by LannisterDebt 2296 days ago
> As noted above, many of the federal criminal statutes associated with the type of stolen data that tends to be sold in Dark Markets—e.g., passwords, account numbers, and other personally identifiable information—only apply if there is intent to further another crime: for instance, an intent to use the information to defraud.[33] For this reason, a purchaser of the stolen data who lacks a criminal motive is unlikely to face prosecution under those statutes.

Which part is unclear?

3 comments

> knowingly purchasing another party’s stolen data without that party’s authorization can pose some legal risk. It is much more likely to raise questions about the purchaser’s motives and result in scrutiny from law enforcement and the legitimate data owner, particularly if a trade secret is involved.

So if you're buying password dumps only to protect your own users from account takeover then you're unlikely to face legal consequences? However, that's not ironclad and not explicitly protected by the law. No promises.

I know some large sites will use illicit password dumps to revoke re-used passwords for their own users. Though they'll be very obtuse and just tell users something like "your password has expired". Given the fuzzy legality of this practice, I can understand why.

Also, there's a potential gap between "protecting your users" and "selling protection for users to other companies" that you'd really like to see clarified, if you're a vendor who buys password dumps to provide a commercial ATO service.

Most lawyers would still say not to do this to a small client with limited resources to defend themselves. A more well-funded client would be walked through a process that combines obfuscation with plausible deniability. Being scrutinized is just as bad as being put on trial when the alternative is a zero-risk position. So when you collect the data, you need a strategy that minimizes being noticed (or being noticed by a party that is allowed to act), executes in a way that produces minimal evidence (or the kinds of evidence a lawyer can't have dismissed), and which might violate the spirit of the law but not its letter (unless you're European, because they find writing real laws cumbersome).

The part where it goes on to say that the data should be sequestered and surrendered immediately to law enforcement, and that you might still be subject to an investigation.

If motive is the defense against prosecution, then clearly you should be potentially subject to investigation. How else should we check that you're not actually lying about your motive?

"unlikely" is very, very unclear.