German Court Rules That Websites Can't Retain Logged IPs

tmk writes "The local court of the Berlin district of Mitte has barred the Federal Ministry of Justice from logging IP adresses of the visitors of its website. German law prohibits storing personal data for a longer time — if not needed for accounting. German privacy activists have started a campaign Wir speichern nicht, ("we don't log your data!") which provides manuals how to turn off the IP logging on your server."

Idiocy

[giorgiofr]

My webserver == my home. You're welcome to visit, but you will obey the rules I set. If you don't want me logging you, just turn down my offer and be on your way.
Yes, this applies to everything else as well.

Re:Idiocy

[Nos.]

Sorry, but federal law trumps you. If this is the law in Germany, and you're breaking it, you're committing a crime.

Re:Idiocy

[Daimanta]

You are living in a country. You are a (permanent/temporary) guest. You have to obey by the laws of the country. If you want to keep logging you could leave the country and be on your way.

Yes, this applies to everything else as well.

Re:Idiocy

The problem is that you neither request nor inform me that you want to log my data.

Re:Idiocy

This is our country. You're welcome to operate here, but you will obey the rules we set. If you want to log personal data, just be on your way.
Yes, this applies to everything else as well.

Re:Idiocy

[Nos.]

Replying to myself... but just wanted to add, "and you live in Germany" as one of the conditions to breaking the law. Obviously if you aren't in the country, its laws don't apply (or at least have jurisdiction).

Re:Idiocy

[Obvius]

Yes, but by the time you've told me that's your policy, you've already logged me.

Re:Idiocy

[speaker+of+the+truth]

One of my rules in my home is that I can forcibly rape you. My home == my rules. The government is abusing its power by arresting me, the person knew the rules when they entered my home, not my fault they were underage or changed their mind.

Re:Idiocy

[neoform]

It should be assumed.

Do you walk in to a store and complain when you find out that your face has been recorded by a CCTV camera? Visiting a website is the online equivalent of going on to someone else's private property.

Re:Idiocy

[Blakey+Rat]

I agree. This is like saying that Caller ID should be illegal... when someone calls you, you should have no way whatsoever to find out where they were calling from. Ridiculous.

Not only that, but I think it's a bit of a stretch to call an IP address "personally identifiable information."

Re:Idiocy

[aadvancedGIR]

Anyway, did you ever visited a website that explicitly told you what data the kept on you?

Re:Idiocy

[Big+Nothing]

Yes, there's no place like 127.0.0.1

Re:Idiocy

You are living in a country. You are a (permanent/temporary) guest. You have to obey by the laws of the country. If you want to keep existing as a Jew you could leave the country and be on your way.

So Jews left, and hundreds of thousands to millions that didn't were punished. Grandstanding about how your server is "your home" is like grandstanding about the treatment of Jews while sitting safe on your couch while real men fought the real war that it took to reverse that thinking.

Re:Idiocy

[russ1337]

You are living in a country. You are a (permanent/temporary) guest. You have to obey by the laws of the country

I thought Americans were exempt from having to obey the local laws of other countries...

/facetiousness

Re:Idiocy

[fifedrum]

absolutely agree with you here, at the office, my web servers are my company's property and I'll log what the CEO tells me to log. We use the IP logs from web servers to stop 419ers and other jerks, not logging this information over the course of a few months would make our lives more difficult and let more spammers abuse our services.

just imagine what would happen if these freaks saw my mail logs, MONTHS of data gzipped with metaphorical tons of IP addresses in it. I'd get the chair.

Re:Idiocy

[denmarkw00t]

Though extreme, you could have a license (lol My House EULA), and upon entering anyone must sign and agree to the terms that "you may be raped." And while you, the homeowner, assume legal liability as far as the act of rape is concerned, a person signing this form would therby be consenting to possible rape, and since "rape is a crime wherein the victim is forced into sexual activity against his or her will, in particular sexual penetration," your contract would be sufficent enough to say that this person has agreed to the idea that they may be sexually violated. This is not rape.

Just remember: It isn't rape if you yell "Surprise!"

Re:Idiocy

[Ferzerp]

no place like local(host)?

you mean no place like ~?

Re:Idiocy

[Daimanta]

Would it be a case of Godwin's law to ask Daimanta if he agrees with Germany's use of this principle in certain other instances? That's not a helpfull question. It doesn't matter if I like the laws of a certain country. The fact is, a country can and has the power to impose the laws they deem neccesairy or just. My opinion on those laws are a matter debate, but they do not add any value. There are a ton of laws I don't agree with, but most countries simply have the power to make them and enforce them.

Same with Nazi Germany. I may not agree with their policy towards certain groups of people, but they were executed regardlessly(the fact that I wasn't born yet probably has something to do with it ;) ).

Re:Idiocy

[richie2000]

Do you walk in to a store and complain when you find out that your face has been recorded by a CCTV camera? If they don't have a sign at the door saying they have cameras? Damn right I do, as that would be an illegal practice for the store (in Sweden). Furthermore, they require a permit for the camera(s).

Re:Idiocy

[boost1]

Well, in Denmark the law requires you to state if you're recording anything, thus you would have a choice NOT to enter the shop, before you're recorded. However, I don't think I should lecture on privacy, seeing as the Danish state has just inforced a data retention law, making it neccessary for an ISP to log any information regarding all data on private lines, without properly notifying the citizens.

Re:Idiocy

[TheCarp]

Course then you can get into other weird areas.... how about brining in the concept of a "Safe word" thats a stand in for stop. Such a person could agree to participate in acting out a rape scene "with no safe word".

Then I have to wonder how the law even deals with it.

Here in MA, so I have heard, there are no provisions that allow for consensual beating. So Spanking your spouse, or beating him/her with a whip, crop, or paddle is abuse, whether its consensual or not. This is a bit of a problem for the local BDSM community which is active, but has to watch its Ps and Qs since technically, some of the things that they engage in are illegal.

I mean shit its bad enough how hard some thigns would be to explain if the police showed up at the wrong time... "its not how it looks! she wanted to be tied up, and she likes being hit with the flogger and having hot wax poured on her! Seriously!" but having it not even matter that she liked it, and came back to have me do it again after last week.... talk about a sticky situation.

Overall, I mostly agree with the "my home is my castle" concept... up to a point. That point is when you start interacting with the public. Your home may be your castle... your store? not so much. Your theater? probably not. Your externally facing webserver? only up to a point.

I think its quite reasonable to put into effect some manner of standards for transactions. Your home may be your castle... but I don't think that should mean you are A OK to make your doorbell open a trap door on the porch. Its not what your doing in your house, its how your public face interacts with the external face and what is done with the results of that interaction that I do see both a right and value in regulating.

-Steve

Re:Idiocy

[UbuntuDupe]

So the informational content of your original post was what? The TC was saying why the laws are morally wrong. Your response was ... Germany will enforce them anyway? So? How is that responsive?

Re:Idiocy

[neoform]

And what about recording your own phone conversations without the consent of the person on the other end of the line? Is that too illegal? (it isn't here in Canada, and I'm glad)

Re:Idiocy

[ACS+Solver]

Just like the sibling - yes, I would damn well complain if I "found out" - it's illegal here, too, to have CCTV recording on premises without having a clear sign to that end that is visible before you get recorded, such as on the entrance.

Re:Idiocy

[AndersOSU]

That's idiocy. Any waivers are contracts which can be broken by either party at any time. If someone signs your waver, enters your house, and finds themselves in an uncomfortable position they can revoke their consent. If they're not consenting, you're in big trouble. Hence the use of safe words in S&M situations.

If they do revoke their consent, you can ask them to leave, and call the police if they refuse, but you can't say too bad, you signed away your rights, I'm going to do as I please.

Re:Idiocy

[brunascle]

it's not uncommon. if they have it, it'll be in the privacy policy page.

Re:Idiocy

[fbjon]

Going to a webserver is the same as going on to someone's publicly available private property. Moreover, CCTV images are useful for security, but they're highly unlikely to be retained for arbitrarily long times.

In effect, what the German law says, is that if you open up a public space on a website, you must also allow for some personal privacy for the visitors there. As a visitor, I find such protection entirely reasonable and agreeable.

Re:Idiocy

[Bert64]

Stores are required to have a sign, clearly visible *BEFORE* you enter the store (or before you enter any outside area which is visible from a camera) declaring the presence of cameras.
You are free to read this sign, and refuse to enter the area covered by the camera.

Similarly if a company wishes to record a phone call, they must announce their intention to record the call upon answering and before you have opportunity to say anything (or before the recording equipment is turned on)... Typically this involves a recorded message before you are forwarded to an operator or any kind of interactive system.

Re:Idiocy

[Bert64]

In the UK you must inform the other party that you intend to record them *before* you record anything...
This is usually achieved by playing a recorded message before forwarding the call to an operator or interactive automated system (thus the caller hasn't had opportunity to say anything yet).

