Lightning Talk #137 Ethical Hacking for a Safer Internet
27 Jun 2025 09:00h - 09:30h
Session at a glance
Summary
This discussion focused on the legal challenges surrounding ethical hacking and the need for improved legal frameworks to support cybersecurity efforts. Tim Philipp Schafers from Mint Secure and lawyer Carolin Kothe presented their analysis of how different jurisdictions treat ethical hacking versus malicious hacking activities. They began by defining ethical hacking as systematic testing to uncover security vulnerabilities, distinguishing between authorized penetration testing and unauthorized but well-intentioned security research conducted for societal benefit.
The speakers emphasized the critical importance of external hackers in strengthening cybersecurity, noting that the NIS2 directive recognizes that most security disclosures come from external testers. They highlighted how crowdsourced defense works effectively, as demonstrated by open source software development and corporate bug bounty programs. However, they identified a significant problem: most legal systems fail to differentiate between ethical and malicious hacking, creating uncertainty and potential legal risks for security researchers.
The presentation examined various jurisdictional approaches across Europe, noting that Poland stands out as a rare example with explicit statutory support for ethical hacking when done solely to secure systems. Most other countries equate ethical hacking with criminal activity, though some like the US and France have prosecutorial discretion policies that provide safe harbor for responsible disclosure. The speakers outlined four key elements needed for an ideal legal framework: legal certainty, explicit immunity for ethical hackers, reframing of hacking terminology, and clear differentiation between ethical and malicious activities.
They concluded by calling for harmonized international regulations and greater public awareness to support collaboration between ethical hackers, private companies, and governments in strengthening cybersecurity defenses.
Keypoints
## Major Discussion Points:
– **Definition and Types of Ethical Hacking**: The speakers distinguish between malicious hacking and ethical hacking, explaining that ethical hacking involves systematic testing to uncover security vulnerabilities with good intent. They identify two subtypes: authorized ethical hacking (contracted penetration testing, bug bounty programs) and unauthorized ethical hacking done for societal benefit without financial gain.
– **Legal Inconsistencies Across Jurisdictions**: The presentation highlights how different countries treat ethical hacking legally, with most jurisdictions failing to distinguish between ethical and malicious hacking. Poland is cited as a rare positive example with explicit statutory support, while countries like Germany, the US, and France rely on prosecutorial discretion rather than clear legal protections.
– **Current Legal Challenges for Ethical Hackers**: Despite following responsible disclosure practices, ethical hackers face legal uncertainty, potential prosecution, and emotional pressure. Even when not prosecuted, they may face investigations, reputational damage, and restrictions on sharing their findings for educational purposes.
– **Proposed Legal Framework Improvements**: The speakers outline four key elements for better regulation: legal certainty, explicit immunity for responsible disclosure, reframing of hacking in public perception, and clear differentiation between ethical and malicious activities. They also advocate for harmonized international regulations.
– **Need for Collaboration and Public Awareness**: The discussion emphasizes the importance of ethical hackers in cybersecurity, citing examples like the Heartbleed bug discovery and DEF CON voting village, while calling for better collaboration between private sector, ethical hacking community, and government.
## Overall Purpose:
The discussion aims to advocate for legal reform that would protect and encourage ethical hacking by establishing clear legal frameworks that distinguish between beneficial security research and malicious cybercrime. The speakers seek to educate the audience about the value of ethical hacking and promote policy changes that would provide legal certainty for security researchers.
## Overall Tone:
The tone is professional, educational, and advocacy-oriented throughout. The speakers maintain an informative approach while expressing clear frustration with current legal ambiguities. The tone remains consistently constructive, focusing on solutions rather than criticism, and becomes more engaging during the Q&A session where practical concerns about surveillance and brain drain are addressed with empathy and understanding.
Speakers
– **Tim Philipp Schafers**: Co-founder of Mint Secure, specializes in ethical hacking and criminal law in regards to computer crime
– **Carolin Kothe**: Trained lawyer, does software development in her law firm, deals with questions of standardization and citizen knowledge as part of her role at the Liquid Legal Institute
– **Audience**: Multiple audience members asking questions during the Q&A session (roles and expertise not specified)
Additional speakers:
None – all speakers were included in the provided speaker names list.
Full session report
# Legal Challenges and Reform Needs for Ethical Hacking: A Comprehensive Discussion Summary
## Introduction and Context
This discussion brought together Tim Philipp Schafers, co-founder of Mint Secure specializing in ethical hacking, and Carolin Kothe from the Liquid Legal Institute, who combines legal expertise with software development experience in standardization and citizen knowledge. Their presentation addressed the critical legal challenges facing ethical hackers and the need for comprehensive legal reform to support cybersecurity efforts while protecting legitimate security researchers.
The speakers presented their analysis through a structured four-step approach: defining ethical hacking and its variants, explaining why ethical hacking is important, examining current legal frameworks across jurisdictions, and proposing solutions for legal reform.
## Defining Ethical Hacking and Its Variants
Carolin Kothe explained that hacking fundamentally involves systematic testing to uncover security vulnerabilities, with the crucial distinction between ethical and malicious hacking lying in three critical factors: intent, authorization, and methods employed. The actual judgment of whether hacking is ethical or malicious depends on these factors rather than the technical actions themselves.
Kothe distinguished between two distinct subtypes of ethical hacking: authorized ethical hacking, which includes contracted penetration testing and corporate bug bounty programs, and unauthorized but benevolent ethical hacking, conducted without individual contracts but motivated by societal benefit rather than financial gain.
Tim Philipp Schafers referenced the established hacker ethic from the 1980s, later extended by groups like the Chaos Computer Club, which established moral principles including breaking systems to enhance security, avoiding data littering, and protecting private information. He provided concrete examples including the discovery of the Heartbleed bug in OpenSSL affecting HTTPS connections, testing conducted at DEF CON voting villages, and responsible information handling. Schafers also mentioned historical examples like the L0pht hacker collective’s testimony and Taiwanese activist groups who handled sensitive information responsibly.
## The Critical Importance of Ethical Hacking in Cybersecurity
Both speakers emphasized the indispensable role of ethical hackers in modern cybersecurity. Kothe highlighted that external security researchers provide the majority of security disclosure reports to Computer Emergency Response Teams (CERTs), as recognized by regulations like the NIS2 directive. This external perspective proves essential because internal security teams may miss vulnerabilities due to familiarity with their own systems.
Schafers noted that “crowdsource defense works,” referencing the open source software model where distributed scrutiny by many contributors strengthens overall security. Corporate recognition of ethical hacking’s value has grown, with companies increasingly investing in bug bounty programs, though Schafers cautioned that hackers can be “uncautious with their wording” when asking for rewards, potentially creating legal complications.
The speakers emphasized that ethical hacking serves as crucial defense against increasing cybercrime costs, both monetary and in terms of privacy breaches and infrastructure disruption.
## Legal Framework Disparities Across Jurisdictions
The presentation revealed significant inconsistencies in how different countries approach ethical hacking within their legal systems. Kothe’s analysis demonstrated that most jurisdictions fail to distinguish between ethical and malicious hacking, creating uncertainty for security researchers.
Poland emerged as a rare positive example, with explicit statutory support stating that no offense is committed when hacking is conducted “solely on the purpose of securing a system.” Kothe termed this a “unicorn regulation” that represents what comprehensive legal protection could look like, yet remains exceptional.
The complexity varies considerably across jurisdictions. Some countries require bypassing security measures as an objective element of computer crime, while others treat authorization as either an objective element or a justification defense. Countries like Latvia incorporate substantial harm requirements, while Germany and Austria include intent to harm or enrich as subjective elements, which better distinguishes ethical from malicious hacking but still creates uncertainty.
