Start a social enterprise that involves data breaches (how to do it legally)

Hi Everyone,

I would like to launch my own website that shows people what kind of personal data has been leaked on the dark web. Some websites are already available, such as Have I Been Pwned, but what I want to do is more advanced: show people their personal data and documents such as driving licence, utility bills etc. (they can literally have a copy of all that has been leaked about them, as well as the breach time). This can be useful for them to know what data is available to scammers, but also to know if they should take action.

Obviously this would mean that I will have to store leaked data on my own server, and one thing that worries me is: will I be breaching the law if I store such data? I am not sure who to ask.

Also, I live in the UK, but I would prefer to offer this service worldwide, so the data breaches/ransomware leaks I would keep would be for people from different countries too.

Do you guys think this is an ambitious and useful service to offer? What are the steps?

Many thanks

My understanding is that you would have to register as a business (self-employed?) so that the government knows you’re a business that handles personal data. Then it would be your company’s responsibility to comply with the UK’s GDPR regulation.

Your lawyer.


I understand. Although I might change my mind in future, I don’t want this to be a business; maybe that falls in the category of “social enterprise”: Setting up a social enterprise - GOV.UK

I suggested haveibeenpwned, but some websites actually show the passwords with a very basic hash such as SHA-1 (which is easy to “dehash”), so technically they do not provide accurate security to protect people’s data.

Yes, I will speak to a lawyer; I just wanted to ask here first, as this community is helpful with privacy discussions.

Regardless of whether it’s legal, what you are suggesting is incredibly unethical. I can’t imagine you’d be very happy finding out someone else was hoarding your personal data in this way. It’s hard to reconcile a supposed belief in the right to privacy with your willingness to throw everyone else’s privacy out the window.


I guess the word I should have used is organization rather than business.

Good point

I appreciate your honesty, but I will have to disagree with you in terms of this being unethical.
Nowadays so many people store personal data of others without consent; so many are either scammers, criminals, detectives (which is unethical), etc. Some companies even offer to show me leaked passwords if I pay, even though these are my passwords.
The fact that I will offer people the ability to view what kind of data was leaked about them is actually not a bad idea. Personally, I would prefer to know what was leaked about me. I worked in a business that suffered a ransomware attack in the past, and not knowing what was leaked about me annoyed me more than the ransomware itself.
Of course I will be complying with requests such as “please remove my data”.
Finally, this is just a suggestion; if many of you believe this is a bad idea, maybe I will focus on something else.


I will chime in on this from a compliance perspective working closely with GDPR and the UK data protection act.

First and foremost you need to have a justifiable and lawful basis to obtain this information. If you are storing data of a person(s) that they have not agreed to, that is in direct violation of both acts. If you have a legal basis to do so, you would then need to use compliant storage and processing means and be open to auditing from governing bodies.

Consent is the key word here, and you are dealing with leaked data without their permission. If you could provide a demonstration of your service and how it could benefit said persons while ensuring that same data cannot be breached, you may have a chance.

If you end up being found to be in non-compliance you can be fined up to €20 million (this has varied recently) or 4% of your global turnover.

Now this is just a brief overview, and you would need to start with those two acts for your current geography; there are many more for each part of the world. You would need to adhere to each regulation/act to the strictest measure in order not to be breaking any laws. The USA, Canada, Brazil, India, China and others all have their own versions, and some will consider you a criminal and will also attempt to imprison you.

That being said, there are many who would consider this extremely unethical, as knowing you are in a breach by xxx or so and so is much different from saying “I have your social security number, bank account, and passwords.” I just cannot see that ending up working out well.

This is all of course based on my opinion, my interpretation of the regulation (this can vary from person to person) and should not be taken as law. But at least consider the repercussions not only by government entities but also bad actors who are trying to keep the information not so open.

Typically they do share what information was leaked. I don’t see the value in being able to actually see the raw data.

Like if my phone number gets leaked by a company, typically that company and/or HIBP will say that my phone number was leaked. I don’t need to see what the actual number in the leak was, because I already know my own number.


This feels as though the idea is “just trust me aggregating all of this info, I promise to protect it”. Sure, it’s already leaked and out there, but do you want to be the person who gathers it all in one place? It’s like taking every bank robbery money bag in the world and putting it in one place.

This sounds like a hacker’s wet dream: a public API to scrape PII data. Your threat model now likely becomes international threats to protect against. I’d rather swim with sharks than even think about how to deal with that. Even if you get lawyers to sign off, you’ve got a hell of a job securing said data. Failure will make you a very disliked person worldwide, along with probable lawsuits and fines for failing to protect PII.

I’ll say it’s a bad idea, and there is a reason other sites use hashed versions without storing plaintext information.


Yeah, I would only find this kind of service okay if I, as the user, have consented to it before you start storing data about me.
And additionally have a method for each piece of data to verify that it really is accessed by the right person.

And I would never use it as it sounds like an unnecessary third party to have data at.


I think others have put it very clearly and here’s my 2 cents.

The key here is consent: even Google, of all companies, and even when creating an account, gives you privacy options/control and the choice of turning off personalized advertisement; if you opt out, you essentially tell Google that I do not consent to this.
Legally you have to ask for consent, because under many privacy laws like GDPR, CCPA and many other versions of it you have to; you can imagine that collecting that data without the user consenting or legally agreeing will have severe legal consequences.
Take for example this scenario:
One day in a cafe with friends, just chilling, then you email me that you have my data or something, without consent, without my even visiting your site. I can file a small-claims lawsuit against you for breach of privacy and violating GDPR, as I am in an EU country, and the damages will depend on what data you got on me. For example, if it’s a phone number this would cost a little more in damages; we’re talking, for my country, 200 bucks, which is basically a week’s worth of wages, then add the fees to change my SIM card on the phone. If you get and breach, say, my IMEI, if the phone is involved and you leaked it, that would cost you even more in damages: that adds to the 200 bucks plus the fees to change my SIM card plus the damages to replace my phone.

I think you’re understanding that without proper legal consent, you’re not able to do this, and even then you have to not lie in your Privacy Policy or that’s more legal trouble than it already is.


Thank you all for your responses. I appreciate what you said and, honestly, I prefer to have your opinion rather than create a website that would annoy others whilst I think it is okay.

That being said, some of you misunderstood me, since I never intended to contact people without any consent, especially ruining someone’s day in a cafe with friends.

I note the following:

  • consent is important (the most important)
  • different countries = different regulations
  • storing data about people is unethical
  • auditing is needed
  • data stored must be secured

I might be old school, but I believe that the best way to secure data is to store it on a server that is disconnected from the internet.

Of course, I remain open to any audit for that.

Here is a proposal that I believe will not annoy anyone (I hope 🙂):

I create a website where people can register, but also unsubscribe (to get consent). Since different countries have different regulations, it would be better to start offering this in the UK only.

I gather data from different sources on the dark web, including any kind of PII as well as info stealer logs; this should be a large amount of data, maybe 100 GB or more. Then I process that data on a separate server to see if any subscriber’s data has been found; the most exciting part of this project is to create the necessary code to find the relevant information. If a subscriber’s data is found, they will be notified and shown what data has been leaked about them. Once the processing has finished, all data is deleted.

This is like a free dark web monitor for whoever wants it.

The only inconvenience is that, because I will delete the previously acquired data, I won’t be able to provide information about previous data breaches; the good thing is that I won’t have to pay for extra storage.
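As an added example (not the poster's code or plan), here is one way to implement the matching step of the proposal above so that the service keeps only keyed digests of consenting subscribers, matches on the exact normalised address rather than on names, and tells the subscriber which fields appeared in a leak without retaining any value from the dump. The service key, the subscriber list and the CSV-style sample dump are all constructed for the demo.

```python
import csv
import hashlib
import hmac
from typing import Dict, Iterable, List

# Hypothetical service secret (constructed for the demo); in a real deployment it
# lives in a KMS or HSM and is never stored beside the subscriber index.
SERVICE_KEY = b"constructed-demo-key-do-not-use"


def normalize_email(addr: str) -> str:
    """Lower-case and trim so 'Alice@Example.com' and 'alice@example.com' match."""
    return addr.strip().lower()


def keyed_digest(addr: str, key: bytes = SERVICE_KEY) -> str:
    """HMAC-SHA256 of the normalised address. A bare SHA-1 of an email can be
    precomputed from a word list; a keyed digest is useless without the key."""
    return hmac.new(key, normalize_email(addr).encode(), hashlib.sha256).hexdigest()


def build_subscriber_index(subscribers: Iterable[str]) -> Dict[str, str]:
    """All the matcher keeps at rest: digest -> opaque subscriber id. Contact
    details stay in the consented account system, not in this index."""
    return {keyed_digest(a): f"sub-{i}" for i, a in enumerate(subscribers)}


def scan_dump(dump_lines: Iterable[str], index: Dict[str, str],
              email_field: str = "email") -> Dict[str, List[str]]:
    """Stream a CSV-style dump; for each subscriber found, return only the names
    of the non-empty fields that appeared (e.g. 'password'), never their values.
    Rows for non-subscribers are dropped, and nothing from the dump is retained."""
    hits: Dict[str, List[str]] = {}
    for row in csv.DictReader(dump_lines):
        addr = row.get(email_field)
        if not addr:
            continue
        sub = index.get(keyed_digest(addr))
        if sub is None:
            continue  # not a subscriber: discard the row without logging it
        exposed = sorted(f for f, v in row.items() if f != email_field and v)
        hits[sub] = sorted(set(hits.get(sub, [])) | set(exposed))
    return hits


# Constructed sample dump (not real data) in the common email,password,phone layout.
SAMPLE_DUMP = [
    "email,password,phone",
    "Alice@Example.com,hunter2,",
    "bob@example.org,,+44 7700 900123",
    "carol@example.net,s3cret,+44 7700 900456",
]
```

Calling `scan_dump(SAMPLE_DUMP, build_subscriber_index(["alice@example.com", "carol@example.net"]))` reports that sub-0 had a password exposed and sub-1 a password and phone, with no leaked value ever written anywhere.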

That is a very good point; some people might have a similar name, and I wouldn’t want to give info to someone who is different.

I know, but what annoyed me is that some websites store hashed versions of data breaches in SHA-1, which is easy to decrypt.

Thank you for your detailed explanation, I appreciate that.

I don’t know how old you are but the gall to think this is okay and actually useful to people is simply shocking. And I can’t compute how you thought asking this in a privacy forum is okay.

I am happy to provide you with an opinion and I am personally happy you asked here where people take privacy seriously. Having you ask here is also a two-edged sword as you can see how this can infringe on people’s rights as well as open your knowledge to possibly navigate this securely.

It’s also better to have this conversation than you just creating the website.

  1. Source that they use SHA-1? Unsure which C3 services you are referring to.
  2. One does not decrypt hash functions; it’s a one-way operation.