I'm glad they released this and made it clear that there is a legal and safe way to collect this sort of information.
From my reading, as long as you're not furthering any crimes the community is engaged in, or impersonating a real person to gain their trust (as opposed to a fictional false identity), or breaching any systems they use, then it's generally okay to gather information. Purchasing stolen data (that you own/are authorized to possess) and vulnerabilities is more complicated, but they explain some legal ways of doing it.
One thing to keep in mine. They specifically call out anything involving child pornography isn't covered by this document. The gist I got was, "Don't be a dipshit, run screaming in the other direction if you get even a whiff of it," which is my policy on the subject irregardless of this document.
Yes, agreed. Credit cards and hacking discussions are one thing (partly because they can directly affect your company or customers), but child abuse is a totally different matter. In those cases I imagine you should just report whatever you accidentally stumble upon to law enforcement and stay far away afterwards.
For a class I took on cybersecurity law, one of the readings mentioned procedures involved for LEOs investigating crimes of that nature. Among other things, the agent was required to use a specific locked-down computer with a custom web browser which would not request image files, because requesting, receiving, or storing (much less displaying) said files would be a criminal act. That work is best left to specialists (and even then, they rotate out regularly for mental health reasons).
There are several situations where you, by nature of your employment and/or the discovery, may be legally required to disclose finding it to certain parties. Running away as you suggest can create legal liability in a few circumstances. Speak with your corporate lawyer and someone at NCMEC if you are based in the United States and come across this situation, especially if it is UGC that your network touched in any way.
Any U.S. organization that handles UGC MUST be aware of this, because failure to follow the process can clap back rapidly. IANAL, so ask yours, and I’m only familiar with the U.S. If you accept and transmit UGC, it will happen. Be ready and train your people, and be ready to support them when they collapse mentally from dealing with it (not even to mention the impact to the children).
I still have very specific nightmares and refuse to work in UGC/hosting due to this.
I used to work as in-house counsel at a machine learning company and we had exactly the system you describe set up: a standard set of procedures for immediate reporting of child pornography found in image batches sent to us by customers, NCMEC notification, quarantining and isolated storage of the data, and offering counseling for affected employees. It didn't happen often, thankfully, but was pretty eye-opening about what's out there.
My plan is to report to the police, report to the company (in that order), and then get a lawyer and touch nothing else of the companies systems until the issue is resolved.
I don't give a damn what the company policy is, that shit is so corrosive that I'm not doing anything with it beyond reporting it to the authorities and then protecting myself.
To me, the big question underneath all of this is password dumps. I don't know that there was much uncertainty about buying vulnerabilities. But password dumps are almost always per se stolen data, and it's a bit of an open secret that there are anti-ATO teams using those dumps to create better versions of HIBP. I read this looking for clear guidance on whether it was safe to buy a password dump if you're only using it to force password resets for your users, and didn't come away with much certainty in either direction.
>As noted above, many of the federal criminal statutes associated with the type of stolen data that tends to be sold in Dark Markets—e.g., passwords, account numbers, and other personally identifiable information—only apply if there is intent to further another crime: for instance, an intent to use the information to defraud.33 For this reason, a purchaser of the stolen data who lacks a criminal motive is unlikely to face prosecution under those statutes.
The part where it goes on to say that the data should be sequestered and surrendered immediately to law enforcement, and that you might still be subject to an investigation.
If motive is the defense against prosecution, then clearly you should be potentially subject to investigation. How else should we check that you're not actually lying about your motive?
> knowingly purchasing another party’s stolen data without that party’s authorization can pose some legal risk. It is much more likely to raise questions about the purchaser’s motives and result in scrutiny from law enforcement and the legitimate data owner, particularly if a trade secret is involved.
So if you're buying password dumps only to protect your own users from account takeover then you're unlikely to face legal consequences? However, that's not ironclad and not explicitly protected by the law. No promises.
I know some large sites will use illicit passwords dumps to revoke re-used passwords for their own users. Though they'll be very obtuse and just tell users something like "your password has expired". Given the fuzzy legality of this practice, I can understand why.
Also, there's a potential gap between "protecting your users" and "selling protection for users to other companies" that you'd really like to see clarified, if you're a vendor who buys password dumps to provide a commercial ATO service.
Most lawyers would still say not to do this to a small client with limited resources to defend themselves. A more well funded client would be walked through a process that combines obfuscation with plausible deniability. Being scrutinized is just as bad as being put on trial when the alternative is a zero risk position. So when you collect the data you need a strategy that minimizes being noticed (or being noticed by a party that is allowed to act), executes in a way that produces minimal evidence (or the kinds of evidence a lawyer can't have dismissed), and which might violate the spirit of the law but not its letter (unless you're European because they find writing real laws cumbersome).
It's copied not taken therefore is no theft. Unless the password is copyrighted I don't see what law the receiver is breaking, I think the gray area is when you pair usernames with the password but a password only list I don't see the issue. The only possible crimes I think are ones that have to do with either facilitating or conspiring to facilitate a criminal enterprise.
18 comments
[ 3.5 ms ] story [ 57.1 ms ] threadFrom my reading, as long as you're not furthering any crimes the community is engaged in, or impersonating a real person to gain their trust (as opposed to a fictional false identity), or breaching any systems they use, then it's generally okay to gather information. Purchasing stolen data (that you own/are authorized to possess) and vulnerabilities is more complicated, but they explain some legal ways of doing it.
Any U.S. organization that handles UGC MUST be aware of this, because failure to follow the process can clap back rapidly. IANAL, so ask yours, and I’m only familiar with the U.S. If you accept and transmit UGC, it will happen. Be ready and train your people, and be ready to support them when they collapse mentally from dealing with it (not even to mention the impact to the children).
I still have very specific nightmares and refuse to work in UGC/hosting due to this.
I don't give a damn what the company policy is, that shit is so corrosive that I'm not doing anything with it beyond reporting it to the authorities and then protecting myself.
edit: What is UGC/NCMEC? Acronym soup.
Which part is unclear?
So if you're buying password dumps only to protect your own users from account takeover then you're unlikely to face legal consequences? However, that's not ironclad and not explicitly protected by the law. No promises.
I know some large sites will use illicit passwords dumps to revoke re-used passwords for their own users. Though they'll be very obtuse and just tell users something like "your password has expired". Given the fuzzy legality of this practice, I can understand why.