Sunday, March 16, 2008

German sites close, as anti-hacking law arrives

Security researchers in Germany continued to pull down exploit code from their sites last week, scrambling to comply with a German law that makes illegal the distribution of software that could be used to break into computers.

The German law -- referred to as 202(c) -- went into effect on Sunday. Many experts have complained that the language of the law is very unclear, but a strict reading appears to make illegal the distribution, sale and possession of security tools which could be used to commit a crime.

In the latest move, PHP security professional Stefan Esser removed on Friday all exploit code from his Web site dedicated to the Month of PHP Bugs. While reasonable prosecutors would not likely pursue security researchers, the risk is too great, Esser stated.

"The big problem is that the (law) is not clearly written; it allows too much interpretation," Esser stated in the comments to the post. "While our government says that they do not want to punish, for example, hired penetration testers, this is not written down in the law."

Already, a number of other researchers have pulled their tools from their sites or shuttered their sites completely. Late last month, German research group Phenoelit shut down its site but moved the content to the Netherlands. Earlier this month, the developers of the wireless scanner KisMAC closed down their site in Germany as well and said that they would reopen at a later date in the Netherlands.

The German cybercrime provision is the latest law to hobble security researchers' ability to do their jobs. The United States' Digital Millennium Copyright Act (DMCA) -- which was written to provide better protections for copyright, but instead has been used to lock out competition -- has been cited in lawsuits and prosecutions against a number of security researchers.

The German law was passed to meet the country's obligations as a signatory of the Council of Europe's Convention on Cybercrime, a treaty that the U.S. Department of Justice helped craft.