When does hacking = journalism? - Macleans.ca

When does hacking = journalism?

A Dutch journalist faces criminal charges for exposing the security flaws of local transit passes


Brenno de Winter is a Dutch investigative journalist. He was skeptical of his government’s €2 billion project to implement digital payment cards for public transit. De Winter suspected that the cards were technologically insecure and easily hackable using basic computer skills. So he hacked them using basic computer skills. He found that a 30 Euro card could be repeatedly loaded up with 150 Euros of credit, and the transit system would never catch on.

He documented these hacks in print, on television and on the radio, and the story became headline news in the Netherlands. His work led to the Dutch parliament postponing the release of the cards, and widespread fraud was thus averted.

De Winter now faces a possible sentence of six years in prison.

Trans Link Systems, the company contracted to build the card, has filed criminal charges against de Winter, alleging he defrauded their system.  He cannot discuss the case while it is pending, and is therefore effectively gagged from continuing to work on the story at the exact moment a replacement system is being rolled out. Other journalists have repeated his hack in Spartacus-style solidarity, but no charges have been filed against them.

As a digitally literate journalist, de Winter had to prove that the cards were insecure in order to report on their insecurity. How else could he have done his duty to inform the public? A technologically complex explanation of the vulnerabilities would hardly have been good journalism.  So he did what any good reporter or white-hat hacker would do—he illustrated the problem with a practical example, from which he did not personally benefit.

So the question stands: when is a hacker a journalist? And should someone who exposes vulnerabilities be subject to the same punishments as those who exploit them?

Jesse Brown is the host of TVO.org’s Search Engine podcast. He is on Twitter @jessebrown.

[Slideshow image courtesy of Lisa Padilla/Flickr]


When does hacking = journalism?

  1. I actually think a lot of hacking that we’ve seen recently is done for the same reasons that inspire many journalists. Most of the Anonymous ‘hacks’ in recent years have been done to bring attention to related social/political/economic issues of importance. And their viral distribution of Tom Cruise’s bizarre Scientology video several years ago exposed the cult for what it really was. The recent hacking of the Syrian MoD was a way of communicating with the Syrian people when the government is trying to shut down all external communications, precisely to keep the media at bay.

    A lot of the time the goals are the same, only the means are different.

    • I see a difference – a large one. de Winter Did it for the story – admitted he did it, and reported on it, to expose a problem. The hackers, on the other hand – regardless of their motives – either don’t report what they have done, or do so as a media event, where the focus is as much “look what I did” as it is “look what they did”. And then they hide behind anonymity.

      The “white hat” hackers are more a protest group than journalists. That’s not to say they are necessarily wrong in their intent, but rather that there is a difference in intent and motives.

      • Everything Anonymous and lulsec hacked, they posted. fyi…

  2. Unless the transportation ministry can show this guy profited personally from his hacking, or in other words actually using the recharged cards without then immediately paying back the money, I don’t see how they can make a case that they were defrauded.  But, it may well be that the guy had no way to  pay back the money immediately (and he had to use them to see if the hack was successful).  In which case, sucks to be him.  Hopefully, they don’t have ‘standard minimum sentences’ for stuff like this in The Netherlands.

  3. Any reasonable court will toss this out.

    • Uh-oh. If that’s true, then odds need to be estimated on the case NOT being tossed.

      • Yeah, true…I have no idea if Dutch courts are good, bad or indifferent.