When is “ethical hacking” legal and ethical?
This piece was originally submitted as an essay and received a commendation as part of the Research Institute for Ethics and Law (RIEL) 2018 Essay Prize, Swansea University.
The “hacker” has come to occupy our collective imaginary, as well as the centre stage of political discourse. The UK Government has classed cybercrime as “Tier One” threat since 2010, “the highest priority based on high likelihood and/or high impact” (2016, p.85) and has committed to spend £1.9bn on cyber-security by 2021 (2017, p.10). At the same time, hacking is often constructed as a kind of “black magic” which could bring about societal destruction. However, the meaning of “hacking” has changed considerably. The “hack” mainly referred to "a material practice that produces differences in computer, network and communications technologies" (Jordan, 2008, p.12), linked to the characteristically liberal principles of liberty and individual autonomy. As such, it was a subversive but usually ethical practice. However, technology has also facilitated the development of deviant subcultures (Holt, 2009) and thus malicious hacking has come to dominate public discourse. Nonetheless, the distinction between ethical and unethical, legal and illegal hacking is not always straightforward, as illustrated by the metaphor of white, black and grey-hat hackers, widely used within the cyber-security industry. A white-hat hacker is a cyber-security professional contractually engaged by a company to test their networks for vulnerabilities. A black-hat is the malicious hacker, or cracker, who breaks into computer systems in order to access sensitive information, or disrupt the system. A grey-hat hacker, is somewhere between the previous two. Like a black-hat they "will roam the Internet in search of vulnerable systems”, but “like the white-hat hacker, the targeted company [or individual] will be informed of any weaknesses” (Chandrika, 2014, p.45) and given the opportunity to fix them. This essay explores the extent to which these shades of hacking are legitimate from a legal and ethical perspective. It considers illegal access as defined by the Cybercrime Convention as well as the UK’s Computer Misuse Act 1990 (CMA 1990). It also analyses possible ethical justifications for hacking including virtue ethics, Kant’s categorical imperative, social contract and the utilitarian perspectives. It concludes that some ethical hacking practices could be better protected by law.
The Legal Landscape
Hacking is likely to constitute a criminal offence within the signatory states to the Council of Europe’s Convention on Cybercrime, known as the Budapest Convention. Article 2 of the convention stipulates that each state party “shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the access to the whole or any part of a computer system without right”. In addition, “a Party may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system”. In line with the Budapest convention, the concept of authorisation is the cornerstone of the UK’s CMA 1990. Section 1 of the act defines the basic offence of “unauthorised access” as causing a computer to perform any function (the actus reus element, from the Latin "guilty act"), when this is done knowingly without authorisation (the mens rea or the "guilty mind" element of the crime). The actus reus is further defined in section 17(2) as including a number of actions such as using, altering, copying, moving, erasing or causing a programme or data to “output”. As such, merely “using” a computer will satisfy the actus reus of the offence. This is illustrated in the case of Ellis v DPP  EWHC Admin 362, where a Newcastle University alumnus was convicted under section 1 for using computers left logged-in by current students at the library. The threshold of action is thus lower than that required under the Cybercrime Convention which allows signatories to require that security measures be infringed in the act of access. The mens rea element of the offence is made out following section 17(5). Accordingly, the hacker's access is unauthorised if they (a) are not themselves entitled to control access of the kind in question to the program or data; and (b) do not have consent from any person who is so entitled. Once again, this formulation is broader than the requirements of the Budapest Convention. Thus, the offence captures unauthorised use, even where the there is no dishonest intent, or the act results in no damage to the system. In addition, section 3 of the CMA 1990 covers “unauthorised acts with intent to impair, or with recklessness as to impairing” the operation of a computer system. In DPP v Lennon  EWHC 1201, the court applied this offence to the context of a denial-of-service (DoS) attack and held the view that the owner’s consent to the receipt of traffic (e.g. e-mails) is not without limits, and does not extend to the kind of traffic that overwhelms servers. Both unauthorised access and denial-of-service attacks have been used by white, black and grey-hat hackers. Such acts may or may not be legal or ethically justifiable.
