Chinese "white hat" hackers, who have been reporting IT security risks in recent years, have fallen silent after two of their online platforms shut down, triggering speculation about their legal standing and arousing concerns over the future of these helpful hackers.
Unlike malicious or "black hat" hackers, white hat hackers hack into restricted systems and networks to test and assess their defenses and release reports on any vulnerabilities.
White hat hackers have long been reporting risks to enterprises or government departments and they have often been rewarded for their efforts to protect cyber security. Statistics from China's National Vulnerability Database (CNVD) show that domestic Internet security monitoring platforms reported 25,314 vulnerabilities in 2015.
However, the ambiguous legal standing of these hackers and this platform has come into the public spotlight after white hat hacker Yuan Wei was arrested in April for hacking into dating site Jiayuan.com. Yuan helped detect a vulnerability on its website in December 2015, but Jiayuan.com later filed a report with the police saying Yuan had stolen information.
Yuan's arrest has made a splash among the public with many people beginning to wonder whether white hat hackers are information thieves or cyber security protectors.
Chinese Internet security experts pointed out that white hat hackers have played an important role in safeguarding the country's cyber security, and have called for the government to define the legal status of the group as soon as possible.
Thief or protector?
Yan Hanbing with the National Computer Network Emergency Response Technical Team Coordination Center, an NGO, said at the China Internet Security Conference in Beijing on Tuesday that over 200,000 vulnerabilities have been found since 2009, and a significant chunk of those were uncovered by white hat hackers.
For example, since 2013, hacker platform wooyun.org has revealed weaknesses on the websites of many enterprises such as 12306.cn, China's official online train ticket platform; Ctrip.com International, a Chinese NASDAQ-listed travel booking website; the Beijing-based employment portal Zhilian Zhaopin; and a variety of government websites.
The exact number of white hat hackers is unknown. wooyun.org alone has some 7,000 registered members, news site jiemian.com reported.
In June 2015, wooyun.org, Qihu 360's Internet security monitoring platform butian.360.cn and another 30 groups signed a convention to regulate the receiving and publishing of websites' vulnerabilities.
However, while recognizing their good work, the CNDV said at the time that the monitoring platforms failed to notify the related commercial or official departments before publicly revealing vulnerabilities, the information they release is too detailed and sometimes they exaggerate vulnerabilities which causes panic.
More concerns over the position of white hat hackers were sparked when wooyun.org and another hacker platform suspended their operations in July. Why they shut down was not clear, however many suspect these decisions are linked to Yuan's arrest.
These closures have stirred up further chaos, as many believe that without these benevolent channels for hackers, some could turn to more nefarious types of hacking.
Many Internet security insiders have argued that whether or not hackers' right to detect vulnerabilities and then reveal them is legitimate needs further public discussion.
Under the sun
Huang Daoli, an associate researcher with the cyber security legal studies center under the Ministry of Public Security, said at a forum held on the sidelines of the China Internet Security Conference that white hat hackers are in a gray legal area, since there is no specific law to regulate the digging-out, revealing, utilization and trade in Internet vulnerabilities and it is very easy for white hat hackers to cross legal boundaries based on the country's criminal law and other regulations.
"Along with the booming of the Internet, the market needs public efforts in safeguarding cyber security. It cannot stop hackers from revealing vulnerabilities and white hat hackers have greatly contributed to the safety of Internet development," Xie Yongjiang, an associate professor at the Beijing University of Posts and Telecommunications, told the Global Times on Wednesday.
Xie said that the group should report risks to government-approved vulnerability reporting platforms. They should be 'put in the sun' and be encouraged to establish relationships with enterprises.
More importantly, the government should release regulations on and define the legal status of white hat hacker platforms, regulating and promoting the development of the industry, said Xie.
