This article is written by Lokesh Vyas, a student of Institute of Law, Nirma University, and Ayushi Kumari. In this article, the authors discuss the issue of ethical hacking and its legality in India. It also briefly discusses the provisions dealing with hacking and the scope of this profession in the current scenario.
Introduction
In the era of computers, our life oscillates between cyber threats and cybersecurity. Hacking is the sour reality of this era, wherein an unauthorized person enters a computer or a network by using his computer knowledge and skills. It is done to cause wrongful loss to others, and the person who indulges in such activity is called a hacker, black hat hacker or cracker. As diamond cuts diamond, ethical hacking is a pre-emptive action against hacking, and the person who performs it is called an ethical hacker. Theoretically, both are the same because the underlying principle in both is to intrude upon the computer data of another, but the difference lies in the intention and permission. Black hat hackers intrude with bad intention and without permission, whereas white hat hackers work with authorization and good intention. On the one hand, a hacker modifies or alters computer software and hardware to achieve a goal which is considered to be against the creator’s original objective; on the other hand, ethical hacking is the act of locating weaknesses and vulnerabilities of computer and information systems by duplicating the intent and actions of malicious hackers.
The way we have moved towards the internet, and the way the internet has surpassed almost everything to be regarded as the ‘most important’ thing, is enthralling but certainly not unexpected. The role social media is playing today is overwhelming. We get updates from around the world within minutes. However, the internet in return is keeping a myriad of our data with it, and this data is vulnerable to being misused by a person, a group of people or an organization. For people with malicious intent, there are numerous ways of stealing someone’s data in the online world, for example phishing, UI address, virus, cookie theft, denial of service (DoS), etc. This act of stealing someone’s online data is known as hacking. However, not all hacking activity is done with malicious intent or with grudges. There is hacking that is done with due permission and to avoid or mitigate the dangers of being the victim of online harassment.
Conceptual understanding
Ethical hacking is a branch of study where computer security experts (ethical hackers/white hat hackers) find the vulnerabilities and weaknesses of a system with the permission of the owner of the system, who is responsible for fixing the vulnerability. So it can be called good hacking, which finds out any probable way to hack the system and fixes it before it is hacked by black hat hackers. It is also understood as a preemptive action by the original owner of the system.
The term “ethical hacking” has always been contentious. Many people question the existence of this term because the two words, ethical and hacking, are themselves contradictory. At the end of the day, hacking is an unauthorized intrusion, which carries a negative connotation and is never considered an ethical thing to do; therefore the term is always questioned. Ethical hacking is also known as penetration testing, intrusion testing, or red teaming, but it is not limited to penetration testing. If hacking is offensive, ethical hacking is defensive.
White hat hackers are normal computer hackers who possess expertise in computer security research, work independently or with other researchers. Nowadays ethical hacking has become a profession. These people ensure the security of an organization’s information systems.
History of ethical hacking
The first instance of hacking took place around 1960 at MIT, which gave birth to the word hacker. By the end of 1980, the internet had been acknowledged by the market. People had started utilizing the internet for their business, and internet-based businesses were also coming up with advertisements, e-commerce etc. At this time people were also worried about hackers, because if a system is hacked the organization may lose control of private and personal information regarding its employees, the organization itself, and its clients. So it was the time when people felt the need for an ethical hacker and thought of hiring a computer expert who could hack their system with their permission but, instead of damaging the system, would evaluate the system security and report the vulnerabilities found. Moreover, they would provide instructions for remedying them. Ethical hacking is also known as penetration testing. Initial ethical hacks were conducted by the United States Military to evaluate their operating systems to determine whether they should employ a two-level (secret/top secret) classification system.
Guidelines for ethical hackers
In order to hack lawfully, ethical hackers must adhere to a set of rules. A good hacker is aware of his or her responsibilities and follows all ethical norms. The following are the most essential ethical hacking rules:
- The organisation that owns the system must give permission to an ethical hacker. Before executing any security audit on the system or network, hackers should get complete authorisation.
- Determine the scope of their assessment and inform the organisation of their plan.
- Any security flaws or vulnerabilities discovered in the system or network should be reported.
- Ethical hackers should agree to and respect their non-disclosure agreement because their goal is to secure the system or network.
- After evaluating the system for vulnerabilities, delete any evidence of the attack. This stops malevolent hackers from exploiting the system’s vulnerabilities.
Ethical hacking in India
Before going into the legality of ethical hacking, we have to keep in mind that hacking and ethical hacking are different. Hacking is a wrongful act under the Indian legal system. Although ethical hacking is not so prevalent in India, it is an evolving profession. There are various institutes and colleges in different cities of India which offer courses in ethical hacking. India emerged as the third most vulnerable country in terms of risk of cyber threats, such as malware, spam, and ransomware, in 2017, moving up one place over the previous year, according to a report by security solutions provider Symantec.
