Another day, another data hack in the news. Yet in a world in which no online account seems safe from criminal hackers, Facebook has so far avoided any scandals of this nature. At last month’s Web Summit in Lisbon, Facebook’s Chief Security Officer, Alex Stamos, made a rather surprising admission.
Stamos explained that, in addition to less controversial security measures designed protect users’ accounts, Facebook buys stolen passwords from hackers on the internet. It then analyses these and cross-references them with passwords used by its users.
Although “computationally heavy,” Stamos claimed that Facebook had alerted tens of millions of its users that their passwords were not secure enough and needed changing. Given that Facebook has yet to suffer a major data hack, it seems this tactic is effective. But is it ethical?
The Ransom Dilemma
Most people are aware of this classic dilemma. In the event of a kidnapping, should a ransom be paid in order to free the victims unharmed?
When those victims are loved ones, most of us would willingly pay up, and damn the consequences. I think most us of recognize, however, that this is objectively not the right thing to do. Not only does it reward violent criminals for their actions, but it encourages others to commit similar crimes.
Paying ransoms, therefore, creates a spiral in which the more ransoms are paid, the more kidnappings are committed, which results in more ransoms being paid, and so on. If everyone refused to pay a ransom, the environment in which criminals could prosper by committing kidnappings would simply not exist.
In real life, this messy situation inevitably leads to loss of life. Thankfully, when dealing with digital crime, the analogy begins to fall down at this point.
Buying Stolen Data
The situation with buying stolen data is very similar. When Facebook and other tech companies buy stolen passwords, they are creating a market for stolen passwords. If this market did not exist, there would be less incentive for hackers to steal passwords in the first place!
So, much like a family paying kidnappers to save their loved one, but potentially at the cost of many other lives further down the line, Facebook is protecting its own users at the cost of making the digital world less safe for all.
Facebook clearly sees itself as performing its duty to its own customers. But these customers will all also have accounts with numerous other online services. So Facebook is, in fact, doing them a grave disservice and making them more likely to be hacked in the wider context.
Indeed, by helping to create a market for hacked passwords, Facebook may also be putting its own accounts in jeopardy. As Danny Rogers from TechCrunch notes,
“I’ve heard anecdotes of companies that haven’t even been breached until one of their own contractors offered payment on the black market for their data! In this instance, and probably in many others, purchasing stolen data caused the very problem it was trying to solve.”
A further ethical concern is that Facebook is not buying data stolen from itself (although as just noted, this situation is not outside the bounds of possibility). It is instead buying stolen data that belongs to others, which is blatantly illegal.
If a dodgy character sidles up to you in bar and offers to sell you stolen goods, it is neither legal nor morally correct to do so.
With regards to stolen digital data, this principle has yet to be properly tested in front of a court of law. But it is almost impossible to conceive a verdict that would not convict Facebook (and others like it) of the crime of receiving stolen goods.
Facebook (and everyone else responsible)… stop it now! What you are doing here not only rewards criminals for their crimes, but actively endangers all internet users’ online security. It will also likely come back to bite you hard on the ass, when hackers realize that you will pay even more to buy back data stolen from Facebook accounts. Or perhaps your competitors will, in order to help secure their accounts!
It is worth remembering that digital data is infinitely reproducible, and criminals are not known for their honesty. So there is no guarantee when buying up your own data that it will not also be sold to everyone else willing to pay…