Spotify Is Publishing AI Tracks of Dead Artists

44m
We start this week with Emanuel's wild story about Spotify publishing AI generated tracks that look like they come from artists' official accounts. One problem: those artists died a long time ago. After the break, Joseph tells us about a company that is selling data hacked from computers to debt collectors. In the subscribers-only section, we talk all about the Astronomer CEO and its privacy implications.

YouTube version: https://youtu.be/lFYyNOWVJV0

404 Media Live in Los Angeles

Spotify Publishes AI-Generated Songs From Dead Artists Without Permission

A Startup is Selling Data Hacked from Peoples’ Computers to Debt Collectors

The Astronomer CEO's Coldplay Concert Fiasco Is Emblematic of Our Social Media Surveillance Dystopia

Subscribe at 404media.co for bonus content

Transcript

Hello, and welcome to the 404 Media podcast, where we bring you unparalleled access to hidden worlds, both online and IRL.

404 Media is a journalist-founded company and needs your support.

To subscribe, go to 404media.co, as well as bonus content every single week.

Subscribers also get access to additional episodes where we respond to their best comments.

Gain access to that content at 404media.co.

I'm your host, Joseph, and with me are the 404 Media co-founders, Sam Cole, Emanuel Maiberg, and Jason Koebler.

Hello, hello.

All right, straight off the top, I would just remind people that we're having an event in Los Angeles July 30th, Wednesday at 6 p.m.

404 Media subscribers get in for free.

There's going to be free wine and beer.

We're going to do a live podcast recording.

It's most likely going to be about the technology that powers immigration and customs enforcement.

Obviously, that has a ton of relevance to Los Angeles recently.

I believe we might have some guests, but we're finalizing that.

There's a link in the show notes.

Sign up if you're a subscriber in Los Angeles and come along for some free booze and to hang out with us and, you know, meet like-minded people.

If you're not a subscriber, it's $10 to get in.

But to be honest, that's also the cost of a subscription, so why, so just subscribe, that would make more sense.

Yeah, if you, uh, if you don't look at the show notes, you can find the event page by going to bit.ly, so bitly slash 404 rip space.

Rip space, that's the name of the venue that we're having it at, so it's bit.ly slash 404 rip space.

And if you're not in Los Angeles, we are going to probably attempt to do some live streaming beforehand.

No promises.

We are going to try to set it up though, just to experiment with something new.

Could be fun.

So I guess like if you're online Wednesday afternoon, check our socials, et cetera.

We may be going live, hopefully.

Yeah, still not sure how we're going to do that, but I think it'll be a fun experiment and just doing these events, you know, gives us a chance to try something new.

The other piece of housekeeping before we get to this week's stories is that we just published a wave of our ICE coverage in Spanish.

We got a professional team of translators to translate that into Spanish for us.

It's something like eight articles.

If you are a subscriber and you follow via an RSS feed, you've probably just got a bunch of Spanish articles into your feed.

And I got some comments with people asking, oh, what's going on?

And then it became clear what was happening, which is that we think this coverage is really important and more people should be able to read it.

So, you know, we've taken money kindly given to us by our subscribers and paid for this to be translated.

So if you see that on the site, that's why.

And if you think of anybody who really could do with reading that coverage, of course, please send it to them as well.

All right.

Let's get into this week's stories.

The first is one from Emanuel.

The headline is, Spotify publishes AI-generated songs from dead artists without permission.

I mean, kind of spoils it in the head almost.

There isn't really a twist here.

It's very, very on the nose and very clear what this is going to be about.

But let's sort of start at the beginning, Emanuel.

Who is Blaze Foley?

I hope I'm pronouncing that correctly.

Who is that exactly?

Yeah, so I'll just give the caveat that I'm not a big music expert and definitely not a country music expert.

But I was very interested in Blaze Foley's story, who I frankly only learned about from reporting the story.

But he was a country singer, songwriter, poet from Texas, was performing mostly in Texas, I believe mainly active in the 80s.

He was tragically killed in 1989.

And as far as I understand, died mostly unknown.

