I'm standing there so we can start. All right. Let's start with Uli, or lawyer Ulrich Kerner, who is going to talk about a law that is 12 years old. How the law is being implemented, I don't really know. But it applies to me. So I think: help, I use Nmap. Stop, stop, stop, stop, stop. I'd like to see the hashtag. If you have questions from the internet, Twitter, IRC and Mastodon, please use these hashtags. And now applause for Uli.

Hello, everyone. Thank you for coming. I'm super happy to be here. I already gave a talk three years ago in Hamburg at the Congress. Today, we're talking about the hacker paragraph, 202c in the German Strafgesetzbuch. Please note the subtitle: do not post in the wrong forum. That will be explained later. What do I want to talk about today? First, an introduction to where we are right now. Then the theory of paragraph 202c in lawmaking, in legislation. And then how is this happening in reality? What is the relevance of this paragraph? And then in the end, a little bit of outlook and answering questions. Basically, when we are talking about internet legislation, then we have to talk about two things. First of all, it is still normal in the legal world to use faxes, in the justice system and everywhere, but also between legislators. So in the Bundestag, they start activity, but they usually miss the mark. As an example, about a year ago, someone under the name of Orbit stole data from politicians and prominent people, and they shouted out loud to prevent cyber attacks on politicians. But when you were looking closely, then it turned out there's not a lot of cyber criminality. It's mostly doxing. Most of the data was already available online, and there, according to my knowledge, one or the other account was hijacked. So this didn't use high IT technology or skill, but just the guessing of passwords that were too easy to guess.
And the reaction of the Bundesregierung was that Secretary Stefan Meyer declared that a cyber attack prevention center would be created. We don't know what actually came out of this, but if you Google for Cyber Attack Prevention Center, then you find these things from 2014, a report about a secret report of the financial center for the government. So the National Cyber Attack Prevention Center, they say that this center is not judgmental because it would be... Because the only actual thing they could do was talk about the current situation and give a recommendation. So this is all that this center could have done. So this is what the government is doing to help save our laws. So this is not an easy relation, and you can also see this in paragraph 202c. 202c came into legislation through the Cyber Crime Convention. So I want to talk to you about this process and then talk about what the high court, or the German high court, was actually making out of this, what the constitutional complaint was actually making out of this. So the Cyber Crime Convention is a contract between the European Senate with the goal to have certain standards about bad forms of cyber criminality in the European space and also to make easier the cooperation between the states. And a part of this, Article 6 CCC, is the idea that using computer software that is able to help with such crimes is also already a criminal offense. Here's the English text of this. I also have to add that Article 6 has a paragraph 3 which has a rule that says: this Article 6, we don't want to implement this. So they can refuse to implement it. But I was of the opinion that what we find here, devices including computer programs, that these can be used for all these offenses, that these are written in order to do these or adapted primarily for the purpose of... Yeah, he's basically translating this into English, so I'm not going to translate it back into English. Accessing and monitoring.
All right, there was a law proposed by the government. It was discussed in a controversial way. The Bundesrat was very skeptical about this and said this was going too far. Then the government opposed this. There was a public hearing. And then it was moved into the legal committee. Thank you. And this was recommended to the Bundestag to implement this law, this proposed law. And so what they say is what they want to... the goal they want to reach is, with the new 202c, they want to prevent certain dangerous preparation actions, to make them criminal. So in order to... So you can understand this concept when we are talking about the new 202c, when we are talking about an offence that is also like preparation actions, I want to talk about this. So, in principle, there are always preparing tasks or preparing measures. The criminal is starting the attempt to commit a crime or a punishable action. And with certain crimes, you have the execution and then you have the finalization. An example: if somebody would like to kick someone really, really hard, this alone is not punishable. Now, if that person is wearing really heavy boots so it's going to hurt, this is still not punishable. This is all still preparation. This is not yet assault. So it's not punishable by law yet. Once the person kicks the other person, so they're attempting, but they're missing, this is still an attempt, which means that the immediate step, now it's starting, this line has been crossed. And I am willing to accept the consequences. And at this point, the attempt is already punishable by law, for example, with assault. If you want to kick a car to put a dent into it and the person misses because the car starts, it is an attempt to damage property. But the attempt is not punishable by law because the attempt itself is only applicable for laws that carry a minimum sentence of one year.