The Ethics & Lawfulness of Hacking
White-hats are the most likely to act legally and ethically. They hack systems with their target’s consent, codified by a contractual relationship and in line with contractualist ethics. For contractualists or social contract theorists, moral behaviour is defined by “an agreement between people, which they enter into because they have more to gain from doing so than by not doing so” (Benn, 1997, p.114). Alongside this, it can be argued that “the hack” embodies the Aristotelian idea of the individual using their rational abilities in the pursuit of eudaimonia (i.e. happiness, flourishing) and excellence. Malicious hacking however, interferes with the rights and economic interest of others. As such, it does not meet Aristotle’s doctrine of the mean, which places virtue between “two vices, one of excess and the other of deficiency” (Aristotle, 2006, p. 1107:1-5). Malicious hacking is closer to a vice than a virtue. However, there may be circumstances where white-hats cross the line of legality and delve into ethically dubious territory. One such example would be engaging in acts of cyber self-defence, i.e. defending against an on-going attack with a cyber-counter-attack. While self-defence is a well-established principle of criminal law, it requires proportionality. Given the interconnected nature of cyberspace, it is likely that such an act would spill-over into other systems, with potentially devastating consequences for innocent third parties. Furthermore, the unregulated nature of the internet leaves such an approach open to abuse. Ethically, while the contractualist perspective is to a large extent compatible with the Kantian tradition, “offensive” self-defence in cyberspace presents some challenges. Kant defended that we can know what is moral a priori - in accordance with a rationally deduced universal formula which he called the categorical imperative. One formulation of the categorical imperative is that one should "[act] in accordance with that maxim which can at the same time make itself into a universal law" (Kant, 1785, Ak 4:436). Arguably, an unregulated “wild west” of proactive defence, with its unpredictable collateral damage, could never constitute such a universal law. Another formulation is to treat people "as [an] end and never merely as means.” (Kant, 1785, Ak 4:429). Arguably the victimised third parties in this scenario would be treated as a “mere means”, irrespective of their free will and autonomy.
By definition, black-hats lack legal authorisation to access the systems they “break” into. In addition, where there is evidence of intent to commit a further offence (e.g. credit card fraud), it is clear that the hacker knew they had no authorisation to access the data. These hackers therefore act illegally and treat others unethically, as “mere means” to their own pleasure and/or financial gain. From an ethical perspective however, there may be circumstances where black-hat type activity may be justifiable through a Utilitarian lenses. J. S. Mill’s (1983) formulated the utility principle - the greatest happiness for the greatest number - as the ethical principle which determines whether or not an action may be considered moral. While the majority of black-hat hacking is unlikely to meet the utility test, “cybersecurity vigilantism” might (Silva, 2017, p.24). Cyber-vigilantism consists of a form of informal crime-control where “active citizens who, voluntarily and without the sanction of the State, launch attacks against cyber threats and cybercriminals with the goal of reestablishing justice and cybersecurity” (Ibid.). BrickerBot is one such example. BrickerBot was a PDoS (permanent denial of service attack) launched by a cyber-security vigilante to curtail the spread of Mirai, the first large-scale Internet of Things (IoT) botnet. In effect, BrickerBot permanently disabled IoT devices which would be vulnerable to the Mirai botnet infection. This action permanently deprived their users of the devices’ functionality without their consent and would clearly breach section 3 of the CMA 1990. However, it was carried out for the greater good - to stop more people from becoming Mirai targets. Arguably this amounts to treating people as “means” but not “mere means”. In addition, this action is in line with the utility principle.
The position of grey-hats is even more nuanced. On first consideration grey-hats do not have a contractual basis for authorisation to access the targeted network. However, determining authorisation is complicated by the widespread practice of “responsible disclosures”. Many companies including tech giants such as Google and Facebook have responsible disclosure policies which enable hackers to disclose vulnerabilities without facing legal action. These policies further encourage grey-hat activity by providing financial incentives in the form of “vulnerability bounties”. Facebook’s bug bounty programme offers a minimum reward is $500 (Facebook 2018) and Google offers rewards for qualifying bugs ranging from $100 to $31,337 (Google 2018). It can be argued that the existence of these disclosure policies and financial incentives provides a legal basis for authorisation as defined under section 17(5) of the CMA 1990. However, while Facebook gives assurance that they “will not initiate a lawsuit or law enforcement investigation [...] in response to [a] report” (2018), Google states that security testing “must not violate any law, or disrupt or compromise any data” that does not belong to the person making the disclosure (2018). In addition, grey-hat hacking goes on, even where companies do not have (public) responsible disclosure policies. As a result, this is a grey-area with respect to criminal liability and may also attract civil liability under data protection and intellectual property legislation. The activities of grey-hats may nonetheless be considered ethical as they improve the security of companies and Internet users. It will remain to be seen whether companies’ interest not to publicise vulnerabilities, prosecutorial discretion and the “court of public opinion” will suffice to protect grey-hat hackers from prosecution and lawsuits, or whether an ethical hacking defence will become increasingly necessary.
