Is Ethical Hacking Legal in India?
Generally speaking, the word “hacking” carries a negative connotation, but ethical hackers use their skills in a constructive manner to protect organizations from malicious black hat hackers.

Hacking in common parlance is understood as unauthorized access to a computer or network. In most cases, hackers leverage vulnerabilities, including zero-day vulnerabilities, to accomplish an unauthorized intrusion. However, not all hacking is done with mens rea, i.e. bad intention. This is what differentiates ethical hacking from the rest. In this write-up, we shall discuss what ethical hacking is and whether it is legal in India.

Categories of Hackers:
Based on intention, hackers can be broadly divided into three categories, as below:

Category 1: White hat hackers: They are also known as ethical hackers. They use their computer skills to protect and secure systems from malicious elements like black hat hackers. They are generally recruited by firms and governments, and are paid for exposing and rectifying the vulnerabilities found in the system. They break into the system only with prior authorization and are the defenders of the virtual world.

Category 2: Black hat hackers: They are also known as crackers. They have malice in their hearts and hack into an entity for personal gain. They are the evils of the virtual world, who must be defended against.

Category 3: Grey hat hackers: They are ambivalent. They become white hat or black hat hackers as the situation suits them. As such, they are not trustworthy. In most situations they are self-proclaimed ethical hackers.

What is Ethical Hacking?
We read about white hat hackers, grey hats and finally black hats. While black hats intrude into a system with malice and without legitimate prior authorization, white hats are the complete opposite. They are recruited by individuals and corporates for the specific task of ethical hacking, and thus work with prior consent and good intentions.

Black hat hackers aim to cause wrongful loss to the entity being compromised, for example through data breaches. Here, hackers compromise the data stored within the systems of an organization and then either force the entity to pay a ransom or sell the data on underground forums like DarkNet. In a few other cases, hackers simply paste the sensitive personal information so gathered on sites like Pastebin.

On the other hand, ethical hacking is meant to contain the fallout of black hat hacking, and the person recruited for the purpose is called an ethical hacker. In most aspects both are the same, as the underlying principles and fundamentals remain the same. The difference lies in consent and intention.

Hacking can cause irreversible and irreparable loss to an organization. This includes loss of public faith in the institution, legal liability in terms of monetary compensation for data theft (for example under the European Union’s General Data Protection Regulation, GDPR), a fall in share value, loss of customers/users etc.

Ethical hackers, on the other hand, showcase the exploits and vulnerabilities of the systems. This enables security officers to patch the vulnerabilities before black hat hackers exploit them for personal gain. Thus, ethical hackers make the system safer and more secure by addressing the issues in the networks and systems.

Ethical Hacking Decoded Further:
Ethical hacking is the study of the vulnerabilities and weaknesses of a system/network by cyber security experts, with the prior consent of the owner. The study finds and exposes the probable ways to hack the system. If any are found, the person responsible for cyber security patches the vulnerabilities before they can be exploited by black hat hackers.

Thus, ethical hacking is construed as good hacking.

Why is the term Ethical Hacking Contentious?
The term “Ethical Hacking” has been contentious since its inception, mainly because the words ethical and hacking are seen as contradictory. At the end of the day, hacking involves intrusion into a system’s defenses, and therefore has a negative connotation.

Many feel that the term “Ethical Hacking” is hacking in disguise. However, the proponents of Ethical Hacking view it as a defensive form of hacking.

Importance of Ethical Hacking:
In recent times, there has been a massive increase in the number of hacking attempts. Data of even large organizations like Facebook is getting compromised. Any theft of sensitive personal information can put customers at risk, for example from well-crafted phishing campaigns. Similarly, if passwords get stolen in hacking attacks, several of the users’ accounts are put at risk: not only the account created on the website that was breached, but also others, because most users tend to re-use passwords across websites.

Thus, any successful hacking by a black hat hacker can seriously call into question the credibility of the organization. Keeping the interest of users in mind, data privacy laws have evolved in the last few years. Most of these laws penalize the breached company for not protecting the data of its users sufficiently. In times to come, stricter data privacy laws are expected, which may mandate jail or enhanced penalties for data breaches.

For especially severe violations, listed in Article 83(5) of GDPR, the fine framework can be up to 20 million euros, or in the case of an undertaking, up to 4% of its total global turnover of the preceding fiscal year, whichever is higher.

Even for the catalogue of less severe violations in Article 83(4), GDPR sets forth fines of up to 10 million euros, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher.

Not only this, a newer threat vector, ransomware attacks, has unsettled organizations and governments alike. “Ransom malware, or ransomware, is a type of malware that prevents users from accessing their own system or personal files. The attackers demand a ransom, generally in the form of money, in order to regain access to the files.”

These attacks have paralyzed organizations, forcing many of them to the brink of bankruptcy. As per recent studies, on average a ransomware attack inflicts direct damage of Rs 8 crore on an organization. The indirect damages, in terms of opportunity cost, are perhaps much larger.

The continuous cyber attacks have forced entities to employ ethical hackers and deploy robust intrusion detection systems. Studies show that this approach is not only cost effective but also better in terms of outcomes. As such, ethical hacking is rapidly growing into a well-paid profession, whose future seems brighter with every passing day.

History of Ethical Hacking:
The earliest reported ethical hacking was conducted by United States military agencies to test the security of their systems before deploying them on a full-fledged basis. Gradually, as the internet gained worldwide acceptance, both hacking and ethical hacking became buzzwords, and rightly continue to be so.