## Current Legal Challenges and Prosecution Approaches
Despite following responsible disclosure practices, ethical hackers face considerable legal uncertainty. Schafers emphasized the emotional pressure security researchers experience when discovering vulnerabilities, lacking clear statutory protection even when acting with beneficial intent.
The speakers identified four approaches jurisdictions currently employ: explicit statutory support (Poland), additional legal requirements favoring ethical hackers, prosecutorial discretion policies creating safe harbors, and reliance on justification defenses.
Countries like the United States and France have implemented prosecutorial discretion policies. Kothe referenced the justice.gov website and French authority safe harbor details, but noted these approaches remain inadequate because security researchers still technically commit crimes and face restrictions on publishing findings for educational purposes.
Even without prosecution, the investigation process creates significant hardship through mental burden, potential reputation damage, and restrictions on sharing research findings that could benefit the broader security community.
## Proposed Solutions for Comprehensive Legal Reform
The speakers outlined their “wish list” of four essential elements for an ideal legal framework. First, legal certainty must be established so security researchers understand how to responsibly report vulnerabilities without fear of prosecution.
Second, explicit immunity should be codified in law rather than relying on prosecutorial discretion. Third, comprehensive reframing of hacking terminology and public perception is necessary to move away from purely negative connotations. Fourth, clear legal differentiation between ethical and malicious actors must be established in statutory frameworks.
The speakers advocated for harmonized international regulation, recognizing that software vulnerabilities affect multiple jurisdictions and fragmented national approaches create unnecessary complexity for companies acting internationally.
## Audience Engagement and Unresolved Implementation Issues
The question-and-answer session revealed additional complexities. One audience member asked about Germany’s progress after a failed referendum, prompting Kothe to explain details about the “not authorized a scene if” provision and burden of proof considerations in German legal reform attempts.
An important concern was raised about whether intent requirements might expose security researchers to intrusive surveillance practices. Another audience member, Janik, questioned potential brain drain effects, suggesting that legal uncertainty might push talented individuals toward black hat activities rather than legitimate white hat security research. Schafers responded by noting that anonymous reporting through onion networks represents one way people navigate these legal uncertainties.
The question of how far ethical hackers can proceed in their testing activities remains unresolved, as hacking involves a series of actions rather than a single act, raising complex questions about which specific actions are covered by legal justifications.
## Areas of Consensus and Approach Differences
Both speakers agreed that ethical hacking provides essential security benefits and should be clearly distinguished from malicious activities. They shared the view that current legal frameworks create harmful uncertainty for security researchers and that comprehensive legal reform including explicit statutory protection is necessary.
Both advocated for harmonized international regulation and recognized that societal perception of hacking needs fundamental change. They agreed that prosecutorial discretion approaches are inadequate solutions.
Differences emerged primarily in emphasis, with Kothe providing detailed technical legal analysis while Schafers focused more on practical implementation needs and public awareness requirements.
## Conclusions and Call to Action
The speakers established that current legal approaches fail to serve either security or justice interests effectively, creating uncertainty for beneficial actors while potentially driving talent toward malicious activities. They called for comprehensive rather than piecemeal reform, addressing statutory protections, public perception, international coordination, and practical implementation challenges.
The speakers concluded with specific action items: collecting and discussing points about better legal frameworks within companies and with lawmakers, sharing ideas about differentiating between malicious and ethical activities, working toward harmonized international regulation, and increasing public awareness through education and discussion.
The discussion highlighted that achieving comprehensive reform will require sustained effort and careful attention to unintended consequences, while recognizing the essential role ethical hackers play in protecting digital infrastructure and systems.
Session transcript
Tim Philipp Schafers: Hello and welcome to our talk Ethical Hacking for a Safer Internet. My name is Tim Philipp Schafers and today we will talk about criminal law in regards of computer crime and I’m the co-founder of Mint Secure. We are also doing ethical hacking and I’m happy to be here today with Carolin Kothe.
Carolin Kothe: My name is Carolin Kothe, I’m a trained lawyer. I’m also doing the software development in my law firm. I’m also dealing with questions of standardization and citizen knowledge as part of my role at the Liquid Legal Institute. So we will examine today the legal patchwork concerning the treatment of ethical hacking in different jurisdictions and want to kind of show you what a harmonized framework could look like that empowers ethical hackers to strengthen our IT landscape. We will proceed in four steps, which is first defining what hacking and ethical hacking actually means to start with a common ontology for our talk. Then we will continue with kind of emphasizing the importance of external hackers as indispensable and then we will continue showing you the main differences in jurisdictions in Europe. Last but not least we will envision what an ideal legal framework could look like as a start of a little discussion. So what is ethical hacking? Hacking has a negative connotation, a negative narrative to it, but what it actually means is that we just do the systematic test to uncover security vulnerabilities in systems and applications and networks, and to judge the actual act we have to look at the intent, we have to look at the authorization, we have to look at the methods that the hacker actually used. So what people usually have in mind when they think of hacking is this kind of malicious act, meaning somebody seeks private gain, sabotage, theft, but there’s also ethical hacking and we can even distinguish ethical hacking in two subtypes. The one that is authorized, meaning companies that actually hire penetration test teams or do bug bounty programs to invite external testers to actually back their defenses, and then we have the other even more highly debatable group which doesn’t have these individual contracts but actually is just working without seeking financial benefit but doing it out of society’s reason, society’s interest.
And because of that we will actually show you the disclosure policies that all these hackers, no matter what kind of ethical hacking group you belong to, will look like. But first we want to emphasize why we’re actually having this talk. So there’s an increasing surge in cybercrime and with that comes a high increase of costs, and we don’t only mean the monetary cost to it but also the intangible risk. And that is actually why the regulators already have recognized it, they have recognized that there is a need to put pressure on companies to invest in their security systems, and especially we have seen this in the NIS2 directive which even states that the majority of disclosure reports actually come from external testers. And the market reinforces this, so there are already plenty of companies that invest heavily in bug bounty programs where they pay those who report responsibly, and we also see this with an increase of open source usage. Because open source relies on so many eyes, they take this kind of expertise of different people who know different kinds of security vulnerabilities to then build up higher security barriers. So crowdsource defense works and open source is living proof of that. So this kind of discussion has already been going on for quite a while, and to make an example of that I can hand over to Tim to give you one of these examples.
Tim Philipp Schafers: Yeah, thank you very much Carolin Kothe. Actually here you can see a testimony from the L0pht hacker collective. It’s kind of the first time where hackers were in direct exchange with politicians, and as you can see this is still a while ago, and at that time it was kind of the first remarks where it was mentioned that there are certain critical infrastructures, that there is a real harm that can exist there. But actually not that much has changed in regards of how the media perceives hackers in general. As Carolin Kothe mentioned, this is very often connotated with a negative framing. And actually we kind of want to flip that and also want to emphasize that hacking is also a possibility to enhance security. And very often one can hear that hacking is malicious or something, but actually if we look back at the so-called hacker ethic, we see that even within this community there is a huge understanding how to act and how to act morally. Here you can see an excerpt from the so-called hacker ethic, which basically describes how you should work as a real hacker. And there you can see again that, for example, the idea of breaking things to enhance them and to make them even more secure is a very basic principle which is already there. Furthermore, that you should not litter with other people’s data and also use public data and protect private data. So this is really a common ground and understanding. In the 1980s, this was first kind of proposed and discussed and later on it was extended by the Chaos Computer Club, for example, where many people thought about, OK, how can we handle hacking or what is really good hacking in that regard. And to my personal understanding, it’s really important to understand that breaking things always somehow helps fixing things. We also have a few examples here, which might be familiar for you or not. I just want to briefly mention a few of those things.
