Civil society exerts pressure to curb hacking penalties

The Bundestag is still to improve and approve the initiative, which would mean that ethical hackers would no longer have to fear sanctions such as prison.


The draft bill to modernize criminal computer law, which the Federal Ministry of Justice (BMJ) submitted for departmental approval in October, aims to make it easier for IT security researchers to responsibly identify and close security loopholes. In principle, this approach is a step in the right direction, representatives of civil society explained at a hearing organized by the BMJ. However, the plan still needs to be improved in various areas and, above all, adopted by the Bundestag in a timely manner, preferably before the new elections in February. The BMJ is focusing above all on defusing Section 202a of the German Criminal Code (StGB), which covers spying on and intercepting data as well as preparatory acts. It recently led to the conviction of a programmer in the Modern Solution case.

The German government should use the remaining time in the legislative period to finally reduce the legal uncertainty in IT security research and strengthen cybersecurity in Germany in the long term, emphasizes Nikolas Becker, Head of Policy & Science at the German Informatics Society (GI). "It would be important to address preparatory actions for IT security research more clearly and to simplify the legally compliant proof of honest intentions." In a statement, the GI set out where it sees a need for correction, including the lack of clear criteria for such proof.

The actual hacker paragraph, Section 202c StGB, is particularly controversial. Under it, preparing a criminal offense by producing, procuring, selling, transferring, distributing or making available passwords or other security codes for data access, as well as suitable computer programs, is punishable by a fine or imprisonment of up to one year. However, the "hacker tools" criminalized in this way are used by system administrators, for example, to check networks and end devices for security vulnerabilities. The GI, like the Chaos Computer Club (CCC), also criticizes that the BMJ wants to leave this paragraph unchanged.

The AG Kritis, which deals with the security of critical infrastructures, also emphasizes the urgent need for action in its statement. This is primarily in the interests of researchers "who are committed to IT security in Germany on a voluntary basis and out of public interest". The legal uncertainty leads to a worrying "chilling effect": "Security vulnerabilities are no longer reported for fear of criminal consequences, which means that potential dangers to the public remain undetected." The approach chosen by the BMJ brings improvements here, but is not the best possible one. In the future, IT security researchers could be regularly acquitted in court. However, the risk of a house search, the confiscation of hardware and the expense of conducting a trial will remain.


According to the AG Kritis, researchers should also be exonerated in such a way that, in the vast majority of cases, no charges are brought in the first place. One conceivable solution would be to add an element of the offense to the Criminal Code, namely intent to cause harm. Public prosecutors' offices would then be obliged to establish whether a case involves voluntary IT security research. Furthermore, a focus on criminal law reforms alone is not enough. Civil law also needs reform, for example copyright law's ban on decompilation. The Trade Secrets Act likewise lacks an exception for reporting security vulnerabilities, and in the case of radio interfaces, the current interception ban stands in the way of lawful vulnerability reports.

(vbr)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.