German law eases restrictions on ethical hackers but maintains Hacker Paragraph
Germany’s Justice Ministry has proposed a reform to protect ethical hackers—those who identify and report IT security vulnerabilities in good faith—from prosecution. However, the widely criticized “Hacker Paragraph,” Section 202c of the Criminal Code, which criminalizes possession of hacking tools, will remain in place, creating a complex landscape for cybersecurity professionals.
The intent of the new amendment is to encourage security research while increasing penalties for severe offenses involving data espionage and interception, especially when significant harm or malicious intent is involved.

Key Highlights
Clear Protection for Ethical Hackers: The draft legislation aims to shield those working to improve cybersecurity by establishing explicit protections for good-faith actions. Ethical hackers who access systems to identify vulnerabilities, notify the responsible parties, and do so out of necessity would not face prosecution under the new framework. Justice Minister Marco Buschmann stated, “Those who want to close security gaps deserve recognition—not a letter from the prosecutor’s office.”
Harsher Penalties for Malicious Activities: Severe cases of data espionage will be met with stricter punishments, particularly when financial gain, organized crime, or major financial losses are involved. Additionally, offenses impacting critical infrastructure or national security from abroad will also see increased penalties, with the maximum prison term raised from the current two years to five years.
Three Criteria for Legal Protection: For ethical hackers to avoid liability, three conditions must be met:
1. The intrusion must have been intended solely to identify a security vulnerability.
2. The hacker must plan to report the vulnerability to an entity responsible for addressing it.
3. The act itself must be essential for discovering the vulnerability.
These guidelines provide a structured defense for ethical hacking activities, although they add a layer of interpretation, particularly around determining intent and necessity in each case.
The Hacker Paragraph Remains a Point of Contention
Despite the reforms, Section 202c, the “Hacker Paragraph,” is not being repealed. This section criminalizes possession of tools that could potentially be used to breach systems, which poses a risk to ethical hackers, since the same tools are used for legitimate security testing. Critics, including the Chaos Computer Club (CCC), argue that this provision places security researchers in a “legal gray zone,” since it is not always clear whether possessing these tools is punishable until after law enforcement intervenes, sometimes through severe measures such as property searches.
The Justice Ministry has clarified that mere possession for good intentions would not lead to prosecution. Still, the CCC and other critics argue that this leaves ethical hackers vulnerable to legal action until their motives can be verified. Professor Dennis-Kenji Kipker, an IT security law expert, views the reform as a positive step but acknowledges the challenges posed by retaining Section 202c.
A Balanced Step Forward or a Missed Opportunity?
The Justice Ministry’s proposal demonstrates a commitment to advancing Germany’s cybersecurity landscape by protecting ethical hackers and dissuading malicious cyber activities. However, leaving Section 202c in place means ethical hackers remain in a precarious position, operating under unclear legal protections.
As the reform progresses through the legislative process, the cybersecurity community will be watching closely. Striking a balance between enabling security research and protecting the public from harmful cyber activities is crucial, and these latest amendments mark a cautious but notable step in that direction.