Slashdot Mirror
German ISP Forced To Delete IP Logs
An anonymous reader writes "A German federal court decided today that T-Online, one of the largest ISPs in Germany, was obligated to delete all IP logs of a customer upon request to guarantee their privacy. From the article: 'The decision (German) does not mean that T-Online is now obliged to delete all their IP-logs, the customers first need to complain. But, if they ask T-Online to delete their IP-logs, the ISP has no other choice than to comply. A lawyer from Frankfurt already sketched a sample letter (German) to make this process easier.'"
I'm not an admin, and never have been so I'm working on ignorance here. But my question is, why bother with long term logs anyway? I understand a need to keep logs of activity for a week or so to deal with various attacks, zombie machines, etc, but why not set the logs to automatically wipe anything past that point? I can see maybe going nasty and selling it to advertisers, but other than stuff like that is there a use?
"Mission Accomplished" -- George W. Bush May 1, 2003
It should work in Australia. Privacy laws here state that:
- If I ask a company operating in Australia what information they have about me, they are obliged to tell me
- If I ask where they got this information, again they must answer
- If I ask the same company to remove such records, AFAIK they must, though there are reasonable exceptions to this one. (e.g. if i've done business with them, they have to keep financial records. if it's my bank, they might have to cancel the mortgage to comply..)
- Companies operating here are not supposed to pass on private information without consent, which is why so many competitions and things have clauses in tiny writing to get your consent.
-- All your bass are below two Hz
I think the "why" comes down to constitutions, and this serves as a good example of why constitutions (and good constitutional adjudication) are so important. I'm not sure about the extent to which you can say the German government supports privacy because it thinks it's an inherent good. The German constitutional court has for decades recognised a strong right to "informational self-determination" in the German constitution. This right applies pretty much whenever individualised data is being collected (and sometimes even more broadly - e.g. this is why there aren't CCTV cameras everywhere in Germany, c.f. your average English High Street). Compare this to England, where there is absolutely no legal tradition of a right to privacy (even the European Convention on Human Rights, which the UK is obliged to comply with, has had scant effect on this).
The US is somewhere in between. Sure, the US constitution contains what has for the best part of a century now been recognised as a right to privacy, but the Supreme Court put a wall up around this in the 1980s by saying that surveillance of the kind that would be possible with the naked eye in a public street is constitutionally ok (after all, a Police officer standing there 24 hours a day, 7 days a week could observe that stuff, right). Not really an apt comparison for the purposes of IP logging, but demonstrative of the failure of the US courts to keep up with the pace of change.
As with any other business you deal with, the difference between "monitoring customers" and "keeping business records" gets a bit blurry. A plumber keeps a "log" of whose house he visits, what he does in each house, what materials he uses, and how much he charges each householder. He probably calls this log a "receipt book". Obviously this book is unlikely to contain evidence of a crime, but that's due to the different nature of the plumber's business, not the fact that he keeps logs.
The main problem, as I see it, is that a huge load of users will be infected by malware, which is used to spam. If these same users have requested that all their IP logs should be deleted after disconnect - things get rather tricky.
.. waits .. and then starts spamming? Pretty damn difficult to track down if a lot of users have requested that their IPs should not be logged.
.. and so forth).
Also, what if a spammer signs up, requests all logs to be deleted
On the other hand, I hate that the spam problem should be solved by violating privacy. It was all okay for me when ISPs logged what they wanted, but didn't hand it over to anyone except when they found it necessary to investigate something themselves - due to complaints which would hurt the ISP itself (i.e spammers.. RBL's
Disclaimer: By "logs" I don't mean record of what web sites were surfed and what files downloaded, I mean record of what customer had X IP address at Y time.
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
Have you ever seen a linux logfile? Especially if you have iptables turned on and fairly restrictive on a public-facing ip...... Each line a couple hundred characters and the files get very huge very fast. You're also assuming the customer is only being logged for something like a ppp connect/disconnect... Many protocols (IMAP forinstance) have 5-10 lines for each connection, and then mmore during transfers and idles, depending on your log level. It's conceivable to have several gb a day for even an extremely small IP. If they were hosting a handful of ginormous sites, replete with services (IMAP, SMTP, NNTP, RADIUS (for 802.11 or other), HTTP and others), the logs would be well beyond the simple calculation you're discussing.
Sounds very similar to the case of Landmark Education misusing the DMCA to issue subpoenas against Internet Archive, as described at
a ndmark_Forum.avi
http://www.eff.org/legal/cases/landmark/
The video in question can be downloaded on BitTorrent at
http://thepiratebay.org/tor/3537369/2003_Inside_L
Sorry for reading TFA...
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."