Although Indian laws do not specifically deal with ethical hacking, hacking is a punishable offense in India. The act of hacking contravenes the underlying principles of the Indian legal system. The subject of ethical hacking has not been dealt with explicitly in Indian laws; therefore, it enjoys a neutral status under the Indian legal system.
Constitutional argument
As per constitutional principles hacking interferes with Article 21 which deals with the right to life and personal liberty which includes right to live with dignity. Moreover, the act of hacking also infringes the right to privacy of an individual which is a fundamental right now. By intruding upon the system, black hats invade the private information of a person or organization whereas ethical hacking ensures that such things do not happen. Thus ethical hacking is legal as it stands true on constitutional parameters.
Not a crime
Two elements are required for the constitution of a crime and these two elements are
1.) mens rea i.e. bad intention
2.) actus reus i.e. physical act.
In ethical hacking, the first and the basic ingredient i.e. mens rea itself is missing, therefore, the question of it being a crime does not arise. Moreover, ethical hacking is done in order to prevent hacking, therefore, it is necessary.
Trespass
Trespass is mainly divided into 2 sections namely
- Trespass to the person, and
- Trespass to property.
For this article, only trespass to property is relevant. The general definition of trespass states that it is an unauthorized intrusion upon the property of another without the permission of the true owner. Trespass is a wrong under both branches of law, i.e. civil law and criminal law. In civil law, the intention is irrelevant, whereas in criminal law intention is essential.
The wrong of trespass is the only offense which is often attributed to ethical hacking but it is actually applicable to the act of hacking and not ethical hacking.
Civil law
Under civil law, trespass means entering the property of another without the permission of the owner. It is a part of the Law of Torts, which is an uncodified law based on case law. As the law of torts only covers tangible property, it will be applicable neither to hacking nor to ethical hacking. In furtherance of the same, ethical hacking does not invoke any liability because it is done with the permission of the owner, so the question of it being a civil wrong will never arise.
Criminal law
Under Indian criminal law, trespass is defined under section 441 of the Indian Penal Code (IPC), 1860 with a very wide scope. In short, it defines trespass as entering upon the property of another with malice or with the intention to cause some harm or to intimidate the owner of the concerned property. Here, it is not specified what kind of property is needed to constitute the crime of trespass.
Trespass is a wrong against property, which is of two types
1.) tangible
2.) intangible.
Hacking is trespass to a computer system, which is an intangible property. Physical intrusion and physical harm are not always important to determine the liability for trespass. Nowadays computer systems, software and websites are all construed as property. Expressions like homepage, visiting a website, domain or traveling to a site etc. are used in the internet world, which suggests that websites are property. Therefore any kind of unauthorized intrusion on them with bad intention can come under the purview of criminal trespass. All the essentials, such as intent to commit an offense or to intimidate, insult or annoy, are absent in the act of ethical hacking; therefore, it is legal and doesn’t invoke any liability.
Information Technology Act, 2000
The Information Technology (IT) Act, 2000 is a watershed moment in the Indian legal system and a landmark in the cyber law arena. If we look at the provisions of the IT Act carefully, we can deduce that it covers almost all the wrongs that emerge from hacking, because hacking is a very wide offence which covers a lot of other offenses, e.g. a person who hacks the system of another person can leak the private information of the owner, it can also be used to extort money, a black hat hacker can also use the information to enrich himself etc.
Chapter XI, Section 66 of the IT Act, 2000 deals particularly with the act of hacking. Section 66(1) defines hacking as any person dishonestly or fraudulently doing any act referred to in Section 43, and Section 66(2) prescribes the punishment for it. Hacking is a punishable offense in India with imprisonment up to 3 years, or with fine up to two lakh rupees, or with both.
Chapter IX, Section 43 of the IT Act, 2000 prescribes a penalty for damage to a computer or computer system. It is a common thing which happens whenever a computer system is hacked. Black hats damage the system that they hack and steal the information. This enumerative provision includes a lot of activities.
Chapter XI, Section 65 of the said Act makes tampering with computer source documents an offense. Section 72 of the same chapter makes the breach of confidentiality and privacy a punishable offense. This is the most common aftermath of hacking.
All the above-mentioned provisions require mala fide, i.e. intention to cause harm, which is absent in ethical hacking; therefore ethical hacking is not illegal in India.
