The German Federal Ministry of Justice has recently sent out a draft proposal for a reform of the computer criminal law to various states and organizations. The main goal of this proposed reform is to ensure that individuals who uncover and repair IT security vulnerabilities are not penalized for their actions. At the same time, the draft also aims to increase penalties for cases involving data espionage and interception.
Under the proposed reform, cases of data espionage and interception will be considered particularly severe if the perpetrator acts out of greed, operates as part of a criminal organization, or causes significant financial harm to the victim. The proposed changes would also cover instances where critical infrastructure or the security of the Federal Republic or a state is compromised, including attacks originating from abroad. The penalties for these offenses would be raised to a range of three months to five years of imprisonment, as opposed to the current maximum penalties of three years for data espionage and two years for data interception.
One key aspect of the proposed reform is the treatment of hackers who engage in ethical hacking, also known as security research, with the intention of improving the security of IT systems. The draft proposal outlines three specific conditions that must be met for their actions to be considered non-criminal:
1. The act of hacking must be carried out with the intention of identifying a security vulnerability.
2. The hacker must intend to inform a responsible party capable of addressing the identified vulnerability.
3. The hacking activity must be necessary for identifying the security vulnerability.
It is crucial for individuals engaging in ethical hacking to meet all three of these conditions in order to avoid criminal prosecution. This approach aims to strike a balance between fostering cybersecurity efforts and deterring malicious hacking activities.
Overall, the proposed reform of the computer criminal law in Germany seeks to encourage and support cybersecurity research while also ensuring that malicious activities are met with appropriate consequences. By clarifying the criteria for determining when hacking activities are permissible and enhancing penalties for serious digital crimes, the draft proposal aims to create a more secure digital environment for individuals and organizations in Germany.