Austria

Several elements of an offence may be used for the prosecution of cybercrime in Austria. As it relates to penetration testing, we will briefly introduce and explain the fundamental statutory text:

(1) A person who gains access to a computer system that they are not authorised to use at all or at their sole discretion, or part of a system that they access by overcoming a specific security precaution in the computer system

1. with the intent of accessing personal data or making it available to third parties, knowledge of which violates the legitimate interests of the data subject or

2. another person through the use of data stored in the system and not intended for the person gaining access, or by using the computer system to inflict harm, is punishable by imprisonment for up to six months or a fine of up to 360 daily rates.

(2) A person perpetrating such an act on a computer system that is an integral part of the critical infrastructure (§ 74 section 1 Z 11) is punishable by imprisonment for up to two years.

(3) The offender can only be prosecuted with the authorisation of the violated party.

(4) A person who commits the act under paragraph 1 as part of a criminal organisation is punishable by imprisonment for up to two years, and any person who commits the act under paragraph 2 as part of a criminal organisation is punishable by imprisonment for up to three years.

- Criminal code (StGB), § 118a StGB illegal access to a computer system

To put it simply, section 118a StGB threatens imprisonment if we gain unauthorised access to the data of an IT system or help a third party to do so. So from now on, it would be wise to no longer log on to third-party websites as an administrator, despite the fact that the standard user account admin/admin is naturally a very secure password. So the question now is, are we also no longer allowed to surreptitiously connect to the protected WLAN of our neighbours?

(1) A person who wilfully gains knowledge of data not intended for them or another unauthorised person by means of a computer system, and who by their own use of the data disclose or publish the data to another party for whom it is not intended, gain financial advantage for themselves or a third party or harm another, use a device that is attached to the computer system or one that has otherwise been rendered capable of receiving data, or use the electromagnetic radiation of a computer system, is punishable by imprisonment for up to six months or a fine up to 360 daily rates, unless the offence is punishable under Section 119.

(2) The offender can only be prosecuted with the authorisation of the violated party.

-Criminal code (StGB), § 119a StGB unlawful interception of data

Section 119a StGB prohibits interception of third-party data transmitted by computer systems. Consequently, we are no longer allowed to record the network traffic of our neighbour either. Too bad, as his Google query “How do I protect myself from my neighbour?“ was always so exhilarating. But in all seriousness:

(1) A person

1. who wilfully produces, introduces, distributes, sells, otherwise makes accessible, acquires or owns a computer program which, according to its special nature, can be used to unlawfully access a computer system (§ 118a), breach telecommunications secrecy (§ 119), improperly intercept data (§ 119a), cause data corruption (§ 126a), a disruption of functionality of a computer system (§ 126b) or has been created or adapted for fraudulent data processing purposes (§ 148a), or a similar such device, or

2. a computer password, access code or comparable data that enable access to a computer system or a part thereof, with the intent of using such to commit any of the offences referred to in subparagraph 1, is punishable by imprisonment for up to six months or a fine of up to 360 daily rates.

(2) According to paragraph 1, anyone who voluntarily prevents use of the computer program mentioned in paragraph 1 or an equivalent device or password, the access code or the data similar to that specified in §§ 118a, 119, 119a, 126a 126b or 148a, is not punishable by law. If there is no risk of such use or if the risk has been eliminated without intervention of the offender, the person is not punishable if they willingly and solemnly endeavour to eliminate it without knowledge of the former.

- Criminal code (StGB), § 126c StGB misuse of computer programs or access data

According to section 126c of the Criminal Code, even possessing or producing any tools that can be used for unauthorised data access is prohibited. This means that being in the possession of Kali Linux would be punishable, because this operating system includes several hacker tools. Our path of becoming a penetration tester would then come to an end before it even started. However, because our actions serve the purpose of preventing such hacker attacks, thankfully we are subject to the second paragraph of § 126c.

As the second paragraph of the above legal text stipulates, we are not punishable by law if our actions are intended to prevent hacker attacks. Since we as penetration testers want to identify all entry points to an IT system, we are compelled to report these to our client. Otherwise we would be liable to prosecution. In summary: we may only attack an IT system with a statement of agreement by the operator.