
Ethical hacking and criminal law

On 24 Apr 2019 | In Criminal Cases | By M. Berndsen

Hacking often involves intruding into systems with malicious intent. That form of hacking is unquestionably punishable. There is, however, also hacking with a noble goal: so-called ethical hacking. This is also called white hat hacking, while malicious hackers are given the black hat.

Ethical hackers find vulnerabilities in networks and systems and distinguish themselves by not abusing them, but instead reporting them directly to the administrator of the system. In this way the leak can be plugged and the system in question is better protected.

For example, pointing out that a database reachable through a form on a website is susceptible to SQL injection can fall under white hat hacking. Other actions fall outside the scope of ethical hacking, such as carrying out a DDoS attack or forcing access to a system by brute force.

Dutch law makes no distinction based on the intentions of a hacker. Various penal provisions, including breach of computer peace (computervredebreuk, art. 138ab of the Dutch Criminal Code), in principle also apply to ethical hacking. The legislator wanted to emphasise that hacking into a system is 'unconditionally not permitted' (see B.J. Koops and J.J. Oerlemans (eds.), Criminal Law and ICT, The Hague: Sdu 2019, p. 39). In practice, however, this does not always lead to a conviction (assuming the hacker's identity becomes known at all). In the first place, a hack carried out in good faith is not always reported to the police. Secondly, a conviction requires unlawfulness. This is where the opportunities lie for the ethical hacker.


No police report in case of Coordinated Vulnerability Disclosure

Many organisations today have a policy on Coordinated Vulnerability Disclosure (CVD), also known as Responsible Disclosure (RD). This means reporting vulnerabilities responsibly, in a manner determined by the organisation. If a vulnerability has been demonstrated and reported in accordance with these rules, in principle no police report will be filed. On the contrary, an honourable mention or even a reward is sometimes promised.

CVD policy originated from the realisation that organisations benefit from being informed as quickly and carefully as possible about vulnerabilities in their systems. By means of this policy, organisations make it known in what way, and under what conditions, they are prepared not to file a police report for, for example, a breach of computer peace. This provides clarity in advance about the 'rules of the game' of ethical hacking at the organisation in question.

In 2013, the National Cyber Security Centre (NCSC) published a guideline to establish a practice of responsible disclosure. This guideline was updated in 2018 on the basis of the experience gained. The NCSC emphasises that the reports of recent years have improved the security and continuity of information systems, thereby recognising the value of ethical hacking.

The Public Prosecution Service published a policy letter in 2013. In this letter, the Board of Procurators General explains how the Public Prosecution Service should act in cases of ethical hacking. The starting point is that no criminal investigation will take place in the event of "restoration of rights" between the reporter and the organisation. At the same time, the letter emphasises that responsibly reporting a vulnerability "in no way exempts" the reporter from the possibility of a criminal investigation, or even prosecution, after all. In case of doubt, the Public Prosecution Service wants to be able to assess whether a reporter has gone too far.


Assessment criteria of the Public Prosecution Service (OM) and the court

The criteria for assessing ethical hacking are whether the action was necessary and whether the requirements of proportionality and subsidiarity have been met. For necessity, it is assessed whether there was an overriding public interest. Proportionality concerns the question whether the means chosen were in reasonable proportion to the objective. Subsidiarity, finally, concerns whether the hacker could and should have acted differently. Among other things, it matters here that a vulnerability is reported as soon as possible.

If criminal prosecution does take place, the white hat hacker may plead that his actions lacked unlawfulness. If the court upholds this defence, acquittal will usually follow (for example in the case of a breach of computer peace).

In the case of a hacker who penetrated a hospital's server, the court accepted that it was necessary to prove that the network was poorly secured. Nevertheless, the hacker did not go unpunished, because he immediately informed a journalist and later accessed the server a number of times. Moreover, he searched the system for the data of a well-known Dutch person. The court therefore ruled that the limits of proportionality had been exceeded and convicted the hacker of breach of computer peace.

In a case from 2018, a suspect was likewise reproached for going directly to the media. Here too, the requirement of proportionality was not met.


Conclusion

In short, the ethical hacker is advised to first check the Coordinated Vulnerability Disclosure policy of an organisation. The content of this policy matters: it can describe in which cases a police report is or is not filed. For example, extensive scanning of systems is not always appreciated, because the organisation cannot tell in advance whether it is dealing with a white hat hacker or a malicious intruder. Unnecessary costs may then be incurred by deploying the Computer Emergency Response Team (CERT).

Above all, it is important to keep the infringement as limited as possible by using the least invasive means, not taking any data and reporting the leak immediately. The latter should also be done prudently, for example by encrypted e-mail, so that third parties cannot learn of the vulnerability. It is also inadvisable to actively set conditions of your own, such as a reward; the initiative for that will have to lie with the organisation. Finally, it is advisable to go public with the discovery only after the vulnerability has been resolved.

Unless the ethical hacker remains completely anonymous, prosecution can never be ruled out entirely; after all, the criteria leave room for interpretation. However, when all these conditions are met, the risk of criminal prosecution, despite the rather unyielding legal text and parliamentary history, is relatively small. Prosecution should never take place in these cases. After all, the reporter who limits the infringement, takes nothing and reports directly and in accordance with the organisation's RD policy is doing the organisation and society a service.