Actually, there was a so-called Heartbleed bug, which was a security vulnerability within OpenSSL, which is used for transport layer security. And in 2014, there was a serious vulnerability in that software, which is basically used by a lot of web servers on the Internet. Probably when you enter a website and enter HTTPS, this software is used on the server side to encrypt certain connections. And the good thing is that people very often find these bugs, report these bugs, and that they can be fixed. This is mostly how open source software, for example, is secured. There’s also the principle that you don’t disclose any information about the security vulnerability before it is fixed. This is also closely related to the hacker ethic you have seen before. Furthermore, a second example is, for example, the so-called DEF CON voting village. DEF CON is a security conference in the US. And there is a basic idea that, for example, voting machines are hardly tested by hackers to see whether they are secure or not. And of course, this also helps to enhance the security at that point and to make sure that those components are secured. As Caro mentioned before, for example, the NIS2 directive also aims in the direction of saying, okay, it makes sense to break certain things and fix them afterwards. This is the basic enhancement process, I would say. And the third example here is from a Taiwanese activist group. To me, this is also very important because a lot of people think in regards of hacking always from the technical standpoint. But for a lot of hackers, and also for me personally, hacking also is handling information responsibly. And in this case, for example, people were able to make use of public information and APIs, and made a more user-friendly way to disclose information. This is very often also something that hackers do. So just to give you a few examples of what can be done with hacking, and this is just a short excerpt.
There are many more examples where security of software and products was enhanced in the past also by certain people, hacker collectives, and so on. And now I would hand over to Carolin so that we look at certain legal examples.
Carolin Kothe: So after Tim told you about the disclosure policies, you might think that if you follow those policies, you are not treated as a criminal. Yet statutory certainty is quite rare for ethical hackers. Most countries still equate ethical hacking with criminals. And we had a referendum in Germany, which was actually So due to that and due to the fact that usually companies act internationally, meaning their software is internationally used, meaning we always have different jurisdictions affected, we actually had a look into the other countries. And we did find one good example, one rare example in the Polish penal code, which actually explicitly supports ethical hacking in the sense that it says no offense is committed if you do it solely on the purpose of securing a system. And however, this is kind of a unicorn regulation, because other states don’t do this differentiation. They equate ethical hacking with malicious hacking in the first place. So I can hand over to Tim to explain what it actually means in practice, if you equate malicious hacking with ethical hacking.
Tim Philipp Schafers: Yeah, so in general, one potentially can imagine that it’s combined with a lot of emotional pressure also when you find, for example, a certain vulnerability, but you are unsure whether this is fully covered by the law and how to potentially report this. So what we see is that ethical hackers often are threatened by the classical legal system or how the laws are working. And from my perspective, the core question is whether we want this so that also ethical hackers are put under pressure or don’t know how to report certain vulnerabilities, or if it doesn’t make more sense to say, hey, please, please hack public systems to secure them to responsibly report this. There are some community emergency response teams around the world that also receive reports and handle them. And in a few cases, of course, it helps to make systems even more secure. In other cases, there was also the case that certain hackers got a little bit of legal pressure and were not able to disclose or talk a lot about these topics.
Carolin Kothe: So to understand the main differences between the jurisdictions and how they treat ethical hacking, we need to clarify, at least on a brief level first, what actually makes an act a crime and what will be punished and what will be prosecuted. So a crime usually has two conditions to it. The first one is, did you fulfill all the elements of the offense that is stated by the law? And the second one is, is this act deemed lawful or unlawful? And it is unlawful if you lack any kind of legal justification for it, as we mentioned the authorization at the start. So let’s have a look at the main differences in the jurisdictions, starting from the act itself. So actually, we have in every kind of jurisdiction some variance of, I’m accessing, I’m altering, interfering with the system, I’m interfering with data. But what we also have is that some countries, but not all of them, have an additional bypassing of security measures in their samples. And we also have the element of authorization, sometimes as an objective element of the act and sometimes as a justification. And as stated, that makes a huge difference, because one means that even commissioned ethical hackers committed a crime but are justified, and the other is the I-didn’t-commit-a-crime-at-all kind of variation. There’s another issue with the authorization, especially when it comes to third-party systems, because there is a dispute, whose authorization do I actually need to be completely covered? It could be that I’m commissioned by one company, but if I’m accidentally or by intention accessing a third-party system, I might need another system owner’s authorization too. So even commissioned hackers are always in that kind of gray area, which is obviously not what is wanted. You also have countries that have put these additional requirements that kind of put up a higher threshold to it, which is to the benefit of ethical hackers, and one example would be Latvia, which says you need an extra substantial harm.
And this kind of substantial harm, though it’s kind of a vague, ambitious term, because what does substantial actually mean? It does help ethical hackers, because especially if you see it as financial harm, this is usually not fulfilled by ethical hackers, and by that you have this kind of distinction to it. But when we look actually onto the subjective elements of an offense, we actually see that some countries put even a better threshold that even distinguishes more between ethical hacking and malicious attacks, and that is, the subject element usually says you intentionally and knowingly do what is stated in the objective offense, but if you also add the intent to harm someone or the intent to enrich yourself or a third party to the law, which is quite easily done, which was also done in the German referendum, but also for example Austria is doing that, this intent is actually what differentiates the ethical hacker from the malicious attacks, and by that you kind of do this distinguishing, so ideal version of doing it. As stated, even if you meet all these technical requirements, the act itself could still be rendered as lawful if you have a justification reason. And most hackers argue whether it’s a state of emergency for this personal data or there’s a state of emergency because it’s critical infrastructure and we all kind of are dependent on that, and this is kind of highly debatable, because what means immediate? The state has happened already quite a while before, the state is there for quite a while already. And there’s another even severe question to the justification reason argument, because hacking is not just one act, it’s a series of actions, and the question is what of these actions are actually covered by the justification reason? So how far can I as a hacker actually go and how far is too far? What is actually required? 
But after all these issues, we want to mention one good thing, kind of at least, which is that most countries that till that point still equate ethical hacking and malicious attacks actually do not convict or prosecute. And we see, for example, in the US and in France, that there are public enforcement directives, like you can actually see, for example for the USA, on the justice government website, where they state as long as you follow the responsible disclosure guidelines, we won’t prosecute. Or in case of France, if you report to our authority that is meant for security, well, then you have a safe harbor, we won’t tell your name, even if some kind of complaint is filed. As said, you still have committed a crime, and it’s just not kind of prosecuted. And this comes also with a little kind of snippet to it, because what hackers, especially ethical hackers, like to do is use what they have done for educational purposes and kind of publish it, and they are not allowed to do that. As soon as they do, all this kind of on-hold procedure is gone. And that is also not helpful, because we want people to publish what could be a security vulnerability and exchange on that. So to sum it up, we have basically four different legal approaches. We have that explicit statutory support, like in Poland, where we already have in the law this kind of framing that ethical hackers are not seen as criminals, the optimal version. Then we have the second kind of favorable version of putting additional requirements to it that are really fulfilled by ethical hackers. Also good, not optimal, because we kind of like that reframing of the first version. And then we have the prosecution directives, meaning, as stated, for example, for France, creating this kind of safe harbor to it.
The last one, which is still happening in most of the countries, is the least favorable one, because it lets the hacker rely on justification reasons, let’s see, basically the interpretation of different judges, he never knows what is going to happen. And then we also have the thing that the prosecution investigation is still ongoing, meaning that they might face hard procedures, they might face mental load of legal battles, they might even face reputation loss, which is especially affecting those who have another business as IT researchers, too, to it. And leaving me up to that one, I can hand over to Tim and ask him what his wish list for ideal legal framework would be.
