Henk Krol does not fit the stereotype of a computer hacker. He's not even that good with technology.
But Mr. Krol is facing criminal charges of "digital trespassing" in the Netherlands, thanks to his efforts to bring to light a security hole in a medical research center website. That act has put him squarely amid a Dutch debate over whether to protect "ethical hackers": hackers who act to find and report security holes to server owners.
Krol is expected in court on February 1, he announced yesterday via a tweet of his summons. But the accusations stem from last year, when a party member told him about a login to a medical research center's website that was going around on the Internet. The password was the same combination of five characters as the username.
“I was able to see medical records, with information like whether someone was HIV-positive. I was shocked to find it was so easy to access these data,” Krol says. “I called the research center, but they said I had to make a written report first.”
Sensing a lack of urgency, Krol called a local journalist. After his report was broadcast in the media, the medical center pressed charges. It also demanded compensation.
Although until recently he was unaware the term existed, Krol has been branded an ethical hacker. Ethical hackers, or "white-hat hackers," access computer systems with good intentions, for example to show that there is a security breach. However, under the current Dutch law, a company or an organization can still file a complaint against such hackers, good intentions notwithstanding.
This month the Dutch government explicitly acknowledged the importance of ethical hacking for the first time. A new non-binding directive, written by the cybersecurity department of the Dutch Ministry of Justice, lays out a new set of rules. Companies and organizations can adopt these rules as a kind of terms of service for ethical hackers. If the hacker promises to inform the organization that has a badly secured website and not to do any damage, the company says it will not press charges.
“We have tried to provide clarity for the different parties involved,” says Wil van Gemert, director of cybersecurity at the Ministry of Justice, who is responsible for the directive. “We call on companies to adopt this directive and make transparent policy on ethical hacking.”
But some say that the directive is too non-committal. “The directive has symbolic value, but is not worth much legally,” says Juerd Waalboer, co-founder of a website that allows hackers to report security leaks anonymously.
“The government clearly states that there is such a thing as ethical hacking and that it has a useful function in society.” But Mr. Waalboer points out that even if an ethical hacker adheres to the directive, a company still has the option of pressing charges. “If you really want to protect ethical hackers, then the law needs to change.”
Astrid Oosenbrug, member of parliament for the Labor party, says the directive is “a good first step,” but adds that more protection is needed for the hacker. “If I report a security breach but it leads to being summoned by a court, then the next time I would not report the breach, and that would be more dangerous,” Ms. Oosenbrug says.
“We do not want to oblige companies to refrain from filing a complaint,” says Mr. van Gemert, adding that there will always be cases in which a complaint is necessary – in part because it is not always immediately clear whether someone is an ethical hacker or not.
The European Parliament has legislation under consideration that would make cyber attacks a criminal offense, but would give an exemption to cases “when the damage caused by the offense is insignificant.” However, due to a political dispute with the European Council, voting on these rules has been delayed.
Even if the Netherlands or Europe pass such laws, Krol will not benefit from them. But he hopes the court will keep an open mind. "I'll be interested in hearing what the judges have to say," he says.