German hacker-tool law snares...no-one
Security researchers are put out
On August 10, 2007, a new section of the German Penal code went into effect. The statute, intended to implement certain provisions of the Council of Europe Treaty on Cybercrime, could be interpreted to make the creation or distribution of computer security software a criminal offense.
In the wake of the statute, numerous computer security companies announced their relocation out of Germany. However, to date there have been no prosecutions under this provision, and only a small amount of reported litigation. So far, the statute that scared the bejeezus out of the legitimate security community has not deterred or diminished the spread of hacker tools in Germany or anywhere else and has created legal uncertainty about potential liability.
The German law came out of the February 24, 2005 Council of Europe's Convention on Cybercrime (pdf). This convention compelled signatories to adopt implement legislation that, among other things, defined cybercrime, provided procedures for collecting evidence, and create a framework for international cooperation on cybercrime investigations.
Article 6 of the Treaty required signatories to make it a crime to intentionally engage in:
the production, sale, procurement for use, import, distribution or otherwise making available of ... a device, including a computer program, designed or adapted primarily for the purpose of committing [a computer crime] [or] a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed, with intent that it be used for the purpose of committing [a computer crime].
The treaty language goes on to note that it would not be a crime to produce, sell or distribute a "hacker tool" if it is for a legitimate security purpose.
Of Tools and Authors
Germany adopted Section 202(c) of its penal code in an effort to comply with its obligations under the COE Cybercrime Convention. The German law makes it an offense to create, obtain or distribute any computer program that violates its cybercrime laws. The penalty set by law is up to a year in jail and fines. The statute is broad enough to cover the creation and transmission of a host of programs — whether in hardware, software or both — including password crackers, decryption programs, penetration testing tools, and other common security tools, if it is done as a way of preparing to commit a cybercrime. The statute requires that the commission of the criminal offense be the express purpose of the computer program. The intent of the programmer does not, apparently, matter.
Worded differently, the statute could have focused on the intent of the author or distributor, and not on the purpose of the tool. The law still would have left open the question of whether committing a crime had to be the sole purpose, or just one of the purposes, of the author or distributor of the hacker tools.
The German law was intended to criminalize only the creation or distribution of devices (including software) that were "designed or adapted primarily for the purpose of committing [cybercrime] offences." However, these offenses include things like unauthorized access and destruction.
A tool does not know whether the access is authorized or not. It does not know whether the file destruction is with or without the consent of the file owner. Tools primarily designed to find and exploit vulnerabilities are commonly used by security professionals to test and secure software, networks, and applications. They are, in fact, primarily designed to do things which, if not for the authorization of the network owners, would be a violation of the statute.
Moreover, whether the use of tools without the authorization of the owner of the hardware or software is "authorized" is hardly a neat question. Apple recently argued (pdf) that the use of software by the owner of an iPhone or iPod Touch to jailbreak their own phone violated the provisions of the U.S. Digital Millennium Copyright Act, and was therefore unlawful and unauthorized.
A notorious case of a few years back involved Network Associates EULA which prohibited both benchmarking and the publication of the results of benchmarking. Thus, contract terms, which limit the right to do security testing, are then used to render testing tools into felonies.
The COE treaty which the German law is intended to implement, noted that it was not intended to create criminal liability where "the production, sale, procurement for use, import, distribution or otherwise making available or possession ... is not for the purpose of committing a [computer crime] offence."
If I intend to facilitate some other crime like unauthorized access or destruction, then can’t I be prosecuted as a conspirator or aider and abettor even without this statute? Moreover, because the definition of computer crime hinges on the authorization to access or use a computer system or network, it is difficult if not impossible to determine whether the creation or distribution of the tool is intended to facilitate a crime. A wily hacker could simply say — with a wink and a nod — that the tool “should not be used to commit any crime,” and thereby escape liability.
Better laws needed
For all these reasons, the German statute is a mess.
While we can empathize with the desire to keep hacker tools out of the hands of script kiddies who intend harm, and keep black hat hackers from developing and distributing ever more sophisticated hacker tools and zero day attacks, the problem remains that these same tools can be and are used for good purposes by good people. While the statute attempts to focus on bad people with bad intent, it lacks the precision to do so.
There were a few cases where the German statute was challenged. The government investigated but declined to prosecute the online magazine Tec-Channel in September 2007, where someone offered a password cracker on the website. In that case, the Federal Office for Security in Information Technology (BSI) determined that there was no intent to violate section 202(c).
There has been a constitutional challenge to the statute. German law, like the law of many countries, requires that criminal statutes be sufficiently definite to describe precisely what is prohibited without overreaching and banning conduct which should be permissible. In Germany, this is codified in Article 103(2) of the fundamental laws of the Constitution.
Right after the law went into force, a German computer security company Visukom filed a lawsuit seeking to declare the statute to be unconstitutionally vague and prohibiting lawful and legitimate conduct. The case remains pending, and according to Visukom’s former president, should be decided later this year.
We should recognize that there are similar laws on the books in the UK, Poland and even in the United States. Amendments to the UK Computer Misuse Act in 2006 created a new section which makes it a crime if someone "makes, adapts, supplies or offers to supply any [program or data] intending it to be used to commit, or to assist in the commission of [a cybercrime] believing that it is likely to be so used."
Similarly, Article 269(b) of the Polish penal code states that, "whoever prepares, obtains, sells or makes available for other persons the computer devices or software tailored to the purposes of committing [a cybercrime], or prepares computer passwords, entry codes or other data that makes information stored in a computer system or network available” shall be guilty of a crime. While neither the United States nor Canada appear to have any explicit "hacker tools" statutes, the US makes it a crime to make or distribute hardware or software designed to get pirated cable or satellite TV signals.
Two years out, the German law has been effectively used to scare legitimate security researchers, while no reported cases have been brought against computer hackers for a violation of the hacker tools provision.
We should use the general laws against conspiracy and aiding and abetting crime — laws which require strict proof of intent to facilitate crime, or acting in concert to achieve an objective — rather than simply passing laws which, subject to the whim of the local prosecutor, could be used to criminalize legitimate conduct.
Mark D. Rasch is an attorney and technology expert in the areas of intellectual property protection, computer security, privacy and regulatory compliance. He formerly worked at the Department of Justice, where he was responsible for the prosecution of Robert Morris, the Cornell University graduate student responsible for the so-called Morris Worm and the investigations of the Hannover hackers featured in Clifford Stoll’s book, "The Cuckoo’s Egg."
This article originally appeared in Security Focus.
Copyright © 2008, SecurityFocus