[Infowarrior] - German hacker-tool law snares...no-one

Richard Forno rforno at infowarrior.org
Sun Jun 7 19:10:42 UTC 2009


Original URL: http://www.theregister.co.uk/2009/06/07/germany_hacker_tool_law/

German hacker-tool law snares...no-one

Security researchers are put out

By Mark Rasch, SecurityFocus

Posted in Crime, 7th June 2009 08:02 GMT

On August 10, 2007, a new section of the German Penal code went into  
effect. The statute, intended to implement certain provisions of the  
Council of Europe Treaty on Cybercrime, could be interpreted to make  
the creation or distribution of computer security software a criminal  
offense.

In the wake of the statute, numerous computer security companies  
announced their relocation out of Germany. However, to date there have  
been no prosecutions under this provision, and only a small amount of  
reported litigation. So far, the statute that scared the bejeezus out  
of the legitimate security community has not deterred or diminished  
the spread of hacker tools in Germany or anywhere else and has created  
legal uncertainty about potential liability.

The German law came out of the February 24, 2005 Council of Europe's  
Convention on Cybercrime (pdf: http://eur-lex.europa.eu/LexUriServ/site/en/oj/2005/l_069/l_06920050316en00670071.pdf).  
This convention compelled signatories to adopt implementing  
legislation that, among other things, defined cybercrime, provided  
procedures for collecting evidence, and created a framework for  
international cooperation on cybercrime investigations.

Article 6 of the Treaty required signatories to make it a crime to  
intentionally engage in:

     the production, sale, procurement for use, import, distribution  
or otherwise making available of ... a device, including a computer  
program, designed or adapted primarily for the purpose of committing  
[a computer crime] [or] a computer password, access code, or similar  
data by which the whole or any part of a computer system is capable of  
being accessed, with intent that it be used for the purpose of  
committing [a computer crime].

The treaty language goes on to note that it would not be a crime to  
produce, sell or distribute a "hacker tool" if it is for a legitimate  
security purpose.

Of Tools and Authors

Germany adopted Section 202(c) of its penal code in an effort to  
comply with its obligations under the COE Cybercrime Convention. The  
German law makes it an offense to create, obtain or distribute any  
computer program that violates its cybercrime laws. The penalty set by  
law is up to a year in jail and fines. The statute is broad enough to  
cover the creation and transmission of a host of programs — whether in  
hardware, software or both — including password crackers, decryption  
programs, penetration testing tools, and other common security tools,  
if it is done as a way of preparing to commit a cybercrime. The  
statute requires that the commission of the criminal offense be the  
express purpose of the computer program. The intent of the programmer  
does not, apparently, matter.

Worded differently, the statute could have focused on the intent of  
the author or distributor, and not on the purpose of the tool. The law  
still would have left open the question of whether committing a crime  
had to be the sole purpose, or just one of the purposes, of the author  
or distributor of the hacker tools.

The German law was intended to criminalize only the creation or  
distribution of devices (including software) that were "designed or  
adapted primarily for the purpose of committing [cybercrime]  
offences." However, these offenses include things like unauthorized  
access and destruction.

A tool does not know whether the access is authorized or not. It does  
not know whether the file destruction is with or without the consent  
of the file owner. Tools primarily designed to find and exploit  
vulnerabilities are commonly used by security professionals to test  
and secure software, networks, and applications. They are, in fact,  
primarily designed to do things which, if not for the authorization of  
the network owners, would be a violation of the statute.

Moreover, whether the use of tools without the authorization of the  
owner of the hardware or software is "authorized" is hardly a neat  
question. Apple recently argued (pdf: http://www.copyright.gov/1201/2008/responses/apple-inc-31.pdf)  
that the use of software by the owner of an iPhone or iPod Touch to  
jailbreak their own phone violated the provisions of the U.S. Digital  
Millennium Copyright Act, and was therefore unlawful and unauthorized.

Under this interpretation, the creation or distribution of such  
software, which would be primarily designed to make an "unauthorized"  
access to your own phone, would be a crime. Terms of Service, Terms of  
Use, and End User License Agreements would set out the conditions  
under which the licensee could test the security of the software,  
hardware or other products they were buying or licensing.

