from the ethical-hacking-or-not dept
A few folks sent over this story of Dutch Member of Parliament (MP) Henk Krol being fined about $1,000 for “hacking.” He claims that he was just exposing poor security on the part of a Dutch medical laboratory called “Diagnostics for You,” which he felt was especially important since there are stricter privacy rules for medical info. Of course, “hacking” is used loosely here: basically, a patient overheard an employee at Diagnostics for You reveal the system password while he was in the lobby, and that patient passed the password along to Krol. So, the “flaw” could be as simple as a stupid employee revealing their password out loud (though, you could argue that a system like that should require two-factor authentication or some other more advanced security than a simple password).
Either way, the court recognized that Krol’s intentions may have been in the right place, but faulted him for viewing and printing “more files than necessary” to make his point — and also for going to the press with his findings at around the same time he notified the laboratory. The court said simply finding the flaw and even downloading some records to prove it to the lab would have been fine, but that he went too far (even if he carefully redacted personal info). And then going to the press immediately when the problem seemed to be more a case of a bad employee revealing their password, just seemed like too much. As the court noted: “the problem was not so acute that immediate use of media was necessary.”
Of course, this kind of thing is often a struggle when it comes to security hacking. Different people have different opinions on whether or not it’s appropriate to go to the press, and also how much information to access. But it seems to be handled on a case by case basis, rather than with clear rules. There are some norms among security researchers — and that tends to include giving a company some period of time to fix things — but this remains an area of the law that is sometimes a bit fuzzy. You want companies to respond quickly to security flaws, and sometimes going to the press ensures getting a real response faster. But, it also seems less likely to cause significant damage if you contact them first.
Perhaps MP Krol can now try to pass some legislation with standards on how to handle security breaches found without having them turn into legal cases against the researchers.