Is Hacking Illegal? A Deeper Look at Hacking Laws

A deeper look into the German hacking laws to see what kind of actions are illegal. There are some surprising edge cases and lots of room for debate.

Obviously this video is not legal advice.

I forgot about StGB 263a "Computer Fraud" in this video. It's also interesting to speculate about interpretations, however it focuses on financial losses and your intention to enrich yourself. So as security researchers it's less applicable, because we don't look for financial gains.

00:00 - Intro and Motivation
01:15 - German Criminal Law
02:57 - StGB 202b - Phishing/MITM
03:55 - StGB 202c - Collecting Credentials
04:33 - StGB 202a - Hacking
04:59 - Example #1: Basic IDOR
06:20 - Example #2: Path Traversal
07:01 - OBTAIN ACCESS to Data
08:25 - Example #3: Minecraft log4shell Scanning
09:30 - Example #4: Technical Limitations?
10:44 - "Vulnerability" or "Exploit" not part of the Law
11:38 - Hacking Attempt is NOT Punishable
12:41 - StGB 202c - Hacking Tools
13:50 - Interpretation by German Federal Court
15:49 - StGB 303a - Data Manipulation
16:50 - StGB 303b - Computer Sabotage
17:13 - Example #5: Hacking a Bank!
18:41 - Hacking with Permissions?
19:50 - Conclusion

Comments

When you mentioned IDOR vulnerabilities and the law, it reminded me of the guy who was called a hacker because he found SSN numbers in the source code of a county employee directory.

gFamWeb

I feel like no matter what you do, there is "some" law that makes it "by definition" illegal and punishable which is so messed up

And the fact that a 60+ year old judge that doesn't understand technology will have to judge you based on that is the most frightening part

KianBrose

I don't agree with the sentiment that you should trust the judges to treat you fairly.
Good laws require the least amount of interpretation possible, to protect the accused from unfair sentiment by the judge.
Think what these inaccurate laws would mean for a whistleblower, for example.
I think certain laws (e.g. "hacker paragraphs") are unnecessarily inaccurate, possibly maliciously, because they could be used to accuse basically anybody with basic computer skills without good causation.

Maxjoker

Tbh the fact that all of this needs to be so special-cased and _not just get inferred from more general laws_ is pretty saddening

mskiptr

I'm not a lawyer, but one interesting thing that caught my eye about section 303a (1) is the word "unlawfully". What is defined as "unlawful" manipulation of data? Is it having authorisation? If I, as a sysadmin, were to accidentally delete a few records from a server's database, would I have committed a crime?

kris.yochev

On your IDOR example, you show the most important part of the law. What if you are against a judge that does not understand this technology? Lawyers can then say anything they want, the judge will probably believe them. That is why I think that there should be some max age / required expert on each of these cases.

DutchGamingPieces

About the bank, in Italy there is the legal concept of "impossible crime", a crime that cannot be committed, and some people were not charged for trying to break into the Bank of Italy alone because it has been deemed impossible. So, I guess, attacking a website that should be protected in a laughable way should fall under the same laws. But while you cannot be punished, you can be declared socially dangerous, with some restrictions on your personal freedom.

briansciretti-informatica

I certainly hope playing around with IDOR is legal, because I have a bunch of scripts relying on them for completely benign reasons.

thecakeredux

I just want to add one thing:
When the current German government was formed in December, the parties in the coalition agreed in their contract, which defines the goals they have for the next 4 years, that "The identification, reporting and closing of security vulnerabilities in a responsible process, e.g. in IT security research, should be legally feasible."
But I guess looking at the current political situation, inflation, Russia, ... this will probably be of low priority and will be addressed at the end of the legislative period at most.

SomeRandomUserName

The company I work for is using a bug bounty platform for its security program. Part of the program description is something they call "safe harbour":

{company} considers ethical hacking activities conducted consistent with the Researcher Guidelines,
the Program description and restrictions (the Terms) to constitute “authorized” conduct under criminal law.
{company} will not pursue civil action or initiate a complaint for accidental, good faith violations,
nor will they file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.

JeroenPlug

One could argue that anytime you can get access to data, that the data was not protected.

InfiniteQuest

Gotta love the law. It tries to state things with certainty, but we still don't know what will happen. White-hat disclosure of vulnerabilities being punishable is a serious problem.

OcteractSG

6:00 The exact case you described happened last year when Lilith Wittmann used an IDOR on the CDU app. The CDU tried to apply the hacking laws, but the case was dropped by the court.

LnkkE

3:45 Maybe you could consider tricking someone into sending data to the wrong destination as interception. Then it covers phishing.
It would be interesting to see some examples of the law being applied.

kas

With criminal laws it gets much more complicated than that. On the bright side, I'm a lawyer who's a tech geek and I'm currently working on a research paper related to this video; I'll email it to you when it's finished so you can explain it to our fellow geeks <3
But in short:
Criminal laws around the world are divided into two main types. The first is the objective criminal law (penal codes, for example), which has objective rules in it and usually reads something like this (whoever kills another person is to be sentenced to 15 years of prison); b. killing someone means committing a wrongful act that leads to death (not real laws, but an analogy). So section b of this analogy defines the crime (crimes are the exception to what you can freely do, because the parliament said so), and each word in the definition is important, like an if statement in code with an "and" between each condition. So if you stabbed a man, that stab killed him, and your intention was to kill him, the definition of said crime applies to this case and therefore it's punishable by 15 years of imprisonment.
Now the other type of criminal law is the criminal procedure code, which is: okay, we suspect a crime was committed, how do we know for sure who did it and how, and what happens next? That's even more important than the objective penal code, by the legal notion that justice is within the procedures, not the objective law. So if the objective law is kind of unfair on its own, the procedures for the process of proving guilt or innocence, and their applicability to any criminal case within the jurisdiction of the legal system in said country, are what achieves justice from a legislative point of view. So for each crime there must be an act, damage or minimally a breach of rules, a causal relationship between the act and the result, and a procedure to determine guilt like investigation, trial and a verdict, and each of those stages has many more details in it than I can fit in a single YouTube comment written from my phone!

ahmadsalahat

12:20 Attempts are handled separately across all laws by Title 2 section 22 and 23. Attempting to gain unauthorized access to protected data is seemingly also illegal.

DelusionalLogic

"I would hope, in practice, that it does actually matter." Nope. Laws are deliberately broad and vague so that they can be enforced against "the bad guys" and ignored for "the good guys".

JoeJoeTater

Can't wait for the follow-up videos in ~5 months: "I got sued for scanning Minecraft servers" (9:16), and "I got sued for attempting to breach N26" (18:19)

In all seriousness, even if German laws aren't sufficient to get you in jail, there are also *EU-Laws* like the "Convention on Cybercrime (ETS No. 185)" which explicitly defines terms like "computer system" or "computer data" and gives some (ethical) guidance on what legislative measures should be implemented by each member state.

Here are some rules for myself when it comes to "hacking":
- "Don't overstep boundaries."
- (With the exception of bug-hunting) Don't hack large companies. They'll find a way to sue you, no matter your intention.

AquaFX

I am always paranoid about these kinds of laws while doing some random things for web scraping or simply playing with the URL for fun 🤣. It was a cool video

hiruthicsha

THIS is the #1 most important thing any aspiring hacker SHOULD learn no matter what. You don't want to learn hacking and security tech and then do something without knowing that it turns out to be illegal, and end up with the FBI at your door, you in prison for years and your life destroyed.

vectoralphaSec