Earlier this year, the Cybersecurity Unit (“CsU”) of the Computer Crime and Intellectual Property Section of the United States Department of Justice released guidance for the private sector entitled “Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources.”  The Guidance (available here) is intended to aid private actors to assess the potential legal exposure under federal criminal law as a result of engaging in common cyber intelligence-gathering activities on the dark web.  Focusing on activity on TOR-based Dark Markets, i.e., “online forums in which computer crimes are discussed and planned and stolen data is bought and sold,” CsU offers practical tips and best practices for legitimate private actors to reduce the risk of liability and other negative repercussions under federal law.[1]

The Guidance primarily addresses two types of activities: cyber threat intelligence-gathering and purchasing stolen data, malware, or security vulnerabilities.  While these activities are most likely to be conducted by specialist cybersecurity firms, the Guidance applies more broadly.  Some sophisticated companies may engage in these activities using in-house resources, but Monitoring or Communicating on the Dark Web: Cyber threat intelligence gathering may involve passive monitoring of online Dark Market forums or active solicitation or exchange of information with others.  According to the Guidance, passive monitoring alone poses little risk of federal criminal liability but exposure can arise when private actors communicate on such forums or use illicit means to access the forums.  For example, using completely fabricated credentials to access dark web forums generally will not create liability, whereas doing so by exploiting a vulnerability or using real third-party credentials without authorization can implicate multiple federal criminal laws.  Exchanging information on criminal forums could create liability should the information be subsequently used to commit a crime or be potentially construed as soliciting criminal activity.

To reduce risks, CsU suggests that organizations establish a relationship with local federal law enforcement agencies and keep them informed about the organization’s intelligence-gathering activities before they occur.  This is because active participation in discussions on such forums may draw attention from law enforcement and make the organization or its personnel a target of investigation or, even worse, unintentionally interfere with active law enforcement investigations.

The Guidance further suggests that organizations develop and implement compliance programs and rules of engagement to guide their personnel and third party contractors before engaging in intelligence-gathering activities.  Instituting prepared protocols can bring multiple benefits.  The process of drafting rules allows the organization to think through risks and solutions to potential issues in advance, discouraging personnel from making rash decisions in the moment that may place the organization in jeopardy.  Having documented rules and a compliance program may also prove useful to show good faith in the event of subsequent enforcement or litigation.

In addition to having vetted rules, the Guidance recommends that organizations keep records of the activities they conduct and the intelligence that was gathered, and track how the information was used.  Should the organization’s activities come under scrutiny, such records can be used to establish that the conduct was executed in furtherance of the company’s legitimate cybersecurity operations and plan, rather than illegal conduct by rogue actors.

Purchasing Stolen Data, Malware, or Security Vulnerabilities: As a proactive cybersecurity measure, organizations may seek to purchase data and cybersecurity products being offered for sale on Dark Markets. Buying stolen data or exploits may help an organization identify previously undetected data breaches, regain access to its own data, or take steps to prevent new cyberattacks by learning about new security vulnerabilities targeting systems or products that the organization uses.  While the goal may be legitimate, the Guidance cautions that such activities may carry legal risk, primarily centered around the ownership of the data, the nature of the data, and the identity of the seller.

Purchasing one’s own stolen data typically does not expose the purchaser to federal prosecution. Organizations can encounter trouble, however, when the data is commingled with data belonging to other third-parties, particularly sensitive personal information or trade secrets.  Since criminal liability usually requires some type of unlawful intent (e.g., knowledge that the data was stolen or intent to use the information unlawfully), CsU recommends that organizations who have purchased third-party data undertake a number of steps to demonstrate lack of intent.  Specifically, the Guidance suggests that the organization sequester the data; refrain from accessing, reviewing, or using it; and contact law enforcement or notify the owner of the data, if known.  In addition, it may be useful to document the organization’s response should its activities later come under scrutiny.

Similarly, purchases of malware and information about security vulnerabilities typically will not give rise to liability absent criminal intent.  However, buying certain software, such as programs designed to surreptitiously intercept electronic communications, may violate the federal Wiretap Act.

The Guidance further cautions that organizations should be cognizant of the identity of the data seller.  Transacting with particular entities could violate federal sanctions regulations or laws prohibiting providing material support to terrorist organizations.  Thus, organizations should consider including purchases of stolen data or products within their risk-based sanctions compliance program.

Even aside from potential criminal liability, the Guidance warns that organizations should operate cautiously when purchasing items on the Dark Market to avoid becoming a victim.  Sellers often operate anonymously, are located beyond the jurisdiction of U.S. courts, and demand payment using untraceable and irrevocable methods.  If the seller takes payment without producing the promised data, the organization will likely have no effective legal recourse. Moreover, the seller could seek to inject a vulnerability into the item designed to compromise the organization’s systems.  Thus, organizations should weigh not only the legal risks, but also the practical operational risks from engaging in proactive online intelligence-gathering activities.

[1] While the Guidance focuses on the risk of liability under federal criminal law, it notes that state and foreign law may also apply and should be considered whenever companies are considering engaging in these activities.