German Laws Kill KisMAC,Threaten Privacy
The developers of the KisMAC Wi-Fi sniffing and cracking software have removed their code from distribution and halted their efforts, due to a change in German law that came into effect on 11-Aug-07 (article in German). KisMAC could be used for good or evil, but it was primarily a tool for monitoring and evaluating the security of Wi-Fi networks.
System administrators who used Macs were particularly fond of KisMAC. It was also a good way to demonstrate the utter failure of WEP (Wired Equivalent Privacy) encryption for Wi-Fi when trying to convince people to upgrade to WPA (Wi-Fi Protected Access), which actually works (see “Step on a WEP Crack, Break Your Network’s Back,” 2007-04-09).
KisMAC’s developers reacted to a small set of changes to section 202 in the German Penal Code. These changes broadened the definition of unauthorized access, and, in section 202c, criminalized both the possession of passwords to such networks and any tools that facilitate extraction of passwords and such. Section 202b says either unauthorized access to a private network or obtaining the data or the wireless transmissions of a computer is illegal, unless the data is intended for you. The penalty is two years imprisonment – the lovely phrase Freiheitsstrafe or “freedom penalty” – or a monetary fine. (Unauthorized access and “data not specifically for you” are
two overlapping parts – the one being access or interception, the other being the data itself.)
Section 202c describes punishment of a year in jail or fines if password or security codes to such networks are involved. It likens trafficking in passwords – selling, giving, receiving, etc. – to creating software that allows the extraction of passwords. There’s no exemption in the law, as I read it with my rusty German, that allows for research or other mitigating factors.
Thus, KisMAC’s ability to exist in Germany is legally invalidated, whether for the developers or those who use the software for any but very limited purposes. Because you give yourself permission to sniff your own network, you might be okay to use KisMAC in Germany, but the law seems to indicate that because infringing purposes are available, the software would be thoroughly outlawed even for in-house testing. If you inadvertently sniffed another network, too, you’d be in trouble even if in-house use were permitted.
These laws are part of a class of law found worldwide in which certain behavior is de facto illegal, regardless of any circumstances. The possession of child pornography, for instance, is so illegal in most of the world that even if you can prove you didn’t obtain or view the pornography, you may have no defense against imprisonment. This law provides the same level of indefensibility. The KisMAC developers note that in Germany, possession of child pornography carries twice the jail penalty of this new law.
There’s a further, broader set of changes to German law coming in 2008, too, which don’t specifically deal with hacking, but which raise similar concerns. The potential new policy covering Vorratsdatenspeicherung – loosely: the retention of stored data – includes all mobile and fixed telephony and data transfers. It has an incredibly overarching effect in requiring firms to retain records about the origin, destination, and location of parties involved in calling, emailing, text messaging, and other activities. A demonstration against the law is scheduled for 22-Sep-07 in Berlin.
As of 06-Aug-07, according to Wikipedia’s timeline of the matter, the developers say that a site in the Netherlands should be available “soon.” The KisMAC site notes, “KisMAC will live on. Different people. Different country. Same ‘threat’ to national security.” Wikipedia may be the best place to follow developments in KisMAC’s future, as the article continues to be updated.