German hacker-tool law snares...no-one
Security researchers are put out
On August 10, 2007, a new section of the German Penal code went into effect. The statute, intended to implement certain provisions of the Council of Europe Treaty on Cybercrime, could be interpreted to make the creation or distribution of computer security software a criminal offense.
In the wake of the statute, numerous computer security companies announced their relocation out of Germany. However, to date there have been no prosecutions under this provision, and only a small amount of reported litigation. So far, the statute that scared the bejeezus out of the legitimate security community has not deterred or diminished the spread of hacker tools in Germany or anywhere else and has created legal uncertainty about potential liability.
The German law came out of the February 24, 2005 Council of Europe's Convention on Cybercrime (pdf). This convention compelled signatories to adopt implement legislation that, among other things, defined cybercrime, provided procedures for collecting evidence, and create a framework for international cooperation on cybercrime investigations.
Article 6 of the Treaty required signatories to make it a crime to intentionally engage in:
the production, sale, procurement for use, import, distribution or otherwise making available of ... a device, including a computer program, designed or adapted primarily for the purpose of committing [a computer crime] [or] a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed, with intent that it be used for the purpose of committing [a computer crime].
The treaty language goes on to note that it would not be a crime to produce, sell or distribute a "hacker tool" if it is for a legitimate security purpose.
Of Tools and Authors
Germany adopted Section 202(c) of its penal code in an effort to comply with its obligations under the COE Cybercrime Convention. The German law makes it an offense to create, obtain or distribute any computer program that violates its cybercrime laws. The penalty set by law is up to a year in jail and fines. The statute is broad enough to cover the creation and transmission of a host of programs — whether in hardware, software or both — including password crackers, decryption programs, penetration testing tools, and other common security tools, if it is done as a way of preparing to commit a cybercrime. The statute requires that the commission of the criminal offense be the express purpose of the computer program. The intent of the programmer does not, apparently, matter.
Worded differently, the statute could have focused on the intent of the author or distributor, and not on the purpose of the tool. The law still would have left open the question of whether committing a crime had to be the sole purpose, or just one of the purposes, of the author or distributor of the hacker tools.
The German law was intended to criminalize only the creation or distribution of devices (including software) that were "designed or adapted primarily for the purpose of committing [cybercrime] offences." However, these offenses include things like unauthorized access and destruction.
A tool does not know whether the access is authorized or not. It does not know whether the file destruction is with or without the consent of the file owner. Tools primarily designed to find and exploit vulnerabilities are commonly used by security professionals to test and secure software, networks, and applications. They are, in fact, primarily designed to do things which, if not for the authorization of the network owners, would be a violation of the statute.
Moreover, whether the use of tools without the authorization of the owner of the hardware or software is "authorized" is hardly a neat question. Apple recently argued (pdf) that the use of software by the owner of an iPhone or iPod Touch to jailbreak their own phone violated the provisions of the U.S. Digital Millennium Copyright Act, and was therefore unlawful and unauthorized.
A notorious case of a few years back involved Network Associates EULA which prohibited both benchmarking and the publication of the results of benchmarking. Thus, contract terms, which limit the right to do security testing, are then used to render testing tools into felonies.
"there's a big difference between writing a tool that looks for SQL injection weaknesses and simply reports them, or one which then goes ahead to take over the system"
Unfortunatly, it is not possible for a computer program to 'see' whether a door is open, it must instead give each door a push. In the case of a brute-force password check, that is fine, but for SQL injection, or similar, the only way to prove that something is vulnerable is to break it.
A better analogy might be checking the strength of a rope or shackle - pull it hard and see if it breaks - but you can't carry out the test without _some_ risk of damaging the article under test.
You make some valid points, but I'm not sure I fully agree.
There's no good reason why a system administrator needs to know the user's password. Tell them their account's been disabled and that using common words but replacing 'e' with '3' doesn't constitute a good password - users will soon learn if they can't get on the system!
Some people certainly do jail break an iPhone to run it on another network, but plenty of others do so so they can run apps without paying for them, or to access services such as tethering which they haven't paid for. Apple couldn't care less about individuals jailbreaking their own iPhones though. It's companies doing it commercially that they're trying to stop.
@ Rolf Howarth Posted Sunday 7th June 2009 23:12 GMT
>>> It seems to me it ought to be possible to determine the intention of one of these programs fairly easily. Surely there's a difference between detecting a vulnerability and actually exploiting it. A password cracker that scans for weak passwords and then reports which accounts are vulnerable only needs to display a score and lock the account out, it doesn't need to display the password it found.
Well that depends. If your only interest is in knowing that there is a weak password, then you are right. But perhaps the admit would like to know WHY the password is weak, or HOW the user that set it thinks - because that is more likely to actually solve the problem than simply acting the bad guy (in teh users eyes) by educating them with a bit of "clue by four".
Or, the purpose of password cracking may be to gain access to your own equipment - perhaps you are the city public authority and your network admin has changed all the passwords across the whole city and won't tell you what they are.
>>> As for jail breaking iPhones and removing copy protection mechanisms in it being "ok because it's your phone", how is that any different from claiming that jail breaking a satellite receiver and removing protection within that is ok just because you bought the receiver?
There is a big difference there. Hacking a receiver is usually (but not always) done as a means to getting services for which you have not paid. That is NOT the case for unlocking/jailbreaking an iPhone - where your reasons are simply to allow you to use the device to run your choice of software on your choice of network supplier. Only if the purpose was to allow you to use (say) AT&T's network without paying AT&T a cent would your analogy be correct.
The locking stuff on iPhone is not there for any valid security reason, it is there simply to reduce user choice. See http://www.eff.org/cases/2009-dmca-rulemaking