Everything that falls into the preparatory stages is not yet covered by the penal code, so it's not punishable by law. If you go into a shop to buy grow lamps and water for an irrigation system to grow plants, this is not yet punishable by law. You need other actions to do that to be punishable. Now, it's in the interest of the legislator to penalize preparatory tasks, preparatory actions, under this new paragraph. In its current form, the hacker paragraph looks like this. If you prepare a crime under 202a or 202b with two preconditions, either if you try to access passwords or other safety measures, or if you use computer programs that have the purpose to execute such an act, or if you sell those, if you procure them, if you give them to other people, if you distribute them, or if you make them accessible to anybody else, you can be penalized with a prison sentence of up to two years and or a financial sentence. Now, you only understand this if you understand both 202a and 202b, the paragraphs that this is based on. 202a concerns the spying of data, so the illegitimate accessing of especially protected files or information; that's also called digital breaking the peace under the second law of fighting corporate crime, which has been put into law in the 90s. It has its current state through the 41st change of the penal code of 202a. So we've got the action to manufacture or distribute programs that can spy data from other people. 202b concerns the capturing of data. Now, it's not necessary that there are special precautions taken to protect the data. The only thing that matters is that there is data that's being transmitted using technical means that has been captured. Another small hint: there are other preparatory tasks like this that are punishable by law. For example, if you change files, if you've changed files and delete files, the law 202c is applicable accordingly under computer sabotage. So if you're interested in this, then have a look at this.
So these other paragraphs are mentioned here, criminalization of preparatory acts. Who wouldn't be? OK, back to 202c, we are talking about the hacker paragraph. The problem here is that computer programs whose purpose is the act of spying or capturing data, using those computer programs is punishable. And so we are asking ourselves, what are we supposed to think about this, and how do we categorize this? So the moderation says, I use Nmap, a very capable tool. Am I already doing something illegal if I have this in my Linux distribution or not? So the law says, demands, that the objective purpose of the program should be the capturing or spying of data. The problem is, programs or objects don't have an objective purpose. Programs and objects have properties. For example, a pistol has the property that it can project a projectile very quickly out of the front. And if someone shoots, like the fact that someone shoots at a target or a peep or a human, it's not the purpose of this pistol; instead its purpose is always given by a person, so it has properties that can be used for different purposes. So in summary, it's unclear what falls under this and what does not. So according to the government, classic or typical hacker tools should fall under this, but not programs that can be used for other purposes as well, such as so-called dual use programs. And that means that this objective culpability of this program is very subjective. And this aspect has to be determined very subjectively. And this is a problem here. So this has been the subject of various constitutional complaints at the constitutional High Court. But the High Court didn't accept these. And so these are the IDs. So if you want to read or Google these, you can find all the information about these. So the High Court said that these complaints, or the people who complained, are not hackers themselves, so they don't have a problem.
So the people who complained were: a teacher at a university who uses many tools and who provides these tools to his students. And you can download these tools from his website. For example, the program Nmap. And so he thought he's already culpable just by doing this. Then a security company CEO, who did penetration tests and used hacker software or software from anonymous hacker forums. And I was the third complainant. So because I thought, I use Linux and have a lot of tools, every Linux distribution has a lot of tools like Nmap, where I can pretty much be sure that it can be used for criminal purposes. I just don't know what the purpose was in the creator's mind of that program. And so I feel very threatened by this. So the High Court needs to know that the people are actually hit by this law. So if, possibly, you interpret this in a different way, then there is a high risk that you are culpable. But the High Court did not agree. They said instead that dual use tools do not fall under this law ever. They also said the purpose is nothing objective and not a property of the program, but describes the purpose of an action and not of the program itself. And this is of course very subjective. But it has to manifest in a way that can be visible in the creation of the program or in the design of the program, however you want to interpret that, or with advertisement that shows exact intent to use this illegally. I still think this is very vague. What does the literature make of this? If you look at the law literature, I'm quoting my co-worker Schröder. So programs whose functional purpose is not uniquely criminal and only by misusing those, you can use them as a tool of network sniffers. So culpability does not apply here, and then a reference to various press releases by the government and other legal decisions. How does this look in reality? It's still very vague. It makes a lot of complications.
And so apart from this law part, how does it look in reality? Now, right now the paragraph 202c still has a comparatively low impact. JURIS is a database for legal decisions, and I checked what's actually in there. And I was really surprised at JURIS in the 12 years since this law has been passed. JURIS has eight decisions. One of these decisions is the decision of the Constitutional High Court. One decision is the Constitutional Administrative Court. It was about the freedom of the press of a mayor. And then we have six civil verdicts from civil courts. For example, the termination of a managing director of a company because of wrongful expenses on his company laptop. There's only one decision from criminal law. It's a verdict from the court in Cologne. This is the verdict about a person who has used these programs. And it's a verdict in a forced legal process. Basically, you can force a decision in a legal matter, and the state attorney can introduce this. Now, if this is not mitigated by the state attorney, then you can go to the court directly and force it to open a legal procedure. And the only criminal case is one that doesn't really get us much further. Now, what else can we say about this? What's the relevance of, for example, the police statistics from last year, 2018? There are four crimes in total, which describe the capturing of data and the preparatory actions, and then data selling in an illegal way. There are four different legal norms that are applicable. Just for comparison, for assault, like assault of a person, there are over 150,000. The likelihood to become a victim of an assault crime is disproportionately higher than to become the victim of a data monitoring and capture crime. Now, I waited a long time to see if somebody is going to contact me and tell me, hey, I've actually got an investigation based on 202c. And last year, I had one case which was terminated this year. And I would like to present this case briefly here.