Like people knew him in the Texan music scene, but he wasn't like a very famous country singer.

And after his death, somebody who owns a label in Texas discovered a live recording of what I think was his last live show a few days before he was murdered.

And he just loved it, went looking for more recording of his music, got in touch with his mother and asked for permission to put all his music out.

And he did.

This is Craig McDonald, who I talked to for this story.

He runs Lost Art Records, and they are like the company that puts all the music.

And since he did that, he got posthumously more famous and kind of is like a loved country singer whose music is on Spotify, thanks to McDonald.

Yeah, and with all that context, a little bit weirdly, he allegedly has a new song called Together.

I'm going to play just a few snippets of it.

I'll probably jump through, but here's a little bit of that.

It's just that the night has fallen.

And I want to be with you.

Okay, so...

What's the issue with this song?

I think there are two issues.

The first one's pretty obvious that he's not alive.

What's the second issue?

So, yeah, I mean, according to the Spotify page for this song, which appeared on Blaze Foley's official Spotify page, like if you searched Spotify for Blaze Foley and you went to his official artist page, you would see this as his latest song.

It claimed to have been released on July 14, which doesn't make sense because he's dead.

And then, also, if you were a Blaze Foley fan, you would immediately know that this is not his music.

Um, I think Jason and Sam listen to some country music, and from what I understand, this is kind of like maybe like modern country music adjacent, maybe, but this is not the kind of music that Blaze Foley put out.

And I don't know if we can or want.

I have to admit, I don't know much about Blaze Foley either.

I do listen to country sometimes, but this doesn't really sound like him.

Yeah, it's like super produced and like, I don't know what the correct term for it, but like pop country or something like that.

And he was like way more gritty, kind of like a load on an acoustic guitar kind of vibe.

I will say real quick, the fact that he's dead doesn't necessarily mean like no new music comes out, just because it's like there's been so many artists, uh, like Elliott Smith died and then released like four more albums because his, like, estate went through his demos and started releasing them.

Like, Tupac, what the joke was, like, Tupac, have you heard Tupac's new album?

Like, 15 years after he died, same with like Juice WRLD, etc.

But, like, to be clear, these are not, this is not that.

This is like nothing like that.

Well, Emanuel, maybe it's helpful to go back a little bit and just tell us how did you learn about this?

And we'll get to the fact that it's AI generated in a minute.

And maybe that was in the original tip as well.

I will say that us just listening to it now.

I mean, I haven't listened to a ton of AI generated music.

We have spoken about it on the podcast before.

We have played snippets on the pod before as well.

And that was very, very obvious then.

This was like more than a year ago.

And it has that like wishy, washy, almost dream-like quality.

I don't know.

I listened to that.

Sounds like that could be a recording, but that's getting a little bit ahead of ourselves.

How did you learn about this, first of all?

I first learned about it from a Reddit post that I believe was posted to r/artificial, which is an AI subreddit, but it was from someone who was a fan of Blaze Foley, and they just shared a screenshot of that Spotify page, which, by the way, doesn't only include this AI-generated song, it includes like an AI-generated image of the artist who is like a young, I don't know, like punk singer of some kind.

Again, not Blaze Foley, who has like a cowboy hat and a big beard and mustache, you know, looks like a Texan country singer.

And they were like, this sucks.

Like, this sucks.

I'm a fan of him.

And like, this is super disrespectful.

And we know that there's AI music on Spotify.

This is not something that Spotify has banned.

I don't know.

Someone could argue that this, like, having a lot of AI-generated tracks on Spotify benefits them.

But the fact that it was flagged by a fan first and the fan said, like, this is super disrespectful to a dead artist, is obviously what caught my attention and why I decided to look into it.

Immediately verified that this happened, verified that it has happened to other people.

And I was like, who do I talk to in order to verify this?

You know, you can't talk to the artist, he has died.

So I looked at who manages his music and reached out to this record company and then ended up talking to Craig McDonald, who was quite nice and also understandably offended.

Who, you know, he does this as a business, but clearly it is a passion project that he got into out of like respect and love for this guy's music.

