Also read this one, please:
http://www.securityfocus.com/print/columnists/448
Achtung! New German Laws on Cybercrime
Federico Biancuzzi
Germany is passing new laws on cybercrime that might affect security professionals. Federico Biancuzzi interviewed Marco Gercke, one of the experts who were invited to the parliamentary hearing, to learn more about this delicate subject. They discussed what is covered by the new laws, which areas remain in the dark, and how they might affect vulnerability disclosure and the use of common tools such as nmap.
Could you introduce yourself?
Marco Gercke: I am a Lecturer for Law related to Cybercrime at the University of Cologne and an Expert for the Council of Europe.
What “cyber” things are covered by the new laws?
Marco Gercke: The new law implements the EU Framework Decision on Attacks against Information Systems. The Framework Decision needed to be implemented before the 16th of March 2007 - the implementation was therefore late. In addition, the new law implements Art. 6 of the Convention on Cybercrime.
The law criminalises a number of computer-related offences that were not, or at least not to the required extent, criminalised previously. The most important changes are related to the following offences:
- Unlike in most countries with computer-related criminal law provisions, pure access to a computer system (that did not go along with further offences) was not criminalised. The new law criminalises access to data and, as a consequence, access to a computer system.
- Until the new law was implemented, system interference (such as denial-of-service attacks) was only criminalised if it affected a computer system of a company or official institution. Now attacks that affect private computers are covered as well.
- Criminalisation of the misuse of devices. The provision implements - as mentioned previously - Art. 6 of the Convention on Cybercrime. With its implementation, the preparation of computer-related crimes is criminalised if the crime is prepared by certain interactions with regard to passwords and computer tools.
Do you think that the new laws are more technologically up-to-date?
Marco Gercke: Yes, they cover the modern threats and, up to a certain degree, they are open for new technical developments. Nevertheless, it is important to keep in mind that with regard to the fundamental “principle of certainty” in the civil law countries the laws needed to be precise. Therefore it might be necessary to address new scams that differ from the acts covered by the law with new laws in the future.
Do you think that the new laws clarify the subject or make it more complicated?
Marco Gercke: This question is difficult to answer. The implementation of the EU Framework Decision is harmonising the laws within the EU and, as a result, enabling the parties to cooperate much better in international investigations. The implementation is - apart from some minor points - implementing the Framework Decision in a very precise way. The possibilities of the national lawmaker were very much limited - therefore a complication would very much result from the EU Framework Decision and not from the implementation.
What was the situation regarding vulnerabilities disclosure with the old laws?
Marco Gercke: Under the old German law the disclosure of security vulnerabilities of software could, on a theoretical basis, lead to criminal responsibility for incitement or accessoryship. Nevertheless, the majority of pure publications of software vulnerabilities will never lead to criminal liability, as the liability is limited to very few case scenarios.
Situation regarding the old law:
- The disclosure of security vulnerabilities does not lead to a violation of criminal provisions under the Copyright Act (Urhebergesetz). Paragraph 106 of the Copyright Act, which sanctions the duplication and dissemination of copyright-protected artwork, is not applicable unless the disclosure of security vulnerabilities goes along with the duplication or dissemination of the (copyright-protected) software or parts of this software.
- Paragraph 108b of the Copyright Act, which sanctions the interference with protection measures, does not criminalise the pure disclosure of information.
- According to the Penal Code (Strafgesetzbuch), the disclosure of security vulnerabilities does not lead to a violation of substantive criminal law provisions. Paragraph 202a Penal Code criminalises the spying of data. The criminalisation can in some cases even cover acts of gaining access to information systems (“hacking”). The pure disclosure of software vulnerabilities does not lead to a violation of Paragraph 202a Penal Code. The publication of security vulnerabilities can lead to criminal sanction by taking into consideration Paragraphs 26 and 27 of the German Penal Code.
