The German government has proposed draft legislation that would exclude ethical hacking aimed at finding security vulnerabilities from criminal prosecution. Golem.de reports that this would reduce legal risks for cybersecurity researchers.
The draft law is supposed to protect anyone who hacks computer systems with positive intentions to find security gaps. According to a press release by the German Federal Ministry of Justice, whitehat hackers should not be exposed to the risk of criminal liability.
The law also introduces tougher penalties for blackhat hacking, particularly serious cases of espionage and intercepting data.
“Anyone who wants to close IT security gaps deserves recognition – not a letter from the public prosecutor,” said Federal Justice Minister Dr. Marco Buschmann.
“It is in the interest of society as a whole that IT security gaps are uncovered and closed. With the draft law, we will exclude the risk of criminal liability for people who take on this important task.”
According to current criminal law in Germany, anyone who gains “unauthorized” access to data commits a criminal offense. A new paragraph will clarify that IT security researchers’ actions are not “unauthorized” and are therefore not punishable.
In certain serious cases of spying and the interception of data, when the perpetrator causes a large loss of assets or acts out of greed, commercially or as a member of a gang, the penalty will be a prison sentence of three months to five years.
“Security gaps in IT systems can have dramatic consequences in our connected world. Cybercriminals and foreign powers can use IT security gaps as gateways. Hospitals, transport companies, or power plants can be paralyzed in this way, personal data can be spied on, and companies can be ruined,” the minister said.
According to Golem.de, the draft law does not change the so-called hacker paragraph in the Criminal Code. The ministry pointed out that the mere possession of hacking tools is not considered a criminal offense.
The draft is currently under review until December 13th, 2024, before moving to parliamentary approval.
The US Department of Justice (DOJ) announced a similar policy in 2022, encouraging cybersecurity research for the common good and excluding whitehats from prosecution under the Computer Fraud and Abuse Act (CFAA).