German law makes hacking a punishable crime

New legislation proposed by the German government aims to make computer hacking a punishable crime.

The draft law, announced Wednesday, defines hacking as penetrating a computer security system and gaining access to secure data, without necessarily stealing data.

As part of the draft, groups that intentionally create, spread or purchase hacker tools designed for illegal purposes could be punished by law, the Federal Ministry of Justice said in a statement.

Other punishable cybercrimes include denial-of-service attacks and computer sabotage attack on individuals, which would extend the existing law that limited sabotage to businesses and public authorities. Offenders could face up to 10 years in prison for major offenses.

Although Germany already has a comprehensive penal law against attacks on IT systems, the proposed revision aims to close any remaining loopholes, the ministry said.

Some security experts warn, however, that "good" hackers, also known as "white hats" who work for security companies, could be restricted in their ability to help software makers and businesses as a result of the proposed law.

If hackers can't share their tools with the public, "white hats will not be able to get them and use them internally for testing or external security consultants won't be able to do security testing," a hacker, known by the pseudonym van Hauser, wrote in an e-mail. "It's a win-lose law in favor for the bad guys."

Van Hauser is president of The Hacker's Choice, a noncommercial group of security experts.