KSU Calls For Legal Reform To Protect Ethical Hacking After Lecturer And Former Students Get Criminally Charged
Kunsill Studenti Universitarji (KSU) is calling for an “urgent legislative reform” to define and protect ethical hacking after criminal charges were slapped on three former students and their University lecturer.
Recent graduates Giorgio Grigolo, Michael Debono and Luke Bjorn Scerri, as well as their lecturer Mark Joseph Vella, are facing charges after they discovered security vulnerabilities within the FreeHour application and notified the company in October 2022.
This case, which is being pursued by the police and not at the request of FreeHour, has exposed a “clear gap” in the country’s legislative framework surrounding ethical hacking and cybersecurity, “one which necessitates urgent legislative reform,” KSU wrote.
Grigolo, Debono, Scerri and Vella informed the company of these vulnerabilities in the company’s backend which, if exploited, could have compromised the private data of users. The students then requested a “bug bounty” for spotting the flaw – this is a standard practice in ethical hacking.
However, the company was legally required to report this incident to the police; if it hadn’t, it would have been breaking the law. The students were then arrested in November and they, as well as Vella, were charged. Court proceedings are set for March 2025.
The accused have since received widespread support from different entities and unions who have urged authorities to consider that everything was done in good faith and in accordance with international standards.
The Forum Unions Maltin (For.U.M.) stressed that “educational process conducted in line with ethical standards should not be deemed a cyber attack on an organization.”
“This situation poses a serious threat to the educational process, which is essential for training students to use their computer-related skills and knowledge for the benefit of both the community and the organizations they serve,” the trade union wrote in a statement.
“These students are yet to begin their professional careers. Rather than being encouraged and properly trained as future cybersecurity experts, they are being subjected to criminal prosecution, creating unnecessary hardship at such a critical point in their studies. The state’s involvement in this case only adds to the hostility faced by these young professionals, who are merely trying to develop vital skills and knowledge in cybersecurity—a field crucial for community and organizational security.”
Meanwhile, the University of Malta Academic Staff Association shared a similar statement saying that Vella acted with “academic integrity and in accordance with procedure”.
“He provided his students with the ethical framework that should be applied when discovering vulnerabilities through ethical or ‘white hat’ hacking, fulfilling thereby his duties and responsibilities as a lecturer, and acting within the bounds of established ethical practices.”
FreeHour has also commented on the situation: “Almost two years on, FreeHour remains committed towards finding a more agreeable and positive ending to this incident.”
“This incident only underscores the urgent, genuine need for more modern laws and guidelines surrounding cybersecurity practices.”
Moreover, KSU is calling for reform that would encourage a “culture of transparency and collaboration in strengthening digital security, while safeguarding the rights and interests of those acting in good faith to prevent potential breaches.”
“KSU stands in solidarity with the accused recognising their actions as a well-intentioned effort to protect the data of thousands of students, many of whom are minors, from potential exploitation.”
Do you think the Maltese law should be reformed to protect ethical hacking?