Is there a framework for determining what is legal to provide to Brian Krebs or Haveibeenpwned.com?
Would it have been illegal of Brian Krebs to pay money to weleakinfo.com for a database that also existed elsewhere?
Basically is it illegal to buy, sell, give away for free to masses, give away for free to vetted individuals/researchers, or illegal to hold privately once you received it?
Would love if anyone could point me towards the path of enlightenment here. US/EU, and other laws all seem relevant.
What does this mean? In the US there is no law for this.
In the EU we have the GDPR which says you never get to own or control someone else's personal information without their permission.
Just because the info is leaked, that doesn't make it public domain. The data still belongs to the user, and the people that hold it should only ever be doing so with permission.
For context, the US has arrested people who have never set foot in the US and held no assets in the US ... for breaking US law. So when it comes to "the internet" nowadays I assume I have to comply with all major countries' laws, not just my own (USA). Or at least it could be helpful to know other countries' laws (EU) as they compare to my own (USA).
> In the US there is no law for this.
If the FBI seized the website, I would be led to assume there's probably at least one law covering it.
> The data still belongs to the user
If I'm one of the affected users, can I see what of my data was leaked? Wouldn't I have to download the leaked data to do that? Would that be legal to download? Would it be legal for someone else to provide my own leaked data to me?
> the people that hold it should only ever be doing so with permission.
This would make http://haveibeenpwned.com/ and Google Chrome's password checker illegal -- and probably 90% of security researchers would be outlaws. That seems like an untenable policy position.
Yeah, that's pretty Matrix-like.
I feel like the nuance would almost always be lost though