Internet Security and the Law

by Prof. Dr. Bernd Holznagel
Online publication, Beijing, English, 11 pages.

I. Introduction

Nowadays, the Internet has attained enormous significance as a driving force of social and economic change. Even if the far too optimistic visions of the New Economy have vanished today, there is still no doubt that the sale and marketing of merchandise and services have found new forms in the network of networks. However, these innovations are not limited to the commercial sector (so-called eCommerce). Local and federal authorities aim at carrying out "eGovernment" by providing voluminous websites about their services(1). In my current hometown, for instance, citizens can not only find information about the timetable of the refuse disposal service or the opening hours of public baths. For further questions, one can also turn directly to the officials by eMail. These days, certain courts and authorities even accept tax declarations and reports or plaints processed online(2).

We all know that every medal has two sides. The advantages of the internet are opposed by significant disadvantages. They may be well illustrated by the everyday experiences with the internet in my institute. My eMail account at the University of Münster is flooded every day with dozens of spam mails(3), without my authorization. A customer profile of my person has obviously been created, because the commercial spam I receive always praises similar products and businesses. As a professor, I seem to be especially interesting for banks, which constantly offer me mortgages and other credits. Recently, internet pharmacies offering postal drug delivery have become more and more active(4). Time and again the institute also happens to receive material that may be described as pornographic. Occasionally, we are also warned by the university information processing centre about students surfing to illegal websites or even providing illegal web content themselves. Broad public attention is devoted to paedophile pornography and xenophobic web content. The latter are in particular websites glorifying Adolf Hitler's politics and denying the persecution of Jews during World War II (the so-called Auschwitz-Lie). Finally, the hacker attacks of recent weeks need to be mentioned. Our University as well as other institutions have repeatedly been victims of virus attacks. One of these viruses was even able to paralyse all of the university's internet traffic for two days. Such attacks affecting air traffic or energy supply would have inconceivable consequences and cause unimaginable damage(5). This raises the question: how may these threats be contained by means of law?

II. Provider- and User internet access

An important keyword is the "enhancement of public control". But where should it start? If online communication affects the rights of third parties or the security of information technology, one might tend to subject internet and service providers as well as users to a concession requirement. That way, one could at least check the reliability of those who want to use the medium and in consequence ease the prosecution of lawbreakers. This idea is not unfamiliar to German media law. For instance, someone who wants to broadcast TV or radio programs needs to apply for a concession first. As far as the new internet services are concerned, however, the German government has chosen not to follow this model. According to the applicable laws (the "States Treaty covering Media Services" and the "Act on the Utilization of Tele Services"), internet services are free of concessions. Hence, I needed no concession to put my institute's homepage online. Even my private internet access, provided by a small local telecommunication business, is not registered by the authorities; the same goes for the internet provider, which is subject neither to concession nor to registration. However, in order to enable internet users to complain about web content, providers have to make general information available. E.g. they have to put their name, address and eMail address on their homepage.

The Federal Republic of Germany, as well as Europe in general, has decided on this liberal handling of the internet because we believe that this is the only way of using and advancing the entire potential of the internet medium. An overdose of control would inappropriately narrow spontaneous communication, which is guaranteed by the constitutional freedom of opinion. Moreover, a concession system – provided internet control is technically realisable at all – would be difficult to put into practice. The administrative efforts would surely be vast. The broad public acceptance that the internet has reached in the past years would certainly not have been achieved with an approach of restrictive control(6).

Besides, we are optimistic about getting a hold on the risks of internet communication(7) described above. On the one hand, traditional administrative and criminal law will serve as instruments(8). On the other, we have come to the conclusion that the internet community is in many fields able to establish order itself. The state even depends on supporting individual commitment for the objective of public welfare, because especially young internet users oftentimes know more about the functionality of computer networks than authorities do. Let me clarify this approach of self-regulation with the allocation of internet addresses and domain names. Afterwards, I will point out how the public instruments work(9).

