German ISP Forced To Delete IP Logs 202
An anonymous reader writes "A German federal court decided today that T-Online, one of the largest ISPs in Germany, was obligated to delete all IP logs of a customer upon request to guarantee their privacy. From the article: 'The decision (German) does not mean that T-Online is now obliged to delete all their IP-logs, the customers first need to complain. But, if they ask T-Online to delete their IP-logs, the ISP has no other choice than to comply. A lawyer from Frankfurt already sketched a sample letter (German) to make this process easier.'"
The way it should be. (Score:5, Insightful)
Re: (Score:3, Insightful)
it should be "opt in" (Score:2)
This is the way it already is... (Score:2)
... in enough english-speaking jurisdictions in North America that library software companies arrange for their programs to only keep logs while a book is actually in the hands of a patron (think: IP address is assigned by DHCP), and discard the identifying information as soon as the book is returned, or paid for if lost.
Non-identifying information, like "book x circulated twice this year", is retained for planning and statistical purposes.
If one happens to do business in a jurisdiction that has such a
Re: (Score:2, Insightful)
Re: (Score:3, Insightful)
Re: (Score:2, Interesting)
Disclaimer: By "logs" I don't mean record of what web sites were surfed and what files downloaded, I mean record of what customer had X IP address at Y time.
Re: (Score:3, Informative)
48 for a mac.
how big is a datetime? give it 128.
30 bytes being generous.
another datetime for disconnect.
30+30+8+6 = 74bytes
why not make it a clean 100 bytes.
If you stored the connection details for every single possible ip adress in the 64bit space.
you got 4billion connections a day at 100 bytes.Thats only 400g
So the entire worlds isps would only generate 144TB of connection data a year and only if everysingle ip in the space was used and being connected everyday.
A few thousand TB is waaaa
Re: (Score:2, Interesting)
Re: (Score:2, Informative)
It's not true, because you haven't presented all the connection details that have to be stored. For starters, none of that information actually identifies which user it was exactly that dialed in, or what MAC or IP address was assigned to that user.
Secondly, more information about the connection has to be kept to be useful for analyzing any problems/difficulties with the service. There's really no point in just retaining merely a list of ip addresses, usernames, and times, absent the key connection p
Re: (Score:2, Insightful)
Worst case would be 256 bits (32 bytes) for source and destination IPv6 addresses.
>48 for a mac.
Not worth collecting; the MAC address that would actually be in the packet at the time would be that of the last switch/router the packet passed through... unless you are collecting this data at all of the users' gateways.
>another datetime for disconnect.
How do you do this for UDP? UDP does not have a "connect/disconnect" paradigm; you just throw packets at the port and hope
Re: (Score:2)
Re: (Score:2, Insightful)
Re:The way it should be. (Score:5, Informative)
This case is about deleting a particular user's records. If you don't keep them, you don't have to do anything. You seem to say you'll need to create an all-encompassing tracking system so you can selctively delete the records. Just delete them all as soon as you've abstracted any information you need for billing or debugging.
Has anyone asked what the plaintiff has to hide? hope he gets cyber-stalked by a hate group
In TFA: "The court ruling is the result of a case that was initiated by Holger Voss, a 33 year old man from Münster. Voss was sued for making a sarcastic comment in an Internet forum back in 2002."
Sarcasm? Yeah, he totally deserves to be stalked and vilified by a hate group. That'll learn him not to mouth off.
Sarcastic comment explained (Score:3, Interesting)
Sorry for reading TFA...
Re: (Score:3, Interesting)
You would hope that would be a crime in itself.
Re: (Score:2)
Re: (Score:3)
How ironic that some Anonymous Coward wrote this crap.
Re: (Score:3, Insightful)
Only if your basic assumptions is that everyone is guilty of some sort of crime every single day of their life and it is the job of someone to sift through all that data to find all these criminals. Would it not be more effective to monitor ONLY those who are truly suspects of a real crime? A real crime that does real damage to others? Most possession crimes do not rise to ever hurting anyone, until the illicit substance or object is actually u
Re: (Score:2)
Should the "authorities" be able to get a list of books you've checked out?
Should anonymous pamphleteering be banned?
Would you like the person next door, to be able to publish pictures of your kids on the net, and then hide his tracks.
How would you even know he did that? How do you know he hasn't already done that? Maybe some CTV operators in Britain are already doing that. Do those cameras make you feel safe now?
Wake up people. This is not about freedom.
Law is about freedom. In "Free" countries i
Re: (Score:2)
I think you missed my point. The internet is just a mirror. So your statement "The internet is an extremely dark place." is really you commenting that the world is very a dark place.
I can only suggest that you take a break and find some goodness to focus on to replenish your spirit. A few moments everyday to appreciate that which is good in your life and the darkness won't seem so powerful, so overwhelming that you're willing to trade away yo
Re: (Score:2)
So why not collect an keep information ONLY on people suspected for wrongdoing? Why does data have to be kept for everybody for every minute of the day? The REAL evil people who are not totally stupid, will not be caught by these "cast a wide net tactics" in the first place. For example, there are literally millions of open wireless access points that a person bent on doing wrong can use to access the Internet. Any
Re: (Score:2)
The whole idea of data retention is horse shit. The data is not "evidence" until requested by court order. If the data is gone by then, too bad. With a proper court order, the MIB can monitor 'till their hearts' content to obtain new data. Proactive monitoring (pre-crime) is anti-American.
