
When is hacking 'ethical' - and when is it not?

· 10 min read
Eason Taylor
AppSec Specialist

Almost anyone who listens to the news or watches movies these days has heard the term hacking. For many, it evokes images of hoodie-clad criminals with fingerless gloves - furiously scanning through dark screens of green text in search of hidden secrets. But what about the hackers who aren't criminals and don't wear hoodies?

You may have heard of so-called ethical hackers... But what makes them different? And how clear is the line between them and 'the bad guys'?

Hint: It's not as clear as you might think 😉...

Isn't hacking stealing? a.k.a. BAD??

That is a fair question that highlights a need to define 'hacking'. While many equate hacking with stealing, I prefer another common definition for hacking:

Manipulating technology to make it behave in a way that differs from its original design.

I believe this is a more helpful definition than 'being bad and breaking into computers and stealing stuff,' which seems to be the most commonly implied definition by modern media outlets.

This is a more helpful definition because it still effectively conveys a clear meaning, but it also promotes a broader understanding of what it means to hack. It also removes some of the unnecessary stigma around the term.

Side Note

I had a coworker who once demonstrated a particularly clever manipulation of technology that made his life easier and helped him achieve his goals. I was fascinated and proud of him. However, because of the stigma that surrounds hacking, he very quickly made sure to state: "But I promise I'm definitely NOT a hacker! I don't know anything about hacking..."

I wish he had understood hacking the way I do so that he could wear the title of 'hacker' proudly. Hackers have the ability to make the world a better place with their unique skills, and I would love to see that represented more often in the way people talk about hackers.

To reiterate, no. Hacking is not (necessarily) stealing.

Of course, hacking can involve stealing... I think it's pretty clear that manipulating a computer to reveal sensitive information without proper authorization falls under the larger definition of hacking that I mentioned earlier. So is that ever okay, and if so, when?

'Ethical' vs 'Unethical'

While most of the world will probably always see hackers as nasty bad guys that break into computer systems, we in the security community have a more nuanced perception of hackers, often classifying them as 'white-hat' or 'black-hat' based on whether they have permission to do their hacking.

We'll often call someone a 'white-hat hacker' if we deem their actions to be ethical (watch out for that word... we'll talk about it more), but even with our nuanced perceptions, it's often difficult to label someone's actions as purely 'ethical' or 'unethical'.

But what is ethical?

The dilemma

One doesn't have to spend much time researching the topic of 'ethics' to find out that it's quite subjective. One of the most generic definitions you'll find for 'ethical' behavior is:

"conforming to generally accepted standards of conduct"

So it sounds like ethical behavior is behavior that conforms to generally accepted standards of conduct. But doesn't that change wherever you go? Different countries have different laws and cultures, and even different communities in the same region have unique customs. For example, here in the United States, it's perfectly acceptable in many areas to carry a gun in public places. However, there are many countries throughout the world - and even some places in the U.S. - where such behavior is strictly prohibited.

Thus, it seems that ethicality depends a lot on external factors - and those factors vary greatly between different places and contexts. The dilemma is: it's hard to know what's ethical and unethical depending on where you are. (BUT, that doesn't mean it's not important, and I'll talk about why near the end of this post.)

Ethics vs Morals

What would you say is the difference between ethics and morals? That's a question that had me thinking hard... and it seems like it's had that effect on others as well. Many dictionaries list ethical and moral as synonyms! But that's really interesting to me, because one such dictionary defines 'moral' as:

conforming to a standard of right behavior (as opposed to wrong behavior)

But who decides what's right and wrong? As a religious person, I personally believe God is essentially the one that dictates that, so it's certainly not up to 'the masses' to determine what's right and wrong. Even if everyone in the world thinks something is right, that doesn't make it right.

Even if you don't believe in God, I think you'll agree that other people don't get to decide what's right and wrong for you. And if you don't believe God decides what's right and wrong, I'm willing to bet you probably believe you are the one who decides what's right and wrong. (Technically, you might even say that's what I'm doing, because I make decisions based on what I believe God would want me to do.)

Therefore: if ethics pertain to what's socially acceptable/unacceptable, and morals pertain to what's right/wrong, then I don't think ethics and morals can be the same thing. Ethics and morals may align sometimes, but they're not the same thing. You may disagree, and that's fine! But that's not really the point I'm trying to make here. I'm setting the background for something much more important. For the purpose of this blog, I will stipulate that:

  • Ethics are interpreted by other people.
  • Morals are interpreted by you - and only you.