The publication only leads to criminalisation of the person who published it if:
* Somebody intentionally commits an unlawful act
* The published security vulnerability was used to commit the unlawful act OR the person who committed the unlawful act felt induced by the publication of the security vulnerability
* The person who disclosed the security vulnerability had the intention to aid or abet with regard to the unlawful act
* The person who disclosed the security vulnerability had at least some idea about the unlawful act that a third person committed
With regard to the last two aspects, an analysis of criminal responsibility needs to take into account the details of the underlying case. It can, for example, be important where the information is published. If somebody publishes a security vulnerability in a “cracker” forum, this can be an argument for his intention and with this his criminal responsibility. An important aspect can as well be the interaction between the publisher and the software company. If the information about existing security vulnerabilities is first of all forwarded to the software company and - after a reaction time - disclosed to the public, this can be used as an argument against criminal responsibility.
What will happen with the new laws?
Marco Gercke: The implementation of the Cybercrime Convention - which is just taking place - could change this situation, as Art. 6 Paragraph 1 a ii refers to “computer password, access code or similar data”.
Article 6 - Misuse of devices
1. Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right:
a. the production, sale, procurement for use, import, distribution or otherwise making available of:
i. a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with the above Articles 2 through 5;
ii. a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5; and
b. the possession of an item referred to in paragraphs a.i or ii above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5. A Party may require by law that a number of such items be possessed before criminal liability attaches.
If the disclosed information can be interpreted as “other data”, the disclosure can lead to criminal sanctions. As the term “other data” is used in the context of “password, access code”, it is very likely that pure information about vulnerabilities will not be covered.
Does this cover the modification of personal devices such as videogame consoles or mobile phones that you have bought?
Marco Gercke: It depends on what you do with the devices. If you just activate functions that were disabled, or something like this, the answer is no. The criminalisation of preparatory acts is limited to some very few crimes. Therefore the mentioned manipulations are in general not covered.
I am wondering if, during the new lawsuits that will happen in the future, the judge will have to completely ignore previous verdicts made under the old laws…
Marco Gercke: Yes, with regard to those provisions where the wording changed, they have to stick to the wording. An example is Paragraph 202a Penal Code. Under the old law, hacking (without further criminal activity like data espionage) was not criminalised. Now the courts will have to prosecute those acts due to the change of the law. Nevertheless, in some cases they will be able to keep the interpretation of certain legal terms if those terms have not changed.
Are these laws limited to Germany, or will they be applied to other EU countries and citizens?
Marco Gercke: The law is implementing international standards (EU Framework Decision on Attacks against Information Systems and Council of Europe Convention on Cybercrime). Therefore those provisions that are implemented in Germany will or have already been implemented in other countries.
Do you know if this framework has been adopted by UN (United Nations) or any other country outside EU?
Marco Gercke: No, not the Framework Decision. This will always be limited to the 27 EU States. But the Convention on Cybercrime (important because of Art. 6 - see above) was signed by non-EU and non-European countries. It is more detailed and goes far beyond the Framework Decision. I was involved in various activities in Eastern European countries as well as African and Arabic countries that are at least planning to sign and ratify the Convention.
Do you expect to see a real crackdown on German security researchers and companies who might be breaking the new laws using “security evaluation tools”? Or maybe we could discover how these laws will be applied only after the first lawsuit?
Marco Gercke: This depends on the way security researchers work. In those cases where a company orders the security researchers to test the system, these tests are not criminalised by the new law. The situation is the same in those cases where the tests are processed in a closed environment (e.g. in a laboratory). The practice of attacking a system without permission first of all and then asking for the permission was criminalised before as well.
Ok, but I have heard from multiple sources that one of the worst aspects of the new laws was that security tools such as nmap (a port scanner), would become illegal. Just having them on your computer will be enough. Is it true? Every detail about this topic would be appreciated…
Marco Gercke: The risk is there. Unlike Art. 6 of the Convention on Cybercrime, Paragraph 202c Penal Code does not limit the criminalisation to tools that are primarily designed to commit certain computer crimes. Therefore it will be necessary to wait for the first verdicts. It is very likely that the courts will limit the application of the software, with the result that the possession without a link to criminal activities will not be punished.