Difference Between Spreading Information and Enabling Crime

Tuesday, February 14, 2012

Rafal Los


I'm taking a break from clouds for a minute to wax philosophically with you.  I sense I know there will be a sharp divide on this issue about to be discussed here, so I'm hoping we can have a constructive conversation around the topic. 

I also think that as in an earlier conversation on Twitter it's a matter of perspective and understanding fully the implications.  So here's the issue...

Let's take this as a for instance... with all the hacking going on, it is quite real I assure you.

Imagine a site being hacked, the database cracked wide open and pulled out... posted to pastebin or one of the equally used paste sites and the link posted to Twitter from one of the hacker teams, collectives or whatever accounts.  It is the re-tweeted over, and over, and over, and over ad nauseum and while everyone keeps getting at the data a question arises.  Is this legal... or even ethical?

This is the basis for the question I'm asking.  Is re-posting and spreading (or helping spread) the exploits of one of these hacker groups or individuals OK?

A question of ethics

I think ultimately it comes down to what you believe, and where you draw your own ethics boundaries.  Whether you think this is a violation of an ethics code or not - you have to be able to see that this is a slipper slope. 

Where does the line between being complicit in a crime (say a cache of credit card information was just exposed and you're helping to spread it around?) end, and the need to spread information and awareness begin.

A colleague and personal friend made the point that it's in our best interest to ensure that we check these caches of information to make sure friends, family, and colleagues aren't exposed without knowing it. 

A very valid point except you have to ask yourself where, again, the line is between you looking out for yourself and your loved ones, and peeking at the information of others you shouldn't (legally or otherwise) have access to.  Is it right (is it OK) to perpetuate a criminal activity (the hacking incident itself) by continuing to spread the information that was hacked/stolen?  This is the root of the case.

What about the law?

What's unclear is how the law feels about this.  As someone else pointed out, the media does this all the time with photos or information that was discovered illegally and rarely does anyone get arrested or charged.  I would agree with that fact except that I would add that rarely does an individual get to hide behind the freedom of the press shield... right?

Another issue is if the stolen information (because let's be clear, this is a cache of stolen information from somewhere that is otherwise not public) is not considered public because it has been posted somewhere publicly.  This is an interesting legal boundary question, and I'm definitely not qualified to give an assessment of this from a legal standpoint so I'll give you my understanding and opinion. 

As far as I understand the law in the United States (and if someone reading this is a lawyer, please comment!) property that is stolen in the commission of a crime (in the physical world or digital) that is made public does not auto-magically become public information.  That information is still considered private. 

I am making this supposition because I've seen this unfold from military cases where national secrets [classified information] were stolen and made public. This did not make them unclassified and furthermore, anyone who asked a law enforcement official was advised not to view, download, or spread links to that information because it was the continuation of a federal crime.

I don't think this situation is that much different ...perhaps significantly less extreme, but not that much different.  I'm fairly confident that if some company decided that they wanted to go after everyone who re-tweeted the links to the pastebin where their stolen company proprietary information was, they could make a fair run at it in the US court system, even with the law years behind the Internet.

It's about the cache

Luckily most people don't get prosecuted or charged for distributing (or re-tweeting) a link to a pastebin dump.  Where is the line drawn then, and why are some incidents bigger than others?  I think the question ultimately goes to the cache of information. 

While I think we can agree knowingly distributing stolen information or data (or things obtained during the commission of a crime) is illegal, there is some leeway with "how illegal" that can be and whether you'll be the target of a legal probe if you pass on a link, download some information, or do an 'in depth analysis' on your blog.

If a company ends up losing its password database, that's pretty bad but arguments could be made that this isn't the end of the world and that in the end we the security community could use the information "for research purposes" in the correct forum and with purity in our hearts for the betterment of humankind. 

This is unlikely to land you in jail... but heck, what do I know.  It's different if that cache of information is medical data, stolen company secrets, or classified government documents.  It's all about the context and the information (data) being discussed so it's just not that simple.

I think in the end what is unethical doesn't change, but what is illegal depends on case law, what the attorneys are willing to prosecute, and what's even realistically worthwhile for prosecution.  The amount, classification of, and value of the data you're helping to disseminate or download is what ultimately makes or breaks your legal case.

