
Is My Project Idea a Crime?

Published 7 hours ago · 12 minute read

Spoiler: Probably not, though it should be.

Microsoft's security wing claims to have processed 78 trillion signals in 2024, a 225% increase from 2020. Catching up in cybersecurity means being able to crunch massive amounts of data. As I gear up for a career in the field, I have made sure to keep my data skills sharp. The hard part is that I don't have free rein over an enterprise network to harvest data from. However, there's another infinite font of interesting data: the dark web.

Didn’t want to put money in the “used a picture of a hoodie guy leaning over a laptop in a post about the dark web” jar

I have a couple of ideas for interesting research questions involving dark net data dumps that I would pursue if I had the patience for IRB paperwork and the funding:

Ads of dumps for sale on the dark web sometimes boast about containing the data of notable people, including government officials or C-suite executives. The presence of these records increases the value, but by how much? Also, how does sector impact the price of leaked data? Do records of hospital staff or stock traders cost more than teachers? Though ambitious, we can construct a model with enough data points to price a data dump given its characteristics, like data dump size, target sector, government connections, and cryptocurrency exchange rates.

Leaning on some of my work from my last post, where I attempted to guess the countries of origin for individual open source authors, what is the spread of countries that show up in data leaks? Also, can we correlate people across data leaks and see if they've changed their passwords?

In the infamous Ashley Madison leak in 2015, the hackers were very public about their motivation. The hackers clearly stated that they targeted Ashley Madison on ideological grounds. They leaked everything, even desk locations, payroll, and the port assignments for network jacks. How do ideologically motivated leaks differ from financially motivated leaks? Is data leaked by ransomware gangs likely to be as extensive as the Ashley Madison leak, or just contain passwords? Is the breadth of the Ashley Madison leak typical of ideologically motivated leaks? Are there any instances of data leaks attributed to foreign intelligence agencies, and how do those differ?

Of course, I am not a lawyer; I'm just a coffee shop. Nothing I say should be taken as legal advice.

GET A LAWYER. THIS IS NOT LEGAL ADVICE.

That being said, enter Section 1030 of the US Criminal Code, titled "Fraud and related activity in connection with computers." This is the primary section used by the federal government to prosecute hackers and ransomers, and it was made law after the passage of the Computer Fraud and Abuse Act of 1983. Allegedly, this was rushed through Congress after panic from the 1983 movie WarGames.

He just like me fr

Remember, I want to download illegally obtained data and release an anonymized analysis of this data. At no point would I plan to distribute data, even an anonymized or redacted set. I would take every care to ensure that anonymity is preserved in my final published analysis. At no point would I pay anyone for any data, meaning I am not contributing to the illegal data trafficking ecosystem. I would immediately delete the data once it is processed, and I would go so far as to only store it on a cheap external hard drive, which I would promptly destroy after I have analyzed the data.

To be clear, I haven't done any of this, nor do I plan to. For transparency, I downloaded the Ashley Madison data dump a while ago out of curiosity, but that's hardly remarkable. Heck, it's linked on at least one large publication's website, along with instructions on how to torrent it.

This gives us a single legal question: Can I download stolen data?

Let's examine the section's actual verbiage. §1030.a defines seven crimes covered by this section, so let's go through them one at a time.

Starting off:

§1030.a.1 Whoever having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;

This clause deals with leaking classified information and national security. If I find classified information, I will immediately report it to the authorities.

§1030.a.2 Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act(15 U.S.C. 1681 et seq.);

(B) information from any department or agency of the United States; or

(C) information from any protected computer;

§1030.a.2 specifies "intentionally accesses a computer without authorization... and thereby obtains...". Because I am not personally hacking into a computer, I am clear of subsection 2. However, the bullets introduce the "protected computer" term, which will appear later. A "protected computer" is any computer that is a) used by a financial institution or the US Government, b) used in interstate commerce, even if located outside the US, or c) part of a voting system.

It is interesting that financial institutions are given the same level of importance as classified government systems, though as a big fan of America's monopoly on the global financial system, I can't complain. That being said, I now know to be wary of any records linked to a financial institution.

§1030.a.3 criminalizes accessing nonpublic computers without authorization, which I will not be doing. This will be a common theme.

§1030.a.3 Whoever intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;

§1030.a.4 specifies hacking or stealing from a protected computer used by the government.

§1030.a.4 Whoever knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;

Another subsection that criminalizes actively hacking into a computer. Not applicable to me.

Subsection 5 specifies sending malicious network traffic over the wire to a computer.

§1030.a.5

(A) Whoever knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

I would imagine that prosecutors can use this to go after organizers of DDoS campaigns, but again, not applicable to me.

Subsection 6 is one we should focus on.

§1030.a.6 Whoever knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization

It looks like my ability to pursue this project hinges on the definition of "traffic" as described in §1029. Thankfully, the definition is as follows:

§1029.e.5 the term "traffic" means transfer, or otherwise dispose of, to another, or obtain control of with intent to transfer or dispose of;

Because I will not distribute or sell any data I acquire, I am not "trafficking" in stolen data, so we're clear.

