD comments they would be at the top of the list of ‘people to investigate/have a chat with’ thanks to their comments over the years, making for yet another self-defeating claim.

Scary Devil Monastery (profile) says:

Re: Re: Re:3 Re:

Well, Baghdad Bob has been his normal unhinged self for many years now, first on Torrentfreak and now here. It’s his regular cycle which has me wondering if whatever condition he’s afflicted with is a cyclical form of disorder.

First he’ll spend a lot of time dropping irrelevant one-liners completely divorced form any topic other than how much he hates Techdirt, liberals, commies, lefties, women, black people, foreigners, the intellectual elite (really, any form of book learning) etc. Bringing nothing to the table except an affirmation that he loathes everyone who isn’t specifically he himself or possibly Trump (before which he loved Cheney and his defense of Torture).

Then he’ll spend some time writing longer posts where he pretends to be a pirate, black lives matter activist, or anti-fascist the way he apparently believes they think. That’s always good for a laugh, especially when he can’t stop himself from obsessing over the Black Man in the White House or the Woman Candidate.

After that he pulls out his trusty old conspiracy theory about how any day now the FBI will come and haul all of us pirates – or techdirt commenters – off in chains to be sodomized by Vinnie and Mac in the maximum-security wing of some horrible hellhole prison. In tones suggesting he’s drooling at the thought. Utterly failing to realize that he himself consistently commits crimes of death threats and slander against the named editors of TD – thus making him the only dead sure suspect ripe for investigation.

Finally, once everyone’s managed to stop laughing and make it abundantly clear to him that to us he remains just that deranged clown no one takes seriously, he’ll lose his shit completely, shitting out numerous posts containing nothing but wordwalls of impotent fury and a LOT OF CAPS.

After which cathartic release he puts up a comment where he – in what he probably thinks is rational discourse – suggests he’s a long-time reader now leaving Techdirt forever because everyone else is being so mean.

If he wasn’t such a pathetic shitstick I’d consider him a ticking bomb one step shy of climbing a water tower with a rifle or walking into the nearest school with a bag full of guns.

Scary Devil Monastery (profile) says:

Re: Techdirt Does The Same Thing, selling your records to the CI

"I heard there is an FBI investigation ongoing right now about where Techdirt makes it’s money…"

Ah, Baghdad Bob, you never fail to disappoint. You’ve been going on about how Techdirt is a "criminal enterprise" for years, telling everybody that you’ve been saving every screenshot and soon, any day now, anyone posting here will get hauled off in chains for being mean enough to tell you upfront when you are being a gormless fuckwit.

And yet, despite the hundreds of times you’ve asserted that you’ve got the evidence of malfeasance apparently Mike hasn’t even received so much as a single lonely call from whatever cop or agent might have been bored enough to receive your alleged complaints.

We’re on what, now, five years worth of you whining impotently about how Mike and everyone else around here are all criminals and will go to jail – in tones and syntax which conjures visions of a frustrated child throwing a tantrum with tears of rage falling down his wobbling cheeks while he’s venting his feelings of powerless frustration and wishful thinking on his hapless keyboard.

"The reason there has been a delay of Techdirt’s prosecution so long is because the FBI was also a customer of Techdirt, as was the CIA."

Wow. And there we have it folks – Techdirt is the illuminati. The global conspiracy. In Baghdad Bob’s fevered imagination the Big Bad. The Last Boss. You heard it here first!

Seriously, Baghdad Bob – get help. No matter whether you’re trolling us for kicks, several years worth of it surely isn’t healthy.
If you’re for real I’m afraid there’s no helping you except having the nice guys in the white coats show you to a room with padded walls where you’ll stop hurting yourself.

Scary Devil Monastery (profile) says:

Re: Re: Re: Techdirt Does The Same Thing, selling your records t

"I only wish Techdirt had that much power. They certainly wouldn’t selling… tracking cookie info to the Feds? "

Baghdad Bob – or Jhon Smith, Bobmail, Out_of_the_blue, and a thousand other throwaway nicknames he’s gone under in the past – believes, very firmly, that a list of tracking cookies or email addresses is hard currency. He spent years on Torrentfreak whining about how "pirates" stole his mailing lists, ruining his latest scam by putting them up as torrents on The Pirate Bay. Those assumptions of his alone should tell you just how attached to reality he is.

His assumption that Techdirt is a criminal conspiracy hub followed closely by the FBI and CIA – with which they are, apparently, in close cahoots – is actually one of his tamer derangements. Usually he makes a fanatical flat earth zealot or a ranting tinfoil conspiracy theorist look like a model of sanity.

ROGS, for lack of a better world says:

When I watched the NSA steal codesets in France, via hand phones, Techdirts shitbag commenters called me a conspiracy theorist.

Then, after that, I saw 3M company, and its Cogent spy beaureau steal US persons data.

Sure, Techdirt is so ”fair and non -partisan, ” lol.

But real scoops still elude you. “for some reason ” or other, lol

Open your eyes /ears /Panoptical recievers, lol

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...