Ethical hacking vs. the law – will you get arrested for a good deed?

Ethical hacking can be a slippery business, especially when companies don’t clearly specify it in their terms of use and local laws don’t make the distinction between ethical and malicious hacking. A recent case in Malta has reignited the discussion about finally introducing legislation that would protect ethical hackers from criminal action for responsibly reporting security flaws.

Ethical hacking vs. the law – will you get arrested for a good deed?

The nation of Malta was jolted last week when local media disclosed that four students who reported a vulnerability to the makers of a student-focused app were detained, strip-searched, and are now under police investigation. This sparked a massive social media backlash against the business that reported the students, the local police force, and, most importantly, the local laws that led to this predicament.

While we don’t yet have a full picture of the situation, the underlying issue is not unique to Malta and could happen virtually anyplace else in the globe. In fact, similar cases have arisen in the past in the US (in Florida and Texas, for example, and there was even a case that involved the FBI), in Hungary, Uruguay, China, Argentina, and more. The letter of the law frequently struggles to differentiate between entirely ethical white-hat hacking, potentially hazardous gray-hat hacking, and the malicious actions of black-hat criminals.

Why does the law struggle with ethical hacking?

Ethical hacking can be legally problematic since it differs from black-hat hacking by a factor that is not always readily identifiable: intent. White-hat and black-hat hackers’ actions are often quite similar, especially in the eyes of non-specialized law enforcement. And the law frequently assumes malicious intent, subjecting white-hat hackers to investigations that often result in criminal records. In this case, the “innocent until proven guilty” principle does not always apply.

While this type of legal approach upsets the hacker community, it is frequently viewed as necessary. In the eyes of law enforcement, it is generally considered preferable to respond forcefully and prevent more criminal activity than to assume innocence and allow a bad actor to escape or cause more harm.

There’s another reason why ethical hackers frequently have to walk a fine line between observing the law and demonstrating a vulnerability: when attempting to prove a vulnerability, they may unknowingly access sensitive information that they should not even be able to see. Whenever this happens, organizations are required to report the incident to data protection entities, which may then lead to legal action against anyone who accessed sensitive data without authorization. This was exactly what happened in the recent case from Malta.

White-hat hacking is a risky business. Successful ethical hackers must not only be able to uncover uncommon flaws before anyone else, but they must also be able to navigate national laws as well as company terms and conditions – and craft their communications in such a way that there is no doubt about their good intentions.

The fact that identifying vulnerabilities and informing the respective business owners of them can be considered a crime is completely unjust. As a legal professional, however, I appreciate that this is a tough scenario for everyone involved, including law enforcement.

– Karl Gonzi, Invicti General Manager, Malta

The dramatic consequences of arresting ethical hackers

The challenges that ethical hackers encounter have long-term ramifications for both the individuals involved and the community as a whole. Every time white-hat hackers witness their colleagues in danger as a result of merely doing their job, it has an impact on their future career and life choices. They may reconsider whether they want to face the legal penalties, which could include having to expend large sums of money to engage lawyers go through endless court proceedings. They may simply wonder, “Is it worth it?”

The clouds may get much darker for those who have already crossed the line, such as the four young Maltese IT students. While it may have some immediate positive consequences, such as local security companies hiring them, it may also result in their having a criminal record in the long run. And what if they want to work in sensitive government organizations, for example, where a clean criminal record is required? Their options will be limited for the rest of their lives.

Laws and enforcement measures that target ethical hackers are harmful to overall IT security. Applying the letter of the law to immediately label them criminals may deter an entire generation of inquisitive young minds from pursuing a career in cybersecurity, further contributing to the already serious cybersecurity skills gap. And in the end, it is the organizations with vulnerabilities in their public-facing assets that suffer the most.

Teams like mine need young people with unique minds, such as these students, and we cannot afford to lose them due to unjust legal repercussions. However, the fact that the public strongly sides with these youngsters gives me hope.

– Matthew Sciberras, Invicti CISO & VP of IT & InfoSec

What can be done to improve the situation?

In the instance of the students from Malta, social media users and even local politicians voiced fury at both the letter of the law and the company that reported this case as a potential attack. However, there are two sides to every coin – the company noted that it was legally required to report a sensitive data breach to the authorities, and that it was the authorities who pursued further legal action. It appears that the problem, as in so many similar cases, is ambiguity within the laws themselves.

A significant step was taken in the United States about a year ago when the Department of Justice stated that ethical hackers would not be prosecuted under the Computer Fraud and Abuse Act. While this does not guarantee that arrests such as the one of DeMercurio and Wrynn in Dallas will never happen again, it shows a significant shift in mindset, suggesting that legislators are extending a more friendly hand to protect ethical hackers.

Voices across the world have called for such changes in legislation and for local authorities to take action. Many Maltese residents are hoping that suitable legal changes will occur very soon, ensuring that local talent is well-protected and appreciated rather than being subjected to derogatory actions such as strip-searching or confiscation of all electronic equipment. Additionally, such changes in legislation would promote innovation and have significant economic benefits.

At the same time, everyone in the cybersecurity industry has a shared responsibility to remind organizations, both private and public, that ethical hacking is invaluable to us all, and to educate them on how to work with white-hat security researchers. For example, the Malta-based business could have informed the public immediately of the existence of the vulnerability and the fact that it was swiftly fixed, and given the students a bounty reward for their excellent work.

While a career as a security researcher in a company like ours is an excellent choice for many, we also value those who choose to seek more freedom and excitement as bug bounty hunters, and we must all do whatever it takes to ensure their talent is not wasted. After all, we’re all part of the same community and share the same goals.

– Frank Catucci, Invicti CTO & Head of Security Research

The responsibility for keeping the ethical hacking and security communities healthy lies not just with lawmakers. Companies worldwide need to treat ethical hackers with the respect they deserve and recognize that bug hunting is hard yet extremely valuable work that ought to be rewarded.