
Should gray hat hackers be allowed to help discover security flaws?


The ethics and legality of gray hat hacking are controversial, and the answer depends on whether one takes a deontological or a humanitarian view. It may not always be the first thing on the general public's mind, but when the issue comes up, it sweeps across the front page of every newspaper. Famous examples cited as gray hat hacking include WikiLeaks, Edward Snowden, and Khalil Shreateh's demonstration of a flaw by posting on Mark Zuckerberg's own Facebook timeline. Since the outcomes of these cases have not followed a consistent standard, deciding on the ethics of gray hat hacking will help shape the law and drive change.

White hat hacking is when computer security experts are formally employed by a company to test that company's own systems with explicit permission. Only a specified part of the system is in scope each time, and the expert follows the company's directions and reports the results. Black hat hackers break into systems without permission, usually for their own benefit, money, or fame. Strictly speaking, gray hat hackers are those who break into systems without permission but usually with good intentions. They may have done so out of interest, out of curiosity, or by accident. They do not sell the data for profit, and they will help the company fix the security holes after the hack, either for free or for reasonable compensation. For this paper, I include anyone who broke into a system with good intentions in general.

The deontological view holds that there are absolute standards of right and wrong; lying, cheating, and killing, for example, are always wrong. On this view, breaking into someone's system without permission is a disrespect of and violation of their privacy, since the gray hat hacker breaks in first and only afterwards asks for forgiveness by explaining the security hole to justify the action. When hackers judge the ethics of their own actions, that judgment is shaped by their own belief system, so they may still cross the line while convinced they did the right thing. Once we allow some gray hat hacking, we almost have to judge case by case, and the room for unfairness that creates means disorder.

The humanitarian view holds that we should consider human behavior together with its context. It is possible to have good intentions but a bad result, or bad intentions with a good result. Both are weighed, but more weight is placed on right intention. In the Facebook case, for example, Khalil Shreateh repeatedly told Facebook about the security hole he had found but was not taken seriously. The hole let strangers post on someone else's Facebook timeline. At the same time, Facebook failed its responsibility to its users under consumer rights by not warning them about the hole or its plan to fix it.

We can understand Facebook's side: the company is run by humans as well. Although it has bug bounty rules to reward people who report security holes, it probably wanted to save face after the flaw was demonstrated on its CEO's own account. It probably also did not want to admit that an outsider, someone with no known background, knew more than its own years of experience. Its initial response was to refuse to pay the bounty because Shreateh's demonstration was intrusive and broke the program's rules. Such an inconsistent response once again shows that people, from the company to court judges, are humans who make mistakes and do not respond under consistent standards.

In 1999, a seventeen-year-old defaced the homepages of three U.S. government websites, those of NASA's Goddard Space Flight Center, the Bureau of Land Management's National Training Center, and the Defense Contract Audit Agency, replacing each with a message. The message asked them to fix the security flaws he had already told them about, which had presumably been ignored. The hacker, known as "ytcracker", said he acted only because he saw no other way to get the flaws fixed, and that he did it to make sure the country's military systems were protected.

Across the cases we have considered, a pattern recurs: the gray hat hacker had often already tried repeatedly to let the victim know about the security holes he or she discovered. The company's response was not to take the issue seriously, which meant the hole could go on affecting many more unknowing users of the company's product. Weighing the privacy of the company and its users against the security of hundreds of thousands of people, gray hat hackers chose the latter. This is understandable because, as a habit of their profession, they are used to treating computer security as the most important aspect of the problem.

Therefore, I propose a modified law that sets a standard for evaluating a reasonable fix time and reasonable compensation in these cases. The law should also allow individual companies to set their own security policy. Some may want a stricter policy, such as no gray hat hacking allowed at all. Others may want a more flexible policy so they can benefit from outside help, so that gray hat hackers who want to help do not have to worry about legal consequences. Further, lawmakers should work with security experts to decide and mediate a reasonable period for companies to fix security bugs, and to keep gray hat hackers from asking for unreasonable compensation in particular cases.

Beyond the law, I also propose a group of computer security experts who can handle cases on behalf of gray hat hackers; this avoids the problem of a single person justifying their own actions. Every member of the group would be vetted to make sure they are not black hat hackers and will follow professional and ethical standards. This creates a path for gray hat hackers caught in this dilemma: they can let people outside the company alert and pressure the company to fix the security holes. It also buys some time before consumers must be told, so that black hat hackers do not learn of the holes as well. Publicizing the problem contributes nothing when the added good and the added harm are about the same.

 

 
