Given the increasing instances of cyberattacks and threats on businesses and government-owned IT networks around the world, which have intensified during the Covid-19 pandemic-induced lockdowns, some experts feel it is time India worked on having a holistic legal approach to ethical hacking as a paradigm.
The absence of a data protection law, which is currently in the making, and of a comprehensive legal framework on cybersecurity only adds to the greyness in this matter.
“There is a distinct necessity for India to have a legal standpoint on ethical hacking,” says Pavan Duggal, a cyberlaw expert.
The presence of a Standing Operating Procedure for ethical hackers to operate within certain parameters would help, he adds.
Experts say that when someone hacks into a computer system with the permission of the owner, with no mala fide or criminal intention, it is not considered an offence. However, if the hacking into the system goes beyond what is permitted by the owner, it should be construed as criminal activity under the current cyber-law framework.
In the United States, for instance, the Computer Fraud and Abuse Act, enacted in 1986, has been amended several times, not only to prohibit intentionally accessing a computer without authorisation but also to apply to what is in excess of authorisation.
According to Mishi Choudhary, legal director at Software Freedom Law Center, a comprehensive data protection law will go a long way in protecting citizens or putting strict liability for financial fraud enabled by technology.
However, some peculiar issues faced in India arise as the people who are tasked with the job of enforcement are not trained to distinguish “hacking” from “ethical hacking”.
In the US, there are several laws, such as the Stored Communications Act and the Electronic Communications Privacy Act, where what was done by a so-called ‘hacker’ matters, as in any criminal prosecution, adds Choudhary.
There are some experts, such as J Prasanna, chief executive of Singapore-based Cyber Security and Privacy Foundation, who do not have issues with the current cyber legal framework in India. “Most issues arise due to lack of application and enforcement of the rules,” says Prasanna.
A change in tack by corporate India towards incidents of cyberattacks and threats may also be the need of the hour.
Generally, Indian companies do not take any reported vulnerabilities in their cybersecurity seriously, say experts. They either ignore them or do not acknowledge them, citing reputation risks. Most avoid approaching law enforcement agencies to report hacking incidents or attempts by hackers to extract money.
Experts say businesses need to proactively acknowledge vulnerabilities in their system and fix them. “Any threats by hackers should be reported to the police for further investigation,” says Prasanna.
Any criminal act comprises two elements:
- Mens rea, that is, bad intention
- Actus reus, that is, the physical act
In ethical hacking, the first ingredient of an act to be called ‘criminal’ is missing.
The act of hacking, on the other hand, is defined under law in Section 66 (along with Section 43) of the Information Technology Act, 2000. According to the Act, hacking is punishable with imprisonment up to three years, along with a fine of up to Rs 5 lakh.
Following the amendment of the Act in 2008, hacking was made a bailable offence.
When someone hires ‘ethical hackers’
- Be clear about the specific ambit of activity of the ethical hacker
- Have a written consent and agreement for the tasks to be performed
- The agreement should also stipulate legal consequences if the ethical hacker acts beyond the contracted agreement
- Have some level of supervision of the activities