So who's more confused, the computer experts or (at least some of) the politicians?:
http://www.jerzy-montag.de/cms/default/dok/185/185831.gesetz_zur_computerkriminalitaet.htm

The problem is that most security experts seem to not understand or seem to want to ignore the proof of malicious intent and purpose specifically stated in the law. The law specifically allows use of otherwise now illegal tools when this use is condoned and authorised by the owner of the system being tested. It specifically states that programs that can also be used to check security are not illegal per se.

In addition, people in the security industry seem to be crying wolf because they don't understand the law's specific emphasis on burden of proof, which increases the strength of the basic tenet of _innocent until proven guilty_ underlying any justice system in a democracy.

It's very simple if you compare electronic breaking and entering to physical breaking and entering:

If you own a building, you can ask someone to try and break in and then ask and/or pay them or someone else to protect it better, but it is not legal for anyone, including university students or professors, to drive around and try to break into any company whose locks and intrusion detection systems they feel like testing.

The Internet's technology and (seeming!) anonymity has made this simple situation look complicated. The main problem is that the Internet started out and is still a Wild West and that the technology involved makes simple things look complicated and/or lets "experts" make it look complicated to normal users.

Very few people would claim that it should be legal for people to try to physically break into businesses or that this would help prevent crime. Even if it became "normal" that hordes of people were running around at night getting kicks and "glory" by trying to break into businesses, no amount of security experts could confuse normal people into believing this is a good idea.

Normal users are beginning to understand enough about computers to see that the "experts" like the CCC claiming the same kind of nonsense about the useful and benevolence of attempts to break into business ICT networks are emperors without clothes. No wonder politicians in some countries are finally doing something to clean up this mess that produces incredible profits for the security industry.

If it were not illegal to try and physically break into a company, many people would try to do that to be able to boast about how they walked around inside some big company's premises last night. This would mean that the security industry would be able to increase sales dramatically.

If this were considered a minor offense, the same or other people would at some point start to break into private homes too. This would then create an incredible market first for improved locks and then for intrusion detection and prevention systems.

It seems that the computer security industry including antivirus vendors and similar companies have at least 3 reasons to shed crocodile tears about the new antihacker law and claim incorrect things about it, though some of their incorrect claims may in fact be due to ignorance about legal concepts:

1) when breaking and entering becomes illegal, most people stop doing it and then sales of security products and services will go down drastically

2) there doesn't seem to be proof of collusion between malware writers and the security industry, but the industry profits from the hysteria caused by viruses and other malware and hacker intrusions and even stir it up.

3) no industry has ever welcomed government regulation, and when it started, the sector's companies have always claimed this would make their work less efficient or even make it impossible. In reality, all industry sectors have needed government intervention to achieve minimal efficiency and make real progress. Too much government intervention is of course bad, but competition and efficiency don't happen unless fair rules and sanctions are established.

As far as i know, a proof of concept exploit is not a 202c violation unless you actually break into the system, not if you only show how it can be done.

>> The problem is that most security experts seem to not understand or
>> seem to want to ignore the proof of malicious intent and purpose
>> specifically stated in the law. The law specifically allows use of
>> otherwise now illegal tools when this use is condoned and
>> authorised by the owner of the system being tested. It specifically
>> states that programs that can also be used to check security are
>> not illegal per se.
>
> You are very wrong. Paragraph 202c makes it very clear that once a
> program is defined as illegal because it's purpose is malicious you
> are already violating 202c by downloading it.

"Once a program is defined as illegal" are the key words. Only programs made *exclusively* to break into systems and specifically *sold* will be banned. Any program that is *also* used by security experts to test systems is not illegal unless used for illegal purposes. They're trying to ban spyware and other crap like virus kits sold by big criminals to petty offenders, not real security tools.

> If you don't understand it, then read 202c again and again...
>
> It clearly says that you are preparing a violation of 202a/202b by
> JUST aquiring the tools.

*certain* tools, not "the tools", not any tools.

> BTW your comparision is completely wrong. 202c ist not about
> unallowed physically or electronically entering. This has been
> illegal before and noone complains about this. 202c defines what the
> law sees as preparation for an unallowed break in. And there is the
> problem. 202c clearly says that you prepare to violate 202a/202b when
> you download a hacking tool.
>
> 202c does NOT say that it is just illegal to download a malicious
> program if your intention is to break into a system. Because such a
> paragraph would be complete nonsense. The moment you really attack
> the system you are violating 202a/202b. And no 202c would be needed.

