Germany passes Anti-Hacking laws
On Friday night the German Bundestag – the lower chamber of Germany's federal parliament – passed without amendment a controversial government bill designed to facilitate criminal prosecution of computer crimes. Only the Left Party voted against it. At a hearing in March security experts and representatives of IT companies raised many objections all of which have been turned down.
It becomes an offence to create, sell, distribute or even aquire so called Hacker Tools that are built to conduct criminal acts like aquiring illegal access to protected data. It is feared by many that this might keep administrators and security experts from doing their job – i.e. from properly testing applications or networks to enhance security while on the other hand the blackhats don't really care that their choosen tool has been made illegal now. Interestingly a similar clause in the Police and Justice Act amendments to the UK Computer Misuse Act has recently been suspended pending amendment for this very reason.
Another new offence is the unauthorized access of secured data by means that require the disabling or circumventing of security measures. This echoes the circumvention clause of the US Digital Millennium Copyright Act, which is still highly controversial after almost a decade and has been used in ways not anticipated by its creators to stifle legitimate security reaearch.
Whereas until now computer sabotage involving attacks on enterprises, companies or public authorities was an offense, in a positive move this protection is now extended by the legislation to private data processing.
The "deliberate acquisition of data by tapping into a non-public transmission of data or by way of reading radiation leaked by a data processing system" also becomes an offence. This is an important and long over-due clause; however, legislation couched in this type of very specific technical terms has proved less than ideal in the past as it can rapidly become obsolete as technologies change.
It remains to be seen whether this new legislation, expected to become effective this summer, will serve its purpose to allow more effective prosecution of cybercrime or indeed will turn out to be a step backwards for computer security by keeping the good guys from doing their work. Indeed, in the light of past experience in the UK and elsewhere, and given the novelty and scope of these measures, it is not clear that they will even prove enforceable.