Security vulnerabilities: companies should rely on bug bounty programs rather than criminal complaints

Stefan Hessel

There was a great deal of outrage on social media when IT security expert Lilith Wittmann announced (only in German) on Twitter on 3 August that the Berlin State Police had named her as a suspect in an investigation relating to security flaws in the Christian Democratic Union's "CDU connect" app. The IT security expert and Chaos Computer Club (CCC) activist had previously notified the party in a "responsible disclosure" that their app contained significant security vulnerabilities, which made it possible for hackers to access the personal data of over 18,000 campaign workers (only in German). The fact that the IT security expert nevertheless received an e-mail from the Berlin State Police is evidently attributable to a complaint from the CDU, which the party now claims to have "withdrawn" (only in German). As a result, the CCC has announced (only in German) that it will no longer report security vulnerabilities to the CDU in the future. The apps themselves were taken offline temporarily, but are now available once again for use in the party's campaigning.

We have received many questions concerning this investigation, which we will answer below.

1. What is "responsible disclosure"?

The term "responsible disclosure" (only in German) describes a process for reporting security vulnerabilities. A distinctive feature of this process is that the vulnerabilities are not made public until after they have been fixed by the manufacturer. The manufacturer is typically given a certain amount of time to do so.

2. Why did the CDU file a criminal complaint/request for prosecution?

It is not yet clear whether the CDU filed a criminal complaint or a request for prosecution. A criminal complaint reports an incident to a law enforcement agency (e.g. the prosecutor's office or the police), while a request for prosecution can only be made by the victim of a crime and is only required in certain cases. In our experience, a request for prosecution is typically filed along with a criminal complaint in cases involving all of the offenses which may come into consideration here. This may explain the confusion in the use of these terms.

3. Withdrawing a criminal complaint or request for prosecution: can that be done?

The CDU has since announced on Twitter (only in German) that it has withdrawn its criminal complaint against the IT security expert. From a legal standpoint, however, it should be noted that, unlike a request for prosecution, a criminal complaint cannot be withdrawn. Accordingly, "withdrawal" of the criminal complaint would have no impact on the investigation. If, on the other hand, a request for prosecution is withdrawn, the investigation is only continued, in the case of a "relative complaint offense" (i.e. an offense where the need for a complaint is not absolute), if the prosecutor's office believes that action is required due to a particular public interest in prosecuting the offense. In the present case, an investigation may be based on § 202a of the Criminal Code or § 42 of the Federal Data Protection Act (only in German). But since § 202a of the Criminal Code is a relative complaint offense in accordance with § 205(1) Sentence 2 of the Criminal Code (only in German), the investigation may be continued despite the CDU's withdrawal of its request for prosecution if there is a particular public interest, which is not entirely out of the question in light of the ongoing election campaign and the importance of the CDU as a major political party.

4. What consequences will the security vulnerabilities have for the CDU?

If these vulnerabilities are associated with a personal data breach and a risk to the rights and freedoms of natural persons cannot be ruled out, the controller is required to notify the competent supervisory authority without undue delay, if possible within 72 hours of becoming aware of the breach, pursuant to Article 33(1) of the GDPR. Whether such a risk arises in a case where security vulnerabilities are discovered by IT security experts in a responsible disclosure is, however, a matter of dispute. A wide variety of additional legal consequences could result in the event of a cyberattack.

5. What can companies do better?

According to a recent study by the digital association Bitkom (only in German), German companies sustain more than EUR 220 billion in losses every year from cybersecurity incidents, including cases of extortion (e.g. using ransomware). Given the large number of possible attacks, and in order to avoid drawn-out criminal proceedings and the associated costs, companies should consider alternative precautions, such as setting up contact addresses for IT security researchers and bug bounty programs, in which financial rewards are paid out to IT security experts who discover and report security vulnerabilities as part of a responsible disclosure. In any case, where security vulnerabilities are reported by way of responsible disclosure, we urgently advise companies not to seek prosecution of the informant by filing a criminal complaint or request for prosecution.

6. What legal options do IT security experts have to protect themselves?

As of now, German criminal law affords inadequate protection for well-meaning IT security experts who report vulnerabilities to the affected parties rather than maliciously exploiting them or selling them on the dark web. This is particularly true of § 202a of the Criminal Code and the Sections that follow it (only in German). It is therefore past time for a change in Germany's cybercrime laws so as to guarantee immunity from prosecution for IT security experts who report security vulnerabilities by way of responsible disclosure. IT security experts can also turn to the Federal Office for Information Security (BSI) (only in German) for assistance when making contact, so as to avoid drawing suspicion from companies and law enforcement agencies. BSI provides a reporting form (only in German) for this purpose and promises that the information will be handled confidentially. But given that BSI is a government agency and not an independent body, its promise of confidentiality may not hold in case of doubt. We therefore recommend arranging for responsible disclosure through an attorney, particularly for companies and research institutions which routinely report security vulnerabilities, since attorneys are bound by attorney-client privilege not to disclose confidential information.

The Digital Business Unit of reuschlaw Legal Consultants would be glad to help you manage IT security incidents, as well as advising you in all questions relating to responsible disclosures and bug bounty programs. You can contact them at any time.

[August 2021]