Re:Idiocy

[Bert64]

Well, but that's a law REQUIRING them to do it...
Therefore the mere existence of this law is notification enough.
Better to know that they will log, and be vigilent, than to not know for sure and get caught out.

Re:Idiocy

Bull - a web-site is public, not private.
If you want it private, password protect it, require a TOS, and log only authenticated users.
Your argument is totally fallacious.

Re:Idiocy

[Bert64]

If the law states that you cannot log IP addresses, and your CEO tells you to log them anyway you are well within your rights to refuse and he has no legal comeback, no employer can request you to break the law, by asking you to do that it is your employer that is breaking the law and it is your duty to refuse. Any problems that occur as a result of complying with the law are simply costs of doing business that you cannot avoid short of moving to a different jurisdiction. Just like Tax is a cost of doing business, and many companies move to various tax-havens where the laws tell them to pay a lower amount of tax.

Re:Idiocy

[Bert64]

There are many laws that I and many other people personally disagree with, in many countries. Your example is far more extreme than most, but it still doesn't give you the right to simply ignore these laws.
Sovereign nations have the right to create and enforce any laws they choose. If other countries disagree strongly enough with these laws, then they will grant you asylum if you choose to leave, and if enough of the population disagree strongly enough with the government they will attempt to overthrow the government.

Re:Idiocy

[Bert64]

Governments don't have to make their laws "morally right"... They just need to be able to enforce them, and that means ensuring that the people who oppose those laws are not well armed or numerous enough to remove you from government.

Re:Idiocy

[KDR_11k]

You can know it but you cannot retain the data without the explicit consent of the subject (that means being presented a page detailling what data will be stored and how it will be used that the user has to click "I agree" on, any claims you make on that page are legally binding, sharing this information to unauthorized parties, especially foreign companies, is a crime).

Re:Idiocy

[richie2000]

And what about recording your own phone conversations without the consent of the person on the other end of the line? Legal.

Re:Idiocy

Yup, your post is idiocy alright. It's the people's webserver, so the people set the rules. If you don't want to be Justice Minister/Secretary/Attorney General anymore, go ahead, make my day.

Re:Idiocy

[maxwell+demon]

So if I choose to enslave some visitors to my home, that's entirely OK, since it's my home?
Even at home you are still subject to the laws of whatever country you are in.

(And just in case someone with bad reading comprehension gets to read this post: I did not say that logging IPs is the same as enslaving people.)

Re:Idiocy

[Alphager]

And what about recording your own phone conversations without the consent of the person on the other end of the line? Legal. not in germany.

Re:Idiocy

One of my rules in my home is that I can forcibly rape you. My home == my rules. The government is abusing its power by arresting me, the person knew the rules when they entered my home, not my fault they were underage or changed their mind.

This right here is the reason I love Slashdot and have wasted countless hours here over the last ten years. On any other forum the same point would have been made with some tame, boring analogy, probably involving a car. On Slashdot we skip the car analogies and go straight to child rape. In fact I think that should be the site's new slogan: "Slashdot: We Skip the Car Analogies and Go Straight to Child Rape. Good Luck Finishing that Hot Dog."

Re:Idiocy

[WaltBusterkeys]

Actually, the legal status of recording a conversation without the consent of the other side varies by state (if you're in the US) and it obviously varies across countries. In some states it's quite illegal, in others it's quite OK.

If you're considering it, check the interwebs first to make sure that your state allows it.

Re:Idiocy

[mrogers]

Let me get this straight: sovereign governments have the "right" to create laws, people don't have the "right" to break them, but the laws don't have to be "morally right", even in the eyes of the people who make them? You have a very unusual conception of "rights" if they're not grounded in any kind of morality.

If "rights" are simply grounded in power, then surely anyone who has sufficient power to break the law also has the "right" to do so? So your conception of "rights" becomes meaningless - it's just a label for the way things are. If anyone who does anything inevitably has the "right" to do it, the concept of "rights" is redundant.

Re:Idiocy

[datadigger]

Nice article, you should read it some time. It applies to US soldiers, not US citizens. And it is not about 'regular' crime either:
Criminal issues vary, but the typical provision in U.S. SOFAs is that U.S. courts will have jurisdiction over crimes committed either by a servicemember against another servicemember or by a servicemember as part of his or her military duty, but the host nation retains jurisdiction over other crimes.
And:
... However, most crimes by servicemembers against local civilians occur off duty, and in accordance with the local SOFA are considered subject to local jurisdiction.
I must admit that USA breaks its own rules, it exempts Japan.

Re:Idiocy

[neoform]

So if I leave my front door unlocked, suddenly my house is considered "public property"? You're delusional, accessing a webserver is accessing private property.

Remember, the server is no soliciting you for information, you're soliciting the server for information, and in the process offering (freely) your IP address as well as user agent information. At no point are you ever required to give either to this private server.

Re:Idiocy

[neoform]

Why would/should it be illegal?

If I'm allowed to look at someone talking to me and hear what he/she has to say, am I not allowed to record that transaction?

Where do you draw the line as to recording?

No Video?
no Audio?
No Photos?
No Drawings?
No Writen notes?
No Mental recollection of the dialog?
No Remember the persons face?

The whole concept of denying someone the right to record personal transactions is ludicrous. If I run a website and someone access it, I have every right to record that person's IP address and hold it for as long as I want. Same goes for any personal transactions I have.

(this does not include making this information public however, that becomes a gray area)

Re:Idiocy

[vidarh]

The line is generally anything that reproduce the conversation in a way that let you prove that the conversation took place and/or it's content, which generally is taken to mean an audio and/or video recording.

Notes etc. aren't covered anywhere I know of for the same reason.

It has to do with expectation of privacy, often extrapolated from what you would expect in a face to face conversation - it's reasonably to expect that people will be able to take quite accurate notes, so it's usually legal. It's generally reasonable to assume that people aren't recording most conversations.

You could of course argue that people who have something to hide should assume they may be recorded, but often people don't realize when they are talking to someone they can't trust or they don't realize when the person on the other side may have an interest in recording. Hence the restrictions on recording in a lot of countries.

This is clearly a subjective judgment, however, and that's one of the reasons there are so many jurisdictions where it IS legal as well.

Re:Idiocy

[russ1337]

>>> Nice article, you should read it some time

Of course I did (was subject to a SOFA once myself), But O.k, I'll bite...

It applies to US soldiers...

I thought Americans overseas were all soldiers...? [/further facetiousness]

Re:Idiocy

And how is anyone supposed to know your specific rules without visiting?

Re:Idiocy

[Sancho]

Realistically, it's probably never going to matter unless you provide that recording to someone else. For example, if you try to use it in court, or send it to someone that the person knows.

You wouldn't be breaking the spirit of the law, for example, if you recorded the conversation so that you could personally refer back to it and/or transcribe it later.

Re:Idiocy

[ScrewMaster]

You do know that logging IPs is not the same as enslaving people.

Re:Idiocy

[Arancaytar]

has barred the Federal Ministry of Justice from

You are not the Federal Ministry of Justice.

Not all news posted under YRO conclude that the world is sliding towards fascism. There are actually things to cheer about, and this is one of them. It is good when the government is not allowed to log your IP.

Sheesh.

Re:Idiocy

[Meski]

So ISPs should not log ip addresses too? Let's not make this a boring argument about logging MACs, or account details, the argument obviously tends towards record companies and law enforcement not being able to request a log if it doesn't exist.

Re:Idiocy

[Bloke+down+the+pub]

Not really. Even though the physical analogy is strained a bit, a website is more like a shop or a pub - private property to which the public have access.

Re:Idiocy

So if I leave my front door unlocked, suddenly my house is considered "public property"? You're delusional, accessing a webserver is accessing private property. I guess that would depend on the circumstances. If you somehow give impression that anybody is welcome to enter freely (such as having the address published in the yellow pages), then certainly that makes your house publicly available private property. And if you are going to methodically record other people in such a place, you should be required to tell them that you are doing just that. Just like a shop is required to tell if they have recording CCTV system.

In the Internet, being linked from a public website can be considered as an invitation to enter. In that case, if you don't want to have visitors, then you need to have the door locked, you can't leave it unlocked. Same as with a shop, if a shop doesn't want anybody to enter, it can't just leave the door unlocked and without any "CLOSED"-sign visible from outside. In the web you can't have a "CLOSED"-sign in a link in somebody elses page, so the only option is to have the website with "locked door".

Re:Idiocy

[subterfuge]

If "rights" are simply grounded in power, then surely anyone who has sufficient power to break the law also has the "right" to do so?

I personally do not like it but even a cursory review of history and/or current global headlines would tend to support that statement.

