Why You May Be A Victim Of Data Hacking And Not Even Know It

The verdict of one court case will determine if hacking personally identifiable information will become legal for some individuals.

By Kristi Eckert

In recent years, many of the privacy pitfalls innate to technology have continued to be exposed. Social media conglomerates like Facebook have been outed for unethical privacy practices relating to user data. Tech giants like Amazon have also been exposed for their questionable privacy-busting ploys. In response to these harrowing exposures, lawmakers and regulators have been clamoring to catch up and institute policies that better safeguard users. One law that was put in place to protect individuals’ data from being hacked is known as the Computer Fraud and Abuse Act. This act essentially makes it illegal for any individual or entity to download swaths of personally identifiable information. This is certainly helpful in preventing ill-intentioned individuals from hacking systems to acquire people’s personal information. However, according to The New York Times, that may change pending the outcome of one case.

The case in question involves actions taken by former software engineer and white-hat hacker Paige Thompson. Essentially, a white-hat hacker is an individual who intentionally goes looking for vulnerabilities in systems so that companies can better safeguard against them. These people hack for the purpose of good. Back in 2019, Thompson downloaded a hoard of Capital One customer data belonging to more than 100 million people. The data included extremely sensitive information like social security and bank account numbers. The nature and sensitivity of the information that Thompson purposefully downloaded, unbeknownst to Capital One or its customers, has prompted legal prosecution. Simply put, Thompson is facing charges in court because she knowingly put over 100 million people’s personal information at risk.

On the surface, Thompson’s actions were undoubtedly wrong. Millions of people had no idea that their extremely sensitive personal information was in the hands of a complete stranger. That being said, Thompson’s lawyers are arguing that her intent was not to mishandle or misuse any of that information. She was merely trying to exploit Capital One’s system for vulnerabilities in order to then help the bank. They argue that, unfortunately, she went about it the wrong way and made a “novice white-hat hacker” mistake. Thompson’s lawyer also pointed to the broad nature of the Computer Fraud and Abuse Act, arguing that it needs to be more clearly defined so that people like Thompson don’t end up getting caught in its web.

On the flip side, the prosecution is arguing that even if she didn’t intend to do anything malicious with the information that she acquired, her actions were far from altruistic. Nicholas W. Brown, the U.S. attorney for the Western District of Washington, disclosed in his legal filing against Thompson that her underlying motivation was monetary and reputational gain. He argued that the fact that she would be helping Capital One was a tertiary motivator at best. “Even if her actions could be broadly characterized as ‘research,’ she did not act in good faith. She was motivated both to make money and to gain notoriety in the hacking community and beyond,” wrote Brown in the legal filing obtained by The New York Times.

Moreover, others in agreement with Brown have asserted that Thompson’s actions went beyond what a white-hat hacker would typically do, citing that she probed too deeply into Capital One’s systems. “Legitimate people will push a door open if it looks ajar,” said Chester Wisniewski, who works as a principal research scientist at Sophos, to The New York Times.

Ultimately, it remains to be seen how this court case will play out. However, whatever the verdict ends up being, it will serve to lay the groundwork for how permissible hacking becomes in the future. It will also serve as the foundation to determine who gets to legally gain access to individuals’ most sensitive personal information without them ever knowing. Consequently, there is a fine moral line being straddled there.