Companies Are Selling Cops Access To Personal Data Harvested From Malicious Hacking And Data Breaches

from the chance-to-be-victimized-all-over-again dept

There's a new way for cops to get information about suspects and it involves people who've already been victimized by criminal acts and/or careless handling of personal data by corporations. As Joseph Cox reports for Motherboard, law enforcement agencies are using third-party services to gain access to personal info derived from data breaches.

Hackers break into websites, steal information, and then publish that data all the time, with other hackers or scammers then using it for their own ends. But breached data now has another customer: law enforcement.

Some companies are selling government agencies access to data stolen from websites in the hope that it can generate investigative leads, with the data including passwords, email addresses, IP addresses, and more.

This is what SpyCloud offers to government agencies: one-stop shopping for a wealth of personal data -- including login info and passwords -- that agencies can't find anywhere else. SpyCloud says it's "empowering" investigators by giving them data they can "use against criminals."

That sounds very noble, but most of what's obtained from data breaches and malicious hacking is information about non-criminals. And it's unclear under what authority law enforcement agencies are searching SpyCloud's collection of data. Using a third party like SpyCloud allows law enforcement to bypass judicial review of warrants and subpoenas, which are normally used to obtain information directly from relevant companies once investigators have the reasonable suspicion needed to move ahead with this step. This new method of collecting information ignores all of that to give investigators a stock pond for fishing expeditions.

Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society, told Motherboard in an email, "it's disturbing that law enforcement can simply buy their way into obtaining vast amounts of account information, even passwords, without having to obtain any legal process."

"Normally, if the police want to find out, say, what IP address is associated with a particular online account, they do have to serve legal process on the service provider. This is an end-run around the usual legal processes. We impose those requirements on law enforcement for good reason," she added.

Tons of info is served up by SpyCloud, including email accounts, IP addresses, passwords, user names, and phone numbers. This may streamline things for investigators, but law enforcement isn't supposed to be easy. It's supposed to be reined in by checks and balances. SpyCloud says the hell with all of that, allowing agencies to get everything in one place without having to check with a judge first.

This stash could also give investigators a head-start when attempting to crack encrypted devices. Password reuse is common and a data storehouse full of passwords linked to suspects could give cops a way to crack open devices without having to worry too much about the Fifth Amendment. The Fourth Amendment, however, could prove more problematic. But the data obtained via SpyCloud is pretty much tailored for parallel construction, allowing investigators to get the info they want before working backwards to paper over the data's origin with subpoenas and warrants asking companies to provide information investigators already have.

SpyCloud itself poses an additional risk for everyone. Gathering up data from breaches and malicious hacking and putting it all in one place makes SpyCloud an attractive option for law enforcement agencies. It also makes it a very tempting target for criminals, who would also like a one-stop shop for personal info and passwords.

And then there's the problem of abuse, both by government employees and SpyCloud's own staff. This is an inevitability. Law enforcement's access is already somewhat abusive, as it appears to be occurring in a legal vacuum and involves the personal data of thousands (or millions) of non-suspects. But the potential for greater abuse -- the use of the data to collect information about anyone an officer has a non-professional interest in -- is omnipresent.

Finally, SpyCloud and its government users can't even argue these are all public domain records that anyone can access simply by tracking down publicly posted stashes obtained from hacking and data breaches. SpyCloud is compiling data from sources that aren't publicly available and selling this to cop shops as well.

[Co-founder Dave] Endler said that SpyCloud has a human intelligence team, whose work involves "developing relationships with sock puppets, alternate personas" to obtain data. Endler said SpyCloud also cracks passwords; datasets often only contain a hash, or a cryptographic fingerprint of a user's password. Once cracked, an investigator can see what a user's real password was; perhaps a useful clue in linking together accounts that share a password.

A lot of what's in this stash SpyCloud is cultivating and selling are third-party records. But in the legal sense, third-party records stand outside the Fourth Amendment's protection when they're obtained directly from the third party collecting them. Another party offering access to third-party records belonging to others isn't the kind of "third party" this doctrine pertains to. What courts will make of this is unknown. But law enforcement agencies already purchase third-party data from middlemen, suggesting these entities are aware they're operating in an area untouched by precedent and are willing to do things they probably shouldn't just because no judge has told them that they can't.


Filed Under: breaches, leaks, personal data, police
Companies: spycloud


Reader Comments


  • Anonymous Anonymous Coward, 14 Jul 2020 @ 4:02pm

    The effrontery

    First of all, if these are stolen records, then why the hell isn't law enforcement using the access to these files as leads to arrest those offering them.