He was horrified that this happened.

Yeah, I was going to ask, just to elaborate on that, you say he was horrified.

What was his reaction to, uh, this happening, and did he already know, or were you the one who told him, or...

Uh, he knew.

He said, uh, that his wife noticed it the day before.

They had not, it was over the weekend, so they had not contacted Spotify yet.

He did contact like a distribution partner who he believes kind of manages some of the Spotify end of things, and he had not heard back from them.

I reached out to them as well and I have not heard back from them either.

His reaction kind of like, I think he had two main points.

The first is like he put the music on Spotify, not because it was some genius money-making scheme, because artists don't make a lot of money on Spotify, you know, it's just like even if millions of people listen to Blaze Foley on Spotify, that would not really benefit him a lot financially.

He put it on there because he was like, oh, more people could discover this guy's music who I love and I want to share with the world.

And it's like a really easy way to access it.

So I'll put it there.

I think totally fair.

And he was in a situation where this page that he was allegedly in charge of without his permission suddenly put this fake, bullshit, bad music in front of people and said, Hey, this is actually Blaze Foley.

And, you know, that he found damaging because it misrepresented the artist, it disrespected his music, et cetera.

So that's the first point, which I think is totally fair.

The other one, he was like, I'm not an engineer.

I'm not a computer guy.

I'm not an expert.

But he was like, I feel like this should be easy to fix.

Like, I feel like this should be easy to fix and prevent entirely with the simple addition of like, hey, if I manage this page, could Spotify please check in with me before they add anything else to the page?

And I'd like, yeah, that sounds like a totally fair way to handle this.

So that's kind of his response.

Yeah.

And you mentioned this, but there's something I just want to stress, which is that this is not just like the earlier examples of AI music.

Like there was like a Drake track a couple of years ago, right?

Where people didn't know whether it was Drake or not, and impersonating with AI, blah, blah, blah.

I don't have to go into all of that, but that happened.

This is that, but also Spotify is representing it as from the official account, from the official page of this artist.

And I think that's what really stings a lot here.

Before we just get to a couple more questions, what are some other examples then?

So it's not just one artist.

You found, I think, a couple more as well, right?

Yeah.

So there is another singer-songwriter, also a country singer-songwriter, named Guy Clark.

He actually won a Grammy and he's, you know, much more famous than Blaze, and he had a song called Happened to You, which was also AI generated.

It seems to have come from the same place as the fake Blaze song, and that is, that seems pretty clear to me based on, again, it had the same kind of AI-generated image of a guy who looked nothing like Guy Clark, and there was a copyright at the bottom of both pages, both indicating that the copyright belonged to a company called Syntax Error, which I couldn't find any traces of online other than a few Spotify pages that were AI-generated songs on the pages of real human artists on Spotify.

So there's Guy Clark and then another one.

A singer named Dan Burke, who I think is relatively unknown and is very much alive, had one of these songs on his page.

I reached out to him.

I haven't heard back.

If anybody knows Dan Burke, please hit him up and tell him to get back to me.

I'd love to hear his perspective.

And yeah, I ran all of these by a company called Reality Defender, who we mentioned a few times, and they do like deep fake detection.

And they said all the songs seem to be AI generated.

Gotcha.

So, do we know exactly what is going on here?

Like, how are these AI-generated songs, which are made by the original artist, how are they ending up on the official profiles of real artists?

Like, is it something to do with how people upload tracks to Spotify or something or mischaracterize him?

Like, do we have any insight into that yet?

Or does that come later, do you think?

I published a story and then immediately after I published, Spotify came back to me and said that they removed all the songs that I mentioned here, and that I flagged to them all these songs that were uploaded seemingly by this entity called syntax error.

And what Spotify, what Spotify claims is, I'll just read what they said.

We flag the issue to SoundOn, the distributor of the content in question, it has been removed for violating our deceptive content policy.

That's kind of like the extent of their statement.

And I was like, okay, interesting.

What is this?

What is SoundOn?

This is like the first time that SoundOn has been mentioned by anyone that I talked to and it entered the conversation.

