After Prison, Hackers Face Tech Restrictions, Limited Job Prospects

“The limitations are sensible, but they may introduce complications to what we’d expect in the rehabilitation and re-entry process,” said Thomas Holt, a professor in the School of Criminal Justice at Michigan State University.

After Tommy DeVoss was caught hacking into hundreds of corporate, military and state and federal government systems in 2000, he spent the next 10 years either banned from using computers or in prison. He was twice sent back for breaking provisions of supervised release, including for using a computer.

“Being told you can’t do something that is pretty much the most joyful high you get, it’s pretty impactful,” said Mr. DeVoss, now 38 years old and living near Richmond, Va.

After his prison term, he applied for tech jobs for several years without success, working in construction and restaurants until landing a technology job in 2013.

Now Mr. DeVoss, who calls himself a “reformed black hat,” works in cybersecurity for software firm Braze Inc., and looks for bugs in software and other vulnerabilities as a bug-bounty hunter for HackerOne Inc., a firm that helps companies work with security researchers.

Alex Rice, HackerOne’s co-founder and chief technology officer, said anyone can participate in its public programs if they follow certain rules and a code of conduct that bans blackmail, unauthorized disclosure of personal data and impersonating others.

Braze CTO Jon Hyman said the company doesn’t hire people convicted of violent offenses or crimes such as embezzlement or fraud. Mr. DeVoss’s conviction isn’t “material to his role” at Braze, he said.

The cyber industry is expecting to face more situations that require executives to decide if they would hire convicted hackers. The Federal Bureau of Investigation received 847,376 reports of cyberattacks last year, up 7% from 2020.

Many hackers have the right kind of technical and critical-thinking skills needed in a cyber professional. In a few countries, such as Belgium and the Netherlands, tech restrictions on released hackers are rare, said Catherine Van de Heyning, a Belgian prosecutor and professor of law at the University of Antwerp. Many judges deny such requests from prosecutors, saying limitations would harm the individual’s ability to work and rejoin society, she said.

One step toward entering the corporate workforce for a convicted hacker is earning a certificate from a respected cyber organization. But it isn’t a path many take. The International Information System Security Certification Consortium, a key training organization, has received fewer than 10 applications in the past decade from individuals with a cybercrime charge or conviction, said Clar Rosso, chief executive of the consortium.

Individuals go through ethics and background checks before being certified through (ISC)2, whose ethics code requires that applicants “act honorably, honestly, justly, responsibly, and legally.”

“It would be very unlikely we would allow them to hold our certification because of how closely tied that is to the violation of our ethical canons,” said Ms. Rosso of convicted hackers.

Still, said (ISC)2’s general counsel Graham Jackson, some such applicants have been accepted, but he declined to elaborate.

In the U.K., Daniel Kelley was released last year from the high-security Her Majesty’s Prison Belmarsh in England after serving half of a four-year sentence for hacking several companies, including Britain’s TalkTalk Telecom Group PLC in 2015, when he was 18. TalkTalk said the attack cost it £42 million, equivalent to $48 million, in the immediate aftermath, and personal data from around 156,000 customers were exposed. Mr. Kelley said he didn’t make money from hacking TalkTalk.

On probation until 2023, Mr. Kelley must comply with tech restrictions for another three years after that. They include having to register his devices with probation authorities and limits on his access to apps and online services, such as virtual private networks—which many companies require for remote work. Every few months, authorities collect Mr. Kelley’s devices without prior notice to inspect and copy their data, he said.

“There’s a level of paranoia all the time,” said Mr. Kelley, who is now 25 and lives in Llanelli, in South Wales. TalkTalk declined to comment.

When he applied to be certified by (ISC)2 last year, he was informed that because of his criminal conviction, an ethics committee would decide whether he could take the exam, be banned for life from its certifications or apply for certification later, according to an email from the organization viewed by The Wall Street Journal.

Mr. Kelley said he can’t afford to hire a lawyer to send copies of his case documents, which (ISC)2 requested. “If I could take certification today, at least that would mean in a couple years from now I would still have certification relevant to my field. I would still be valuable,” he said.

Post-release orders for any type of crime are intended to keep people from reoffending, and in cybercrime cases they naturally include technology curbs, said Alison Abbott, head of the U.K.’s National Crime Agency’s lifetime management unit, which manages the orders.

“The judge has got to make that balancing decision as to what might be restricted for the individual and what might protect the public,” she said.

Mr. Kelley said he is frustrated watching employers’ interest fade once they hear the list of technologies he can’t use, even if they at first appeared ready to give him a chance despite his hacking conviction.

“I still want employment in cybersecurity,” Mr. Kelley said. “The longer it goes on, the less realistic it looks.”

Write to Catherine Stupp at [email protected]