German Court Rules That Websites Can't Retain Logged IPs
tmk writes "The local court of the Berlin district of Mitte has barred the Federal Ministry of Justice from logging IP addresses of the visitors of its website. German law prohibits storing personal data for a longer time — if not needed for accounting. German privacy activists have started a campaign, Wir speichern nicht ("we don't log your data!"), which provides manuals on how to turn off the IP logging on your server."
It doesn't sound like this is an easy law to enforce. I mean how are you going to know if someone is logging IPs on their site by seeing what the server variables are set to? But then again you can always use another tool that doesn't show up so easily. This whole thing just sounds too hard to enforce to the point where it would be effective to have the law. It's not like enforcing a parking ban or anything.
My servers are in Germany, but I will continue to log.. I am hosted on Hosteurope which is actually currently under investigation by the FBI for allowing a hole to persist in their infrastructure that allows anyone to get into any server on their network...
I already know the guy that got into my server lives in Romania, registered the domain name in Canada (Toronto), using a New York Address, with a fake credit card, and the fake business is !located in Sweden...
So, I will continue to log for security purposes..
Josh
Just because it works, Doesn't make it right. - JTM
If you haven't done so yet, reading and laughing about German politics is a great idea to spend some boring office hours. American Slashdot readers may already know what it's like to have a moron rule your country, but in everything privacy-related Germany's totally unbeatable.
April 2007. A new law about data retention has just passed the German government[1]. Called "Vorratsdatenspeicherung"[2] it forces communication providers to introduce an identification liability. As an example this means no more anonymous E-Mail in Germany. IP addresses of anyone sending and accessing their E-Mail accounts must be stored and retained for a few months (6 IIRC). IIRC this also affects other types of communication, including forced storing of a web site visitor's IP address.
October 2007. A German court decides to outlaw storing of IP addresses by web pages. Anybody see a pattern here?
This is almost as absurd as a court deciding to outlaw not killing people. It may seem completely moronic, but since those guys will have better salaries than you they ARE right.
[1] http://www.heise.de/newsticker/meldung/88449
[2] http://de.wikipedia.org/wiki/Vorratsdatenspeicherung
That "Wir speichern nicht" site makes the argument (or, appears to, based on Google translation) that keeping IP addresses for a ban list isn't useful because an IP address isn't necessarily associated with a single person - yet, if you accept that argument, an IP address isn't "personal data" of any kind at all!
We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
There are 2^32 potential IP addresses, that's 4294967296... And you can decrease that number considerably by removing addresses that will never appear in internet-facing logs (127.x, 10.x, 192.168.x, plus all the blocks currently unallocated or reserved)...
Unless the hash algorithm was ridiculously complex, it wouldn't take all that long to brute force, and a database of every possible hash wouldn't be all that big either, not relative to the rainbow tables used for common password hashing techniques.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
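The brute-force point in the comment above, as an added example that is not part of the original thread: an unsalted hash of an IPv4 address is recovered by hashing every candidate, while an HMAC under a discarded key is not. SHA-256, the constructed sample address in the 198.18.0.0/16 benchmarking range, and the `KeyedPseudonymiser` helper are assumptions made for this illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets


def plain_hash(ip: str) -> str:
    """Unsalted SHA-256 of the dotted-quad string: the naive 'anonymised' log field."""
    return hashlib.sha256(ip.encode()).hexdigest()


def recover(digest: str, network: str):
    """Hash every address in `network` and return the one matching `digest`, if any."""
    for addr in ipaddress.ip_network(network):
        if plain_hash(str(addr)) == digest:
            return str(addr)
    return None


class KeyedPseudonymiser:
    """HMAC-SHA256 under a random key kept only in memory (hypothetical helper).

    Tags stay comparable while the key lives, so per-period visitor counts still
    work; rotate() discards the key, after which old tags cannot be recomputed.
    """

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def rotate(self):
        self._key = secrets.token_bytes(32)

    def tag(self, ip: str) -> str:
        return hmac.new(self._key, ip.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    sample_ip = "198.18.37.201"      # constructed address in the benchmarking range
    logged = plain_hash(sample_ip)    # what an "anonymised" log line would hold
    # 65,536 candidates here; the full IPv4 space is only 65,536 times larger.
    print("recovered from plain hash:", recover(logged, "198.18.0.0/16"))

    p = KeyedPseudonymiser()
    tag = p.tag(sample_ip)
    print("same visitor, same tag:", tag == p.tag(sample_ip))
    print("enumeration without key:", recover(tag, "198.18.0.0/16"))
    p.rotate()
    print("tag after key rotation differs:", tag != p.tag(sample_ip))
```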
It has to be noted that this decision does not necessarily affect anyone apart from the parties involved in that particular case. German courts are not bound to decisions other courts made; there is no such thing as 'case law' in the German legal system. I'm pretty confident that 'regular' logging will continue to be alright; the analysis of user behavior is the critical fact here, at least that's how I read it. Still, every single law concerning the internet seems to be utter nonsense as of late; however, since no one in the government seems to understand how that whole computer-thingy works, that's hardly surprising. And on a side note: The Grundgesetz (*) states in article ten that "The privacy of correspondence, posts, and telecommunication shall be inviolable" - so far so good, however that does only affect the relationship between people and the state, not purely private relationships. I'm in law school, and I recently learned that the "Article 10 is not that important anymore since the Dt. Post and Dt. Telekom became private corporations and are not directly controlled by the state anymore."
* http://www.bundestag.de/htdocs_e/parliament/function/legal/germanbasiclaw.pdf
Why would/should it be illegal?
If I'm allowed to look at someone talking to me and hear what he/she has to say, am I not allowed to record that transaction?
Where do you draw the line as to recording?
No Video?
No Audio?
No Photos?
No Drawings?
No Written notes?
No Mental recollection of the dialog?
No Remember the person's face?
The whole concept of denying someone the right to record personal transactions is ludicrous. If I run a website and someone accesses it, I have every right to record that person's IP address and hold it for as long as I want. Same goes for any personal transactions I have.
(this does not include making this information public however, that becomes a gray area)
MABASPLOOM!