Prepare for data spying and interception

from Wikipedia, the free encyclopedia

Preparing to spy on and intercept data (colloquially also hacking paragraph or hacking tool paragraph ) is an offense that is standardized in Section 202c of the German Criminal Code (StGB). It was passed by a large majority in the German Bundestag at the end of May 2007 . The paragraph makes the procurement and distribution of access codes to access-protected data as well as the production and use of tools that are useful for this purpose, as preparation for a criminal offense, a punishable offense (maximum two years imprisonment ). A legal opinion by the European Expert Group for IT Security (EICAR) assumes that benign activities (in the service of IT security) are not punishable under this paragraph if detailed documentation is provided.

History of origin

It was incorporated into the German Criminal Code by the Forty-First Amendment to the Criminal Law to Combat Computer Crime (41st StrÄndG) and came into force on August 11, 2007. Among other things, the German legal norm criminalizes the production and distribution of so-called hacker tools under certain circumstances. This implements the Council of Europe Convention on Cybercrime of November 23, 2001 (Cybercrime Convention, ETS No. 185) and the framework decision of the Council of the European Union on attacks on information systems. The maximum sentence in the original version from 2007 was one year imprisonment.

Article 9 (2) of Directive 2013/40 / EU requires a minimum maximum penalty of two years. The implementation took place with Art. 1 No. 5 of the law to combat corruption by increasing the range of punishments in § 202c Abs. 1 StGB new version to two years.

Legal position

Section 202c preparing the spying and interception of data

(1) Anyone who prepares a criminal offense under Section 202a or Section 202b by

1. Passwords or other security codes that enable access to data (Section 202a Paragraph 2), or
2. Computer programs the purpose of which is to commit such an act,

manufactures, procures for himself or for another, sells, leaves to another, disseminates or otherwise makes accessible, is punishable by imprisonment for up to two years or a fine.

(2) Section 149 (2) and (3) apply accordingly.


Which software falls under hacker tools is formulated very vaguely in the legal text and has therefore met with considerable criticism, especially from security experts and IT industry associations. Above all, it is criticized that the only decisive factor is that a program or information could be used to penetrate third-party computers and that there are no exceptions that allow use for legal purposes. For example, a criminal complaint was filed against the Federal Office for Information Security because the office itself allegedly violated the law. The public prosecutor's office in Bonn closed the investigation because the offense according to § 202c StGB was not fulfilled. In February 2008, the Mannheim public prosecutor's office in the case of Michael Kubert's self-disclosure was also discontinued.


As a reaction to the growing criticism, the Legal Committee of the German Bundestag pointed out in a report in 2007 that the goodwill handling of hacker tools by IT security experts is not covered by Section 202c of the Criminal Code. In July 2007, the Federal Minister of Justice Brigitte Zypries also repeatedly pointed out that this paragraph only criminalizes preparatory acts for computer crimes.

The legal situation for the manufacturers of hacking tools was also questionable if, for example, they distribute their software on the Internet and this is actually misused by criminals for criminal offenses. For this reason, many manufacturers are relocating their offerings to foreign websites or publishing abroad.

Another example of the ambiguity of this paragraph is the decision of the public prosecutor's office of the Fulda Regional Court. This is also the case with the voluntary disclosure of the managing director Herbert Treinen of dit-consulting GmbH, also an IT service provider and therefore inevitably dependent on the use of so-called hacking tools , was discontinued in February 2008. The reason given by the public prosecutor's office was that “Sections 202a, 202b do not exist due to a lack of illegality ” and therefore no conviction was to be expected. According to the public prosecutor's office, the offense of Section 202c of the Criminal Code was also not fulfilled, since the hacking tools were only procured and used for “benign” purposes.

The end of 2008, filed a voluntary disclosure was also the iX - Chief Editor Jürgen Seeger from the Hanover public prosecutor "for legal reasons" in March 2009 rejected. Seeger had reported himself after he published an iX special issue "Safe on the Net". This contains, among other things, a data carrier with the Linux distribution BackTrack , which contains various hacking tools. "Due to the considerable legal uncertainty not only with professional security experts, but also with magazines, we have no choice but to have the legal classification of the distribution of such programs checked as part of a voluntary disclosure," commented Seeger on his voluntary disclosure. The public prosecutor, in turn, commented on the rejection to the effect that it depends primarily on the actor's subjective perception . This is also reflected in the draft law.

In 2008, the Chaos Computer Club examined the effects of the change in the criminal law of the hacker paragraph and, in a statement, found location disadvantages for IT companies in Germany. Rather, these legal measures would run counter to the legislator's goal and lower the level of security: “Security researchers and companies can no longer provide services without exposing themselves to the risk of criminal prosecution.” Rather, it shows that the legislator's goals are to improve the security situation achieve, have been missed. The criminalization of software manufacturers and users leads to a location disadvantage for German research and economy.

In jurisprudence, the provision was referred to as a criminal offense "without a recognizable 'core of injustice'".

