I would like to launch my own website that shows people what kind of personal data has been leaked on the dark web. Some websites are already available, such as Have I Been Pwned, but what I want to do is more advanced: show people their personal data and documents such as driving licence, utility bills etc. (they can literally have a copy of everything that has been leaked about them, as well as the breach time). This can be useful for them to know what data is available to scammers, but also for them to know if they should take action.
Obviously this would mean that I will have to store leaked data on my own server, and one thing that worries me is: will I be breaching the law if I store such data? I am not sure who to ask.
Also, I live in the UK, but I would prefer to offer this service worldwide, so the data breaches/ransomware leaks I would keep would be for people from different countries too.
Do you guys think this is an ambitious and useful service to offer? What are the steps?
My understanding is that you would have to register as a business (self-employed?) so that the government knows you’re a business that handles personal data. Then it would be your company’s responsibility to comply with the UK’s GDPR regulation.
I understand. Although I might change my mind in future, I don't want this to be a business; maybe that falls in the category of "social enterprise": Setting up a social enterprise - GOV.UK
I suggested Have I Been Pwned, but some websites actually show the passwords with a very basic hash such as SHA1 (which is easy to "dehash"), so technically they do not provide accurate security to protect people's data.
Regardless of whether it’s legal, what you are suggesting is incredibly unethical. I can’t imagine you’d be very happy finding out someone else was hoarding your personal data in this way. It’s hard to reconcile a supposed belief in the right to privacy with your willingness to throw everyone else’s privacy out the window.
I appreciate your honesty, but I will have to disagree with you on this being unethical.
Nowadays, so many people store personal data of others without consent; so many are either scammers, criminals, detectives (which is unethical), etc. Some companies even offer to show me leaked passwords if I pay, even though these are my passwords.
The fact that I will offer people the ability to view what kind of data was leaked about them is actually not a bad idea. Personally, I would prefer to know what was leaked about me. I worked in a business that suffered a ransomware attack in the past, and not knowing what was leaked about me annoyed me more than the ransomware itself.
Of course I will comply with requests such as "please remove my data".
Finally, this is just a suggestion; if many of you believe this is a bad idea, maybe I will focus on something else.
I will chime in on this from a compliance perspective, working closely with GDPR and the UK Data Protection Act.
First and foremost, you need to have a justifiable and lawful basis to obtain this information. If you are storing data of a person (or persons) that they have not agreed to, that is in direct violation of both acts. If you have a legal basis to do so, you would then need to use compliant storage and processing means and be open to auditing from governing bodies.
Since consent is the key word here and you are dealing with leaked data without their permission, if you could provide a demonstration of your service and how it could benefit said persons while ensuring that same data cannot be breached, you may have a chance.
If you end up being found to be in non-compliance, you can be fined up to €20 million (this has varied recently) or 4% of your global turnover.
Now, this is just a brief overview; you would need to start with those two acts for your current geography, and there are many more for each part of the world. You would need to adhere to each regulation/act to the strictest measure in order to not be breaking any laws. The USA, Canada, Brazil, India, China and others all have their own versions, and some will consider you a criminal and will also attempt to imprison you.
That being said, there are many who would consider this extremely unethical, as knowing you are in a breach by xxx or so-and-so is much different than saying "I have your social security number, bank account, and passwords." I just cannot see that ending up working out well.
This is all of course based on my opinion and my interpretation of the regulation (this can vary from person to person) and should not be taken as law. But at least consider the repercussions, not only from government entities but also from bad actors who are trying to keep the information not so open.
Typically they do share what information was leaked. I don’t see the value in being able to actually see the raw data.
Like if my phone number gets leaked by a company, typically that company and/or HIBP will say that my phone number was leaked. I don’t need to see what the actual number in the leak was, because I already know my own number.
This feels as though the idea is "just trust me aggregating all of this info, I promise to protect it". Sure, it's already leaked and out there, but do you want to be the person who gathers it all in one place? It's like taking every bank robbery money bag in the world and putting it in one place.
This sounds like a hacker's wet dream: a public API to scrape PII data. Your threat model now likely becomes international threats to protect against. I'd rather swim with sharks than even think about how to deal with that. Even if you get lawyers to sign off, you've got a hell of a job securing said data. Failure will make you a very disliked person worldwide, along with, probably, lawsuits and fines for failing to protect PII.
I'll say it's a bad idea, and there is a reason other sites use hashed versions without storing plaintext information.
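As an added illustration of the design contrast drawn in this thread (not code from any poster or service): a lookup index that can tell a user which breaches they appear in and which field types were exposed, while retaining only a keyed hash of the identifier and never the leaked values themselves. The breach dumps and the server key are constructed placeholders.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample dumps (not real data): the raw records a service
# would receive, and which the index below deliberately does not keep.
SAMPLE_DUMPS = [
    {"name": "ExampleShop", "date": "2023-05-01", "records": [
        {"email": "Alice@Example.com", "phone": "+441234567890", "password": "hunter2"},
        {"email": "bob@example.com", "password": "letmein"},
    ]},
    {"name": "ExampleForum", "date": "2024-01-15", "records": [
        {"email": "alice@example.com", "username": "alice_a"},
    ]},
]


def normalise(email: str) -> str:
    """Canonical form so the same address always maps to the same tag."""
    return email.strip().lower()


class BreachIndex:
    """Stores HMAC-SHA256 tags of identifiers plus breach metadata and the
    names of exposed fields; no leaked value is ever written to the index."""

    def __init__(self, server_key: bytes):
        self._key = server_key          # in production: kept in a KMS/HSM
        self._index = defaultdict(list)

    def _tag(self, email: str) -> str:
        # Keyed hash: without the server key, a dump of the index cannot be
        # brute-forced back to addresses the way a bare SHA1 could.
        return hmac.new(self._key, normalise(email).encode(), hashlib.sha256).hexdigest()

    def ingest(self, dump: dict) -> None:
        for rec in dump["records"]:
            exposed = sorted(rec.keys())   # field names only, never values
            self._index[self._tag(rec["email"])].append(
                {"breach": dump["name"], "date": dump["date"], "fields": exposed})

    def lookup(self, email: str) -> list:
        """What a user would see: breach name, date and exposed field types."""
        return list(self._index.get(self._tag(email), []))

    def stored_plaintext(self, *values: str) -> bool:
        """Self-check that none of the given raw values made it into storage."""
        blob = repr(self._index)
        return any(v in blob for v in values)


def build_index(key: bytes = b"constructed-demo-key") -> BreachIndex:
    idx = BreachIndex(key)
    for dump in SAMPLE_DUMPS:
        idx.ingest(dump)
    return idx
```

The verification step from the follow-up posts (proving the querying user actually controls the address before showing results) sits in front of `lookup` and is outside this snippet.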
Yeah, I would only find this kind of service okay if I, as the user, have consented to it before you start storing data about me.
And additionally have a method, for each piece of data, to verify that it really is being accessed by the right person.
And I would never use it, as it sounds like an unnecessary third party to have data at.
I think others have put it very clearly and here’s my 2 cents.
The key here is consent: even Google, of all companies, gives you privacy options/control when creating an account and lets you turn off personalised advertising; if you opt out, you essentially tell Google "I do not consent to this".
Legally you have to ask for consent, because under many privacy laws like GDPR, CCPA and many other versions of them you have to; you can imagine that collecting that data without the user consenting or legally agreeing will have severe legal consequences.
Take for example this scenario:
One day I'm at a cafe with friends, just chilling, and then you email me that you have my data or something, without consent, without me even visiting your site. I can file a small-claims lawsuit against you for breach of privacy and violating GDPR, as I am in an EU country, and the damages will depend on what data you got on me. For example, if it's a phone number this would cost a little more in damages; we're talking, for my country, 200 bucks, which is basically a week's worth of wages, then add the fees to change my SIM card on the phone. If, say, my phone's IMEI is involved and you leaked it, that would cost you even more in damages: that adds to the 200 bucks, plus the fees to change my SIM card, plus the damages to replace my phone.
I think you're understanding that without proper legal consent you're not able to do this, and even then you have to not lie in your privacy policy, or that's more legal trouble than it already is.