German Law on Hacking Tools

Roger Adams
Hi,

A company is doing legitimate security testing in Germany, which requires the use of 'hacking tools' (eg. Kali Linux, metasploit etc.) to conduct this work.

A quick online search suggests there are strict laws around the use of such tools (for any purpose) in Germany.

Does anyone know where one could find more details (or get approval) for the legitimate use of such tools in this country, to deliver information security engagements?
You might look for any evidence that any security professionals have actually been prosecuted under the laws (after professional engagements). I'm not aware of any though it might have happened. (I'd like to see any.) Since the basic law is from 2007, it might not be that big of a concern as long as professional protocols are followed. Plenty of time has passed.
Qlemo "Batchelor", Developer and EE Topic Advisor, Top Expert 2015
Commented:
You can use such tools for penetration tests if you have consent, as everywhere.
It is prohibited to record the actions of people without their knowledge if the recording can be traced back to a single individual or group, or otherwise de-anonymized - again, unless those people have consented.
Thanks for the comments. We have also received German legal advice:

The use of hacking tools in Germany is blurry. The legal basis is the “hacking paragraph”, which was introduced in 2007 and added to the German criminal code (sections 202a, 202b and 202c).

This makes data espionage and phishing illegal; the main issue is that the law does not differentiate between good (ethical) and bad hacking.

The German parliament and the European Expert Group for IT Security (https://de.wikipedia.org/wiki/EICAR) have indicated that the “good use” of hacking tools is not illegal (in fact, many security consultants in Germany use hacking tools); however, there is no official authority or regulatory body that can approve your tool, nor is there a license to buy.

To be on the safe side, good documentation and the approval of the management board of the affected company (the ecommerce organisation in your case) are crucial.

There are other issues to consider, for instance when employees use their computers for private matters: a hacking tool could then violate the privacy of those employees. Therefore the client company's internal policies should be reviewed prior to engaging.

Author commented:
Received external legal advice