Tim Philipp Schafers: Yeah, actually we thought about, okay, what might be helpful, and for a better legal framework we have outlined at least four things that are important. On the one hand, legal certainty needs to be established, so what Caro mentioned, that in a lot of cases, as a hacker reports something, maybe a case is opened or not, but yeah, it would be great if it would be very clear, that you really know, okay, where is it possible to responsibly report certain security vulnerabilities and how to act in the legal framework. Then there’s another point, explicit immunity. So like we heard about safe harbor regulations, that this is really stated in the law that you are allowed to report certain security vulnerabilities. As mentioned before, a lot of computer emergency response teams around the world say, hey, please report security vulnerabilities to us, but in the law, this case is not existing at all. So that is very important, that also the lawmaker understands, okay, it makes sense and that ethical hacking helps to secure systems and enhance security of companies and for the society, for our society in general. Then this reframing of hacking so that this is not just a negative approach or that hacking harms certain people or systems, but that it is also very positive. Also in the media, as mentioned before, you can see that very often the term hacker is connotated negatively, but from our perspective, this must not be the case. It’s more the question how we perceive this and how those people really act. And there’s also a way of acting responsibly. And then the differentiation, as mentioned before, between ethical hacking and malicious actors. This is really important and in a lot of cases not the case in the law itself. So it just describes hacking as a bad thing, which might be something from the past and where we need to reframe this.
Then some general actions or something we wish from your side: on the one hand, that you potentially collect these points about a better legal framework, also in discussions within your company, maybe also with lawmakers, that you kind of share the idea and describe why it makes sense to differentiate between malicious activities and ethical activities. Then a harmonized regulation would make sense, because even if some countries adopt the change, the problem exists that if you, for example, find a certain security vulnerability in a software, it might be used in a lot of different countries and jurisdictions, which is also a problem, because if you, as an ethical hacker, report a certain vulnerability in one country and then you report it in another country and one country has a stricter hacking law, so to say, then you would face legal problems. So it would make a lot of sense to have a harmonization of the regulation and the reporting ways in that regard. And in general, that’s also why we are giving the talk here, is to have a greater public awareness and empathy about those topics, so that it can be discussed. Because the ultimate goal from our perspective is that we really tackle security vulnerabilities, make it even harder for hackers to break systems, and for that a stronger collaboration between the private sector, the ethical hacking community and even the government is needed to enhance the security level.
Because from our perspective, nowadays, sometimes they are still in their corner, so maybe the government is saying, hey, we need to prosecute hackers, because as we have seen, cybercrime is a big topic, that the hacking community tries to do certain things, tries to improve software with open source projects, as we have heard, and of course also the private companies have an interest in regards of really prosecute malicious intents, but maybe also, as Caro mentioned, with bug bounty programs, have a reward for ethical hacking and really use it as a driving force, which can help us to secure systems. Yeah, that maybe as an overview. So thank you very much. We would have the possibility for one or two questions, if there are any from the public, so to say. So thank you very much. So are there any questions or examples? So we have one here at the front.
Audience: Thank you. Not really an example, but just a question. See, I gather you are German. Do you have any idea where this is going in Germany? Try that referendum, which didn’t fly, I understand. Any other progress in sight?
Tim Philipp Schafers: Actually, we have a new government and they also put this in the plan for the next year, so to say. So my hope is that over the next couple of years, we will see some progress there. But the current or the last referendum thing now is gone. So it needs to be built up completely new, which is really important from our point of view, because the German law explicitly, yeah, does not differentiate between ethical hacking and malicious attempts.
Carolin Kothe: The referendum, I think, ran there as I talked about it. The referendum that was there before the election actually included an exception for people who do it solely for the purpose of securing a system and has this additional intent as a requirement. But it’s a little bit still up to debate if it’s just an acceptable or even ideal solution, because what they did is they just added a paragraph to it and said not authorized a scene if, and that might seem kind of simple, like why does it matter? But some argue that this is actually putting a point on the question of who needs to prove what. Some ethical hackers read that as: do I now need to prove that I didn’t have a malicious intent? And in my view, that is not the case, because in Germany, you have the principle of the prosecutor needing to prove the stuff. And usually, when it comes to prosecution and they need to prove if you had a certain intent, then prosecutors will have a hard time showing that you had this kind of intent of enrichment or intent of harming someone. There’s one little exception to that, because sometimes ethical hackers are a little bit incautious with their wording in their reports and ask for, well, I would be happy if you would give me a reward for finding your vulnerability, and that could cause some suspicion. But except for that, I think it’s fine.
Audience: Hi, yeah, thanks for the excellent presentation. I already raised my hand like a few minutes ago, and you started answering my question already. But I was wondering about this intent requirement, as you were just talking about, because I was wondering if it doesn’t maybe expose security researchers maybe to intrusive surveillance practices to like figure out if there was malicious intent. I was just wondering if you have any knowledge of something like this going on, or whether this is not possible under the current laws?
Tim Philipp Schafers: Actually, as Caro described, very often there are cases that are opened, and when a case is opened, there’s uncertainty for the people that are affected by that. And that could also mean for security researchers that they might be under surveillance, so to say, because somebody might need to find out, okay, what are they doing, why are they doing this, are they acting on their own, and so on. That’s why we need a clearer regulation on that, to make sure that people are not threatened, that people responsibly can report it and have kind of a peace of mind in what they are doing, because they are securing certain systems which are very important to us.
Audience: That’s why we graded the prosecution approach a little bit lower, because that means that there is already investigation if you have this intent, if you’re acting in good faith, if you have followed all the responsible disclosure guidelines, and that could, in practice, we actually know that this basically is you getting called, what did you do, what was your intention, and if they are then fine with you, then it’s good to go, but that is already causing a hard race for the ethical hacker itself, because he knows he’s part of this prosecution investigation. Hi, I’m Janik, I used to work in the industry, and what I saw at that time when I worked there, that it’s also a matter of brain drain, because people would go rather in the black hat direction and not in the white hat direction, just exclusively working over the onion net or something, would you say that it’s the case for today as well, or is it in a better state?
Tim Philipp Schafers: I mean, in some cases it makes sense to report security vulnerabilities anonymously, because you want to have your name attached to this, I know certain cases where this happened, but from my perspective it’s very sad that things like that are needed, or that security researchers might hide their activity behind the onion network or things like that, because it should be legal, because it really helps us to secure certain systems, and from my perspective it’s really something from the past that you say, okay, this is just illegal activity and needs to be prosecuted, because we have learned a lot through hacking about understanding how the world and systems work and how to improve them, because, I mean, every human makes mistakes, every program or computer can make mistakes, so it makes sense to recognize this and to change it for the better in regards of hacking in general, and maybe also the law in that case. Okay, I think then we are fine, thank you very much for having us, and have a nice day. Thank you.
Carolin Kothe
Speech speed
143 words per minute
Speech length
2100 words
Speech time
877 seconds
Hacking involves systematic testing to uncover security vulnerabilities, with the actual judgment depending on intent, authorization, and methods used
Explanation
Kothe argues that hacking itself is simply the systematic testing of systems to find vulnerabilities, and whether it’s considered ethical or malicious depends on three key factors: the hacker’s intent, whether they have authorization, and what methods they employ.
Evidence
Distinguished between malicious acts (seeking private gain, sabotage, theft) and ethical hacking done for society’s benefit
Major discussion point
Definition and Types of Ethical Hacking
Topics
Cybersecurity | Legal and regulatory
Agreed with
– Tim Philipp Schafers
Agreed on
Ethical hacking provides essential security benefits and should be distinguished from malicious hacking
Ethical hacking can be divided into two subtypes: authorized (contracted penetration testing/bug bounties) and unauthorized but benevolent (done for society’s interest without financial gain)
Explanation
Kothe categorizes ethical hacking into two distinct groups: those who have explicit contracts and authorization from companies through penetration testing or bug bounty programs, and those who work without individual contracts but act in society’s interest without seeking financial benefit.