    Secondly, given that these cases are likely to lead to parallel construction, what case number do they assign the cost to? I have some doubt that there is a line item in the budget for 'buying illicit stolen information'. I am not sure an illegal data broker could qualify as a CI.

    • Anonymous Coward, 14 Jul 2020 @ 5:18pm

      Re: The effrontery

      First of all, if these are stolen records, then why the hell isn't law enforcement using the access to these files as leads to arrest those offering them.

      This. Or investigate SpyCloud, since they are probably buying data from criminal brokers in the "Dark Web", thereby also supporting organized crime. But this company is just another version of what authoritarians like, so...

      • Anonymous Coward, 14 Jul 2020 @ 6:10pm

        Re: Re: The effrontery

        Receipt of stolen goods. Pretty sure that is a crime.

        • That One Guy, 14 Jul 2020 @ 6:19pm

          'Crime? Oh not at all, it just fell off the back of a truck.'

          Yeah, but it's one that helps the police do something they want to do anyway, and they're fine with looking the other way in those cases.

          • Anonymous Coward, 15 Jul 2020 @ 11:16am

            Re: 'Crime? Oh not at all, it just fell off the back of a truck.

            Paying (and frequently protecting) for years "informants" who regularly commit serious crimes - fine.

            Paying a broker for large caches of dirt, and who cares where it came from? Even better.

    • Bergman, 15 Jul 2020 @ 2:53am

      Re: The effrontery

      Simple. It's only illegal for peasants to receive stolen property.

      Cops are nobles.

  • That One Guy, 14 Jul 2020 @ 5:13pm

    Taste that poison fruit...

    It's a good thing that there's absolutely nothing wrong with making use of evidence attained through illegal means to further/justify an investigation, otherwise I could foresee police engaging in some heavy evidence laundering any time they make use of anything accessed thanks to buying those records, a practice which incentivizes even more hacking because now the hackers know they have yet another eager customer.

    Seriously US police, people already know you're corrupt top to bottom and only see the law as something for other people to follow, you don't need to constantly remind us.

  • Upstream, 14 Jul 2020 @ 6:27pm

    Parallel construction

    is also known as evidence laundering, which is a much more accurate and less euphemistic term. "Parallel construction" sounds innocuous, or maybe even like something positive, and laundering of illegally obtained evidence is anything but. We should try to avoid using the terms coined by law enforcement to give cover for their criminal activities. These terms are misleading and should not be propagated. When such a term has already taken hold, as 'parallel construction' has, it can always be expanded to 'parallel construction, also known as evidence laundering.' A bit wordy, perhaps, but it clarifies what it really is, and indicates that we are not being fooled by their methods or their terminology. Just because they use doublespeak does not mean we must use it also.

    • That One Guy, 15 Jul 2020 @ 12:12am

      Re: Parallel construction

      Absolutely, I would love to see the term 'parallel construction' tossed and replaced with the much more descriptive and accurate term 'evidence laundering' for the reasons you noted.

      Tell someone that the police have been accused of 'parallel construction' in a case and odds are good most people are either not going to have any idea what that is or brush it aside because it sounds relatively innocent, but tell people that they've been accused of 'evidence laundering' and even if they don't know exactly what that is the knowledge of money laundering is likely to give them a good idea both of what it is and the seriousness of the action.

  • This comment has been flagged by the community.
    Anonymous Coward, 14 Jul 2020 @ 9:18pm

    Techdirt Does The Same Thing, selling your records to the CIA

    I heard there is an FBI investigation ongoing right now about where Techdirt makes its money, and they have already tracked down Techdirt financial records to document their sales of personal information to Government agencies. Lots of people are interested in capturing your personal information when you go to the trouble of posting as an anonymous coward or even browsing a controversial web site like this one. If you think you're not the "product", you haven't been reading Masnick's marketing materials. They know the identities of everyone who posts and everyone who reads here, at a detailed level, and they sell it. The reason there has been a delay of Techdirt's prosecution so long is because the FBI was also a customer of Techdirt, as was the CIA. It's been clear a long time that Techdirt does not make its money from T-Shirts. Just read their own materials, it's very telling. Mike makes Facebook look fairly innocent. It's all a sham to gather information about you, reading this right now, information gathered surreptitiously, without your knowledge, that they can sell, and I heard many charges will soon be brought.

    • Anonymous Coward, 14 Jul 2020 @ 11:03pm

      Re: Techdirt Does The Same Thing, selling your records to the CI

      I highly doubt that. You're just making up mumbo-jumbo.