First of all, morality is culturally relative: some parts of the world frown on raping 14 year old girls but in other areas its called an arranged marriage. Are you suggesting that the child in question has the power to refuse being raped if the powers that be in her tribal area make said arrangement? I'm not so sure that her having the 'right' not to be raped gives her that warm and fuzzy feeling while it is happening.

Second, 'rights' are defined by those in power [**warning** - 'Soviet Russia' meme coming...]. In Soviet Russia there existed a 'right' to free speach. What was lacking was permission to speak. Those without power can believe they have 'rights' but lacking the ability to excercise those 'rights' pretty much makes it mental masturbation.

The way a perceived 'right' actually becomes a 'right' is for enough people to agree on it and force the issue - isn't that the definition of power [having enough critical mass and/or firepower to enforce your belief]?

Sure, it sucks balls, but power is now and always has been the definer of what 'rights' the masses are allowed to have/excercise. Certain individuals may rise above what the great unwashed are allowed to do if they personally have enough clout to do so but everyone else is under the bootheel whatever power structure they live under.

= : ^ \ >

Re:Idiocy

[mrogers]

I think we need to make a distinction between (a) moral rights, (b) legal rights, and (c) illegal power. In your example of the 14-year-old girl, I'd say it's morally wrong for her to be married against her will; in some countries it's also illegal; in some of those countries it's actually prevented. Clearly I can't expect everyone to agree with my moral position, and I certainly don't expect legal or illegal power to bow to my moral sensibilities, but that doesn't stop me from saying "here is what's right, and there is what's happening, and they're not the same".

The point I was trying to make in my previous post was that if you just say "whatever happens is right" or "anyone who does anything has the right to do it" then the concept of rights becomes redundant and worthless. The value of the concept lies in its counterfactuality: rights describe a possible world, an aspiration, which doesn't necessarily coincide with the actual world.

Are you suggesting that the child in question has the power to refuse being raped if the powers that be in her tribal area make said arrangement?

Not at all. I'm saying she has the right to refuse, even if she doesn't have the power to refuse. That's my whole point: rights and power are not the same thing. To rape her would be wrong, even if you have the power to do so.

Sure, it sucks balls, but power is now and always has been the definer of what 'rights' the masses are allowed to have/excercise.

Again, the rights you have and the rights you can exercise are not the same thing. Yes, power defines what you can do, but it doesn't define what it's right for you to do. I realise that's probably cold comfort when you've got a jackboot on your neck, but in my more idealistic moments I like to think it's worthwhile to at least assert the possibility that not everything done by those in power is right.

Achtung!

[eldavojohn]

Wir wissen, daß Sie Adressen, Slashdot loggen. Dies heißt Krieg. Hans, bereiten das Virus vor! Widerstand ist vergeblich!

The Germans were dismayed to report that an 'unfortunate' side effect of this ruling is that they would have to invade Poland & France to 'liberate' their servers.

But in all seriousness, good for them. I personally think it should be left up to the administrator of the server (or whoever 'owns' the content). If you do keep it, it's evident that the government may be knocking on your door for it for (hopefully) only the most serious infractions of the law. I think making it illegal to retain this information is going a bit too far but it is better than going too far the other way. I guess it would make me feel more safe personally though I know a lot of people that would feel less safe and that's why we (I'm an American) have a government in power that is putting up more and more systems to monitor its own people.

Re:Achtung!

Doesn't Godwin's Law pretty much invalidate your entire post? Nice work!

Re:Achtung!

Mentioning Godwin's law is not funny. Get a new schtick.

Re:Achtung!

Doesn't Godwin's Law pretty much invalidate your entire post? Nice work! Maybe you should go learn what Godwin's Law actually says before you post something dumb like that.

woo!

Something out of Germany that doesn't scar the world!

Bush Administration

[registrations_suck]

Wow - Impressive. I wish whomever made this decision were in charge of things in the Bush Administration.

"we don't log your data!"

[zergl]

Actually, that seems to me like a rather dodgy translation for "Wir speichern nicht".

Just "We don't log" would suffice, imo. More to the point and a rather more literal translation (the german version never mentions the logged data) as well.

Re:"we don't log your data!"

I would translate it as "We don't save" because like you said it doesn't mention logging directly.

Re:"we don't log your data!"

[ScrewMaster]

Does that apply to Jesus? I understand he's been logging souls for centuries.

Having your cake and eating it too

[packetmon]

The local court also opposed the view espoused by operators and some data privacy watchdogs that security reasons justify a recording regime that over short periods of time maps the behavior of all Net users and allows individual users to be picked out. Are these the same security groups and watchdogs that shout "We want TOR... We want TOR" ... Funny thing is, they can use TOR which pseudo-anonymizes their identities, then cry foul... Mapping IP addresses means nothing when it comes to tracking users:

xxx.63.95.219.cbj02-home.tm.net.my - - [03/Oct/2007:08:24:32 -0500] "GET /scripts/dsphunxion.sh HTTP/1.0" 200 2227 "http://it.slashdot.org/comments.pl?sid=315917&threshold=1&commentsort=0&mode=thread&pid=20835097" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

Oh look someone from TMNET in Kuala Lumpur visited me via Slashdot. I'll teach that bastard to visit me.

echo "Can I have the name and address of the person using the IP address of 219.95.63.xxx aka xxx.63.95.219.cbj02-home.tm.net.my. They recently visited my site and did X"|mail -s Information noc@tm.net.my

Most of the information will not be obtained without warrants. Sure you can get the gist of information from a visitor, but detailed information requires court orders in most countries. On the other hand, this means I can now run all sorts of HTTP based exploit scanners against German hosts and legally they can't do anything if they see entries in the access_log. How stupid is that. Then again, this is the country that bans security tools

Re:Having your cake and eating it too

[emj]

Lets say you log all connections done in bittorent and then match them against the people logging in on your government site looking for jobs.

Re:Having your cake and eating it too

[packetmon]

Irrelevant... Unless you have a static address there is no way to differentiate who was behind that address. Even WITH a static address there is nothing to say it was you behind a machine

Re:Having your cake and eating it too

[megaditto]

Not just address. You get things like browser id, accept formats, OS, and a bunch of other stuff that, taken together, is pretty unique to the system. It could be simple things such as email traffic, or those 5 tabs that auto-load all at once whenever you start your browser.

If you are not a super-secretive computer freak, then just by looking at your TCPIP traffic in toto I can tell exactly who you are. And even if you are a paranoid privacy nut, I still can tell who you are based on how you are probably the only person in your neighborhood that has 5 concurrent ssh streams or port 80 traffic to non-web hosts, or whatever.

Re:Having your cake and eating it too

And how exactly is an employer going to get that data?

Re:Having your cake and eating it too

[jamar0303]

OUh huh... I'd like to see that in action.

Re:Having your cake and eating it too

[nospam007]

        echo "Can I have the name and address of the person using the IP address of 219.95.63.xxx aka xxx.63.95.219.cbj02-home.tm.net.my. They recently visited my site and did X"|mail -s Information noc@tm.net.my
__________________
No, you can't. Since the IP address isn't needed for billing purposes for out flatrate-only customers, we are not allowed to store them, sorry.

Re:Having your cake and eating it too

[Bert64]

Even with a dynamic address, you can track it to a particular customer of the ISP...
Most ISP user agreements hold the customer liable if they let someone else use their connection, willingly or not.

Conflict with logging laws?

[SmallFurryCreature]

There has been a movement to INCREASE the amount of logging going and to force ISP's to maintain detailed records for long periods of their users actions. That is WAY more intrusive then a website logging your ip. You do NOT have to go to a website, you are bound to use an ISP.

Before all the privacy loonies wake up, remember that it is perfectly normal for ALL your phone calls to be logged and it is standard practive for the police to check them, with court order, if they suspect something.

The most common example of this is a bomb threath. The police will have a record of where the call was made from.

This ruling makes this impossible to do the same with a bomb threath send over the internet. Wouldn't this ruling make even the most basic web policing, the blocking of ip adresses, impossible?

This seems like an overly broad ruling that leaves a lot of web admins in trouble because they can no longer effectively manage their servers.

Yes it is a nice counter to the european wide move to log EVERYTHING but there is such a thing as balance. Logging everything is wrong, but not being able to log anything can lead to just as much trouble.

For all the slashdot privacy nutters I ask you this. How often have you sniggered when some scumbag was traced by online activists and had his private information published on slashdot?

Re:Conflict with logging laws?

[morgan_greywolf]

This ruling makes this impossible to do the same with a bomb threath send over the internet. Wouldn't this ruling make even the most basic web policing, the blocking of ip adresses, impossible? Not that I see it. The problem is with retaining logs that are unneeded except for accounting. Keeping a few days worth of IP address logs is enough for me. If I see someone doing something malicious, I usually only need to check that days or the previous day's logs. A week would be more than adequate. So, I need to keep a week's worth of Apache access logs for accounting purposes. What's the problem?

