If law is nothing more than software, it can also be attacked like software
Law Hacking

The modern legal system is experiencing continuous inflation. Quantifying the density of regulations in Germany is not easy, as it is constantly changing. In June 2024, the Bundestag published figures of 1,797 valid laws and 52,401 individual regulations at the federal level. Since the beginning of the previous legislative period, 52 new laws and 1,282 individual regulations had been added. At the same time, 36 laws with 1,060 individual regulations were repealed. Despite all assurances of reducing bureaucracy, we are seeing a steady increase.
I would like to refrain from the (partly ideological) discussion of whether the increase is justified or not. Instead, I ask the question: can this situation be controlled?
Many regulations contain overlaps, contradictions, or gaps. The interrelationships are complex, and the intended digitalization of legal application creates challenges. A (not entirely) new approach attempts to defuse the situation by logically coding laws. In simpler terms, this means describing laws in logical flow structures, comparable to software code. Unfortunately, it inadequately addresses a crucial point: if a law is nothing more than software, it can also be attacked like software.
Law as Code – Law as Software
The idea of treating law like program code is not a pipe dream. Various ministries have been promoting the „Law as Code“ concept for years. This is the notion that legal norms should be readable and executable not only for lawyers but also for machines. The assumption is that law is essentially nothing more than sets of rules with conditions, logic, and dependencies, just like a computer program. This development has two sides. On the one hand, there is the hope that law will become more digitally compatible. On the other hand, however, it also opens up extensive possibilities for automated attacks.
Imagine you’re a hacker. Not a hacker who launches encryption programs to extort ransom from other people’s systems, but a legal hacker. Someone who views law as a system with rules, logic, and vulnerabilities. If we treat law like software, it turns out to be full of bugs that can be exploited. And not just by hackers, but also by companies, lobbyists, or citizens trying to navigate the jungle of legal code.
Let’s take two dry but interesting examples: § 320 of the German Social Code, Book VI (Statutory Pension Insurance, dated December 18, 1989) and § 238 of the German Social Code, Book IX (Rehabilitation and Participation of People with Disabilities, dated December 23, 2016). Both sections regulate what happens if someone violates their reporting or disclosure obligations. Both provide for fines and, if read as code, contain loopholes that can be exploited.
In the IT world, rules are written in a programming language, tested, and checked for errors. In the legal world, they are enshrined in legal paragraphs, but then often no longer systematically monitored, especially given the complex interplay with other legal norms. Yet the consequences of errors in law are often far more serious than a crashing program. They can cost millions, create injustices, and destabilize social systems.
Are similar mistakes punished differently?
Let’s consider the two penalty provisions from the field of social legislation. At first glance, both regulate similar matters: obligations to provide information and report. However, while § 320 of the German Social Code, Book VI (SGB VI) stipulates a maximum fine of €2,500 for providing incorrect or delayed information, § 238 of the German Social Code, Book IX (SGB IX) allows for fines of up to €10,000.
Why this discrepancy? At first glance, one might think: „Of course, disability rights are more important than pension insurance.“ But is that really the reason? Or are there systemic issues, arbitrariness, or simply poorly drafted law at play? The answer: it’s complicated. The German Social Code, Book VI (SGB VI), dates back to 1989, while Book IX (SGB IX) was passed in 2016. Perhaps the legislature simply wanted to generate more revenue. Or perhaps the protected interests were weighted differently. SGB IX deals with the rights of people with disabilities, which address an increasingly sensitive social issue. SGB VI „only“ concerns administrative regulations for the pension insurance system. But does that justify a penalty four times higher for similar violations?
This is where it gets interesting. Inconsistencies like these are like open doors for abuse. If we consider the two paragraphs as code, then we can ask ourselves: How would a hacker exploit this vulnerability?
Regulatory arbitrage – „I only pay the minimum“
The following consideration is, of course, merely a thought experiment and would be illegal to carry out. But let’s explore the idea of what someone might think if they wanted to exploit it.
An employer faces the choice of complying with both reporting obligations (SGB VI and SGB IX) or fulfilling only one of them. The applicable fines play a crucial role in this decision. Since the penalties under SGB IX are significantly higher, the employer could strategically disregard the SGB VI obligations and fulfill only those under SGB IX.
Cost-benefit analysis:
- If he violates both obligations, he theoretically faces a fine of up to €12,500.
- If he only fulfills the obligations under SGB VI, he risks a maximum of €10,000 (only for violations of SGB IX).
- If he only fulfills the obligations under SGB IX, he risks a maximum of €2,500 (only for violations of SGB VI).
Someone who thinks solely in terms of economic optimization might choose the option with the lowest financial risk. Since the penalties under SGB IX are significantly higher, it is worthwhile for them to carefully comply with these obligations – whereas they are more willing to take risks with SGB VI obligations because the penalties are lower.
In practical terms, this would mean prioritizing obligations under Book IX of the German Social Code (SGB IX). This means that record-keeping according to § 163 Section 1 SGB IX and providing information according to § 163 Section 5 SGB IX would be carried out correctly. Obligations under Book VI of the German Social Code (SGB VI) would be neglected, and reports according to § 190a SGB VI or information requests according to § 196 SGB VI would be submitted late or incompletely. The calculated risk is that the employer accepts occasional penalties for SGB VI violations as long as the overall costs are lower than the costs of fully complying with all obligations.
The different penalty ranges (theoretically) create an incentive system to not treat all obligations equally, but rather to selectively ignore those where the risk and financial burden are lowest. As already mentioned, this is a thought experiment intended to illustrate the inconsistencies. However, focusing solely on an employer ignores an even more serious problem. The differing legal norms lead to unnecessary regulatory complexity, which the legislator is precisely trying to reduce. Table 1 shows the contradictory assessment of the two standards.
| Category | Contradiction / Inconsistency | Possible assessment |
| --- | --- | --- |
| Sanctions | €2,500 (SGB VI) vs. €10,000 (SGB IX) for similar offenses | Possible violation of Article 3 of the Basic Law (principle of equality) if not objectively justified. |
| Intent / Negligence | Recklessness (SGB VI) vs. negligence (SGB IX) | Inconsistent thresholds: why is simple negligence already punished under SGB IX? |
| Administrative authority | Not regulated (SGB VI) vs. Federal Employment Agency (SGB IX) | Legal gap in SGB VI: who is responsible? |
| Use of fines | No regulation (SGB VI) vs. treasury of the administrative authority (SGB IX) | Systematic unequal treatment: why do the funds under SGB IX flow to the Federal Employment Agency? |
| List of duties | Different obligations (e.g., record-keeping only in SGB IX) | No direct contradiction, but added complexity for employers. |
To address the identified weaknesses in the example, the first step should be to harmonize the penalty frameworks for similar offenses in § 320 SGB VI and § 238 SGB IX in order to prevent regulatory arbitrage and promote uniform compliance.
That’s just an isolated case…
Unfortunately, no. Using the CASSA analysis software, we were able to identify a significant number of potential bugs and inconsistencies in the German Social Code, Book VI (SGB VI). To do this, all individual provisions of the SGB VI were broken down into their constituent parts and subjected to a multi-stage pairwise comparison. The 495 paragraphs were divided into 2,615 semantic elements. Comparing these semantic elements is mathematically complex. Theoretically, this results in 3,417,805 combinations (a complete graph consisting of n * (n – 1) / 2 element pairs). The computation time and costs for this quantity are considerable. Therefore, a mathematical trick was used to reduce the number of combinations considered to approximately 25,000 element pairs. A rolling assessment was then applied to rate potential collisions between elements:
- 1 ≙ no regulatory conflict
- 0 ≙ complete regulatory conflict
The selected combinations were evaluated. Applying threshold values between 0.1 and 0.4 to the scores yields the following numbers of regulatory conflicts in the German Social Code, Book VI (SGB VI):
- Threshold 0.1 = 92 regulatory conflicts
- Threshold 0.2 = 97 regulatory conflicts
- Threshold 0.3 = 134 regulatory conflicts
- Threshold 0.4 = 512 regulatory conflicts
Not all matches should be considered potential weaknesses: the comparison also flags differing time-related provisions, for instance rules that apply before and after a cut-off date.
It’s not difficult to imagine that with over 1,800 federal laws alone, there are a significant number of regulatory conflicts within the body of German legislation. These are all zero-day vulnerabilities in the law. The video demonstrates the density of these vulnerabilities in the German Social Code, Book VI (SGB VI), for the aforementioned threshold values.
Removing these „bugs“ from the existing legal landscape is a complex process and can only be achieved with the help of state-of-the-art computer models.
Why we need a virus scanner for laws
This example shows that laws have weaknesses that could be exploited. But why is that a problem? Because it’s not just about isolated cases, but about systemic failure.
Law is more complicated than ever before. Our legal system is becoming increasingly opaque. Social law alone comprises thirteen books, each with hundreds of paragraphs, cross-references, and exceptions. No one can fully grasp it. When even lawyers are no longer certain what applies, then we have a structural problem.
In IT, no one would run an operating system without security updates. In the legal world, the relationships between laws are often not examined – even though society, the economy, and technology are changing rapidly.
Manual inspection is not sufficient
Currently, „Law as Code“ is often understood as manually converting laws into machine-readable form. This is a first step, but far from sufficient. Human errors occur even when the best legal experts manually review and model laws. Manually converting the existing legal framework is impossible, not least because laws are constantly changing through amendments, court rulings, or new interpretations. A static translation into code would quickly become outdated and would perpetuate existing bugs while creating new ones.
Automation is the only way if we want to make law safer and more error-free. This requires automated tools, similar to those used in IT.
A „Legal Vulnerability Scanner“ can automatically check laws for inconsistencies, gaps, and outdated regulations—much like a virus scanner scans a computer system for malware. Using statistical analysis, legal texts are examined for patterns that identify weaknesses such as inconsistent fine ranges, duplicate reporting requirements, obsolete offenses, or unclear terminology. The advantage is that an initial automated review of specific areas can be completed within days, instead of taking months or years for legal professionals to translate everything manually. Dynamic analysis can test the system by simulating use cases to see how laws function in practice. For example, to examine: „What happens if an employer violates both reporting obligations (Social Code Book VI and Social Code Book IX)?“ and „Does this lead to double jeopardy—or is there a provision that prevents this?“
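The pairwise comparison with conflict thresholds described in the CASSA section above, and the scanner for inconsistent fine ranges described here, can be sketched in a few lines. This is an added example, not CASSA's code and not the page's data: the semantic elements are constructed, the same-topic pre-filter stands in for the unspecified pruning trick, and the scoring weights and the reading "score ≤ threshold counts as a conflict" are assumptions.

```python
from itertools import combinations

# Constructed sample of "semantic elements" (not CASSA's data, not the page's
# figures): each obligation-and-sanction clause reduced to comparable fields.
# "BA" abbreviates the Federal Employment Agency; "A"/"B" are placeholders.
ELEMENTS = [
    {"id": "SGB VI §320", "topic": "reporting", "max_fine": 2500, "fault": "reckless", "authority": None},
    {"id": "SGB IX §238", "topic": "reporting", "max_fine": 10000, "fault": "negligent", "authority": "BA"},
    {"id": "Z §7 (old)", "topic": "deadline", "max_fine": 1000, "fault": "negligent", "authority": "A", "valid_until": 2019},
    {"id": "Z §7 (new)", "topic": "deadline", "max_fine": 3000, "fault": "negligent", "authority": "A", "valid_from": 2020},
    {"id": "Z §9", "topic": "deadline", "max_fine": 3000, "fault": "negligent", "authority": "A"},
    {"id": "W §3", "topic": "records", "max_fine": 2000, "fault": "negligent", "authority": "A"},
    {"id": "W §12", "topic": "records", "max_fine": 20000, "fault": "negligent", "authority": "B"},
]

def complete_graph_pairs(n):
    """Comparisons without any pre-filter: n * (n - 1) / 2 (2,615 elements -> 3,417,805)."""
    return n * (n - 1) // 2

def candidate_pairs(elements):
    # Stand-in for the page's unspecified pruning "trick": only compare clauses
    # that regulate the same subject matter.
    return [(a, b) for a, b in combinations(elements, 2) if a["topic"] == b["topic"]]

def successive_in_time(a, b):
    """True when one clause merely replaces the other after a cut-off date."""
    return (a.get("valid_until", 10**9) < b.get("valid_from", -1)
            or b.get("valid_until", 10**9) < a.get("valid_from", -1))

def conflict_score(a, b):
    """Page's scale: 1 = no regulatory conflict, 0 = complete conflict.
    The deductions below are illustrative weights, not CASSA's method."""
    if successive_in_time(a, b):
        return 1.0  # pre/post cut-off variants are not weaknesses (see the caveat above)
    hi, lo = max(a["max_fine"], b["max_fine"]), min(a["max_fine"], b["max_fine"])
    score = 1.0 - 0.5 * (1 - lo / hi)                  # fine discrepancy, up to -0.5
    score -= 0.2 * (a["fault"] != b["fault"])          # differing culpability threshold
    score -= 0.2 * (a["authority"] != b["authority"])  # differing or missing authority
    return round(max(score, 0.0), 3)

def conflicts_by_threshold(elements, thresholds=(0.1, 0.2, 0.3, 0.4)):
    """Pairs whose score is <= each threshold (assumed reading of the page's counts)."""
    scored = {(a["id"], b["id"]): conflict_score(a, b) for a, b in candidate_pairs(elements)}
    return {t: sorted(k for k, s in scored.items() if s <= t) for t in thresholds}

if __name__ == "__main__":
    print(complete_graph_pairs(2615))
    for t, pairs in conflicts_by_threshold(ELEMENTS).items():
        print(f"threshold {t}: {len(pairs)} conflicts {pairs}")
```

With the constructed sample, the SGB VI/SGB IX pair scores 0.225 (fine ratio, fault standard and missing authority all deducted), the replaced-clause pair scores 1.0 and is correctly ignored, and the conflict count grows with the threshold just as in the SGB VI figures above.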
Final expansion stage: „BSI for Law“ as a central institution for legal certainty
Just as the Federal Office for Information Security (BSI) is responsible for IT security, a „Federal Office for Legal Certainty“ could review laws before their enactment. Furthermore, when implementing Law as Code, it is highly advisable to maintain a database of vulnerabilities, similar to the CVE (Common Vulnerabilities and Exposures) database for IT security gaps, to document legal loopholes. This database would document known inconsistencies, gaps, and outdated regulations, and communicate them to legislators along with proposed solutions. This would facilitate and accelerate the development of „patches“ for laws and „software updates“ for the legal system. The National Regulatory Control Council (Normenkontrollrat) could potentially serve as a starting point for such an organization.
Law is just code – and code has bugs
Using this method, a “virus scanner for law” identifies starting points for reducing bureaucracy and simplifying standards and regulations.
Law is not perfect. It contains inconsistencies, loopholes, and obsolete regulations – just like bad code. And just like with software, these weaknesses can be exploited, sometimes causing significant damage to the state, businesses, and citizens.
The good news: We have the tools to change that.
- AI can scan law much faster than any human and check it for weaknesses, just like we do with code today.
- Automated analyses can efficiently uncover inconsistencies before they are exploited.
- A „BSI for Law“ could strengthen the resilience of our legal system.
Ultimately, it’s not about replacing lawyers with algorithms, but about giving them better tools. Because if law is like code, then we should treat it like code – with all the advantages that entails: speed, precision, and scalability. Only a fully automated scan of the legal landscape, similar to a virus scanner in computer science, will allow us to lay the foundation for Law as Code. The previously advocated manual conversion of laws into machine-readable formats will fail due to scalability issues. The practical approach is precisely the opposite. First, fully automatically convert all law into an analyzable structure, identify the weaknesses within it, address them legislatively as far as possible, and only then proceed with digitization. Let’s avoid putting the cart before the horse once again.
And who knows… maybe “the next great hacker” won’t be cracking banks and terrorizing companies, but improving laws. That would be a more beneficial revolution for all of us.
Note: This text does not constitute legal advice and serves only to provide information on the topic of Law as Code.