Thursday, October 04, 2007

Wow! Logging Is Illegal in Germany!

From Eric Fitzgerald on "Windows Security Logging and Other Esoterica" comes a major wow: logging is now illegal in Germany: "A German court has ruled that a government web site may not retain IP addresses and other personally identifiable information (PII) in their logs for any longer than the user is actually using the site.

The judges pointed out that in many cases it was simple to map an IP address to an identity with the help of 3rd parties, and declared that logging IP addresses was a "violation of the right to informational self-determination."

I was tempted to put this into "Nobody is That Stupid ... Oh, Wait!", but, to be honest, I am not sure I fully believe it...


wjl (Wolfgang Lonien) said...

Well, this is the answer to the long-discussed "Vorratsdatenspeicherung", or data retention. A big applause from the public, and a slap into the face of our minister of the interior, Mr. Schäuble.

Tony said...

There is probably a separate law specific to Germany as well, but the EU Directive on Privacy and Electronic Communications (Directive 2002/58/EC) specifies in point #22:

"The prohibition of storage of communications and the related traffic data by persons other than the users or without their consent is not intended to prohibit any automatic, intermediate and transient storage of this information in so far as this takes place for the sole purpose of carrying out the transmission in the elec- tronic communications network and provided that the information is not stored for any period longer than is necessary for the transmission and for traffic management purposes, and that during the period of storage the confidentiality remains guaranteed. Where this is necessary for making more efficient the onward transmission of any publicly accessible information to other recipients of the service upon their request, this Directive should not prevent such information from being further stored, provided that this information would in any case be accessible to the public without restriction and that any data referring to the individual subscribers or users requesting such information are erased."

IANAL, especially not a European lawyer, but it seems that even the statement here that "information is not stored for any period longer than is necessary for the transmission and for traffic management purposes" might support the German judge's decision.

Anton Chuvakin said...

I think most people will just ignore it. Are they used to ignoring laws in Germany? I guess not, but with that type of law, they will have to learn fast :-)

Dr Anton Chuvakin