The implementation of these methods must be carried out in accordance with the legal systems of the respective jurisdictions. Based on Estonian and German legislation, the authors address two different approaches to supporting the fight against botnets: first, joint technical measures to combat botnets, mainly related to the takeover and elimination of botnets, are legally evaluated; second, some purely legal constructs, such as compensation for damage caused illegally, are proposed, which may apply in certain circumstances and thus indirectly contribute to the limitation of botnets. As a result, a number of legal requirements as well as potential risks are described that are relevant in the fight against botnets.
Laws such as the UK's Computer Misuse Act and various European data protection laws are designed to protect the law-abiding user. The problem is that the same laws also protect the criminal. NATO and ENISA have collaborated on a report to analyse the legal implications for those involved in tackling one of today's biggest cyber problems: botnets.
The extent of the legal complications is evident in what the report calls “one of the logical first steps” when a botnet infection is known or suspected: packet inspection. On the one hand, packet inspection monitors traffic and not message content, and so should not violate this part of European data protection laws. On the other hand, the IP address is a much more complex issue, and data protection and telecommunications secrecy must be taken into account. There is currently a debate about whether a user's IP address constitutes personal data, and the report does not address this debate. However, it notes that if an IP address is personal data, “traffic collection and analysis in accordance with Article 10 of the Estonian Data Protection Act would require the consent of the data subject”, which is highly unlikely if the data subject is a cybercriminal.
Equally worrisome is the takeover itself. Specifically, with reference to the German law in force, the report states that “the goodwill of the actor is irrelevant, as any person who collects information or produces or acquires (hacking) tools with the intention of obtaining unjustified access to third-party data is punishable under §§ 202c and 202a StGB”.
But even if the botnet's C&C servers are taken over or shut down, infected bots remain infected. A few years ago, Dutch police took control of a BredoLab botnet and used C&C servers to send messages to infected computers. That's as far as they could go. “The preparation, infiltration and disinfection of the robots meet the data handling requirements in accordance with § 303a StGB, even if only the infection is eliminated and the original state is restored,” the report says.
Published online by Cambridge University Press: February 28, 2020.