Should 'good' hackers be protected by law?

A Dutch MP who brought to light a security gap on a medical site is himself being accused of hacking crimes, pulling him into an ongoing debate in the Netherlands over 'ethical hacking.'

Henk Krol does not fit the stereotype of a computer hacker. He's not even that good with technology.

“I am quite the nitwit when it comes to computers,” says the recently elected Dutch parliamentarian of 50PLUS, a party that advocates for the interests of the elderly.

But Mr. Krol is facing criminal charges of "digital trespassing" in the Netherlands, thanks to his efforts to bring to light a security hole in a medical research center website. That act has put him squarely amid a Dutch debate over whether to protect "ethical hackers": hackers who act to find and report security holes to server owners.

Krol is expected in court on February 1, he announced yesterday via a tweet of his summons. But the accusations stem from last year, when a party member told him about a login to a medical research center's website that was going around on the Internet. The password was the same combination of five characters as the username.

“I was able to see medical records, with information like whether someone was HIV-positive. I was shocked to find it was so easy to access these data,” Krol says. “I called the research center, but they said I had to make a written report first.”

Sensing a lack of urgency, Krol called a local journalist. After his report was broadcast in the media, the medical center pressed charges. It also demanded compensation.

Although until recently he was unaware the term existed, Krol has been branded an ethical hacker. Ethical hackers, or "white-hat hackers," access computer systems with good intentions, for example to show that there is a security breach. However, under the current Dutch law, a company or an organization can still file a complaint against such hackers, good intentions notwithstanding.

This month the Dutch government explicitly acknowledged the importance of ethical hacking for the first time. A new non-binding directive, written by the cybersecurity department of the Dutch Ministry of Justice, lays out a new set of rules. Companies and organizations can adopt these rules as a kind of terms of service for ethical hackers. If the hacker promises to inform the organization that has a badly secured website and not to do any damage, the company says it will not press charges.

“We have tried to provide clarity for the different parties involved,” says Wil van Gemert, director of cybersecurity at the Ministry of Justice, who is responsible for the directive. “We call on companies to adopt this directive and make transparent policy on ethical hacking.”

But some say that the directive is too non-committal. “The directive has symbolic value, but is not worth much legally,” says Juerd Waalboer, co-founder of a website that allows hackers to report security leaks anonymously.

“The government clearly states that there is such a thing as ethical hacking and that it has a useful function in society.” But Mr. Waalboer points out that even if an ethical hacker adheres to the directive, a company still has the option of pressing charges. “If you really want to protect ethical hackers, then the law needs to change.”

Astrid Oosenbrug, member of parliament for the Labor party, says the directive is “a good first step,” but adds that more protection is needed for the hacker. “If I report a security breach but it leads to being summoned by a court, then the next time I would not report the breach, and that would be more dangerous,” Ms. Oosenbrug says.

“We do not want to oblige companies to refrain from filing a complaint,” says Mr. van Gemert, adding that there will always be cases in which a complaint is necessary – in part because it is not always immediately clear whether someone is an ethical hacker or not.

The European Parliament has legislation under consideration that would make cyber attacks a criminal offense, but would give an exemption to cases “when the damage caused by the offense is insignificant.” However, due to a political dispute with the European Council, voting on these rules has been delayed.

Even if the Netherlands or Europe pass such laws, Krol will not benefit from them. But he hopes the court will keep an open mind. "I'll be interested in hearing what the judges have to say," he says.
