Ethical hacking is legal

Hackers can be divided into a number of groups, some of which “are clearly ethical, others are clearly unethical, and still others exist in a gray area of sorts and whose ethics can be debated”, argues Pashel (2006, p. 197). White hats use their skills “in a manner that most would clearly define as ethical”. For example, white hat hackers could be employees who “with permission, attack a company’s network in order to determine weaknesses, and law enforcement and intelligence agents who use their skill in the name of national security or to investigate and solve crimes” (p. 197).

For Bodhani (2013), there is white, black, and a wide range of in-between grey hat hackers “who will search for vulnerable systems and inform the company but will hack without permission” (p. 65). Bodhani (2013) presents 10 types of cyber hackers: White hats, black hats, grey hats, blue hats, elite hacker activist, script kiddies, spy hackers, cyber-terrorists and mobile hackers.

But for Young et al. (2007), 9 of the 10 shades of grey represent variations on the same theme: Illegal hacking. Computer hacking is either fully legal and authorized, or is an illegal activity. Presuming there is more than one type of acceptable hacking can give justification to illegal activity. Hackers often view themselves as modern-day Robin Hoods (Young et al., 2007). This Robin Hood mentality allows hackers “to deceive themselves and view their illegal activities as providing a service for the greater good. It also gives them cause to justify their activities should they be caught engaging in any illegal activities by blaming the victims” (p. 282).

Hacking as an illegal practice “is used most typically to describe a person who accesses computers and information stored on computers without first obtaining permission” (Pashel, 2006, p. 197). Pashel (2006), citing Logan and Clarkson (2005), advances the definition of hacking as accessing a system that one is not authorized to access, or accessing a system at a level beyond one’s authorization.

The practices of professional ethical hackers are governed by a legal framework. Ethical hackers abide by the imperative to obtain permission before attempting to access a computer network (Graves, 2010; Harris, 2021; Palmer, 2001).

While a white hat hacker is “authorised to break into supposedly ‘secure’ computer systems without malicious intent, but with the aim of discovering vulnerabilities in order to bring about improved protection,” a black-hat hacker is “someone who hacks with malicious intent and without authorisation” (Bodhani, 2013, p. 64).

Pike (2013) draws a sharp distinction between white and black hats. A white-hat hacker is defined as “a hacker who is committed to full compliance with legal and regulatory statutes as well as published ethical frameworks that apply to the task at hand.” In contrast, a black-hat hacker is “a hacker who either ignores or intentionally defies legal or regulatory statutes with presumably little interest in ethical frameworks” (p. 69).

Similarly, Palmer's (2001) use of the explicit terms “ethical hacker” and “criminal hacker” places him squarely in the same camp of moral clarity as Pike (2013) and Young et al. (2007)—there is really one type of ethical hacker, the hacker who hacks within a legal framework.

Logan and Clarkson (2005), Palmer (2001), Sharma and Sefchek (2007), Xu, Hu, and Zhang (2013), and Young et al. (2007) all more or less echo Pike’s definition, essentially placing hacking and hackers on either side of the law.

That ethical hacking is a legal practice is hardly a point of contention, whether in the literature or in the public sphere. But it should be noted that legal does not necessarily equate to ethical. For example, Pashel (2006) and Bodhani (2013) explicitly acknowledge that variations of grey hat hacking exist, but they too agree that white hat hacking can be distinguished as being legal and authorized.

The key defining characteristic of ethical hacking in comparison to other hacking practices is the legal imperative: ethical hacking is unambiguously legal. The practices of ethical hackers are governed by a legal framework. Ethical hackers have authorization to hack the target system (Graves, 2010; Palmer, 2001). Ethical hackers need prior authorization, stipulated in a legally binding contract with the computer network owners, before attempting to breach a computer network (Bodhani, 2013; Palmer, 2001; Young, Lixuan, & Prybutok, 2007).