2023-07-03 09:08:23
The Federal Data Protection and Transparency Commissioner (FDPIC) has addressed ethical hackers. In a document, it explains what they must take care of so as not to come into conflict with data protection law.
When ethical hackers attack computer systems, they have only good intentions. Sometimes, however, white hat hackers, as they are also known, break local laws in the course of their activities.
The Federal Data Protection and Transparency Commissioner (FDPIC) has looked into the activities of these ethical hackers. The result is an information sheet with proposals for action, through which the authority wishes to “raise awareness of the nature of their activities with regard to the legal framework in which they operate, in particular from the point of view of the protection of data”.
Supplement to NCSC Rules
The FDPIC specifies in its information sheet that it does not wish to evaluate the activities of white hat hackers. It also specifies that the document is intended exclusively for people who “work to detect faults with a benevolent perspective” but who act “outside any framework and without the knowledge of the operator of the system”. Activist hacking, for example blocking a website for protest purposes, does not fall within this definition, nor does hacking into a system to extract data for personal gain. Hackers who act with the consent of the system operator are likewise not covered by the information sheet.
The FDPIC then recalls the reporting platform set up by the National Cybersecurity Center (NCSC) for the coordinated disclosure of vulnerabilities (Coordinated Vulnerability Disclosure, CVD) and points out that the framework conditions and rules listed there should be considered a supplement to its information sheet.
Principles and risks
In the part devoted to the legal situation, the Commissioner notes that ethical hackers process data within the meaning of the new data protection law as soon as they consult, download or save personal data through a security vulnerability. If they do not respect certain principles during that processing, “they must be aware that the processing carried out is a priori unlawful”. The principles in question are in particular lawfulness, good faith, purpose limitation and proportionality. Passing on the data exposed by the vulnerability, or communicating the vulnerability itself to anyone other than the supervisory authorities, violates these principles, the authority specifies. Communicating it to the media before the vulnerability is closed is likewise incompatible with these principles.
Where these principles are violated, system operators or affected persons can assert civil-law claims. In addition, white hat hackers sometimes expose themselves to criminal liability. The FDPIC specifies, however, that if a hacker adopts the behaviour of an ideal ethical hacker and strives to respect the principles of data protection, “it can be assumed that there will however be no real interest in acting in justice”.
It is also “not mandatory”, according to the information sheet, for ethical hackers to inform the FDPIC of their findings (the LPD does not provide for this). Under the new data protection law, on the other hand, it is the data protection officer of the attacked company who is obliged to make a report, at least “when a breach leads to a high risk for the persons concerned”.