Subsection 7 deals with the extortion half of cybercrime, like ransomware.

§1030.a.7 Whoever, with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—

Again, I'm not hacking into a computer, so we're clear.

All in all, I believe I am legally in the clear under Section 1030 for my specific use case. The only project on shaky ground is tracking passwords across breaches. While subsection 6 criminalizes trafficking in passwords, it doesn't apply to entities receiving the data without intent to sell. Let's look at another section.

The Economic Espionage Act created Section 1831 of the US Criminal Code, which has been used to indict hackers working for foreign actors to steal "trade secrets." This includes a case in 2015 in which five People's Liberation Army hackers were charged with 30 counts of economic espionage.

§1831.a In General.—Whoever, intending or knowing that the offense will benefit any foreign government, foreign instrumentality, or foreign agent, knowingly—

First, is the information in a credential dump a "trade secret"? According to the Uniform Trade Secrets Act adopted by 48 states, a "trade secret" must have "independent economic value, actual or potential." To my understanding, most courts have ruled that credentials do not count as "trade secrets", except for a notable case highlighted at RSA 2010. In this case, TMX Funding sued Impero Technologies, a company formed by laid-off employees. TMX Funding believed that Impero had stolen or used their old credentials to remotely steal code and other actual "trade secrets" from TMX Funding, which confers "independent economic value" on the login credentials. However, to my understanding, this is a one-off ruling, and in most other situations, a dump of credentials cannot be considered a trade secret.

Second, the Economic Espionage Act only applies to those working for the benefit of a foreign entity.

There's a smattering of other sections of Federal Law I want to address:

The entire section deals with "identification documents", which, to my understanding, are physical documents like driver's licenses, passports, and birth certificates. Even if passwords can be considered a digital document, every subsection criminalizes "possession with intent to (commit a crime)."

This section deals with credit card fraud. Every subsection has "knowingly and with intent to defraud" as the first few words except subsection 9, which refers to possessing "hardware or software" that "insert(s) or modif(ies) telecommunication identifying information". While I'm not sure if a password dump counts as "telecommunication identifying information," it is irrelevant because I do not own any hacking tools meant to alter credit cards. I hope that there is a precedent that allows legitimate security research.

Section 2314 criminalizes "Whoever transports, or transfers in interstate or foreign commerce any goods, wares, merchandise, security, or money." To my knowledge, precedent has determined that this act only deals with "tangible" goods, not software or data. The notable example is a case in which a former VP of engineering at Goldman Sachs absconded with the source code of their high-frequency trading platform and joined a startup. The case was dismissed after the court determined that the source code held no tangible value. While harshly criticized, this decision led to the "Defend Trade Secrets Act" of 2016, which codified Section 1836, which provides the country-wide definition of a trade secret.

The Health Insurance Portability and Accountability Act introduced criminal penalties for anyone who "knowingly...obtains individually identifiable health information". I had no plan to download health information. Still, I'm glad to know that possession of Protected Health Information (PHI) is criminalized, even if a defendant has no intent to distribute or sell.

To be clear, I only looked at federal law and what case law I could find. State law is a different world entirely.

As far as I am aware, I can download leaked data off the internet with no legal repercussions as long as:

The fact that entities can just download stolen data is deeply troubling. While good for curiosity-driven researchers like myself, this is an obvious blind spot in the tools prosecutors can use to go after hackers, scammers, and ransomware gangs.

A genetic ancestor of mine had a serious disease that has genetic markers but has been asymptomatic for decades. Neither I nor any of their other descendants have shown any symptoms of this disease, and we almost certainly never will. It's not hard to imagine my health insurance provider downloading that ancestor's leaked genetic data from 23andMe or Ancestry, tying that back to me, and then raising my premiums because I am "predisposed" to a disease I never will have. While the Genetic Information Nondiscrimination Act (GINA), in theory, prevents health insurance companies from using genetic predisposition in premium decisions, and HIPAA would criminalize the possession of that data after it is tied back to me, do we trust health insurance companies to follow the law?

Here in the US, the slack from our dysfunctional federal government and its failure to adapt to the twenty-first century is being picked up by the states. My home state of Utah in 2022 became the fourth of the twenty states that have codified a comprehensive data privacy law. GDPR's not perfect, but I envy Europe and her universal privacy law.

There are many entities doing the dirty work of advocating for data privacy, including EPIC, ACLU, Consumer Action, and the storied Electronic Frontier Foundation. I met some of their people at ShmooCon in DC, and I can't speak highly enough of their drive to make the internet safer for us through their advocacy and technical work. Let's put democracy to work.

When they found out I was a college kid, they gave me this sticker for free. Thanks guys.

In America - The Charlie Daniels Band

Hokus Pukus - Insane Clown Posse (who I guess are crips? I wish I was around when MTV was cool)

Walk Like an Egyptian - The Bangles

Origin: Breaking Things with Jake