For another perspective...

Seeking a perspective outside my own, I turned to Laura Walker (@LauraWalkerKC), JD & Research Analyst in the fields of Intelligence, Counterintelligence, OSINT, HUMINT, Terrorism & Political Violence, Legal Issues in Information Security, Computer Forensics & Cybercrime.  She is clearly qualified to speak on behalf of some of the legal implications here...

On the topic of reposting or posting links to stolen data:

As with a lot of IS issues, the law is way behind the technology, but there are principles in common law and statutes governing stolen goods that are applicable.  For example, "trafficking in stolen goods" reaches beyond the actual theft or possession of stolen goods to disseminating them, and not necessarily for profit.  With most criminal law you are dealing with "mens rea" or criminal intent. 

Just viewing a pastebin put up by Anonymous that has stolen data on it isn't necessarily going to qualify - it is more like rubbernecking a car accident.  It is plausible you had no idea the post contained actual stolen data and if you witness it and move on - you really haven't done anything wrong.

But reposting the information or passing around a link to it is different.  Assuming you visited the link, you know it leads to stolen data.  By passing that link around, you are passing access to stolen goods and encouraging others to view them and do what they will.  You are facilitating the use of the stolen data = trafficking.  You might as well be handing out stolen credit cards on a street corner, because that is what a jury would see.

Trafficking in stolen goods is typically a felony.  Some random examples of trafficking statutes:

Washington: RCW 9A.82.050 Trafficking in stolen property in the first degree.
(1) A person who knowingly initiates, organizes, plans, finances, directs, manages, or supervises the theft of property for sale to others, or who knowingly traffics in stolen property, is guilty of trafficking in stolen property in the first degree.
(2) Trafficking in stolen property in the first degree is a class B felony.
[2003 c 53 § 86; 2001 c 222 § 8. Prior: 1984 c 270 § 5.]

Arizona: 13-2307.  Trafficking in stolen property; classification
(A) A person who recklessly traffics in the property of another that has been stolen is guilty of trafficking in stolen property in the second degree.

(B) A person who knowingly initiates, organizes, plans, finances, directs, manages or supervises the theft and trafficking in the property of another that has been stolen is guilty of trafficking in stolen property in the first degree.

(C) Trafficking in stolen property in the second degree is a class 3 felony.  Trafficking in stolen property in the first degree is a class 2 felony.

The likelihood of actually being prosecuted solely for disseminating the link to stolen data is pretty much nonexistent - for now.  The jurisdictional issues alone are a  mess, and law enforcement resources are better spent on identifying and prosecuting the actual thieves. 

But if by some random chance you are pulled into a sweep of potential Anonymous hacking cases - well good luck to you.  A baby A.D.A. could make the felony stick if you're already in the case.  At best, you just found a way to pay another lawyer a nice fat retainer for what I am telling you for free.

Btw - we had a brief discussion about the ethics of reposting links to stolen data posts.  I find it amusing anyone would consider this a "grey area". I suspect the ethics wouldn't be so fuzzy if you saw your own social security number or bank account on one of those posts.

There you have it.  What do you think?  How do you feel about all those links to the pastebin sites you're likely re-posted or re-tweeted that contain hacked or illegally obtained information? 

Add your opinion here, or speak out on Twitter, just reply to @Wh1t3Rabbit... let's hear your thoughts.

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Enterprise Security
Information Security
Legal breaches Intellectual Property Information Security Infosec Illegal content Law Enforcement Ethics Pastebin Proprietary Information Data Dump Rafal Los Laura Walker
Post Rating I Like this!
Krypt3ia Two words "Mens Rea" http://en.wikipedia.org/wiki/Mens_rea We have had this argument before. It is the intent not that its out there. It comes to court that will be the base of the case if you have a good lawyer.
Mike J On the ethical front, given that the motivation for a lot of these hacks is notoriety, spreading the information around is fueling the fire. By assisting the hacker in gaining the maximum exposure for the illegal activity you are in a sense providing the benefit that they expected for committing the act. It is harder to justify spreading the information as ethically sound, knowing that by doing so you are encouraging unethical acts.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.