A notorious case of a few years back involved the Network Associates  
EULA, which prohibited (http://news.cnet.com/2100-1023-981228.html) both  
benchmarking and the publication of the results of benchmarking. Thus,  
contract terms which limit the right to do security testing are then  
used to render testing tools into felonies.

The COE treaty which the German law is intended to implement, noted  
that it was not intended to create criminal liability where "the  
production, sale, procurement for use, import, distribution or  
otherwise making available or possession ... is not for the purpose of  
committing a [computer crime] offence."

If I intend to facilitate some other crime like unauthorized access or  
destruction, then can’t I be prosecuted as a conspirator or aider and  
abettor even without this statute? Moreover, because the definition of  
computer crime hinges on the authorization to access or use a computer  
system or network, it is difficult if not impossible to determine  
whether the creation or distribution of the tool is intended to  
facilitate a crime. A wily hacker could simply say — with a wink and a  
nod — that the tool “should not be used to commit any crime,” and  
thereby escape liability.
Better laws needed

For all these reasons, the German statute is a mess.

While we can empathize with the desire to keep hacker tools out of the  
hands of script kiddies who intend harm, and keep black hat hackers  
from developing and distributing ever more sophisticated hacker tools  
and zero day attacks, the problem remains that these same tools can be  
and are used for good purposes by good people. While the statute  
attempts to focus on bad people with bad intent, it lacks the  
precision to do so.

There were a few cases where the German statute was challenged. The  
government investigated but declined to prosecute the online magazine  
Tec-Channel in September 2007, where someone offered a password  
cracker on the website. In that case, the Federal Office for Security  
in Information Technology (BSI) determined that there was no intent to  
violate section 202(c).

There has been a constitutional challenge to the statute. German law,  
like the law of many countries, requires that criminal statutes be  
sufficiently definite to describe precisely what is prohibited without  
overreaching and banning conduct which should be permissible. In  
Germany, this is codified in Article 103(2) of the fundamental laws of  
the Constitution.

Right after the law went into force, a German computer security  
company Visukom filed a lawsuit seeking to declare the statute to be  
unconstitutionally vague and prohibiting lawful and legitimate  
conduct. The case remains pending, and according to Visukom’s former  
president, should be decided later this year.

We should recognize that there are similar laws on the books in the  
UK, Poland and even in the United States. Amendments to the UK  
Computer Misuse Act in 2006 created a new section which makes it a  
crime if someone "makes, adapts, supplies or offers to supply any  
[program or data] intending it to be used to commit, or to assist in  
the commission of [a cybercrime] believing that it is likely to be so  
used."

Similarly, Article 269(b) of the Polish penal code states that,  
"whoever prepares, obtains, sells or makes available for other persons  
the computer devices or software tailored to the purposes of  
committing [a cybercrime], or prepares computer passwords, entry codes  
or other data that makes information stored in a computer system or  
network available" shall be guilty of a crime. While neither the  
United States nor Canada appears to have any explicit "hacker tools"  
statute, the US makes it a crime to make or distribute hardware or  
software designed to get pirated cable or satellite TV signals.

Two years out, the German law has been effectively used to scare  
legitimate security researchers, while no reported cases have been  
brought against computer hackers for a violation of the hacker tools  
provision.

We should use the general laws against conspiracy and aiding and  
abetting crime — laws which require strict proof of intent to  
facilitate crime, or acting in concert to achieve an objective —  
rather than simply passing laws which, subject to the whim of the  
local prosecutor, could be used to criminalize legitimate conduct.

Mark D. Rasch is an attorney and technology expert in the areas of  
intellectual property protection, computer security, privacy and  
regulatory compliance. He formerly worked at the Department of  
Justice, where he was responsible for the prosecution of Robert  
Morris, the Cornell University graduate student responsible for the  
so-called Morris Worm, and the investigations of the Hannover hackers  
featured in Clifford Stoll's book, "The Cuckoo's Egg."

This article originally appeared in SecurityFocus (http://www.securityfocus.com/columnists/502).

Copyright © 2008, SecurityFocus (http://www.securityfocus.com/)
