Germany's Justice Department Drafts Law to Protect White Hat Hackers from Criminal Liability for Security-Related Intrusions
The Federal Justice Department of Germany is currently drafting a new law aimed at protecting white hat hackers who contribute to enhancing internet security. This forthcoming legislation stipulates that security researchers who responsibly report vulnerabilities to providers should be recognized rather than held criminally liable.
The primary purpose of this law is to assist white hat hackers and security researchers in avoiding legal risks during their vulnerability discovery processes, which often involve system intrusion activities.
The context for this legislative initiative stems from an incident where a programmer in Germany was prosecuted and fined €3,000 for unauthorized access after discovering a vulnerability. This case garnered significant attention in the security industry and likely influenced Germany’s decision to amend its criminal law.
Under the new law, security research must meet the following criteria:
- The action taken (e.g., intrusion) must be for the purpose of identifying vulnerabilities or other security risks in IT systems.
- Researchers are required to report the discovered security vulnerabilities to the responsible entity capable of addressing the problem, such as operators, developers, or the German Federal Office for Information Security.
- The act of accessing the system must be necessary for identifying vulnerabilities, ensuring that immunity applies only within the scope required for security testing, without unnecessary or excessive access.
- Exemptions from criminal liability also extend to crimes related to data interception and modification, provided the actions are deemed authorized.
The German Federal Minister of Justice stated:
"Those who aim to rectify IT security vulnerabilities should be recognized, not receive letters from prosecutors. With this draft law, we aim to eliminate the risk of criminal liability for individuals undertaking this crucial task."
Additionally, the Justice Department is drafting criteria for determining when malicious data surveillance and interception constitute a severe offense, with such offenses subject to imprisonment ranging from three months to five years.
The draft outlines severe circumstances as follows:
- The criminal act results in significant economic loss.
- The act is motivated by profit, conducted on a commercial scale, or part of a criminal organization.
- It endangers critical infrastructure such as hospitals, energy supply, or transportation networks, or affects the security of Germany or a German state, including attacks from abroad.
The new draft has been distributed to German federal states and relevant associations for review, with feedback due by December 13, 2024, before proceeding to the Bundestag for parliamentary consideration.
Besides Germany, the U.S. Department of Justice also revised the Federal Computer Fraud and Abuse Act (CFAA) in May 2022, adding an exemption from prosecution for well-intentioned security researchers.