WHAT IS ETHICAL HACKING AND HOW FAR IS IT LEGALLY PROTECTED?
The term “hacking” can be described as the process by which a person gains unauthorized access to someone’s online accounts by bypassing their security. People who indulge in this kind of activity are known as hackers. The term “hacker” was first coined by the Massachusetts Institute of Technology in the 1960s to define people who were involved in the process of hacking. Hacking, in general, is illegal because it is used to bypass security systems and gain unauthorized access to people’s cyber information. However, ethical hacking is different in this regard. The two can be differentiated from each other in two main aspects: intention and permission. Ethical hackers have no mala fide intention with regard to their actions. Their main purpose is to point out the system’s vulnerabilities and not use them to their own advantage. However, this is not the case with unethical hackers.
Furthermore, ethical hackers are often hired by firms and/or government organizations to keep a tab on their cyber security systems. Usually, they have prior permission from the appropriate authorities before bypassing the system. However, this is not the case with the other hackers, which makes their activities illegal. It is important to note that online hacking can only be done by people who are aware of the technical intricacies. Often, people with such expertise are hired by the government or private organizations to test their security systems and to find flaws and loopholes, so that they can be corrected. This type of hacking, which is done after being hired or to find loopholes in a cyber-system, is called ethical hacking.
BASIC STEPS OF ETHICAL HACKING
Ethical hacking involves duplicating the steps of a criminal hacker to gain unauthorized access into a cyber system and can involve things like jamming the system, stealing data, or introducing malware or a virus into the system. To better grasp the work of an ethical hacker, it is important to know the general process of ethical hacking. Ethical hacking consists mainly of 6 steps:
i) Reconnaissance- This is the step where the hacker gains active or passive knowledge of the target system. This is done by using tools like Google Dorks.
ii) Scanning- In the second step, the hacker looks for vulnerabilities in the cyber system.
iii) Gaining access- In the third step, the hacker tries to gain access to the system in order to exploit the vulnerabilities of the target system.
iv) Maintaining access- In this step, the hacker creates backdoors so that the system is easily accessible as per the hacker’s wishes.
v) Clearing tracks- After creating the required backdoor, the hacker tries to wipe away any trace of ever having accessed the system.
vi) Reporting- In the final step, the ethical hacker reports all findings to the owner of the system.
It is important to note that ethical hackers have no criminal intent and more often than not, their actions are pre-approved by the required personnel. In this article, the author aims to enumerate the various types of ethical hacking, their benefits, and the laws surrounding the same. The author has also tried to talk about the challenges that the concept of ethical hacking faces in India.
TYPES OF HACKERS
There are 3 main types of hackers:
1) White Hat Hackers- They are also known as ethical hackers. They hack into the cyber security systems of firms and organizations not with any mala fide intention but to find out all the loopholes and vulnerabilities of the system so that they can be resolved. They are often hired by firms like Apple and Microsoft to hack into their systems and find their vulnerabilities, often before the final product hits the market.
2) Black Hat Hackers- These hackers use their technical knowledge to hack into the security of firms and organizations. They are criminals in the true sense of the word and hack into cyber security systems with ill will and mala fide intentions. They often steal information, release malware into the system, or hold the computer system hostage.
3) Grey Hat Hackers- They are hackers who hack into security systems without the knowledge or authorization of the owner. They do not hack into the system with any mala fide intention but rather do so for fun. They intend to point out the vulnerabilities of the cyber system and hope to receive appreciation for the same.
These are the three broad categories of hackers. It is important to note that they mainly differ from each other in terms of their intentions. While all hackers are technical experts who hack into cyber systems, their motives are what differentiate them from each other.
BENEFITS OF ETHICAL HACKING
In a world where technological dependency is increasing day by day, cybersecurity has become a priority. However, time and again, there have been a number of data breaches by hackers that leaked sensitive and personal information online and put the public and their safety at risk.
Data leaks pose a very tangible threat to the security of people. The Equifax data leak, the Adobe data leak, the Zhenhua data leak, and the Yahoo data leak are some examples of the same. In May 2017, the data of thousands of British, American, and Canadian citizens was leaked onto the dark web. This came to be known as the Equifax data leaks case and is currently one of the biggest identity theft cases in the world. Similarly, the Zhenhua data leak brought to light a number of strategic identity thefts and is even being tied to espionage.