SoundOn is a company owned by TikTok and is essentially a music distribution company that TikTok runs.

It exists primarily.

So if you're an artist and you want to put your music up on TikTok and monetize it, you can do it via SoundOn.

So you upload it to SoundOn.

They make it easy to put it on TikTok and then, like, earn your royalties that way.

They also handle distribution to other platforms.

So, if you use SoundOn, you don't have to just put it on TikTok.

You can also take it to Apple Music, to YouTube, to Spotify, maybe Tidal as well.

And so, I don't know.

We don't know for a fact what has happened, but it seems like somebody basically created like a fraudulent...

This is my theory.

Somebody created a fraudulent SoundOn profile and then used it to upload music to the official pages of all these other artists on all these other platforms, and for whatever reason nobody bothered to check, or the check, like the verification system, wasn't good enough to detect that this has nothing to do with Blaze Foley or his estate or with Dan Burke or all these other people.

And I want to know more about this.

So if you're listening and like you're a musician and you have stuff up on other platforms and this is happening to you, I've already heard from quite a few people that this has happened to them.

And it definitely seems like something is messed up in the distribution of online music, which includes all these middlemen between the artist, the record company, and the platforms where some fuckery seems to be happening.

And this is what happened here.

And also, sorry, another thing I heard since like a lot of people flagged other AI generated music to me that was attached to the pages of real artists.

And it seems like a bunch of them got nuked.

And I might do a story on that later and see like how much of this music was actually removed.

But my bet is also that SoundOn just killed, you know, this one bad player and that took down all this bad music at the same time.

Yeah, that makes sense.

And I think just to end, Jason, you wanted to give us an update on the AI?

Yeah, I just wanted to say that like this seems like it was, I guess, let's say a bad actor trying to, you know, populate this person's official Spotify profile.

And we have heard like this sort of music showing up on other platforms as well.

But there's been recent articles about AI generated music and like artists who don't exist that have gone viral on Spotify and are racking up millions of streams.

And one, it's like, I don't know, that's like the future that we're in now.

Like, there's AI slop all over Spotify.

And then there's also like, I don't know how to say it, but like slightly better AI music that's like more produced that's showing up on Spotify.

And a few months ago, we were talking about these lawsuits by Universal Music, like Sony, a few other like major record labels against Suno, which is an AI music generation platform.

And at the time, it seemed like this was going to be like perhaps a pretty interesting lawsuit.

Like it was probably going to lead to some sort of consequences for Suno and Udio, which is the other major AI music generation platform.

But in recent weeks, there's been reporting saying that Universal and some other really big record labels are most likely going to settle this case and they're most likely going to sign some sort of licensing deal, which I guess maybe we should have known was the most likely ultimate outcome of this.

But it seems more likely that record labels are going to try to integrate AI music generation like into their own ecosystem.

And like, I personally think the end result of that is going to be like just way more AI generated music on every platform all over the place.

Like I don't see it ending super well.

And so that's just to say, like, this phenomenon that Emanuel has found and is like super disturbing because it's taking advantage of real life artists and hijacking their pages and watering down what they're doing.

But I do think that these platforms are getting increasingly overrun with AI generated music.

And I think very soon record labels are like see the ability to generate music without artists and to do it super cheaply and take like a lot of shots at publishing music and trying to have a hit without having to pay human beings.

And I just like really worry about where that's going.

So I'm sure that we'll continue to cover it.

But like this big-time lawsuit really seems like it's probably not going to move forward.

And like there's going to probably be some big alliance between the AI music makers and the record labels.

Yeah.

And not just not pay people, but also gather the skills themselves to become a musician and develop music.

Very, very quick shout out.

If you're interested in somebody who is producing generative music, which can do sort of the promise of AI, but it does it in a much more ethical and interesting way, people should check out somebody called Tim Exile, who I've followed for years.

And he's been releasing some really, really interesting technology, software, and hardware over the past couple of months.

And I'm hoping to cover him at some point as well.

All right, we'll leave that there.

When we come back, we're going to talk about a story I wrote about, you know, another interesting way to put it lightly: that hacked data is being used or sold to debt collectors.