Evidence
Examples of companies hiring penetration test teams and running bug bounty programs to invite external testers
Major discussion point
Definition and Types of Ethical Hacking
Topics
Cybersecurity | Legal and regulatory
External hackers are indispensable as the majority of disclosure reports come from external testers, as recognized by the NIS2 directive
Explanation
Kothe emphasizes that external hackers play a crucial role in cybersecurity, with most vulnerability disclosures coming from outside testers rather than internal security teams. This importance has been formally recognized by regulatory frameworks.
Evidence
NIS2 directive explicitly states that the majority of disclosure reports come from external testers
Major discussion point
Importance and Benefits of Ethical Hacking
Topics
Cybersecurity | Legal and regulatory
Agreed with
– Tim Philipp Schafers
Agreed on
Ethical hacking provides essential security benefits and should be distinguished from malicious hacking
Crowdsourced defense works effectively, with open source software serving as proof that many eyes make security stronger
Explanation
Kothe argues that distributed security testing through multiple contributors is highly effective, using the open source software model as evidence that having many different experts examine code leads to better security outcomes.
Evidence
Open source software relies on many eyes and different expertise to build higher security barriers, with increased open source usage demonstrating this principle
Major discussion point
Importance and Benefits of Ethical Hacking
Topics
Cybersecurity | Infrastructure
Companies are increasingly investing in bug bounty programs and recognizing the value of responsible vulnerability reporting
Explanation
Kothe points out that the market is already demonstrating the value of ethical hacking through increased corporate investment in bug bounty programs that reward responsible disclosure of vulnerabilities.
Evidence
Market reinforcement through companies investing heavily in bug bounty programs that pay those who report responsibly
Major discussion point
Importance and Benefits of Ethical Hacking
Topics
Cybersecurity | Economic
Ethical hacking helps tackle cybercrime’s increasing surge and associated costs, both monetary and intangible risks
Explanation
Kothe argues that ethical hacking is essential for addressing the growing cybercrime problem, which brings not only direct financial costs but also intangible risks that affect society broadly.
Evidence
Increasing surge in cybercrime with high increase of costs, leading regulators to recognize the need for companies to invest in security systems
Major discussion point
Importance and Benefits of Ethical Hacking
Topics
Cybersecurity | Economic
Most countries equate ethical hacking with criminal hacking, creating statutory uncertainty for ethical hackers
Explanation
Kothe explains that the majority of legal systems fail to distinguish between ethical and malicious hacking, treating all hacking activities as criminal regardless of intent or purpose. This creates legal uncertainty for those trying to improve security.
Evidence
Statutory certainty is quite rare for ethical hackers, with most countries still equating ethical hacking with criminals
Major discussion point
Legal Framework Disparities Across Jurisdictions
Topics
Legal and regulatory | Cybersecurity
Agreed with
– Tim Philipp Schafers
Agreed on
Current legal frameworks are inadequate and create uncertainty for ethical hackers
Poland provides a rare positive example with explicit statutory support, stating no offense is committed when done solely for system security purposes
Explanation
Kothe highlights Poland as an exceptional case where the legal system explicitly supports ethical hacking by providing clear statutory language that exempts security-focused hacking from criminal prosecution.
Evidence
Polish penal code explicitly supports ethical hacking by stating no offense is committed if done solely for securing a system, described as a ‘unicorn regulation’
Major discussion point
Legal Framework Disparities Across Jurisdictions
Topics
Legal and regulatory | Cybersecurity
Agreed with
– Tim Philipp Schafers
Agreed on
Legal reform should include explicit statutory protection and clear differentiation
Legal frameworks differ in their elements: some require bypassing security measures, others have authorization as objective elements vs. justifications, creating confusion about whose authorization is needed for third-party systems
Explanation
Kothe explains that different jurisdictions structure their computer crime laws differently, with some including security bypassing as an element and others treating authorization differently. This creates particular confusion when ethical hackers might access third-party systems while working on commissioned projects.
Evidence
Some countries have additional bypassing of security measures requirements, and authorization sometimes appears as objective element vs. justification, with disputes over whose authorization is needed for third-party systems
Major discussion point
Legal Framework Disparities Across Jurisdictions
Topics
Legal and regulatory | Jurisdiction
Some countries like Latvia add substantial harm requirements, while others like Germany and Austria include intent to harm as subjective elements, better distinguishing ethical from malicious hacking
Explanation
Kothe describes how some jurisdictions have developed better legal frameworks by adding requirements that help distinguish ethical hackers from malicious actors, either through harm thresholds or intent requirements that ethical hackers typically don’t meet.
Evidence
Latvia requires extra substantial harm; Germany and Austria include intent to harm or enrich as subjective elements, which differentiates ethical hackers from malicious attacks
Major discussion point
Legal Framework Disparities Across Jurisdictions
Topics
Legal and regulatory | Cybersecurity
Even when following responsible disclosure policies, ethical hackers lack statutory certainty and may still be treated as criminals
Explanation
Kothe emphasizes that even ethical hackers who follow all best practices for responsible disclosure still face legal uncertainty and potential criminal treatment because the laws themselves don’t provide clear protection.
Evidence
Following disclosure policies doesn’t guarantee protection from being treated as criminals, with statutory certainty being quite rare
Major discussion point
Current Legal Challenges and Prosecution Approaches
Topics
Legal and regulatory | Cybersecurity
Agreed with
– Tim Philipp Schafers
Agreed on
Current legal frameworks are inadequate and create uncertainty for ethical hackers
Some countries like the US and France have prosecution discretion policies creating safe harbors, but hackers still technically commit crimes and cannot publish their findings for educational purposes
Explanation
Kothe explains that while some countries have created practical protections through prosecutorial discretion, these approaches still treat ethical hacking as criminal activity and restrict hackers’ ability to share their knowledge publicly for educational purposes.
Evidence
US justice department website states they won’t prosecute if responsible disclosure guidelines are followed; France provides safe harbor through their security authority but hackers still committed crimes and cannot publish findings
Major discussion point
Current Legal Challenges and Prosecution Approaches
Topics
Legal and regulatory | Cybersecurity
Disagreed with
– Tim Philipp Schafers
Disagreed on
Adequacy of prosecution discretion approaches vs. statutory reform
Legal investigations can cause hardship for ethical hackers even when they ultimately face no prosecution
Explanation
Kothe points out that even when ethical hackers are not ultimately prosecuted, the investigation process itself creates significant burden and stress for individuals who are trying to help improve security.
Evidence
Prosecution investigation procedures can cause mental load of legal battles and reputation loss, especially affecting IT researchers
Major discussion point
Concerns About Implementation and Surveillance
Topics
Legal and regulatory | Human rights
Current prosecution approaches still involve investigation procedures that create mental burden and potential reputation loss for ethical hackers
Explanation
Kothe argues that even the more favorable prosecution discretion approaches still subject ethical hackers to investigation procedures that can cause significant personal and professional harm through mental stress and damage to their reputation.
Evidence
Investigation procedures might face hard procedures, mental load of legal battles, and reputation loss, especially affecting those with IT research businesses
Major discussion point
Concerns About Implementation and Surveillance
Topics
Legal and regulatory | Human rights
Agreed with
– Tim Philipp Schafers
Agreed on
Current legal frameworks are inadequate and create uncertainty for ethical hackers
Tim Philipp Schafers
Speech speed
141 words per minute
Speech length
2060 words
Speech time
872 seconds
The hacker ethic from the 1980s establishes moral principles including breaking things to enhance security, not littering with others’ data, and protecting private information
Explanation
Schafers argues that the hacking community has long-established ethical principles that guide responsible behavior, emphasizing that true hackers follow moral guidelines about how to conduct their activities responsibly.
