Slashdot Mirror


German Court Rules That Websites Can't Retain Logged IPs

tmk writes "The local court of the Berlin district of Mitte has barred the Federal Ministry of Justice from logging IP addresses of the visitors of its website. German law prohibits storing personal data for a longer time — if not needed for accounting. German privacy activists have started a campaign Wir speichern nicht, ("we don't log your data!") which provides manuals on how to turn off the IP logging on your server."

4 of 176 comments

  1. Deutsche sprache, schwere sprache by micropitt · · Score: 2, Informative

    I think some people here got confused with the translation. It is ok to have IPs in the server logfiles. It is not ok to store/save the logfiles with the IPs for a longer period of time.

  2. Don't mess up with the context. by burni · · Score: 3, Informative

    The context is that the http://www.bmj.bund.de/ (German version of the DOJ)
    started to log IP addresses of people who had accessed public information dealing with
    a terrorist group called "militante Gruppe".

    (
    "Militante Gruppe" / ('militant group')

    - German leftist/communist/(anarchist?)
    - anti-global

    terror group

    till now no human casualties were recorded, terrorist actions mostly targeted unmanned police cars, or cars of right-wing politicians in the city of Hamburg, using Molotov cocktails.

    The BKA (German version of the FBI) has been investigating the incidents since 2001,
    and they lack information.
    )

    The information was placed there to inform the public about the signs of identification the
    group has used in the past, to engage whistleblowers who may have recognized suspicious things, helping the police to identify the persons behind this terrorist group.

    But in contrast the visitors' IPs were logged and further investigation was done by the 'BKA',
    this includes identifying the persons who accessed the page using their IP addresses,
    with no further evidence such as visiting a governmental public information site,
    such actions probably are illegal.

    Some non-official guidelines were derived from the judgement,
    I will try to translate them as properly as I can.

    The judgement does not deal with IPs in detail; there is a term
    "Internet-Nutzungsdaten", which can also be a profile of use,
    and the German privacy laws try to protect the people from
    being tracked, and so profiled.

    GER Leitsätze (nicht amtlich):
    ENG Guidelines (non-official):

    a.)
    GER Anbieter von Telemedien im Internet dürfen nicht systematisch die Kennungen (IP-Adressen)
    GER der Nutzer ihrer Dienste protokollieren.

    ENG Providers of internet content and services shall not log signs of identification (IP addresses)
    ENG of users systematically.

    b.)
    GER Zur Entscheidung von Streitigkeiten über die Verarbeitung von Internet-Nutzungsdaten durch
    GER eine öffentliche Stelle ist die ordentliche Gerichtsbarkeit berufen.

    ENG Anytime an official judge must decide in disputes concerning the processing of
    ENG ?InternetUserProfilingData? through a governmental organisation

    c.)
    GER Kann zwar nicht die speichernde Stelle, aber ein Dritter eine Angabe der Person des
    GER Betroffenen zuordnen, so ist das Datum personenbezogen.

    ENG If the Content Provider (logger) is not able to resolve the person of interest through the IP
    ENG but a third person (ISP) is able to do so, the date is also to be recognized as personal data

    NONTRANSLATIONJUSTMYSAYING  .. and so shall not be logged at all.

    GER Die von einem Internet-Zugangsanbieter temporär zugewiesene Internetkennung (dynamische
    GER IP-Adresse) stellt nicht nur für den Internet-Zugangsanbieter, sondern auch für Anbieter von
    GER Telemedien im Internet ein personenbezogenes Datum dar.

    ENG The dynamic IP address assigned by the ISP is to be treated as personal data,
    ENG for both the ISP and the content provider,

    ????? it can be seen as a personalised private date/datum.

    From my point of view - I'm not a lawyer - but I understand a.) as: if you recognize
    misuse you are allowed to log the data of the misusing parties,
    it's just not allowed to log and store every access over the
    period of use ('.. dürfen nicht systematisch ..')

  3. Re:Illegal? Or government limitation? by Josef+Meixner · · Score: 3, Informative

    It is a bit complicated. In principle the law states you are not allowed to store privacy-related data without a clear cause. Just storing because you can store is not enough. Every citizen has the right to ask what data you store about him and can even ask you to delete it. Failure to do so can result in a lawsuit and if you store information you don't need for the agreed upon cause you will lose. That has happened to the Ministry of Justice. As German law is not based on precedent it doesn't mean anything for anybody else directly. But it can mean you are next on the list and will face a similar lawsuit.

    One of the problems is, I don't see how the IP address is privacy-related data, as a normal webmaster will not be able to connect an IP of an anonymous user with the user's identity. This also is only the lowest instance of the court system, but the Ministry has not appealed (for whatever reasons).

    I am personally undecided about it, in principle it is correct, why does a website I once visit have to store my IP forever? Also the next target of the group which started the Ministry of Justice case is now going after the BKA (federal police), they put up an information page about an extremist group not much is known about called mg (for "militante gruppe"). Everyone who visits that page is logged and they try to connect your IP with the data they have to identify you. It seems they try to somehow find the "terrorists" that way. Don't laugh, they seem to actually believe that could work.

  4. Re:Illegal? Or government limitation? by vidarh · · Score: 2, Informative

    "In principle the law states you are not allowed to store privacy-related data without a clear cause. Just storing because you can store is not enough. Every citizen has the right to ask what data you store about him and can even ask you to delete it. Failure to do so can result in a lawsuit and if you store information you don't need for the agreed upon cause you will lose."

    And for those who don't know: This is the case in all EU (and EEA) countries. It is a result of the implementation of the EU Data Privacy Directive, which is overall very good. The exact implementation varies from country to country, and the national courts' interpretations of what is private data also vary, so this court decision can NOT be treated as precedent in other EU countries (not even sure if it can be treated as precedent in Germany), but the general principles apply.

    However, the bar for showing you have reasonable grounds for storing data is relatively low - if you use the IP addresses for tracking down abuse of your system, for example, and you don't keep them excessively long, you're likely to be in the clear in most or all EU countries.

    If you want to keep possibly personal information for a long while, your odds of avoiding problems also dramatically diminish if you reduce the scope (filter and store only information that is actually specifically relevant to your objectives, for example).