BSI Calls for Reform of "Hacker" Law to Protect Vulnerability Disclosers
Politics

The head of Germany’s Federal Office for Information Security (BSI), Claudia Plattner, is advocating for a significant overhaul of the nation’s controversial “hacker paragraph”, a move sparking debate over cybersecurity and civil liberties. Plattner’s call for reform, outlined in an interview with Funke-Mediengruppe newspapers, centers on the current legal ambiguity surrounding vulnerability disclosure by security researchers and “ethical hackers”.

Paragraph 202a of the German Criminal Code currently prohibits the unauthorized access and extraction of data, effectively criminalizing activities undertaken by individuals – often independent researchers – who identify and report security flaws within corporate IT systems. While intended to protect data privacy, the law has been widely criticized for inadvertently stifling crucial security improvements by deterring those who could proactively address vulnerabilities.

Plattner emphasized the BSI’s firm stance that individuals reporting vulnerabilities deserve legal protection, stating, “If someone comes to me and says, ‘There’s a problem in your software,’ then this person shouldn’t be prosecuted. We should simply say thank you”. This position reflects a growing recognition within German cybersecurity circles that fostering a collaborative approach, rather than a punitive one, is vital for safeguarding the nation’s digital infrastructure.

However, Plattner clarified that such protections are contingent upon demonstrating “good intentions” and a desire to “improve the security of the IT landscape”. This raises questions about how “good intentions” will be objectively assessed and provides a potential avenue for legal challenges and differing interpretations.

The previous government had attempted to address the issue with a draft bill that would create exemptions for responsible vulnerability identification, reporting and remediation. While the bill was a step forward, its implementation has been stalled.

A draft law designed to better protect researchers analyzing security flaws in corporate IT systems is currently under consideration within the Justice Ministry. The proposed legislation aims to decriminalize ethical hacking activities. Plattner stressed the urgency of moving forward with this legislation, highlighting its importance for attracting and retaining cybersecurity talent.

The debate hinges on balancing the need for data protection with the incentivization of proactive security measures. Critics argue that the current framework creates a chilling effect, forcing researchers to operate in a legal gray area, potentially exposing them to prosecution. The BSI’s call for reform underscores the recognition that constructive engagement with vulnerability researchers is essential to bolstering Germany’s overall cybersecurity posture, yet the details of implementation remain contentious and potentially fraught with legal interpretation.