Re:Conflict with logging laws?

[brunascle]

same.

not just for security, but for debugging purposes. without the logs, you have little evidence of what actually happened behind the scenes, which can make debugging very difficult.

Re:Conflict with logging laws?

[QCompson]

Before all the privacy loonies wake up, remember that it is perfectly normal for ALL your phone calls to be logged and it is standard practive for the police to check them, with court order, if they suspect something.

Do you do your banking by phone? How about your shopping? Do you search for answers about private medical conditions by phone? Are your sexual preferences revealed by your phone record? Are your sexual curiosities? How about your political leanings and affiliations?

I'm sure you can answer yes to a couple of the above questions. A detailed search of your phone record would reveal much about your life and likely let loose a few skeletons from the closet. However, most home internet users could probably answer yes to all the above questions. The internet is used for a much wider slice of personal life, and thus it deserves more privacy protection.

Re:Conflict with logging laws?

[sploxx]

Well, I think you gave the reasons why it is so much more important to stop the "Vorratsdatenspeicherung" (data retention).

This ruling won't stop all hosts from logging your data (the evil and foreign servers will do that anyway and won't tell anyone), and only looks like a 'privacy wins' case which can be given to the media to produce the appearence that there is progress in privacy issues in germany.

Without the mapping of IP address to a particular user, which only the ISP can do and which is -in most cases- an independent party, logged IPs are not so much of a problem, IMHO.

BUT... if the data retention laws are enacted, our government (and only our government or any corrupted bureaucrats) will be able to access all this data, and not only by kindly asking (i.e raiding) 3rd party servers which may be distributed all over the world - but by simply looking into the logs of the ISP for your sexual preferences etc.pp.

It is scary to label this as a win for privacy in germany.

Re:Conflict with logging laws?

[mxs]

To sum up ... Will somebody PLEASE think of the children ? :P

An argument can be made that IP addresses you use during surfing are data that can be tied to you personally, and as such fall under the strict privacy laws we have here. Don't like it ? Change the law, or work within it. (of course next to nobody actually cares about that law -- the logging you refer to at the ISP level is just as illegal, but has nonetheless been happening for years. DTAG, the biggest German ISP, logs customer IP addresses in violation of the data privacy laws -- they have been sued for it, and at least one customer no longer has his IP logged. Well, only that one customer, that is. Everybody else is still logged.)

You make a valid point about balance. There might still have to be a distinction between government-provided services (such as the site in question) and privately owned enterprises (equal under the law to you and me, while the government is in a clear position of power). In fact, there is; As a citizen you have considerably more power against the government than you do against private enterprise (since the Grundgesetz (our constitution) applies to the disparate legal relationship between the citizenry and the government, not between citizens as such (which corporations are a part of); the most powerful legal tools are reserved for these battles; even if the (strict) privacy laws do not apply, you can still sue based on article 2, for instance (which guarantees the right to personal freedom, an umbrella which includes the right to decide what happens with personally identifiable data about yourself).

You also seem to throw together the laws and practices of the US and Germany into one pot. I'm not certain every phone call ever made is logged here. I'd be surprised if it were, especially when flatrate-type fees are involved.

Personally I prefer tough privacy laws over mandatory data retention and the assumption of general suspiciousness for years. Wiretaps can still be ordered by the court. IMHO, the ISPs and Telcos should not be doing the policework FOR the police. It's not their job.

Web admins can still effectively manage their servers. They may not be able to log IPs for extended periods of time, but they can STILL manage their servers. They can still block IPs. They can still determine the origin of attacks as they are happening. Evidence can still be collected. However, log analysis and data retention for extended periods of time may become shady ... Of course you can evade problems in this area by effectively anonymizing the data in a way that cannot be reverted even given auxiliary data -- once that is done, the data is no longer personally identifiable and does no longer fall under the strict privacy laws.

No logging? Germany's laws makes no sense.

[Psykechan]

OK, you can't log web site visits. Heck, from this broad law I don't even think you are allowed to use tools that would allow you to log those IP addresses.

Supposedly, they even plan to send spyware to people they don't like. Who's going to perform these illegal tasks? I sure wouldn't want to apply for that position. Even if you get hired, the government could just declare you a criminal at any time.

Sounds fun.

Freedom? or Anarchy?

[El+Lobo]

People seem to cheer everytime a law helps "liberty" on the web. But is it really liberty they are promoting? Or is it anarchy? I have sympathy for those who think that not keeping the logs is good , and not having a log at all is better. I don't like either that somebody will missuse MY data (whatever that is) in this way. BUT, does it work in the real world?

What if some users are uploading/downlöoading child pornography or other illegal material? How do I track down the motherfucker? Yes, some people will say, let everyone do whatever they want... But no, laws are laws and log files are an effective (yet, imperfect) way of keeping things in order, at a minimum. Is like having a law that says that all door locks are ilegal...

Re:Freedom? or Anarchy?

[denmarkw00t]

Is like having a law that says that I am not allowed to force you to sign your name, phone and address when you enter my home.

Fixed

You see, I can lock you out of my website, I just can't log who you were. Kind of OK for keeping you out - kind of.

Re:Freedom? or Anarchy?

Yay! Anarchy!

Re:Freedom? or Anarchy?

If you can't keep a long term record of who I am, how are you going to keep me locked out?

Re:Freedom? or Anarchy?

[Neo_piper]

Maby you don't remember the flap a few years ago about the bad experation dates on some cookies on the CIA webpage but in America the government isn't even allowed to leave cookies past the current session.
Also

What if some users are uploading/downlöoading child pornography or other illegal material? How do I track down the motherfucker?

• 1.If they are only downloading then they ARE sick and need SERIOUS TREATMENT but guess what? At least they aren't hurting MORE people.

• 2. YOU don't track any "motherfucker" down. That's for police. Looks like the Lawless Wild West / Fronter Justice aspect of the Internet got to you too for a second. Imagine what would happen if someone not as restrained as you were to "stumble" across the log file of one of these web rings.

Laws aren't just to limit the Government from invading privacy but to protect us from each other as well.

Re:Freedom? or Anarchy?

[moderatorrater]

Is like having a law that says that I am not allowed to write in my journal about your visit to my home. There you go, the actual metaphor. The information is freely given, it's easily changed/hidden, and my web server can't force you or your browser to do anything. If you hand me a business card when you enter my home and my wife wants to scrapbook it, is that a privacy concern, or should you just not hand out business cards?

Re:Freedom? or Anarchy?

[KDR_11k]

Your information can only be stored with your consent. Doing something automatically without informing the subject beforehand is not allowed. Giving someone a business card is consent, as is walking past a "video surveillance ahead" sign.

Re:Freedom? or Anarchy?

[moderatorrater]

But you hand your ip address over as freely as you handed your business card over. If you don't anonymize it somehow, you're implying that you're okay with them storing your information. If you send me an email, should I need your permission to store it? Or should I strip the email address unless you say that you're okay with me storing that?

Re:Freedom? or Anarchy?

[vertinox]

But is it really liberty they are promoting? Or is it anarchy?

I dunno. Maybe because the last German leader who kept telling them to follow his will or suffer anarchy turned out to be a big douche. Some of them are old enough to remember what it was like to have no privacy (especially the East Germans).

Re:Freedom? or Anarchy?

[KDR_11k]

Anonymizing your IP is an active step. Consenting to the use of personal information is opt-in, not opt-out, there needs to be an action that is agreement and that action has to be performed after it has been announced that recording will take place if you agree. Attaching a page "Do you agree to have your IP logged?" and not logging it until the user clicks past that is acceptable, just assuming that because his computer has its default behaviour and tells you the IP that's consent gets you in legal trouble.

Re:Freedom? or Anarchy?

[SnowZero]

Your information can only be stored with your consent. Doing something automatically without informing the subject beforehand is not allowed. Sure but that raises exactly the problem GP was talking about with his metaphor. Put another way, if a coworker comes to your house for dinner, can you write about it in your diary? Apparently in Germany, you'd have to get permission from your coworker first.

Giving someone a business card is consent, as is walking past a "video surveillance ahead" sign. How about putting a link to your privacy policy on your home page? That's about as visible as a sign.

While the law seems helpful, it seems like it would create quite a few unintentional problems. A time limit (such as 18 months) would be a little easier to deal with.

Re:Freedom? or Anarchy?

[Bert64]

Frontier justice is somewhat self-policing...
Most people wouldn't be too concerned about someone who ran a stop sign, or stole a loaf of bread. The vast majority of people however, would be very much concerned about someone looking at or creating child pornography. And really, someone who's committed such a sick crime deserves more punishment than the police are allowed to hand out.

