🎩 Who Gets To Wear The White Hat
There are two kinds of hackers (well, more, but let’s keep this simple): black hat hackers and white hat hackers. Black hats are malicious hackers — think Russian or North Korean state-sponsored hackers looking to destroy infrastructure or steal currency. White hats, on the other hand, claim to be benevolent — people working with companies and institutions to expose weaknesses in their security so that they may be strengthened. Paige Thompson claims to be a white hat hacker. Yet, in a federal trial that began last week, she faces 10 counts of computer fraud, wire fraud, and identity theft for breaching Capital One's database and downloading the personal information of some 100 million users, ultimately costing the company $270 million in multiple settlements.
Ms. Thompson, in addition to her software engineering job at Amazon, ran an online community for programmers. Capital One's user data, which she breached, was hosted on AWS, Amazon's cloud service.
While Ms. Thompson “is accused of violating an anti-hacking law known as the Computer Fraud and Abuse Act,” reports the New York Times, she has pleaded not guilty, claiming her actions were those of a “novice white hat hacker.”
The DOJ, which is prosecuting Thompson, is “interpreting a statute so broadly that it captures conduct that is innocent and as a society, we should be supporting, which is security researchers going out on the internet and trying to make it safer,” Brian Klein, her lawyer, said.
In late May, the DOJ announced that it would no longer prosecute white hat hackers. “The department has never been interested in prosecuting good-faith computer security research as a crime,” stated Deputy Attorney General Lisa O. Monaco, “and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.” The policy took effect immediately and required all federal prosecutors looking to charge a case under the Computer Fraud and Abuse Act (CFAA) “to follow the new policy, and to consult with CCIPS before bringing any charges.”
Even if Ms. Thompson acted with the best of intentions, she did cause millions of dollars in damages to Capital One and illegally downloaded the personal data of millions. Seems the DOJ’s hands are tied here, but this case could prove to be a valuable precedent for future cases.