Hackers have been all over the news in an era where everything seems to run on the internet. Our data lives on the internet too, including card numbers, social security numbers, phone numbers…basically every sort of number. Hackers can get their hands on this information if you’re not careful (and sometimes even if you are careful). People who do this are known as black hat hackers. These are the ‘bad guys’ of the internet who steal data for their own personal gain. Think of identity thieves or bank robbers, hence the “black hat,” like the ones the villains wore in old western films.
White hat hackers, though, are on the opposite end of the spectrum. White hats are the ones trying to bolster the security of your private data, and they actually do that through hacking. White hats receive permission from agencies and companies to try to find any potential areas that can be breached. This is completely legal, and those who have permission aren’t subject to any criminal charges. In fact, most white hats are employed by those that they’re trying to hack. However, it does get a bit trickier when you’re talking about those who didn’t get permission.
A subset of the white hats is known as gray hat hackers. White hat hackers simply find weaknesses and then don’t do anything with the information that they’ve obtained in their hacks. Black hats have very malicious intent, and gray hats are somewhere in between. Gray hats are those who find and exploit weaknesses, but don’t use them for their own monetary gain at an individual’s expense. Instead, they may tell a company that they’ve found weaknesses and will fix them in exchange for money or a job.
Of course, this falls into a legal “gray” area, if you will, as some of them violate laws with their hacking but don’t get severe punishments because they didn’t actually steal anything. In most cases, gray hats are subject to a small fine or even just a warning. That doesn’t mean white hat and gray hat hackers have always stayed out of legal trouble, though, especially in recent years. The US Department of Justice has ramped up efforts against all hackers, especially when it comes to extortion.
A new policy called the Computer Fraud and Abuse Act is trying to weed out the hackers who use their talents to exploit for money. “The new policy acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith,” the DOJ said. “For example, discovering vulnerabilities in devices in order to extort their owners, even if claimed as ‘research,’ is not in good faith.”
With that in mind, you have to be very careful about what you do as a white hat hacker and make sure you have permission to do it. As of now, the Department of Justice is not seeking any legal action against those who fall under the definition of white hat hackers, but those in the gray area should be on high alert. “Good faith security research means accessing a computer solely for purposes of good faith testing, investigation, and/or correction of a security flaw or vulnerability,” the DOJ said.