Re:Freedom? or Anarchy?

[Bloke+down+the+pub]

Anonymizing your IP is an active step.

And so is typing a url into your browser, so you can argue either way. Hopefully someone will come along with a car analogy and clear it all up..

Re:Freedom? or Anarchy?

[KDR_11k]

It's a step taken before communicating with you and knowing that you will log ("it's reasonable to expect that" is NOT an excuse). That'd be like considering dialling a number or picking the phone up consent for recording the call. An action taken prior to knowing the terms cannot constitute agreement to the terms.

Re:Freedom? or Anarchy?

[Bloke+down+the+pub]

Actually, in sensible (i.e. English based) legal systems a lot depends on reasonable expectations.

Perhaps someone should hold a large weight above your heead and release it. After all, he shouldn't reasonably expect it to fall on you, should he?

Re:Freedom? or Anarchy?

[Neo_piper]

1.You've obviously never been to any of the #chan /b boards like on 4chan, have you? That is what Fronter Justice ends up as, lowest (un-common) denominator content and DDOS-ing or gang-mailing anyone you don't like.

2.I'm really glad you aren't in charge of setting sentencing guidelines.

Re:Freedom? or Anarchy?

[Bert64]

// 2.I'm really glad you aren't in charge of setting sentencing guidelines.

Why? you plan on committing some serious crimes and want to get off lightly?

Wir speichern nicht

[junglee_iitk]

I am not proficient at German but I think "Wir speichern nicht" means "We save not" or we don't save.
Corrections?

Re:Wir speichern nicht

[gEvil+(beta)]

No no no. It means "We don't speak." It was obviously said by a group of mutes.

Re:Wir speichern nicht

[UbuntuDupe]

You're correct: "We don't save." "Speichern" is the verb German computer games use when you want to "save the game."

(OT: Many translations "overdo" what is contained in the original statement. "L'etat, c'est moi" is usually translated as "I am the state", but it should really be "The state, it's me." That would carry over Louis XIV's, and the French's acceptance of, sentence fragments and the use of the accusative with "to be". Of course, he didn't actually say that, or believe it, but whatever.)

Re:Wir speichern nicht

[KDR_11k]

Great, now I can't forget the idea of making a "Super Uncle Sam" platformer. "It'sa me, the state!"

What about logging for security purposes?

What about websites where you pay for access? A constant security problem with sites like that is stolen logins. One of the most reliable ways to track stolen logins is by logging IPs. Isn't it huge overkill to take that away from site owners?

Enforcement

[bostons1337]

It doesn't sound like this is an easy law to enforce. I mean how are you going to know if someone is logging ips on their site by seeing what the server variables are set to? But then again you can always use another tool that doesn't show up so easily. This whole thing just sounds to hard to enforce to the point where it would be effective to have the law. Its not like enforcing a parking ban or anything.

Re:Enforcement

[fbjon]

That's perhaps not the point. The law can be enforced when needed, for example if it surfaces during an investigation for some other issue.

Knock Knock

[SuperCharlie]

Who's there?

Denial Of Service Attack

Denial Of Service Attack Who?

We dont know.. we dont log that stuff..

Re:Knock Knock

[mxs]

Funny, if only it were true. The law forbids the general collection of all traffic data without due cause. It does not forbid personally identifiable logging on a case-by-case basis to resolve problems and issues.

The Germans are just weird

Germany; the land where polygonal game characters must legally have green blood!

They say logging IP addresses violates privacy but force webmasters to display an impressum giving full name and contact details. Despite this, DeNIC has it's own views on whois lookups and has long been listed over at RFC-Ignorant. IP logging is essential in reporting abuse but since they banned network security tools, I don't suppose they care about that.

There has to be some logic to all this? If they think the rest of Europe has any truck with this bullshit they're in for a major surprise.

Banlists are now illegal?

[siDDis]

As I understand this law is that my private server in Germany is now open for brute force attackers because I can't ban their ip address after 3 login failures? Heck I can't even break that law since everyone can easily tell that I'm using a ban list and just call the police.

I think someone in the German government should google brute force attacks and why ban lists are good.

Re:Banlists are now illegal?

[Opportunist]

No, but you can claim that you arbitrarily disallow the access of your resources. That's allowed. It just happens to be your IP address. Or the feds'.

Re:Banlists are now illegal?

Create a hash of the IP and store that? Just an idea.

Re:Banlists are now illegal?

Just log the attempted username, and set login attempts per username to five per minute or some similar number which a regular user is never going to hit but which is slow enough to stop brute forcing dead in its tracks (resetting all information after a successful login). Originating IP really shouldn't be your limiting factor anyway, that just means the attacker needs to throw a larger botnet at you.

Re:Banlists are now illegal?

[Bert64]

There are 2^32 potential IP addresses, thats 4294967296... And you can decrease that number considerably by removing addresses that will never appear in internet-facing logs (127.x 10.x 192.168.x, plus all the blocks currently unallocated or reserved)...
Unless the hash algorithm was ridiculously complex, it wouldn't take all that long to brute force, and a database of every possible hash wouldn't be all that big either, not relative to the rainbow tables used for common password hashing techniques.

Re:Banlists are now illegal?

[thomasdn]

There are 2^32 potential IP addresses, thats 4294967296... And you can decrease that number considerably by removing addresses that will never appear in internet-facing logs (127.x 10.x 192.168.x, plus all the blocks currently unallocated or reserved)... Unless the hash algorithm was ridiculously complex, it wouldn't take all that long to brute force, and a database of every possible hash wouldn't be all that big either, not relative to the rainbow tables used for common password hashing techniques. Then you seed each hash with a random seed?

Re:Banlists are now illegal?

[Ajehals]

If your private server hosts the Federal Ministry of Justice website and is holding data beyond legal retention limits then yeah you may have an issue. Personally the servers I have sat in Germany will continue to use IP addresses where necessary and for everything else I will continue to use anonymised data, (i.e. for trend analysis) that way I shouldn't breach either German, UK or EU privacy laws.

Re:Banlists are now illegal?

[pclminion]

Hash the addresses.

unsigned int randomness[5][256] = { Random Numbers };
unsigned int salt = rand() & 0xFF;
unsigned int hash = randomness[0][ip[0]] ^ randomness[1][ip[1] ^ randomness[2][ip[2]] ^ randomness[3][ip[3]] ^ randomness[4][salt];

Now "hash" contains a value derived from the address, but the address cannot be recovered from the value. If you're concerned about collisions, use 64-bit quantities.

The salt is probably not necessary.

Re:Banlists are now illegal?

[maxwell+demon]

IANAL, but I think if you clearly state on the login screen that IPs of failed logins are logged, and that this is in order to disable them on repeated failed logins, I think you should be safe: You stated it explicitly before actually logging (anyone who doesn't want his IP to be logged can simply refrain from trying to login if he doesn't know for sure what the username/password is), and you also stated an IMHO legitimate reason (protecting against fraudulent login).

Re:Banlists are now illegal?

[MeditationSensation]

True, but IPs don't need to be logged forever. A few days or a couple weeks should be sufficient to aid in thwarting attacks.

Re:Banlists are now illegal?

[Cro+Magnon]

I have another concern about banlists. What if I'm running a site, and I have to ban "Imma Troll" for being an @$$? I don't really give a damn who Imma is IRL, but I DO care if "Imma Nice Guy Honest", who registered 5 minutes after I banned the Troll, happens to have the same IP as the banned Troll.

All your IP

[rodney+dill]

are NOT belong to us

This isn't going to last

[Cleon]

I really doubt this is going to last, and nobody outside of Germany is going to take it seriously. Too many servers log IP addresses, if nothing else just because IIS and Apache do that by default.

Then there is the issue of competing laws. In the US, for example, federal encryption laws require IP addresses to be logged when certain pieces of software are downloaded.

Re:This isn't going to last

[Bert64]

US laws don't apply to people living in Germany, despite what a large number of americans seem to believe nowadays.
Similarly, German laws don't apply elsewhere, so you could simply host your website in another country, but you might have to go to the extent of having a foreign entity actually "owning" the site.
Hosting in Germany is expensive anyway, many German companies and individuals host their sites elsewhere already.

What about TOR?

[Luke+Dawson]

So, you can't store people's IPs on your web server, but if you operate a TOR node, you do? Or only if you are ordered to by a court?

I think I'm confused.

In Deutschland

[biocute]

In Deutschland, we do not log IPs.

Re:In Deutschland

[Epsillon]

You're just trolling for the obligatory "In Soviet Russia, IPs log you!" post, aren't you? I know your game. Well, I ain't gonna do it ;-)

Deutsche sprache, schwere sprache

[micropitt]

I think some people here got confused with the translation. It is ok to have IP's in theserver logfiles. It is not ok to store/save the logfiles with the IP's for a longer period of time.