Evidence
Hacker ethic from 1980s describes breaking things to enhance and secure them, not littering with other people’s data, using public data and protecting private data, later extended by Chaos Computer Club
Major discussion point
Definition and Types of Ethical Hacking
Topics
Cybersecurity | Sociocultural
Agreed with
– Carolin Kothe
Agreed on
Ethical hacking provides essential security benefits and should be distinguished from malicious hacking
Breaking systems helps fix them, as demonstrated by examples like Heartbleed bug discovery, DEF CON voting village testing, and responsible information handling by activist groups
Explanation
Schafers provides concrete examples to illustrate how the process of finding and responsibly disclosing vulnerabilities leads to improved security across various domains, from web encryption to voting systems to public information access.
Evidence
Heartbleed bug in OpenSSL (2014) found and fixed through responsible disclosure; DEF CON voting village tests voting machine security; Taiwanese activist group made user-friendly disclosure of public information through APIs
Major discussion point
Definition and Types of Ethical Hacking
Topics
Cybersecurity | Infrastructure
Agreed with
– Carolin Kothe
Agreed on
Ethical hacking provides essential security benefits and should be distinguished from malicious hacking
Ethical hackers face emotional pressure and uncertainty when finding vulnerabilities due to unclear legal coverage
Explanation
Schafers explains that the current legal uncertainty creates significant psychological stress for ethical hackers who discover vulnerabilities but are unsure whether reporting them might lead to legal consequences.
Evidence
Ethical hackers are threatened by classical legal system and face uncertainty about whether vulnerability reporting is fully covered by law
Major discussion point
Current Legal Challenges and Prosecution Approaches
Topics
Legal and regulatory | Human rights
Agreed with
– Carolin Kothe
Agreed on
Current legal frameworks are inadequate and create uncertainty for ethical hackers
Legal certainty must be established so hackers know where and how to responsibly report vulnerabilities
Explanation
Schafers argues that clear legal frameworks are essential so that ethical hackers can understand exactly what is permitted and have confidence in their ability to report security issues without legal risk.
Evidence
Computer emergency response teams around the world receive reports and handle them, but legal framework doesn’t explicitly support this
Major discussion point
Proposed Solutions for Legal Framework Reform
Topics
Legal and regulatory | Cybersecurity
Agreed with
– Carolin Kothe
Agreed on
Legal reform should include explicit statutory protection and clear differentiation
Explicit immunity should be codified in law, not just stated by computer emergency response teams
Explanation
Schafers emphasizes that legal protection for ethical hackers needs to be formally written into law rather than just being policy statements from technical organizations, ensuring that lawmakers understand the value of ethical hacking.
Evidence
Computer emergency response teams say to report vulnerabilities, but this case doesn’t exist in law at all
Major discussion point
Proposed Solutions for Legal Framework Reform
Topics
Legal and regulatory | Cybersecurity
Agreed with
– Carolin Kothe
Agreed on
Legal reform should include explicit statutory protection and clear differentiation
Disagreed with
– Carolin Kothe
Disagreed on
Adequacy of prosecution discretion approaches vs. statutory reform
Reframing of hacking is needed to move away from purely negative connotations in media and public perception
Explanation
Schafers argues that society needs to change how it perceives hacking, moving beyond the purely negative framing to recognize the positive contributions that ethical hackers make to security and society.
Evidence
Media very often connotates the term hacker negatively, but this perception needs to change based on how people actually act
Major discussion point
Proposed Solutions for Legal Framework Reform
Topics
Sociocultural | Cybersecurity
Clear differentiation between ethical hacking and malicious actors should be established in legal frameworks
Explanation
Schafers advocates for legal systems that can distinguish between hackers who help improve security and those who cause harm, rather than treating all hacking activities as inherently criminal.
Evidence
Current laws often just describe hacking as bad without differentiation, which is something from the past that needs reframing
Major discussion point
Proposed Solutions for Legal Framework Reform
Topics
Legal and regulatory | Cybersecurity
Agreed with
– Carolin Kothe
Agreed on
Legal reform should include explicit statutory protection and clear differentiation
Harmonized international regulation is necessary since software vulnerabilities affect multiple jurisdictions
Explanation
Schafers explains that because software is used globally, ethical hackers need consistent legal protection across countries to avoid facing different legal risks when reporting the same vulnerability that affects multiple jurisdictions.
Evidence
Software vulnerabilities might be used in different countries and jurisdictions, creating problems when one country has stricter hacking laws than another
Major discussion point
Proposed Solutions for Legal Framework Reform
Topics
Legal and regulatory | Jurisdiction
Greater public awareness and collaboration between private sector, ethical hacking community, and government is needed to enhance overall security
Explanation
Schafers calls for breaking down silos between different stakeholders and fostering collaboration to improve cybersecurity, arguing that currently these groups often work in isolation when they should be working together.
Evidence
Currently stakeholders are sometimes in their corners – government prosecuting hackers, hacking community improving open source, private companies using bug bounties – but stronger collaboration is needed
Major discussion point
Proposed Solutions for Legal Framework Reform
Topics
Cybersecurity | Legal and regulatory
Audience
Speech speed
170 words per minute
Speech length
298 words
Speech time
105 seconds
Intent requirements may expose security researchers to intrusive surveillance practices to determine malicious intent
Explanation
An audience member raises concern that legal frameworks requiring proof of intent could lead to invasive surveillance of security researchers to determine whether their motivations were malicious or benevolent.
Major discussion point
Concerns About Implementation and Surveillance
Topics
Human rights | Privacy and data protection
Current legal uncertainty may cause brain drain, with researchers potentially moving toward black hat activities rather than white hat ethical hacking
Explanation
An audience member suggests that the legal risks and uncertainties facing ethical hackers might drive talented security researchers away from legitimate white hat activities toward illegal black hat hacking where they can work anonymously.
Evidence
People would rather work in black hat direction exclusively over onion networks rather than white hat direction
Major discussion point
Current Legal Challenges and Prosecution Approaches
Topics
Cybersecurity | Legal and regulatory
Agreements
Agreement points
Ethical hacking provides essential security benefits and should be distinguished from malicious hacking
Speakers
– Carolin Kothe
– Tim Philipp Schafers
Arguments
Hacking involves systematic testing to uncover security vulnerabilities, with the actual judgment depending on intent, authorization, and methods used
External hackers are indispensable as the majority of disclosure reports come from external testers, as recognized by the NIS2 directive
The hacker ethic from the 1980s establishes moral principles including breaking things to enhance security, not littering with others’ data, and protecting private information
Breaking systems helps fix them, as demonstrated by examples like Heartbleed bug discovery, DEF CON voting village testing, and responsible information handling by activist groups
Summary
Both speakers agree that ethical hacking serves a vital security function and should be clearly differentiated from malicious activities based on intent, methods, and outcomes. They provide evidence of its effectiveness and established ethical principles.
Topics
Cybersecurity | Legal and regulatory
Current legal frameworks are inadequate and create uncertainty for ethical hackers
Speakers
– Carolin Kothe
– Tim Philipp Schafers
Arguments
Most countries equate ethical hacking with criminal hacking, creating statutory uncertainty for ethical hackers
Even when following responsible disclosure policies, ethical hackers lack statutory certainty and may still be treated as criminals
Ethical hackers face emotional pressure and uncertainty when finding vulnerabilities due to unclear legal coverage
Current prosecution approaches still involve investigation procedures that create mental burden and potential reputation loss for ethical hackers
Summary
Both speakers agree that existing legal systems fail to provide adequate protection for ethical hackers, creating uncertainty and stress even for those following best practices.
