Password Checkup, a new extension for Google’s Chrome browser, checks whether passwords that you use while browsing have been previously compromised in a data breach. According to Google, the extension checks the login details that you enter against a database of approximately four billion leaked usernames and passwords, and warns you if it finds a match.
Because people often reuse passwords, this tool – and others like it – can help protect people from credential stuffing attacks in which criminals attempt to access accounts on one site by sending the site username-password combinations stolen from other sites.
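The check described above can be illustrated in code. The following is an added example, not Google's code and not the protocol the extension actually uses (the post does not describe it): it shows the common hashed-prefix ("range query") pattern used by some breach-check services, in which the client sends only the first few characters of a password hash and compares the returned suffixes locally, so the full password or hash never leaves the browser. The leaked corpus, the prefix length and the function names are constructed for this example.

```python
import hashlib

# Constructed sample "breach corpus": SHA-1 hashes of a few passwords we
# pretend were leaked. A real service holds billions of entries; the
# plaintexts below exist only so the example can build its hashes.
_LEAKED_PLAINTEXTS_FOR_DEMO = ["password123", "letmein", "qwerty"]
LEAKED_HASHES = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in _LEAKED_PLAINTEXTS_FOR_DEMO
}

# Number of leading hex characters the client reveals (assumed value).
PREFIX_LEN = 5


def hash_password(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased to match the corpus format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query(prefix: str) -> list:
    """Server side: return the suffixes of every leaked hash that shares
    the given prefix. The server learns only the prefix, not which of the
    returned entries (if any) the client actually holds."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    return sorted(h[PREFIX_LEN:] for h in LEAKED_HASHES if h.startswith(prefix))


def is_compromised(password: str) -> bool:
    """Client side: hash locally, send only the prefix, compare suffixes
    locally. Returns True if the password appears in the leaked corpus."""
    full = hash_password(password)
    prefix, suffix = full[:PREFIX_LEN], full[PREFIX_LEN:]
    return suffix in range_query(prefix)


if __name__ == "__main__":
    for candidate in ["password123", "correct horse battery staple"]:
        status = "COMPROMISED" if is_compromised(candidate) else "not found"
        print("%-30s %s" % (candidate, status))
```

The server never receives the plaintext and never learns the full hash, which is the property that lets a breach-check service operate on a corpus of stolen credentials without having every client reveal its own. It does not, however, answer the ownership questions raised below: the corpus still has to come from somewhere.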
I wonder, however, about the legality and moral propriety of the approach taken by Google, and by several other parties offering related services.
Stolen password databases are, of course, stolen property. Is possession of stolen property – and using it within a product – legal?
In some cases, or perhaps all, the owners of the breached databases may have authorized the post-breach use of the material by third parties for the purpose of protecting people – which might address the stolen property issue, but still leaves open some serious questions.
First, is it clear that authorizations were provided for all of the records in those databases? Were all such authorizations provided to for-profit companies like Google to use the data to create offerings and improve their products, or were some made only for non-profit sites that allow people to check if their passwords are secure?
Additionally, is it even clear that the data owners themselves have the right to give Google or anyone else the authorization to use the data? Didn’t some (or, possibly, most) of the breached organizations have privacy policies that stated that they would not give users’ private information to third parties? Aren’t passwords private information? Violating such privacy policies may be a civil matter – but, in regions in which violating privacy policies can subject a business to regulatory fines, the matter could be more serious. And, even if providing passwords to third parties under such circumstances is legal, is doing so ethical?
Think about it like this: if you use a website whose owner promises you that it will never provide your data to a third party, and that it will never use the data for any purpose other than transacting business with you, does it really have a right to allow Google to use the private password that you created under such terms and conditions?
I am not an attorney, and do not claim to know the answers to the above questions. Yet, for quite some time, I have asked questions like those above – to lawyers, to various parties providing password-check services, and to others – and I have never received a clear, definitive answer as to where the lines are drawn when it comes to the possession of, and use of, stolen digital property. Furthermore, over the past decade, we have seen stolen emails, memos, and databases published online – in many cases to the detriment of their owners – with law enforcement taking absolutely no action.
It is time for legislators to bring our stolen property laws into the 21st Century, and to clarify exactly what can and cannot be done with compromised digital materials.