Federal Constitutional Court rejects appeal in Modern Solution case

The Federal Constitutional Court declines to provide further clarity on how Section 202 of the German Criminal Code (StGB), the provision covering hacking, is to be applied.


By Fabian A. Scherschel

The Federal Constitutional Court has rejected the constitutional complaint filed by the IT expert accused in the Modern Solution trial without giving reasons. In a decision dated September 15, which is available to heise online, it states that three judges of the Third Chamber of the Second Senate of the court unanimously decided that the constitutional complaint would not be accepted for a ruling. This means that since June 2021, the Modern Solution case has gone through all German court instances, from the Jülich Local Court to the Federal Constitutional Court in Karlsruhe.

The story of the freelance IT expert from Heinsberg in North Rhine-Westphalia, who discovered a security vulnerability in e-commerce software from Modern Solution in Gladbeck in the Ruhr area and, instead of a reward, was met with a criminal complaint and a search, was followed with interest by many observers from the German IT industry. Quite a few had hoped that the constitutional complaint would clarify the various legal uncertainties in the everyday lives of IT experts and security researchers. Instead, the final decision of the Cologne Higher Regional Court and now the rejection of the constitutional complaint have had the opposite effect: the so-called hacker paragraph, Section 202 of the German Criminal Code (StGB), makes it more difficult than ever in Germany to bring a discovered security vulnerability to the attention of the public.

The saga surrounding Modern Solution began at the end of June 2021, when the public learned of a security vulnerability that had left the names, addresses, account details, and other information of around 700,000 online shoppers freely accessible on the internet. The vulnerability was in e-commerce middleware from Modern Solution, designed to let smaller online shops offer their goods in the large online marketplaces of Kaufland, Otto, Check24, and other companies. Modern Solution had stored the data of all shoppers that had been transmitted via this software to the shop operators using it in a single database. The password for this database on Modern Solution's servers was stored unencrypted in an executable file of the middleware and was the same for all Modern Solution customers. This meant that anyone with access to the software, which at the time could be downloaded freely from the internet, could easily obtain this data. At heise online, we were able to confirm public access to this data ourselves at the time.
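The weakness described in the paragraph above, a database password readable in plain text from a shipped executable, is exactly what a pre-release secret scan of build artifacts is meant to catch before a binary ever reaches customers. The following Python script is an added example, not code from heise online or from Modern Solution: it does what a reviewer would do with the `strings` tool, but as a repeatable release gate. The artifact bytes, the host name `db.example.invalid` and the credential patterns are all constructed for the demonstration.

```python
"""Pre-release check for plaintext database credentials embedded in a build artifact.

Added example (not code from heise online or Modern Solution). It pulls printable
runs out of a binary, as the `strings` tool does, and matches them against patterns
that indicate an embedded connection secret. All sample data below is constructed.
"""
import re
from typing import Dict, List

# Patterns indicating an embedded connection secret. Group 1 captures the
# secret so the report can mask it. Constructed list for the demo, not exhaustive.
CREDENTIAL_PATTERNS = {
    "mysql_uri": re.compile(rb"mysql://[^:\s/]+:([^@\s/]+)@[^\s/]+", re.IGNORECASE),
    "kv_password": re.compile(rb"(?:password|passwd|pwd)\s*=\s*([^;\s\"']{4,})", re.IGNORECASE),
}


def printable_strings(data: bytes, min_len: int = 8) -> List[bytes]:
    """Return runs of at least min_len printable ASCII bytes, like `strings`."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def mask(secret: bytes, keep: int = 2) -> str:
    """Show only the first `keep` characters so the report itself leaks nothing."""
    text = secret.decode("ascii", "replace")
    return text[:keep] + "*" * max(len(text) - keep, 0)


def find_embedded_credentials(data: bytes) -> List[Dict[str, object]]:
    """Scan an artifact and list every plaintext credential it appears to contain."""
    findings: List[Dict[str, object]] = []
    for run in printable_strings(data):
        for kind, pattern in CREDENTIAL_PATTERNS.items():
            for match in pattern.finditer(run):
                findings.append({
                    "kind": kind,
                    "offset": data.find(match.group(0)),  # byte offset in the artifact
                    "secret": mask(match.group(1)),
                })
    return findings


def release_gate(data: bytes) -> bool:
    """True when the artifact is clean; a CI job would fail the build otherwise."""
    return not find_embedded_credentials(data)


# Constructed stand-in for a shipped middleware binary: an ELF-like header,
# some opaque bytes and two embedded connection strings carrying the same
# shared password, which is the pattern the article describes.
SAMPLE_ARTIFACT = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"Server=db.example.invalid;Database=shopdata;Uid=shopuser;Pwd=Sup3rSecret;\x00"
    + b"\x90\x90\x90\xcc"
    + b"mysql://shopuser:Sup3rSecret@db.example.invalid:3306/shopdata\x00"
    + b"Copyright 2021 Example Corp\x00"
)

if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_ARTIFACT):
        print(f"{f['kind']:12s} at offset {f['offset']:#06x}: {f['secret']}")
    print("release gate:", "PASS" if release_gate(SAMPLE_ARTIFACT) else "FAIL")
```

The gate only reports masked values, so its output can sit in a CI log without becoming a second leak. A finding is a signal to move the credential out of the binary entirely (provisioned per deployment at install or run time, and distinct per customer), not to obfuscate it: a password that is merely encoded inside a public download is still, as the article shows, something a court may treat as access protection while doing nothing to protect the data.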

Instead of fixing the error, Modern Solution proved uncooperative, which is why the IT consultant who discovered the vulnerability reported it to an e-commerce blogger in order to increase pressure on the company. This led Modern Solution to close the vulnerability, but they also reported the consultant who reported the vulnerability and the blogger who reported on it. The case against the blogger was dropped, but in October 2021, the independent IT expert's home was searched and all his work equipment was confiscated.

In June 2023, the Cologne public prosecutor's office initially failed in its attempt to bring the IT consultant to trial. The Jülich Local Court rejected the case on the grounds that no crime had been committed, because the data the security expert had accessed in the course of his investigation had not been effectively protected. The Cologne public prosecutor's office appealed, and in July 2023 the Aachen Regional Court ruled that the case had to be heard in Jülich after all. The data had been specially secured because it was password-protected and "could only be retrieved after decompilation," according to the regional court's ruling. "Securing access by means of a password is sufficient as access security," thus fulfilling the elements of the hacking offense.

In January 2024, the case finally came to trial before the tranquil Local Court in Jülich. The defense took the position that the defendant had examined software that Modern Solution had made available to its customer, including all associated data, and had therefore only accessed data that was intended for him. The court did not accept this argument and considered the conduct a criminal offense within the meaning of Section 202a of the German Criminal Code (StGB).

The prosecution had spent a considerable part of the hearing of evidence trying to prove that the defendant had decompiled the program code of Modern Solution's software in order to obtain the password for the database connection. The defendant stated for the record that he had only viewed the file in question with a text editor and had thus read the database password in plain text. He had found it in the immediate vicinity of other known connection data from the MySQL connection he had previously observed. During the hearing of evidence, the court did not deal directly with the relevant file, nor did it attempt to verify the defendant's statements. According to the parts of the investigation file read out during the trial, the police also appear not to have done so. Furthermore, the court was unable to prove that the defendant had obtained the password by decompiling. Although the police investigators were able to secure evidence of the decompilation of the Modern Solution software on the defendant's computers, this only proved that he had decompiled the software *after* his alleged spying on the data.

At the end of the trial, however, this had little impact on the verdict. The presiding judge stated for the record that the mere fact that the software had set a password for the connection meant that viewing the raw data of the program and subsequently connecting to the Modern Solution database constituted a criminal offense under the hacker paragraph. The fact that this had happened in the course of a "functional analysis" of the software on behalf of a customer of Modern Solution (who had received the password in question with the software), as the defense had emphasized several times, did not seem to play a role in this decision. With reference to the decision of the Aachen court, the Jülich judge now said that, after a thorough review of the legal situation, it had been concluded that the legislature, by tightening Section 202a of the German Criminal Code in 2007, had obviously intended "to make hacking as such a criminal offense." From this perspective, protection that was "not easy for everyone" to circumvent was sufficient to fulfill the elements of the offense. Since the defendant had no previous convictions, he was sentenced to a fine and avoided a prison term.

The defendant appealed to the Aachen Regional Court, which thus had to rule on the case for the second time. In November 2024, the court dismissed the appeal as unfounded. At the appeal hearing, the Aachen Regional Court fully adopted the assessment of the Jülich Local Court that accessing the secured database constituted a criminal offense. In addition, the court apparently did not care how the defendant had obtained the password. The password was not easy to guess or publicly known, which made accessing the data a criminal offense. During the hearing, the court's small criminal division emphasized that the defendant could have avoided criminal liability if he had stopped accessing the data as soon as he realized that he was able to see customer data he was not supposed to see. The fact that he documented this data with screenshots, which was undisputed during the trial, sealed his criminal liability.

The defense then requested a review of the trial at the Higher Regional Court of Cologne, whose 1st Criminal Division ruled on July 3, 2025, that the decision of the Regional Court of Aachen did not contain any legal errors and was therefore legally binding. As is customary in appeals, the actual circumstances of the case were not re-examined in this proceeding. Since the defense still considered the treatment of the defendant in the two trials in Jülich and Aachen to be unfair and assumed that his constitutional rights had been violated, but legal recourse had now been exhausted, a complaint was filed with the Federal Constitutional Court in August 2025, which has now been rejected. The decision of the Federal Constitutional Court is final.

This case provides several important lessons for anyone who may encounter security vulnerabilities in IT systems in the course of their work. The treatment of the IT expert in this case shows that in Germany, it can be a fatal mistake to publish details of security vulnerabilities – even if these have already been closed. Furthermore, the proceedings make it clear that German courts may consider it a criminal offense for a programmer, working on behalf of a customer, to gain access to data provided by that customer's business partners in order to solve software problems. Securing such data with a password of any kind, even a simple and easily guessed one, is in case of doubt sufficient to constitute access security within the meaning of the law and makes accessing the data a criminal offense. This also applies if the password can be found in plain text in software that is publicly available on the internet. Anyone who analyzes software for a living should also bear in mind that German prosecutors apparently consider the mere presence of a decompiler on a computer to be evidence of criminal behavior. This opinion was expressed several times in court in this case and was even adopted by some judges.

In conclusion, it can be said that more than four years of the Modern Solution saga have not led to a reduction in the legal uncertainties surrounding the criminality of software analysis and the publication of security vulnerabilities in Germany. On the contrary, the legal opinions held by the courts make Section 202 of the German Criminal Code (StGB) an even greater threat than ever before to anyone who wants to improve software quality in Germany. And even the Federal Constitutional Court seems more inclined to criminalize any so-called "hacking" per se than to set itself the goal of improving the working conditions for IT professionals who act with good intentions in the public interest.

(nen)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.