III. Allocation of internet-addresses and domain-names

The transmission of information by third parties always presupposes a distinct address. A letter must carry a deliverable address. In order to make a phone call, you need to dial the correct telephone number. And on the internet, data will only find its way if IP-number and domain-name are exact. A typical IP-number for example is; this is my institute's web-server at the University of Münster. The proper domain-name is itm@uni-muenster.de. The setup of addresses in the postal and telecommunications domain is traditionally state-run. On the internet, things have developed differently. There has never been a public authority setting technical or organisational rules for the network of networks, although the whole functioning of the internet depends on the addresses. In the USA the internet did indeed emerge from the military ARPA-net. But already in the early 80's the organisation and support of the internet was handed over to American universities and later to privately operating providers. Today, it is the non-governmental and non-profit Internet Corporation for Assigned Names and Numbers (ICANN) that is responsible for the worldwide coordination of IP-numbers and top-level domains. Europe has followed this example and likewise not installed public authorities for these tasks. The regional registry for IP-numbers is the Réseaux IP Européens Network Coordination Centre (RIPE NCC). The Deutsches Network Information Center (Denic e.G.), whose members are German internet service providers, is responsible for second-level domains underneath the top-level domain "de"(10). Denic's work has altogether proven itself well. Denic has set up the standards to which every domain-name must correspond. The allocation of addresses works efficiently and without much bureaucracy: whoever has found a free name may basically have it registered as a second-level domain. The applicant must simply affirm that there are no indications that the rights of third parties are impaired.
Denic carries out no further substantive verification. Basically the allocation works according to the general principle "first come, first served"(11). As a matter of course, this does not prevent collisions of interests. In Germany, too, there are hence many disputes about the allocation of domain-names. The case "heidelberg.de" has become famous. This address was at first assigned to a business. However, the city of Heidelberg successfully claimed an infringement of its right to that name(12). In Germany a court is responsible for this kind of disagreement. Recently however, such disputes are oftentimes settled before arbitration panels(13). In sum, the state leaves the allocation to the internet community and restricts itself to providing means of settling the disputes.

IV. Fighting illegal internet content

1. Examples of illegal content

Interlocutors in China time and again underline that the state must - even in the age of the internet - proceed against the dissemination of web content interfering with third parties' rights or public interests. They criticise the U.S.-American constitutional understanding of the absolute priority of the freedom of opinion. This view is in principle also shared in the Federal Republic of Germany.

Yet it must be stressed that public authorities have to surmount high hurdles before restricting the freedom of opinion. The freedom of opinion is one of the most eminent constitutional rights in Germany. This is shown by the fact that it has been placed at the beginning of the constitution: right after the principle of equality and the freedom of religion. The German Constitutional Court, our highest court, has always put emphasis on the freedom of opinion as plainly constitutive for a democratic republic(14). Authorities – even secretaries of state – are not readily able to ban social and political views. Censorship is generally forbidden. In Germany there is no authority that could control newspapers and flyers prior to their publication. Only general prohibitions that must be followed by everyone are tolerable, and their infringement may be punished. Such interference must always be justified by a general law. Reasons that could legitimate an intervention into the freedom of opinion are for instance matters of personal honour and the protection of minors. These principles, originally conceived for the dissemination of opinion in press and broadcasting, have nowadays been transferred to the internet by the legislator. Some examples of such prohibiting laws are:

  • First of all, according to the Criminal Code (Strafgesetzbuch), anyone who gives minors access to pornographic content will be punished. Since "providing access" in this sense means every possibility of sharing the content, an internet provider will already violate this law by presenting pornographic information on his homepage, regardless of whether it is in fact seen by minors or not.

  • Besides pornographic content, content exalting violence may also not be made accessible to minors. This means content that plays down or glorifies violence against humans or presents it in a way that violates human dignity. This is e.g. the case if humans are being tortured in particularly abnormal ways (for instance tearing out bowels).

