Ethical Hacking vs Hacktivism: where perspective matters.
By Aqsa Hussain.
What is ethical hacking?
There are codes of conduct for almost every industry, from the rules of the game in sport to the constitution in law to safety measures in factories. Ethical hacking is no different. It is governed by a code of conduct created by a community who consider themselves to be experts in this line of work. In the formal sense, an ethical hacker is either a company or an individual who identifies and exposes potential threats on a computer system, before someone with malicious intentions does so. Upon discovery, these gaps in the system are plugged to ensure the safety of the computers and networks being probed.
Rules of the ethical hacking game
The rules of the game include: asking for explicit consent from the party to be probed, respecting their privacy, ensuring that there are no open avenues for malicious hackers to enter the systems and, finally, alerting the organisation/individual to any vulnerabilities found.
In fact, most companies with an online presence use a Bug Bounty program – a crowdsourcing initiative – to identify vulnerabilities on the company website in exchange for rewards in the form of compensation or recognition. Companies hope that in this way, instead of becoming victims of cybercrime, they remain a secure environment for their users.
However, there are instances when hackers attack a system under the umbrella of ethics, without adhering to the rules of the game. Can the ethical element of hacking still be present here?
The ethics of Hacktivism
When hackers enter a system without permission and with the purpose of hacking for the ‘greater good’, they consider themselves ‘hacktivists’ – conducting ethical hacking with a political purpose. Hacktivists attack the systems of organisations they fundamentally disagree with, with the goal of exposing their activities to the wider public. Although they don’t play by the rules, they do not believe that their actions are disruptive or illegal since they are merely calling attention to issues that matter.
Is hacking to counter controversial morals ethical?
Take the relatively recent 2015 hack of the online dating site Ashley Madison. A group called ‘The Impact Team’ attacked this website, which enabled married couples to engage in extramarital affairs. They obtained the personal information of the entire user base and in mid-August 2015 decided to release over 10 gigabytes of data (real names, addresses, credit card transactions, search history etc). That amounts to over 30 million people in over 40 countries. The Impact Team had provided the parent company of Ashley Madison, Avid Life Media, with numerous warnings, expecting it to be shut down based on the fact that it was immoral to create a platform to allow people to actively be unfaithful to their partners. Yet the parent company stood by the fact that they were merely providing a service in demand and it was not their role to judge its users’ morality. Evidently, the hacktivist team did not think such a response was sufficient. Can this be considered ethical hacking or is it a form of cyber-terrorism? The cliche of ‘one man’s terrorist is another man’s freedom fighter’ is in play here, where The Impact Team wholeheartedly believed that releasing all of that private information was right. Ashley Madison, by contrast, believes that the rights of its users were violated and that the act was nothing short of illegal.
Is hacking to counter terrorism ethical?
On the other hand, you have examples such as the hacktivist group Anonymous, which claims to be ‘at war’ with the terrorist organisation Islamic State (ISIS). They have been systematically hacking the social media accounts of ISIS members and followers as well as bringing down their propaganda websites. Their aim is to stunt the growth of the terror group. Can this be considered another form of ethical hacking, despite not entirely following the rules of the game?
Needless to say, the practice of ethical hacking is one in which you can become professionally qualified if you have the drive to seek vulnerabilities in a legitimate way and report them accordingly. Companies accept this intrusion into their system as a legal and justifiable act, rewarding it as such. Yet hacktivism requires no such qualification and its legitimacy comes down to being a matter of opinion. Many agree with the morality behind the Ashley Madison hack, whilst others claim it was a cybercrime causing immeasurable damage to users. Similarly, consider the ethics of countering IS’ online terrorism with what is itself a form of cyber-crime: can we consider this more ethical than, or as ethical as, the Ashley Madison hack?