German Law on Hacking Tools


A company is doing legitimate security testing in Germany, which requires the use of 'hacking tools' (e.g. Kali Linux, Metasploit, etc.) to conduct this work.

A quick online search suggests there are strict laws around the use of such tools (for any purpose) in Germany.

Does anyone know where one could find more details (or get approval) for the legitimate use of such tools in this country, to deliver information security engagements?
Roger Adams asked:

Alex [Alex140181], Software Developer, commented:
You might look for any evidence that any security professionals have actually been prosecuted under the laws (after professional engagements). I'm not aware of any though it might have happened. (I'd like to see any.) Since the basic law is from 2007, it might not be that big of a concern as long as professional protocols are followed. Plenty of time has passed.
Qlemo, "Batchelor", Developer and EE Topic Advisor, commented:
You can use such tools for penetration tests if you have consent, as everywhere.
It is prohibited to record the actions of people without their knowledge if the recording can be traced back to a single individual or group, or otherwise de-anonymized; again, this applies if you do not have their consent.
Roger Adams (Author) commented:
Thanks for the comments. We have also received German legal advice:

The use of hacking tools in Germany is blurry. The legal basis is the "hacking paragraph", which was introduced in 2007 and added to the German criminal code (sections 202a, 202b, 202c).

This makes data espionage and phishing illegal; the main issue is that the law does not differentiate between good (ethical) and bad hacking.

The German parliament and the European Expert Group for IT Security have indicated that the "good use" of hacking tools is not illegal (in fact, many security consultants in Germany use hacking tools); however, there is no official authority or regulatory body that can approve your tool, nor is there a license to buy.

To be on the safe side, good documentation and the management board's approval of the affected company (the e-commerce organisation in your case) are crucial.

There are other issues to consider; for instance, if employees use their computers for private matters, a hacking tool could violate the employees' privacy. Therefore the client company's internal policies should be reviewed prior to engaging.

Roger Adams (Author) commented:
Received external legal advice