  • Under the heading of sedition the Criminal Code makes it a punishable crime to disseminate media content that contains propaganda which incites hatred or violence against national, ethnic or religious groups. If for example someone on a homepage in the internet, in a newsgroup or in a chat incites hatred or violence against Jewish fellow citizens, asylum seekers or other ethnic minorities, he can be punished with a prison sentence of up to three years.

All these examples show that the legislator has not been deterred by the difficulties of law enforcement from bringing traditional criminal law provisions to life on the internet. Often it is argued that measures taken by the police lead to nothing if the criminal content is located on servers abroad. Indeed German authorities are not allowed to destroy certain criminal content on a server abroad by means of Denial-of-Service-Attacks, Mail-Bombs or Viruses. But they can take action against and punish foreigners who are present in Germany, and German nationals who actively take part in committing the crime or abet it(15).

2. Liability of Providers

The current discussion in Germany however does not so much focus on the criminal responsibility of content providers but above all on the responsibility of access providers. Let me present the problems related to this matter using the somewhat famous CompuServe Case(16).

In November 1995 German police informed Mr Solms, the chief executive officer of CompuServe Germany, of the existence of five newsgroups on the servers of CompuServe in the US that contained child pornography(17). The police also gave him a list of 282 more usenet newsgroups which were available via CompuServe Germany and which, according to the police, contained such content as well or could be used to make such content available. Mr Solms passed this information immediately to the parent company in the US and asked CompuServe USA to delete or to block these newsgroups. CompuServe USA initially did just this, but by doing so caused a massive wave of protest from users all over the world. Consequently the 282 newsgroups were reopened in February 1996 after CompuServe USA and CompuServe Germany had provided software for child and youth protection to their members. In later checks German police again found some postings that contained "hard pornography". The German CEO, Mr Solms, was then indicted because of 13 of these pictures and found guilty by the court of first instance, the Amtsgericht Munich. The second instance court however acquitted him.

There was probably no court case in Germany in recent years that has provoked similarly fierce reactions in the U.S. press. Articles related to the CompuServe case were headed with "Deutschland's Internet Angst" or "Deutschland's Zukunft im Internet fraglich". A large majority of Germans however considers it reasonable that an access provider should constantly block criminal newsgroups, if they provide a forum for the dissemination of child pornography. For most Western-Europeans tolerance ends when child pornography is concerned.

Two bases of liability are generally agreed(18). That the so-called Content-Provider is liable for its own content is self-evident. The Access-Provider, in contrast, only provides technical access to the internet. It can be compared to a postal service, which also does not know the content of the letters that it transports from one place to another. Thus the Access-Provider is freed of liability for content on the internet. The liability of the so-called Host-Provider, which stores information for different users, was disputed for some time. Host-Providers are the hub of the new internet world, as they provide webspace free of charge or for a certain charge. Generally the Host-Provider does not exercise any influence over which content is deposited on its server. It can however take the role of a moderator of a newsgroup and can then take part in the organization of content for the internet page. Not least because of this changing role and task of the Host-Provider, it was intensely discussed whether a Host-Provider is rather similar to a fully responsible Content-Provider or to a non-liable Access-Provider. Practical considerations played some role in this context. It is the Host-Provider that has the best overview of the communication content it administers. Thus it seemed an obvious conclusion to oblige it to look for criminal content on the internet and to report such content to the authorities. This would make it a kind of auxiliary policeman.

