My view on Germany's latest 'hacking' case


For context, start with the original article from heise.de:

Federal Constitutional Court rejects appeal in Modern Solution case
The Federal Constitutional Court refuses to provide more clarity on the application of Section 202 of the German Criminal Code (StGB) concerning hacking.

Something bad is happening in Germany. Something really bad, at least if you are serious about cyber security.
Long story short: responsible disclosure is under fire.


But why should you care? Germany's internal court cases are typically of no interest to other countries, and this case looks very "German". Rather than repeating the entire heise.de article, I want to focus on my view of why this is so dangerous to responsible disclosure as a whole.
The topic is multi-dimensional, but I will first cover two important parts of it:
1. the legislature
2. the judiciary


Legislature

Section 202c of Germany's StGB (Strafgesetzbuch / German Criminal Code) was created by the German government back in 2007 (governing parties CDU/CSU and SPD) and is the root cause of the whole dilemma.
Section 202a makes it an offence to obtain access to data that is "specially secured" against unauthorised access by circumventing that protection, Section 202b covers the interception of data, and Section 202c goes one step further: even preparing such an act (for example by obtaining the password) is illegal as soon as the data is protected by a password (or any other form of protection) and you act without the explicit consent of the owner.

That's it.

Yes.

You won't find a definition of password security. You won't find a definition of baseline security. You won't find any boundaries at all that would force the victim to follow well-established rules.
In other words: because there is no legal definition of what "specially secured" means, it could be a criminal offence to use a password written on a piece of paper to access data for which you don't have the consent of the owner.
Important: the last sentence is exactly how our system works. If something is not defined, our courts have to define it. That is the judiciary's "interpretation of law" for what the legislature created.

💡
So if you as a security researcher (wherever you are located) use my (a German citizen, company or subsidiary) totally unsecured password (written on my forehead) to access my internet-facing database holding sensitive customer information of the whole German population, and I did not give you consent to do that (well ... maybe a password written on one's own forehead might be considered "explicit consent", but that's a topic for later), I just bring a case against you and you will be punished (if Germany's executive is able to get hold of you).


With that said, you understand that a clumsy law still has to be applied by the judiciary, even if it is obviously clumsy.

We are still waiting for the correction of the law by our government, even though they promised it in the past ...


Judiciary

So if the law is so clumsy, why bother with the judiciary at all? What could they have done to at least minimise the problems arising from this?

As in any democracy, our courts are expected not to act arbitrarily. In this case that would mean taking care of a reasonable "interpretation of law", as the boundaries are not set by the statute, as you have seen above. Had that been the case, my article would be unnecessary.
To strengthen Germany's judiciary, there are (as in other countries) different levels of courts, so if you think you have been wrongly convicted you can step up the ladder to the next court and ask them to review the previous court's decision. The highest court in Germany is the Bundesverfassungsgericht, the Federal Constitutional Court. To have a chance of reopening the case before the Federal Constitutional Court you somehow need to show that the judgments of the lower courts infringe Germany's Grundgesetz, the constitution of our country.

So what happened right here with this case over the years?
Interestingly, the first court (the Jülich District Court) decided in favour of the security researcher. It reasonably argued that the extremely weak password protection (plain text inside a Windows executable) could well be seen as "click here for consent", and it dropped the case, because access with consent is no offence at all.

Unfortunately the company, which "secures" its passwords in plain text within executables, simply went up the ladder to the next instance. And here the pain starts.

The Aachen Regional Court ruled that the Jülich District Court could not drop the case, because, in its words, "securing access by means of a password is sufficient as access security". With that it completely ignored its duty to interpret the law where the law lacks the boundaries needed for a reasonable judgment. Following that ruling, the Jülich District Court changed course and followed the judgment of the Aachen Regional Court without any comment that this might be a totally wrong direction.

The next step for the researcher, after being convicted by the Jülich District Court, was to appeal to the Aachen Regional Court. But the Aachen Regional Court did not even consider digging deeper into the topic of "reasonable password security" and its own duty not to act arbitrarily. One step up, the Higher Regional Court of Cologne saw no "legal errors" in the decision of the Aachen Regional Court, which suggests this court did not even read all the available information on the case before coming to a conclusion.

So now we have three courts at three levels (the Jülich District Court, the Aachen Regional Court and the Higher Regional Court of Cologne) that acted at least negligently in convicting a security researcher for opening a Windows executable and reading a password.
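The "access security" in question was a credential stored in plain text inside a shipped executable. As an added example (not code from this article, and not related to the actual binary in the case), here is the kind of check a vendor can run over its own build before shipping: extract the printable strings from a binary image, both ASCII and the UTF-16LE that Windows programs commonly use, and flag anything that looks like a connection string, a URL with embedded credentials or a `password=` pair. The sample image, the host names and the credentials in it are constructed for this example.

```python
import re
from dataclasses import dataclass

# Runs of printable ASCII, as the Unix `strings` tool reports them.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# The same for UTF-16LE, which Windows executables commonly use for
# string literals and resources: every printable byte is followed by NUL.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Credential-looking patterns. Constructed for this example; a real
# secret scanner carries a much longer and more specific list.
CREDENTIAL_PATTERNS = {
    "connection-string": re.compile(
        r"(?i)\b(?:server|data source|host)=[^;]+;(?:[^;]*;)*\s*(?:pwd|password)=[^;]+"),
    "url-with-credentials": re.compile(
        r"(?i)\b[a-z][a-z0-9+.-]*://[^:/\s@]+:[^@\s]+@"),
    "key-value-secret": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*\S{4,}"),
}


@dataclass
class Finding:
    offset: int     # byte offset of the string inside the image
    encoding: str   # "ascii" or "utf-16le"
    kind: str       # which CREDENTIAL_PATTERNS entry matched
    text: str       # the matched fragment


def extract_strings(blob: bytes):
    """Yield (offset, encoding, text) for every printable run in the blob."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in WIDE_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def scan_binary(blob: bytes) -> list[Finding]:
    """Return every credential-looking string found in an executable image."""
    findings = []
    for offset, encoding, text in extract_strings(blob):
        for kind, pattern in CREDENTIAL_PATTERNS.items():
            m = pattern.search(text)
            if m:
                findings.append(Finding(offset, encoding, kind, m.group()))
                break  # one finding per string is enough
    return findings


def build_sample_image() -> bytes:
    """A constructed stand-in for a Windows executable: a DOS header stub,
    some filler, benign strings and two embedded credentials. Nothing here
    comes from a real program; host names and passwords are invented."""
    ascii_secret = b"Server=db.example.invalid;Database=crm;Uid=app;Pwd=hunter2;"
    wide_secret = "postgres://svc:letmein@db.example.invalid/orders".encode("utf-16le")
    return (
        b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
        + b"\x00\x01\x02\x03" * 16
        + b"This program cannot be run in DOS mode.\r\n"
        + b"\x00" * 8
        + ascii_secret            # plain-text credential, as in the case
        + b"\xff\xfe" * 12
        + wide_secret             # the same mistake, as a wide string
        + b"\x00" * 16
        + b"kernel32.dll\x00GetProcAddress\x00"
    )


if __name__ == "__main__":
    for f in scan_binary(build_sample_image()):
        print(f"0x{f.offset:06x} {f.encoding:9} {f.kind:22} {f.text}")
```

Run against a real build, the same scan would read the file with `open(path, "rb").read()` instead of `build_sample_image()`. The point of the wide-string pass is that a plain `strings` run misses UTF-16LE literals, which is exactly where a .NET or Win32 program tends to keep its connection string; a vendor that only greps for ASCII will believe its binary is clean when it is not.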

Just a quick comparison. It would be the same if you found the door to the safe-deposit room of a large bank, with the key sitting in a small compartment secured only by a handle. So you press the handle, get the key, open the door and find the deposit boxes of the bank's most important customers without any further protection. Now the bank accuses you of unlawfully entering the room, because the law forbids obtaining the key without the bank's consent.

Yeah ... exactly ... a no-brainer for any court to use its room for reasonable interpretation of the law to prevent such an incredibly wrong decision.

They didn't.

But wait! There is more! As a last ray of hope, the defendant filed a complaint with Germany's highest court, the Federal Constitutional Court.

And it rejected the complaint ... without any comment, without reasoning, just "because", meaning the court does not consider this whole topic (not only the wrongly convicted security researcher) important enough for the highest court.


Wait ... that's it?

Yes. That's it. This means:

💡
As the highest court has already rejected this case, any future case with the same argumentation will be judged the very same way, in favour of whichever party did not take care of its own security. Just bring a case and accuse the security researcher of unlawfully obtaining access to "password-secured" data. For that you only need a German subsidiary and data hosted in Germany (I am not fully sure whether the German hosting is even necessary from a legal perspective). The law does not exclude foreign researchers. Maybe courts would reject such cases if the researcher obtained access from outside Germany, but who knows for sure. I wouldn't bet on it any more.

Responsible disclosure? Nearly gone, at least in Germany for now, as companies really don't like having their vulnerabilities reported publicly. It is just a question of time until foreign companies find the loophole of creating German subsidiaries and accusing anyone, anywhere in the world, under German law.


Let's quote a very well-known security researcher from the Netherlands: "Germany, what the f*** is wrong with you?! Bring about the correction of your law! We need responsible disclosure!"