Slashdot Mirror


German Court Rules That Websites Can't Retain Logged IPs

tmk writes "The local court of the Berlin district of Mitte has barred the Federal Ministry of Justice from logging IP addresses of the visitors of its website. German law prohibits storing personal data for a longer time — if not needed for accounting. German privacy activists have started a campaign, Wir speichern nicht ("we don't log your data!"), which provides manuals on how to turn off the IP logging on your server."

26 of 176 comments

  1. Re:Idiocy by Nos. · · Score: 2, Insightful

    Sorry, but federal law trumps you. If this is the law in Germany, and you're breaking it, you're committing a crime.

  2. Re:Idiocy by Daimanta · · Score: 2

    You are living in a country. You are a (permanent/temporary) guest. You have to abide by the laws of the country. If you want to keep logging you could leave the country and be on your way.

    Yes, this applies to everything else as well.

    --
    Knowledge is power. Knowledge shared is power lost.
  3. Re:Idiocy by Obvius · · Score: 4, Insightful

    Yes, but by the time you've told me that's your policy, you've already logged me.

  4. Conflict with logging laws? by SmallFurryCreature · · Score: 4, Insightful

    There has been a movement to INCREASE the amount of logging going on and to force ISPs to maintain detailed records for long periods of their users' actions. That is WAY more intrusive than a website logging your IP. You do NOT have to go to a website, you are bound to use an ISP.

    Before all the privacy loonies wake up, remember that it is perfectly normal for ALL your phone calls to be logged and it is standard practice for the police to check them, with court order, if they suspect something.

    The most common example of this is a bomb threat. The police will have a record of where the call was made from.

    This ruling makes it impossible to do the same with a bomb threat sent over the internet. Wouldn't this ruling make even the most basic web policing, the blocking of IP addresses, impossible?

    This seems like an overly broad ruling that leaves a lot of web admins in trouble because they can no longer effectively manage their servers.

    Yes it is a nice counter to the European-wide move to log EVERYTHING but there is such a thing as balance. Logging everything is wrong, but not being able to log anything can lead to just as much trouble.

    For all the slashdot privacy nutters I ask you this. How often have you sniggered when some scumbag was traced by online activists and had his private information published on slashdot?

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  5. Freedom? or Anarchy? by El+Lobo · · Score: 2, Insightful

    People seem to cheer every time a law helps "liberty" on the web. But is it really liberty they are promoting? Or is it anarchy? I have sympathy for those who think that not keeping the logs is good, and not having a log at all is better. I don't like either that somebody will misuse MY data (whatever that is) in this way. BUT, does it work in the real world?

    What if some users are uploading/downloading child pornography or other illegal material? How do I track down the motherfucker? Yes, some people will say, let everyone do whatever they want... But no, laws are laws and log files are an effective (yet, imperfect) way of keeping things in order, at a minimum. It's like having a law that says that all door locks are illegal...

    --
    It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
  6. Enforcement by bostons1337 · · Score: 2, Interesting

    It doesn't sound like this is an easy law to enforce. I mean how are you going to know if someone is logging IPs on their site by seeing what the server variables are set to? But then again you can always use another tool that doesn't show up so easily. This whole thing just sounds too hard to enforce to the point where it would be effective to have the law. It's not like enforcing a parking ban or anything.

  7. Knock Knock by SuperCharlie · · Score: 5, Funny

    Who's there?

    Denial Of Service Attack

    Denial Of Service Attack Who?

    We don't know.. we don't log that stuff..

  8. Banlists are now illegal? by siDDis · · Score: 3, Insightful

    As I understand it, this law means that my private server in Germany is now open for brute force attackers because I can't ban their IP address after 3 login failures? Heck I can't even break that law since everyone can easily tell that I'm using a ban list and just call the police.

    I think someone in the German government should google brute force attacks and why ban lists are good.

    1. Re:Banlists are now illegal? by Bert64 · · Score: 2, Interesting

      There are 2^32 potential IP addresses, that's 4294967296... And you can decrease that number considerably by removing addresses that will never appear in internet-facing logs (127.x, 10.x, 192.168.x, plus all the blocks currently unallocated or reserved)...
      Unless the hash algorithm was ridiculously complex, it wouldn't take all that long to brute force, and a database of every possible hash wouldn't be all that big either, not relative to the rainbow tables used for common password hashing techniques.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
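
Added example, not part of any comment in the thread: Bert64's point about the 2^32 address space, shown in Python together with the "ban after 3 login failures" case raised by siDDis. SHA-256, the function and class names, the keys and the 203.0.113.0/24 sample addresses are assumptions made for this illustration.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional


def plain_hash(ip: str) -> str:
    """Unkeyed SHA-256 of the address text: the naive 'anonymised' log field."""
    return hashlib.sha256(ip.encode("ascii")).hexdigest()


def keyed_pseudonym(ip: str, key: bytes) -> str:
    """HMAC-SHA-256 under a server-side secret; cannot be enumerated without it."""
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()


def recover_from_plain_hash(digest: str, network: str) -> Optional[str]:
    """Hash every address in `network` and return the one matching `digest`.

    The full IPv4 space is this same loop over 2**32 candidates.
    """
    for addr in ipaddress.ip_network(network):
        if hmac.compare_digest(plain_hash(str(addr)), digest):
            return str(addr)
    return None


class BanList:
    """Counts login failures per keyed pseudonym, never per raw address."""

    def __init__(self, key: bytes, max_failures: int = 3) -> None:
        self._key = key
        self._max = max_failures
        self._failures = {}  # pseudonym -> failure count

    def record_failure(self, ip: str) -> bool:
        """Register one failed login; return True once the source is banned."""
        tag = keyed_pseudonym(ip, self._key)
        self._failures[tag] = self._failures.get(tag, 0) + 1
        return self._failures[tag] >= self._max

    def is_banned(self, ip: str) -> bool:
        return self._failures.get(keyed_pseudonym(ip, self._key), 0) >= self._max

    def rotate_key(self, new_key: bytes) -> None:
        """New key, empty table: old pseudonyms cannot be linked to new ones."""
        self._key = new_key
        self._failures.clear()


if __name__ == "__main__":
    source = "203.0.113.77"  # constructed sample address (documentation range)
    # The unkeyed hash is reversed by plain enumeration of the candidate range.
    print(recover_from_plain_hash(plain_hash(source), "203.0.113.0/24"))
    bans = BanList(key=b"constructed-demo-key-1")
    for _ in range(3):
        bans.record_failure(source)
    print(bans.is_banned(source), bans.is_banned("203.0.113.78"))
```

The ban list still matches repeat offenders while the key is live, and rotating the key on a schedule bounds how long any stored value can be tied back to an address.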
  9. This isn't going to last by Cleon · · Score: 2, Insightful

    I really doubt this is going to last, and nobody outside of Germany is going to take it seriously. Too many servers log IP addresses, if nothing else just because IIS and Apache do that by default.

    Then there is the issue of competing laws. In the US, for example, federal encryption laws require IP addresses to be logged when certain pieces of software are downloaded.

    --
    Gifts for Geeks - Stuff that really matters!
    1. Re:This isn't going to last by Bert64 · · Score: 2, Insightful

      US laws don't apply to people living in Germany, despite what a large number of Americans seem to believe nowadays.
      Similarly, German laws don't apply elsewhere, so you could simply host your website in another country, but you might have to go to the extent of having a foreign entity actually "owning" the site.
      Hosting in Germany is expensive anyway, many German companies and individuals host their sites elsewhere already.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  10. What about TOR? by Luke+Dawson · · Score: 2, Insightful

    So, you can't store people's IPs on your web server, but if you operate a TOR node, you do? Or only if you are ordered to by a court?

    I think I'm confused.

  11. German language, difficult language (Deutsche Sprache, schwere Sprache) by micropitt · · Score: 2, Informative

    I think some people here got confused with the translation. It is ok to have IPs in the server logfiles. It is not ok to store/save the logfiles with the IPs for a longer period of time.

  12. Uh oh by Acecoolco · · Score: 2, Interesting

    My servers are in Germany, but I will continue to log.. I am hosted on Hosteurope which is actually currently under investigation by the FBI for allowing a hole to persist in their infrastructure that allows anyone to get into any server on their network...

    I already know the guy that got into my server lives in Romania, registered the domain name in Canada (Toronto), using a New York Address, with a fake credit card, and the fake business is !located in Sweden...

    So, I will continue to log for security purposes..

    Josh

    --
    Just because it works, Doesn't make it right. - JTM
  13. Gotta Love the German Government. by darthflo · · Score: 2, Interesting

    If you haven't done so yet, reading and laughing about German politics is a great idea to spend some boring office hours. American Slashdot readers may already know what it's like to have a moron rule your country, but in everything privacy-related Germany's totally unbeatable.

    April 2007. A new law about data retention has just passed the German government[1]. Called "Vorratsdatenspeicherung"[2] it forces communication providers to introduce an identification liability. As an example this means no more anonymous E-Mail in Germany. IP addresses of anyone sending and accessing their E-Mail accounts must be stored and retained for a few months (6 IIRC). IIRC this also affects other types of communication, including forced storing of a web site visitor's IP address.

    October 2007. A German court decides to outlaw storing of IP addresses by web pages. Anybody see a pattern here?

    This is almost as absurd as a court deciding to outlaw not killing people. It may seem completely moronic, but since those guys will have better salaries than you they ARE right.

    [1] http://www.heise.de/newsticker/meldung/88449
    [2] http://de.wikipedia.org/wiki/Vorratsdatenspeicherung

    1. Re:Gotta Love the German Government. by KDR_11k · · Score: 2

      The legislature and the judiciary are not the same entity. There's a reason for that. Laws can be struck down by a court if they violate other laws.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
  14. heh by Random832 · · Score: 2, Interesting

    That "Wir speichern nicht" site makes the argument (or, appears to, based on google translation) that keeping IP addresses for a ban list isn't useful because an IP address isn't necessarily associated with a single person - yet, if you accept that argument, an IP address isn't "personal data" of any kind at all!

    --
    We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
    1. Re:heh by mxs · · Score: 2, Insightful

      Your logic is fallacious.

      A single IP address is not necessarily associated with a single person. Correct. A -> B. This does not imply B->A in any way, shape or form.

      The site actually doesn't make that argument, however. It makes the argument that an IP address is not permanently associated with a single person and easily changed for most (most ISPs here assign you a different IP on each login, out of a pool of millions; and most ISPs here do not allow connections to stay connected for longer than 24 hours).

      Furthermore, the site states the exact opposite of your assertion a few paragraphs later. IPs are, in fact, personally identifiable to at least the government, police, and intelligence agencies (as well as foreign hostile intelligence agencies and witty hackers of the legal and technical kind) since ISPs store that data (even though they are not required to (yet) and are actually currently forbidden to, lawfully).

      Last, but not least, your jump from "it's not exactly 1 person == 1 ip" to "it's not personal data at all" is plainly wrong. Take phone numbers as an analogy. You can clearly change phone numbers. Are they suddenly less not associated personally with you, AT ALL? Take credit card numbers. You can have many of them, or share one with several people, or even change them once they become compromised. Does that make them any less personally identifiable?

  15. Illegal? Or government limitation? by RingDev · · Score: 2, Insightful

    I'm no expert on German law, but it doesn't sound like they've made IP logging illegal. It sounds like the ruling states that the government can not retain IP info.

    the local court of the Berlin district of Mitte has barred the Federal Ministry of Justice from retaining personal data acquired via its website beyond the periods associated with the specific instances of use of the site.

    It sounds kinda like free speech in the US. The Constitution hasn't outlawed censorship, it only bars the government from censoring (err... to some extent). So I would guess the big question is how does Germany's legal system work, and how does this ruling apply to non-state actors.

    -Rick
    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
    1. Re:Illegal? Or government limitation? by Josef+Meixner · · Score: 3, Informative

      It is a bit complicated. In principle the law states you are not allowed to store privacy related data without a clear cause. Just storing because you can store is not enough. Every citizen has the right to ask what data you store about him and can even ask you to delete it. Failure to do so can result in a lawsuit and if you store information you don't need for the agreed upon cause you will lose. That has happened to the Ministry of Justice. As German law is not based on precedent it doesn't mean anything for anybody else directly. But it can mean, you are next on the list and will face a similar lawsuit.

      One of the problems is, I don't see how the IP address is privacy-related data, as a normal webmaster will not be able to connect an IP of an anonymous user with the user's identity. This also is only the lowest instance of the court system, but the Ministry has not appealed (for whatever reasons).

      I am personally undecided about it, in principle it is correct, why does a website I once visit have to store my IP forever? Also the next target of the group which started the Ministry of Justice case is now going after the BKA (federal police), they put up an information page about an extremist group not much is known about called mg (for "militante gruppe"). Everyone who visits that page is logged and they try to connect your IP with the data they have to identify you. It seems they try to somehow find the "terrorists" that way. Don't laugh, they seem to actually believe that could work.

    2. Re:Illegal? Or government limitation? by vidarh · · Score: 2, Informative

      "In principle the law states you are not allowed to store privacy related data without a clear cause. Just storing because you can store is not enough. Every citizen has the right to ask what data you store about him and can even ask you to delete it. Failure to do so can result in a lawsuit and if you store information you don't need for the agreed upon cause you will lose."

      And for those who don't know: This is the case in all EU (and EEA) countries. It is a result of the implementation of the EU Data Privacy Directive, which is overall very good. The exact implementation varies from country to country, and the national courts' interpretations of what is private data also vary, so this court decision can NOT be treated as precedent in other EU countries (not even sure if it can be treated as precedent in Germany), but the general principles apply.

      However, the bar for showing you have reasonable grounds for storing data is relatively low - if you use the IP addresses for tracking down abuse of your system, for example, and you don't keep them excessively long, you're likely to be in the clear in most or all EU countries.

      If you want to keep possibly personal information for a long while, your odds of avoiding problems also dramatically diminish if you reduce the scope (filter and store only information that is actually specifically relevant to your objectives, for example).

  16. Don't mess up with the context. by burni · · Score: 3, Informative

    The context is that the http://www.bmj.bund.de/ ( German version of the DOJ )
    started to log IP addresses of people who had accessed public information dealing with
    a terrorist group called "militante Gruppe".

    (
    "Militante Gruppe" / ('militant group')

    - German leftist/communist/(anarchist?)
    - anti-global

    terror group

    till now no human casualties were recorded, terrorist actions mostly targeted unmanned police cars, or cars of right-wing politicians in the city of Hamburg, using Molotov cocktails,

    The BKA ( German version of the FBI ) is investigating the incidents since 2001,
    and they lack in information.
    )

    The information was placed with the intent to inform the public about the signs of identification the
    group has used in the past, to engage whistleblowers who may have recognized suspicious things helping the police to identify the persons behind this terrorist group.

    But in contrast the visitors' IPs were logged and further investigation was done by the 'BKA',
    this includes identifying the persons who accessed the page using their IP addresses,
    with no further evidence such as visiting a governmental public information site,
    such actions probably are illegal.

    From the judgement some non-official guidelines were derived,
    I will try to translate them as properly as I can.

    The judgement does not deal with IPs in detail, there is a term
    "Internet-Nutzungsdaten" this can also be a profile of use,
    and the German privacy laws try to protect the people from
    being tracked, and so profiled.

    GER Leitsätze (nicht amtlich):
    ENG guidelines ( non-official ):

    a.)
    GER Anbieter von Telemedien im Internet dürfen nicht systematisch die Kennungen (IP-Adressen)
    GER der Nutzer ihrer Dienste protokollieren.

    ENG Provider of internet content and service shall not log signs of identification (IP addresses)
    ENG of users systematically.

    b.)
    GER Zur Entscheidung von Streitigkeiten über die Verarbeitung von Internet-Nutzungsdaten durch
    GER eine öffentliche Stelle ist die ordentliche Gerichtsbarkeit berufen.

    ENG Anytime an official judge must decide in disputes concerning the processing of
    ENG  ?InternetUserProfilingData? through a governmental organisation

    c.)
    GER Kann zwar nicht die speichernde Stelle, aber ein Dritter eine Angabe der Person des
    GER Betroffenen zuordnen, so ist das Datum personenbezogen.

    ENG If the Content Provider (logger) is not able to resolve the person of interest through the IP
    ENG but a third person (ISP) is able to do so, the date is also to be recognized as personal data

    NONTRANSLATIONJUSTMYSAYING  .. and so shall not be logged at all.

    GER Die von einem Internet-Zugangsanbieter temporär zugewiesene Internetkennung (dynamische
    GER IP-Adresse) stellt nicht nur für den Internet-Zugangsanbieter, sondern auch für Anbieter von
    GER Telemedien im Internet ein personenbezogenes Datum dar.

    ENG The dynamic IP address assigned by the ISP, is to be treated as personal data,
    ENG for both the ISP and the content provider,

    ????? it can be seen as a personalised private date/datum.

    From my point of view - I'm not a lawyer - but I understand a.) as if you recognize
    misuse you are allowed to log the data of the misusing parties,
    it's just not allowed to log and store every access over the
    period of use ('.. dürfen nicht systematisch ..')

  17. Re:Idiocy by Bert64 · · Score: 2, Insightful

    Governments don't have to make their laws "morally right"... They just need to be able to enforce them, and that means ensuring that the people who oppose those laws are not well armed or numerous enough to remove you from government.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  18. No legal consequences for others... yet by r3f4rd30n · · Score: 3, Interesting

    It has to be noted that this decision does not necessarily affect anyone apart from the parties involved in that particular case. German courts are not bound to decisions other courts made; there is no such thing as 'case law' in the German legal system. I'm pretty confident that 'regular' logging will continue to be alright; the analysis of user behavior is the critical fact here, at least that's how I read it. Still, every single law concerning the internet seems to be utter nonsense as of late; however, since no one in the government seems to understand how that whole computer-thingy works, that's hardly surprising. And on a side note: The Grundgesetz (*) states in article ten that "The privacy of correspondence, posts, and telecommunication shall be inviolable" - so far so good, however that does only affect the relationship between people and the state, not purely private relationships. I'm in law school, and I recently learned that the "Article 10 is not that important anymore since the Dt. Post and Dt. Telekom became private corporations and are not directly controlled by the state anymore."

    * http://www.bundestag.de/htdocs_e/parliament/function/legal/germanbasiclaw.pdf

  19. Re:Idiocy by Alphager · · Score: 2, Insightful

    And what about recording your own phone conversations without the consent of the person on the other end of the line? Legal.

    Not in Germany.
  20. Re:Idiocy by neoform · · Score: 2, Interesting

    Why would/should it be illegal?

    If I'm allowed to look at someone talking to me and hear what he/she has to say, am I not allowed to record that transaction?

    Where do you draw the line as to recording?

    No Video?
    no Audio?
    No Photos?
    No Drawings?
    No Written notes?
    No Mental recollection of the dialog?
    No Remember the person's face?

    The whole concept of denying someone the right to record personal transactions is ludicrous. If I run a website and someone accesses it, I have every right to record that person's IP address and hold it for as long as I want. Same goes for any personal transactions I have.

    (this does not include making this information public however, that becomes a gray area)

    --
    MABASPLOOM!