A security researcher is both testing and protesting U.S. cybercrime laws by publishing 10 million real usernames and passwords for research purposes.
Mark Burnett, a Utah-based independent security analyst, released the usernames and passwords in a plain text file through BitTorrent on Monday. While it’s not unusual for researchers to post information on leaked passwords, the inclusion of corresponding user names is rare, and approaches the boundaries of anti-hacking laws.
That’s partly the point, as Burnett spends the bulk of his blog post explaining why he shouldn’t be arrested. “I clearly have no criminal intent here,” Burnett wrote. “It is beyond all reason that any researcher, student, or journalist have to be afraid of law enforcement agencies that are supposed to be protecting us instead of trying to find ways to use the laws against us.”
Why this matters: It’s worth noting that all of Burnett’s data is or was publicly available, taken from forums and paste boards dating back as far as 10 years, so any credentials in Burnett’s list are already compromised. While there could be some danger in repackaging that data, the bigger risk is to Burnett himself—with the potential payoff of publicity and plaudits if he gets away with it.
Trial by blog post
To explain why he shouldn’t be arrested, Burnett pointed out the steps he took to prevent illegal use of the data, such as removing email domains and keywords that could be tied back to a company. He also believes that many of the passwords are useless to begin with. For those reasons, Burnett argues that he has not knowingly aided in identity theft, nor has he intended to defraud people through login information.
Why compile and release all that data, then? “The primary purpose is to get good, clean, and consistent data out in the world so others can find new ways to explore and gain knowledge from it,” Burnett wrote in an FAQ. “The data isn’t perfect and there are a few anomalies, but it should provide good insight into user password selection.”
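The two technical claims above (the sanitization step in the previous paragraph and the "explore and gain knowledge" use case in this one) are easy to make concrete. The following is an added illustration, not Burnett's own tooling or data: it strips email domains, drops records that match a hypothetical list of company keywords, and then computes the kind of password-selection statistics a researcher would pull from such a list. The sample records and the keyword list are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample records in "username:password" form (not from the real release).
SAMPLE_RECORDS = [
    "alice@example.com:Password1",
    "bob.smith@acme-corp.com:acme2014",
    "carol:123456",
    "dave@mail.example.org:letmein",
    "erin_admin@contoso.com:contoso!",
    "frank:123456",
    "gina@example.com:qwerty",
    "not a record",
]

# Hypothetical keywords that would tie a record back to a specific company.
COMPANY_KEYWORDS = ("acme", "contoso")

# Matches a plain email address used as the username; captures local part and domain.
EMAIL_RE = re.compile(r"^([^@:\s]+)@([^:\s]+)$")


def sanitize_record(line, keywords=COMPANY_KEYWORDS):
    """Return (username, password) with any email domain removed, or None when the
    line is malformed or when the username, domain, or password names a listed company."""
    line = line.strip()
    if ":" not in line:
        return None
    user, _, password = line.partition(":")  # split on the first colon only
    if not user or not password:
        return None
    m = EMAIL_RE.match(user)
    if m:
        local, domain = m.group(1), m.group(2)
        # The domain alone can identify an organisation, so check it before discarding it.
        if any(k in domain.lower() for k in keywords):
            return None
        user = local
    if any(k in (user + password).lower() for k in keywords):
        return None
    return user, password


def sanitize(lines, keywords=COMPANY_KEYWORDS):
    """Apply sanitize_record to every line, keeping only the records that survive."""
    return [rec for rec in (sanitize_record(l, keywords) for l in lines) if rec is not None]


def password_stats(records):
    """Basic password-selection statistics over sanitized (username, password) pairs."""
    passwords = [p for _, p in records]
    return {
        "count": len(passwords),
        "top": Counter(passwords).most_common(3),        # most reused passwords
        "lengths": Counter(len(p) for p in passwords),   # length distribution
        "digits_only": sum(p.isdigit() for p in passwords),
    }


if __name__ == "__main__":
    clean = sanitize(SAMPLE_RECORDS)
    for user, pw in clean:
        print(f"{user}:{pw}")
    print(password_stats(clean))
```

Note what this sanitization does and does not achieve: dropping the domain removes the hint about where a credential was used, but the local part plus password still works anywhere the same pair was reused, which is why the article treats the release as a legal test rather than a harmless one.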
But there’s also an air of protest in Burnett’s blog post. He pointed to the case of Barrett Brown, the Anonymous spokesman who was initially arrested for copying and pasting a hyperlink to leaked Stratfor data. While some of the original charges didn’t factor into Brown’s eventual five-year prison sentence, Burnett said the arrest could still have a chilling effect on journalism and research.
Even if Burnett’s actions aren’t illegal today, he argues that President Barack Obama’s proposal for tougher laws against cybercrime would almost certainly outlaw the data dump. “The problem is that the laws themselves change the very definition of a criminal and put many innocent professionals at risk,” he wrote.