title: Clause 202c of German penal code endangers German IT industry
date: 2008-07-21 00:00:00
updated: 2009-04-18 19:12:41
author: frankro
tags: update, pressemitteilung

In a substantial report to the Bundesverfassungsgericht (BVerfG,
German constitutional court), the Chaos Computer Club (CCC) has studied
the impacts of the so-called "Hacker Paragraph", a change to the penal
code. The CCC comes to the conclusion that clause 202c is unsuitable
and even runs contrary to the legislator's intended goal.
<!-- TEASER_END -->

The programming, making available, distribution or acquisition of
so-called hacker tools, necessary for the daily work of network
administrators and security experts, is penalized by clause 202c StGB
(German penal code). Due to a constitutional complaint against the new
clause, the BVerfG is looking into the question of whether it is generally
possible to distinguish so-called hacker tools from allegedly harmless
software. The CCC also studied the likely consequences this new law
will have and whether the use of potentially harmful software is
necessary for auditing the security of computer systems.

In the opinion of the CCC, the new fundamental right to the
confidentiality and integrity of IT systems implies that everybody must
be able to test their computer systems for security issues. Therefore
the possession, testing, public information sharing and further
development of so-called hacker tools is mandatory.

The risk of legal proceedings against those who find or research
security vulnerabilities has been intensified through the enactment of
clause 202c. It has already been observed that the voluntary publication
of detected security problems is clearly decreasing in Germany. The
clause's criminalization of dealing with malware therefore leads to a
worse situation for IT security in Germany. Security researchers and
companies are no longer able to perform their services without taking on
the risk of criminal prosecution.

The impacts of clause 202c are described in detail in the report. Media
in the field of IT security, for instance, have already begun to limit
their coverage since the clause came into effect. Professional and
private security researchers are planning to emigrate from Germany, and
research and teaching have also strongly restricted themselves. Many fears
already expressed by experts from the fields of computer science and
practice during the hearings in the Bundestag have already come true.

"The fact that the observable effects of the change to the penal code
are occurring exactly as predicted by the experts surprises no one. In
the long term Germany will become a target for criminals and a gateway
for industrial espionage, as the computer networks can't be effectively
defended anymore", Frank Rieger, speaker of the CCC, comments. "The
industry, as well as normal computer users, are denied the possibility
of testing computers for security vulnerabilities."

Overall, the CCC study makes clear that the legislator's goal of
achieving an improvement of the IT security situation by limiting the
access to malware and attack tools was missed. The criminalization of
software producers and users will lower the standard of security in
Germany. At the same time, it causes disadvantages for German computer
science research and industry.

"The change of law brings no advantages but some severe risks. It likely
violates the constitutional rights of many, as it restricts their
freedom to carry out their professional duties as well as restricting
the freedoms of researchers and press significantly. In order to not
jeopardize the German IT industry, clause 202c must be abolished as soon
as possible", Rieger claims.

### Links
- \[1\] [CCC's report on the occasion of the constitutional complaint
against clause 202c StGB: Current and future effects of the change
of penal law on computer security, (in
German)](/202c/202cStellungnahme.pdf)
- \[2\] [Fundamental right to the confidentiality and integrity of IT
systems, decision of Feb. 27th, 2008 (in
German)](http://www.bundesverfassungsgericht.de/entscheidungen/rs20080227_1bvr037007.html)
- \[3\] [Prohibition of computer security tools opens the floodgates
for the federal trojan (German
statement)](/updates/2007/paragraph-202c)

Media contact:

- presse\@ccc.de (preferred)
- 0700-CHAOSFON (0700 - 24267366)