Nauman Ashraf Bodla


The Shocking FreeHour Ethical Hacking Case in Malta

The FreeHour Ethical Hacking Case — When Helping Got Three Students Prosecuted

[Image: Three university students working on a cybersecurity assignment. Caption: The university team that found the flaw — and got punished for reporting it]

In 2022, three university students in Malta unintentionally set off what became the well-known FreeHour ethical hacking case while working on a classroom assignment related to cybersecurity. Their assigned goal was to understand digital vulnerabilities and to explore how systems can be secured against the latest threats. But the assignment led them somewhere they had not anticipated.

While analyzing some real-world applications, they discovered serious flaws in the FreeHour app. FreeHour is a popular student app used for managing class schedules, sharing study notes, and finding part-time jobs. The vulnerabilities they identified were significant, of the kind that could compromise students' data.

A Responsible Act Turns Into a Legal Nightmare

[Image: Warning symbol overlaying a smartphone app interface with digital code. Caption: The moment help turned into a threat — FreeHour’s unexpected response to ethical reporting]

The students chose the ethical path to address the vulnerabilities. Instead of exploiting the flaws, they notified FreeHour's development team about them. They never asked for money or fame; they simply wanted to help.

However, FreeHour's reaction came as a surprise to them. The FreeHour team reported the students to the authorities as hackers. What had started as a classroom project suddenly turned into a criminal case. All three students were charged with unauthorized access under Malta's cybercrime laws.

A Deeper Look — What Went Wrong?

This case started a debate in the cybersecurity world. Ethical hacking, often called white-hat hacking, is widely used as a crucial way of testing security to identify risks before criminals can exploit them. So the biggest question was: why were these students being treated as criminals? The reason is simple and clear, and I explain it below.

Lack of Clear Legal Frameworks

The relevant law of Malta covering these types of crimes is Malta's Computer Misuse Act. This act does not clearly separate ethical hacking from malicious hacking. Malta is not alone here: similar legal gray areas exist in the legal frameworks of many countries, including the United States. There, the Computer Fraud and Abuse Act (CFAA) is criticized for failing to distinguish between good-faith security research and criminal hacking. Similarly, in Pakistan, the Prevention of Electronic Crimes Act (PECA) 2016 can also be interpreted broadly. Recent amendments to PECA 2016 have somewhat strengthened the law, but it is also criticized by social activists as a bar on freedom of speech.

That is why, in 2022, the U.S. Department of Justice announced that it would not prosecute good-faith security researchers under the CFAA. This was a progressive step that Malta did not follow, and so it ended up in this mess.

Although Interpol's Cybercrime Directorate and the Budapest Convention on Cybercrime (a UN-backed treaty) promote responsible disclosure, neither binds the signatory countries to enforce these regulations unless the regulations are consistent with their local laws. Therefore, all the signatories concerned have to update their laws to keep up with these international treaties.

Global Echoes of the FreeHour Ethical Hacking Case

This gap in the legal system is not only a failure of the Maltese state. For every other country that recognizes it, it is a wake-up call too. In the normal course of their work, ethical hackers sometimes walk a thin line. It is legal clarity that can differentiate ethical hackers from malicious ones. Hence I would say that without legal protection, ethical hackers are at risk of being prosecuted for criminal offences even when they are acting in the public interest.

The Lahore (Pakistan) Incident – 2020

In 2020, a computer science student from Lahore, Pakistan, uncovered a major vulnerability in the Punjab Provincial Health Department's COVID-19 database. The platform was designed to track COVID-19 patient cases, vaccination statuses, and healthcare resources. Its major flaw was that it exposed the sensitive medical records of thousands of citizens of Punjab that were recorded on the platform.

The student, being a responsible citizen, contacted government officials and offered to submit a detailed report on the vulnerability. However, instead of being acknowledged and rewarded, he was threatened with criminal charges under the Prevention of Electronic Crimes Act (PECA) 2016, specifically under Section 3 (unauthorized access to information systems) and Section 4 (unauthorized copying or transmission of data).

Although he had good intentions and had not carried out any malicious activity, the authorities viewed his access as a breach and as unauthorized access. The situation sparked resistance from digital rights groups, including the Digital Rights Foundation (DRF) and Bytes for All. They issued public statements defending the student and criticizing the government's response.

This case highlighted two major issues for Global Digital Forums:

  1. Lack of a structured vulnerability disclosure policy: The government had no policy under which the student could report cybersecurity flaws to those concerned.
  2. Overreach of legal provisions: The student acted to prevent a possible breach of information; however, the vague definitions in local cybercrime laws put ethical hackers at risk of being incriminated.

As of today, even after the recent amendments in 2025, nothing formally protects ethical hackers in Pakistan, while concerned groups continue to press for such changes in local laws. The incident remains a textbook case of how good-faith cybersecurity efforts can be penalized in the absence of a clear legal framework.

Lessons for Governments and Developers

  1. Governments need to adopt clear legal protections for ethical hackers, because ambiguities in criminal laws stifle innovation and discourage responsible disclosure of vulnerabilities.
  2. Companies must set up secure, structured disclosure policies. They can introduce vulnerability identification bonus programs, which will encourage ethical hackers to proactively identify vulnerabilities in their systems.
  3. Universities should form public-private partnerships with legal experts to guide students on responsible cybersecurity research.

Where the Case Stands Now

[Image: Scales of justice balancing code and law in a digital landscape. Caption: The balance between justice and innovation — what laws must adapt to protect]

Coming back to today's topic, the Malta case: as of 2025, the charges against the Maltese students were dropped. However, it took months of legal pressure and support from international ethical hacking communities to make it clear that this was not malicious hacking. The good part was that their university stood by them. But the experience was traumatic for the 3 students. It could easily have ended in conviction if international communities had not stepped in to explain the situation.

Conclusion

This case is not only an eye-opener for Malta; it highlights the urgent need for all countries to align their laws with the realities of cybersecurity. When students start being punished for doing the right thing, we have nothing to redress the whole mess. The FreeHour ethical hacking case is a landmark example of how current laws can misinterpret good-faith cybersecurity efforts.

Everyone must understand that ethical hackers are not criminals; they are the first line of defense in an increasingly digital world.

If you think we should be supporting the next generation of cybersecurity defenders rather than seeing them prosecuted, please share your thoughts in the comments below or reach out to me to discuss how ethical hacking should be protected.
