Is it legal to use data from data leaks?
So, to what degree, if any, am I allowed to use data that is leaked or stolen?
Obviously, it's wrong to sell stolen information or exploit it to harm other people. It's also wrong to release personally identifiable information that could harm an individual.
However, wouldn't it be reasonable to use the stolen info to say, use the dataset to get aggregate statistics, and figure out how many migrants there were in a metropolitan area? Couldn't this be used in the public interest?
If this is not reasonable, here's a list of questions:
- Why isn't this reasonable? - When the NYTimes releases emails from leakers or hackers, why is it reasonable? It doesn't seem like anyone goes to jail for this.
4 comments
[ 2.6 ms ] story [ 20.9 ms ] threadI am not a lawyer, nor do I play one on TV.
If you obtained something that is stolen, would you feel comfortable explaining to law enforcement or a judge why you have it and how you obtained it? Do you have the time and resources to deal with the hassle? Newspapers have plenty resources and experience in this area.
I would consult a few lawyers prior to handling information that was intended to be private.
You have to treat stolen data as a stolen object. Even if you get them by legal means (eg a robber sold you a "you didn't know" stolen object with a legal contract) it still remains a stolen object and as soon as you discover/know it is stolen you must return it to authorities or the proprietary.
In EU for the data you must get the consent even in third party "reselling" even if you already had it for your own use.
If stolen there is no way you could use that data legally because the property is both of the users and of the company/entity from which they were stolen and you are not authorized to treat it in any way.
It is different if the data is public domain/interest (eg for the case of the journals, they just release data that authorities made public). But, indeed, an authority must decide so
There are obvious analogies to stolen goods, but you have to be careful there. You could distinguish data similar to how the law distinguishes money. If a bank robber uses a $20 bill at the 7-Eleven for a 6-pack of beer, the 7-Eleven is NOT in possession of stolen property and therefore doesn't have to worry about the government seizing the $20.
Similar considerations can be made regarding data, especially on First Amendment grounds. Certainly journalists have some protection in this regard. But in general I think the law is rather murky in this area so either seek legal counsel or caveat emptor. Certainly if you could be considered to have any relationship to the person who stole the data or to whom it was stolen you would want to steer clear.