What’s Changing?
The proposed changes focus on Section 202a of the German Criminal Code (StGB), which deals with unauthorized access to data. Under the new law, security researchers would be permitted to access IT systems without fear of prosecution, as long as they meet certain conditions:
- Intent: The researcher must act with the intention of identifying a security vulnerability.
- Disclosure: The vulnerability must be reported to the system operator, manufacturer, or the Federal Office for Information Security (BSI).
- Necessity: The technical measures taken must be necessary to identify the vulnerability.
This is a significant step forward, as it explicitly recognizes the value of ethical hacking in improving cybersecurity. Cases like that of Lilith Wittmann, who faced legal action for responsibly disclosing a vulnerability in the CDU’s systems, highlight the chilling effect the current laws have had on security researchers.
Concerns
Despite the positive changes, the draft law has also generated criticism (as always, of course). A key concern is the continued existence of Section 202c StGB, which criminalizes the possession of “hacker tools”. Security experts argue that these tools are essential for legitimate security research, and their criminalization creates a legal grey area for ethical hackers.
Another concern is the subjective nature of “intent”. Critics worry that proving a researcher’s good intentions in court could be difficult, potentially leaving them vulnerable to prosecution even after responsible disclosure.
The Way Forward
My friends at the Chaos Computer Club (CCC, a prominent German hacker association) also welcomed the draft law as a first step but called for further changes. They emphasized the need to remove Section 202c StGB and provide a clearer definition of “IT security research” to encompass the work of independent hackers and the security industry.
The Green party in the Bundestag has also voiced support for the draft law and pledged to further develop it during the parliamentary process, particularly regarding the legality of tools used for vulnerability research.
Conclusion
In general, I like the changes. While the proposed reform is a positive development, it’s clear that more work needs to be done to ensure that our legal framework in Germany adequately supports and protects ethical hackers.
As cyber threats continue to evolve, fostering a strong and legally secure environment for security research is crucial for the safety and resilience of Germany’s digital infrastructure.
Let me know your thoughts.