Uh oh

[Acecoolco]

My servers are in Germany, but I will continue to log.. I am hosted on Hosteurope which is actually currently under investigation by the FBI for allowing a hole to persist in their infrastructure that allows anyone to get into any server on their network...

I already know the guy that got into my server lives in Romania, registered the domain name in Canada (Toronto), using a New York Address, with a fake credit card, and the fake business is !located in Sweden...

So, I will continue to log for security purposes..

Josh

Re:Uh oh

[EvilIdler]

Heh. That chain reminds me of a hacking attempt from a couple of weeks back.
I saw entries from Bulgarian, American and Swedish IPs. The funny thing was
the Swedish IP was a possible source/bot controller, and it was hosted in
the same server farm as mine :)

Yeah, logging is something I won't stop doing, either. Not logging IPs when
you run a server is just stupid. I thought Germany was becoming a nanny state
that wanted full control over their citizens, but now it seems the lawmakers
are simply clueless, making the most wrong choice given any number of choices.

Gotta Love the German Government.

[darthflo]

If you haven't done so yet, reading and laughing about German politics is a great idea to spend some boring office hours. American Slashdot readers may already know what it's like to have a moron rule your country, but in everything privacy-related Germany's totally unbeatable.

April 2007. A new law about data retention has just passed the german government[1]. Called "Vorratsdatenspeicherung"[2] it forces communication providers to introduce an identification liability. As an example this means no more anonymous E-Mail in Germany. IP addresses of anyone sending and accessing their E-Mail accounts must be stored and retained for a few months (6 IIRC). IIRC this also affects other types of communication, including forced storing of a web site visitor's IP address.

October 2007. A german court decides to outlaw storing of IP addresses by web pages. Anybody see a pattern here?

This is almost as absurd as a court deciding to outlaw not killing people. It may seem completely moronic, but since those guys will have better salaries than you they ARE right.

[1] http://www.heise.de/newsticker/meldung/88449
[2] http://de.wikipedia.org/wiki/Vorratsdatenspeicherung

Re:Gotta Love the German Government.

[KDR_11k]

The legislative and the judicative are not the same entity. There's a reason for that. Laws can be struck down by a court if they violate other laws.

Re:Gotta Love the German Government.

[leenks]

IP addresses of anyone sending and accessing their E-Mail accounts must be stored and retained for a few months (6 IIRC).

A german court decides to outlaw storing of IP addresses by web pages.

So... webmail?

Good and bad

[MobyDisk]

There is good and bad to this.

On the one hand, it is great to see courts telling companies that they can't store every little tidbit of information about you. Too many companies (globally) retain customer credit card numbers, addresses, etc. for longer than is required for the transaction. I just got a letter from my credit card company saying that my card may have been stolen, and they issued me a new card. But they won't tell me how they know. Most likely, one of the gzillion places that retain my CC# had a database breach.

On the other hand, IP address is not truly personally identifying information (see below), and is often necessary for proper auditing, problem tracking, etc. My employer holds the IP addresses of people who purchase our software online and what IP they login from so we can determine where to put future data centers, who is causing a problem when a server gets pounded, etc.

From the article:

"it is even today possible in most cases, without any elaborate effort being required, to identify Internet users by merging personal data with the help of third parties, The problem here isn't the keeping of IP address. It's the fact that they then contact another company and share that information. There are many little surveys that ask for seemingly non-identifying information like your postal code and age, but nothing else. Then they combine that with a shipping manifest from a partner company, then with "anonymous" info from a dating site, and they can statistically correlate it to determine a lot of personal information. So retention is slightly dangerous. But sharing is the crime.

heh

[Random832]

That "Wir speichern nicht" site makes the argument (or, appears to, based on google translation) that keeping IP addresses for a ban list isn't useful because an IP address isn't necessarily associated with a single person - yet, if you accept that argument, an IP address isn't "personal data" of any kind at all!

Re:heh

[mxs]

Your logic is fallacious.

A single IP address is not necessarily associated with a single person. Correct. A -> B. This does not imply B->A in any way, shape or form.

The site actually doesn't make that argument, however. It makes the argument that an IP address is not permanently associated with a single person and easily changed for most (most ISPs here assign you a different IP on each login, out of a pool of millions; and most ISPs here do not allow connections to stay connected for longer than 24 hours).

Furthermore, the site states the exact opposite of your assertion a few paragraphs later. IPs are, in fact, personally identifiable to at least the government, police, and intelligence agencies (as well as foreign hostile intelligence agencies and witty hackers of the legal and technical kind) since ISPs store that data (even though they are not required to (yet) and actually currently forbidden to, lawfully.

Last, but not least, your jump from "it's not exactly 1 person == 1 ip" to "it's not personal data at all" is plainly wrong. Take phone numbers as an analogy. You can clearly change phone numbers. Are they suddenly less not associated personally with you, AT ALL ? Take credit card numbers. You can have many of them, or share one with several people, or even change them once they become compromised. Does that make them any less personally identifiable ?

Illegal? Or government limitation?

[RingDev]

I'm no expert on German law, but it doesn't sound like they've made IP logging illegal. It sounds like the ruling states that the government can not retain IP info.

the local court of the Berlin district of Mitte has barred the Federal Ministry of Justice from retaining personal data acquired via its website beyond the periods associated with the specific instances of use of the site. It sounds kinda like free speech in the US. The Constitution hasn't outlawed censorship, it only bars the government from censoring(err... to some extent). So I would guess the big question is how does German's legal system work, and how does this ruling? apply to non-state actors.

-Rick

Re:Illegal? Or government limitation?

[Josef+Meixner]

It is a bit complicated. In principle the law states you are not allowed to store privacy related data without a clear cause. Just storing because you can store is not enough. Every citizen has the right to ask what data you store about him and can even ask you to delete it. Failure to do so can result in a law suite and if you store information you don't need for the agreed upon cause you will loose. That has happened to the Ministry of Justice. As German law is not based on precedent it doesn't mean anything for anybody else directly. But it can mean, you are next on the list and will face a similar law suite.

One of the problems is, I don't see, how the IP address is a privacy related data, as a normal webmaster will not be able to connect an IP of an anonymous user with the users identity. This also is only the lowest instance of the court system, but the Ministry has not appealed (for whatever reasons).

I am personally undecided about it, in principle it is correct, why does a website I once visit have to store my IP forever? Also the next target of the group which started the Ministry of Justice case is now going after the BKA (federal police), they put up an information page about an extremist group not much is known about called mg (for "militante gruppe"). Everyone who visits that page is logged and they try to connect your IP with the data they have to identify you. It seems they try to somehow find the "terrorists" that way. Don't laugh, they seem to actually believe that could work.

Re:Illegal? Or government limitation?

[tmk]

It sounds like the ruling states that the government can not retain IP info.

The law is the same for the government as for everyone else.

The bis question is: are IP adresses personal data? The court confirmed this as a fact, but The Federal Ministry and even the Bureaus for data protection have a different opinion.

If the Federal Ministry is not allowed to log IP adresses, nobody in Germany is.

Re:Illegal? Or government limitation?

[RingDev]

Ahh, thanks for the clarification. If I am understanding you correctly, the ruling, specifically applied to the ministry, was stating that IP's were covered under the existing law. So the ruling did not ban anything, it just clarified was what included in the existing ban.

-Rick

Re:Illegal? Or government limitation?

[tmk]

Yes, that is right.

Re:Illegal? Or government limitation?

[vidarh]

In principle the law states you are not allowed to store privacy related data without a clear cause. Just storing because you can store is not enough. Every citizen has the right to ask what data you store about him and can even ask you to delete it. Failure to do so can result in a law suite and if you store information you don't need for the agreed upon cause you will loose.

And for those who don't know: This is the case in all EU (and EEA) countries. It is a result of the implementation of the EU Data Privacy Directive, which is overall very good. The exact implementation vary from country to country, and the national courts interpretations of what is private data also vary, so this court decision can NOT be treated as precedent in other EU countries (not even sure if it can be treated as precedent in Germany), but the general principles apply.

However, the bar for showing you have reasonable grounds for storing data are relatively low - if you use the IP addresses for tracking down abuse of your system, for example, and you don't keep them excessively long, you're likely to be in the clear in most or all EU countries.

If you want to keep possibly personal information for a long while, your odds of avoiding problems also dramatically diminish if you reduce the scope (filter and store only information that is actually specifically relevant to your objectives, for example).

Re:Illegal? Or government limitation?

[element-o.p.]

