The Malta Independent on Sunday

A much needed legal amendment

Ethical hacking is a concept which Malta has begun to better understand. Sadly, it took a particular case involving three students and a lecturer to bring it to the fore.

Back in 2022, three students, Giorgio Grigolo, Michael Debono, and Luke Bjorn Scerri, and their lecturer, Mark Joseph Vella, found “serious security vulnerabilities” in the popular FreeHour student timetable mobile application. The group then informed the company about these security flaws and requested a “bug bounty” - a common reward practice in ethical hacking.

The group of four were then arrested, and had all their computer equipment seized by the authorities. They are now facing criminal charges which can carry a sentence of up to four years' imprisonment. The date of their first court appearance has been set for next year.

Prime Minister Robert Abela, during an interview on party media, addressed the ethical hacking situation in the country. He announced that Malta was going to have an ethical hacking framework, and recently a draft was issued for public consultation.

Ethical hackers play an important role, helping to identify security vulnerabilities in companies. This in turn means that a company can fix that security flaw before hackers with harmful intentions can exploit it.

The Prime Minister, during that interview, had said that Malta lacked regulation in this sector. “I want this case to be addressed let me be clear, as the facts are what they are and I want to incentivise our youths, who study and aim for new sectors that tie in to our vision regarding being less labour intensive and more skilled, so we cannot leave a framework of laws that either have lacunae or are ambiguous, or for which there is a lack of regulation. I think what happened in this case is that there was a lack of regulation in this important economic sector.”

As said, the case regarding the three students and their lecturer will go before the courts, and the authorities seem to have decided to move forward with the case.

In a statement sometime after it experienced the breach, FreeHour had said that from the mention of payment, the changes to the app’s front end “and a 90 day ultimatum, FreeHour was legally advised to report this to the Police as a potential threat. We also had a responsibility to inform Malta’s Data Protection Authority (IDPC) within 48 hours, which we did.” But, it also went on to say at the time that after hearing the four students’ perspective and understanding their intentions, “it has become clearer that there was no malicious intent.”

More recently, the Times of Malta published an article stating that the app wants a more “positive ending” for the students.

Since the news broke that the students and lecturer are to face criminal charges, a number of organisations expressed concern over the situation, or called for the charges to be dropped. The Nationalist Party called on the government to end the investigation into the students and lecturer. But this has not happened.

Should the authorities have taken it this far? “Our institutions and entities did their job in the context of the report they have and of the legislative framework the country has today,” Abela said.

It seems the case will end up going before the courts. The news regarding FreeHour wishing for a positive ending will be relevant for the court’s assessment.

Now that there will be a set of regulations put in place soon, ethical hackers will at least have a set of guidelines, so to speak, that they will be able to follow. It would also make clearer who is an ethical hacker and who hacks with malicious intent. White hats should not face criminal charges when their aim is to help.

Ethical hacking should not be a crime and the law should be amended without delay to reflect this.
