Despite the vociferous criticism directed at the new provision the
Federal Ministry of Justice sees no need to modify or amend the planned
"Hacker Software Paragraph" (PDF file). This position of the ministry
Ralf Kleindiek, the head of the office of the Federal Minister of
Justice Brigitte Zypries, confirmed in a talk with heise online.
Paragraph 202c of the German Penal Code (StGB), which is to be newly
created within the framework of the Criminal Law Amendment Act with an
eye to combating cyber crime, is designed to render acts preparatory to
the commission of a computer crime a criminal offense. Thus among other
things creating, handing over to others, distributing or procuring
"hacker tools" that by their very nature are designed "to serve illegal
purposes" will in future constitute a criminal offense. Thus it says in
Anyone who commits an act or acts preparatory to the commission of a
criminal offense as defined in 202a or 202b by
2. Creating, procuring for themselves or others, selling, distributing,
handing over or in any other manner making available to others
computer programs the purpose of which is the commission of such a
criminal offense will be punished with a prison term of up to one
year or with a fine.
As the wording of the draft makes clear the sole criterion here is the
objective risks inherent in the software -- and not as one might expect
the purpose for which it is meant to be used. Thus it says verbatim:
In particular the potentially widespread distribution of hacker tools
made possible by the Internet, their easy availability, as well as their
simple use, constitute a considerable danger, which can only be combated
effectively by making the distribution as such of such inherently
dangerous tools a crime.
Thus it is suggested in Section 1 Subheading 2 that the committing of an
act or acts preparatory to the commission of a criminal offense as
defined in 202a or 202b StGB by creating, procuring, selling,
distributing, handing over or in any other manner making available to
others computer programs the purpose of which is the commission of such
a criminal offense be penalized.
The draft has been vehemently criticized by German industry associations
such as the Association for Information Technology, Telecommunications
and New Media (Bitkom) (PDF file) and eco (PDF file) as well as the
Chaos Computer Club (CCC).
The critics are unanimous in fearing that the draft could make the use
of "hacker tools" for IT security purposes a criminal offense. Thus the
eco association has expressed apprehension at what it calls a
"criminalization frenzy" and has called for an amendment and
clarification of the new provision. The Chaos Computer Club for its part
has warned that implementing the draft could jeopardize the security of
These objections the Federal Ministry of Justice apparently cannot
understand. In a statement the ministry points out that if a computer
program "is acquired or made available to others for the purpose of
carrying out a security check or checks or developing security software"
no criminal liability arises. The decisive criterion, the ministry
writes, is whether or not "the act in question is one that is undertaken
in preparation of a computer crime (? 202a, 202b, 303a, 303b StGB)."
If this interpretation of the draft bill were to stand then the
criminalization threat that IT security measures face would to all
intents and purposes disappear. Unlike the official reasons given for
the draft bill, however, the statement of the ministry is by no means
binding for the courts. With a view to, among other things, providing
judges with an unambiguous interpretation and preventing them from
overinterpreting the new provision critics of the same are consequently
continuing to call for clarification of the wording of the law.
Mr. Kleindiek also pointed out to heise online that the status of the
new provision was as yet that of a government draft. The latter would
now be passed on to the upper (Bundesrat) and lower (Bundestag) chamber
of Germany's federal parliament and discussed there in the appropriate
committees, he said. In consequence the wording of the provision might
yet be changed, he observed. He did not, however, consider this to be a
necessity, Mr. Kleindiek asserted. He added that he considered the
provision as it stood to be unequivocal and unambiguous.
(Joerg Heidrich) (Robert W. Smith) / (jk/c't)
This article's URL:
This article links to:
 mailto: jk (at) ct.heise.de
Visit the InfoSec News store!