Help! Leaks, Breaches & Logs Legality

I am trying to see the legality of using publicly available data coming from data leaks, breaches, and log data for a specific use case.

I read Michael Bazzell’s book ‘Leaks, Breaches & Logs.’ In the book, he says to consult an attorney to ensure you are complying with national, state, and local laws. However, I cannot find an attorney that covers this topic.

Bazzell spoke with his attorneys and notes in the book that this type of data: “This is similar to viewing an email stolen from Hillary Clinton posted on WikiLeaks or an internal document stolen from Google posted on a blog.” Bazzell references the value in creating one’s own ‘Have I Been Pwned’ database.

Anecdotally, I have not used or paid for DeHashed, but I point to sites like DeHashed. DeHashed’s Search service “(offering) delivers enterprise-grade open-source intelligence and risk assessment. Our industry-leading platform allows us to collect data that’s been compromised on the deep-web and enables users to search through breached data for usernames, email addresses, IP addresses, and more.” It seems like anyone can sign up for DeHashed.

Here is the research I’ve done so far:

  • Gotten on Bazzell’s waitlist for a consult with his in-house attorneys
  • Googled/asked LLMs what type of attorney I’d need to speak to. The result was attorneys that cover:
    • Data privacy law
    • data breach law
    • internet law
    • internet criminal defense - I thought of this one on my own. Called 3 different criminal defense attorneys, but they only offer defense, not consultations or ongoing advice.
  • Called 28 attorneys in my state. 18 or so callbacks. 15/18 attorneys I spoke with had NO CLUE what I was talking about. What I’m finding is the lawyers represent the companies who have the breached data, not working with individuals. Specifically, all the attorneys I called said their firms work with XYZ corp, ABC corp; they did not know the inverse of working with the data once the hacked data is public.
  • 3/18 attorneys were helpful, but only 1/3 attorney had an actual clue. The 1 attorney who had a clue also represented corporations, but he said he could see the parallels to how his experience might apply to my idea. This attorney probably was 80-85% of what I was looking for. I naturally would prefer using someone similar to Michael Bazzell’s attorneys for advice who do this work based on the book all the time (although I am not in their state of California). I did have a chat and this attorney could help. Spoke for 15 minutes and he was going in the right direction of how to use this publicly available data. However his fee was $1,500 an hour.

Typically when I evaluate attorneys, I like to look at 3-4 different ones. In this case I can only find one, and even then that attorney has not worked on areas like this commonly.

My Questions

  • What type of attorney would I need to consult based on the book by Michael Bazzell?
  • Does anyone have experience working with an attorney on something like this?

Can you elaborate on that specific use case?

People don’t seem to get in trouble for downloading/using it. If it’s illegal use like hacking, it doesn’t matter where you got it.

Haveibeenpwned and countless others use that kind of data and never get in trouble. I feel like internet crimes are somewhat rarely prosecuted and if they are it’s for serious shenanigans.

Can’t say more without more details. Of course very different use case for starting a business versus personal use.

  1. To not give away detail, it is a legal OSINT use case that I’d like to complement with the methods in the book.

  2. “People don’t seem to get in trouble for downloading/using it.” - anecdotally agree, however I want to be safe and ask questions to a lawyer to cover my legal bases. The 1 attorney I spoke to alluded to this being legal with caveats, but warranted a further discussion on the particulars.

I was hoping to have a pool of attorneys to choose from, but so far I can only find one, and he is not 100% knowledgeable on the topic.

The issue is I do not know the type of attorney I need to consult. That is what I am trying to find out, or if anyone has experience speaking with an attorney about this.

While looking for attorneys, I see corporations have interest in this, but broadly speaking, civilians do not have an interest. Therefore, attorneys broadly serve corporations (as they have interest), and attorneys are not versed on when the data goes public, aka the civilian aspect and legalities of the public data (as civilians do not have interest).

Does anyone know what type of attorney to speak with, or have experience speaking with an attorney on this subject?

I know the second-best person you can speak to, Micah Lee:

Quick reminder, they handle leaked dataset dumps for their investigative work, so they can walk you through the tooling as well as the legality behind it, at least from the US side.