by OscarCunningham 3245 days ago
My understanding was that you just threaten to do those things but don't actually follow through on those threats. Then it's grey hat and ethical but still not legal. If they actually pay the bitcoins and don't fix the issue then you despair and go on with your life. It's hard to spend the bitcoins without deanonymising yourself, but you can try to give them to charity or something.
1 comments

No, simply making that threat ("send <this much> Bitcoins to <this wallet>, or I <copy or trash> your database") is very definitely a crime (and black hat, and unethical) even without any follow-up.

That's as classic as it can be; there's nothing new or technology-related about this. For example, sending an anonymous message "Send cash or I'll burn your house" is a crime (and unethical) even if you don't burn anything. It is a crime (and unethical) even if you're just making an empty threat and never intend to burn anything; it is still extortion.

Arson is one crime, and extortion is a separate crime punishable by itself. If you don't attempt to delete their data then you (obviously) don't get charged with deleting their data, but making threats like that is not acceptable in any way (legal or ethical) whatsoever. Once you press "send" on a message like that, you've crossed a very serious line.

Like I said above, it is a crime. But it's ethical because it's intended to force them to fix their system before someone does something much worse.
Do you believe that you have a moral right to force them to do anything?

Is there a moral imperative that they are morally required to secure their systems and that others should/could demand that they must do so? It definitely could be in certain cases (for example, a hospital storing confidential data of their customers), but in the usual situation where it's just their data and their money, isn't it their moral right to decide how high a fence (if any!) they want to build around their property?

Telling someone "hey, you forgot to lock your door" is a good thing, but ultimately IMHO it's their decision if they want to lock the door or accept those risks.

Yeah, I agree 100%. But in a lot of the cases mentioned in this thread the private data of the company's customers was at risk. For example, the system in the original article allowed you to access other people's names, addresses and national ID numbers. I was thinking only of situations like these; there's no reason to threaten a company if they're the only ones at risk.
Okay, if private data of the company's customers is at risk, then it is a reason to push for some action, but it matters how you do it. In this case I don't see a big need for reinventing the wheel: this is a common issue for which all the options, pros, cons and risks have already been discussed, and there is a somewhat clear consensus (with some debate about nuances) on the expected ethical action, and that is responsible disclosure (https://en.wikipedia.org/wiki/Responsible_disclosure or http://www.cert.org/vulnerability-analysis/vul-disclosure.cf...). Many nations have some more specific guidelines issued by e.g. their local CERT that are adapted to their local legal situation.

The process works reasonably well even if the vendor is not cooperative. In that case it is somewhat similar to the message proposed above, but substantially different: first, the threat is not that you'll destroy or publish their data (which is extortion) but that you'll publish your description of the vulnerability (which generally is not); second, the threat is not that you might consider damaging the data (i.e. stating that you'd be willing to do an immoral thing) but rather that some other immoral people might damage the data; and third, the disclosure is not conditional on receiving money from them.

I can see that the proposed threat was meant in the same direction, and is somewhat similar to the "threat" implied in general responsible disclosure, i.e., if you don't fix it in 45 days then we'll publish info that most likely will mean that you'll get hacked. But it's substantially different; the details are quite important, and you'd need a good reason to deviate from the standard responsible disclosure guidelines.

I mean, what do you do when after sending a message "I have hacked your system, accessed <this information> and modified <that bit of data>, using <this procedure>. You have <this time> to send <this much> Bitcoins to <this wallet>, or I <copy or trash> your database. Thank you for your attention." you see that they have not fixed the issue but have transferred the requested Bitcoins? It'd be a possible direct result of your actions. Is that a desirable outcome? Is that an ethical outcome?