The draft law to modernize computer criminal law, which was put up for departmental approval by the Federal Ministry of Justice (BMJ) in October, aims to make it easier for IT security researchers to responsibly identify security gaps and close them. In principle, this approach is going in the right direction, civil society representatives explained at the hearing organized by the BMJ. However, the project still requires improvements in various areas and, above all, must be passed immediately by the Bundestag – ideally before new elections in February. The BMJ is primarily focused on neutralizing Section 202a of the Criminal Code (StGB), which deals with espionage and intercepting data, as well as preparatory actions. This recently led to the conviction of a programmer in the Modern Solutions case.
The federal government should use the time remaining in the legislative period to finally reduce legal uncertainty in IT security research and strengthen cybersecurity in Germany, emphasizes Nikolaus Becker, head of politics and science at the Gesellschaft für Informatik (GI). “It will be important for IT security research to more clearly address preparatory tasks and simplify legally secure proof of fair intentions.” In its statement, the GI has expressed the need for improvement from its perspective. There were no clear criteria for proof.
The actual hacker paragraph, Section 202c StGB, is particularly hotly disputed. According to this, preparation for a crime by producing, purchasing, selling, transferring, distributing or making accessible passwords or other security codes for data access as well as suitable computer programs may be punished with a fine or imprisonment of up to one year. However, “hacker tools” criminalized in this manner are used by system administrators to probe networks and end devices for security gaps. The GI also criticizes – like the Chaos Computer Club (CCC) before it – that the BMJ wants to leave this paragraph unchanged.
Danger of home search remains
AG KRITIS, which deals with the protection of critical infrastructure, also highlighted the urgent need for action in its statement. It is primarily of interest to researchers “who are committed to IT security in Germany on a voluntary and charitable basis.” Legal uncertainty leads to a worrying “chilling effect”: “Security gaps are no longer reported due to fear of criminal consequences, meaning potential threats to the general public go undetected.” The approach chosen by the BMJ brings improvements here, but is not the best possible. IT security researchers are likely to be routinely acquitted in court in the future. However, the risk of home searches, seizure of hardware and expense of conducting testing remains.
According to AG KRITIS, researchers should also be acquitted in such a way that in most cases they do not face charges. For example, adding an element of crime to the Criminal Code, namely intent to cause harm, is conceivable here. The public prosecutor’s office would then be obliged to find out whether this was voluntary IT security research. Focusing solely on criminal justice reforms is not enough. Civil law also needs reform, for example in copyright law in terms of restrictions on decompilation. Furthermore, the Trade Secrets Act lacks an exception for reporting security gaps. In the case of radio interfaces, current restrictions on interception stand in the way of legitimate indication of vulnerabilities.
(MKI)