      • This comment has been flagged by the community.
        Anonymous Coward, 14 Jul 2020 @ 11:12pm

        Re: Re: Techdirt Does The Same Thing, selling your records to th

        Read Mike's marketing materials, he lays it all out very clearly. Do you really think Techdirt does what it does for free? They have no obvious means of support, and NO ONE at Techdirt is denying any of it. Why is that? Why is no one denying it? BECAUSE IT'S ALL TRUE, that's pretty obvious to anyone with half a brain. READ MIKE'S OWN MATERIALS! He admits it!

        • Anonymous Coward, 15 Jul 2020 @ 12:11am

          Re: Re: Re: Techdirt Does The Same Thing, selling your records t

          You are quite delusional. Get help.

          • That One Guy, 15 Jul 2020 @ 12:14am

            People have been telling them that for years, at this point it's quite clear that they thoroughly enjoy what passes for their mind, and the best 'help' that can be given is to flag them and let them stew in their own delusions alone.

      • That One Guy, 15 Jul 2020 @ 12:05am

        Well that's one way to say 'pulling stuff straight from their ass/demented mind'...

        • Scary Devil Monastery, 15 Jul 2020 @ 7:42am

          Re:

          "Well that's one way to say 'pulling stuff straight from their ass/demented mind'..."

          Baghdad Bob/Jhon has been whining for years about how he's been collecting "evidence" and "screenshots" of conversations here which would notably just end up showing him threatening other people with rape and murder.
          The only surprising thing about him running that particular line of trolling, again, would be that it'd be obvious even to a blind dyslexic by now that not a single poster around here falls for any of his demented ramblings.

          In summary that stuff he's pulling from his ass today appears to be the exact stuff he pulled from his ass so many times before. It isn't getting less smelly every time it passes his colon, I note.

          • That One Guy, 15 Jul 2020 @ 1:58pm

            Re: Re:

            Baghdad Bob/Jhon has been whining for years about how he's been collecting "evidence" and "screenshots" of conversations here which would notably just end up showing him threatening other people with rape and murder.

            Other than the paranoid/delusional angle that is probably the funniest part of that assertion, in that if 'the feds' really were looking into TD comments they would be at the top of the list of 'people to investigate/have a chat with' thanks to their comments over the years, making for yet another self-defeating claim.

            • Scary Devil Monastery, 16 Jul 2020 @ 12:20am

              Re: Re: Re:

              Well, Baghdad Bob has been his normal unhinged self for many years now, first on Torrentfreak and now here. It's his regular cycle which has me wondering if whatever condition he's afflicted with is a cyclical form of disorder.

              First he'll spend a lot of time dropping irrelevant one-liners completely divorced from any topic other than how much he hates Techdirt, liberals, commies, lefties, women, black people, foreigners, the intellectual elite (really, any form of book learning) etc. Bringing nothing to the table except an affirmation that he loathes everyone who isn't specifically he himself or possibly Trump (before which he loved Cheney and his defense of Torture).

              Then he'll spend some time writing longer posts where he pretends to be a pirate, black lives matter activist, or anti-fascist the way he apparently believes they think. That's always good for a laugh, especially when he can't stop himself from obsessing over the Black Man in the White House or the Woman Candidate.

              After that he pulls out his trusty old conspiracy theory about how any day now the FBI will come and haul all of us pirates - or techdirt commenters - off in chains to be sodomized by Vinnie and Mac in the maximum-security wing of some horrible hellhole prison. In tones suggesting he's drooling at the thought. Utterly failing to realize that he himself consistently commits crimes of death threats and slander against the named editors of TD - thus making him the only dead sure suspect ripe for investigation.

              Finally, once everyone's managed to stop laughing and make it abundantly clear to him that to us he remains just that deranged clown no one takes seriously, he'll lose his shit completely, shitting out numerous posts containing nothing but wordwalls of impotent fury and a LOT OF CAPS.

              After which cathartic release he puts up a comment where he - in what he probably thinks is rational discourse - suggests he's a long-time reader now leaving Techdirt forever because everyone else is being so mean.

              If he wasn't such a pathetic shitstick I'd consider him a ticking bomb one step shy of climbing a water tower with a rifle or walking into the nearest school with a bag full of guns.

      • Anonymous Coward, 15 Jul 2020 @ 9:44am

        Re: Re: Techdirt Does The Same Thing, selling your records to th

        Why buy when they can just sit in the meet points, grab the traffic, and make their own maps of who's who?

    • Code Monkey, 15 Jul 2020 @ 6:38am

      Re: Techdirt Does The Same Thing, selling your records to the CI

      Provide independently verifiable proof of your accusations, and maybe, maybe, someone might take you seriously.