This is about a software piece called RevCode Web Monitor. The investigating authority was the Central Association Cybercrime (ZCC) at the state attorney's office in Bamberg. It's a special unit or specialty department. Quite a lot of personnel. We've got four upper state attorneys, four different state attorneys, two in the offices. And based on their own understanding, on their own website, this Central Association is responsible in all of the state of Bavaria for all the elevated crimes in the realm of cybercrime. Now, what was the problem in this case? One government official had found, on hackforums.net, a thread about Web Monitor, which was offered as a remote integration tool, RIT. And this is from the verdict from the court: that this software was offered in a non-public forum, which is wrong. Hackforums has 3 million users, according to Wikipedia. And you need to register. Everybody can register if you accept the terms and conditions. And in this case, everybody can look at this thread and read what's been written. Oh, I actually have to go back a couple of slides. So the remote integration tool. Somebody thought, I need to search a bit further, and found a blog entry. From my perspective, not a very serious-looking blog. It's quite a big, strongly worded article that this software was used in a CEO fraud, to produce some sort of evidence. And he said that this was malware that looks like or camouflages as serious software, without producing evidence for this. He said, is this well-programmed, which programming language was used? Based on this, the investigations were started, and the Bavarian criminal office started this investigation with the cybercrime unit of the state attorney's office in Bamberg. They bought this software. They put this into the old malware laboratory, or what they call an investigation or examination of the software.
And then they came to the conclusion, I quote: it is not a pure, single-purpose hacker tool in the sense of 202c of the German criminal code. It is to be checked whether it is a legitimate computer program or a malware program in its whole existence. Now, this already says it is not a pure hacking tool. So that probably means it's probably a dual-use tool. And according to the Constitutional High Court and many other voices, it means it is not a tool to commit a crime. And from my perspective, we could have closed the file at this point and just focused our attention on another case. Not in this case, though. They found an official website, which has a .eu top level domain. And because of this, the Bavarian state, say, police agency, they were of the conviction that the people that were behind the software were obfuscating their identities, I quote. This is because it was advertised on this non-public hackforums.net. He says it was wrong. It was actually publicly available. The true identity of the provider was obfuscated. There is no imprint on the website, which might be a violation of paragraph 5 telemedia law. The domain was officially registered. And they had the mailing address of the person that had registered the domain. The WHOIS entry was complete. But then they saw that the registrar used for this domain was a Russian registrar, which they found very suspicious, even though it was done with the right name and the right address. The host was in Ukraine, which probably had made a good offer. According to the Bavarian state police, this was designed to obfuscate the registration. And then they said embedded links on Facebook and Twitter are leading to non-existent sites. Basically, they had the buttons on the website, but they didn't have the registration. So it was just redirecting to the home pages of Facebook, Twitter, and YouTube. So all of this reads more or less like this. It goes on like this. So the district attorney asked for a warrant.
For a warrant, thank you. And so this says the software is obviously a malware only used for a foreign attacker to control a foreign computer. And so they tried, or have to look at the time, a judgmental warrant. We have a huge discussion about this. So law officials are supposed to get passwords and stuff using this, even for low misdemeanors. And so how does this work? So the criminal investigator gets a file and can ask for a warrant. So they can sign it, or they can say, I think this is fishy. So I'm activating a control instance. And they can then refuse this act. So this is a lot of work. And so you cannot think badly of our judges that they look at these warrants, like proto-warrants, and just sign them because it's just easier. So if someone says this is not a pure malware, then it's automatically dual-use, so it doesn't apply, so 202c doesn't apply. But if someone tells a judge it's obviously used for these prop purposes, then I can kind of see why they just signed this. And so on the other side, we have this huge discussion about whether people can release their passwords. And people say, yeah, but judges control this. You have to see very clearly that this control is a very, very soft control. And you can't take this seriously as a safeguard for individual citizens' rights. A little bit about warrants. How does this work? How do they enter your house? They came as civilians with a package under their arm. They wanted to talk to the person, who didn't come to the door. And there were three people present in the house, and they asked for a specific person. So after everyone showed their passports and identified themselves, then the policemen actually started wearing their vests, so they would be recognizable as policemen. So all the neighbors in this whole village, when they started carrying out everything that was available, they saw immediately: what are these people? Ah, yeah, these are police.
