The Not-So-White Hat Hacker

A professor found guilty of hacking into a computer system left open a question about the legality of “white-hat” hackers.

In 香港特別行政區 訴 馮建雄 [2024] HKCFI 504, a man was convicted of accessing a computer with dishonest intent, Hong Kong's classic cybercrime offence under s 161 of the Crimes Ordinance (Cap 200).

It transpired that a local university professor upgraded his account in the University Grants Committee (UGC) computer system, gaining administrative privileges. He then altered the records of an external reviewer, reset the passwords of 12 other accounts, and downloaded others' research proposals.

Interestingly, the central defence theme was that the professor had tested UGC's system, discovered a security loophole, and intended to inform UGC later. In other words, this was presented as a classic case of "white-hat hacking" in contrast to "black-hat hacking", names originating from old westerns.

white hat noun 

a hacker (= a person who gets into computer systems without permission) who has morally good reasons for doing this

black hat noun

a hacker … who does this for criminal or bad reasons

Cambridge Advanced Learner’s Dictionary & Thesaurus

Just like in the movies of the Wild West, White Hat hackers are considered the good guys. They work with companies to improve their client’s security posture at either the system or the network level, or finding vulnerabilities and exploits that could be used by a malicious or unauthorized user. The hope is that once a vulnerability or exploit is discovered by a White Hat, the company will mitigate the risk.

Thomas Wilhelm, Professional Penetration Testing (Second Edition), 2013

Ultimately, the court rejected the Defendant's claim, concluding that he had a dishonest intent to gain for himself by accessing others' proposals. The court therefore did not come to a conclusion as to the legality of such "white-hat hacking," which is unfortunate, as the point has never been decided by a Hong Kong court. The white hat is still left up in the air. However, arguably, "white hat hackers" may not have the requisite dishonest intent, and thus this may be a valid defence.

Notably, the Crown Prosecution Service of England and Wales recognises “white hats” and “black hats” in their prosecution guidance for cybercrime:

Hacker

An individual skilled with computer systems and software, who pushes the limits of software or hardware. Some hackers originate good ideas and share their thoughts to make computing more efficient (white hats). However, some intentionally use their expertise for malicious ends, (black hats).

Coincidentally, “white hat hacking” has recently been brought into the spotlight of law reform. In July 2021, the Law Reform Commission of Hong Kong published a consultation paper on “Cyber-Dependent Crimes and Jurisdictional Issues”.

The consultation paper contains a detailed analysis of the issue under the heading "Unauthorised access for cybersecurity purposes" at paras 2.110-2.112. It also recognises that "white hat hacking" may serve benevolent purposes, for example:

During the WannaCry incident in 2017, some cybersecurity experts[100] ran tests and warned computer users if their computer required patching to guard against infection. Those experts' work apparently benefitted society.

[100] WannaCry was a piece of ransomware that would scan for computers with an unpatched Microsoft Windows vulnerability over the internet and attempt to infect them. Many computer users across the world, including Hong Kong, were affected…

While the LRC has yet to reach a conclusion, the consultation paper also highlighted whether “cybersecurity professionals” should have a defence or exemption, raising questions about their identification and accreditation. The LRC recognised that no accrediting or professional body is regarded as the sole cybersecurity authority. At the same time, many in the field are not accredited despite having significant hands-on experience in cybersecurity.

This is a dilemma for the LRC due to the IT industry’s landscape. Many renowned tech companies started with their founders in garages. Unlike many other professions, many programmers, system administrators, and cybersecurity experts are self-taught. Trying to impose an accreditation regime could be a fundamental disruption to the industry, with unforeseeable consequences.

The future of "white hat hacking" remains up in the air. However, as the law currently stands, it may still be a valid defence.

Gordon Chan, Esq

Barrister-at-law, Archbold Hong Kong Editor on Public Health, and Member of the Bar Association's Committee on Criminal Law and Procedure. Specialised in medical, technology and criminal law.

Andy Chung

Business Administration and Law Student at the University of Hong Kong