The need of the hour
India is ranked third among the countries facing the highest number of cyber threats, as per security software firm Symantec. The same research also ranked India second in terms of targeted attacks. Keeping this data in mind, it is unjustified to ignore the necessity and importance of ethical hacking in the current legal scenario. It is a legal way of hacking a networking system and has to work under some rules. As long as the governing rules are complied with, the act is justified. Furthermore, ethical hacking includes the permission of the owner of the system and is done in compliance with the law, which again strengthens the legality of ethical hacking.
On the one side, a black hat can break in the system and use the points of entry to promote illegal activity, on the other hand a white hat enters into a computer system with the prior permission of the owner to find the points of entry which may be used by black hats to promote illegal activity. Therefore white hats obstruct the invasion of black hats and ensure safety.
The era we live in is the era of the internet; a computer system is home to infinite information and accounts, so the threat is omnipresent. As a result of this mass storage of information, our computer systems need to be updated in a timely manner and the required action should be taken to prevent black hats from gaining such data. Therefore ethical hacking is legal.
Ethical hacking as a profession
Cyber security and networking are booming industries of the world today. Every country in the world seeks efficient utilization of the Internet. Companies use the Internet to run themselves and manage their activities. Internet utilization has eased the work of such entities but at the same time, it also poses a threat to them. Thus ethical hacking is altogether a new profession in itself and it is growing day by day. The dream of the digitized country further strengthens the need for ethical hacking in India because it seeks utmost utilization of the Internet.
We need to understand that cyber-security is a process and not a product, and there is no server or cyber system which is beyond hacking. Everything on the internet can be hacked, depending upon the expertise of the hacker and the effort given. White hats work with the government and private firms to test their networks for vulnerabilities, loopholes, and bugs to stop an actual black hat from encroaching upon the network.
The profession of Ethical Hacking can be of two types, namely:
- Ethical hackers are hired by companies to hack their own respective company
In the age of information, the most dangerous thing is the information itself. It is in your favor as long as you possess it, but as soon as it escapes and reaches the wrong hands it overshadows any other dangerous thing. In such a scenario, big companies face the biggest cyber security threats from their competitors. They always live under the threat of their system being hacked. All the information pertaining to their business is stored on the server which, if hacked, can ramshackle the business. Ethical hackers are euphemistically called cyber security experts. The profession of ethical hacking is not limited to IT companies; other companies also hire ethical hackers now. Wipro, Infosys, IBM, TCS, Tech Mahindra, HCL, Airtel and Reliance are some examples of the companies which are known as ethical hacker recruiters.
- When ethical hackers are hired by government as cyber security experts
Nowadays governments of different countries are facing problems with respect to their cyber security. Although the Government of India does not offer the job of ethical hacker in any of its departments, cyber security experts are employed in various government departments for cyber-related work.
Moreover, various government agencies and wings of the military and law enforcement, defense organizations, forensic laboratories, detective companies, and investigative services need ethical hackers. Investigative agencies like the Central Bureau of Investigation (CBI), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) employ cyber security experts but don’t divulge their information in public.
Some of the government departments where government recruits cyber security experts are Department of Electronics and Information Technology and under which there is ICERT (Indian Computer Emergency Response Team), Intelligence Bureau, Ministry of Communications & Information Technology, Department of Telecom, National Technical Research Organisation, Defence Research and Development Organisation, Army etc. This is not an exhaustive list and nowadays other departments of government also need computer experts. There are proper written exams and interviews for such jobs.
Ethical hackers as helping hands
Ethical hackers assisting Gurgaon police
A cybercrime case including defamation and harassment was filed in August 2016 after a 24-year-old lady filed a complaint with the Gurgaon police alleging that the accused hacked into her Facebook account and sent offensive remarks to her friends. According to the complaint, he also publicly defamed her by posting digitally altered (photoshopped) pictures. The cyber cell was assigned to investigate the case.
Members of an ethical hacking organisation that had interned with the police department assisted the cyber cell. The cops were assisted by a group of engineering students from a private institution in cracking her laptop password. The laptop had been formatted and all files were removed, according to the investigating officers and ethical hackers. The ethical hackers, on the other hand, used a specialised set of tools and software to recover the data, proving that the woman’s allegations were correct. Also, the accused later on confessed that he did alter her photos out of rage.
Bank fraud case
A woman stated that her account had been fraudulently accessed and an amount of Rs 5 lakh withdrawn in another case that was solved with the help of a group of ethical hackers. Working together, the cyber cell and hackers discovered that the complainant’s phone had a malicious application installed that allowed the crooks to access her banking information. It was discovered that the software on her phone had access to her private communications and that messages from her bank alerting her to fraudulent activities were immediately deleted. The bank was also ordered to give all of the devices that were used to make transactions from the victim’s accounts with their IP addresses. However, the police were eventually able to apprehend the perpetrators after locating one of the suspects in a cyber café in Gurgaon.
