Ed. Note: This post by Tanvi Apte is a part of the TLF Editorial Board Test 2018.
It is 2008. An entity called ASTRA has been stealing sensitive weapons technology from the Dassault Group for over half a decade and selling it to individuals, costing the company $360 million and the world much more.[1] Ironically enough, ASTRA means “weapon” in Sanskrit.
It is 2013. Every single one of the 3 billion accounts of Yahoo has been compromised. Personal information is known to be floating on a cloud called the “dark web”. No one conclusively knows who is responsible.[2]
It is 2016. American Presidential Elections are around the corner. Someone called Guccifer 2.0 has gained access to the Democratic Convention Network and leaked thousands of classified documents. Yet again, no one knows Guccifer 2.0, but everyone knows the impact of his actions.[3]
These events are just the tip of the iceberg. They are common examples of what is perceived to be “hacking”. A combination of fascination, curiosity, and dread is what comes to most of our minds when we think of hackers, thus making the community an enigma. It is this enigma that has made society perceive hackers as fringe elements. Their anonymity, precision, lack of detection and the sheer impact of their actions have made us wary of them, thus promoting the perception that all hackers are criminals or at the very least, anti-social elements.
However, contrary to popular perception, not all hacking is illegal and not every hacker is a criminal. To start with, there is a nomenclature problem. The term “hacker” refers not only to criminals but also to those who help organisations make their systems more secure. They use their skills in a constructive and intelligent manner, thereby preventing crime. There is another term for maliciously accessing others’ systems without authorization – “cracking”.[4] Sadly, few know of the distinction between hackers and crackers. Thus, crackers have been collapsed into the term “hackers”, which delegitimizes and demeans hackers themselves. As a result, even a well-intentioned hacker is perceived to be a malicious criminal.
Due to this misconstruction, hackers have begun stratifying themselves in other ways, that is, by calling themselves “ethical” or “white hat hackers”, in contrast to their malicious counterparts – “black hat hackers” or “crackers”. Furthermore, some also identify themselves as “grey hat hackers” – those between the black and the white whose actions might not be strictly “ethical” all the time.[5] Thus, hackers are developing specialized identities to gain legitimacy in the eyes of law and society.
This attempt of the hacker community to gain legitimacy has been reflected in Indian law to an extent. The IT Act 2000[6] is the chief legislation against hacking in India. It is important to note that the word “hacker” has been omitted from this Act via amendment in 2008.[7] This omission explicitly shows that the law does not consider every hacker a criminal in a blanket fashion. It recognizes that not all hacking is illegal. This leads to questions about the threshold used to determine the legality of hacking. Two aspects are used to determine this threshold – consent and intention, the simultaneous application of which leads to a gradation of liability.
Hacking with consent of the owner but without malice does not invite any liability. Major companies and security agencies even invite hackers to find faults in their system and subsequently reward them for their work. For example, Alphabet paid a staggering $112,500 to a security researcher who found two bugs in its Android system. [8]
Hacking without consent but lacking in malicious intention, however, does invite civil liability under Section 43 of the IT Act. Thus, hacking is actionable per se. Moving further up the severity scale, hacking without consent and with malicious intention (cracking) invites criminal liability under Section 66 of the Act. In addition, cracking also attracts the provision of cyber theft under Section 378 of the Indian Penal Code, thus cementing the severity of the offence.[9]
Therefore, it is seen that Indian law recognizes different levels of severity as a basis for fixing liability. This is in tandem with how hackers categorize themselves. Ethical hacking or “white hat hacking” does not invite any liability while cracking or “black hat hacking” invites the most severe liability. Hacking without malice falls within the ambit of “grey hat hacking”, thereby inviting civil liability, the middle ground in this scenario. Thus, all cracking is illegal but not all hacking is illegal. Hacking becomes illegal at the point where consent of the owner of the system so hacked does not exist.
While this gradation of liability by law does serve to alter the blanket perception of illegality associated with hacking to an extent, it is not enough in itself. The legal system must make hackers abandon their ambivalence and perceive law as liberating rather than as restrictive. It is important to simultaneously develop a vibrant counter culture of ethical hacking because ethical hackers are the only ones who have the expertise to stop their malicious counterparts. The aim of law is not only to punish but also to prevent. Explicit support to ethical hackers will be an effective tool to achieve this objective. This can be done by providing legal recognition and subsequent rights and incentives to hackers. More awareness about ethical hacking both at the domestic and international level along with laws that present favourable conditions for the surrender of crackers will also go a long way in achieving the same. These changes must however be brought about keeping in mind the policy concerns associated with creating an environment which “breeds” a community of “genius” hackers who could pose a serious problem if they turn sour.
Thus, the pivotal role of ethical hacking in the prevention of cracking has not been explicitly acknowledged by the black letter of our law and our legal system yet. The onus is on the legal system and its enforcement institutions to keep integrating more ethical hackers within it for systematic, robust crime control in the future.
[1] Damien Scott, The 8 Best Computer Hackers of All Time, Complex, February 13, 2012. (http://www.complex.com/pop-culture/2012/02/the-8-best-computer-hackers-of-all-time/)
[2] Selena Larson, Every single Yahoo account was hacked – 3 billion in all, CNN tech, October 4, 2017. (http://money.cnn.com/2017/10/03/technology/business/yahoo-breach-3-billion-accounts/index.html)
[3] Joel Lee, 10 of the World’s Most Famous Hackers & What Happened to Them, MUO, June 28, 2017. (https://www.makeuseof.com/tag/5-of-the-worlds-most-famous-hackers-what-happened-to-them/)
[4] Abhishek Jaiswal, Cyber Hacking law, Legal Services India. (http://www.legalservicesindia.com/articles/cyhac.htm)
[5] Clare Edwards, Is Computer Hacking a Crime?, It Still Works. (https://itstillworks.com/computer-hacking-crime-1387.html)
[6] The Information Technology Act, 2000 (Act No. 21 Of 2000).
[7] Sylvine, Laws Against Hacking in India, Pleaders, July 1, 2016. (https://blog.ipleaders.in/laws-hacking-india/)
[8] Luke Stangel, Google just cut a check for its biggest bug bounty in history, Silicon Valley Business Journal, January 22, 2018. (https://www.bizjournals.com/sanjose/news/2018/01/22/google-bug-bounty-android-guang-gong-goog.html)
[9] supra note 4.