What will happen with the new laws?
Marco Gercke: The implementation of the Cybercrime Convention, which is just taking place, could change this situation, as Art. 6 Paragraph 1 a ii refers to "computer password, access code or similar data".
Article 6 - Misuse of devices
1. Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right:
a. the production, sale, procurement for use, import, distribution or otherwise making available of:
i. a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with the above Articles 2 through 5;
ii. a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5; and
b. the possession of an item referred to in paragraphs a.i or ii above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5. A Party may require by law that a number of such items be possessed before criminal liability attaches.
If the disclosed information can be interpreted as "other data", the disclosure can lead to criminal sanctions. As the term "other data" is used in the context of "password, access code", it is very likely that pure information about vulnerabilities will not be covered.
Does this cover the modification of personal devices such as videogame consoles or mobile phones that you have bought?
Marco Gercke: It depends on what you do with the devices. If you just activate functions that were disabled, or something like this, the answer is no. The criminalisation of preparatory acts is limited to some very few crimes. Therefore the mentioned manipulations are in general not covered.
I am wondering if, during the new lawsuits that will happen in the future, the judge will have to completely ignore precedent verdicts made under the old laws...
Marco Gercke: Yes, with regard to those provisions where the wording changed, they have to stick to the wording. An example is Paragraph 202a Penal Code. Under the old law, hacking (without further criminal activity like data espionage) was not criminalised. Now the courts will have to prosecute those acts due to the change of the law. Nevertheless, in some cases they will be able to keep the interpretation of certain legal terms if those terms have not changed.
Are these laws limited to Germany, or will they be applied to other EU countries and citizens?
Marco Gercke: The law is implementing international standards (EU Framework Decision on Attacks against Information Systems and Council of Europe Convention on Cybercrime). Therefore those provisions that are implemented in Germany will or have already been implemented in other countries.
Do you know if this framework has been adopted by UN (United Nations) or any other country outside EU?
Marco Gercke: No, not the Framework Decision. This will always be limited to the 27 EU States. But the Convention on Cybercrime (important because of Art. 6 - see above) was signed by non-EU and non-European countries. It is more detailed and goes far beyond the Framework Decision. I was involved in various activities in Eastern European countries as well as African and Arab countries that are at least planning to sign and ratify the Convention.
Do you expect to see a real crackdown on German security researchers and companies who might be breaking the new laws using "security evaluation tools"? Or maybe we could discover how these laws will be applied only after the first lawsuit?
Marco Gercke: This depends on the way security researchers work. In those cases where a company orders the security researchers to test the system, these tests are not criminalised by the new law. The situation is the same in those cases where the tests are carried out in a closed environment (e.g. in a laboratory). The practice of attacking a system without permission first and asking for permission afterwards was criminalised before as well.
Ok, but I have heard from multiple sources that one of the worst aspects of the new laws was that security tools such as nmap (a port scanner) would become illegal. Just having them on your computer will be enough. Is it true? Every detail about this topic would be appreciated...
Marco Gercke: The risk is there. Unlike Art. 6 of the Convention on Cybercrime, Paragraph 202c Penal Code does not limit the criminalisation to tools that are primarily designed to commit certain computer crimes. Therefore it will be necessary to wait for the first verdicts. It is very likely that the courts will limit the application of the software, with the result that possession without a link to criminal activities will not be punished.