The German legislator as well as the European Community have not followed this conclusion. Too much of a burden on the internet companies would probably have meant the end of many young companies. However, a complete exclusion of liability for Host-Providers was also not wanted, for reasons of public security and public order. Hence a compromise was adopted: according to the German Teleservices Act and the European E-Commerce Directive, Service Providers are not liable for the information which they store for users as long as they are not aware of the illegal nature of the information or action. Once they have knowledge of the illegal content, however, they are obliged to take immediate action to block or remove the content. In the CompuServe Case the first instance court held the opinion that the CEO of CompuServe Germany, as a Host-Provider, was liable for US content as well. The police had brought the illegal content to his knowledge and the content concerned had then not been removed. The second instance court, the Landgericht Munich, opposed this view with the argument that the German CEO had had no chance to actually enforce the blocking of the content against the parent company. He was thus considered similar to an Access-Provider and had not committed a crime. You see, Ladies and Gentlemen, the solution of such liability questions is not always easy and the solution found often remains disputed(19).

3. Prosecution of Criminals on the Internet / Data Protection

We also consider fighting illegal content on the internet a task that is important for society. In practice the police generally is successful when it obtains information on the communication of an individual from Service Providers. However in our legal tradition this method cannot be used discretionarily. Such investigations are subject to comparably strict legal rules(20). Let me explain this by using an example: Suppose a citizen contacts the police and informs it that he has found an e-mail from an unknown sender in his mailbox. This in practice by the way happens relatively often and many police stations can be contacted by e-mail. Our responsible citizen thus sends the e-mail concerned to the police and the e-mail contains an image of child pornography. The sender's address is jung+sexy@t-online.de. The police now wants to know the following from T-Online, which is a subsidiary of Deutsche Telekom and at the same time the largest Internet-Provider in Germany: 1) Who is behind the address jung+sexy@t-online.de? 2) Who else has received e-mails from this person? Who else is a possible further "client"? 3) Which mails with which content does that person have in his / her mailbox? This in order to find possible suppliers of the images.

Dissemination of child pornography is a serious crime, so one could be inclined to think that the police could take action in this context with considerable discretion. But: the fathers and mothers of our constitution have made the right to confidentiality(21) of all electronic communication a fundamental freedom in Art. 10 para. 1 of the Basic Law and have obliged the state to respect this confidentiality. And they did this foresightedly regardless of the technical means used. The protection of this fundamental freedom encompasses e-mails, voice over IP, SMS, Internet Relay Chats, and so on.

The fundamental freedom not only protects the content of the communication such as the words spoken in a phone call or the text of an SMS, which are called "content data" in legal terms, but it also protects "connection data". Connection data are those data which are collected in making available or providing a certain telecommunication service, such as the IP-numbers of an internet connection. These need to be distinguished from so called stock data, which are collected independently from the single communication, such as the data collected when the contract between the client and the Service-Provider is concluded (i.e. name, address and banking details of the client)(22).

German Law contains a hierarchy of data, a sort of hit parade of confidentiality. The stock data, thus the question of who is behind the jung+sexy@t-online.de address, is at the bottom of this scale. Suppose it was Mr Mayer from Berlin. These data can be obtained by courts, prosecutors, the police, the customs office and by the secret services from the providers and they can even be accessed in an automated procedure according to § 90 TKG, whenever the authorities consider this to be necessary.

At the top of the hierarchy we find the content data – thus for example the content of the mailbox of Mr Mayer – as they form the actual core of the communication. They can only be examined and monitored if a judge has authorized these measures. Only in urgent cases can the prosecutor authorize such action. In these cases the order by the prosecutor needs to be confirmed by a judge within three days. Measures may only be adopted against suspects and their contact persons. The heart of the legal provision governing these measures is an extensive catalogue of crimes. The surveillance of communication data may only be authorized if the suspect is suspected of one of the so called "catalogue crimes", which are enumerated in § 100a StPO. Terrorism and spying are such catalogue crimes as well as other serious crimes such as murder, organized crimes, drug trafficking and also child pornography. Not included are "normal" crimes such as fraud or theft. Prosecutors need to find other means to investigate such crimes; they cannot make use of content data of confidential communication.

