Ethical Hackers (White Hats), Grey Hat and Black Hat Hackers
The terms “hacking,” “ethical hacking,” and reverse engineering (“reversing”) are not synonymous. Use of the word “hacking” alone is an abused and somewhat dated term with many different contextual meanings. Without context, “hacking” has become meaningless. Too often “hacking” is associated with social or media efforts to create a predetermined impression or provoke a certain reaction from a non-technical audience who simply equate “hacking” with “bad” – either immoral or illegal.
But the question whether ethical hacking or reversing is “illegal” is usually localized by state or country if the law can be determined at all. Technology usually progresses faster than law, and the law and public policies that underpin hacking are currently in their relative infancy, even in relation to other aspects of technology law. Legal protection for ethical hackers needs development at both a judicial (law) and legislative (policy) level. Our discussion of the main, existing legislation and some judicial decisions that apply to hacking is here.
Our discussion of reverse engineering is a separate discussion, which is here.
This discussion addresses hacking or ethical hacking as a narrower discipline than reverse engineering. For purposes of this discussion, we limit hacking or ethical hacking to the practice of what is called penetration testing to determine the security or vulnerabilities in the systems or networks of a given enterprise.
In common parlance, there are essentially three classes of “hacker,” each referenced by the different color of their “hat”: Black, White, or Grey. By definition as a hacker, all “hats” ferret out or exploit computer system and network weaknesses. Their differences are intent, motive and sometimes, legality.
Black Hats’ self-serving malicious activities range in motive from financial gain to conjuring fear or chaos.
White Hats (“Ethical Hackers”) are usually professionals who practice their craft absent criminal intent, and with the contractual approval of a principal enterprise or employer. White Hats render a straightforward business service, and are generally hired by a commercial enterprise to perform what is called a penetration test: a technique intended to determine the relative security of a system or network. With the results of penetration testing, an enterprise can identify its own system or network weaknesses and eliminate them before criminal Black Hats can exploit them. White Hats deserve legal respect. But White Hats can also have legal exposure and vulnerability to lawsuits, even when they hack systems with good intent, but do so essentially unsolicited or uninvited within the context of a formal contractual engagement by a principal, as we explain below.
Grey Hats frequently hack systems without approval or authorization from a principal enterprise, usually to prove they can, but then usually notify the system or network owner or vendor of any discovered weakness.
Presently, a major legal challenge for White Hats is the risk of subjective judicial interpretation about their conduct and intent in performance of their work. The law currently does not provide much of an objective legislative framework, and not much of one in judicial decisions, which ideally should balance potentially unfettered powers of a hacker compared to the principal or organization that owns the system to be hacked for investigation, together with standards for what degree of discretion a hacker should have once engaged to get the job done if the scope of work described in a contract does not adequately address a given situation as it might arise.
Similarly, the community of professional ethical hackers is relatively new, and self-imposed codes of conduct or ethics are emerging but not universally accepted or applied. Our discussion of various industry self-imposed codes of conduct is [here].
A few obvious questions raised by lawyers and among those who employ White Hats are whether their ethical hacking is truly ethical, and why? And, more specifically, is ethical hacking legal?
Most principal organizations and the White Hats they deploy believe a principal’s contractual authorization of the White Hat to test their own system, network, defenses or security itself should be the legal protection to justify both sides of the hacking equation in this context; specifically: (1) is the initial act of retaining or engaging a White Hat sufficient legal justification or protection for what may emerge as questionable moral or legal activities by the White Hat; and (2) the White Hat’s belief that because they have a contract with a principal they are legally justified to act in the best interests of the principal. This dichotomy can translate into an “ends justify the means” attitude that can present grey legal challenges, even when the players are an honest principal that has engaged an honest White Hat – or a White Hat that believes in their own honesty and ethics.
The reality in life, however, is that few things are truly Black and White, and this truth is no different regarding Black Hats, Grey Hats or White Hats. Every “Hat” wears a shade of grey tempered by their intent or motive. Some White Hats venture beyond the law because the law is unclear, or they do not realize they are astray. Some hackers go to great lengths to test the systems they are hired to analyze.
A good example of how grey a White Hat’s activities can become can occur when a White Hat logs into a subject system, but with someone else’s credentials, which credentials may have been obtained illicitly. After all, so goes the argument, if the White Hat does not know for sure if the system can be accessed that way, how can it be tested thoroughly to accomplish the goals of the contractual engagement? At this point, this access is illegal, because the White Hat has used another person’s confidential information. If this is, for example, the confidential information of a customer or employee of the principal enterprise, then the White Hat and the principal may have violated pertinent data protection legislation which proscribes precisely this approach to system security analysis, which legislation we discuss here.
To further illustrate, to test the principal enterprise’s system, the White Hat may surreptitiously obtain access from the principal’s business partners who have legitimate access to the principal’s system or network. It is common for many sophisticated enterprises already to have deployed strong security measures before the engagement of the White Hat, and the very purpose of the White Hat’s engagement may be to focus on the weakest elements in systems that are shared or which can be accessed by an enterprise’s supply chain – by their suppliers or customers. It is also common for the supply chain players to be smaller enterprises who themselves have unsophisticated system or network protections, but who by virtue of being in the supply chain of a larger, more sophisticated enterprise have privileged access to the systems or networks of their upstream business partners. So, for the White Hat to test the principal enterprise’s system, the “ends justify the means” attitude may make intuitive sense, and result in the White Hat deciding to access the system of a downstream supply chain business partner to test whether the principal enterprise can become a target given the downstream supply chain access or back door.
And thus the legal issues arise. Did the principal enterprise include the downstream business partner in the scope of the White Hat’s testing? If not, has the White Hat thus exceeded the bounds of permissible law? What then is the legal liability of the principal enterprise that has essentially engaged in conscious avoidance of the methods used by its White Hat?
Legal liability and protection for White Hats, Grey Hats and their consulting clients or employers is an evolving area of law and policy. Ethical Hacker attorneys and attorneys for the commercial enterprises who engage them must have extensive knowledge of ethical hacking law to defend or advance the rights of our clients. Our attorneys have over thirty years of experience generally, and cutting edge experience that has evolved with this relatively new and evolving field of law. Our ethical hacking or White Hat attorneys are committed to protecting our clients’ commercial interests from Black Hats or other people seeking to interfere with those rights or interests. Located in Chicago and Elmhurst, Illinois, we have won judgments or settlements for our clients in disputes or suits throughout the Chicago area. To arrange for a consultation with one of our attorneys, contact us online or call at 630-333-0333.
The attorneys at Lubin Austermuehle have over thirty years of experience defending and prosecuting non-compete, trade secret and restrictive covenant lawsuits. We are committed to fighting for our clients’ rights in the courtroom and at the negotiating table. Conveniently located in Chicago and Elmhurst, Illinois, we have successfully litigated non-compete and trade secret and covenant not to compete cases for clients all over the Chicago area. To schedule a consultation with one of our skilled attorneys, you can contact us online or give us a call at 630-333-0333.