Sensitive data, once it has been leaked, raises many legal and ethical questions. To what extent can this unlawfully collected data be used to help its victims? While the legislation seems to say no, one website, “Have I Been Pwned”, has imposed its own pragmatism.
Any time a data breach is made public, the general public logically wonders, “Is my personal information in there?” Almost every time, dedicated pages are built to answer that question. The latest example is the incident involving the 500 million phone numbers stolen from Facebook. The next day, websites such as haveibeenzucked.com and haveibeenfacebooked.com were launched: you only had to enter your personal details (phone number, name) to find out whether you were included in the breach.
When data breaches become publicly accessible, the media, and therefore the general public, usually take notice. To retrieve the Facebook leak, for example, all you had to do was log in to a well-known data-sharing site, accessible from any browser, and pay a few credits (the equivalent of two euros) to obtain one of the download links.
The database was obtained by cybercriminals, cybersecurity analysts, journalists, and a wide variety of interested individuals, some of whom wished to contribute in some way. Anyone who builds a website giving access to hacked data enters a legal grey area: the afterlife of personal data once it has been leaked. Many people step into that zone every time data is leaked, but only one site seems to have been accepted by the authorities in the long run: “Have I Been Pwned”.
Have I Been Pwned, the undisputed reference
Have I Been Pwned (HIBP) has existed since 2013 and has only ever been run by one man, Troy Hunt. Today this Australian is known as “Mr Data Leak”, the face of the website that has become the undisputed authority on the subject. “Have I Been Pwned is built on a simple question: an incident has occurred, we can’t fix it, so what’s the best thing to do?”
Hunt, a true visionary in the murky world of leaks, has watched them multiply in recent years. He has also closely followed the tightening of regulations, in particular the entry into force of the General Data Protection Regulation (GDPR) in 2018, a watershed moment for the protection of personal data.
Today, HIBP lets visitors search more than 10 billion rows of leaked data for their email address (and, with rare exceptions, other data). The platform then shows whether the email appears in a leak, which leak it is, and what other kinds of details were exposed alongside it. These queries run on Hunt’s sanitised databases, in which only the email address is kept as the common denominator between leaks. The rationale for this precaution: if the site itself were ever compromised, the damage would be limited, since attackers would only gain access to that data.
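To make the data-minimisation point above concrete, here is an added example (not HIBP’s own code, and its field names and sample rows are constructed) of a sanitised breach index: each raw row is reduced to its email address plus the names of the other data classes present, so the stored index never contains a password hash, phone number or date of birth.

```python
from collections import defaultdict

# Constructed sample rows imitating a raw breach dump; no real people or values.
RAW_BREACH_ROWS = [
    {"email": "alice@example.com", "password_hash": "5f4dcc3b5aa765d61d8327deb882cf99", "phone": "+33600000001"},
    {"email": "Bob@Example.com ", "password_hash": "e99a18c428cb38d5f260853678922e03", "dob": "1980-01-01"},
    {"email": "alice@example.com", "phone": "+33600000002"},
    {"email": "", "password_hash": "d8578edf8458ce06fbc5bb76a58c5ca4"},  # no key field: dropped
]


def normalise_email(email):
    """Lower-case and trim so the same address matches across leaks."""
    return email.strip().lower()


def sanitise_breach(breach_name, rows):
    """Reduce raw rows to {email: {data class names}}; every other value is discarded."""
    index = {}
    for row in rows:
        email = normalise_email(row.get("email", ""))
        if "@" not in email:
            continue  # cannot be looked up by email, so do not retain it at all
        classes = {field for field, value in row.items() if field != "email" and value}
        index.setdefault(email, set()).update(classes)
    return {breach_name: index}


class BreachIndex:
    """Email-keyed catalogue: which breaches an address appears in, and what was exposed."""

    def __init__(self):
        self._by_email = defaultdict(dict)  # email -> {breach name: data classes}

    def load(self, sanitised):
        for breach, emails in sanitised.items():
            for email, classes in emails.items():
                self._by_email[email].setdefault(breach, set()).update(classes)

    def lookup(self, email):
        """What a visitor sees: breach names and the kinds of data exposed with the address."""
        hits = self._by_email.get(normalise_email(email), {})
        return {breach: sorted(classes) for breach, classes in hits.items()}

    def stored_strings(self):
        """Every string the index holds; useful to audit that no raw values were kept."""
        out = set()
        for email, breaches in self._by_email.items():
            out.add(email)
            for breach, classes in breaches.items():
                out.add(breach)
                out.update(classes)
        return out
```

Because `stored_strings()` returns only emails, breach names and field names, a compromise of this index would expose the presence of an address in a breach but none of the values that were leaked with it.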
Troy Hunt does not go looking for databases himself; his community sends them to him. His aim is not to build the world’s largest leak database but to catalogue the leaks that concern the general public. This cooperative approach lets him stay away from illicit data-sharing sites, although it has a drawback: if an archive is not sent to him, it will never appear on Have I Been Pwned.
In the face of the law, goodwill is not enough
A data breach involving 500,000 French patients sparked public outrage at the end of February 2021, yet it took days for it to appear on Have I Been Pwned. Troy Hunt said the breach was significant enough that if he received it, he would index it.
In the case of haveibeenfacebooked.com, created in response to the recent leak of phone numbers, the Italian data protection authority was blunt: “The Italian authority warns anyone who has come into possession of personal data as a result of the breach that their possible use, even for positive purposes, is prohibited by privacy legislation, as this information is the result of illegal processing.”
After this statement was published, the platform confirmed that it was “unavailable for legal reasons”, while HIBP stepped in.
Troy Hunt acknowledged “the sudden emergence of HIBP clones” in his most recent blog post, published on April 6, 2021. Although he is “flattered by the influence of his project”, he also warns that it is impossible to know how much trust victims should place in these initiatives, because the tool’s author must be trusted both to validate the content of the leak and to secure the processing of the data.
Have I Been Pwned has a special pass
Have I Been Pwned’s biggest strength? Trust. Troy Hunt has had seven years to ask himself many questions about the legal and ethical boundaries of his activity, and to confront a wide variety of situations.
Still, today, he defends pragmatism: “This personal data is obtained through illegal activities and then shared on various networks.” On one side, you can look at privacy rules, which state that you must get the victims’ permission to keep the records. On the other side, the data is now available to everyone, and it cannot be returned to where it came from. “I frequently use the analogy of pee in the pool: you can scoop as much as you want, but you can’t take it out because it’s already diluted.”
Will Have I Been Pwned exist without its founder?
HIBP has never been worried, despite the introduction of new rules, according to Troy Hunt. And the entrepreneur is unequivocal about the reasons behind this laissez-faire: “I’m able to do this business because I have good connections and have been doing it for a long time.” When his health allows, the Australian travels the world; in recent years he has met officials and regulators in scores of countries. He has even persuaded several of them to integrate Have I Been Pwned into their own tools. The FBI and the Department of Homeland Security are among his clients. “I am very forthcoming about how I use data.” “I’ve been meeting with these agencies for seven years, and they are aware of my legitimate actions,” he says. A phrase that implies that the end justifies the means.
In recent years, Troy Hunt, who was on the brink of burnout, has tried to hand over control of his prized creation. The aim was to grow the site and make it sustainable while honouring the commitments of the current arrangement. Despite promising efforts, he was unable to find the right buyer, so he called off the sale and kept ownership of his website, which he continues to maintain on his own. For the time being, the machine works. But who will handle the data leaks after he retires? Will Have I Been Pwned keep enjoying the same level of exemption? Who would notify leak victims that their information has been compromised?