Comment: Those who act in the public interest will be punished

A programmer is punished for uncovering a security vulnerability. Trial observer Fabian Scherschel considers this decision to be disastrous.



By Fabian A. Scherschel

The case surrounding "Modern Solution" and the programmer convicted of exploiting a security vulnerability will have catastrophic consequences. The Aachen Regional Court's decision may be in line with established law. Nevertheless, it is a disaster for IT security in our country.

A commentary by Fabian A. Scherschel

Fabian A. Scherschel wrote daily for heise online and c't as an editor from 2012 to 2018, first in English from London, later in German from Hanover. Since 2019 he has reported as a freelance author and independent podcaster on IT security, operating systems, open-source software and video games.

Not only have the judiciary and law enforcement authorities allowed themselves to be used as an instrument by a company that would rather lash out than admit its own mistakes; with this verdict they are also criminalizing a charitable act. This endangers not only security researchers who report vulnerabilities to the affected companies, but also whistleblowers who want to expose the dangers posed by unruly security illiterates.

The sticking point in the Aachen trial was the screenshots that the defendant used to document the security vulnerability found. Without documentation, neither affected companies nor reputable journalists, to whom a security researcher turns, believe that a security gap really exists. But it was precisely this documentation of the vulnerability that was the programmer's undoing, as the screenshots ultimately confirmed his guilt.

What does this mean for programmers or support staff who come across security vulnerabilities in the course of their work? That it's best not to report them to the company concerned, because in the worst-case scenario this could land them in jail. I'm inclined to agree with Fefe when he comments that it's probably less risky to "dump the data directly on the darknet."


The only option for such people who want to do the right thing for society despite all the dangers is, according to this judgment, to turn to a trustworthy journalist for whom source protection is a top priority (for example, the author of this commentary or the colleagues at Heise Security). Because only a conscientious journalist can report the leak to the company and then inform the public without putting themselves and the whistleblower in unnecessary danger.

It is true that the air is also getting thinner for journalists since the EU's media freedom law has clearly permitted spying on the press to uncover the criminal acts of sources. However, journalists are still the best option for security researchers who want to act conscientiously without putting themselves at unnecessary risk.

(vbr)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.