Strict German Computer Crime Law Now in Effect

SkiifGeek writes "With little fanfare, section 202c of the German computer crime laws came into effect over the weekend. Worryingly for Security professionals, the laws make the mere possession of (creates, obtains or provides access to, sells, yields, distributes or otherwise allows access to) many useful tools illegal. A similar law was proposed for the UK, however it was modified prior to passing through parliament due to the outcry from the industry. Phenoelit, KisMAC, the CCC, and the Month of PHP Bugs are just some of the relatively high profile projects and groups to have already taken measures to remove or modify content under this law."

The good news for hackers. . . .

[Anonymous Coward]

germany is now going to be a REALLY easy place to hack.

Re:There is no effective law against curiousity

[Anonymous Coward]

Yes, but it is to be expected that most people won't understand that because after all, like Thomas Paine said: "Time makes more converts than reason".

Well, I guess we're really screwed then. To quote Thomas Paine, "The greatest remedy for anger is delay."

By the time everyone else gets outraged about this, we'll all be cooled off.

As the author of Nmap ...

[fv]

As the author of Nmap [insecure.org], I'm more than a little concerned about this law. It could mean that I can never again visit Germany, which is a shame because I have many friends there. But I don't want to risk a year in prison or the Halvar treatment [slashdot.org]. Many of these articles state as a matter of fact that the creation or distribution of Nmap (mentioned by name in TFA) is illegal now. If true, what does that mean for all the Linux distributors who include Nmap and other security tools [sectools.org]?

Does anyone have a link to a good English translation and legal analysis of the new law? The Phenoelit page [phenoelit.de] translates the law as affecting "computer programs whose aim is to commit a crime". That doesn't cover Nmap, which I designed for security professionals. But of course some blackhats use it too, and I don't want to bet my freedom on being able to convince a technologically illiterate judge in Germany of my intent.

I hope groups like the CCC [ccc.de] (which is apparently quite powerful in Germany) are able to get this overturned! If legitimate German admins are afraid to use Nmap and other security tools while the crackers retain full access to them, that won't be a pretty sight!

-Fyodor
Insecure.Org [insecure.org]

Every Browser is now Illegal

[EEPROMS]

Ive seen security analysts demonstrating breaking into websites with a web browser, you dont need specific hacking tools in many cases because what is available will often do the job just fine.

i am afraid

[Anonymous Coward]

as a young german citizen currently working in tech support i must state that i am very very afraid.
though my boss did not even know about this law (strange), it somehow makes me believe it could be good to try another profession.

Q: can one be prepared for the "kristallnacht", i ?

Re:As the author of Nmap ...

[julesh]

A Google translation of the relevant section is:

(1) Who prepares a criminal offence after 202a or 202b, by he
1. Passwords or other safeguard codes, those the entrance to data ( 202a
Exp. 2) make possible, or
2. Computer programs, whose purpose is committing such an act,
manufactures, or another provided, sold, another leaves themselves, common
or makes otherwise accessible, becomes with imprisonment up to one year or also
Fine punishes.

I find the idea that this is any worse than the UK law that passed strange:

3A
Making, supplying or obtaining articles for use in offence under section 1 or 3
(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
(2) A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
(3) A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.
(4) In this section "article" includes any program or data held in electronic form.
(5) A person guilty of an offence under this section shall be liable--
      (a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;
      (b) on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both;
      (c) on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both.

Section (2) is much more general than the German law, requiring only that you believe it likely that the article supplied will be used in such a crime, while the German law requires intent that it be used in such a crime. Plus, the UK law allows 2 years imprisonment, the German law only one.

So, all in all, I'd say you're on much safer grounds visiting Germany than the UK over this one.

Re:Law not just evil but also dumb

[Advocadus Diaboli]

The possession of this software is virtually undetectable unless some kind of crime has been committed using them (such as using it to actually attack someone else's machine). Well guess what, attacking someone else's machine has ALREADY been illegal (and justly so).

I would say "you are right" by just looking at this law. Being a German citizen I can also see other attempts of the government that go into the direction of seeiking private PCs online and without letting the user know. Of course they say its against terrrorsts, but if we put away the fact that they will have some difficulties on the technical side it would give them the basics to see if you have those tools installed or not. And then the question is if you are a person that the government wants to get rid of or not. If you're harmless probably nothing will happen, if you're a danger for the government because you make the people think, then you have a good chance to be put behind bars for some silly reason.

Germany is actually close to the methods they were using 1933-1945 and 1945-1989 in Eastern Germany. The german constitution (aka "Grundgesetz") is changed frequently to allow new laws that would have made the people of 1949 who wrote the Rev. 1 think that George Orwell was an optimist.

The actual german government has lost the confidence of the people because they spend much more effort in installing the Big Brother than they spend efforts in solving the real problems of their country. Next elections will be very interesting.

I'm German and have read the law.

[aix tom]

http://dejure.org/gesetze/StGB/202c.html [dejure.org]

  202c
Vorbereiten des Ausspähens und Abfangens von Daten
-> Preparation to spy out or intercept data.

(1) Wer eine Straftat nach 202a oder 202b vorbereitet, indem er
-> Anyone preparing a criminal offense according to 202a or 202b by ...

        1. Passwörter oder sonstige Sicherungscodes, die den Zugang zu Daten ( 202a Abs. 2) ermöglichen, oder
                            -> collecting passwords or similar security codes, which allow access to data ( 202a / 2), or

        2. Computerprogramme, deren Zweck die Begehung einer solchen Tat ist, herstellt, sich oder einem anderen verschafft, verkauft, einem anderen überlässt, verbreitet oder sonst zugänglich macht, wird mit Freiheitsstrafe bis zu einem Jahr oder mit Geldstrafe bestraft.
                            -> produe, supply or sell Computer Software with aims at perpetrating such offenses, is punishable by one one year in prison or a fine.

Where 202a/b basically define the crime "getting at data you are not supposed to get at"

I think the real problem is the first sentence "Anyone preparing a criminal offense according to 202a or 202b by..." which creates a circular dependency. I really don't understand even from the German text if that means that 202c 1/2 only comes into effect if you really are preparing to actually hack someone specific (202a/b) of if it's the other way around.

I don't give that law a lot of time before it is changed. (At least I hope so)

Re:Germany...

[stevedcc]

I think this whole fuss is somehwat overblown... my finacee is a german law student... pased her first state exams, about to go and do the "on the job learning" part. She's been translating the law for me (she wants to defend her country against all this fuss). Some points she made:

• This law is implementing a European Council Convention ruling from 2001 (don't just pick on Germany), to keep consistent criminal cyber law across Europe.
• The law states that someone is only comitting a criminal offence if they're acting without authorisation
• It's only illegal to develop software that is INTENDED to be used for computer crime - tools with genuine uses would not be subject to this by just existing, but misuse of them would be a crime
• The concerns people have been expressing about "the whole security industry will be operating in a grey area" just aren't fair: security researchers shouldn't be poking about in machines without authorisation, so it's not a problem

I understand that there's a lot of concern about how the laws will be applied, but this is hardly unique to Germany, tech crime is generally difficult for law enforcement agencies to deal with, we'll see what happens with that. My fiancee thinks that part of the problem is that most of us English speakers don't have a basic understanding of the German legal system

NB IANAL, my fiancee isn't(yet) and she's not your lawyer.