German "Hacker tool" development put on hold
Amid concerns that their program will be categorised as a banned hacker tool under the new section 202c of the German Criminal Code, the Germany-based developers of the KisMAC WLAN scanner for Mac OS X have put further work on their product on hold.
Under the new law, development, use or possession of a software tool that can be used to break into systems can attract a custodial sentence of up to three years. KisMAC's functions include WEP key cracking, so it might be considered to fall into the criminalised category. It is not clear what will happen to the existing source code and whether it will have to, for example, leave the country.
The much disputed amendment to the German Criminal Code for combating computer crime was approved by the Bundesrat (the upper house of the German parliament) in late July. Particularly controversial was Section 202c, cited by the KisMAC developers. Under this section, making preparations to commit a criminal offence through the production, acquisition, sale, surrender, distribution or provision of access to passwords or other security codes for data access or of relevant computer programs will in future be punishable with a fine or up to one year in jail. A supplementary declaration issued by the legal committee of the Bundestag (the lower house of the German parliament) states that only computer programs primarily designed for, or produced with the aim of, performing computer crime are affected.
The developers are now considering whether to take their activities out of German jurisdiction. However, this is likely to become a problem throughout the EU, as, by the end of 2007, all member states must have implemented the framework decision on attacks on information systems concluded in early 2005. Whether other member states also plan to ban hacker tools within this framework is not currently clear, as some discretion is apparently available to individual states. An amendment to the UK Computer Misuse Act with similar intent to Section 202c was suspended this year subject to (still ongoing) review, mainly, it seems, on the grounds that supposition about the intent of third parties is not a sound basis for culpability of developers or suppliers.
Given these two conflicting positions, the situation in Europe is in flux, and to be completely safe, the source code would need to be hosted on non-European servers. The hacker group Phenoelit, which rarely fails to create a stir at the annual convention of the Chaos Computer Club (CCC) by revealing security vulnerabilities in SAP software, BlackBerry devices or integrated systems, has, for instance, moved its website to an American web server.
Whether other projects relating to free security tools will close their doors remains to be seen. The new law has not yet entered into force. The supplementary declaration to the amendment, stating that only such programs as have been primarily designed or produced in order to commit acts which are crimes under the hacker legislation are affected, still leaves plenty of room for interpretation.