A Boring (But Essential) Article Every Cybersecurity Pro Must Read: DOJ on Dark Web Law

Ervin Zubic
Published in OSINT Ambition
May 1, 2024

This ‘boring’ article could save you from legal trouble in dark web investigations. Get the U.S. DOJ’s legal insights on safe cyber threat research.

Black and white pencil sketch of a person in a hoodie at a computer setup with multiple monitors showing code and dark web forums, surrounded by legal documents and books titled ‘DOJ Guidelines’, ‘Legal Risks’, and ‘Cyber Law’.
Legal Shadows. Image created using DALL-E.

In the last two articles, we covered how to automate threat intelligence monitoring on the dark web using Python and how to monitor dark web activity without writing any code. It is only prudent that we now discuss the legal considerations of engaging in such activities. You should always consult your legal counsel before undertaking this kind of work, but this article summarizes the general guidance in the U.S. Department of Justice’s “Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources” document.

The DOJ clarifies that passively gathering intelligence from criminal forums by “lurking” and reading posted communications without participating carries little legal risk, provided you gain access through legitimate means (for instance, by registering on the forum’s own terms rather than by using stolen credentials or circumventing its access controls). The document states, “If a practitioner reads and collects communications posted openly on the forums but does not respond to forum communications or otherwise communicate with others...there is practically no risk of federal criminal liability." This passive monitoring approach is a relatively safe starting point.

However, the legal risks increase substantially once you start actively engaging with these forums. The DOJ warns that “soliciting or inducing the commission of a computer crime can expose a practitioner to criminal liability." Something as simple as posting a question about illegal activities, such as asking whether anyone is selling access to a particular company, could be viewed as a solicitation. To mitigate these risks, the DOJ recommends:

  1. Documenting operational plans and keeping detailed records of all online activities and how information was gathered and used. As they explain, “In the event of a criminal investigation, such records may help establish that their conduct was legitimate cybersecurity activity."
  2. Establishing clear “rules of engagement” or compliance protocols vetted by legal counsel. Having documented policies “can help prevent personnel from accidentally or unintentionally putting their organization and its employees in legal jeopardy or risk compromising its security."
  3. Building relationships and informing law enforcement before conducting these activities. As noted in the document, “It may also be beneficial to inform law enforcement before engaging in these intelligence-gathering activities by building an ongoing relationship with the local FBI field office or Cyber Task Force and the local U.S. Secret Service field office or Electronic Crimes Task Force."

If you move beyond monitoring and start exchanging information directly with forum members, the legal pitfalls compound. The DOJ cautions that “a practitioner must avoid doing anything that furthers the criminal objectives of others on the forums." This includes seemingly small actions: the document explicitly warns against providing any "true, accurate, or useful information that could advance such crimes," because doing so could constitute aiding and abetting under federal law. A practitioner who confirms a technical detail or answers a forum member’s question to build credibility may be handing a criminal exactly the help the statute prohibits.

The document also delves into legal considerations around purchasing data, malware, or vulnerabilities from dark web markets. While it notes that “federal prosecutors have not typically brought charges against parties who merely attempt to purchase their own stolen data," there are still numerous potential legal landmines to navigate:

  1. If you unknowingly purchase data that belongs to other victims, the DOJ advises you to “promptly sequester it and not further access, review, or use it" and to quickly contact law enforcement and/or the rightful owners. Failure to do so could raise questions about your intent.
  2. Purchasing certain types of stolen data, such as trade secrets or credit cards, can result in a violation of statutes like the Theft of Trade Secrets Act or the Access Device Fraud statute if there is a perceived intent to defraud or economically benefit.
  3. Engaging in any transactions with individuals or entities sanctioned by the U.S. government, such as designated terrorist groups or those covered under the International Emergency Economic Powers Act (IEEPA), is illegal. As a specific example, the DOJ states, “If a practitioner bought the stolen data knowing the seller was a member of such a foreign terrorism group, the practitioner would violate section 2339B," which prohibits providing material support to terrorist organizations.
Figure 1. Text snippet from “18 U.S. Code § 2339B — Providing Material Support or Resources to Designated Foreign Terrorist Organizations,” detailing the illegality and consequences of such actions, along with relevant legal definitions. Source: Cornell Law School, Legal Information Institute.

When it comes to purchasing vulnerabilities or malware samples, that is generally permitted as long as there is no criminal intent behind the acquisition. However, the DOJ flags two exceptions to be aware of:

  1. Certain malware designed to intercept electronic communications could violate the Wiretap Act’s prohibition on possessing devices “primarily useful for the purpose of the surreptitious interception of...electronic communications."
  2. Once again, any transactions with sanctioned individuals or entities are illegal under statutes like IEEPA.

The clear overall theme of the DOJ guidance is the paramount importance of avoiding any action that could be construed as furthering criminal activity, and the necessity of thoroughly documenting your legitimate purpose and consulting counsel. As the document puts it, vetted “rules of engagement” or a “compliance program” are what keep personnel from accidentally putting their organization in legal jeopardy.

While the prospect of facing legal jeopardy may seem daunting, the DOJ is clear that proper policies and protocols can allow organizations to lawfully gather threat intelligence and pursue stolen data from illicit sources. This can provide immense value in strengthening cybersecurity readiness and response capabilities. However, given the complexities involved, the DOJ’s strongest recommendation is to “consult with legal counsel to make proper use of its recommendations and analysis."

Figure 2. Information box with instructions on how to contact law enforcement, specifically the FBI and U.S. Secret Service, for reporting or discussing cybercrime investigations. Source: Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources, pg. 15.

By diligently adhering to practices like those outlined in this DOJ guidance, researchers, analysts, and cybersecurity professionals can navigate the legal minefield of dark web activities. With comprehensive policies backed by legal counsel, organizations can realize the security benefits while mitigating the risk of criminal liability. The path is cautious, but a well-prepared and well-advised approach can bring dark web intelligence into the light safely and lawfully. This article covers the key points of the DOJ’s document, but I recommend that anyone engaging in these activities thoroughly review the full 15-page “Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources” publication to ensure compliance.

Explore Next

Now that we have learned how to get data from the dark web and how to do it legally, let’s talk about turning that data into actionable intelligence. Read on…



My name is Ervin Zubic. I am the founder of blockquiry, a St. Petersburg-based company developing fraud detection tools and anti-cybercrime applications.