Companies Are Selling Cops Access To Personal Data Harvested From Malicious Hacking And Data Breaches
from the chance-to-be-victimized-all-over-again dept
There’s a new way for cops to get information about suspects and it involves people who’ve already been victimized by criminal acts and/or careless handling of personal data by corporations. As Joseph Cox reports for Motherboard, law enforcement agencies are using third-party services to gain access to personal info derived from data breaches.
Hackers break into websites, steal information, and then publish that data all the time, with other hackers or scammers then using it for their own ends. But breached data now has another customer: law enforcement.
Some companies are selling government agencies access to data stolen from websites in the hope that it can generate investigative leads, with the data including passwords, email addresses, IP addresses, and more.
This is what SpyCloud offers to government agencies: one-stop shopping for a wealth of personal data — including login info and passwords — that agencies can’t find anywhere else. SpyCloud says it’s “empowering” investigators by giving them data they can “use against criminals.”
That sounds very noble, but most of what’s obtained from data breaches and malicious hacking is information about non-criminals. And it’s unclear under what authority law enforcement agencies are searching SpyCloud’s collection of data. Using a third party like SpyCloud allows law enforcement to bypass judicial review of warrants and subpoenas, which are normally used to obtain information directly from relevant companies once investigators have the reasonable suspicion needed to move ahead with this step. This new method of collecting information ignores all of that to give investigators a stock pond for fishing expeditions.
Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society, told Motherboard in an email, “it’s disturbing that law enforcement can simply buy their way into obtaining vast amounts of account information, even passwords, without having to obtain any legal process.”
“Normally, if the police want to find out, say, what IP address is associated with a particular online account, they do have to serve legal process on the service provider. This is an end-run around the usual legal processes. We impose those requirements on law enforcement for good reason,” she added.
Tons of info is served up by SpyCloud, including email accounts, IP addresses, passwords, user names, and phone numbers. This may streamline things for investigators, but law enforcement isn’t supposed to be easy. It’s supposed to be reined in by checks and balances. SpyCloud says the hell with all of that, allowing agencies to get everything in one place without having to check with a judge first.
This stash could also give investigators a head-start when attempting to crack encrypted devices. Password reuse is common and a data storehouse full of passwords linked to suspects could give cops a way to crack open devices without having to worry too much about the Fifth Amendment. The Fourth Amendment, however, could prove more problematic. But the data obtained via SpyCloud is pretty much tailored for parallel construction, allowing investigators to get the info they want before working backwards to paper over the data’s origin with subpoenas and warrants asking companies to provide information investigators already have.
SpyCloud itself poses an additional risk for everyone. Gathering up data from breaches and malicious hacking and putting it all in one place makes SpyCloud an attractive option for law enforcement agencies. It also makes it a very tempting target for criminals, who would also like a one-stop shop for personal info and passwords.
And then there’s the problem of abuse, both by government employees and SpyCloud’s own staff. This is an inevitability. Law enforcement’s access is already somewhat abusive, as it appears to be occurring in a legal vacuum and involves the personal data of thousands (or millions) of non-suspects. But the potential for greater abuse — the use of the data to collect information about anyone an officer has a non-professional interest in — is omnipresent.
Finally, SpyCloud and its government users can’t even argue these are all public domain records that anyone can access simply by tracking down publicly posted stashes obtained from hacking and data breaches. SpyCloud is compiling data from sources that aren’t publicly available and selling this to cop shops as well.
[Co-founder Dave] Endler said that SpyCloud has a human intelligence team, whose work involves “developing relationships with sock puppets, alternate personas” to obtain data. Endler said SpyCloud also cracks passwords; datasets often only contain a hash, or a cryptographic fingerprint of a user’s password. Once cracked, an investigator can see what a user’s real password was; perhaps a useful clue in linking together accounts that share a password.
A lot of what’s in this stash SpyCloud is cultivating and selling are third-party records. But in the legal sense, third-party records stand outside the Fourth Amendment’s protection when they’re obtained directly from the third party collecting them. Another party offering access to third-party records belonging to others isn’t the kind of “third party” this doctrine pertains to. What courts will make of this is unknown. But law enforcement agencies already purchase third-party data from middlemen, suggesting these entities are aware they’re operating in an area untouched by precedent and are willing to do things they probably shouldn’t just because no judge has told them that they can’t.