Completely unnecessary, and it left a lasting impression in this village. So these are the tiny little side effects of this theater. My clients, everything got taken away from my client that can be taken away: all the computers which he needs for work, all data storage media, USB cards, USB sticks, hard drives, all mobile phones, lots of correspondence, like paper correspondence, was taken. They also found out which servers the man is using. So 12 servers were seized, all email was seized, email servers. And then what also happened was, because they paid him via PayPal, and his complete data was with PayPal, they also seized financial property, including his bank accounts, all the cash, and his wristwatch. We still have to think about people who are accused: the presumption of innocence. Every normal person who doesn't feel solidarity here is ruined. So, you know, your rent is not paid anymore, the rate for your house is not being paid anymore. The mortgage isn't paid anymore, your car payments, every other insurance, everything that's not getting paid anymore. Your car tax is not getting paid anymore. If you've got a leasing car, this is going to be canceled immediately. It's the maximum catastrophe. So the lower court and the state court have confirmed the seizing of all these assets. After a long time, they said, you know, we're really not sure if these computers are actually means to commit a crime. But they are still items to be seized because they might have been procured for illegal purposes. Now, this is about subjectively assessing what the person that was making the software was thinking when they did it, why they were making it and why they were selling it. And for this subjective assessment, you need communication with potential clients or customers or potential people of interest that are interested in the software. All this digital communication had been seized.
So at this point, I am really not in a position to produce any evidence that exonerates me. Now, they produce an evaluation. And in the evaluation, they said it was recognizable that person one and person two, the two people that were in the crosshairs of the law enforcement agencies, these were not accessible to my client. Now, a year before, in the middle of 2017, somebody had written to say, I'm looking to hack certain accounts. Is it possible to do that if they don't need to enter the info anymore? If they key log it, how can I do this? Now, somebody is asking to hack a computer where parts of the password aren't entered anymore. Can I generate them from inside the system in some way? And my client wrote back: sorry, you mentioned that you want to hack accounts. Our legal guidelines do not allow us to continue this correspondence at this point. So this is not our type of business. We don't want this business. And to another person, he replied, or he wrote to a different person: I wonder what some users are thinking when they just tell us this. No, that was pretty nice. So at least to find this in a written report from the Land Office of Criminal Investigation that there was no criminal intent; there were a few other things. The final report of the Land Office of Criminal Investigation, LKA, refuted the intent to sell for criminal purposes. But they said this was not a pure dual use tool. So this is a pretty absurd accusation or allegation, because for the federal constitutional court, this interpretation is not admissible. There were different conditions for what this device can do, for example, silent installation, which really troubled them a lot. TeamViewer also has a silent installation. This was apparently not known to them in similar cases. So in the end, it's going to go like this. The police finishes the investigation, hands it over to the state's attorney's office.
And the state's attorney's office has closed the procedure, closed the case after seven months based on letter two. My client had really been hit hard by this whole case. And this is what a mobile phone looks like once the Land Office of Criminal Investigation has taken control of it. And they completely ripped it apart. At the top, you can see the chip that had been soldered or somehow removed out of it. And here, you can see a hard drive. And as you can tell, this was taken out of its casing. And there is no potential to put it back in in any way. Fitting to the motto of this Congress, resource exhaustion, apparently they didn't have the capacity anymore to put it back together. Now, this whole nightmare was basically over. There is still a criminal sort of restitution process, which has not yet finished. I'm really, really short on time. I'm going to get to the finish now. Now, one of the questions that people ask themselves, that use software like this, that write software, that develop it, that test it, that in the end say, I might be in a legal realm where I think I'm not really punishable. But the LKA, the Office of Criminal Investigation, might see it differently, like in this case. Now, what are protective measures that people can take that are handling software like this? Now, this means seriously, do not post into the wrong forums. Stay away from everything where an LKA official might think this is only hackers, because hackers are only criminals. Even though I think this is really, really absurd. You should only demonstrate legal means of use and do not engage in discussion about illegal means to use the same piece of software at all. And also be really cautious that your warning, your measures of precaution that this should not be used illegally, is not interpreted as actually promoting the illegal use of this product.

Ulrich, your time is over. We don't have time for Q&A.
Thank you so much for your presentation, and I believe that is your applause. Thank you also from the translation team. We have been Joan Z, YT Chan, and Brick the System. Thank you for listening, and see you soon. Does anyone have questions? Send me an email. I might not be able to answer in full length, but I might try to answer then. So if this topic is very interesting to you, or if you fall under this, or if you're unsure where you should research this, you can find me on the internet under that name, and do not confuse me with the other lawyer of the same name from Hannover.