Constitutional law

Due to this ambiguity, three people - one from the IT industry, one from the academic sector and the Berlin lawyer and criminal defense attorney Ulrich Kerner - each filed a constitutional complaint against the so-called hacker paragraph (more precisely: against § 202c paragraph 1 No. 2 StGB). The three complaints were rejected as inadmissible by the Federal Constitutional Court (BVerfG) on May 18, 2009 . The BVerfG justified the rejection by stating that the complainants' basic rights were not “themselves, presently and directly” affected by Section 202c of the Criminal Code . After all, there is no risk of criminal prosecution if the text of the law is interpreted in conformity with the constitution for the activities they mention in dealing with such programs. On the one hand, one cannot assume (especially with so-called “dual use tools”) that the programs have the “purpose of committing a crime”. In any case, the complainants lacked the “ subjective characteristic of the preparation for a computer crime”.

Situation in Switzerland

Article 143bis StGB makes unauthorized entry into a data processing system as such, Article 143 data theft and 144bis data damage a punishable offense. In addition, there are civil law claims for damages .

As of January 1, 2011, Art. 143bis StGB was expanded in Switzerland to include provisions analogous to the German hacker paragraph.

See also


  • Dennis Jlussi: IT security and § 202c StGB - criminal liability when handling IT security tools according to the 41st Criminal Law Amendment Act to combat computer crime , Hanover / Munich 2007.
  • Kai Cornelius: On the criminal liability of offering hacker tools , in Computer und Recht 2007, p. 682 (688).
  • Kai Cornelius: Good or not good - What to consider when developing security software, iX 3/2008, page 101.
  • Gröseling / Höfinger, The criminal handling of 'hacker tools' on the test stand , in Multimedia und Recht 2007, issue 12, p. XXVII.
  • Ines M. Hassemer: The so-called hacker paragraph § 202 c StGB - Criminal IT risks in companies , in JurPC Web-Doc. 51/2010, para. 1 - 47.
  • Stefan Holzner: Clarification of criminal offenses by the legislator required , in Zeitschrift für Rechtssppolitik 2009, p. 177.
  • Carl-Friedrich Stuckenberg: Much Ado About Nothing? - No criminalization of "IT security" by § 202c StGB , in Zeitschrift für Wirtschafts- und Steuerstrafrecht 2010, p. 41.

Web links

Individual evidence

  1. a b Dennis Jlussi: IT security and § 202c StGB. (PDF; 231 kB) European Expert Group for IT Security , October 19, 2007, accessed on October 25, 2012 (legal opinion issued as part of the Information Security Summit).
  2. Forty-first Amendment to Criminal Law to Combat Computer Crime of August 7, 2007 ( Federal Law Gazette I p. 1786 , PDF)
  3. a b Editor nC: network Computing . Test, trends, technology for technical IT decision-makers. March 2, 2010, ISSN  1435-2524 , p. 66 .
  4. Cybercrime Convention of the Council of Europe
  5. Framework decision 2005/222 / JHA of the Council of February 24, 2005 on attacks on information systems . In: Official Journal of the European Union . L, No. 69, pp. 67-71.
  6. Directive 2013/40 / EU
  7. The BSI and the hacker paragraph § 202c: No prosecution by the public prosecutor . TecChannel
  8. Hackertool Paragraph 202c: Proceedings closed . ( Memento from February 10, 2009 in the Internet Archive ) SpitBlog
  9. BT-Drs. 16/5449
  10. ^ Testimony by Brigitte Zypries on July 26, 2007 on parliament
  11. The Hackers Choice ( Memento from September 16, 2010 in the Internet Archive ) as an example of a separation of German and international websites
  12. a b Public Prosecutor's Office at the Fulda Regional Court. Reference 12 Js 17070/07 dated February 25, 2008
  13. Az. 1111 Js 181/09, see also: Heise report online, March 10, 2009
  14. ^ Message from Heise Security, December 19, 2008
  15. CCC: Hacker Paragraph Endangers Germany's IT Location Golem, July 21, 2008
  16. Eric Hilgendorf : Right through wrong? Interkulturelle Perspektiven , in: Juristische Schulung (JuS), Issue 9/2008, pp. 761–767 (p. 766 fn. 59).
  18. a b Federal Constitutional Court - Press Office -: Press Release No. 67/2009. June 19, 2009. Retrieved June 19, 2009 .
  19. Federal Constitutional Court: Order of May 18, 2009, file number: 2 BvR 2233/07, 2 BvR 1151/08, 2 BvR 1524/08. Retrieved June 19, 2009 .
  20. Federal Constitutional Court: Order of May 18, 2009, file number: 2 BvR 2233/07, 2 BvR 1151/08, 2 BvR 1524/08, paragraph 62 ff. Accessed on June 19, 2009 .
  21. Federal Constitutional Court: Order of May 18, 2009, file number: 2 BvR 2233/07, 2 BvR 1151/08, 2 BvR 1524/08, paragraph 70 ff. Accessed on June 19, 2009 (link to (special) subjective features in the subjective Facts not in the original; italics not in the original).