German Court Rules That Websites Can't Retain Logged IPs
tmk writes "The local court of the Berlin district of Mitte has barred the Federal Ministry of Justice from logging IP addresses of the visitors of its website. German law prohibits storing personal data for a longer time — if not needed for accounting. German privacy activists have started a campaign, Wir speichern nicht ("we don't log your data!"), which provides manuals on how to turn off the IP logging on your server."
My webserver == my home. You're welcome to visit, but you will obey the rules I set. If you don't want me logging you, just turn down my offer and be on your way.
Yes, this applies to everything else as well.
Global warming is a cube.
There has been a movement to INCREASE the amount of logging going on and to force ISPs to maintain detailed records for long periods of their users' actions. That is WAY more intrusive than a website logging your IP. You do NOT have to go to a website, you are bound to use an ISP.
Before all the privacy loonies wake up, remember that it is perfectly normal for ALL your phone calls to be logged and it is standard practice for the police to check them, with court order, if they suspect something.
The most common example of this is a bomb threat. The police will have a record of where the call was made from.
This ruling makes it impossible to do the same with a bomb threat sent over the internet. Wouldn't this ruling make even the most basic web policing, the blocking of IP addresses, impossible?
This seems like an overly broad ruling that leaves a lot of web admins in trouble because they can no longer effectively manage their servers.
Yes, it is a nice counter to the Europe-wide move to log EVERYTHING, but there is such a thing as balance. Logging everything is wrong, but not being able to log anything can lead to just as much trouble.
For all the slashdot privacy nutters I ask you this. How often have you sniggered when some scumbag was traced by online activists and had his private information published on slashdot?
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
What if some users are uploading/downloading child pornography or other illegal material? How do I track down the motherfucker? Yes, some people will say, let everyone do whatever they want... But no, laws are laws and log files are an effective (yet imperfect) way of keeping things in order, at a minimum. It's like having a law that says that all door locks are illegal...
It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
As I understand this law, my private server in Germany is now open to brute force attackers because I can't ban their IP address after 3 login failures? Heck, I can't even break that law, since everyone can easily tell that I'm using a ban list and just call the police.
I think someone in the German government should google brute force attacks and why ban lists are good.
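An added illustration, not part of any comment in this thread: the ban-after-3-login-failures mechanism discussed above, implemented so that addresses are held only in memory, only as keyed hashes, and only until the failure window or ban expires. Whether such short-lived state is permitted under the ruling is not something the page settles; the class name, thresholds and timings are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time


class EphemeralBanList:
    """Ban after repeated login failures without keeping a persistent IP log."""

    def __init__(self, max_failures=3, window=600, ban_seconds=900, clock=time.monotonic):
        self._key = os.urandom(32)  # per-process HMAC key, never written to disk
        self._max, self._window, self._ban = max_failures, window, ban_seconds
        self._clock = clock
        self._failures = {}  # HMAC(ip) -> recent failure timestamps
        self._banned = {}    # HMAC(ip) -> time the ban expires

    def _digest(self, ip):
        return hmac.new(self._key, ip.encode(), hashlib.sha256).digest()

    def _purge(self, now):
        """Drop expired bans and failures older than the window."""
        self._banned = {d: t for d, t in self._banned.items() if t > now}
        cutoff = now - self._window
        fresh = {d: [s for s in ts if s > cutoff] for d, ts in self._failures.items()}
        self._failures = {d: ts for d, ts in fresh.items() if ts}

    def is_banned(self, ip):
        self._purge(self._clock())
        return self._digest(ip) in self._banned

    def record_failure(self, ip):
        """Count one failed login; return True once the client is banned."""
        now = self._clock()
        self._purge(now)
        d = self._digest(ip)
        if d in self._banned:
            return True
        stamps = self._failures.setdefault(d, [])
        stamps.append(now)
        if len(stamps) >= self._max:
            self._banned[d] = now + self._ban
            del self._failures[d]
            return True
        return False

    def entries(self):
        """Number of digests currently held (for checking that state expires)."""
        self._purge(self._clock())
        return len(self._failures) + len(self._banned)
```

Because the HMAC key lives only in process memory, a restart discards both the key and every entry, so nothing in this structure can be matched back to an address afterwards.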
I really doubt this is going to last, and nobody outside of Germany is going to take it seriously. Too many servers log IP addresses, if nothing else just because IIS and Apache do that by default.
Then there is the issue of competing laws. In the US, for example, federal encryption laws require IP addresses to be logged when certain pieces of software are downloaded.
Gifts for Geeks - Stuff that really matters!
So, you can't store people's IPs on your web server, but if you operate a TOR node, you do? Or only if you are ordered to by a court?
I think I'm confused.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
Your logic is fallacious.
A single IP address is not necessarily associated with a single person. Correct. A -> B. This does not imply B->A in any way, shape or form.
The site actually doesn't make that argument, however. It makes the argument that an IP address is not permanently associated with a single person and easily changed for most (most ISPs here assign you a different IP on each login, out of a pool of millions; and most ISPs here do not allow connections to stay connected for longer than 24 hours).
Furthermore, the site states the exact opposite of your assertion a few paragraphs later. IPs are, in fact, personally identifiable to at least the government, police, and intelligence agencies (as well as foreign hostile intelligence agencies and witty hackers of the legal and technical kind) since ISPs store that data (even though they are not required to (yet) and are actually currently forbidden to, lawfully).
Last, but not least, your jump from "it's not exactly 1 person == 1 ip" to "it's not personal data at all" is plainly wrong. Take phone numbers as an analogy. You can clearly change phone numbers. Are they suddenly less not associated personally with you, AT ALL? Take credit card numbers. You can have many of them, or share one with several people, or even change them once they become compromised. Does that make them any less personally identifiable?