Whoever prepares a crime according to §202a or §202b and who creates, obtains or provides access to, sells, yields, distributes or otherwise allows access to
* passwords or other access codes, that allow access to data or
* computer programs whose aim is to commit a crime
will be punished with up to one year jail or a fine.That's it, create or obtain a hacking tool and you could find yourself behind bars. No exclusion for security professionals, no definition of what exactly the 'aim' of a computer program means.
Let's get it out of the way: Guns don't kill people, people with guns kill people. People with hacking tools can steal your personal data, shut down your system and deface your web site -- but is that any reason to ban them? I've got five good reasons why restricting hacking tools is not like gun control.
Reason Number One: It's hard to know exactly if a given program is aimed at committing a crime. Is it enough to simply be a popular tool with criminals? A port scanner can help you find vulnerable ports in a computer which you can then either secure or exploit to gain access. How about password recovery tools -- you can use them to determine an old password, or crack other's passwords? Packet sniffers -- network analysis or eavesdropping? There are a whole range of tools that are commonly used by hackers, both benign and malignant, that can be used to commit a crime -- may in fact be intended to commit a crime -- which have entirely legitimate and innocent uses as well.
Reason Number Two: Guns have a much smaller effective range than hackers. A local gun restriction law -- if it works -- can curb gun violence locally. A law restricting the use of hacking tools in Germany is going to do German businesses no good at all against a hacker from Nigeria, Russia, China or the United States (taking some countries semi-randomly), all it does is restrict their abilities to defend themselves. The Internet is global, national laws for protection are, at best, paper shields.
Reason Number Three: In the majority of countries that restrict possession of weapons, security professionals are licensed to carry them - there's nothing like that in the German law. Only the most radical gun restriction proponents argue to strip police of their handguns, but many of the same people seem to have no problem with the blanket banning of "hacking tools". Computer security professionals need to be able to use whatever tools they can find to protect their businesses, what good is penetration testing if you don't use the same resources that an attacker would use?
Reason Number Four: It will cripple education. If you're studying computer science how can you learn networking without using a port scanner? How can you study encryption without learning how it is broken? How can you learn application programming without understanding buffer overflowing? If the tools to research these kind of things are illegal, then the standard of programming and the level of knowledge of average, law abiding developers goes down. Worse, they might not even realise that there are gaps in their understanding.
Reason Number Five: It's an oft repeated statistic that a gun in the house is more likely to kill a family member than an intruder -- that is, many incidents of gun violence are not caused by criminals. Some are, sure, but it's dead easy to shoot someone. Malicious hacking on the other hand is planned, premeditated and takes a great deal of knowledge and practise. Nobody can break into a safe in the heat of the moment, and you can't set up a botnet by accident. One hundred percent of the people you want to stop using hacking tools are going to ignore this law because they know they're breaking the law anyway. To put it simply, a law such as the German one just won't work to cut down on electronic break ins.
Laws such as this help no one, and will, in the long run, do a lot of harm to the levels of computer security for local businesses and people in general. In short, the side effects of such a law include reducing local knowledge of security and businesses ability to protect themselves, and ultimately failure at stopping the kind of hackers the law is aimed at. To me the whole think stinks of making a law without asking anyone who knows anything about the subject. Keep an eye out, these laws could even now be heading to a politician near you.
1
John Hardin - 17/07/07
Nick:
The law you quoted states "Whoever prepares a crime according to §202a or §202b _and_ ..." (emphasis mine) - this means that "access tools" are only punishable when used in relation to planning or committing a crime. It is not a blanket ban.
That is the exclusion you're looking for. A professional security consultant is not committing a crime in performing a pen test or other analysis under contract, so would not be subject to punishment under this statute. It addresses most of your points, including education, law enforcement and system defense, and nullifies a large part of your thesis.
(However, I'm not familiar with §202a or §202b, so the definition of "crime" may be more broad than I am assuming...)
To adopt your model of comparison to firearms laws, it is similar to the statutes that add additional penalty for committing a crime if that crime is committed using a firearm.
Granted that a German law will have no effect on a criminal located outside of Germany, but it can have a suppressive effect on computer criminals located *within* Germany attacking others inside and outside of Germany.
"It's an oft repeated statistic that a gun in the house is more likely to kill a family member than an intruder -- that is, many incidents of gun violence are not caused by criminals." Repeating something a lot does not give it factual accuracy, and the statement that "many incidents of gun violence are not caused by criminals" without citing any statistics in support smells strongly of random hysterical gun-bashing.
And what is the relevance of this to your argument? You seem to be comparing malicious hacking to non-criminal firearms ownership (which would be a strawman argument), rather than comparing malicious (criminal) hacking to malicious (criminal) gun violence or comparing innocuous (educational, security) hacking to innocuous (hunting, self-defense) gun use. I don't think it supports your point very well, unless it's a (flawed) appeal to emotion rather than reason.
» Report offensive content
2
Michael Durwin - 17/07/07
I agree with the author, hacking should not be the same level of crime as gun violence. It should be higher. Who uses hacking to protect themselves? You can't go hunting with a good hack and expect to catch anything. Because hacking is not often enough considered a crime, it is often seen as mischievous fun. It's not. It costs billions of dollars, countless man hours to overcome, and could go so far as causing a crack in national security.
