Law enforcement agencies are using a legal loophole to buy up personal data exposed by hackers
- A company called SpyCloud is selling personal data originally obtained by hackers to law enforcement agencies, Vice reported Wednesday.
- Experts told Vice that, while the practice isn't illegal, it effectively lets police bypass processes they normally must go through to obtain private information.
- SpyCloud's chief product officer told Business Insider that the data is already public and that selling the data to law enforcement helps them track down cybercriminals and terrorists faster.
- Tech companies have found a lucrative business working with law enforcement, and while they argue their tools help catch criminals, critics are increasingly raising concerns about civil rights violations and innocent people being swept up in the process.
Law enforcement agencies have been buying up data originally obtained by hackers, including people's emails, usernames, passwords, internet addresses, and phone numbers, from a cybersecurity company called SpyCloud, allowing them to bypass normal legal processes, Vice first reported on Wednesday.
SpyCloud's primary business is selling software that helps companies and individuals prevent online fraud and account takeovers. The company's website says that software is powered by a massive database of "stolen credentials and [personally identifiable information]" that allows it to more quickly warn customers about exposed accounts.
But SpyCloud's clients also include federal law enforcement agencies, chief product officer David Engler confirmed to Business Insider in an email.
According to Vice, the company said in a webinar slide that its tools "empower investigators from law enforcement agencies and enterprises around the world to more quickly and efficiently bring malicious actors to justice."
While SpyCloud presents its tools as a way to help law enforcement investigators (and companies) catch cybercriminals, the practice also raises concerns about enabling them to collect information on innocent people, information that would have been private had it not been accessed through a data breach.
Investigators often need permission from a court to obtain certain types of digital information, but buying breach data from a private company gives them a more efficient — and less accountable — way to scoop up data.
Riana Pfefferkorn, a cybersecurity expert at the Stanford Center for Internet and Society, told Vice that this method of collecting data is "disturbing" and "an end-run around the usual legal processes" imposed on law enforcement officials who want to access people's digital information.
Engler told Business Insider that SpyCloud considers breach data public because it's already "circulating within criminal communities," adding that the company "enables investigators to use public data to shorten the legal process, not eliminate it."
While some breach data is more widely available, many of those criminal communities are far from public. Additionally, more than 15 billion records were exposed in nearly 8,000 breaches in 2019, according to Risk Based Security, giving law enforcement a treasure trove of personal data.
"We are aware that breach data is sensitive," Engler said, adding that SpyCloud takes "serious precautions to ensure that it is not misused." That includes practices like vetting customers and uses of its products, as well as limiting customers' queries of its database.
Technology and data companies have developed lucrative businesses selling tools to law enforcement agencies and the military. Research published this week by the nonprofit Tech Inquiry found that companies including Google, Amazon, and Microsoft have secured more than 5,000 subcontracts with agencies such as the Department of Defense, Immigration and Customs Enforcement, the Drug Enforcement Agency, and the FBI.
While companies argue their products play a vital role in helping the government track down criminals and terrorists, they've also sparked backlash from civil rights and privacy advocates — and increasingly, from employees — who worry about their ethical and legal implications, citing concerns such as companies selling data collected without people's permission to police and racial bias in facial recognition software.