"Moral hacking" will soon no longer be penalised
The German Ministry of Justice has decided to give hackers better legal protection, at least when they act "in good faith". Legally, however, this is difficult. There is also disagreement as to how far impunity should go.
At the end of October, Federal Minister of Justice Marco Buschmann (FDP) submitted a draft bill to modernise criminal computer law to the federal government for approval. He is of the opinion that hackers whose actions are in the "public interest" should no longer be prosecuted. In his opinion, people who want to close IT security loopholes deserve recognition and not punishment. After all, such security gaps could also be exploited by malicious parties.
"Good intent" difficult to prove
The envisaged revision of the law specifically concerns Section 202a of the Criminal Code. This provides for a prison sentence of up to two years or a fine for persons who "obtain unauthorised access to specially secured data for themselves or others by overcoming security precautions".
The penalty should no longer be imposed if it can be proven that a person has merely penetrated a system (of a public authority or company, etc.) in order to identify a security vulnerability. In addition, this vulnerability must be reported to the responsible organisation. It must also be clear that there is no other way to identify this vulnerability. The same should apply to section 202b. This provides for the same penalty if a person "obtains data from a non-public transfer for themselves or others without authorisation".
At the same time, however, spying on and intercepting data is to be penalised more severely in particularly serious cases: for example, if the hack was carried out for profit, if someone has suffered a loss of assets, or if the infrastructure of the federal government or a state has been damaged. In these cases, the penalty could be increased to up to five years.
The bone of contention: Section 202c StGB
Section 202c of the German Criminal Code is not to be affected by the planned amendment. It criminalises the "production (...) or making available of passwords or (...) suitable computer programs (...)". According to critical voices, this criminalises so-called hacker tools, which network administrators, for example, already use and which will also (have to) be used for legal purposes in the future.
This is why the Chaos Computer Club (CCC), for example, is of the opinion that paragraph c of section 202 should also be abolished, as they told Netzpolitik.org. Otherwise, even professional security researchers will continue to work in a "dangerous grey area". However, Buschmann sees no need for change there.