CCC: Draft law to defuse the hacker paragraphs is blunt

According to Justice Minister Buschmann, identifying, reporting and closing security vulnerabilities should be legal. The CCC warns of a "dangerous gray area".


Federal Minister of Justice Marco Buschmann (FDP) is pressing ahead with his initiative to ensure that ethical hackers no longer have to fear sanctions, including prison sentences. To this end, he has submitted a draft bill to modernize computer criminal law for departmental coordination with the rest of the federal government. "Criminal law must be prevented from deterring actions that are in the interests of society and are therefore desirable," it says. Buschmann wants to tackle Section 202a of the German Criminal Code (Strafgesetzbuch, StGB) in particular, which deals with the spying and interception of data as well as preparatory acts.

Currently, Section 202a criminalizes unauthorized access to specially secured data by overcoming security precautions. Buschmann now wishes to clarify that such actions are lawful if they are carried out "with the intention" of identifying "a vulnerability or other security risk" in an IT system, and if the responsible parties, service providers, manufacturers or the Federal Office for Information Security (BSI) are then notified of the identified security vulnerability. The same should apply to Section 202b of the German Criminal Code, which currently carries a penalty of up to two years in prison or a fine for anyone who obtains data for themselves or others without authorization, for example from a non-public transmission.

Section 202a recently led to the conviction of a programmer in the Modern Solution case. Section 202c of the German Criminal Code is particularly controversial, however. Under this provision, preparing a criminal offense by producing, procuring, selling, transferring, distributing or otherwise making available passwords or other security codes for data access, as well as computer programs suitable for this purpose, is punishable by a fine or imprisonment of up to one year. Yet the "hacker tools" criminalized in this way are also used by system administrators, for example, to check networks and end devices for security vulnerabilities. Buschmann nevertheless sees no need to amend Section 202c: once the other two paragraphs are reformed, ethical hackers will lack the required intent and there will no longer be any risk of criminal liability for IT security research.

This is not enough for the Chaos Computer Club (CCC). A spokesperson for the hacker association told Netzpolitik.org that they welcomed the insight "that inspections of supposedly secure IT systems are legal in principle". A signal that computer security is "finally being taken seriously in this country too" is nonetheless overdue, and this signal should consist of abolishing Section 202c. Instead, the draft "only expressly permits obviously harmless inspections". Professional security researchers will therefore continue to work "largely in a dangerous gray area".


Lilith Wittmann, who got into trouble after reporting a security breach at the CDU, criticized that the required good intentions were "probably not so easy to establish". If this only emerges in court after a potential house search and similar repression by the state, "the situation is not really improved de facto". Konstantin von Notz, deputy leader of the Green parliamentary group, and digital politician Sabine Grützmacher announced their intention to further develop the draft bill in the parliamentary process, "also with a view to the legality of tools for detecting security vulnerabilities". It is commendable that the penalties are to be increased "if, for example, critical infrastructures are endangered or impaired".

(nen)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.