The programming, making available, distributing or aquisition of so-called hacker-tools, necessary for the daily work of network administrators and security experts, is sanctioned by clause 202c StGB (German penal code). Due to a constitutional complaint against the new clause, the BVerfG is looking into the question, whether it is generally possible to distinguish so-called hacker-tools from allegedly harmless software. The CCC also studied, the likely consequences this new law will have and whether the use of potentially harmful software is necessary for the revision of the security of computer systems.

In the opinion of the CCC, the new fundamental right to the confidentiality and integrity of IT-Systems implies that everybody must be able to test their computer systems for security issues. Therefore the possession, testing, public information sharing and further developing of so-called hacker-tools is mandatory.

The risk of legal proceedings against those, who find or research security vulnerabilities has been intensified through the enactment of clause 202c. It has already been observed that the voluntary publication of detected security problems is clearly decreasing in Germany. The clause's criminalization of dealing with malware therefore leads to a worse situation for IT security in Germany. Security researchers and companies are unable to perform their services anymore without taking up the risk of criminal prosecution.

The impact of clause 202c are described in detail by the report. Media in the field of IT security, for instance, has already begun to limit its coverage since the clause has come into effect. Professional and private security researchers are planning to emigrate from Germany and research and teaching also has strongly restricted itself. Many fears, already expressed by experts from the fields of computer science and practice during the hearings in the Bundestag, have already come true.

"The fact, that the observable effects of the change to the penal code are occuring exactly as predicted by the experts, surprises no one. In the long term Germany will become a target for criminals and a gateway for industrial espionage, as the computer networks can't be effectively defended anymore", Frank Rieger, speaker of the CCC, comments. "The industry, as well as normal computer users, are denied the possibility of testing computers for security vulnerabilities."

Overall the CCC study makes clear, that the legislator's goal of achieving an improvement of the IT security situation by limiting the access to malware and attack tools was missed. The criminalization of software producers and users will lower the standard of security in Germany. Simultaneously it causes disadvantages for German computer science research and industry.

"The change of law brings no advantages but some severe risks. It likely violates the constitutional rights of many, as it restricts their freedom to carry out their professional duties as well as restricting the freedoms of researchers and press significantly. In order to not jeopardize the German IT industry, clause 202c must be abolished as soon as possible", Rieger claims.

Links

• [1] CCC's report on the occasion of the constitutional complaint against clause 202c StGB: Current and future effects of the change of penal law on computer security, (in German)
• [2] Fundamental right to the confidentiality and integrity of it systems, decision of Feb. 27th, 2008 (in German)
• [3] Prohibition of computer security tools opens the floodgates for the federal trojan (German statement)

Media contact:

• presse@ccc.de (preferred)
• 0700-CHAOSFON (0700 - 24267366)