FreeHour has said it wants a more "positive ending" for students who face criminal charges for exposing a security flaw in its systems, but stopped short of saying what it intends to do about it. 

The student-focused online platform said the incident "underscores the urgent, genuine need for more modern laws and guidelines surrounding cybersecurity practices", adding that it was "committed towards finding a solution for a more agreeable and positive ending to this incident." 

But when pressed, the app's founder Zach Ciappara declined to specify how that commitment would translate into action. 

In October 2022, Michael Debono, Giorgio Grigolo and Luke Bjorn Scerri were arrested after they highlighted security vulnerabilities in FreeHour, an app that helps students manage their schedules. 

The students contacted FreeHour to inform the company of the security flaw and requested a reward - or ‘bug bounty’- a common practice in ethical or ‘white hat’ hacking. 

Instead, they were arrested, strip-searched, and had their computer equipment confiscated. 

Now, the students have been accused of gaining unauthorised access to a computer’s data, software or supporting documentation held in the computer, and using, copying or modifying the data, software or document. 

The three students will appear before Magistrate Marse-Ann Farrugia in March 2025. So too will their lecturer Mark Joseph Vella, who has been charged as an accomplice. 

When contacted for a reaction on Tuesday, FreeHour's Ciappara recounted the details of the incident and defended the company's original decision to report the students to the police. 

He noted that Freehour had reported the incident to authorities following advice and to ensure it complied with data protection and cybersecurity regulations. 

It was only later that the company learnt that the students' intentions were not malicious, Ciappara said.  

When asked how the company would aid the students, whether the company would testify in favour of the students or ask the authorities to drop the charges, Ciappara remained tight-lipped.

"In response to your questions, FreeHour is not able to disclose further details at this juncture, beyond what has already been said in the statement provided earlier," he said.

Ciappara noted that Freehour had at the time told authorities that it did not intend to press charges against the students.

Last year, FreeHour said it was “exploring ways” to help the students.

What does the law say about ethical hacking? 

The students argue that they should not be treated like cybercriminals, as their hacking was done with the intention of identifying and fixing vulnerabilities. 

Legal experts have however noted that the concept of ethical hacking does not exist in Maltese laws, and called for laws to be updated to allow ethical hackers to report cybersecurity vulnerabilities without fear of prosecution. 

The students are being investigated under Article 337 of the Criminal Code, which makes it illegal to access an application without being “duly authorised by an entitled person”.

The criminal investigation has already impacted the three students - last July they were barred from competing in a European cybersecurity challenge due to the probe. 

Since then, the PN has urged the government to resolve the ongoing issues involved in the case. 

KSU reaches out to both students and company

The University Students’ Council (KSU) said it has reached out to both parties to better understand the facts of the case. 

“After understanding the different sides to the story and looking at the different factors at play, action will be taken accordingly,” KSU president Luke Bonanno told Times of Malta. 

 

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.