Is it legal to use data from data leaks?

5 points by jamesmurray ↗ HN
So, to what degree, if any, am I allowed to use data that is leaked or stolen?

Obviously, it's wrong to sell stolen information or exploit it to harm other people. It's also wrong to release personally identifiable information that could harm an individual.

However, wouldn't it be reasonable to use the stolen info to say, use the dataset to get aggregate statistics, and figure out how many migrants there were in a metropolitan area? Couldn't this be used in the public interest?

If this is not reasonable, here's a list of questions:

- Why isn't this reasonable? - When the NYTimes releases emails from leakers or hackers, why is it reasonable? It doesn't seem like anyone goes to jail for this.

4 comments

[ 2.6 ms ] story [ 20.9 ms ] thread
Shouldnt the title include "Ask HN: "?

I am not a lawyer, nor do I play one on TV.

If you obtained something that is stolen, would you feel comfortable explaining to law enforcement or a judge why you have it and how you obtained it? Do you have the time and resources to deal with the hassle? Newspapers have plenty resources and experience in this area.

I would consult a few lawyers prior to handling information that was intended to be private.

It depends on the legislation, but in general: NOPE.

You have to treat stolen data as a stolen object. Even if you get them by legal means (eg a robber sold you a "you didn't know" stolen object with a legal contract) it still remains a stolen object and as soon as you discover/know it is stolen you must return it to authorities or the proprietary.

In EU for the data you must get the consent even in third party "reselling" even if you already had it for your own use.

If stolen there is no way you could use that data legally because the property is both of the users and of the company/entity from which they were stolen and you are not authorized to treat it in any way.

It is different if the data is public domain/interest (eg for the case of the journals, they just release data that authorities made public). But, indeed, an authority must decide so

In the U.S. if the data has leaked to the public then the First Amendment protects you unless or until there's some intervening obligation, like for people who have government security clearances. But if there's any serious doubt about whether its already public then you should ask a lawyer. Unless it's already been disclosed by major media then you may want to at least think twice.

There are obvious analogies to stolen goods, but you have to be careful there. You could distinguish data similar to how the law distinguishes money. If a bank robber uses a $20 bill at the 7-Eleven for a 6-pack of beer, the 7-Eleven is NOT in possession of stolen property and therefore doesn't have to worry about the government seizing the $20.

Similar considerations can be made regarding data, especially on First Amendment grounds. Certainly journalists have some protection in this regard. But in general I think the law is rather murky in this area so either seek legal counsel or caveat emptor. Certainly if you could be considered to have any relationship to the person who stole the data or to whom it was stolen you would want to steer clear.