It seems you haven't understood the following, which i guess i don't have to translate because you're apparently German:

http://www.jerzy-montag.de/cms/default/dok/185/185831.gesetz_zur_computerkriminalitaet.htm
In Zweifelsfällen wird helfen, dass es sich um ein Antragsdelikt handelt - ohne Strafantrag des betroffenen Datennetzinhabers ist also ein Strafverfahren ausgeschlossen. Darüber hinaus war für uns Grüne die Klarstellung wichtig, dass das Gesetz in erster Linie auf professionelle Anbieter abzielt. Zusätzlich hebt nun der Bericht des Rechtsausschusses die Pflicht des Gesetzegebers hervor, die tatsächliche Rechtsanwendung genauestens zu beobachten. Sollten - wider Erwarten - die Ermittlungsbehörden ohne kriminelle Energie handelnde Programmentwickler doch mit Ermittlungsverfahren überziehen, muss der Gesetzgeber darauf zeitnah reagieren.

and this:
Dass sich ein Computerprogramm dazu lediglich "eignet", reicht nicht, um eine Strafbarkeit zu begründen - es muss sich der Sache nach um "Schadsoftware" handeln. Diese Klarstellung macht deutlich: dual-use-tools werden von der Strafnorm nicht erfasst, ihre Entwickler werden nicht kriminalisiert. Auch der branchenübliche befugte und gewollte Einsatz von Computerprogrammen durch Netzwerkadministratoren, mit denen diese z.B. die Sicherheit von eigenen oder Kundendatennetzen prüfen wollen, wird von der Strafnorm nicht erfasst.

> First of all "Die Grünen" are not the ruling party of germany.

I never said that. The reason i quoted a member of the Green Party is because the Greens know more about IT and are more interested in open source and other software issues than the other parties. The reason i quoted Jerzy Montag is because he's the legal expert of the Greens and on the legal committee (rechtsausschuss) that drafted the extra conditions for the law that will decide how the law is applied.

Members of the other parties have used almost the exact same words in calming down people who didn't understand the law and its provisions although these clearly protect honest security professionals and programmers from prosecution.
http://www.abgeordnetenwatch.de/dr_sascha_raabe-650-5542--p466.html
http://www.abgeordnetenwatch.de/thomas_kossendey-650-6008--p491.html
http://www.abgeordnetenwatch.de/dr_thea_dueckert-650-5577--p491.html#frage67281
http://www.abgeordnetenwatch.de/heinz_lanfermann-650-5572--p491.html#frage65139

This
http://www.heise.de/newsticker/meldung/87182
also explains exactly what IT experts are having trouble understanding:

"Die Befürchtungen sind ernst zu nehmen", urteilte Georg Borges, Rechtsprofessor an der im Sicherheitsbereich renommierten Ruhr-Universität Bochum. Es gebe "ein erhebliches Maß an Unsicherheit bei Software-Entwicklern". Bruns räumte ein, dass die gewählten Formulierungen im Gesetzestext "psychologisch ganz anders aufgenommen" würden als juristisch angebracht. So seien beim 202c zwei Filter eingebaut, die auf den Vorsatz und die Absicht zur Straftatvorbereitung anspielen würden. Dies sei für den "juristisch Gesetzesinformierten" verständlich. Die Aufklärung der sich momentan fälschlich betroffen Fühlenden sei aber "eine Frage der Vermittlung".

> The description of "Die Grünen" does NOT MATCH the law that passed.
> The law that passed has NO EXCEPTION.

The description is a very precise summary of the extra conditions added to the law, which are an integral part of the law. As important are the declared political intent of all the parties to swiftly change the law if any innocent people are accused. Didn't you look at the links i sent or even the relevant part i found and quoted for you?!
http://dip.bundestag.de/btd/16/036/1603656.pdf
http://dip.bundestag.de/btd/16/054/1605449.pdf

> And actually it does not matter if there are additional explanation
> papers for 202c out. The judge needs only to obey the law, not some
> extra explanation papers.
>
> BTW. the law does NOT say that the download/usage of the software
> must be part of a preparation for a violation of 202a and 202b to be
> illegal. It says that BY downloading/using the software your prepare
> for a 202a/202b violation.

No it doesn't. It seems you haven't seen the first line of 202c! There is a clear logical and causal relationship that you haven't grasped:

§ 202c Vorbereiten des Ausspähens und Abfangens von Daten
(1) Wer eine Straftat nach § 202a oder § 202b vorbereitet...

And reread the explanations; they clearly explain the causality and logic involved that requires malicious intent to create an offense.

You apparently also didn't understand that there's an extra safeguard built into the law that states that people supposedly breaking the law will not be prosecuted or even charged unless there's a victim (a person or a company) that sues the accused:

In Zweifelsfällen wird helfen, dass es sich um ein Antragsdelikt handelt - ohne Strafantrag des betroffenen Datennetzinhabers ist also ein Strafverfahren ausgeschlossen.
http://de.wikipedia.org/wiki/Antragsdelikt

> BTW: The whole idea to compare computer software with guns is
> completely absurd.