We'll be right back after this.


So, our next story is from Joe.

The headline is: a startup is selling data hacked from people's computers to debt collectors.

Joe, what is this company?

Where is this data coming from?

Who is it selling it to?

Yes.

So to give the very high-level view, and of course, we'll drill down on all of this.

Some words may not make sense immediately.

But there's this company called Farnsworth Intelligence, like a private intelligence cybersecurity company.

And they're taking data that has been hacked from people's computers, passwords, email addresses, billing addresses, sometimes even more information.

They're then taking that from something like 50 million computers, repackaging it, and selling it to skip tracers, which is a fancy term for debt collectors, basically, people going through divorce proceedings, or even companies looking to poach their rivals' customers.

It's pretty audacious.

I have not seen hacked data sold like this for these purposes.

And that's why I pulled it out.

You know, it's a really telling story about how this data is now being viewed by the cybersecurity and sort of the broader open source intelligence industry as well.

Like people don't just consider OSINT as posts on Twitter anymore.

Some companies and people also consider data hacked from computers to be so-called OSINT as well.

Something I think is interesting or might be useful to listeners is that we are very used to, and I'm used to it because of your reporting, but, you know, we'll find out about a giant hack of T-Mobile or something.

And one of the ways we find out about it is that there's these forums where people sell this data.

So people compromise a bunch of machines in various ways.

All this hacked data is floating around.

People compile it and then sell it in like huge batches on forums.

And like this kind of happens fairly in the open, right?

So it's like, it's like all this data is floating around all the time.

We know it happens, but it's very much like criminal, underworld, black market, gray market stuff.

And this is basically the same data being offered by a legitimate company, right?

It's like it's the same kind of data or the exact same data.

Yeah, and there's some nuances in how infostealer data specifically is distributed, which we'll, uh, which we might get to, but broadly, yeah, that's absolutely right.

You have these forums where every single day hackers are either just dumping publicly for free because they feel like it, or in many cases, they're selling it as well.

And you have to buy credits with the underground forum to then unlock the data, then you download it and blah, blah, blah.

This happens with essentially every data breach that ends up being public-facing.

Maybe not the ransomware stuff because there's extortion there and you know, we won't publish it if you pay us.

That's the entire point.

But if you hear about a large profile beat breach nowadays, very good chance it's posted to one of these websites.

As you say, this company is basically taking that or similar data and then offering it to these industries.

I think that's very, very important, because some people may argue, well, the data's out there, so why can't I just repackage it or whatever?

I don't think a random debt collector is going to know the underground hacking forum where they can get this information.

Also, it's very messy sometimes on the underground hacking forum.

Whereas here, Farnsworth Intelligence is taking that data, presumably cleaning it, or at least formatting it in some way so it can actually appear in a search tool and making it all very easy to access and searchable specifically for these industries.

If you're a divorce lawyer in some fancy tower, you know, in a big metropolitan city or whatever, and you're dealing with these big, high-profile divorce cases, you don't know where to go to find that data on the internet, but can use a private intelligence company like this to find it.

So it is really funneling that data to different industries, different people and different use cases.

And that's where the issue is, basically.

Yeah, what's crazy to me, and the reason I was like, you should do this story right now, definitely.

And this is more editorializing than we do in the story.

And I don't know, Joe, you don't have to respond to this, but it's like, to me, it felt like somebody was looking at the same community slash black market that you look at every day.

And they were like, oh, there's a startup here.

Like, we can just like tap into an entirely different market if we just repackage the same data for a legitimate quote-unquote client.

I do have a, I think, a useful way to get into that, which is that more specifically, this data is info stealer data.

And that is this really popular brand of malware, or type of malware now, which is often bundled with like cracked or pirated software.

So you download a cracked version of Photoshop or whatever, you're doing whatever it is you do in Photoshop, and then there's actually some malware in there which is stealing everything stored in your browser.

And that's going to be your passwords, email addresses, billing addresses, also just like all the autofill stuff in Chrome or whatever.

And we covered this in depth.

