Saturday, December 21, 2024
Civil society is pushing to curb hacking penalties

by News Room
The Federal Ministry of Justice’s (BMJ) draft law on the reform of the Criminal Computer Act, which was submitted for approval by the department in October, aims to facilitate the responsible identification of information security researchers and to close information security gaps. In principle, this approach is a step in the right direction, civil society representatives explained at a hearing organized by the BMJ. However, the plan still needs to be improved in various areas and, above all, it needs to be approved by the Bundestag in good time, preferably before the new elections in February. The BMJ is primarily focused on dismantling Section 202a of the German Penal Code (StGB), which deals with espionage and interception of information and preparatory actions. It recently led to the conviction of a programmer in the Modern Solution case.


The German government should use the remaining time of the legislative period to finally reduce legal uncertainty in IT security research and strengthen cybersecurity in Germany in the long term, emphasizes Nikolas Becker, head of policy and science at the German Informatics Society (GI). “It would be important to deal more clearly with the preparatory activities of the information security investigation and to simplify the legal proof of honest intentions.” In its statement, the GI emphasized the need for correction from its own point of view. Clear evidentiary criteria were missing.

The actual “hacker section”, Section 202c StGB, is particularly controversial. According to this, the preparation of a crime by manufacturing, acquiring, selling, transferring, distributing or making available passwords or other data access security codes and suitable computer programs is punishable by a fine or a maximum of one year of imprisonment. However, “hacker tools” criminalized in this way are used by system administrators, for example, to check information security holes in networks and end devices. Like the Chaos Computer Club (CCC), the GI also criticizes that the BMJ wants to leave this point unchanged.

AG Kritis, which deals with the security of critical infrastructures, also emphasizes the urgent need for action in its statement. This is primarily in the interests of researchers “who are committed to information security in Germany voluntarily and in the public interest”. Legal uncertainty leads to a worrying “chilling effect”: “Security vulnerabilities are no longer reported for fear of criminal repercussions, meaning potential risks to the public go unnoticed.” The approach chosen by the BMJ brings improvements to this, but is not the best possible. In the future, IT security researchers may regularly be acquitted in court. However, the search, the seizure of equipment and the court costs will remain.

According to AG Kritis, the investigators should also be released in such a way that no charges are brought in the majority of cases. One conceivable solution would be to add an element of the crime to the Criminal Code, namely intent to harm. The official prosecutors would then have to find out whether it is a voluntary data security investigation. In addition, focusing on criminal law reforms alone is not enough. Reform is also needed in civil law, for example in the Copyright Act, which concerns the prohibition of decommissioning. In addition, business secrets lack an exception for reporting information security gaps. Regarding radio interfaces, the current ban on listening prevents vulnerabilities from being reported legally.


(vbr)

This article was originally published in German. It was translated by technical support and editorially reviewed before publication.