Bundestag report: Other EU states protect ethical hackers better



Informed third parties from civil society, business, science and volunteer security experts are needed to detect IT security gaps. However, such hackers acting on their own initiative without the consent of the affected program or system administrators would “fundamentally commit a criminal offence” in Germany. This also applies to Lithuania and Sweden, according to a report now published by the Scientific Service of the Bundestag on the criminal liability of hacking in international comparison, which was commissioned by left-wing MP Anke Domscheit-Berg. In other EU countries such as France, the Netherlands and Austria, the discovery of security gaps by ethical hackers is largely welcomed.


The main bone of contention in this country has long been Section 202c of the Criminal Code (StGB), which the Bundestag passed in 2007 in parallel with further hacking clauses. Under it, preparing a crime by producing, buying, selling, transferring, distributing or making accessible passwords or other security codes for data access, as well as suitable computer programs, is punishable by a fine or imprisonment for up to one year. However, the “hacker tools” criminalized in this way are also used by system administrators, programmers and consultants to check networks and end devices for security gaps.

Section 202b of the Criminal Code states that whoever uses such devices to obtain data without authorization from non-public data transmissions or from the electromagnetic radiation of IT systems shall be punished with a prison term of up to two years or a fine. With Section 202a, the legislature also stipulated that unauthorized access to specially protected data by overcoming security precautions shall be considered a crime and punishable by a prison term of up to three years. According to the reviewers, on top of this, “prevailing opinion” interpreted “obtaining data”, which was originally included and only eliminated in 2006, so broadly that “hacking was in fact already covered on a broad scale, contrary to the legislature’s intent”.

With this arsenal, “uncertainty among those who work professionally with IT security” is likely to persist, the parliamentary lawyer writes. “White hat hackers” who identify security vulnerabilities in IT infrastructure without being commissioned by the relevant organization expose themselves to the “risk of criminal liability”. In the Netherlands, by contrast, the public prosecutor’s office believes it is important that ethical hackers “continue to discover and report vulnerabilities” in order to make IT systems more secure. At the same time, organizations and companies are to be encouraged to set guidelines for reporting security vulnerabilities. In Austria and France it is also possible to exclude criminal liability in relevant cases.

In a motion, the left-wing group in the Bundestag is therefore calling on the federal government “to immediately introduce a draft law that enables the investigation, detection and reporting of IT security gaps by natural or legal persons without penalty”. The corresponding exclusion should be introduced “if the action serves the goal of ethically responsible research, detection, reporting and closure” of vulnerabilities in hardware and software. In November, Federal Justice Minister Marco Buschmann (FDP) announced a reform of the hacking paragraphs, which have been controversial for years. According to the key points, he wants the principle of ethical hacking to be taken into account “also in criminal law” in the spirit of the traffic light coalition agreement. The Liberals promised a concrete draft law “in the first half of 2024”, but nothing happened.


(Never)
