Feeds

German hacker-tool law snares...no-one

Security researchers are put out

Secure remote control for conventional and virtual desktops

On August 10, 2007, a new section of the German Penal code went into effect. The statute, intended to implement certain provisions of the Council of Europe Treaty on Cybercrime, could be interpreted to make the creation or distribution of computer security software a criminal offense.

In the wake of the statute, numerous computer security companies announced their relocation out of Germany. However, to date there have been no prosecutions under this provision, and only a small amount of reported litigation. So far, the statute that scared the bejeezus out of the legitimate security community has not deterred or diminished the spread of hacker tools in Germany or anywhere else and has created legal uncertainty about potential liability.

The German law came out of the February 24, 2005 Council of Europe's Convention on Cybercrime (pdf). This convention compelled signatories to adopt implement legislation that, among other things, defined cybercrime, provided procedures for collecting evidence, and create a framework for international cooperation on cybercrime investigations.

Article 6 of the Treaty required signatories to make it a crime to intentionally engage in:

the production, sale, procurement for use, import, distribution or otherwise making available of ... a device, including a computer program, designed or adapted primarily for the purpose of committing [a computer crime] [or] a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed, with intent that it be used for the purpose of committing [a computer crime].

The treaty language goes on to note that it would not be a crime to produce, sell or distribute a "hacker tool" if it is for a legitimate security purpose.

Of Tools and Authors

Germany adopted Section 202(c) of its penal code in an effort to comply with its obligations under the COE Cybercrime Convention. The German law makes it an offense to create, obtain or distribute any computer program that violates its cybercrime laws. The penalty set by law is up to a year in jail and fines. The statute is broad enough to cover the creation and transmission of a host of programs — whether in hardware, software or both — including password crackers, decryption programs, penetration testing tools, and other common security tools, if it is done as a way of preparing to commit a cybercrime. The statute requires that the commission of the criminal offense be the express purpose of the computer program. The intent of the programmer does not, apparently, matter.

Worded differently, the statute could have focused on the intent of the author or distributor, and not on the purpose of the tool. The law still would have left open the question of whether committing a crime had to be the sole purpose, or just one of the purposes, of the author or distributor of the hacker tools.

The German law was intended to criminalize only the creation or distribution of devices (including software) that were "designed or adapted primarily for the purpose of committing [cybercrime] offences." However, these offenses include things like unauthorized access and destruction.

A tool does not know whether the access is authorized or not. It does not know whether the file destruction is with or without the consent of the file owner. Tools primarily designed to find and exploit vulnerabilities are commonly used by security professionals to test and secure software, networks, and applications. They are, in fact, primarily designed to do things which, if not for the authorization of the network owners, would be a violation of the statute.

Moreover, whether the use of tools without the authorization of the owner of the hardware or software is "authorized" is hardly a neat question. Apple recently argued (pdf) that the use of software by the owner of an iPhone or iPod Touch to jailbreak their own phone violated the provisions of the U.S. Digital Millennium Copyright Act, and was therefore unlawful and unauthorized.

Under this interpretation, the creation or distribution of such software, which would be primarily designed to make an "unauthorized" access to your own phone, would be a crime. Terms of Service, Terms of Use, and End User License Agreements would set out the conditions under which the licensee could test the security of the software, hardware or other products they were buying or licensing.

A notorious case of a few years back involved Network Associates EULA which prohibited both benchmarking and the publication of the results of benchmarking. Thus, contract terms, which limit the right to do security testing, are then used to render testing tools into felonies.

Intelligent flash storage arrays

Next page: Better laws needed

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Free virtual appliance for wire data analytics
The ExtraHop Discovery Edition is a free virtual appliance will help you to discover the performance of your applications across the network, web, VDI, database, and storage tiers.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Business security measures using SSL
Examines the major types of threats to information security that businesses face today and the techniques for mitigating those threats.