You didn't get that logic either; i was not comparing them. I was responding to and trying to point out how illogical, childish, and irrelevant the quips by others about hammers and sharp items are. You missed the point although i even quoted what i was responding to:

> you Germans might want to enforce an additional law to forbid the
> creation, distribution, and usage of hammers, since those evil tools
> definitely can be used to kill people

> 202c does NOT say that it is just illegal to download a malicious
> program if your intention is to break into a system. Because such a
> paragraph would be complete nonsense. The moment you really attack
> the system you are violating 202a/202b. And no 202c would be needed.

It DOES mean just that even if it doesn't say that directly because of the attached Gesetzentwurf Computerkriminalität http://dip.bundestag.de/btd/16/036/1603656.pdf and
Änderungen des Rechtsausschusses http://dip.bundestag.de/btd/16/054/1605449.pdf

Durch die objektive Beschränkung auf Computerprogramme, deren Zweck die Begehung einer Computerstraftat ist, wird bereits auf Tatbestandsebene sichergestellt, dass keine Computerprogramme erfasst werden, die beispielsweise der Überprüfung der Sicherheit oder Forschung in diesem Bereich dienen. Unter Strafe gestellt werden lediglich das Herstellen, Verschaffen, Verbreiten usw. solcher Programme, denen die illegale Verwendung immanent ist, die also nach Art und Weise des Aufbaus oder ihrer Beschaffenheit auf die Begehung von Computerstraftaten angelegt sind. Bei Programmen, deren funktionaler Zweck nicht eindeutig ein krimineller ist und die erst durch ihre Anwendung zu einem Tatwerkzeug eines Kriminellen oder zu einem legitimen Werkzeug (z. B. bei Sicherheitsüberprüfungen oder im Forschungsbereich) werden (sog. dual use tools), ist der objektive Tatbestand des § 202c StGB-E nicht erfüllt. Die bloße Eignung von Software zur Begehung von Computerstraftaten ist daher nicht ausreichend, so dass auch solche Programme aus dem Tatbestand herausfallen, die lediglich zur Begehung von Computerstraftaten missbraucht werden können.

Zudem muss die Tathandlung zur Vorbereitung einer Computerstraftat (§§ 202a, 202b, 303a, 303b StGB) erfolgen. Entscheidend für die Tatbestandserfüllung des § 202c StGB-E ist, dass der Täter eine eigene oder fremde Computerstraftat in Aussicht genommen hat. Das ist nicht der Fall, wenn das Computerprogramm beispielsweise zum Zwecke der Sicherheitsüberprüfung, zur Entwicklung von Sicherheitssoftware oder zu Ausbildungszwecken in der IT-Sicherheitsbranche hergestellt, erworben oder einem anderen überlassen wurde, da die Sicherheitsüberprüfung, die Ent- wicklung von Sicherheitssoftware oder die Ausbildung im Bereich der IT-Sicherheit keine Computerstraftat darstellen.

Das gilt auch für den Fall, in dem ein Computerprogramm, das ursprünglich nur zu kriminellen Zwecken hergestellt worden ist, verschafft, verkauft, überlassen, verbreitet oder sonst zugänglich gemacht wird, wenn dies ausschließlich zu nicht kriminellen Zwecken erfolgt und keine Anhaltspunkte für eine eigene oder fremde Computerstraftat nach den §§ 202a, 202b, 303a, 303b StGB bestehen. Auch in diesem Fall wird keine Computerstraftat in Aussicht genommen. Wenn also beispielsweise in den Fällen des Entwickelns von Sicherheitssoftware auch Schadprogramme verschafft werden, dann erfolgt dies nicht zur Vorbereitung einer Computerstraftat nach den §§ 202a, 202b, 303a, 303b StGB und ist daher nicht nach den § 202c StGB-E strafbar. § 202c StGB-E ist demzufolge nicht so zu verstehen, dass allein das Herstellen, Verschaffen, Verkaufen, Überlassen, Verbreiten oder sonst Zugänglichmachen der in Rede stehenden Computerprogramme ein Vorbereiten der Computerstraftaten nach den §§ 202a, 202b, 303a, 303b StGB darstellt.

> you Germans might want to enforce an additional law to forbid the
> creation, distribution, and usage of hammers, since those evil tools
> definitely can be used to kill people

You sound like you're a US American, so you'll probably be surprised to know that guns are illegal in most countries for that very reason. We US Americans really should try to join the ranks of civilised nations by preventing the insane daily slaughter caused by millions of guns lying around millions of US homes. In countries where guns are rarely found in homes, fits of violence usually cause bruises or worse but only rarely death. Most people killed by guns in the US are killed in emotional fits, not due to planned murder.