      Or, maybe just loosen your tinfoil hat and let the blood flow back into your brain.

    • Scary Devil Monastery, 15 Jul 2020 @ 7:35am

      Re: Techdirt Does The Same Thing, selling your records to the CI

      "I heard there is an FBI investigation ongoing right now about where Techdirt makes its money..."

      Ah, Baghdad Bob, you never fail to disappoint. You've been going on about how Techdirt is a "criminal enterprise" for years, telling everybody that you've been saving every screenshot and soon, any day now, anyone posting here will get hauled off in chains for being mean enough to tell you upfront when you are being a gormless fuckwit.

      And yet, despite the hundreds of times you've asserted that you've got the evidence of malfeasance apparently Mike hasn't even received so much as a single lonely call from whatever cop or agent might have been bored enough to receive your alleged complaints.

      We're on what, now, five years worth of you whining impotently about how Mike and everyone else around here are all criminals and will go to jail - in tones and syntax which conjures visions of a frustrated child throwing a tantrum with tears of rage falling down his wobbling cheeks while he's venting his feelings of powerless frustration and wishful thinking on his hapless keyboard.

      "The reason there has been a delay of Techdirt's prosecution so long is because the FBI was also a customer of Techdirt, as was the CIA."

      Wow. And there we have it folks - Techdirt is the illuminati. The global conspiracy. In Baghdad Bob's fevered imagination the Big Bad. The Last Boss. You heard it here first!

      Seriously, Baghdad Bob - get help. No matter whether you're trolling us for kicks, several years worth of it surely isn't healthy.
      If you're for real I'm afraid there's no helping you except having the nice guys in the white coats show you to a room with padded walls where you'll stop hurting yourself.

      • Anonymous Coward, 15 Jul 2020 @ 11:21am

        Re: Re: Techdirt Does The Same Thing, selling your records to th

        I only wish Techdirt had that much power. They certainly wouldn't be selling... tracking cookie info to the Feds?

        (Conspiracynauts are just phoning it in these days.)

        • Scary Devil Monastery, 16 Jul 2020 @ 12:27am

          Re: Re: Re: Techdirt Does The Same Thing, selling your records t

          "I only wish Techdirt had that much power. They certainly wouldn't be selling... tracking cookie info to the Feds?"

          Baghdad Bob - or Jhon Smith, Bobmail, Out_of_the_blue, and a thousand other throwaway nicknames he's gone under in the past - believes, very firmly, that a list of tracking cookies or email addresses is hard currency. He spent years on Torrentfreak whining about how "pirates" stole his mailing lists, ruining his latest scam by putting them up as torrents on The Pirate Bay. Those assumptions of his alone should tell you just how attached to reality he is.

          His assumption that Techdirt is a criminal conspiracy hub followed closely by the FBI and CIA - with which they are, apparently, in close cahoots - is actually one of his tamer derangements. Usually he makes a fanatical flat earth zealot or a ranting tinfoil conspiracy theorist look like a model of sanity.

    • Wyrm, 15 Jul 2020 @ 2:27pm

      Re: Techdirt Does The Same Thing, selling your records to the CI

      Oh, juicy.
      I'm perfectly ready to believe you, as soon as you cite your sources.
      Just "I heard" doesn't quite convince me, but I promise I'll believe you when you provide some proper evidence.

      You'll excuse me if I don't hold my breath though.

  • Anonymous Coward, 15 Jul 2020 @ 5:43am

    How does this square with CCPA?

    So, if you are a resident of California, and your records are in here, couldn't SpyCloud be sued into oblivion with a state-sized class action lawsuit? This is literally selling personal information without consent ESPECIALLY since it was stolen in the first place!

  • Anonymous Coward, 15 Jul 2020 @ 10:14am

    Nothing to see here. Their Privacy Policy says "We will not sell or rent your personal information to anyone." There you have it. Everyone move along now.

  • Anonymous Coward, 15 Jul 2020 @ 10:39am

    Fruit of the poisonous tree.

    Fruit of the poisonous tree.

  • ROGS, for lack of a better world, 23 Jul 2020 @ 12:07pm

    When I watched the NSA steal codesets in France, via hand phones, Techdirt's shitbag commenters called me a conspiracy theorist.

    Then, after that, I saw 3M company, and its Cogent spy bureau steal US persons data.

    Sure, Techdirt is so "fair and non-partisan," lol.

    But real scoops still elude you. "for some reason" or other, lol

    Open your eyes/ears/Panoptical receivers, lol