Hackers are only out to look cool, by hurting others.
» Report offensive content
3
Charles H. - 17/07/07
I think I'll have to disagree on all points:
1.) It's equally hard to know if a gun is going to be used to commit a crime. Even automatic weapons could be used for only self defense.
2.) Local gun purchasing restrictions do nothing to keep guns bought elsewhere for coming in. Local laws to keep guns out (like no guns on Virgina Tech's campus) don't keep guns bought elsewhere off campus. Local laws help but without considerable infrastructure, they are also a paper shield.
3.) A bit of a stretch but without access to weapons, one is not very able to develop defenses against them (e.g. better plastic armors, etc.).
4.) Banning firearms makes learning how to hunt or defend ones self with a firearm nigh impossible.
5.) Just as firearms are dangerous in the hands of the foolish, so too can be computer programs. Take the example of a 13 year old interested in computers. He/she downloads some tools and some viruses from hacking sites and foolishly runs or misuses them in an attempt to understand them (just as a foolish teen may do with a firearm). The danger is less likely to be life threatening, but it can easily deal a great deal of economic damage.
Certainly there are differences between hacking tools/programs specifically designed to be malicious and guns. I'm not arguing that they are exactly the same, but I think if you examine your arguments, you'll find they are probably much weaker than you think. People have a right to the tools that allow them to defend themselves. This includes computer programs, firearms, and other things that could potentially be dangerous.
» Report offensive content
4
Matthias Osterrieder - 17/07/07
I agree with John, but it took me a while to read through his response and I don't think I got all of it. In a nut shell, I was thinking the same thing he was saying as I read the article: the law only restricts harmful use of such programs and code, and, not to say you are not smart, but I think that the people who designed the law we're not stupid and probably thought about it more than you did before writing this.
» Report offensive content
5
dan - 17/07/07
Interesting... if this is actually a ban and german security professionals now have their hands tied, there will be a huge new market for outsorced german it security. German companies will have to hire Russians and Americans etc. to secure their systems. May be interesting for business.
» Report offensive content
6
Jen Larkin - 17/07/07
I think that most of the commenters are completely off the mark because the important part of the law is not the first line but "otherwise allows access to: computer programs whose aim is to commit a crime." I was writing a detailed response about why that is the important part but this site auto-refreshed my page after I wrote about 500 words and deleted everything that I wrote, so it is clear that the people who put together this site are not the least bit interested in intelligent discourse.
I hope the developers go jump in a very cold lake.
» Report offensive content
7
Jen Larkin - 17/07/07
I think that most of the commenters are completely off the mark because the important part of the law is not the first line but "otherwise allows access to: computer programs whose aim is to commit a crime." I was writing a detailed response about why that is the important part but this site auto-refreshed my page after I wrote about 500 words and deleted everything that I wrote, so it is clear that the people who put together this site are not the least bit interested in intelligent discourse.
I hope the developers go jump in a very cold lake.
» Report offensive content
8
Jen Larkin - 17/07/07
In other news, the comment interface doesn't know the difference between preview and post, so I don't think I'll be coming back here.
» Report offensive content
9
Dave Hancocks - 17/07/07
As an aside (on topic) If I use Microsoft Access to store all my passwords and various Banking details etc., and someone gains access (no pun intended) to this Data and decides to use that information... Surely Bill Gates is Guilty of the crime of supplying/making/causing to be available the program that was used in a crime..... ?
» Report offensive content
10
Molly Bennett - 18/07/07
This is exactly what we need. The German government understands that to prosecute and convict hackers, the law must be broad enough in scope to catch all variants of the criminal activity. The fact that German law does not apply to criminals outside of Germany does not negate the effect of the law. It will slow down the criminal hacking activity inside Germany. The fact that US state law does not prevent murder on foreign soil does not mean state laws are ineffective at preventing murder.
» Report offensive content
11
Typoist - 18/07/07
First, the comparison is meant solely to get attention and serves no purpose clarifying the issue. If someone has a gun pointed at you, a gun might just be the thing that could save your bacon; if someone hacks your bank account - you can't see it coming and hack them first........
Second, the article is written as if is fact, when it is opinion......... Third, the issue should be about the extent of the law, not a gun comparison. People use cars to make their get-away from a crime = cars should be illegal.........
The law seems to me (opinion) to be to broad to be realistic.
What if YOU get infected by a virus and pass it to another computer?
What if a hacker stores files on your PC?
Without intent (at a minimum) how can there be a crime? Show me the victims body before you find me guilty, please.
» Report offensive content
12
Typoist - 18/07/07
Unless, the point of this law is to make people afraid to use the web.
Then, it would make perfect sense to me.
» Report offensive content
13
jimmy - 30/12/08
I am agree with author but if hacking is used only for positive and health purpose.Other wise hacking is very bad.http://www.quranreading.com/ get information here.Jen Larkin you are right.But do not take it serious.
» Report offensive content
14
Body Armor - 28/10/09
All you need to know about bullet proof vests, protective clothing, concealable body armor and tactical body armor.
» Report offensive content
15
www.islamicnet.com - 14/05/10
I agree with John, but it took me a while to read through his response and I don't think I got all of it. In a nut shell, I was thinking the same thing he was saying as I read the article
» Report offensive content