In between the more or less easily available stock data on the one hand and the relatively well protected content data on the other, we find the connection data. By their nature they are not as sensitive as the content of a phone call, for example, but they are still of major relevance for investigations. With these data one can establish a picture of the social environment of a person, his / her communication partners and also his / her consumer habits if he / she uses the internet. Connection data are thus far from meaningless or harmless. Obtaining these data is possible, but again not in order to investigate everyday crimes, only for investigations that concern somewhat serious crimes and those crimes that are committed via telecommunications services. This would be the case in our example, as the images of child pornography were disseminated via e-mail(23).

All these categories may sound complicated. In practice the system works reasonably well. We believe that with this approach we have found a reasonable and adequate balance between the freedoms of the individual and the needs of the public. In addition we try to monitor whether this balance is maintained by conducting statistical controls and scientific investigations and would amend the law if need be.

V. Network Security

To conclude, I would like to address one further problem that has become more important in recent years. A short time ago it was reported that the source code of the so far unpublished computer game "Half-Life 2" had been stolen from the computers of the software firm and had been made available on the internet. Unauthorized intruders had installed so-called key-loggers for the secret recording of keyboard inputs on the systems of the software company and had thereby obtained the passwords to access the source code. This meant an immense economic loss for the software company. It will have to write a large part of the software again. This is just one example of the increased danger for electronically stored data in worldwide information and telecommunication networks and the economic losses these dangers entail(24).

To reduce such dangers several preventive technical solutions exist. Data can be encrypted to protect its confidentiality. To be able to attribute data to a certain person the data can be electronically signed. The unauthorized access to data can be impeded by firewalls, intrusion detection systems, anti-virus software and by using key cards or biometric data to control access. In addition there are a number of technical or organisational measures that can be taken to guarantee IT security (regular back-ups, regular changes of passwords,…).

Furthermore violations of IT security are punishable under certain provisions of the Criminal Code. To protect confidentiality the spying out of data is a crime under § 202a StGB. To protect authenticity, integrity and availability of data, they may not be altered without authorization (§ 303a StGB). Criminal Law not only protects single data but it also covers the disruption of a company because of unauthorized changes in a data carrier or a data processing device (§ 303b StGB). In addition data transferred by telecommunication services may not be passed to third parties by employees of the telecommunications company (violation of the telecommunication secret, § 206 StGB). Finally the altering of probative data is punishable under § 269 StGB (forgery of probative data) and § 274 para. 1 No. 2 StGB (amending of probative data)(25).

In order to harmonize criminal laws in Europe, most of the crimes mentioned have also been included in the Cybercrime Convention of the Council of Europe, which was adopted and signed on November 23rd 2001 by 28 member states (among them France, United Kingdom, Germany, USA, Canada, Japan). The People's Republic of China has so far not adopted the Convention(26).

VI. Conclusion

The rules and criminal law provisions just mentioned will not be enough to establish "law and order" in cyberspace. In an environment that evolves as fast as the internet one needs to be flexible, and one has to rely on and trust the responsibility of citizens. Maybe a classic can provide some valuable advice in this context. In such a situation Goethe proposed: "One has to eliminate obstacles, to clarify concepts, to provide examples and to try to interest all participants. This however of course is more burdensome than merely issuing orders, but it is the only way to attain the objective in such an important area and to really actually change something and not only to intend to change" (to Duke Karl August, November 26th 1784).


