It’s impossible to answer “Is hacking illegal?” with a simple yes/no answer. It depends on various factors, including who you’re targeting, your intentions, whether you’re acting under authorization, and the impact of your action on the target system.
In most jurisdictions, lawmakers and prosecutors try to distinguish between malicious hacking and good-faith security research.
However, merely accessing a computer without authorization can sometimes be classed as illegal - even where no actual harm was caused. So don’t assume that because you think you’re on the side of the good guys, the law will always give you an automatic free pass!
Read on for a better understanding of hacking categories (black hat, white hat, and several shades in-between) and how the law treats different types of hacking activity.
Different Perspectives on Hacking
Before you answer the question, “Is hacking illegal?” another important question needs addressing first. Namely, “What exactly do we mean by hacking?” And, depending on who you’re asking, you tend to get subtly different answers…
What Is the Definition of Hacking?
To understand hacking in its broadest sense, it’s worth going way back to 1955 and the first recorded usage of the term in relation to technology. According to minutes of a Tech Model Railway Club meeting at the Massachusetts Institute of Technology (MIT), students were urged to turn off the power source before “hacking on the electrical system.”
Fast forward to 1963, and the first known published reference to computer hacking appeared in the MIT student magazine, The Tech.
“Many telephone services have been curtailed because of so-called hackers, according to Profess. Carlton Tucker… The hackers have accomplished such things as tying up all the tie-lines between Harvard and MIT, or making long-distance calls by charging them to a local radar installation.
“The method involved connecting the PDP-1 computer to the phone system to search the lines until a dial tone, indicating an outside line, was found… And because of the ‘hacking,’ the majority of the MIT phones are ‘trapped’”.
This ties in with the broad definition of “hack”, summed up by Merriam-Webster as “a usually creatively improvised solution to a computer hardware or programming problem or limitation.”
Cyber security definition
To describe hacking from a cyber perspective, this definition from Kaspersky is fairly typical:
“Hacking is the act of identifying and then exploiting weaknesses in a computer system or network, usually to gain unauthorized access to personal or organizational data. Hacking is not always a malicious activity, but the term has mostly negative connotations due to its association with cyber crime”.
Along similar lines, Fortinet describes a hacker as follows:
“An individual with the computing and networking skills necessary to solve and overcome technical problems. Ethical hackers use their skills to discover security vulnerabilities and help organizations mitigate them, while malicious hackers use theirs to commit cyber crimes.”
Bringing the Definitions Together: What Does ‘Hacking’ Mean?
Based on the general and cyber-specific definitions of the term, it’s useful to sum up hacking as follows:
- It’s about solving a problem, often through improvisation or through sidestepping standard methods or techniques.
- From a cyber-specific perspective, hacking involves gaining access to a device, system, or network in a way that the creator of that entity did not intend (e.g. by bypassing or overriding security measures, or by exploiting a vulnerability). Often, hacking occurs without express authorization or permission from the entity owner.
- In itself, hacking is morally neutral. It can be used for positive ends (e.g. investigative pentesting) or for malicious ones.
The Distinction Between Malicious and Ethical Hackers
To assess the legality of hacking, it’s also important to distinguish between malicious and ethical hacking.
The term “malicious hackers” (aka “black hat” hackers) refers to the bad guys. Their precise motives can vary but are usually focused on personal gain. Their goals can include stealing information in order to exploit it themselves or to sell it, extortion (e.g. through ransomware), or bringing a target organization offline or preventing it from operating (e.g. state-sponsored hackers).
Malicious hackers really don’t care about what level of damage they cause - including collateral damage. What’s more, if it works, they’ll try pretty much any hacking method to achieve their aims. These include (but are not limited to) the following:
- Malware: Viruses, trojans, spyware, and other malicious software - including ransomware - to compromise and control targeted systems.
- DDoS attacks: A Distributed Denial of Service attack disrupts a targeted network or service by flooding it with internet traffic.
- Social engineering: The purpose of a so-called ‘phishing attack’ is to dupe someone (often a target organization’s employee) into doing what the malicious hacker wants. It could be getting them to click on a link that launches a malicious script, or convincing them to hand over credentials or other sensitive information. For some illustrations of how phishing attacks work, check out our Social Engineering Example article. If you are interested in seeing how pentesters can assess an organization’s resilience against phishing attacks, see this guide, Unlock SET: How to Use The Social-Engineer Toolkit Effectively.
On the whole, ethical hackers are the good guys. They’ll put their skills to work by breaking into devices and bypassing security measures. However, they do it not for destructive reasons or personal gain, but rather to investigate the target system, reveal weak points, and enable those system owners to find out how and where to bolster their security measures.
Shades of Ethics: Black, White, Gray, and Red Hats
The world of ethical hacking is often likened to the wild west. There are sheriff-type characters (“white hat” hackers) who do everything by the book. They work on the express instructions and authorization of their target organizations. They employ techniques and processes that are planned, fully accountable, in line with best practice, and will (ideally) never lead to any collateral damage.
Alongside the white hats, there are also more ambiguous characters known as gray hat and red hat hackers. For a deep dive into red hat hacking, check out our guide, What Is a Red Hat Hacker. Here’s a closer look at these distinctions.
As we’ll see, the more you stray into red hat and gray hat territory, the greater the risk of falling foul of the law. This is especially true if you take matters into your own hands and take action without the express permission and authorization of your targets.
Hacking and the Law
Each jurisdiction obviously has its own set of rules dealing with cyber crime. However, no matter where you are based, you’ll tend to find that these frameworks share certain characteristics.
For a start, you’ll almost certainly find that there are no actual references to ‘hacking.’ Put simply, ‘hacking’ is NOT a legal term.
You will, however, almost certainly find plenty of references to “unauthorized use” and “unauthorized access.” Whether or not an offense has been committed often centers around this issue of authorization (more on this later).
You’ll see that the laws themselves are phrased in very broad terms. This is deliberate. If lawmakers decided to compile long lists of activities and scenarios they wanted to prohibit, they would be forever adding to those lists as technology evolves. So, they keep things general.
This means that if you are involved in freelance pentesting or similar work, you should look carefully at the nature and likely consequences of the activities you are involved in, cross-reference it to the rules in place within your jurisdiction, and check that you are on the right side of the law.
Here’s a closer look at the legal frameworks in place in two locations, the United States and the United Kingdom. Along the way, we’ll highlight issues and characteristics that are common to many other jurisdictions.
The United States
The majority of prosecutions relating to hacking in the United States are tried under the Computer Fraud and Abuse Act (CFAA) (full text here).
This is a federal law that dates back to 1986. It was originally devised with the aim of protecting government departments and large enterprises from cyber attacks. With the emergence and evolution of the internet, however, it is now pretty much the go-to statute for protecting all computers in the country - including mobile devices.
The law sets out federal crimes relating to hacking. It can also give rise to civil claims for damages. Businesses often use CFAA to bring private civil suits seeking injunctions or compensation from third-party hackers, competitors involved in industrial espionage, and rogue employees.
Criminal law violations
Key violations under CFAA include the following:
- Accessing a computer to obtain information without permission
- Obtaining national security information (through unauthorized access of a government computer system or website)
- Accessing computers or systems to obtain value or defraud a victim
- Extortion involving computers
The following violations, while not giving rise to criminal prosecution, could nevertheless land you with a civil claim:
- Damaging or deleting computer data belonging to a person or business
- Sending or aiding in the sending of spam
- Procuring or selling passwords or similar information that may be used to access a computer or computer programs that may allow a person to commit identity theft
- Obtaining information from a computer without authorization (i.e. ‘computer trespass’).
Unauthorized access and use
Generally, CFAA prohibits misuse of computers where you have intentionally or knowingly accessed a computer “without authorization.” So if you hack a company without telling them what you’re doing first, you’re clearly lacking that all-important authorization.
Note, however, that this “without authorization” point also covers situations where you have “exceeded authorized access.”
So, let’s say you have agreed with a company to do some freelance pentesting analysis. However, if you decide of your own volition to investigate areas that stray beyond what was agreed (for example, you test a part of the network or a specific host that was out-of-scope), you could be opening yourself up to claims of a violation here.
At the lower end of the scale, trafficking in passwords or accessing information can typically land you with a fine in excess of $5,000 or a prison sentence of one to five years.
Instances of hacking to obtain government information can land you with a prison sentence of up to 10 years under CFAA. However, if the charges are tied to broader violations linked to national security or wire fraud, penalties may be considerably in excess of this.
In most business cases, in order to claim damages through a civil claim, the plaintiff must be able to show that, during any one-year period, they have suffered a loss of at least $5,000 because of the CFAA violation.
So let’s say you hack a company without authorization, purely with the intention of highlighting that company’s security weaknesses. Their core services are interrupted for a period. The company suffers lost revenue. Furthermore, it incurs additional losses in, for example, emergency data restoration and internal investigations. You could, potentially, be in the frame for the cost of all of this.
The United Kingdom
The Computer Misuse Act 1990 (CMA) is the UK’s principal legal defense against hacking and data theft. The full text of the Act is available here.
Computer Misuse Act offenses
CMA sets out five criminal offenses. These are as follows:
Offense 1: Gaining unauthorized access to computer material
This offense arises if a person knowingly uses a computer with an intent to obtain unauthorized access to any data or program stored on a computer.
The person must intend to gain access to any unauthorized data or program - but not necessarily specific data or programs. So speculative access is covered; i.e. gaining access to see if there’s anything interesting or valuable on the system.
Offense 2: Unauthorized access with the intent to commit further offenses
Examples under this section include gaining unauthorized access in order to obtain financial information to use in the secondary crime of theft, or compromising personal information to use in blackmail.
Offense 3: Unauthorized acts with intent to impair
This offense tackles distributed denial of service (DDoS), and similar acts that are intended to impair a computer or system’s ability to function.
Offense 4: Unauthorized acts causing or creating risk of serious damage
“Serious damage” under this offense is defined as: (a) loss of human life; (b) human illness or injury; (c) disruption of a supply of money, food, water, energy or fuel; (d) disruption of a system of communication; (e) disruption of facilities for transport; (f) disruption of services relating to health.
This offense is aimed mostly towards serious threat actors such as cyber terrorists.
Offense 5: Making, supplying or obtaining articles for use in other offenses
This offense covers the creation, distribution, or obtaining of items such as malware packets, password crackers, and other hacking-related tools.
Penalties under CMA include the following:
- Up to two years in prison and/or a £5,000 fine for unauthorized access.
- Up to 10 years in prison and unlimited fines for acquiring unauthorized access to a computer with the intent to steal data or commit fraud or for obtaining/creating/supplying hacking tools.
- Up to life in prison under the “serious damage” offense (where the offense causes or creates a significant risk to human welfare or national security).
The old “set a thief to catch a thief” principle most definitely applies to cyber security. This is why ethical hackers will always have a key role to play within the sector.
Even if you’re as big as Apple, PayPal, or Goldman Sachs with vast internal resources, your constantly evolving IT estate is never going to be free of vulnerabilities. That’s why organizations like these actively invite outsiders - in the form of ethical hackers - to hunt out and discover those vulnerabilities via organized bug bounty programs.
To learn more about the potential of bug bounty hunting, the HackerOne platform is worth exploring.
Purpose of Ethical Hacking
Ethical hacking performs a valuable social function in that it strengthens organizations’ ability to secure their IT estates. It’s essentially a kind of crowdsourced security strategy: inviting external hackers to help find vulnerabilities (in the case of bug bounties) or hiring hackers directly for audits (in the case of penetration tests and red team engagements) increases the chances of fixing problems before malicious hackers can exploit them.
Are there situations where ethical hacking can be considered illegal? The key issue focuses on that all-important A-word: authorization.
Even if you consider yourself on the side of the angels, once you start bypassing someone else’s security measures and delving into their systems without permission, you risk straying into the realms of illegality. With this in mind, focus on the following:
Get the permission of the target organization before you hack. Failure to do so could potentially leave you exposed to criminal penalties. Furthermore, if your unauthorized hack attempt causes business interruption and costs incurred in investigation and rectification, there’s a risk of being hit with a civil claim as well.
Stick to what’s agreed
You’ll want to have written authorization from your target, defining a clear scope of what you can and can’t do. Don’t go straying into parts of the network that haven’t been agreed with your target.
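The scope point above (and the earlier CFAA “exceeded authorized access” discussion) is something tooling can enforce rather than leave to memory. The following is an added example, not code from the original article or from any named project: it parses a small, constructed scope document (the line-based format is an assumption made for this example, not a standard) and refuses any host, port or date that falls outside the written authorization, returning a specific reason so that denials can be logged as part of the engagement record.

```python
"""Engagement scope check (added example, not from the article).

Assumptions: the scope-document format below is invented for this example, and
the tester's tooling calls check_target() before touching any host.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample authorization: documentation/test ranges only.
SAMPLE_SCOPE = """\
client: Example Corp (constructed)
window: 2024-03-01T00:00:00Z / 2024-03-15T23:59:59Z
allow: 203.0.113.0/24
allow: 2001:db8:10::/64
exclude: 203.0.113.7
ports: 22,80,443
"""


@dataclass(frozen=True)
class Authorization:
    client: str
    networks: tuple[IPNetwork, ...]
    excluded: frozenset[IPAddress]
    ports: frozenset[int]          # empty set means "any port"
    not_before: datetime
    not_after: datetime


def parse_time(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; 'Z' is normalised so older Pythons accept it."""
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))


def parse_scope(text: str) -> Authorization:
    """Turn the written authorization into an Authorization record."""
    client, networks, excluded, ports = "", [], set(), set()
    not_before = not_after = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")      # first ':' only, so IPv6 survives
        key, value = key.strip().lower(), value.strip()
        if key == "client":
            client = value
        elif key == "window":
            start, _, end = value.partition("/")
            not_before, not_after = parse_time(start), parse_time(end)
        elif key == "allow":
            networks.append(ipaddress.ip_network(value, strict=False))
        elif key == "exclude":
            excluded.add(ipaddress.ip_address(value))
        elif key == "ports":
            ports.update(int(p) for p in value.split(",") if p.strip())
        else:
            raise ValueError(f"unknown scope key: {key!r}")
    if not (client and networks and not_before and not_after):
        raise ValueError("scope document needs client, window and allow lines")
    return Authorization(client, tuple(networks), frozenset(excluded),
                         frozenset(ports), not_before, not_after)


def check_target(auth: Authorization, host: str, port: int,
                 now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason). Deny reasons are specific so they can be logged."""
    if not (auth.not_before <= now <= auth.not_after):
        return False, "outside authorized engagement window"
    addr = ipaddress.ip_address(host)
    if addr in auth.excluded:                      # exclusions beat allow-lists
        return False, "host explicitly excluded by authorization"
    if not any(addr in net for net in auth.networks):
        return False, "host not in any authorized network"
    if auth.ports and port not in auth.ports:
        return False, f"port {port} not authorized"
    return True, "ok"


def partition_targets(auth: Authorization, targets, now: datetime):
    """Split (host, port) pairs into an allowed list and a denied-with-reason list."""
    allowed, denied = [], []
    for host, port in targets:
        ok, reason = check_target(auth, host, port, now)
        (allowed.append((host, port)) if ok else denied.append((host, port, reason)))
    return allowed, denied


AUTH = parse_scope(SAMPLE_SCOPE)

if __name__ == "__main__":
    now = parse_time("2024-03-05T12:00:00Z")
    candidates = [("203.0.113.10", 443), ("203.0.113.7", 22), ("198.51.100.4", 80),
                  ("203.0.113.10", 8080), ("2001:db8:10::5", 22)]
    ok_list, denied_list = partition_targets(AUTH, candidates, now)
    for h, p in ok_list:
        print(f"ALLOW {h}:{p}")
    for h, p, r in denied_list:
        print(f"DENY  {h}:{p} ({r})")
```

Exclusions are checked before allow-lists on purpose: a client that carves one production host out of an otherwise authorized range expects that carve-out to win. The date window matters as much as the address ranges, since authorization that has lapsed is no authorization at all.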
Follow your target’s reporting procedures
If you find something, report it to the target organization in line with their procedure. Don’t boast about it on hackers’ platforms prematurely (otherwise you could jeopardize your bounty/fee, and you’ll almost certainly be in breach of any NDA you were required to sign).
Illegal hacking - or, more specifically, the type of activity that the authorities deem fit to prosecute - can take many forms.
To see what we mean, here’s a selection of examples, including a clear instance of deliberate sabotage, a case that hinged on the issue of authorization, and a story where the individual in question wasn’t the actual hacker, but still had involvement that was deemed criminal…
A contraction of “lulz” for laughs, and “security”, this hacking group compromised a string of high-profile media organizations…
Swartz was indicted in 2001 after allegedly connecting to an MIT network and downloading a vast cache of academic papers that were actually freely available anyway via the JSTOR service. JSTOR didn’t pursue a complaint, but the DoJ prosecuted anyway…
Keys, a journalist, was sentenced to two years in prison after being convicted for supplying the Anonymous group with login credentials for the Tribune media corporation.
So is hacking illegal?
It all depends on who’s doing it, under what circumstances, and for what reasons.
As a rule, however, if you’re hacking for personal gain and without authorization, then quite clearly, you’re exposing yourself to a significant risk of prosecution.
If you hack under clear parameters that are agreed in advance with the target organization, then this is probably not illegal. Even here, however, you should still tread carefully, particularly around the risk of potential collateral damage in shared environments. If you are testing a client’s cloud environment or shared hosting website, you may need to contact the cloud provider or web hosting service to get clearance.