An Open Letter to Deutscher Bundestag
RE: StGB § 202 aka Anti-hacking law

Joel R. Voss
5612 University Way NE #210
Seattle, WA 98105

To Whom it May Concern:

I am an American independent security researcher visiting Germany. I use the terms hacker and hacking for my work because they are well-known terms. I attended the CCC (Chaos Communication Congress) here in Berlin at the end of the year, joined by over 4000 hackers. I write regarding a law passed in August of 2007, StGB § 202 aka Anti-hacking law. Many German hackers who release useful tools have closed down their German sites only to reopen in other countries [1][2][3]. Others in the security community mock the law or continue to release despite the law's implications. From the perspective of a security researcher, the law makes illegal a tool that is used for multiple purposes: security improvement and harm. Tools nearly always have this effect because to be effectively useful, they must also be effectively harmful. Many researchers and commenters have made this comment.[5][6][7][8]

Furthermore, Germany is part of a global community where access to tools is international, so your laws do not apply to other countries. This is why tools so easily emigrate from your country upon the enactment of your law. I find myself in this position where your laws affect me although I am merely visiting. I release dozens of security tools that can be used for multiple purposes.

Some security researchers have posited that this law will only be used against hackers for whom there is insufficient evidence for a wiretap otherwise. This is a bad use for the law since it casts a net so wide that any user of the internet could be easily connected. Your students, researchers, and private citizens will all be breaking this law in multiple ways whether they wish to or not.

To protest your law I have written and released a virus for sale on my website. [9] Instead of writing a tool with obvious dual use cases, I have gone to the other extreme to ensure the German government is clear that this is designed to challenge their law on its basis, not on the obvious dual use flaw. I open myself up to prosecution under this law because I believe that it is important for German people and the international community to confront this harmful law in the most direct way possible so that it can be struck down. Others have also put themselves in a similar position and I applaud them on their efforts [10].

In my own country, writing software, whether a virus or a security tool, is protected under First Amendment freedom of speech. Until recently Germans have enjoyed similar or greater freedoms of speech due to human rights law. Even though we often have issues with laws affecting the use of software, there is an important distinction between use of software for harm and distribution of software that can be used for harm. I am also opposed to American laws that make software writers liable for others using their software for harm. As security researchers know, most software is designed in such a way that it is open to use for harm and good. Simple tools such as a web browser, a port scanner, or a file copier can be used for harm even though the tool is essential for proper use of a computer.

Viruses may not have a potential good use; however, the development of viruses is essential as it is a basic form of software. Disregarding a basic form of software because it does not have a clear purpose would be a mistake. Research especially into the most possibly harmful tools must continue for the advancement of science.

In conclusion, I wish to persuade you to rethink this law so that security researchers in your country will have a firm basis for publishing their software without worrying about the government accusing them of a crime. It is quite likely that if the law goes unchallenged and even untested, it will create a long-lasting disservice to developers in your country. I suspect that many will choose to publish their software elsewhere.

1. Phenoelit. http://www.phenoelit.de/
2. Kismac. http://kismac.de/
3. Month of PHP Bugs. http://www.php-security.org/
4. "Achtung! New German Laws on Cybercrime". http://www.securityfocus.com/columnists/448
5. "German sites close, as anti-hacking law arrives". http://www.securityfocus.com/brief/567
6. "New German Hacking Law". http://www.schneier.com/blog/archives/2007/08/new_german_hack.html
7. de.org.ccc Usenet discussion. http://groups.google.com/group/de.org.ccc/browse_thread/thread/1c67436fafc4171a/2351bf14d780aa51?
8. THC. http://freeworld.thc.org/welcome/
9. "SSH Bruteforce Virus". https://www.altsci.com/concepts/virus/
10. "German Researchers to Test New Anti-Hacker Law". http://www.darkreading.com/document.asp?doc_id=134646&WT.svl=news1_2