  1. Cf. Büchner, E-Government – Staatliches Handeln in der Informationsgesellschaft, 2003; further information on the possible applications of E-Government: Hanßmann, Möglichkeiten und Grenzen von Internetwahlen, 2004; Holznagel/Grünwald/Hanßmann, Elektronische Demokratie, 2001.
  2. Kussel, Die Digitalisierung der Verwaltungsgerichtsbarkeit, 2003; Holznagel, Recht der IT-Sicherheit, 2002, 216 ff.
  3. For further information see: Wendlandt, Cybersquatting, Metatags und Spam, 2002.
  4. Cf. Rolfes, Internetapotheken, 2003, 1 ff.
  5. More detailed: Denninger, Computers under attack, 1991.
  6. Holznagel/Sonntag, Staatliche Verantwortung für den Schutz ziviler Infrastrukturen, 125 ff., in: Holznagel/Hanßmann/Sonntag, IT-Sicherheit in der Informationsgesellschaft – Schutz kritischer Infrastrukturen, 2001; further information: Zehnder, Gefahr aus dem Cyberspace, 1998.
  7. Wagner, Anforderungen und Möglichkeiten eines Rechtsrahmens für IT-Sicherheit: Bedarf es eines IT-Sicherheitsrahmengesetzes?, 144 ff., in: Holznagel/Hanßmann/Sonntag, IT-Sicherheit in der Informationsgesellschaft – Schutz kritischer Infrastrukturen, 2001.
  8. Holznagel, Recht der IT-Sicherheit, 2003, 35 ff.
  9. Further information: Holznagel, IT-Sicherheit, 2003; Waltermann/Machill, Protecting Our Children on the Internet, 2000.
  10. Hoeren/Sieber, Handbuch Multimedia Recht, Loseblatt, Teil 6 Abschnitt A.
  11. Homepage of the Denic e.G., see http://www.denic.de (Date: 13.09.04).
  12. „heidelberg.de“ – case: LG Mannheim NJW 1996, 2736 ff.; see also: Kulejewski, Der Anspruch auf Domain-Übertragung, 2003.
  13. Further information: Strömer, Das ICANN-Schiedsverfahren, 2002.
  14. Cf. Decision of the German Constitutional Court: BVerfGE 62, 230 (247).
  15. Sieber, Kinderpornographie, Jugendschutz und Providerverantwortlichkeit im Internet, 1999, 51 ff.; Stadler, Haftung für Informationen im Internet, 2002, 35 ff.; Cf. Sieber, Verantwortlichkeit im Internet, 1999; Germann, Gefahrenabwehr und Strafverfolgung im Internet, 2000.
  16. AG München 28.05.1998 – 8340Ds 465 Js 173158/95, in: MMR 8/1998, 429 ff.
  17. For further information on the CompuServe case: Hoeren/Sieber, Handbuch Multimedia Recht, Loseblatt, Abschnitt 19 Rdnr. 253.
  18. Cf. Hoeren/Sieber, Handbuch Multimedia Recht, Loseblatt, Abschnitt 19.
  19. Sieber, Kinderpornographie, Jugendschutz und Providerverantwortlichkeit im Internet, 1999, 32 ff., 61 ff.; Stadler, Haftung für Informationen im Internet, 2002, 28 ff., 119 ff.; also: Sieber, Kinderpornographie, Jugendschutz und Providerverantwortlichkeit im Internet, 1999; Stadler, Haftung für Informationen im Internet, 2002.
  20. Cf. Germann, Gefahrenabwehr und Strafverfolgung im Internet, 2000.
  21. More detailed: Sievers, Der Schutz der Kommunikation im Internet durch Artikel 10 des Grundgesetzes, 2003.
  22. Holznagel, Recht der IT-Sicherheit, 2003, 181 ff.
  23. Hoeren/Sieber, Handbuch des Multimedia Rechts, Loseblatt, Abschnitt 16 Rdnr. 93 ff.
  24. More information on Network Security: Holznagel, Recht der IT-Sicherheit, 2003; Holznagel/Hanßmann/Sonntag, IT-Sicherheit in der Informationsgesellschaft – Schutz kritischer Infrastrukturen, 2001.
  25. Holznagel, Recht der IT-Sicherheit, 2003, 106 ff.
  26. Holznagel, Recht der IT-Sicherheit, 2003, 128 ff.; text of the Convention: http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (13.09.2004).

The Author

Prof. Dr. Bernd Holznagel, LL.M. is Director of the Institute for Information-, Telecommunications- and Media Law (ITM), Department II, University of Muenster.