
Legal considerations when gathering threat intellegence from illicit sources [pdf] - scalableUnicon
https://www.justice.gov/criminal-ccips/page/file/1252341/download
======
tptacek
To me, the big question underneath all of this is password dumps. I don't know
that there was much uncertainty about buying vulnerabilities. But password
dumps are almost always per se stolen data, and it's a bit of an open secret
that there are anti-ATO teams using those dumps to create better versions of
HIBP. I read this looking for clear guidance on whether it was safe to buy a
password dump if you're only using it to force password resets for your users,
and didn't come away with much certainty in either direction.

~~~
LannisterDebt
>As noted above, many of the federal criminal statutes associated with the
type of stolen data that tends to be sold in Dark Markets—e.g., passwords,
account numbers, and other personally identifiable information—only apply if
there is intent to further another crime: for instance, an intent to use the
information to defraud.33 For this reason, a purchaser of the stolen data who
lacks a criminal motive is unlikely to face prosecution under those statutes.

Which part is unclear?

~~~
varenc
> knowingly purchasing another party’s stolen data without that party’s
> authorization can pose some legal risk. It is much more likely to raise
> questions about the purchaser’s motives and result in scrutiny from law
> enforcement and the legitimate data owner, particularly if a trade secret is
> involved.

So if you're buying password dumps only to protect your own users from account
takeover then you're _unlikely_ to face legal consequences? However, that's
not ironclad and not explicitly protected by the law. No promises.

I know some large sites will use illicit password dumps to revoke re-used
passwords for their own users. Though they'll be very obtuse and just tell
users something like "_your password has expired_". Given the fuzzy legality
of this practice, I can understand why.
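The matching step that the comment above alludes to, as an added example that is not part of the thread or of the linked DOJ document: take a leaked `email:password` dump, look up only the accounts whose e-mail actually appears in it, and verify each candidate password against the site's own stored hash so that a match forces a reset. The dump contents, the user table and the PBKDF2 stand-in for the site's real password hash (bcrypt/argon2 in practice) are all constructed here for illustration; the plaintext from the dump is never logged, only the account that needs a reset.

```python
import hashlib
import hmac
import os

# Illustrative parameters; a real site would use bcrypt or argon2 with
# whatever cost it already stores for its users.
PBKDF2_ITERATIONS = 100_000


def normalize_email(email: str) -> str:
    """Dumps and user tables rarely agree on case or whitespace."""
    return email.strip().lower()


def hash_password(password: str, salt: bytes) -> bytes:
    """Stand-in for the site's stored password hash (assumption: PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(email: str, password: str) -> dict:
    """Constructed user record: what the site's own database would hold."""
    salt = os.urandom(16)
    return {"email": normalize_email(email), "salt": salt, "hash": hash_password(password, salt)}


def parse_dump(text: str) -> dict:
    """Parse 'email:password' lines into {email: {candidate passwords}}.

    Passwords may themselves contain ':', so split only on the first one.
    Malformed lines are skipped rather than guessed at.
    """
    creds: dict = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        creds.setdefault(normalize_email(email), set()).add(password)
    return creds


def find_compromised(users: list, dump_creds: dict) -> list:
    """Return the e-mails whose current password appears in the dump.

    Only accounts present in the dump are checked, and only against the
    candidates listed for that account, so the cost is bounded by the dump
    size rather than dump size times user count.
    """
    hits = []
    for user in users:
        for candidate in dump_creds.get(user["email"], ()):
            if hmac.compare_digest(hash_password(candidate, user["salt"]), user["hash"]):
                hits.append(user["email"])
                break  # one match is enough to force a reset
    return hits


def demo() -> list:
    """Run the check over constructed data and return the accounts to reset."""
    users = [
        make_user("Alice@Example.com", "correct horse battery staple"),
        make_user("bob@example.com", "unique-and-unrelated"),
        make_user("carol@example.com", "hunter2"),
    ]
    # Constructed dump: alice re-used her password, bob's leaked password is
    # stale, carol is not in the dump at all, and one line is garbage.
    dump_text = """
    alice@example.com:correct horse battery staple
    bob@example.com:old:password:with:colons
    not-a-credential-line
    dave@example.com:hunter2
    """
    to_reset = find_compromised(users, parse_dump(dump_text))
    for email in to_reset:
        # Log the account, never the candidate plaintext.
        print(f"forcing password reset for {email}")
    return to_reset


if __name__ == "__main__":
    demo()
```

The lookup is keyed on the dump's e-mail column on purpose: trying every dump password against every user both multiplies the hashing cost and makes the result harder to justify as protecting your own accounts rather than cracking them.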

~~~
tptacek
Also, there's a potential gap between "protecting your users" and "selling
protection for users to other companies" that you'd really like to see
clarified, if you're a vendor who buys password dumps to provide a commercial
ATO service.

------
meowface
I'm glad they released this and made it clear that there is a legal and safe
way to collect this sort of information.

From my reading, as long as you're not furthering any crimes the community is
engaged in, or impersonating a real person to gain their trust (as opposed to
a fictional false identity), or breaching any systems they use, then it's
generally okay to gather information. Purchasing stolen data (that you own/are
authorized to possess) and vulnerabilities is more complicated, but they
explain some legal ways of doing it.

~~~
whatsmyusername
One thing to keep in mind. They specifically call out that anything involving
child pornography isn't covered by this document. The gist I got was, "Don't
be a dipshit, run screaming in the other direction if you get even a whiff of
it," which is my policy on the subject regardless of this document.

~~~
ncmecthrowaway
There are several situations where you, by nature of your employment and/or
the discovery, may be legally required to disclose finding it to certain
parties. Running away as you suggest can create legal liability in a few
circumstances. Speak with your corporate lawyer and someone at NCMEC if you
are based in the United States and come across this situation, _especially_ if
it is UGC that your network touched in any way.

Any U.S. organization that handles UGC MUST be aware of this, because failure
to follow the process can clap back rapidly. IANAL, so ask yours, and I’m only
familiar with the U.S. If you accept and transmit UGC, it will happen. Be
ready and train your people, and be ready to support them when they collapse
mentally from dealing with it (not even to mention the impact to the
children).

I still have very specific nightmares and refuse to work in UGC/hosting due to
this.

~~~
LiquidSky
I used to work as in-house counsel at a machine learning company and we had
exactly the system you describe set up: a standard set of procedures for
immediate reporting of child pornography found in image batches sent to us by
customers, NCMEC notification, quarantining and isolated storage of the data,
and offering counseling for affected employees. It didn't happen often,
thankfully, but was pretty eye-opening about what's out there.

------
JadeNB
'Intellegence' in the title should be 'intelligence', as in the linked
document.

