Since 2013, developer Troy Hunt has been offering an invaluable online security tool called Have I Been Pwned. Enter your email address, and the site will let you know if it’s been found in any known security breaches… giving you a pretty good idea of whether it’s time to change your password.
Now Hunt says he plans to make the code base behind Have I Been Pwned open source in an effort to ensure the project isn’t dependent on just one person (and to get some help fixing bugs or adding new features).
But the data that’s used to determine if your information is vulnerable? That’s probably not going to be open sourced anytime soon.
As Hunt notes, that’s because of the way Have I Been Pwned works:
HIBP only exists due to a whole bunch of criminal activity resulting in data that’s ultimately ended up in my possession. Of course, the situation is a bit more nuanced than that with the vast bulk of data in HIBP already being in broad public circulation and passing through many hands. But be that as it may, even the legality of possessing it remains grey…
In other words, someone steals a batch of private user information in a data breach and then sells or leaks it online… and Hunt uses that leaked data to let you check whether your personal data is at risk.
Major companies and non-profits have worked with Hunt in recent years, or used the same grey-market data as Have I Been Pwned for their own security tools. So it may not exactly be illegal for Hunt to make this data available to the public… but it’s probably not the best idea either, since it includes the personal data of “literally billions of people that have been impacted by data breaches.”
So Hunt says one of the things he wants to do before ultimately releasing the source for Have I Been Pwned is to “ensure the same privacy controls prevail across the breach data itself even as the code base becomes more transparent.”
That said, if one of the goals is to ensure that the project isn’t just in the hands of one person, I have to wonder how useful the source code would be if it doesn’t involve a dataset. If anything were to happen to Hunt and someone else were to take over the project, would that person have to start compiling breach data from scratch?