Brenno de Winter is a Dutch investigative journalist. He was skeptical of his government’s €2 billion project to implement digital payment cards for public transit. De Winter suspected that the cards were technologically insecure and easily hackable using basic computer skills. So he hacked them using basic computer skills. He found that a 30 Euro card could be repeatedly loaded up with 150 Euros of credit, and the transit system would never catch on.
He documented these hacks in print, on television and on the radio, and the story became headline news in the Netherlands. His work led to the Dutch parliament postponing the release of the cards, and widespread fraud was thus averted.
De Winter now faces a possible sentence of six years in prison.
Trans Link Systems, the company contracted to build the card, has filed criminal charges against de Winter, alleging he defrauded their system. He cannot discuss the case while it is pending, and is therefore effectively gagged from continuing to work on the story at the exact moment a replacement system is being rolled out. Other journalists have repeated his hack in Spartacus-style solidarity, but no charges have been filed against them.
As a digitally literate journalist, de Winter had to prove that the cards were insecure in order to report on their insecurity. How else could he have done his duty to inform the public? A technologically complex explanation of the vulnerabilities would hardly have been good journalism. So he did what any good reporter or white-hat hacker would do—he illustrated the problem with a practical example, from which he did not personally benefit.
So the question stands: when is a hacker a journalist? And should someone who exposes vulnerabilities be subject to the same punishments as those who exploit them?
Jesse Brown is the host of TVO.org’s Search Engine podcast. He is on Twitter @jessebrown.
[Slideshow image courtesy of Lisa Padilla/Flickr]