Germany is passing some new laws regarding cybercrime that might affect security professionals. Federico Biancuzzi interviewed Marco Gercke, one of the experts who were invited to the parliamentary hearing, to learn more about this delicate subject. They discussed what is covered by the new laws, which areas remain in the dark, and how they might affect vulnerability disclosure and the use of common tools such as nmap.
Could you introduce yourself?
Marco Gercke: I am a Lecturer for Law related to Cybercrime at the University of Cologne and an Expert for the Council of Europe. My website.
What "cyber" things are covered by the new laws?
Marco Gercke: The new law implements the EU Framework Decision on Attacks against Information Systems. The Framework Decision needed to be implemented before the 16th of March 2007 - the implementation was therefore late. In addition, the new law implements Art. 6 of the Convention on Cybercrime.
The law criminalises a number of computer-related offences that were not, or at least not to the required extent, criminalised previously. The most important changes relate to the following offences:
- Unlike in most countries with computer-related criminal law provisions, pure access to a computer system (not going along with further offences) was not criminalised. The new law criminalises access to data and, as a consequence, access to a computer system.
- Until the new law was implemented, system interference (such as denial-of-service attacks) was only criminalised if it affected a computer system of a company or official institution. Now attacks that affect private computers are covered as well.
- Criminalisation of the misuse of devices. The provision implements - as mentioned previously - Art. 6 of the Convention on Cybercrime. With its implementation, the preparation of computer-related crimes is criminalised if the crime is prepared by certain interaction with regard to passwords and computer tools.
Do you think that the new laws are more technologically up-to-date?
Marco Gercke: Yes, they cover the modern threats and, up to a certain degree, they are open to new technical developments. Nevertheless, it is important to keep in mind that, with regard to the fundamental "principle of certainty" in civil law countries, the laws need to be precise. Therefore it might be necessary to address new scams that differ from the acts covered by the law with new laws in the future.
Do you think that the new laws clarify the subject or make it more complicated?
Marco Gercke: This question is difficult to answer. The implementation of the EU Framework Decision is harmonising the laws within the EU and, as a result, enabling the parties to cooperate much better in international investigations. The implementation is - apart from some minor points - implementing the Framework Decision in a very precise way. The possibilities of the national lawmaker were very much limited - therefore a complication would very much result from the EU Framework Decision and not from the implementation.
What was the situation regarding vulnerabilities disclosure with the old laws?
Marco Gercke: Under the old German law the disclosure of security vulnerabilities of software could, on a theoretical basis, lead to criminal responsibility for incitement or accessoryship. Nevertheless, the majority of pure publications of software vulnerabilities will never lead to criminal liability, as the liability is limited to very few case scenarios.
Situation regarding the old law:
1) The disclosure of security vulnerabilities does not lead to a violation of criminal provisions under the Copyright Act (Urhebergesetz). Paragraph 106 of the Copyright Act, which sanctions the duplication and dissemination of copyright-protected artwork, is not applicable unless the disclosure of security vulnerabilities goes along with the duplication or dissemination of the (copyright-protected) software or parts of this software.
2) Paragraph 108b of the Copyright Act, which sanctions the interference with protection measures, does not criminalise the pure disclosure of information.
3) According to the Penal Code (Strafgesetzbuch), the disclosure of security vulnerabilities does not lead to a violation of substantive criminal law provisions. Paragraph 202a of the Penal Code criminalises the spying of data. The criminalisation can in some cases even cover acts of gaining access to information systems ("hacking"). The pure disclosure of software vulnerabilities does not lead to a violation of Paragraph 202a of the Penal Code. The publication of security vulnerabilities can lead to criminal sanction by taking into consideration Paragraphs 26 and 27 of the German Penal Code.
The publication only leads to criminalisation of the person who published it if:
- Somebody intentionally commits an unlawful act
- The published security vulnerability was used to commit the unlawful act OR the person who committed the unlawful act felt induced by the publication of the security vulnerability
- The person who disclosed the security vulnerability had the intention to aid or abet with regard to the unlawful act
- The person who disclosed the security vulnerability had at least some idea about the unlawful act that a third person committed
With regard to the last two aspects, an analysis of criminal responsibility needs to take into account the details of the underlying case. It can, for example, be important where the information is published. If somebody publishes a security vulnerability in a "cracker" forum, this can be an argument for his intention and, with this, his criminal responsibility. An important aspect can also be the interaction between the publisher and the software company. If the information about existing security vulnerabilities is first forwarded to the software company and - after a reaction time - disclosed to the public, this can be used as an argument against criminal responsibility.