These data leaks occur when hackers bypass the security system of a firm or an organization’s cyber framework and gain unauthorized access to sensitive and personal information which ends up affecting millions of people. Such a bypass of security is only possible when there are loopholes and vulnerabilities present in the cyber security system. This is where ethical hackers step in. They check the cyber security system for all the vulnerabilities and loopholes so that they can be fixed. They put themselves in the shoes of a Black Hat hacker and try to find all the weak spots of the system that can be exploited. This service of ethical hackers is often used by giant firms like Apple and Microsoft to ensure that they can give the assurance of having the most secure system on the market and avoid any potential data breaches and leaks.
LAWS SURROUNDING ETHICAL HACKING
Before analysing the laws around ethical hacking, it is important to understand the debate between ethical and unethical hackers and what differentiates them from each other. Technically, there is no difference between the two as far as their skill sets are concerned. They both have technical expertise. However, the main bone of contention between the two is their ethics and morals. While ethical hackers don’t cause any harm to the cyber system and help in making the system more secure, unethical hackers intend to cause harm and do not care about their moral or legal obligations. While Black Hat hackers have the mens rea (intention) to commit a crime and are responsible for the dark side of the web, White Hat hackers have no such intention. They use their knowledge to safeguard the system and not to exploit it. Thus, mens rea is absent in the case of White Hat hackers.
Countries like the United Kingdom have protected ethical hackers by looking into the act with the essentiality of mens rea and actus reus. This focus on the presence of mens rea as a necessity to prove criminal intent can often backfire as far as ethical hacking is concerned. This is so because mens rea (intent) is already difficult to prove as a stand-alone concept. When, technically, there is no difference between the actions of an ethical and an unethical hacker, an ethical hacker can only be protected by proving his lack of mens rea. This can be a difficult task, especially in cases where there was no prior permission from the required authorities.
India has also made mens rea an essential element in cases of hacking. The IT Act has dealt with ethical hacking in various sections. Section 66 of the Act defines a “hack” and prescribes the punishment for it. Section 65 of the Act clearly states that tampering with documents on a computer or online system is an offence. Section 72 of the Act makes the breach of online privacy (and thus the act of data leaks) illegal. In all of the aforementioned sections, mens rea must be present.
Section 84 of the IT Act deals with White Hat hackers directly. It clearly states that if a person is hired by a government organization or a controller of an organization in order to bypass their security system so that the same can be made safer in the long run, then that person is not liable for the offence of hacking. This is because the criminal intent is missing from the act. The 2008 amendment to the IT Act made hacking a bailable offence. However, a large part of the community believes that, due to the lack of jurisprudence around it, there is no comprehensive legislation surrounding ethical hackers and it has become the need of the hour to enact a meticulous law on the subject.
As stated earlier, the only thing differentiating a Black Hat hacker from a White Hat hacker is their intention (mens rea), which is extremely difficult to prove on its own. While this protects the interests of White Hat hackers to a certain extent, it still does not provide them with complete protection. It is important to note that there are no state or central laws which explicitly allow hackers to hack into cyber systems to look for vulnerabilities without prior permission. Ultimately, the entire case falls on the establishment of mala fide intention, which is still a huge risk for the person involved.
The word “hacker” generally has a negative connotation to a layman. Through this article, the author has tried to distinguish between the different types of hackers and has focused on the benefits of an ethical hacker and the laws which surround them.
In today’s world, where every aspect of one’s life is heavily dependent on the cyber world, the safety measures taken to protect the associated data are of the utmost importance. The absence of explicit laws which protect ethical hackers has created a risky scenario for them and thus stops them from taking bold steps without prior permission, which is a long enough task in itself.
While India encourages its youth to learn coding and technical expertise from a young age, it is crucial that laws are changed in order to protect ethical hackers so that there is no dearth of them, and firms and organisations are easily able to afford and avail of their services, without any fear.
Title image: Mint
This article has been written by Megha Gupta. Megha is a fifth-year law student from Dr. Ram Manohar Lohiya National Law University, Lucknow. Her areas of interest are history, constitutional law, human rights and IPR.