August 13, 2007

German antihacker law could backfire, critics warn

Experts say the new law creates legal uncertainty about the use of hacker tools to test the security of computer systems

Germany's new antihacker law could open the door to more cybercrime and not less, security experts warn.

The law, which the German government approved in May and put into effect on Saturday, aims to crack down on the sharp rise in attacks on computers in the public and private sectors.

Although Germany already has approved numerous laws to curb attacks on IT systems, the most recent one aims to close any remaining loopholes. Punishable cybercrimes include DOS (denial-of-service) attacks and computer sabotage attacks on individuals, which would extend the existing law that limited sabotage to businesses and public authorities.

The new law defines hacking as penetrating a computer security system and gaining access to secure data, without necessarily stealing data. Offenders are defined as any individual or group that intentionally creates, spreads or purchases hacker tools designed for illegal purposes. They could face up to 10 years in prison for major offenses.

"Dual use is at the root of the problem with the new law," said Andy Müller-Maguhn, a spokesman for the German hacker club Chaos Computer Club. "You can develop tools, for instance, to test the security of a network system but you can use the very same tools to hack a system. Our concern is that if a person has to go to court for having a hacker tool on his system, he will have to prove his good intentions."

The legal uncertainty created by the new law will make the work of security experts in Germany more difficult, according to Müller-Maguhn.

"The law is counterproductive," said Marcus Rapp, product specialist at the German subsidiary of Finnish security vendor F-Secure. "It will make the security situation worse, not better."

Rapp is concerned about what he calls the law's "broad interpretation" of hacking and the legal uncertainty it creates.

"We use hacker tools to test the security of computer systems; that's an essential part of our business," he said. "Could our use of these tools get us in trouble someday? That's what we don't know."

Russian rival Kaspersky Lab shares a similar opinion.

Hacker tools are "constantly" used by vendors of security software to close security holes, wrote Andreas Lamm, managing director of Kaspersky Lab, in an e-mail. It's also "unrealistic" to believe, he added, that the new law will eliminate the illegal use of these tools, as clever criminal hackers will continue to find ways to operate under the police radar.

Several groups of computer experts that develop hacking tools to test the security of computers and network systems have already pulled the plug on their operations in Germany, either calling it quits for good or relocating to countries without antihacking legislation.

Rapp referred to the situation as "not encouraging."

KisMAC, a self-described "good" hacker group that offers a tool to detect security holes in wireless networks, stopped its work in Germany and plans to resume in neighboring Netherlands.

Phenoelit, another hacker group, has ended its operations in Germany and is also considering the Netherlands as a possible relocation site.

 

©1994-2009 Infoworld, Inc.