The importance of intention

I'm sure you've heard phrases like these before:

  • "It was not my intention to..."
  • "I didn't mean it that way."

These phrases are both referring to the concept of 'intention'. Intention refers to the purpose or goal someone has in mind when performing an action. When making a decision between right and wrong, intention can influence interpretation greatly. This is why the concept of 'white lies' exists. A white lie is a lie that is told with righteous intention. While most people generally consider lying to be wrong, they recognize that the intention behind a lie bears significant weight when determining whether lying is the right or wrong thing to do.

With ethics, however, intention doesn't seem to hold quite as much weight. I'll admit that intention seems to have some significance when it comes to ethics, but not as much as morals. Why? I think it's partially because it's much easier for one person to decide whether something is acceptable or unacceptable than it is for multiple people to agree on such a decision.

Why does this matter?: I think this is important to understand because - while I believe you should make ALL decisions based on what you think is right (morally correct) - you would be foolish to ignore what other people might interpret as ethical (socially acceptable).

Why do ethics matter?

Imagine that you're at a dinner party with a family that has invited you to their home. (And let's assume - for the purpose of this exercise - that you want to be there.) You, as their guest, are expected to behave a certain way. If you do not follow their rules and customs, you risk offending them. Offend them badly enough, and you may just get kicked out of the house.

The fact that what you did offended the family does not make it wrong. But their interpretation of your actions as unacceptable still affected you negatively.

That leads me to the first reason that ethics matter: Other people will probably attempt to punish you if they think your actions are unacceptable. You don't get to decide what other people think is right and wrong, and you shouldn't expect them to care about what you think is right and wrong.

Reason number 2 that ethics matter: You get to help decide what's ethical in your community. I won't focus much on this one because it doesn't pertain much to my argument, but I'll say this... If ethics is something interpreted by the people around you, you play a role in deciding that as a group. It's in your best interest to contribute to the development of your community's ethical standards such that they agree with your own.

Are you an 'ethical' hacker?

I've already mentioned how security professionals have terms like 'white hat hacker' and 'black hat hacker.' A white hat hacker is someone who hacks only with permission from the person/entity they're hacking, and generally has good intentions. A black hat hacker hacks without permission and generally has malicious intentions.

But what about the in-between? What about people who hack without permission but with good intentions? (or at least benign intentions...) Most would consider them 'grey hat hackers'. Are they ethical or not?

Well, if you agree that ethics are determined by other people, then you can only consider yourself an ethical hacker if your hacking is acceptable to others. That may differ from your beliefs about what it means to be an 'ethical hacker.' From my conversations with other hackers, it seems to me that most of them consider themselves 'ethical' hackers because they never hack with malicious intention, even if they sometimes hack without permission. However, I want to warn against this kind of thinking. Many hackers who think this way have gotten themselves arrested over the years, and it's caused them a world of hurt.

Stories of grey-hat hackers who got in trouble

Here are some cautionary tales just to drive the point home.

  • Alberto Daniel Hill from Montevideo, Uruguay. He found a weak login page on a medical provider's website and hacked it practically by accident. He notified the medical provider in an effort to help them fix it, but he was later arrested and spent 9 months in prison. Listen to his story in this podcast.
  • Martin Gottesfeld, from Andover, Massachusetts. He hacked a hospital (It's a little hard calling him a grey-hat hacker because that's pretty messed up. But he swears he thought he was doing the right thing.) in protest of the hospital's treatment of a 15-year-old patient. Listen to the story in this podcast.

Conclusion

Are you an ethical hacker?... You don't get to decide.

Only other people can decide that for you.

Since only other people can decide whether you're an ethical hacker, I would say grey-hat hackers should be very careful considering themselves 'ethical hackers.'

If you're interested in hacking, that's awesome! I think it's an incredibly rewarding hobby, and you should totally give it a shot. But if you want my advice... You'll do well to keep your hacking ethical.


Resources for learning ethical hacking

Check out these awesome resources that will help you learn hacking safely and ethically!

There are MANY more, but these are the two that I've used for the most part and I have thoroughly enjoyed them.

Further Reading

If you liked this post, you'll probably like my other post about why ethical hacking skills are important for cybersecurity.