Monday, July 09, 2007

Owning "hacker tools" is now a crime in Germany

As you may have seen, the German Parliament made certain revisions to the German criminal code, one of which added a new section 212c StGB.

According to the only (unofficial) translation I can find right now, it provides roughly as follows:

Whoever prepares a crime according to §202a or §202b and who creates, obtains or provides access to, sells, yields, distributes or otherwise allows access to

* passwords or other access codes, that allow access to data or
* computer programs whose aim is to commit a crime

will be punished with up to one year jail or a fine.

I assume, though I have not seen this in the few stories I’ve seen about the new German law, that the German Parliament passed it as part of the country’s effort eventually to ratify the Council of Europe’s Convention on Cybercrime. Germany signed the treaty back in 2001, but like many countries that have signed it, they have not yet ratified the Convention.

The usual reason for the delay in ratifying is that a country needs to get its local law up to the standards required by the Convention, and Article 6 (“misuse of devices”) of the Convention requires that:
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right:

a the production, sale, procurement for use, import, distribution or otherwise making available of:

i a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Articles 2 through 5;

ii a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed,

with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5; and

b the possession of an item referred to in paragraphs a.i or ii above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5. A Party may require by law that a number of such items be possessed before criminal liability attaches.

Article 6(2) of the Convention notes, though, that the provisions set out above
Shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in paragraph 1 of this article is not for the purpose of committing an offence established in accordance with Articles 2 through 5 of this Convention, such as for the authorised testing or protection of a computer system.

Articles 2-5 of the Convention define unauthorized access to computer systems and related offenses. I don’t know if the new German law includes a provision that restates the exclusion given in Article 6(2) or not.

So what is the point of all this? As I think I’ve said before, laws like this are, as far as I can tell, analogues of laws many U.S. states have which make it illegal to possess what are called “burglar’s tools.” They’re all pretty much the same. Here is Colorado’s possession of burglar’s tools statute:
A person commits possession of burglary tools if he possesses any explosive, tool, instrument, or other article adapted, designed, or commonly used for committing or facilitating the commission of an offense involving forcible entry into premises or theft by a physical taking, and intends to use the thing possessed, or knows that some person intends to use the thing possessed, in the commission of such an offense.

Colorado Revised Statutes Annotated section 18-4-205(1). Possessing burglar’s tools is a Class 5 felony in Colorado, which is apparently punishable by imprisonment for 1-2 years followed by one year of parole. Colorado Revised Statutes Annotated section 18-1.3-401(1)(a). I suspect the sentence is pretty much the same in all the states that have this crime.

As I think I’ve mentioned before, the reason for having this crime is to let law enforcement officers step in and interrupt a crime before (presumably) it’s about to be committed. So if they stop someone in a car or someone sneaking down an alley and find they’re carrying burglar’s tools as defined above, the officer can arrest that person for possessing the burglar’s tools. This does two things: First, it means the officer doesn’t have to hang around and wait until the person actually breaks into a house or business in order to be able to make an arrest; law long ago decided that’s not a good way to go, since it radically increases the danger to those who may be inside the burgled building, as well as maybe the officer, too.

Now, even without a possession of burglar’s tools offense, an officer could arrest the person sneaking around with what are clearly tools intended to be used to burgle for the distinct crime of attempted burglary. Attempt crimes were invented, at least in the Anglo-American legal system, purely to let officers interrupt criminal activity before the criminal had gone all the way and was actually involved in the commission of what laws calls the substantive crime. Burglary (like murder, homicide, any crime with a completed “harm) is a substantive offense, while attempt is an incomplete, or inchoate crime.

So where does this leave us with the new German law? Well, I assume the immediate driver was the country’s desire to be able to ratify the Convention on Cybercrime. And I assume the reason for including this provision in the Convention was a version of the burglar’s tools rationale.

The very long Explanatory Report for the Convention adds another rationale:
This provision establishes as a separate and independent criminal offence the intentional commission of specific illegal acts regarding certain devices or access data to be misused for the purpose of committing the above-described offences against the confidentiality, the integrity and availability of computer systems or data. As the commission of these offences often requires the possession of means of access ("hacker tools") or other tools, there is a strong incentive to acquire them for criminal purposes which may then lead to the creation of a kind of black market in their production and distribution. To combat such dangers more effectively, the criminal law should prohibit specific potentially dangerous acts at the source, preceding the commission of offences under Articles 2 – 5.

Explanatory Report, Convention on Cybercrime, paragraph 71.
I find the uproar in Germany particularly interesting given that I’ve never noticed anything similar here . . . and we not only signed the Convention on Cybercrime in 2001, we ratified it last year. To ratify it, of course, we, too, have to have law implementing the provisions of Article 6(1). You can find those provisions in sections 1029 and 1030 of title 18 of the U.S. Code – the federal criminal code, in other words.

No comments: