Simulation Study 2024

In September 2024, the first case relating to the legal framework for cybersecurity research was presented to a mock court.

The case

The first fictional case study focuses on cybersecurity researchers A and B, who frequently scour the dark web for the latest attack methods and tools. They come across a file called 'Offer to carry out cyberattacks on behalf of others.pdf'. Researchers A and B decide to download the file to find out what cyberattacks are being offered. However, the file also contains a list of thousands of stolen access details from two large companies, which the criminal providers have included as a 'work sample'. A and B deal with this accidental discovery differently. For example, Person A documents every key step in their handling of the data and logs into an account on a trial basis to test its authenticity and validity, but does not notify the affected companies. In contrast, Person B notifies the affected companies, but does not document their handling of the data or test the logins.

These contrasting approaches are intended to give cybersecurity researchers guidance on legally compliant research, which is why the fictional researchers sometimes act differently from how their real-life counterparts would.

The simulated court hearing

The court found Person A guilty of accessing an account on a trial basis. They issued a warning and reserved the right to impose a penalty of 20 fines, each worth EUR 100. The court also ordered Person A to pay €4,000 to a charitable organisation. The judge participating in the study explained that Person A had violated the data owner's interests by logging into someone else's account, even if only briefly and for testing purposes. "In this case, the end does not justify the means," the judge said. Person A was acquitted of all other charges and Person B was completely acquitted.

Although this decision is based on a fictional case, and final judgements depend on individual cases and can only be made by competent courts, this mock trial provides valuable insights into the criminal liability of cybersecurity researchers' actions, such as overcoming access controls, the prerequisites for intentional action, and the possibilities for justifying actions relevant to criminal law.

A detailed description of the case and the court's ruling were published in the December issue of the journal "Datenschutz und Datensicherheit" (DuD) and are available here free of charge.