The Grey Morality of Stolen Data
US law enforcement has a long history of attempting to gain greater insight into the digital world and its data. On the legislative front, the US government is currently pushing a bill to legalize the mandate of encryption backdoors for Internet-reliant companies. In the absence of a legal enabler, the acquisition of hacked information is an alternative method for gaining access into private companies’ data. At its root, the conversation around encryption and data security boils down to whether or not it is morally acceptable to sacrifice civilian privacy and acknowledge hacking as a viable alternative to legal means of information gathering in order to potentially prevent more heinous activities such as terrorist financing, human trafficking, and child abuse. Simultaneously, the normalization of a surveillance state, where both the physical and digital worlds are controlled by law enforcement, should give the general public pause.
The Denouncement of Encryption
The US government has long pushed for the circumvention of privacy requirements in the name of law enforcement, and the legal battle around data access by law enforcement is currently being fought in Congress. US Attorney General William Barr made various attempts throughout 2019 to implement encryption backdoors (not in so many words, though) for tech companies. These efforts were a direct continuation of demands from the Justice Department leading all the way back to the 1990s to allow law enforcement agencies access to encrypted data, popularly described as the “going dark” problem.
Earlier this year, a bipartisan group of senators introduced a bill titled the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT Act), which would allow the government to scan every message sent online and create a commission (led by Attorney General Barr and dominated by law enforcement agencies) with the authority make new rules on “best practices” that all Internet-reliant companies would be required to follow to maintain their Section 230 protections. This bill immediately drew significant ire from big tech companies, privacy advocates, and consumer watchdogs alike because it poses a direct threat to the use of encryption and puts authority over the Internet directly in the hands of law enforcement.
The recent rekindling of interest in these encryption workarounds was partially triggered by Apple’s refusal to help the FBI develop a method to forcibly access data on a locked iPhone used by Syed Rizwan Farook, one of the perpetrators of the San Bernardino massacre that took place in December 2015. The dispute drew national attention and caused mixed reactions – a survey conducted jointly by CBS and the New York Times found a nearly even split between those that believed Apple should have unlocked the iPhone and those who supported Apple’s decision to protect user privacy. Interestingly, despite this even split, a significant majority recognized the precedent that would have been created had Apple conceded, and nearly 70% of responders believed that the phone would have become more susceptible to hacking. The FBI, which initially sued Apple in 2016 for its refusal to comply, eventually dropped the lawsuit after discovering another workaround, and the case wrapped without a decision made.
The Current Legal Battle
Since the Apple case, two other relevant policy debates have emerged, centered on enabling access to user data for law enforcement: Section 215 of the PATRIOT Act and the Lawful Access to Encrypted Data Act.
Edward Snowden’s 2013 leaks revealed how Section 215 enabled the federal government to collect phone records through approval from a secret court established by the Foreign Intelligence Act (FISA). Because the court is subject to little oversight and approved most requests, the law essentially allowed for mass surveillance of citizens. This act, unsurprisingly, has proved controversial. When the PATRIOT Act was up for reauthorization this May, the Senate voted not to pass an amendment that would have banned law enforcement from obtaining internet browsing and search history data through FISA approval; however, the amendment failed to pass by only one vote, an extremely close outcome further muddied by the fact that 4 senators were unable to vote as a direct result of attendance limited by COVID-19.
Washington’s push to increase law enforcement access to user data (on the part of some senators) went a step further with the Lawful Access of Encrypted Data Act announced in June 2020, which would essentially force tech companies to build backdoors in their operating systems so that data can be decrypted upon request. This law presents a direct challenge to tech companies by providing another avenue for the government to surveil users with little oversight while simultaneously undermining overall user security. Had this law been effective in 2015, Apple would have had no choice but to decrypt Farook’s phone. Unsurprisingly, such legislative efforts have been met with continued criticism by tech companies, privacy experts, and nonprofits.
A Lucrative Business
The use of hacked information by government agencies also validates the fraudsters behind the hacking. Currently, there are 15 billion credentials sourced from more than 100,000 data breaches circulating on the Dark Web and in underground marketplaces. Credentials to high-value accounts (bank accounts with confirmed high balances, accounts with privileged access to enterprise systems) are auctioned to bidders at prices ranging from $500 to $120,000 per account. And non-high-value accounts still cost a pretty penny: domain administrator accounts fetch an average of $3,139, while bank account credentials average $70.91 each. Even a list of active phone numbers can sell for up to nearly $2,000.
Concurrently, we are witnessing the growth of account takeover-as-a-service, which allows for the temporary “rental” of identities. The tacit acknowledgment by law enforcement of the value of such data, in conjunction with the already lucrative prices associated with selling and “renting” identities, may very well embolden the actions of fraudsters and expose the personal data and details of more civilian users.
How can we reconcile this behavior by law enforcement agencies against existing privacy regulations such as the California Consumer Privacy Act, which places further control of personal data into consumer hands? Consumer data does not transform into public property just because it has been hacked. As such, consumers should have recourse in deciding whether or not to allow companies to sell their information, and provide or withhold consent from law enforcement agencies to access or use sensitive personal data.
Fundamentally, we need to consider the ethics around online data and stolen data. Is it morally acceptable to circumvent existing privacy laws in order to prevent activity that is “more” illegal? Weighing the pros and cons when considering the use of hacked data by law enforcement, does the potential for good outweigh the authenticity it lends to bad actors? If given the choice between hacking and heinous illegal activity such as terrorism funding, human trafficking, or child abuse, can we afford to fund the lesser of two evils?
Performing this kind of cost-benefit analysis requires the consideration of a grey morality. In the absence of a regulatory decision being made to require or forbid the implementation of encryption backdoors, we need to decide if the crimes that may be prevented are worth the validation of hacking, the loss of civilian privacy, and the normalization of a surveillance state.