In the past week a number of major media outlets have been running stories of law enforcement agencies purchasing illicit breach data, presumably for use in investigations. These stories track back to a report in Vice’s Motherboard magazine that names a firm called SpyCloud, which openly advertises collected breach data to these agencies.
SpyCloud has verified that it has (unspecified) law enforcement clients, and mention of the company in several press releases and interviews indicates that the Department of Justice has used it in at least one investigation.
The SpyCloud data story raises the specter of an “end run” around due legal process by these agencies, but it raises many more questions about what is actually happening than it answers.
What we know about the use of breach data by law enforcement
Motherboard names slides from an unspecified webinar hosted by SpyCloud as the source of its investigation, but it did not publish the slides in question or specify exactly what they said.
The article does not make clear specifically what breach data SpyCloud has access to, or whether any of it is not currently available to the public. The article describes a phone conversation with SpyCloud co-founder and chief product officer Dave Endler, who said that “… in our mindset (the data) tends to be already public.” That is a pointedly different choice of words from simply saying that the data is public, and it does not clarify exactly what the company uses. However, Endler did go on to state that SpyCloud has a “human intelligence team” that infiltrates underground forums and that the service also cracks hashed passwords included in breaches.
The Motherboard reporter describes creating an online account on the SpyCloud site and verifying ownership of their email addresses, at which point one can search data breach files for any mention of them. However, this is not substantially different from free services such as Have I Been Pwned? that allow the general public to find out whether their account credentials have been exposed in a breach. SpyCloud apparently uses legal hacking tools to expand its insights into this data, but these are the same tools that are available to and used by journalists for the same purpose.
There is certainly general reason for wariness about what might be going on here. Given that the exact data that SpyCloud is selling cannot be pinpointed, however, it is difficult to evaluate how much of a public concern this actually is.
There are a number of legal restrictions that would prevent law enforcement agencies from simply purchasing stolen data from criminals and using it in investigations, as Ilia Kolochenko, Founder & CEO of web security company ImmuniWeb, points out: “These sales statements sound a bit exaggerated and overhyped. In courts of many jurisdictions, use of stolen, or otherwise unlawfully obtained data or evidence, is expressly prohibited by law … As a matter of practice, some law enforcement organizations and police units indeed occasionally buy stolen data from various sources. The data may then be used for a wide spectrum of monitoring, preventive or investigative purposes. Its usage, however, rarely becomes official and mostly serves different ‘in-house’ purposes. Therefore, I doubt that Western law enforcement agencies would buy this stolen data from commercial companies or vendors … normally much of this data may be easily and lawfully subpoenaed from service providers and technology companies for the purpose of an ongoing criminal investigation … (subpoenaed data) won’t pose problems for law enforcement officers later.”
In the interview with Motherboard, Endler indicated that SpyCloud restricts the sale of breach data to law enforcement agencies working on certain types of investigations: human trafficking, computer hacking and financial fraud. The Justice Department’s 2018 acknowledgement of SpyCloud was in relation to a case that involved locating and shutting down 15 DDoS-for-hire sites.
Other law enforcement sources have acknowledged making use of breach data at times in their investigations. Kevin Metcalf, prosecuting attorney and head of the National Child Protection Task Force, told Motherboard that the organization makes use of breach data to track down child predators.
More transparency required?
While there is some question as to whether the data that SpyCloud incorporates into its law enforcement packages is appropriate for use, the incident does highlight the fact that there is little regulation of, or transparency into, law enforcement access to breach data obtained via the dark web and underground forums. While firm laws prevent such data from being used in court cases, it might still be used to make connections that are then publicly justified through other means.
Though it is not necessarily happening in this particular case, normalizing the purchase of illicit breach data for investigative purposes creates the potential for a perverse incentive. The bad guys may be motivated to steal if they know that law enforcement is willing to pay for access to hacked data.
Stronger federal data privacy laws are under discussion in the United States and likely to soon become reality, and the issue of access to data breaches may well end up being addressed by them. While law enforcement agencies might carve out exceptions in terms of disclosing the personal data they are collecting and handling, private companies such as SpyCloud would not have the same protections. Disclosure laws similar to those in place in the European Union would at least clarify exactly what personal information is among the stolen credentials these companies are obtaining and providing to law enforcement agencies.