Bundestag report: Other EU states protect ethical hackers better

Based on an analysis of the criminal liability of hacking in an international comparison, the Left Party is calling for the relaxation of hacking penalties.


(Image: Oleksiy Mark/Shutterstock.com)


Information provided by third parties from civil society, business, science and volunteer security experts is essential for detecting IT security vulnerabilities. However, such hackers acting on their own initiative would "generally be liable to prosecution" in Germany without the consent of the program or system administrators concerned. This also applies to Lithuania and Sweden, according to a recently published report by the Bundestag's Scientific Service on the criminal liability of hacking in an international comparison, which was commissioned by Anke Domscheit-Berg, a member of the Left Party. In other EU countries such as France, the Netherlands and Austria, the exposure of security vulnerabilities by ethical hackers is largely welcomed.

The main bone of contention in Germany has long been Section 202c of the German Criminal Code (StGB), which the Bundestag passed in 2007 alongside other hacker clauses. According to this, the preparation of a criminal offense through the production, procurement, sale, transfer, distribution or making available of passwords or other security codes for data access as well as suitable computer programs is punishable by a fine or imprisonment of up to one year. However, the "hacker tools" criminalized in this way are also used by system administrators, programmers and consultants to check networks and end devices for security vulnerabilities.

Section 202b of the German Criminal Code stipulates that anyone who uses such tools to obtain, for themselves or others, data not intended for them from a non-public data transmission or from the electromagnetic emissions of an IT system is liable to up to two years in prison or a fine. With Section 202a, the legislator also made unauthorized access to specially secured data by overcoming security precautions a criminal offense, punishable by up to three years in prison. According to the experts, "the prevailing opinion" had already interpreted the original wording of Section 202a ("obtaining data"), which was only removed in 2006, so broadly "that hacking was, in fact, already covered to a large extent - contrary to the legislator's intention".

With this arsenal, "uncertainty is likely to remain among those who deal with IT security professionally", the parliamentary lawyers write. "White-hat hackers" who identify security vulnerabilities in IT infrastructures expose themselves to "a risk of criminal liability" if they act without a mandate from the organization concerned. In the Netherlands, on the other hand, the public prosecutor's office considers it important that ethical hackers "can continue to search for vulnerabilities and report them" in order to make IT systems more secure. At the same time, organizations and companies there are encouraged to define guidelines for reporting security vulnerabilities. In Austria and France, criminal liability could likewise be waived in relevant cases.

In a motion, the left-wing group in the Bundestag is therefore calling on the federal government to "promptly present a draft law that would enable the investigation, detection and reporting of IT security vulnerabilities by natural or legal persons without criminal penalties". Corresponding exclusions from criminal liability should be introduced "if the actions serve the purpose of ethically responsible research, identification, reporting and closure" of vulnerabilities in hardware and software. In November, Federal Minister of Justice Marco Buschmann (FDP) announced a reform of the hacker paragraphs that have been controversial for years. According to the key points, he wants the principle of ethical hacking to be considered "also in criminal law" in line with the coalition agreement of the traffic light coalition. The Liberal promised a concrete draft bill "in the first half of 2024", but this has not materialized.

(nie)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.