As the internet exploded in the form of e-commerce, information websites, forums etc. and instances of hacking increased, website owners became increasingly cautious about hacking attempts. This gave birth to the systematic study of vulnerabilities and exploits in their own systems, also known as ethical hacking. Organizations started hiring cyber experts, Chief Information Security Officers etc. who could access their systems with consent, evaluate their security measures and report any vulnerabilities found. Moreover, they also help fix the issues.

Ethical Hacking in India:
It must be borne in mind that hacking is illegal as per Indian law, the Information Technology Act, 2000. The relevant section is reproduced below:

Section 43: Penalty and compensation for damage to computer, computer system, etc: 

If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network – 

  • (a) Accesses or secures access to such computer, computer system or computer network or computer resource
  • (b) Downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium 
  • (c) Introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network 
  • (d) Damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network 
  • (e) Disrupts or causes disruption of any computer, computer system or computer network 
  • (f) Denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means 
  • (g) Provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made there under 
  • (h) Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network 
  • (i) Destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means 
  • (j) steal, conceal, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage

He shall be liable to pay damages by way of compensation to the person so affected. 

Explanation: For the purposes of this section 

  • (i) Computer contaminant means any set of computer instructions that are designed – (a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or (b) by any means to usurp the normal operation of the computer, computer system, or computer network 
  • (ii) Computer data-base means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalised manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network 
  • (iii) Computer virus means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource 
  • (iv) Damage means to destroy, alter, delete, add, modify or rearrange any computer resource by any means. 
  • (v) Computer source code means the listing of programme, computer commands, design and layout and programme analysis of computer resource in any form.

The punishment is provided under Section 66 of the IT Act, 2000, reproduced in toto below:

Section 66: Computer related offences: 

If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.

Explanation: For the purposes of this section – 

  • (a) The word “dishonestly” shall have the meaning assigned to it in section 24 of the Indian Penal Code (45 of 1860) 
  • (b) The word “fraudulently” shall have the meaning assigned to it in section 25 of the Indian Penal Code (45 of 1860).

Now let’s move on to ethical hacking, which is a rapidly evolving profession in India. Several institutions across India provide courses and degrees in ethical hacking. Given its growing popularity and the top-notch institutions providing regular courses in ethical hacking, you might have sensed that it shouldn’t be illegal in India. In reality, ethical hacking has not been explicitly dealt with by Indian law; therefore it enjoys a neutral status under the Indian legal framework.

We will now discuss ethical hacking in light of the principles of Indian criminal jurisprudence, and whether it satisfies the ingredients that constitute a crime.

Two elements essential to constitute a crime are:

  • Mens rea, i.e. a guilty mind, and
  • Actus reus, i.e. the physical act

In ethical hacking, the first ingredient, i.e. mens rea (bad intention), is missing. Therefore, it is not a crime. Note also that Section 43 quoted above applies only to acts done “without permission of the owner or any other person who is in charge” of the system, which is why an ethical hacker works strictly within the prior authorization given by the owner.

Their Growing Demand in India:
India stands at second position in terms of the number of targeted cyber attacks, as per cyber security firm Symantec. Therefore, for websites, including e-commerce sites, to function properly, ethical hacking is the need of the hour. As long as the underlying motive is benign, namely to protect the system from black hat hackers, it is definitely legal and in fact should be promoted. Given its current necessity and importance, an ecosystem should be created to give a boost to ethical hacking.

Ethical Hacking as a Profession:
Cyber attacks, especially data theft and ransomware, threaten to nullify the gains of the virtual world. Therefore, cyber security has rapidly emerged as a new profession. In fact, cyber security is one of the most highly paid career options for tech-savvy individuals.

Ethical hackers are nowadays recruited not only by organizations and corporates, but also by governments.

The possible career options in cyber security domain include:

  • Computer software engineer
  • Database administrator
  • Network system and web administrator
  • Cyber Security Architect
  • Information Security Lead
  • Network Security
  • Compliance and Auditing
  • Cryptographer/ Crypto-analyst
  • Security Consultant 
  • Vulnerability Researcher 
  • Web/ Mobile App Pen-tester 
  • Specialized Pen-tester
  • Red Teams
  • Information Security Crime Investigator/ Forensic Experts
  • Ethical hacker

In fact, this sector is expanding so rapidly that it is near impossible to list all the career options! The biggest employers of cyber professionals are:

  • Technology
  • Banking
  • Insurance
  • Retail 
  • Media

Recently, various posts have been created in the government sector as well, including in e-governance, e-learning, DRDO and CERT-IN, as forensic experts, specialised pen-testers, cyber security architects, database administrators etc. So, government jobs are also being created in this field in large numbers. With the explosion of the virtual world, job creation in this sector is an inevitable phenomenon.

How to Become an Ethical Hacker?
To become an ethical hacker, the first and foremost requirement is a love for networking and coding. Basic requirements include knowledge of programming languages like Python, C++, C, Ruby, PHP etc. Besides this, you should have good knowledge of operating systems like Linux and Windows. Linux is the favourite tool of pen-testers.

There is a vast amount of literature freely available on the internet on securing the world from such attacks. We recommend the website https://www.owasp.org/index.php/Main_Page for more information. This site is considered the gold standard on hacking among the thousands of websites on hacking freely available on the internet.

Additionally, you must have conceptual clarity about the following beforehand to firmly grasp the subject:

  • Verbs
  • Headers 
  • Response Codes / Error Codes
  • Ports etc

Conclusion:
Ethical hacking has not been dealt with explicitly by Indian law. However, based on the basic fundamentals of criminal jurisprudence in India, it can safely be said to be legal. The foremost reason is the lack of mens rea. Therefore, ethical hacking is not illegal in India.