Hmmm....I'm not sure I agree that "in principle it [the ruling prohibiting the storage of IP addresses] is correct." As a web server administrator, both professionally and at home as a hobby, I have used the logging function on my web server (and e-mail server) to either file complaints with the ISP that owns the IP address used by someone who was behaving poorly on my server or to filter IP addresses used by those who behave poorly. In my logs, I have seen people trying to run exploitable PHP scripts on my server (I hadn't enabled PHP, so there was no reason to run the scripts on my host), to browse to files on the C:\ drive (it's a *nix host; there is no C:\ drive, so again, there was no legitimate reason for anyone to try to do such a thing) and to try buffer overflow attacks. Having an IP address, a date and an accurate time stamp will allow the ISP to contact their user and "encourage" them to knock it off. Without the IP address, it is impossible to know who to blacklist or who to complain to, so I for one would be loath to turn logging off.

Re:Illegal? Or government limitation?

[Josef+Meixner]

owever, the bar for showing you have reasonable grounds for storing data are relatively low - if you use the IP addresses for tracking down abuse of your system, for example, and you don't keep them excessively long, you're likely to be in the clear in most or all EU countries.

In the ruling this story is about it explicitely mentions that case and dismissed it. You are supposed to first have evidence that shows, that logging of the IP could help. Then you are only allowed to log that specific violating IP and have to even delete the logs as soon as you are done. The court explicitely said no keeping beyond the time needed to service the user. If your service doesn't need the IP (that means if you can not prove that the IP is needed for the service) you are not even allowed to log it at all. At least that is, what that ruling says.

Re:Illegal? Or government limitation?

[Josef+Meixner]

That is where the "in principle" comes from. But your case is hampered by the same law here in Germany. An ISP may only store privacy related data when it needs it. The mapping IP->customer is obviously privacy related so on a flat rate the provider has to delete that data as soon as the connection is terminated. And yes, this has been tested in court and not only the lowest, but up to the highest court. Currently 7 days is considered tolerable, but the same group which reached the ruling in the story tries to also get the 7 days down to 0.

What that means for the impeding recording of all connection data for 6 months by ISPs which is now also law is still unknown. It seems as if from January 1st one law says an ISP has to log everything and keep it for 6 months, the other outright forbids it. Against that later EU law (which was adapted into national laws by most member states of the EU) Ireland has appealed to the EU court, outcome unknown.

Someone tagged this "!nazi"...

[TheVelvetFlamebait]

I beg to differ. I have it from a reliable source that the Nazi's didn't log IPs either! The German government is *clearly* evil.

Don't mess up with the context.

[burni]

The context is that the http://www.bmj.bund.de/ ( german version of the DOJ )
started to log ip-addresses of people who had accessed public information dealing with
a terrorist group called "millitante Gruppe".

(
"Militante Gruppe" / ('militant group')

- german leftist/communist/(anarchist?)
- anti-global

terror group

till now no human causalties were recorded, terrorist actions mostly targeted unmanned police cars, or cars of right winged politicans in the city of Hamburg, using molotow cocktails,

The BKA ( german version of the FBI ) is investigating the incidents since 2001,
and they lack in information.
)

The information was placed intended to inform the public about the signs of identification the
group has been used in the past, to engage whistleblowers who may have recognized suspicious things helping the police to identify the persons behind this terrorist group.

But in contrast the visitors ip's were logged and further investigation was done by the 'BKA',
this includes identify the persons which accessed the page using their ip addresses,
with no further evidence such as visiting a governmental public information site,
such actions probably are illegal.

From the judgement were some non-offical guidancelines derived,
I will try to translate them as properly as I can.

The judgement deals not with IPs in detail, there is a term
"Internet-Nutzungsdaten" this can also be a profile of use,
and the german privacy laws try to protect the people from
being tracked, and so profiled.

GER Leitsätze (nicht amtlich):
ENG guidancelines ( non offical ):

a.)
GER Anbieter von Telemedien im Internet dürfen nicht systematisch die Kennungen (IP-Adressen) GER der Nutzer ihrer Dienste protokollieren.

ENG Provider of internet content and service shall not log signs of identification (ip-addresses)
ENG of users systematically.

b.)
GER Zur Entscheidung von Streitigkeiten über die Verarbeitung von Internet-Nutzungsdaten durch GER eine öffentliche Stelle ist die ordentliche Gerichtsbarkeit berufen.

ENG Anytime an offical judge must decide in disputes concerning the processing of
ENG  ?InternetUserProfilingData? through a governmental organisation

c.)
GER Kann zwar nicht die speichernde Stelle, aber ein Dritter eine Angabe der Person des
GER Betroffenen zuordnen, so ist das Datum personenbezogen.

ENG If the Content Provider (logger) is not able to resolve the person of interest through the IP
ENG but a third person (ISP) is able to do so, the date is also to be recognized as personal data

NONTRANSLATIONJUSTMYSAYING  .. and so shall not be logged at all.

GER Die von einem Internet-Zugangsanbieter temporär zugewiesene Internetkennung (dynamische IP-GER Adresse) stellt nicht nur für den Internet-Zugangsanbieter, sondern auch für Anbieter von GER Telemedien im Internet ein personenbezogenes Datum dar.

ENG The dynamic IP address assigned by the ISP, is to be treated as personal data,
ENG for both the ISP and the content provider,

????? it can be seen as a personalised private date/datum.

From my point of view - I'm not a lawyer - but I understand a.) as if you recognize
missuse you are allowed to log the data of the missusing parties,
it's just not allowed to log and store every access over the
period of use ('.. dürfen nicht systematisch ..')

Re:Correction

[burni]

b.)
GER Zur Entscheidung von Streitigkeiten über die Verarbeitung von Internet-Nutzungsdaten durch GER eine öffentliche Stelle ist die ordentliche Gerichtsbarkeit berufen.

ENG Anytime a governmental organisation wants to process IP/User-logs,
ENG a judge has to decide whether or not they are allowed to do so.

Germany is bizarre

On the one hand they are enacting all these laws for snooping on the population and weird copyright laws and all that, then on the other they're doing stuff like making it illegal to record user data.

WTF are they doing over there?

BitTorrent

[Hanners1979]

Time for major BitTorrent trackers to start moving to Germany I guess - A good excuse not to log IPs and user details is exactly the kind of loophole they've been looking for to keep the RIAA and MPAA at bay.

Re:BitTorrent

[burni]

Well before you make such a decission, I should mention that in germany even a bittorrent link is seen as a copyright violation ?

So a BT-tracker is a utility for copyright infrignment, even if you don't need to log
your users data, you are simply not allowed to provide such a service in germany.

Re:BitTorrent

host the torrent search engines somewhere else. Just put the tracker in germany

Re:BitTorrent

[eclectist]

Exactly. I read this and immediately thought - "Wow, Germany now becomes the national equivalent of a proxy. I guess 'torrent will survive after all.' Snark aside, If you don't have to log IP addys, awesome. If you can't log IP addys, uh, wha..?

an IP address isn't

[oliverthered]

an IP address isn't useful on it's own, but with a time stamp it could be used to identify at least a users home address. It's still not useful for identifying the person because there pc could be hacked, but try telling that to the police when they come banging on your door asking you about kiddie porn or terrorist activities.

how about logging ip for security concerns..

[josepha48]

like tracking someone who is trying to attach or hack your server, or DOS attacks. I don't see a problem with IP Address logging. I think it is necessary these days. If you want privacy, stay home.

What about Wikis?

[sufijazz]

Wikipedia logs IP addresses - heck, that's one way they make sense of who is doing what. Does this mean all wikis based on MediaWiki will not be allowed in Germany?

No legal consequences for others... yet

[r3f4rd30n]

It has to be noted that this decision does not necessariliy affect anyone apart from the parties involved in that particular case. German courts are not bound to decisions other courts made; there is no such thing as 'case law' in the german legal system. I'm pretty confident that 'regular' logging will continue to be alright; the analysis of user behavior is the critical fact here, at least that's how I read it. Still, every single law concerning the internet seems to be utter nonsense as of late; however, since noone in the government seems to understand how that whole computer-thingy works, that's hardly surprising. And on a sidenote: The Grundgesetz (*) states in article ten that "The privacy of correspondance, posts, and telecommunication shall be unviolable" - so far so good, however that does only affect the relationship between people and the state, not purely private relationships. I'm in law school, and I recently learned that the "Article 10 is not that important anymore since the Dt. Post and Dt. Telekom became private corperations and are not directly controlled by the state anymore." * http://www.bundestag.de/htdocs_e/parliament/function/legal/germanbasiclaw.pdf

Re:No legal consequences for others... yet

No, I think the BDSG is more relevant here:

http://www.gesetze-im-internet.de/bdsg_1990/

But you're right, this ruling only applies to this case: a public entity. Private entities have completely different rules.

