
Legal protections for security researchers sought in new German draft law

A German draft law announced this week would protect researchers who discover security vulnerabilities from potential criminal prosecution under the nation’s computer crimes law.

The proposed amendment to German Criminal Code § 202a, drafted by the country’s Federal Ministry of Justice in response to feedback from experts in academia, law and cybersecurity, adds explicit exceptions to the definition of data espionage to exclude data access made with the intention to uncover and responsibly report a vulnerability or other security risk.

“Those who aim to close IT security gaps deserve recognition — not a letter from the prosecutor,” Federal Minister of Justice Marco Buschmann said in a statement, which SC Media translated from German to English using ChatGPT.

Buschmann highlighted the potential consequences of security vulnerabilities on personal data and the operations of organizations including hospitals, transportation companies and power plants, stating it is in the “best interest of society” that security gaps are discovered and resolved.

“With this legislative proposal, we will eliminate criminal liability risks for individuals who undertake this important task,” Buschmann stated.

Proposal clarifies that “unauthorized” access does not include legitimate security research

The original version of Criminal Code § 202a, which covers the crime of data espionage, stated that “anyone who, without authorization, gains access for themselves or another to data that is not intended for them and is specifically protected against unauthorized access by overcoming access security” shall receive a penalty of up to three years in prison or a fine (original German text translated to English with ChatGPT).

The proposed updated version would include the same language, but add a section that clarifies access is not “unauthorized” if it is “carried out with the intent to identify a vulnerability or other security risk in an information technology system” and responsibly report the flaw to an appropriate authority such as those responsible for the vulnerable system, the manufacturer of an affected product or the German Federal Office for Information Security.

The draft also includes a line stating the activity conducted must be “necessary to identify the security vulnerability” to be protected from prosecution, thus potentially excluding cases where excessive access was made relative to what was needed to report and resolve the flaw.

The same amendment that would add protections for security researchers also adds greater penalties for “severe cases” of data espionage, increasing the potential prison time from “up to three years” to “three months to five years.” Severe cases are defined as those that cause significant financial loss, that are conducted with financial motivations or as part of a criminal gang, and that impact critical infrastructure or government systems.

The same protections and increased penalties outlined in the amendment to § 202a will also apply to § 202b and § 303a, which cover data interception and data tampering, respectively.

A public comment period for the proposed amendment will last until Dec. 13, 2024, after which the proposal will go through the process of being forwarded to the German federal parliament for consideration.

A potential blueprint for U.S. law?

Potential criminal or civil liability for research activities has long been a concern in the cybersecurity community following several cases of criminal investigation, lawsuits and legal threats against security researchers.

For example, in 2021, British security researcher Rob Dyke was contacted by police after discovering and reporting a GitHub repository that exposed credentials and other sensitive data to the Apperta Foundation.

In a more recent case in the U.S., researcher David Leroy Ross Jr. was sued by the City of Columbus, Ohio in September 2024 after sharing data leaked from a ransomware attack on the city with the media and criticizing the city for downplaying the attack. The city has since dropped its lawsuit against Ross.

Currently, the U.S. Computer Fraud and Abuse Act (CFAA) does not contain explicit exceptions for legitimate security research, although the Department of Justice changed its policy in 2022 to specifically direct prosecutors not to press charges against those who conduct “good-faith security research.” However, there have been efforts to advocate for a more comprehensive reform of the CFAA to include protections for security researchers.

For example, for more than a decade, the Electronic Frontier Foundation has promoted “Aaron’s Law,” which would clarify the CFAA to prevent cases where researchers or those who commit minor violations – such as breaking a website’s terms of service – could face prison time and other severe penalties. The law is named after activist Aaron Swartz, who died by suicide in 2013 after being prosecuted under the CFAA for downloading large volumes of academic journals from JSTOR using his MIT account.
