
The Ethics of Running a Data Breach Search Service - robin_reala
https://www.troyhunt.com/the-ethics-of-running-a-data-breach-search-service/
======
mattmanser
Interesting read, I'm always impressed with the work Troy puts into this
service and his general security campaigning.

------
Sophistifunk
I'd happily pay $20 a year to get notifications for my wife's and my various
email addresses, if it meant an honest service that wasn't trying to sell us
shit via spam.

------
feelin_googley
"Hey, Microsoft's Azure Active Directory alerted me to leaked credentials but
won't give me any details so there's very little I can do about it"

* * *

"An increasingly large number of organisations are doing precisely what's
described above - trawling the underbelly of the web, obtaining breached data
then using it to better protect their own accounts. _You think about it_ -
if, for example, Amazon finds a dump of data that has thousands of their
customers in there with the same username and password as on their own
service, that's really useful info for them."

[https://www.troyhunt.com/random-thoughts-on-the-use-of-breach-data/](https://www.troyhunt.com/random-thoughts-on-the-use-of-breach-data/)

Yes, I do think about it.

But my thoughts are not reflected by these blog posts.

First, if a confidential email address leaked, potentially to any third party
who is interested, the last thing I would want as the owner is to give that
email address, or provide any meta data about it, to one more third party.

Thus, any website "service" purporting to check the dump for a particular
email address is, for me, unacceptable.

I recall the months before Hunt started his website, when others were running
similar websites to search then-current dumps of data breaches.

In online discussions at the time it seemed that many observers were correctly
identifying these sites as a potential means for third parties to collect
email addresses or even for parties in possession of a dump to verify which
email addresses were active, and to correlate them with an IP address.

This sort of critical commentary seems to have died off, and today a high-
traffic site like Hunt's appears to be bordering on some sort of commercial
enterprise. It is frightening to think of all the dumps he has collected and
that they reside on computers connected to the internet. He further discloses
that he is affiliated with Microsoft/LinkedIn.

There exists at least one user who would be willing to download dumps and
check for themselves, privately, _offline_.FN1 Downloads of the dumps are not
provided. However Hunt mentions users were querying his site at 40,000 queries
per minute. One can see why Hunt might be having some ethical questions about
what he is doing.

Those parties who really want these dumps will get them. (I can accept this.)
But the fact that it may be Microsoft or another web company that is getting
them is IMO no less potentially harmful. Unfortunately the availability of
dumps has not led to sites that provide a means for users to search privately
offline but instead ones that purport to check the dumps in return for further
data e.g. "Enter an email address." (I still have a difficult time accepting
this, hence this comment.)

While companies obtaining the dumps can make an argument they are not the "bad
guys" I find it no less concerning that they are obtaining the data.

Some of the data may relate to their own customers as Hunt suggests, _however
some of it may not_.

Second, we have no idea how companies are using the data. I think it is naive
or deliberately ignorant to believe they will not use it in ways that put
their own commercial interests before those of the persons owning the data in
the dumps.

Third, for some users, the data was never meant to be in the possession of
these companies. In fact, that may have been the reason the data was "private"
to begin with, i.e. to protect against the privacy invasiveness of such
companies. To these users, the _companies_ may be the "bad guys".

Anyway, those are my thoughts. As you can see, they differ somewhat from Mr.
Hunt's.

FN1. Bias disclosure: I write filters that transform "unreadable" formats, like
SQL dumps, to readable text, as a hobby. Of course it has crossed my mind that
someone could provide software that lets a user 1. download a dump (in the
same way they routinely download other large files e.g. videos), 2. converts
the file to a simple text format and 3. provides a simple search interface to
search the saved dump _offline_. I am not suggesting this is the best solution
for everyone. Nor am I suggesting that no one should use Hunt's website. I am
merely commenting that I do not see online search via a third party website
nor joining an email alert list as ideal solutions. I am suggesting there
should be more critical commentary of these sites and "services" and
consideration that maybe we as users could do better.
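An added illustration of the offline workflow the footnote sketches (steps 2 and 3), not code from the thread or from any real tool: it reduces a MySQL-style dump to a hash index of addresses and checks one's own addresses against it locally, so no address is ever sent to a third party. The dump fragment is constructed for the example; the regex and the INSERT-only scan are assumptions about the dump format.

```python
import hashlib
import re

# Constructed sample of a SQL dump fragment, the kind of "unreadable" format
# the footnote describes; every row here is invented for this example.
SAMPLE_DUMP = """\
CREATE TABLE users (id int, email varchar(255), pw varchar(255));
INSERT INTO `users` VALUES (1,'alice@example.com','5f4dcc3b5aa765d61d8327deb882cf99');
INSERT INTO `users` VALUES (2,'Bob@Example.ORG','e10adc3949ba59abbe56e057f20f883e'),(3,'carol@example.net','...');
-- a comment line that should be ignored
"""

# Assumed: addresses appear as single-quoted SQL string literals.
EMAIL_RE = re.compile(r"'([^'@\s]+@[^'\s]+)'")


def normalize(email: str) -> str:
    """Lower-case and trim so the same mailbox written differently still matches."""
    return email.strip().lower()


def email_hash(email: str) -> str:
    """SHA-256 of the normalized address; the saved index keeps no plaintext."""
    return hashlib.sha256(normalize(email).encode()).hexdigest()


def build_index(dump_text: str) -> set:
    """Step 2: reduce the dump to a simple, searchable form.
    Only INSERT statements are scanned; each quoted value that looks like an
    address is hashed and kept, so the index can be stored without the raw dump."""
    index = set()
    for line in dump_text.splitlines():
        if not line.lstrip().upper().startswith("INSERT"):
            continue
        for email in EMAIL_RE.findall(line):
            index.add(email_hash(email))
    return index


def check_offline(index: set, my_addresses) -> dict:
    """Step 3: look up one's own addresses locally; nothing leaves the machine."""
    return {addr: email_hash(addr) in index for addr in my_addresses}


if __name__ == "__main__":
    idx = build_index(SAMPLE_DUMP)
    print(check_offline(idx, ["bob@example.org", "dave@example.com"]))
```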

~~~
rocqua
> He further discloses that he is affiliated with Microsoft/LinkedIn.

This is not correct. I assume you are referring to:

"There are degrees, of course; at one end of the spectrum you have the likes
of Microsoft and Amazon using data breaches to better protect their customers'
accounts."

However, that text only contains a link [1] to a blog post about how companies
(like Microsoft and LinkedIn) go and look for this data by themselves. Nowhere
is it stated that Troy helped them, or even that anyone discussed such help.

I agree that it is scary that someone has this data, but I see very little
that is dangerous about how Troy uses it. The worst complaint I have is not at
first marking the furries leak as sensitive.

[1] [https://www.troyhunt.com/random-thoughts-on-the-use-of-breach-data/](https://www.troyhunt.com/random-thoughts-on-the-use-of-breach-data/)

~~~
akerl_
I suspect the connection to Microsoft was drawn from this on the site’s about
page:

“I'm Troy Hunt, an Australian Microsoft Regional Director and also a Microsoft
Most Valuable Professional for Developer Security. I don't work for Microsoft,
but they're kind enough to recognise my community contributions by way of
their award programs which I've been an awardee of since 2011.”

~~~
feelin_googley
Correct. It was a poor choice of words.

s/affiliated with/an evangelist for/

The implication here is that he may see fewer problems with Microsoft or its
subsidiaries, e.g. LinkedIn, having access to stolen personal data than
another user who may take a different view of these companies, for a variety
of reasons. I am implying he has a high opinion of Microsoft.

Contrary to the other commenter's interpretation, I am not implying he shares
data with any companies under some special arrangement or assists them in
locating dumps. Of course, given his comments that he believes these companies
only use such data to protect users, it seems reasonable to imagine that he
might not have any ethical issues with doing that.

