A German court has convicted a freelance programmer of unauthorised data access and fined them €3,000 for investigating an IT problem. The programmer, working as a freelance IT service provider, had been hired to resolve log generation issues in a merchandise management product. During the investigation they discovered that the software opened a MySQL connection to a remote server belonging to the software vendor, and that the server held data on nearly 700,000 customers. Although the programmer reported the finding to the vendor and argued they had acted in the public interest, the court applied the so-called Hacker Paragraph and imposed the fine, treating the password that stood between the programmer and the data as sufficient protection to make the access a crime, even though that password was shipped in plaintext inside the vendor's own executable.
The conviction rests on the programmer's access to data that was protected by a password, which the court treated as data espionage under Section 202a of the German Criminal Code (StGB), the provision covering access to data that is specially secured against unauthorised access. To find out what the database connection was for, the programmer had pulled a plaintext password out of the software's executable. The prosecution claimed the defendant had gone as far as decompiling the software; in court it was established that they had merely listed the printable strings in the executable, the kind of listing the Unix `strings` utility produces, and found the password among them. A hard-coded credential in a binary that is distributed to every customer is therefore recoverable by anyone with a copy of the file, without any reverse engineering. Despite the programmer's clean record and their attempt to disclose the lapse responsibly, the court imposed the fine, raising concern about the precedent the case sets.
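What "listing the strings in the executable" amounts to in practice, as an added example that is not code from the case or from the vendor's product: the script below scans a byte blob for printable runs the way the `strings` utility does (ASCII and UTF-16LE), flags any run that looks like a database credential, and masks the secret so the finding can be quoted in a report. `SAMPLE_BINARY` is a constructed stand-in for an executable, not a real file; its hostname, user names and passwords are invented, and the credential pattern list is an assumption about what such strings commonly look like.

```python
"""Recover printable strings from a binary and flag embedded credentials.

Added example for this article; it is not the code from the case. It does in
pure Python what `strings <exe> | grep -i pwd` does from a shell: scan the raw
bytes of an executable for printable runs (ASCII and UTF-16LE, as binutils
`strings -e s` / `-e l` would) and test each run against patterns that look
like database credentials. SAMPLE_BINARY is a constructed blob, not a real
executable; every hostname, user name and password in it is invented.
"""
import re
from dataclasses import dataclass

MIN_LEN = 4  # same default minimum run length as binutils `strings`

# Credential-looking patterns (an assumption about common shapes), tested
# against each recovered string.
_CRED_PATTERNS = (
    ("db-uri", re.compile(r"\b(?:mysql|postgres(?:ql)?|mongodb|redis|jdbc:\w+)://\S+", re.I)),
    ("password-kv", re.compile(r"\b(?:password|passwd|pwd)\s*[=:]\s*[^;\s'\"]+", re.I)),
    ("user-kv", re.compile(r"\b(?:uid|user(?:name)?)\s*[=:]\s*[^;\s'\"]+", re.I)),
)


@dataclass(frozen=True)
class Finding:
    offset: int    # byte offset of the string inside the binary
    encoding: str  # "ascii" or "utf-16le"
    kinds: tuple   # credential patterns that matched, e.g. ("password-kv",)
    text: str      # the full recovered string


def extract_strings(blob: bytes, min_len: int = MIN_LEN):
    """Yield (offset, encoding, text) for each printable run of at least min_len chars."""
    # Printable ASCII (space .. tilde) plus tab, the set `strings` accepts.
    ascii_run = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    # UTF-16LE: each printable ASCII code unit is followed by a NUL byte;
    # common in PE binaries built with Windows toolchains.
    utf16_run = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}" % min_len)
    for m in ascii_run.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_run.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_embedded_credentials(blob: bytes):
    """Return a Finding for every recovered string that matches a credential pattern."""
    findings = []
    for offset, enc, text in extract_strings(blob):
        kinds = tuple(kind for kind, pat in _CRED_PATTERNS if pat.search(text))
        if kinds:
            findings.append(Finding(offset, enc, kinds, text))
    return findings


def redact(text: str) -> str:
    """Mask the secret part of a credential string so a report can quote it safely."""
    text = re.sub(r"(://[^:/@\s]+:)[^@\s]+@", r"\1***@", text)  # user:pass@host
    return re.sub(r"(\b(?:password|passwd|pwd)\s*[=:]\s*)[^;\s'\"]+", r"\1***", text, flags=re.I)


# Constructed stand-in for a shipped executable (not a real file): a few bytes
# of header and "code" with two hard-coded connection strings between them.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 60                         # fake DOS header / padding
    + b"GetProcAddress\x00LoadLibraryA\x00"              # ordinary import names
    + b"\xcc\xfe\x8b\x45\x08"                            # arbitrary non-text bytes
    + b"Server=db.example.invalid;Database=shop;Uid=app_user;Pwd=Tr0ub4dor&3;\x00"
    + b"\x90" * 8
    + "mysql://report:hunter2@db.example.invalid:3306/analytics".encode("utf-16le")
    + b"\x00\x00"
    + b"log rotation failed\x00"
)

if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_BINARY):
        print(f"0x{f.offset:06x} {f.encoding:8} {','.join(f.kinds):22} {redact(f.text)}")
```

Run directly, the script prints both embedded connection strings with their secrets masked. The point for a vendor is the one the case turns on: a credential compiled into a client binary protects nothing against anyone who can read the file, and the same scan is a cheap pre-release check to run over build artifacts before they ship.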
The programmer's lawyer argued that their client acted in the general public's interest by informing the software vendor of the security issue. The decision raises the question of where the line falls between ethical disclosure of a security weakness and criminal liability for the unauthorised access needed to confirm it. The programmer has appealed, and the case will be heard by the next higher court, the regional court (Landgericht) in Aachen, which may set a precedent for similar situations in the future.