In conclusion, the legality of hacking is not as straightforward as it may first appear. White-hat, black-hat and grey-hat hacking can be understood from a variety of ethical perspectives, depending on intent and circumstances of the hack. As such, each of these categories of hacking broadly fit into a spectrum of “legality” ranging from clearly illegal to legitimate/legal hacking. This is not always perfectly aligned with what may be considered ethical or unethical. There are some circumstances where black-hat hacking may be justified from a Utilitarian perspective - and others where ethical hacking may incur legal liability. Given its focus on “authorisation”, the law allows for the recognition that some such hacking may in fact be authorised. However, there is no ethical hacking defence and thus there are little protections beyond market interest and prosecutorial discretion for those engaged in ethical hacking. At the same time, it is possible for white hats’ actions to raise legal and ethical questions. Inevitably, the law will have to continue to evolve to meet the challenges of securing cyberspace - a place whose architecture favours individual autonomy and the pursuit of “the hack”. For better or for worse, cyberspace needs the hacker.
If you are a security researcher and have worried about the legal implications of disclosing a vulnerability, it would be great to hear about your experience. Please get in touch on S.Correia@swansea.ac.uk
 Take the recent coverage of Russian cyber-attack on the UK (e.g. Dearden 2018) and media representations of hackers ranging from the 1983 film WarGames to the more recent Amazon Prime series Mr. Robot (2015).
 The terms Black Hat and White Hat are a reference to old Western films where the bad guys wore black hats and the good guys wore white hats.
 A denial-of-service attack (DoS attack) is a cyber-attack where the perpetrator seeks to make a machine or network unavailable to its intended users by temporarily or indefinitely overwhelming the system with requests for information, such as by flooding it with emails.
 The Internet of Things (IoT) refers to the emerging network everyday objects (e.g. toasters, fridges, cars) which become “smart” by through computing and Internet connection, thus exceeding their original purpose and usefulness. A botnet is a network of “zombie” computers, or in this case IoT devices, whose security has been compromised so that their computer power may be leveraged by hackers in further cyber-attacks.
 For example the recent reports about US restaurant chain Panera Bread, alerted by security researcher Dylan Houlihan and security blogger Brian Krebs to a security vulnerability the former found by probing its internet-facing systems (Kirk 2018).
Benn, P. (1997). Ethics. London, Taylor & Francis Group.
Chandrika, V. (2014). "Ethical Hacking: Types of Ethical Hackers." International Journal of Emerging Technology in Computer Science & Electronics (IJETCSE) 11(1).
e Silva, K. K. (2018). "Vigilantism and cooperative criminal justice: is there a place for cybersecurity vigilantes in cybercrime fighting?" International Review of Law, Computers & Technology 32(1): 21-36.
Facebook (2018). "Information - Responsible disclosure policy." Retrieved 17 April 2018, from https://www.facebook.com/whitehat.
Google (2018). "Google Vulnerability Reward Program (VRP) Rules." Retrieved 17 April 2018, from https://www.google.com/about/appsecurity/reward-program/.
UK Government (2015). National Security Strategy and Strategic Defence and Security Review 2015. London.
UK Government (2016). National Cyber Security Strategy 2016-2021. London.
Holt, T. J. (2009). "Examining the Role of Technology in the Formation of Deviant Subcultures." Social Science Computer Review 28(4): 466-481.
Jordan, T. (2008). Hacking: digital media and technological determinism. Cambridge: Polity.
Kant, I. (1785). Groundwork for the Metaphysics of Morals. Rethinking the Western Tradition. A. W. Wood and J. B. Schneewind. New Haven, United States, Yale University Press.
Kirk, J. (2018). "Panera Bread Data Leak Persisted For Eight Months." Retrieved 22 April 2018, from https://www.bankinfosecurity.com/panera-bread-data-leak-persisted-for-eight-months-a-10760.
Aristotle (2006). Nicomachean Ethics, Books II-IV. Clarendon Aristotle Series. C. C. W. Taylor and L. Judson. Cary, United Kingdom, Oxford University Press.