Jeremy Kirk reports:
Security practitioners often tread a fine and not entirely well-defined legal line when conducting data breach research. This research can also pose ethical questions when commercial sources for stolen data fall into a gray area.
Kirk’s article on DataBreachToday provides a good overview of the issue. And I totally agree with Troy Hunt, who is quoted on this issue as saying:
“I can’t for the life of me understand how security companies paying for that data on a legal basis is any different than the hacker buying the data,” he says. “People justifying this practice are relying entirely on intent being the differentiating factor, but that doesn’t do anything to de-incentivize the market for stolen data.”
I know there are people who maintain that once a data dump has been made public, it’s fair game, and people can buy it and use it. But if you buy it — even if you pay for it in “tokens” on RF — you are encouraging more data theft and dumps, which harms consumer privacy. This applies even in those situations where a firm or individual is buying a data dump on behalf of the victim company who wants to find out what data the threat actors obtained. Their agent is not doing anything technically wrong or illegal (at least I don’t think they are) but by making the purchase for them, they are still rewarding the criminals with a payment and therefore still encouraging crime.
Even if you just download the data totally for free but then use it on your commercial site — like charging people to access the data that you did not have the owner’s consent to obtain or use — well, to me, that’s unethical if not actually illegal.