Hacker Paragraph: BSI Chief Calls for Decriminalization of Security Researchers

The President of the Federal Office for Information Security has called for changes to the hacker paragraph. Support comes from the opposition.


BSI President Claudia Plattner is calling for a reform of the so-called hacker paragraph. "If someone comes to me and says there's a problem in your software, that person shouldn't be prosecuted," Plattner told the Funke Mediengruppe newspapers. "Then we just have to say thank you." The aim is to effectively protect private and scientific security researchers from prosecution. This would mean a reform of computer criminal law, the infamous Paragraphs 202a onwards in the Criminal Code.

Support for this demand comes from the opposition in the Bundestag: "The Minister of the Interior constantly warns of cyberattacks, yet anyone who wants to prevent them for the common good risks a prison sentence," criticizes Green Party Bundestag member Jeanne Dillschneider. "The federal government must finally resolve this contradiction and join the BSI President's call for reform."

The coalition agreement between the CDU, CSU, and SPD provides for creating "legal certainty for IT security research." However, the responsible Federal Ministry of Justice under Stefanie Hubig (SPD) has not yet been able to provide a timeline. "The Federal Ministry of Justice and Consumer Protection takes this mandate seriously and is currently examining how these requirements can best be implemented," a spokesperson told heise online on Tuesday morning. "The feedback received on the draft bill to modernize computer criminal law, which was published in the previous legislative period but not passed by the Bundestag, will also be considered."


Under the previous administration, the then FDP leadership had only presented a proposal in its final days. The difficulty, from the perspective of those responsible, lies in the structure of criminal liability: §§ 202c and 202a of the German Criminal Code (StGB), which also apply to legitimate security research, criminalize unauthorized access to data or the preparation thereof. This should generally remain punishable. The traffic light coalition had therefore planned to introduce a retroactive exception that could have granted exemption from punishment under certain circumstances. Critics also considered this insufficient: suspicion and investigations could still have arisen, thus criminalizing security researchers.

In Germany, the Modern Solutions case, which went all the way to the Federal Constitutional Court, is particularly well known. However, there are also credible reports from potentially affected security researchers who could not publish security vulnerabilities or were unwilling to report them to those affected because they feared prosecution for their actions. These also affect IT infrastructures established by state requirements – for whose security the BSI, among others, is responsible.

(afl)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.