Some companies are selling government agencies access to data stolen from websites in the hope that it can generate investigative leads, with the data including passwords, email addresses, IP addresses, and more. Motherboard reports: Motherboard obtained webinar slides by a company called SpyCloud presented to prospective customers. In that webinar, the company claimed to “empower investigators from law enforcement agencies and enterprises around the world to more quickly and efficiently bring malicious actors to justice.” The slides were shared by a source who was concerned about law enforcement agencies buying access to hacked data. SpyCloud confirmed the slides were authentic to Motherboard. “We’re turning the criminals’ data against them, or at least we’re empowering law enforcement to do that,” Dave Endler, co-founder and chief product officer of SpyCloud, told Motherboard in a phone call.
The sale highlights a somewhat novel use of breached data, and signals how data ordinarily associated with the commercial sector can be repurposed by law enforcement too. But it also raises questions about whether law enforcement agencies should be leveraging information originally stolen by hackers. By buying products from SpyCloud, law enforcement would also be obtaining access to hacked data on people who are not associated with any crimes — the vast majority of people affected by data breaches are not criminals — and would not need to follow the usual mechanisms of sending a legal request to a company to obtain user data.