Recently the question of IT self-defence came up, and I found the topic interesting enough to start digging. In the physical world, self-defence under German law is defined in § 32 of the Criminal Code (StGB). But does this section also apply in the IT world? Is there a way to defend yourself against IT attacks, and if so, to what extent? Let us work through this topic from the bottom up and start with the legal part.
What is self defense?
“Self-defence means any defensive action that is necessary to avert an imminent unlawful attack on oneself or another.” (§ 32 StGB) The same section further states: “A person who commits an act in self-defence does not act unlawfully.”
Does this also apply in the IT world?
That is a difficult question, because no explicit law has been written yet. I discussed the topic with Monika Menz (lawyer at Ernst & Young Law GmbH, Head of Practice Group IP/IT). They referred me to two fundamental sections of the Telecommunications Act (TKG) and the Federal Data Protection Act (BDSG), which regulate the basic practices of the IT world:
§ 100 TKG: Faults in Telecommunications Systems and Telecommunications Service Fraud
This section applies only to telecommunications operators, but it shapes how personal data is handled in the German IT industry. Subsection 1 allows the recording of user data for the purpose of detecting and eliminating faults:
“(1) Where required, the service provider may collect and use the customer data and traffic data of subscribers and users in order to detect, locate and eliminate faults and malfunctions in telecommunications systems.”
This recording is permitted only temporarily, and the data must be deleted immediately afterwards, unless subsection 3 applies:
“(3) Where required, the service provider may collect and use the customer data and traffic data needed to detect and put a stop to the surreptitious use of services and other unlawful use of telecommunications networks and services when there are grounds, to be recorded in writing, to suppose such use. For the purpose referred to in sentence 1 the service provider may use collected traffic data in such a way as to identify, from the total traffic data not more than six months old, the data relating to those network connections in respect of which there are grounds to suppose that unlawful use of telecommunications networks and services has been made.”
Under this provision, when an attack takes place it is permitted to log not only personal data such as the IP address but also the data packets themselves. Keep in mind, however, that this applies only to telecommunications companies. For “personal” matters, or matters of any other kind, the Federal Data Protection Act (BDSG) governs. The BDSG regulates the collection, processing and storage of any form of data in Germany; in particular, § 28 BDSG is relevant.
§ 28 BDSG: Collection and recording of data for own commercial purposes
The first subsection authorizes the use of user data where a legal transaction exists. One could argue that by using the server's capacity the user implicitly accepts only its ordinary handling, so that a legal transaction covering the time spent on the site, or any other resource used, would exist.
“(1) The collection, recording, alteration or transfer of personal data or their use as a means to pursue own commercial purposes shall be lawful”
“1. [...] ”
“2. as far as necessary to safeguard legitimate interests of the controller and there is no reason to assume that the data subject has an overriding legitimate interest in ruling out the possibility of processing or use, or”
The following item is more interesting, however: it permits the use of the data if they are publicly available or if the controller would be allowed to publish them.
“3. if the data are generally accessible or the controller would be allowed to publish them, unless the data subject has a clear and overriding legitimate interest in ruling out the possibility of processing or use.”
In the legal sense, not only the IP address but also browser cookies and other personal data are understood as generally accessible data. The restriction, namely that the data subject's legitimate interest in ruling out processing or use must clearly outweigh the legitimate interests of the controller, comes down to a balancing of interests. Since the user's interest is directed at carrying out the attack, and therefore at harming the defender, that interest carries little weight. The welfare and interests of the owner and of the attacked party therefore take priority over those of the attacker. This reasoning is also reflected in subsection 6.
“(6) The collection, processing and use of special categories of personal data (Section 3 (9)) for own commercial purposes shall be lawful without the data subject’s consent in accordance with Section 4a (3) if
1. necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his or her consent,
2. data are involved which the data subject has manifestly made public,
3. necessary to assert, exercise or defend legal claims and there is no reason to assume that the data subject has an overriding legitimate interest in ruling out the possibility of collection, processing or use, or
4. necessary for the purposes of scientific research, where the scientific interest in carrying out the research project significantly outweighs the data subject’s interest in ruling out the possibility of collection, processing and use and the purpose of the research cannot be achieved in any other way or would require a disproportionate effort.”
Subsection 8 covers the handling of user data in the prosecution of offences.
“(8) [..] Transfer or use shall be lawful also if necessary to prevent threats to state and public security or to prosecute serious crimes.”
Furthermore, looking back at the Criminal Code (StGB), the “necessity” defence under § 34 StGB specifies:
“A person who, faced with an imminent danger to life, limb, freedom, honour, property or another legal interest which cannot otherwise be averted, commits an act to avert the danger from himself or another, does not act unlawfully, if, upon weighing the conflicting interests, in particular the affected legal interests and the degree of the danger facing them, the protected interest substantially outweighs the one interfered with. This shall apply only if and to the extent that the act committed is an adequate means to avert the danger.”
However, this applies only if the act is an appropriate means to avert the danger. There must be a present danger to a legally protected interest (life, limb, liberty, honour, property or another legal interest). “Danger” means that, on the basis of objective circumstances, damage appears probable; “present” means that the danger can turn into actual harm at once or within a very short time. In contrast to self-defence, an act of justified necessity is directed against the legal interests of a third party.
The danger must not be avertible by other means; that is, the mildest of the available means must be chosen.
In contrast to self-defence, in a case of necessity the interest in protecting the endangered legal interest must significantly outweigh the interest that is impaired (balancing of interests). According to § 32 sentence 2 of the Criminal Code, the act of necessity must also be an adequate means. This ensures that the act does not run contrary to recognised values and principles of law. The defender must be aware of the circumstances that justify the act.
Brilliant, I stopped reading at the second line. What does this mean?
Interestingly, this legislation grants the service owner quite a number of rights to protect itself.
You are allowed to store the IP address of a user in log files in order to detect attacks on your system.
You are allowed to “defend” yourself against attacks and to transfer this data to a redundant storage location such as your own hard disk.
If someone attacks you with the intention of destroying or harming your system, you are allowed to strike back, subject to proportionality. (The attack has to be present and undeniably illegal.)
Normally, a “good” hacker uses proxies and anonymizing software to hide his origin, so the IP address alone generally does not help to identify the attacker. You may, however, look into the possibilities of part 3.
And how am I able to strike back?
By now, I am able to get back to my original story. During the implementation of a game API I made a stupid mistake: I simply forgot to put in a filter which checks the returned value for INTEGER.
Due to this missing line, it was possible for the attacker to execute a simple JS injection attack. Because I was loading the value on a website in order to build a leaderboard, it was a breeze for the attackers to launch a PHP console with the rights of the web server. I'll spare you the ending of the story. However, I had thought of a potential attack and had therefore taken safety precautions:
Since the game accesses the API with an empty user agent, other queries would always have a human origin. So I built a gateway which recognized such a call and executed a small script. This script not only logs the IP but also imitates different web servers in order to read the attacker's cookies. In order to circumvent the security settings of the browser, my web server had to adjust its identification characteristics to those of the other web server. As far as I can tell, Firefox and Opera check neither the rDNS record of the web server's IP nor the mounted IPs and domains. So I was able to access the active ID and auth of my attacker's social media account.
What do we learn?
Yes, always use filters. But if you forget one, or simply as a precaution, you can build a self-defender in order to detect your enemy. You may not use this data further against him, but now you have the advantage of being able to report him. And with reference to § 202c StGB, your attacker has a poor hand if he hopes to get away with a mere warning.
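As an added example (not the author's code), here are the two filters the story says were missing, a strict INTEGER check on the submitted score and HTML escaping of everything that ends up on the leaderboard page, together with IP-only logging of rejected requests, which is the kind of logging the legal part above argues is permitted. The IP addresses, header values and the in-memory audit log are constructed; the empty User-Agent heuristic is the one described in the post.

```python
import html
import re
from typing import List, Optional, Tuple

# Strict INTEGER filter: ASCII digits only, no sign, no whitespace, bounded size.
SCORE_RE = re.compile(r"[0-9]{1,9}")
MAX_SCORE = 100_000_000


def validate_score(raw) -> Optional[int]:
    """Return the score as int, or None unless it is a plain bounded integer."""
    if not isinstance(raw, str) or SCORE_RE.fullmatch(raw) is None:
        return None
    value = int(raw)
    return value if value <= MAX_SCORE else None


def render_leaderboard(rows: List[Tuple[str, int]]) -> str:
    """Render (nickname, score) pairs as HTML, escaping every untrusted field."""
    cells = "".join(
        f"<tr><td>{html.escape(name, quote=True)}</td><td>{int(score)}</td></tr>"
        for name, score in rows
    )
    return f"<table>{cells}</table>"


def handle_submission(client_ip: str, user_agent: str, nickname: str,
                      raw_score, audit_log: List[str]) -> Optional[Tuple[str, int]]:
    """Accept a submission, or log the rejection with the client IP only."""
    score = validate_score(raw_score)
    if score is None:
        # Heuristic from the post: the game client sends an empty User-Agent,
        # so a non-empty one points to a browser or tool driven by a human.
        origin = "game-client" if user_agent == "" else "non-game-client"
        audit_log.append(
            f"REJECT ip={client_ip} origin={origin} reason=non-integer-score")
        return None
    return (nickname, score)


if __name__ == "__main__":
    log: List[str] = []  # constructed in-memory stand-in for a log file
    # Constructed requests: a legitimate game client and an injection attempt.
    rows = [r for r in (
        handle_submission("203.0.113.6", "", "alice", "1200", log),
        handle_submission("203.0.113.5", "Mozilla/5.0", "<b>bob</b>",
                          "<script>alert(1)</script>", log),
    ) if r is not None]
    print(render_leaderboard(rows))
    print("\n".join(log))
```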