[rectang]

The "person suffering the attack" is not the only party who suffers from an attack — the individuals whose information gets leaked also suffer when a company hoards toxic data and it inevitably spills.

From the perspective of those individuals, there is a dramatic difference between black hats who exploit their data and grey hats who humiliate the toxic data hoarders.

[voakbasda]

Do you think those individuals will see the difference?

Also, I would argue there is no gray. A white that breaks the law cannot be trusted, because they become indistinguishable from a black hat that is pretending to be a white hat.

This all comes down a matter of trust, and breaking the law does not build trust in anyone except other criminals. If anything, it erodes trust by demonstrating the willingness to skirt the rules when it suits you.

In this case and context, I see the use of "gray hat" as an attempt whitewash black hat activities. Once you behave like a black hat, you always need to be treated like a black hat. Trust is like that, particularly when talking about security.

[rectang]

> Do you think those individuals will see the difference?

No more or less than an individual whose home was not robbed because a crime was prevented unbeknownst to them.

However, I believe that the toxic data hoarding companies collectively don't see any difference, and so they don't care if individuals suffer. The suffering of individuals when data is leaked is an externality, and it is only when forced to pay for that externality that companies would start to care.

In this regard, the black hats and the toxic data hoarders both contribute towards undermining the common good. Companies don't care if money disappears mysteriously from the bank accounts of individuals who happen to be their customers — companies just don't want to be embarrassed, as it isn't their money being stolen.

But the grey hats disrupt this state of affairs. They are truly antagonistic to the toxic data hoarders, because they humiliate them, rather than merely use them to steal from somebody else.

This status quo of companies operating unsafely, creating massive but dispersed and plausibly deniable harm, is perfectly legal. But should the public trust these companies? Should the public trust individuals who work hard at these companies to build toxic data stockpiles and cover up intrusions, rather than those who expose the harms these practices bring? Who are the "good guys"?