Setting the bar for government access to Have I Been Pwned
troyhunt.comIf Troy is giving access to information which is already free and publicly available on the web, it doesn't really matter who he gives access to.
He is free to choose whoever he likes, but if I were in his position, I'd give access to anyone and everyone. If the API starts costing too much money to run, I'd start charging money for it, and then allow anyone who can pay.
Well obviously it does matter, and he is only “free to give anyone access” if you completely disregard any damage to his brand. He’s free kind of in the same way that Coca Cola is “free to change their recipe”.
I for one like the approach he has taken. And I would not at all like the approach you suggest, which feels like it boils down to “I have no quarrels supporting authorities war mongering regimes unless it costs extra, in which case I want money for my support.
He’s talking about allowing governments to search for their own government domains.
The threshold should be “am I confident the user I’m giving access to actually owns the accounts.”
I don’t see an issue in allowing a terrible regime the ability to more efficiently see if it’s own accounts have appeared in leaked databases.
Maybe, maybe, maybe if there is concern the government will persecute the hackers in a way that violates human rights. Maybe.
At the same time “it doesn’t feel right” matters. If your moral compass tells you something is off, listen to it.