Germany's new antihacking law: Bad for security?
Some charge that a new move to criminalize "hacking tools" as of Saturday could stunt legitimate security research, as some choose to exit Deutschland altogether.
As of Saturday, it's a crime in Germany to build, sell, distribute or obtain so-called "hacking tools" designed to allow access to protected data or promote other illegal acts.
The intention of the lawmakers, who proposed the measure last year and passed it in late May, was to crack down on attacks on government and private-sector computer systems. Penalties include prison sentences of up to 10 years and fines, IDG News Service reports.
But some security industry representatives are worried the law will actually make the nation less safe because they believe it'll be more difficult for "good" hackers employed by companies to do research. They say the law could make it illegal to use popular free tools like nmap, an open-source network exploration program, and Nessus, top-rated network vulnerability-scanning software.
"Already it seems that the law will have the unintended consequence of making legitimate research just that much harder, only deterring the legitimate researchers and the opportunistic attacker," a representative from the Australia-based security research firm Sunnet Beskerming wrote on the company's Web site Sunday. "The serious criminal will just keep on going with their malicious activity, probably a little bit bolder--safe in the knowledge that the German government has just made it a little bit more difficult for them to be found."
Some security experts say it's arguably still kosher for them to report on security vulnerabilities and how to exploit them, but it's possible some tools they would use to derive those findings could be verboten.
Still, like the well-documented phenomenon of corporations moving their operations to more favorable tax-law climates, some groups and firms have already opted to shift operations that they believe may run afoul of the law to outside German borders.
The makers of a product called KisMAC, a wireless network discovery tool for Mac OS X, said in a note at their Web site that the law shows "complete incompetence" but vowed to resume their activities in the nearby Netherlands.
"Even worse, politicians still believe in the successful ban of digital information, obviously not reckoning globalization," the KisMAC representative wrote. "We are heading straight to a country I do not want to be living in."
A group called Phenoelit also recently abandoned its German Web site and relocated its network packet-sniffing and password-cracking tools to a U.S. Web server.
For those of you who can read German, the government's explanation of the new law is available in PDF form.