I actually spoke to the people making the malware and I also spoke to somebody rather senior on the Google security, Chrome security team about that.

And we've published that before.

But what happens there is that that data is often then fed into these Telegram channels and it's often sold.

You have to pay to access it.

But then also many of the channels just freely distribute them, probably to advertise the paid offering as well.

So to get to your point of like somebody seeing a startup here, multiple companies have tapped that data in different ways.

There's another company called Hudson Rock, a cybersecurity firm.

And like infostealers are like basically their entire thing.

They will go in, they will bring up the data.

And what they would do is they will release these free tools or I believe paid products as well.

And it's like, hey, if you're a company and you're worried about InfoStealers, we can warn you if your company is appearing in these credentials.

That's, you know, a pretty interesting and probably useful use case.

That's very different to going to the info stealers, grabbing all and being like, we're now going to sell it to debt collectors.

Like, it's entirely different.

It's a different question of use case.

And it's also different whether you can just search through the data or not as well.

And I should add that we're talking about the debt collectors and whatever, which you have to apply for.

You like have to tell him, sorry, you have to tell the company, this is why I want to have access to it.

There is also this public-facing version of it, which is a little bit more of a limited data set.

I could still find really sensitive stuff in there.

And that costs like 50 bucks to just log in.

And there's no checks there.

You just make an account.

And then you're searching info stealer data, which is obviously, you know, potentially an issue for stalkers or anybody like that.

Yeah, I mean, let's get into that.

What did the experts you talk to say about the potential for abuse here and some other use cases?

Yeah, I mean, sort of the usual expected stuff came up, which is, you know, this is going to be a boon to law enforcement.

This is going to be a boon to law enforcement without a warrant, crucially.

This is going to be very, very useful for stalkers, that sort of thing.

But then specifically on the use cases I pulled out, and there are other ones, like Farnsworth Intelligence also offers it to cyber risk firms or law enforcement or anything like that.

But I pulled out divorces, debt collectors, and sort of competitive intelligence because those were the most egregious to me.

And the divorce one, you know, a privacy lawyer I spoke to at Epic, they said, well, this might just be illegal.

You can't use this data.

And she pointed to a previous case with the Ashley Madison data dump, that dating website that got hacked way back when, nearly 10 years ago at this point, right?

And a judge said, even though this data has been published publicly, because the hackers release it online, it couldn't be used in court because it was still obtained illegally and it was still confidential in some respects.

There's obvious issues there.

The skip tracing one.

The debt collecting one, I mean, mostly the response to that from the experts I spoke to was just like, this is really unethical.

Like these people have already been the victim of a hack.

They've already had malware installed on their computer.

And now this company is re-victimizing them.

And not only that, but selling it to somebody who may be trying to chase down like a debt and harass them.

I think that has obvious ethical consequences.

And then the last one, which is, hey, maybe you could buy this data to find people using your rival's products and then you could poach them.

You can make like a marketing list or something.

The way you would do that is you would find they would have logins for your rival's product.

And the privacy lawyer I spoke to said that may even fall under, you know, like trade secrets law or something like that, depending on what was going on here.

So it's a ton of use cases which just don't seem to be particularly well thought out.

And also, the website's full of typos as well.

Yeah.

Dibs for us on the blog, but I wonder if you can even use one of the EU or California privacy laws to be like, hey, is my data in here?

Like, get rid of it immediately because you're not supposed to have it.

That would be interesting because you could definitely search for yourself if you're using the free version, but whether you can get removed or not, I think that's a fair question.

Yeah.

So I think most people are probably familiar with Have I Been Pwned, which is a pretty useful database of hacks that may have exposed your email or password, which is like somewhat similar to this, right?

It's like a database of hacked data.

How would you say this is

than that?

Yeah, Have I Been Pwned, run by Troy Hunt, has been for basically a million years at this point, is a really, really useful service both for individuals and for companies.

And you can do what I just did, which is go to haveibeenpwned.com, you type in your email address, and it brings up a bunch of breaches that your data has been included in.

It doesn't return the passwords, it doesn't return the actual data itself.

All it's doing is telling you, oh, you were in this massive data dump of 2.7 billion records, or whatever, or you were in this data breach as well.

And the data included email address and password.

That allows you to go, oh, damn, maybe I should change my password or something like that.

It's purely a cybersecurity tool, really, more than anything.

What's different here is that these InfoStealer products from Farnsworth are just returning the raw data.

And there is a slight difference in that the public-facing version that I paid $50 to use, you don't get the full password, but you do get a ton of other stuff.

I found somebody's personal billing address in there, for example, that seemed to be stored in their browser.

You do get the full password, it seems, with the sort of the version of the product available to debt collectors and that sort of thing.

So there's one difference.

And then I think there's one final difference between Have I Been Pwned and services like that, and then Farnsworth, or really just more InfoStealer products, which is that Have I Been Pwned is collating information on breaches from companies.

It's like, oh, Adobe got hacked, and now we have the Adobe data.

The Farnsworth one and others will be based on InfoStealers, which is malware installed on an individual laptop, probably belonging to an individual person.

It is way more personal simply in virtue of the sort of data that this malware collects.

And I'm sure some people will sort of balk at that distinction.

Well, hacked data is hacked data.

I don't know.

I think there's something to be said between there's a difference between data being taken from a company server and it being lifted off your personal laptop.

Maybe the distinction is very thin, but I think there's something there.

I was going to say that to like to play devil's advocate, there is an interesting ethical, like a truly interesting ethical question about hacked data that can be used for good.

For example, our friend Jordan Pearson at the CBC and a team of international journalists recently exposed the owner of Mr. Deepfakes, which was like the main deepfakes distribution website on the open internet.

A very bad person, responsible for a lot of harm that was anonymous, that frankly, like a lot of people wanted to expose.

And I believe that the way that they eventually exposed him is by leveraging some hacked data versus his username that was public and kind of matching the emails and kind of going from there until they actually located him in Canada where he was working in a hospital and like confronted him and eventually forced him to shut down the website, which is like a huge, I think, net good for the world because of hacked data.

So it's like there's something interesting and sticky there.

However, like selling it to debt collectors as like this product from a startup is, I don't know, that seems wrong to me.

Like, I think that's like a pretty clear violation of people's privacy.

Yeah.

I mean, beyond legal implications, and I guess this ties into ethical implications, ultimately the use cases are arbitrary.

It is always going to boil down to whether somebody feels comfortable or whether they think it's appropriate to use this data for a certain use case.

So I personally see no problem using Infostealer malware to identify alleged users of child abuse websites, for example.

And people have been doing that.

Recorded Future, another cybersecurity firm, they did that.

And to be fair to Farnsworth, it looks like they started doing that as well, somewhat recently.

So there's one use case.

There's another you mentioned, again, there's journalism as well.

Now, maybe somebody is in between those and they do think the debt collectors is okay.

I don't know.

I'm just going to straight up disagree with you and maybe we can have a debate about it.

But I guess just the last thing I would add is that, and then on top of all of those, it's also different to have a website where you can just pay $50 and you can just search it.

Like then anybody can use it.

And it's like, if you are releasing a tool where anybody can use it, you straight up have to be ethically okay with literally any use case because you are morally and technologically responsible for it.

Like, you are responsible if a stalker goes in there and uses it to find somebody's address because you are making that data available.

All right, let's leave that there.

After the break, we are going to be talking about one of Jason's stories, which was in response to this, I don't know, the biggest social media pile-on I think I've ever seen.

We'll get all into that.

You can subscribe and gain access to that content at 404media.co.

As a reminder, 404 Media is journalist-founded and supported by subscribers.

If you do wish to subscribe to 404 Media and directly support our work, please go to 404media.co.

You'll get unlimited access to our articles and an ad-free version of this podcast.

You'll also get to listen to the subscribers-only section where we talk about a bonus story each week.

This podcast was produced by Kaleidoscope.

Another way to support us is by leaving a five-star rating and review for the podcast.

That stuff really helps us out.

This has been 404 Media.

We will see you again next week.