Topics
Legal and regulatory | Cybersecurity
Legal reform should include explicit statutory protection and clear differentiation
Speakers
– Carolin Kothe
– Tim Philipp Schafers
Arguments
Poland provides a rare positive example with explicit statutory support, stating no offense is committed when done solely for system security purposes
Legal certainty must be established so hackers know where and how to responsibly report vulnerabilities
Explicit immunity should be codified in law, not just stated by computer emergency response teams
Clear differentiation between ethical hacking and malicious actors should be established in legal frameworks
Summary
Both speakers advocate for comprehensive legal reform that provides explicit statutory protection for ethical hackers and establishes clear legal distinctions between ethical and malicious activities.
Topics
Legal and regulatory | Cybersecurity
Similar viewpoints
Both speakers believe in the effectiveness of collaborative, distributed approaches to cybersecurity and see market validation through increased corporate investment in ethical hacking programs.
Speakers
– Carolin Kothe
– Tim Philipp Schafers
Arguments
Crowdsourced defense works effectively, with open source software serving as proof that many eyes make security stronger
Companies are increasingly investing in bug bounty programs and recognizing the value of responsible vulnerability reporting
Greater public awareness and collaboration between private sector, ethical hacking community, and government is needed to enhance overall security
Topics
Cybersecurity | Economic
Both speakers recognize that the global nature of software and cybersecurity requires harmonized international legal approaches rather than fragmented national regulations.
Speakers
– Carolin Kothe
– Tim Philipp Schafers
Arguments
Harmonized international regulation is necessary since software vulnerabilities affect multiple jurisdictions
Legal frameworks differ in their elements: some require bypassing security measures, others have authorization as objective elements vs. justifications, creating confusion about whose authorization is needed for third-party systems
Topics
Legal and regulatory | Jurisdiction
Both speakers believe that societal perception of hacking needs to change and that current prosecutorial discretion approaches are insufficient because they still treat ethical hacking as criminal and restrict educational sharing.
Speakers
– Carolin Kothe
– Tim Philipp Schafers
Arguments
Reframing of hacking is needed to move away from purely negative connotations in media and public perception
Some countries like the US and France have prosecution discretion policies creating safe harbors, but hackers still technically commit crimes and cannot publish their findings for educational purposes
Topics
Sociocultural | Legal and regulatory
Unexpected consensus
Prosecution discretion approaches are inadequate despite being more favorable than criminalization
Speakers
– Carolin Kothe
– Tim Philipp Schafers
Arguments
Some countries like the US and France have prosecution discretion policies creating safe harbors, but hackers still technically commit crimes and cannot publish their findings for educational purposes
Legal investigations can cause hardship for ethical hackers even when they ultimately face no prosecution
Explanation
It’s somewhat unexpected that both speakers would criticize what might seem like progressive approaches (prosecutorial discretion) as still inadequate. This shows their commitment to fundamental legal reform rather than accepting partial solutions.
Topics
Legal and regulatory | Cybersecurity
The importance of educational sharing and publication of security findings
Speakers
– Carolin Kothe
– Tim Philipp Schafers
Arguments
Some countries like the US and France have prosecution discretion policies creating safe harbors, but hackers still technically commit crimes and cannot publish their findings for educational purposes
Greater public awareness and collaboration between private sector, ethical hacking community, and government is needed to enhance overall security
Explanation
The emphasis on the right to publish and share security research findings for educational purposes represents an unexpected consensus on the importance of knowledge dissemination beyond just vulnerability reporting.
Topics
Cybersecurity | Human rights
Overall assessment
Summary
There is strong consensus between the two main speakers on the fundamental issues: ethical hacking provides essential security benefits, current legal frameworks are inadequate and harmful, and comprehensive legal reform with explicit statutory protection is needed. They also agree on the need for international harmonization and societal reframing of hacking.
Consensus level
Very high consensus between the main speakers, with audience questions reinforcing concerns about current legal approaches. This strong agreement suggests a well-developed shared understanding of the problems and solutions in this field, which could facilitate coordinated advocacy for legal reform.
Differences
Different viewpoints
Adequacy of prosecution discretion approaches vs. statutory reform
Speakers
– Carolin Kothe
– Tim Philipp Schafers
Arguments
Some countries like the US and France have prosecution discretion policies creating safe harbors, but hackers still technically commit crimes and cannot publish their findings for educational purposes
Explicit immunity should be codified in law, not just stated by computer emergency response teams
Summary
While Kothe acknowledges prosecution discretion as a partial solution, Schafers emphasizes the inadequacy of this approach and the need for explicit legal immunity. Kothe presents it as one of four approaches while Schafers argues it’s insufficient because it still treats ethical hacking as criminal.
Topics
Legal and regulatory | Cybersecurity
Unexpected differences
Scope of surveillance concerns in intent-based legal frameworks
Speakers
– Audience
– Tim Philipp Schafers
– Carolin Kothe
Arguments
Intent requirements may expose security researchers to intrusive surveillance practices to determine malicious intent
Legal investigations can cause hardship for ethical hackers even when they ultimately face no prosecution
Explanation
An audience member raised concerns about surveillance implications of intent-based frameworks, which the speakers had not fully addressed despite advocating for intent-based legal distinctions. This revealed a potential tension between their proposed solutions and privacy concerns.
Topics
Human rights | Privacy and data protection | Legal and regulatory
Overall assessment
Summary
The discussion showed minimal direct disagreement between the main speakers, who were largely aligned in their goals. The primary tension was between different approaches to legal reform rather than fundamental disagreements about objectives.
Disagreement level
Low disagreement level among main speakers, with most differences being matters of emphasis rather than substance. The audience questions revealed some unaddressed concerns about implementation details, but overall there was strong consensus on the need for legal reform to protect ethical hackers. This high level of agreement suggests the speakers were presenting a unified advocacy position rather than debating competing approaches.
Partial agreements
Similar viewpoints
Both speakers believe in the effectiveness of collaborative, distributed approaches to cybersecurity and see market validation through increased corporate investment in ethical hacking programs.
Speakers
– Carolin Kothe
– Tim Philipp Schafers
Arguments
Crowdsourced defense works effectively, with open source software serving as proof that many eyes make security stronger
Companies are increasingly investing in bug bounty programs and recognizing the value of responsible vulnerability reporting
Greater public awareness and collaboration between private sector, ethical hacking community, and government is needed to enhance overall security
Topics
Cybersecurity | Economic
Both speakers recognize that the global nature of software and cybersecurity requires harmonized international legal approaches rather than fragmented national regulations.