Re:No legal consequences for others... yet

[mxs]

You recently learned wrong, however. It doesn't matter whether DTAG or Deutsche Post are private enterprises or not; article 10 still applies. Without a law allowing it or a corresponding court order, government officials still cannot go to the Post, open your letters and read them. Article 10 still prevents them from doing that. The German state remains a substantial shareholder in both DTAG and Post, as well. Also, even the private enterprise Deutche Post (and its competitors) are bound by the Postgesetz (as is the DTAG and its competitors by similar laws) which codifies pretty much the same -- i.e. even the private enterprise Post cannot legally read your mail or collect information on your mailing behavior. (See 39 PostG, for instance).

Furthermorse, it's not article 10 that is in question here -- it's the BDSG. We don't need case law for what you describe to still be illegal; the BDSG is pretty clear on what it considers personally identifiable data. While no case law exists, judges are still free to look at other decisions and interpretations.

"I'm pretty confident that 'regular' logging will continue to be alright; the analysis of user behavior is the critical fact here, at least that's how I read it." -- how you read what ? Have you READ the BDSG ? Have a look at http://www.gesetze-im-internet.de/bdsg_1990/index.html ... Analysis of user behavior is not a valid reason to log personally identifiable information as per the law.
There's an old saying "Wo kein Kläger da kein Richter", though. People don't usually sue Joe Sixpack Webmaster about this stuff.

Some laws proposed recently are silly, I agree. The BDSG is not one of them. The now infamous Hackergesetz, however, is.

Torrentspy...

[Nom+du+Keyboard]

Torrentspy, welcome to your new home!

Nope*

[Ajehals]

That would be "Wir sprechen nicht"....

* the reason for this comment is that I actually read it as such initially
and thought that not speaking about something may not be the best way of
advocating anything, as for "Wir speichern nicht" wouldn't the closest
translation be we don't store? Although without specifying what.. - By the way did I
miss a joke?

"longer period" == longer than 0 seconds

[3247]

No, they weren't wrong.

"Longer period of time" means "longer than absolutely necessary to provide the service". If the visitor's browser closes the HTTP connection, you no longer need the IP address. In effect, this means no logging. netstat is ok, though.

Re:"longer period" == longer than 0 seconds

[Guspaz]

Except if you run netstat, hey look, that IP is now stored in memory until you clear the console buffer. Wups, can't keep the IP around, better not run netstat anymore.

Public != Private

Please everyone, calm down. The Germany Privacy Laws are extremely different when applied to public institutions as they are to private. Basically, the State has very little power to keep personal data. This is a good thing. Companies have a completely separate set of laws, but any company that can identify who the IP address belongs to, will probably also have to anonymise or delete the logs.

Personal information?

Since when is an IP address personal information?

I'm all for limiting the extent that organizations must limit their holding of personal information, but an IP address? This is going too far. Makes no sense.

The Privacy Solution

[superbrose]

One of the problems is, I don't see, how the IP address is a privacy related data

In theory you can use the IP address together with the time of visit to determine where the visitor came from, provided that you can follow the IP address all the way to its origin. Needless to say this can be difficult, especially if the visitor used a proxy or even a chain of proxies.

If storing IP addresses is considered a privacy violation, then what about cookies? And what about forums, after all they store and display messages from users, normally together with the user alias for god knows how long!

In the interest of everyone's privacy, it's about time to make the Web 2.0 illegal, and indeed databases of any kind should be banned! Or alternatively, since only the government and fraudsters might be interested in using your private data, how about banning these groups from having webservers? :-p

Re:The Privacy Solution

[Josef+Meixner]

If storing IP addresses is considered a privacy violation, then what about cookies? And what about forums, after all they store and display messages from users, normally together with the user alias for god knows how long!

If the cookie is necessary for the service you provide and you have a declaration of what information is contained in the cookie, how long you retain the information and allow a user to delete all privacy related information, then you are allowed to use a cookie. If you use it to track users I would say you might be in problems, but I am not entirly sure, because, at least in theory, you can deny accepting a cookie and delete it. That is not possible with your IP in a logfile. I am no lawyer, this is only how I understand the law in that area.

Forum postings are not privacy related data, as you had to agree to them being shown to the public, if not explicitely then implicitely, as a user posting in a forum can be assumed to know, that a posting will be public.

In Soviet Russia

[LordEd]

In Soviet Russia, IPs log you!

Germany should start their own internet

[thasmudyan]

This is just the latest event in a long series of Germany's attempts to completely regulate any internet activity whatsoever. Germany, which is already not exactly the epicenter of CS innovation, is pushing itself further and further away from reality and relevance. This is following the decades-old scheme of legislating their citizens into submission by what you could call an eloborate undertaking to ensure that nobody can actually live a life that is fully in compliance with the myriad of provisions and laws that rule every day life.

As a German myself, I really don't have an answer as to why this is happening. Sure, there are some hints: We are talking about a culture that has been very hostile towards any change and innovation for a long time now, while at the same time the majority of the people feel oddly comforted by the myriad of confusing laws and provisions that govern all aspects of everyday life. Recently, the people in their enduring wisdom have elected the conservative party to run the country, after a mildly progressive initiative of reform and adaption to the developments of the new century got the old (politically centered) government kicked out of their jobs.

If Germany stays on this course, we are going to become even more irrelevant than we already are. Sadly, laws once issued are rarely revoked at any time in the future, so the only way for Germany is down I'm afraid.

And yes, I believe what you do on your own webserver is nobody's damn business except your own. Every site collects IP addresses and most don't use them at all except for statistics because - hot tech news here - IP addresses are virtually useless! Maybe it's time for Germany to start their own internet instead of trying to convert the existing one to correspond to their views. Heck, they could do that in an alliance with right-wing media companies in the US, the Chinese firewall people and those crazy sheikhs in Saudi Arabia - I think it'd be a good match!

Re:Germany should start their own internet

[laejoh]

Funny, as the internet is a network of networks...

Uh what?

This is soooooooooooooooo old. Really. That legislation has been active for quite some time now. The Heise.com article displays it as something new. It is *NOT*. That's general law in Germany. POINT.

Torrentspy.com should move there

[jonwil]

Then the MPAA wouldn't be able to force them to turn on logging and capture the information (unless they are able to force changes in German privacy law that is)

enough with Godwins law already!

the entire resurgence of white supremacy groups, reactionary rebirth of GOP'ers and the reinvigorated Klan owes their thanks to Godwins law and its usefulness in disassociating modern day extremist opinions from their philosophical birth in 1940's Germany. Its because of Godwin that freedom lovers and those who care about all that is good all over the world are the victims of hatecrimes and genocide and the very offering of this law by Godwin has resulted in suffering that has far exceeded any good that Godwin has done since or will ever be able to do for that matter. Were Godwin to perish tomorrow, he surely should be sentenced to an eternity of infinite Hitlers and Nazi memorabilia and we all hope he will be sodomized forever with latex appliances worn by Goebbels oversized Vichy-French poodle.

Think of it, Mike Godwins casual little jest offered in 1990 has in its relatively short lifetime freed enough bigotry and hatred resulting in easily the death of several hundreds of millions the world over, and nothing Mr. Godwin has or will ever accomplish in his lifetime will come close to righting the wrongs caused by his cute offhand little joke, and nothing he can ever say or do will ever quiet the screams from the grave, forever calling for justice and Godwins repentance until the end of time.

I say call a Hitler a Hitler whereever you see one, Godwin be damned!

Who the hell edited this piece?

[Arancaytar]

This is the first time I've been angry at the Slashdot editors (so I'm kind of a newbie). The title of this article is not only misleading but a bald lie. A federal court barred its own ministry from violating your privacy.

As an example of what other laws have to be followed by the government, but not by its citizens, look no further than website accessibility. Have you ever been told that your blog (or even your online shop) was violating the law because its horrendous HTML+Javascript doesn't even show up on lynx, let alone screen readers or Braille displays? (Assuming for the moment this is true, which it hopefully isn't.) Government websites have to follow accessibility standards for disabled viewing.

"If they allow it, we become a surveillance state, if they outlaw it, we become a police state." This stance is ludicrous - decide! If you are a privacy advocate, this article is one of the ones you cheer about, not rant about encroaching fascism.

IP == personal data?..

[Mondor]

While I do understand that things like passport number can be considered as personal identification information, I wouldn't say that about IP address.

While I am holding a static IP address, I am not owner of it, I am just leasing it for a particular time (theoretically, while the contract with my ISP lasts, but ISP can change it any time). Of course my passport also is a property of the state, but at least there will be no other passport with the same number belonging to other person. ISP technically could use my IP however and whenever he wants I wouldn't even know.

So I believe the article describes two stupidities of German judge - considering the IP address a personal data and disabling logging. Probably will be canceled after German websites fall under unmonitored attacks.

Ob: Godwin

[Hognoxious]

Anybody would think they won.

Re:Datum

Datum in this context does not mean date (as in "point in time") but rather a single entity of data.