Incentive system for data leaks - part 1

Photo by Conny Schneider on Unsplash

Unlawful government conduct, corruption, data protection violations or security gaps in software: it is often individuals who draw attention to such wrongdoing. Whistleblowers are therefore essential to exposing it. They can help authorities and the media uncover unethical or illegal behaviour and point out security gaps in companies. However, it is often the supposedly disruptive whistleblowers who are targeted rather than the wrongdoing itself. They are intimidated and harassed. At the same time, they find themselves in a legal grey area: their actions, although socially useful, can be prosecuted under certain circumstances. This carries the risk of a considerable chilling effect.

Examples of this include the case of an IT security researcher whose home was searched after he reported a data leak, instead of being rewarded for his security research (Golem), and that of an IT security researcher who reported a security vulnerability to the CDU and was subsequently reported to the authorities for it (Zeit).

The Whistleblower Protection Act (HinSchG) is a first step in the right direction. Anyone who comes across violations of the law in their professional environment can report them to specially established reporting offices and is meant to be protected from reprisals by statutory provisions. However, guaranteeing anonymity is a problem here too, and the scope of application of the HinSchG is limited. (Another blog post will follow.) As a result, there is still no legally secure way to submit data records anonymously. Reports of data leaks, discovered data records or security vulnerabilities by IT security researchers ("white hats" or "white hat hackers") and by whistleblowers from within companies often lead to criminal investigations against the reporters or to denials by the companies concerned. It is not uncommon for IT security researchers to turn to the CCC when they find security breaches (as was recently the case with D-Trust) because trustworthy alternatives are lacking. It is not only against this background that an anonymous submission to a trustworthy platform seems preferable.

The legal situation of platforms that, like DROPS, enable the anonymous collection and processing of data leaks is similarly problematic and is the subject of this blog post. (Cf. blog post.) Platforms such as DROPS enable whistleblowers to expose abuses anonymously. However, the provisions of criminal law must be observed so that the platform itself does not become the subject of criminal investigations. The provisions of the BDSG, the GeschGehG and the StGB are particularly relevant.

Legal uncertainties, particularly in the areas of data theft, unauthorised processing of personal data and the protection of trade secrets, make the work of such platforms considerably more difficult. The assessment under criminal law depends on several factors, which need not all be present, and on the individual case:

  • Origin of the data (lawfully or unlawfully obtained)
  • Technical security measures (whether the data was protected or not)
  • Whether the data was generally accessible (when this is the case is disputed)
  • Existence of a trade secret

These aspects are described in more detail in a follow-up blog post (part 2).