Speakers
– Carolin Kothe
– Tim Philipp Schafers
Arguments
Harmonized international regulation is necessary since software vulnerabilities affect multiple jurisdictions
Topics
Legal and regulatory | Jurisdiction
Takeaways
Key takeaways
Ethical hacking should be legally distinguished from malicious hacking based on intent, authorization, and methods used
Current legal frameworks in most countries treat ethical and malicious hacking equally, creating uncertainty and potential criminalization of beneficial security research
External ethical hackers are essential for cybersecurity, with the majority of vulnerability disclosures coming from external testers
Poland provides the best legal model with explicit statutory support for ethical hacking when done solely for system security purposes
Four legal approaches exist: explicit statutory support (optimal), additional requirements favoring ethical hackers, prosecution discretion policies, and reliance on justification defenses (least favorable)
Legal uncertainty may cause brain drain from white hat to black hat activities and discourage beneficial security research
Harmonized international regulation is necessary since software vulnerabilities affect multiple jurisdictions
Resolutions and action items
Collect and discuss points about better legal frameworks within companies and with lawmakers
Share ideas about differentiating between malicious and ethical activities to promote understanding
Work toward harmonized international regulation for vulnerability reporting
Increase public awareness and empathy about ethical hacking through education and discussion
Foster stronger collaboration between private sector, ethical hacking community, and government to enhance security
Unresolved issues
Germany’s new government plans to address ethical hacking legislation but timeline and specific approach remain uncertain
Debate continues over whether intent requirements place burden of proof on ethical hackers
Concerns about potential intrusive surveillance of security researchers to determine intent remain unaddressed
Question of how far ethical hackers can go in their testing activities and what actions are covered by legal justifications
Uncertainty about whose authorization is needed when accessing third-party systems during security research
Issue of ethical hackers being unable to publish findings for educational purposes under current prosecution discretion policies
Suggested compromises
Prosecution discretion policies that create safe harbors for ethical hackers who follow responsible disclosure guidelines (as implemented in US and France)
Adding substantial harm requirements to legal frameworks to create higher thresholds that favor ethical hackers
Including intent to harm or enrich as subjective elements in laws to better distinguish ethical from malicious hacking
Creating explicit exceptions in law for those acting solely to secure systems while maintaining overall computer crime protections
Thought provoking comments
We can even distinguish ethical hacking into two subtypes. The one that is authorized, meaning companies that actually hire penetration test teams or do bug bounty programs… and then we have the other, even more highly debatable group which doesn’t have these individual contracts but actually is just working without seeking financial benefit, doing it out of society’s reason, society’s interest.
Speaker
Carolin Kothe
Reason
This distinction is crucial because it identifies the core legal challenge – while authorized ethical hacking has some legal protection through contracts, unauthorized ethical hacking done for societal benefit exists in a legal gray area. This nuanced categorization moves beyond the simple ‘good hacker vs bad hacker’ narrative to reveal the complexity of motivations and legal standings.
Impact
This comment established the fundamental framework for the entire discussion. It shifted the conversation from a binary view of hacking to a more sophisticated understanding that would inform all subsequent legal analysis. The presenters repeatedly returned to this distinction when discussing different jurisdictions and legal approaches.
Most countries still equate ethical hacking with criminals… And we did find one good example, one rare example in the Polish penal code, which actually explicitly supports ethical hacking in the sense that it says no offense is committed if you do it solely for the purpose of securing a system. And however, this is kind of a unicorn regulation, because other states don’t do this differentiation.
Speaker
Carolin Kothe
Reason
This observation is particularly insightful because it demonstrates that legal frameworks CAN distinguish between ethical and malicious hacking, but most choose not to. The term ‘unicorn regulation’ effectively captures how rare progressive legal thinking is in this area, highlighting the gap between what’s possible and what’s implemented.
Impact
This comment served as a pivotal moment that transitioned the discussion from theoretical concepts to concrete legal realities. It provided hope (Poland’s example) while emphasizing the widespread problem, setting up the subsequent detailed analysis of different jurisdictional approaches.
There’s another, even more severe question to the justification reason argument, because hacking is not just one act, it’s a series of actions, and the question is which of these actions are actually covered by the justification reason? So how far can I as a hacker actually go, and how far is too far?
Speaker
Carolin Kothe
Reason
This comment reveals a sophisticated understanding of the practical complexities that legal frameworks fail to address. It moves beyond theoretical discussions to the granular reality of how ethical hacking actually works – as a process involving multiple steps, each potentially requiring separate legal justification.
Impact
This observation deepened the technical legal analysis and highlighted why simple legal fixes are insufficient. It demonstrated that even well-intentioned legal protections may be inadequate because they don’t account for the multi-step nature of security research, adding complexity to the discussion of ideal legal frameworks.
I was wondering about this intent requirement… because I was wondering if it doesn’t maybe expose security researchers maybe to intrusive surveillance practices to like figure out if there was malicious intent.
Speaker
Audience member
Reason
This question introduced an unexpected dimension – the potential for legal protections themselves to create new problems. It showed sophisticated thinking about unintended consequences and how attempts to protect ethical hackers might paradoxically harm them through surveillance.
Impact
This question elevated the discussion by introducing the concept that legal solutions might create new problems. It prompted the speakers to acknowledge that even ‘better’ legal approaches (like prosecution discretion) still involve investigations that can harm ethical hackers, reinforcing their argument for clearer statutory protections.
What I saw at that time when I worked there is that it’s also a matter of brain drain, because people would rather go in the black hat direction and not in the white hat direction, just exclusively working over the onion net or something.
Speaker
Audience member (Janik)
Reason
This comment introduced a critical societal consequence that hadn’t been explicitly discussed – that unclear legal frameworks may actually push talented individuals toward malicious activities. It connected legal policy to broader cybersecurity outcomes in a concrete way.
Impact
This observation added urgency to the discussion by suggesting that poor legal frameworks don’t just harm individual ethical hackers, but may actively contribute to cybercrime by driving talent toward illegal activities. It reinforced the speakers’ arguments about the societal benefits of clear legal protections.
Overall assessment
These key comments transformed what could have been a straightforward legal presentation into a nuanced exploration of complex policy challenges. The speakers’ sophisticated categorization of ethical hacking types and jurisdictional approaches provided a solid analytical framework, while the audience questions introduced unexpected dimensions like surveillance concerns and brain drain effects. Together, these comments revealed that the issue extends far beyond simple legal reform – it involves balancing security needs, individual rights, societal benefits, and unintended consequences. The discussion evolved from describing the problem to exploring why solutions are complex and why the stakes are higher than initially apparent, ultimately making a compelling case for urgent, thoughtful legal reform.
Follow-up questions
What is the current status and future progress of ethical hacking legislation in Germany following the failed referendum?
Speaker
Audience member
Explanation
The audience member specifically asked about progress in Germany after the referendum didn’t pass, and while Tim mentioned the new government has plans, the specific timeline and approach remain unclear
Do intent requirements in ethical hacking laws expose security researchers to intrusive surveillance practices to determine malicious intent?
Speaker
Audience member
Explanation
This question addresses a potential unintended consequence of legal frameworks that require proving intent, which could lead to privacy violations for legitimate security researchers
Is there currently a brain drain problem where potential ethical hackers choose black hat activities over white hat due to legal uncertainties?
Speaker
Janik (audience member)
Explanation
This question explores whether unclear legal frameworks are pushing talented individuals toward illegal hacking activities rather than legitimate security research, which would be counterproductive to cybersecurity goals
How can harmonized international regulation be achieved given the complexity of different legal systems and jurisdictions?
Speaker
Tim Philipp Schafers and Carolin Kothe
Explanation
While they identified the need for harmonized regulation, the practical steps and mechanisms for achieving international coordination on ethical hacking laws were not detailed
What constitutes ‘substantial harm’ in jurisdictions like Latvia that use this threshold, and how can this vague term be better defined?
Speaker
Carolin Kothe
Explanation
Carolin noted that ‘substantial harm’ is an ambiguous term that helps ethical hackers but lacks clear definition, which could lead to inconsistent application
How far can ethical hackers go in their testing activities when relying on justification reasons, and what specific actions cross the line?
Speaker
Carolin Kothe
Explanation
This addresses the practical boundaries of ethical hacking activities and what constitutes acceptable versus excessive testing when operating under legal justifications
Whose authorization is actually required when ethical hackers access third-party systems during commissioned testing?
Speaker
Carolin Kothe
Explanation
This legal gray area affects even commissioned ethical hackers and needs clarification to provide proper legal protection
Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.