The new computer criminal law: a compromise between legal certainty and practice

Are security researchers always liable to prosecution? No, the new computer criminal law gives them significantly more legal certainty - but it remains a compromise.

(Image: iX)

By Prof. Dennis-Kenji Kipker

The professional and social debate on the reform of German criminal computer law was one of the evergreens of German digital policy for many years. After widespread criticism that the overly broad definition of the offences would torpedo national IT security research, the coalition government finally decided to tackle the issue and include the modernization of computer criminal law in the coalition agreement.

What followed was not only a wait of several years, but also a long phase of further legal uncertainty for IT security researchers: cyber threats had increased massively, but the legal situation with its deficits remained unchanged. The case of Modern Solutions, which was highly controversial both legally and socially, finally put the topic back on the political agenda in January 2024. Since then, the Federal Ministry of Justice has been working intensively and in a leading role on a reform package to amend German computer-related criminal law, the draft of which was finally submitted for departmental approval in October. This was preceded by two symposiums with the participation of representatives from academia, civil society and the IT security industry.

Dennis-Kenji Kipker

Dennis-Kenji Kipker is Professor of IT Security Law at Hochschule Bremen, where he works at the interface of law and technology in information security and data protection.

At first glance at the newly proposed regulations, the intended changes to criminal computer law seem almost mundane and some may wonder why so much time had to pass to revise so few regulations. The legislator is only touching on Section 202a StGB (spying on data), Section 202b StGB (interception of data) and Section 303a StGB (alteration of data) as part of the amendment. The particularly controversial Section 202c StGB (preparation of spying and interception of data, also known colloquially as the hacker paragraph), on the other hand, will not change.

However, a closer look at the provisions and their legal justification quickly reveals what the problem is: detecting and reporting vulnerabilities can be a highly complex, dynamic and not always linear process for which there are no uniform, internationally recognized standards. This is why legislators find it difficult to establish a uniform procedure with clearly defined characteristics as a legally binding element of computer criminal law. In addition, the principle of certainty in criminal law requires that the conditions of criminal liability be defined in the law itself. It is therefore not possible to simply refer to external documents or CVD policies, such as those of the BSI, in order to directly concretize criminal law. Otherwise, such a reference would possibly enable third parties to determine what is and is not punishable in Germany. Moreover, such external guidelines can change over time without being noticed.

For this reason, the recently presented proposal for the modernization of computer criminal law has been based on a minimal legal solution which, on the one hand, already gives IT security researchers a clear legal privilege but, on the other hand, leaves them somewhat in the dark about the specific form of this privilege. This is therefore primarily a constitutional compromise between legal certainty and practicability.

The core content of the new privileges for IT security researchers under computer criminal law is contained in Section 202a (3) of the draft StGB: Where Section 202a (1) StGB criminalizes the unauthorized obtaining of access-secured data, the new privilege is now intended to regulate when exactly this is not the case. In future, an IT security researcher will not be liable to prosecution if the act is committed with the intention of identifying a vulnerability or other security risk in an IT system (security gap) and informing those responsible for the IT system, the service provider operating the system in question, the manufacturer of the IT application in question or the BSI of the security gap identified and the action is necessary to identify the security gap.

From a legal point of view, this is far better than the current computer criminal law: at present, in the absence of a privilege, there is always an initial criminal liability, which may later lapse only due to a lack of illegality or guilt. And it is precisely this deficient legal situation that has so far created legal uncertainty and led to IT security reports perhaps not being made for fear of criminal liability, even though they would actually be technically necessary. Nevertheless, when looking at the regulations, many of those affected are now rightly asking themselves the central question: how are they supposed to prove this required intention, and thus that their actions were not unauthorized, in a legally secure manner? For the reasons mentioned above, the draft bill does not contain any further details on this.

And this is ultimately the crux of the new computer criminal law. Because where, as outlined above, it is almost impossible to conclusively integrate such a proof procedure into a legal offense, IT security researchers themselves will also be required to act in the future and document their actions and intentions when accessing third-party IT systems as reliably as possible. After all, in case of doubt, it is ultimately a matter of convincing the court that they did not act without authorization. If this intention has not been sufficiently manifested to the outside world, which is conceivable in countless cases, as the action may not always be planned from the outset, the question arises as to how the actions of IT security researchers can be legally distinguished from unauthorized actions – and whether the actual cyber offender may also want to claim that he acted with authorization if he is prosecuted under criminal law.

This problem is particularly virulent for the actual hacker paragraph, i.e. Section 202c StGB, which covers preparatory acts before the actual access to third-party IT systems under criminal law. The current draft bill deliberately makes no change here, not in order to further criminalize preparatory acts, but because the newly proposed privilege in Section 202a StGB, to which the hacker paragraph also indirectly refers, should mean that IT security research is no longer at risk of criminal liability, even in advance. Although this may be legally correct, additional clarification would be useful here in the interests of a better understanding of the law, as misunderstandings regarding the interpretation of this provision are already circulating in the community.


Overall, a closer analysis of the reform of computer criminal law presented by the Federal Ministry of Justice makes it clear that it is ultimately nothing more than a legally conditioned compromise. It will certainly be possible to tweak one or two things, but it will hardly be possible to anchor one hundred percent legal certainty in the criminal law in advance of the commission of possible computer crimes.

In this respect, the compromise presented is a good one, because it puts IT security researchers in a much better legal position than before, but without proposing regulations that cannot be implemented in practice. We are therefore on the right track as far as the modernization of criminal computer law is concerned. If these amendments to the Criminal Code are therefore adopted in this form, it will be important to breathe life into the new regulations in order to make them easier to understand and handle for everyone. For example, in a regular exchange between authorities, criminal justice bodies, IT security researchers, civil society and cybersecurity companies, common best practices and orientation values will be developed to further specify the authority to act. In future, it should be possible to use these as a guide when identifying and reporting vulnerabilities in order to benefit as much as possible from the advantages of the new computer criminal law and thus create more cyber security for everyone.

(dahe)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.