In the UK
According to the Office for National Statistics, cybercrime is recorded every 10 minutes in the United Kingdom. It may be impossible to prosecute cyber criminals effectively since their technology surpasses traditional law enforcement. A traditional police force nowadays may find it difficult to combat cybercrime all alone. That is why, around the country, police officers are undergoing specialised cybersecurity training. They’re evolving into ethical hackers.
At crime scenes, devices are frequently discovered and must be handled swiftly by frontline officers. Critical evidence is lost as it gets stuck for months in a lengthy evidence procedure, due to a lack of expertise required to examine and triage these devices.
Speed is crucial for front-line cops investigating cybercrime or any other crime scene involving digital devices. A computer loses data saved in its memory cache every second it is left unattended. This cache could contain activity logs and internet history, which could be significant evidence in criminal prosecution.
Law enforcement in the United Kingdom is learning cybersecurity skills on courses that integrate well-known cybersecurity credentials. Every week, police officers from throughout the UK travel to training centres across the country to receive cutting-edge cybersecurity training from veterans who are normally in charge of educating ‘ethical hackers’ and ‘penetration testers’ all over the world.
From hacking to encryption and cryptography, the training covers all areas of information security. In addition, police learn about the whole hacking lifecycle, from data collection to track-covering. Even recognised cyber security certificates, such as the Certified Ethical Hacker, are part of their curriculum.
What do you need to become an ethical hacker?
To become an ethical hacker, the first thing you need is a love for computers. Your passion and creativity make you different from other computer experts. The more one knows about the computer, the better cyber security expert he can become. In India, there are a lot of institutes which provide courses for ethical hacking.
Basic requirement
The first and foremost requirement for becoming an ethical hacker is a strong foundation in Computer Science or Information Technology, for which people opt for B.Tech or B.Sc. It is the first requirement of ethical hacking and needs to be fulfilled before taking specialized courses in Internet Security. Knowledge of programming languages like C, C++, Python, Ruby etc. is a prerequisite for this profession. A good understanding of operating systems like Windows, Linux and Firefox etc. is also an important part of the ethical hacking profession.
Specialized courses
Following are some of the courses which are opted for when choosing ethical hacking as a profession:
- Certificate course in Ethical Hacking
- PG Diploma in Information Security and System Administration
- M.Sc in Cyber Forensics and Information Security
- M.Tech in Cyber Security and Information Security
- Certificate Course in Cyber Laws
- Post Graduate Diploma in Cyber Laws
- Post Graduate Diploma in Digital and Cyber Forensics and Related Laws
- Advance Diploma in Ethical Hacking
- Certificate in Information Security and Ethical Hacking
- Certified Information System Security Professional (CISSP)
- CCNA Certification
- Post Graduate Diploma in IT Security
These are available both online and offline. The vital point to note in all the above courses is the availability of the certificate. Without a valid certificate, a person cannot become an ethical hacker, because legality is the first and foremost principle of this profession.
Prominent institutes for Ethical Hacking
- Institute of Information Security, Mumbai, Chandigarh
- Ethical Hacking Training Institute, New Delhi
- Ankit Fadia Training Center, Delhi, Bihar, Chhattisgarh, Tamil Nadu, Jharkhand, Punjab, Tripura, Rajasthan, Andhra Pradesh
- National Institute of Electronics and Information Technology, Calicut
- University of Madras, Madras
- Indian Institute of Information Technology (IIIT), Allahabad
- SRM University, Tamil Nadu
- IMT, Ghaziabad
- Tech Defence, Ahmedabad, Delhi
- Amrita School of Engineering, Coimbatore
- School of Vocational Education and Training, Indira Gandhi National Open University (IGNOU)
- Indian School of Ethical Hacking, Kolkata
Important Examinations
Many colleges conduct their own exams for these courses, whereas other colleges and institutes have their own criteria for admission to these courses. Besides this, the Graduate Aptitude Test in Engineering (GATE) is the most common entrance examination used for admission to Masters courses on Information Security such as M.Tech and M.Sc.
Conclusion
The act of ethical hacking is not defined in any Indian law. Its legality can only be ascertained after having a conceptual understanding of the laws that govern hacking. Ethical hacking lacks mens rea, which is the prime reason for making any act an illegal act. This is one of the reasons why ethical hacking is not illegal in India. After testing ethical hacking against the parameters of both civil law and criminal law, it can be concluded that ethical hacking is legal in India.
Hey,
This article on whether ethical hacking is legal is a great read, thanks for putting it together. In fact, I find your thoughts on criminal law very interesting.
I’m happy I found another amazing cyber security blogger.
More grease to your elbow… 🙂
Very insightful Post!
Looking forward to more such posts.
Thanks for this information. It’s really helpful.