Modern Solution: Convicted IT expert files constitutional complaint
The verdict against a security researcher convicted under the hacker paragraph is final. The convicted man will now go to Karlsruhe.
The security researcher convicted of criminal computer offenses in the Modern Solution case has now lodged a constitutional complaint. His lawyers believe that the proceedings are unfair and that their client's constitutional rights have been violated. The constitutional complaint is necessary because the normal legal process has been exhausted.
The self-employed programmer had investigated a problem with the software of the Gladbeck-based company Modern Solution GmbH & Co KG on behalf of a third party and discovered a security vulnerability that had exposed the data of almost 700,000 German consumers on the internet. The store platforms affected included Kaufland, Otto and Check24, which used the Modern Solution software. The password to this database was stored unencrypted in an executable file of the middleware product and was the same for all Modern Solution customers.
After the programmer reported the vulnerability to Modern Solution, he made it public shortly afterwards in cooperation with the operator of an industry-related blog. Modern Solution then reported the security researcher to the police, who searched his home and confiscated his work equipment.
Cologne Higher Regional Court confirms judgment
At the end of July 2025, the Cologne Higher Regional Court ruled on the defendant's appeal and confirmed the judgment of the Aachen Regional Court of 4 November 2024. The programmer has thus been sentenced to a fine of 3,000 euros and must bear the costs of the proceedings.
The court considered it proven that the man had committed a criminal offense when he read out a password from his customer's software in order to gain access to the associated database on the Modern Solution servers. The developer insisted to the end that he had only accessed this database in order to find a bug in the Modern Solution software that was causing problems for his customer. Modern Solution had stated in its complaint to the police that the programmer had wanted to harm the company because he himself was working on competing software to the Modern Solution product.
The convicted man's lawyer has now lodged an appeal with the Federal Constitutional Court on his behalf. This is based both on the allegation that the proceedings were conducted unfairly and on the argument that the defendant's constitutional right to freely exercise his profession (Article 12 of the Basic Law) was restricted. The next step is for the Federal Constitutional Court to decide whether the constitutional complaint has any prospect of success and will be accepted. Experience shows that this can take months.
Rejection could also bring progress
In an interview with heise online, the programmer's lawyer said that even a rejection of the complaint could be a victory for the general public of lawyers and IT employees in Germany. Although this would be of little help to the defendant, a rejection by the BVerfG could, for example, provide guidance for the future handling of §202a StGB.
This could at least somewhat defuse the current minefield that many security researchers and other IT experts see themselves confronted with. Some security researchers commented on the case that they would not report new security vulnerabilities in such a situation in order to avoid criminal prosecution initiated by the company concerned. If this attitude prevails in the industry, it would inevitably lead to a nationwide deterioration in IT security.
Parts of the industry therefore see a decision by the Federal Constitutional Court on the hacker paragraph as desirable. In 2009, the court rejected a constitutional complaint regarding §202c StGB, but at least made it clear that the mere fact that a program can be used for illegal activities does not make its use punishable. However, the relationship of such software to §202a StGB has obviously still not been conclusively clarified.
This is shown, among other things, by the Modern Solution proceedings, in which one of the public prosecutors cited the fact that the defendant had used software to decompile program code as justification for his dishonest intentions. This was precisely the kind of "dual use" product that the judges in Karlsruhe had actually declared unobjectionable in their 2009 decision.
Lack of understanding among IT professionals
On the one hand, the Modern Solution case concerns the ongoing uncertainties in dealing with software that can be used both for legitimate troubleshooting by an IT consultant and for a hacker attack by a criminal. On the other hand, it also needs to be clarified at what point a technician is guilty if he examines a computer system of a third-party company on behalf of a customer, namely if he obtains access to data "which is not intended for him and which is specially secured against unauthorized access" in accordance with §202a StGB.
The judges' view that a standard password stored in plain text in the source code is sufficient to ensure "special security" is met with incomprehension in practice by experts, who see such a situation as a security gap rather than effective security.
It was surprising how the judges in Aachen and Cologne decided, said the security researcher's lawyer in an interview with heise online. One motivation for the constitutional complaint was that the decision of the Higher Regional Court of Cologne had little substance. In addition, the case had been followed with interest not only in the IT industry, but also in the legal literature.
Against this background alone, guidance from the Federal Constitutional Court seems desirable. This is also due to the fact that the proposed amendment to the hacking law in November has apparently not made any progress so far and has not gone far enough for many experts anyway.
No technical investigation
During the hearing of evidence, the court in Jülich did not deal directly with the password file and no attempt was made to verify the defendant's statements. The police do not appear to have done so either, according to the parts of the investigation file read out during the trial. Furthermore, the court was unable to prove that the defendant had obtained the password by decompiling the program.
At the end of the trial, however, even this had little effect on the verdict. According to the presiding judge, the set password alone meant that a look at the raw data of the program and a subsequent database connection to Modern Solution fulfilled the offence of hacking. The fact that this happened, as the defense had emphasized several times, in the course of a "functional analysis" of the software on behalf of a customer of Modern Solution did not seem to play a role in this decision. This also applies to the fact that the password in question was delivered together with the software.
Court: "Hacking is generally punishable"
The Jülich judge justified his decision by stating that the legislator's intention in tightening Section 202a of the German Criminal Code (StGB) in 2007 was obviously to "criminalize hacking as such". From this perspective, protection that is "not easy for everyone" to circumvent is sufficient to constitute the offense. As the defendant had no previous convictions, he was sentenced to a fine and avoided a prison sentence.
The man appealed to the Aachen Regional Court. In November 2024, the court dismissed the appeal as unfounded. In the trial, the Regional Court of Aachen consistently adopted the assessment of the Jülich District Court that accessing the secure database constituted a criminal offense because the password could not be easily guessed and was not publicly known. The small criminal division of the court emphasized that the defendant would not have been liable to prosecution if he had terminated the access on seeing third-party customer data. The screenshots taken therefore sealed his criminal liability.
The defense then applied to the Cologne Higher Regional Court for an appeal of the case. On July 3, 2025, the 1st Criminal Senate of the court ruled that the decision of the Regional Court of Aachen did not contain any legal errors and was therefore legally binding. As is usual with appeals, the factual circumstances of the case were not re-examined in these proceedings.
(vbr)