Re: (Score:2)
Re: (Score:2)
So, if ComCast has a spammer, it should terminate the account. If Embarq has someone making threatening calls, it should work to monitor and eventually shut the line down. And so on. But we should not be
Re:The way it should be. (Score:4, Insightful)
As a admin, working for a german company in Germany, I know that our privacy laws are a PITA.
As a german citizen, living and working in Germany I think our privacy laws are way too relaxed.
That said, I very much welcome the decision of the court. We had a couple of similar decisions lately. And one always got the impression that the judges not only talking about the very case they had to handle, but that their sentence was also aimed at our politians to show them how german courts think about the EU data retention act. This one can't be trialed in Germany yet, as it hasn't become german law as of now. So this seem like a warning about what to expect when that gets taken to court, once it made it into german law.
Re: (Score:2)
That in itself was probably not much of a privacy issue as many servers are logging connections anyway.
What did become an issue was that those logs were made available to all via our intranet.
The idea being this way supervisors/ management could root out abuse of the internet access, like people spending too much time
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Requests to delete server logs (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
Re:Requests to delete server logs (Score:4, Informative)
Re: (Score:2)
This raises an interesting question: would Google delete logs on you if you asked them to?
Re: (Score:2)
Then they wouldn't know what ads to give Adblock to block
But no privacy in the land of the free (Score:5, Insightful)
Sure, our media and government pay lip service to privacy issues, but the reality is that our government wants to increase monitoring in the name of fighting terror. Compare this story of Germany forcing the ISP to delete logs for a customer to this one [msn.com] outlining yet another argument by US officials to require ISPs to maintain even more user data.
I'd hate to see us to become a 'surveillance society' like Britain has. Unfortunately, we seem to be quickly heading down that path, particularly since our citizens haven't yet raised up to demand greater freedom.
Re: (Score:2)
Re:But no privacy in the land of the free (Score:5, Insightful)
Any source? Just curious, as I am living in Germany and did not really realize.
Also:
Press Freedom Index 2006 [rsf.org]
CC.
Re:But no privacy in the land of the free (Score:5, Insightful)
Re: (Score:2)
Of course we could argue that such sentiments are stupid anyway, but that is clearly a matter of opinion. And just because our opinion (assuming you also do
Re: (Score:2)
Re: (Score:2, Informative)
Ah, nice twist by the Scientology spin doctors. Scientology is not considered to be a "religion" in Germany. Therefore there can't be any "persecution of religious minorities". They're a company with any rights and duties each other company has in Germany.
But they're also considered to be an anti-constitutional. Their goals are against our constitution. Therefore our secret services ("Verfassungs
Re: (Score:2)
The government has no business deciding what is and what is not a religion, of course. Not that I am positively disposed towards Scientology, but if awarding status as a religion is apparently problematic, then maybe religion has a privileged status it sho
Re: (Score:2)
Germany is not alone in the idea that everything that is not expressly permitted is automatically forbidden. It's just like in many things German, the Germans are more thorough and methodical about it.
Re: (Score:2)
Deciding that "a religion" is tax exempt is contrary to freedom of religion. Only things sufficiently similar to christianity will be considered religion, which means that the taxpayer sponsors christianity. Best way to avoid criticism of privileging one religion over another is to ignore them in the first place.
The problem with scientology is that they can not prove that their sole purpose is religi
Re:But no privacy in the land of the free (Score:4, Informative)
Re: (Score:2)
Sorry, I just watched Hellboy for the first time the other night.
Re:But no privacy in the land of the free (Score:5, Informative)
Re: (Score:2)
I think you mean the Regulation of Investigatory Powers Act [opsi.gov.uk].
Re: (Score:3, Insightful)
Well, Germany actually had a dictator lie his way to power by using fear and patriotism as bludgeons against his opponents. They know firsthand what dangers lie at the end of that road. We still think we can have everything along the road (the exaggerated nationalism, the fear-mongering, the reduction of freedom to save freedom, etc) without necessarily arriving at the same
Re:But no privacy in the land of the free (Score:4, Informative)
The fear of politicians and government of being perceived as nationalist sometimes has perverse results. Here in the Netherlands we used to have a historical curriculum that identified tolerance as a key part of national identity, but the reluctance of government to prescribe historical dogma about "our ancestors" gives license to for instance schools with a majority of muslim pupils to gloss over impopular subjects like the holocaust and the eighty years' war (1568-1648), where "our protestant ancestors" are the ones being persecuted.
Teaching children about the attack by the resistance in 1943 on the population register in Amsterdam, with the intent to burn it down in order to frustrate Nazi bureaucracy, is the best way to instill respect for privacy. Reference to this event that most people know about is a powerful antidote to suggestions that "you have nothing to fear if you are innocent": it was the Dutch government that, in better days, compiled the data that allowed the Nazis to trace most jews (population register) and gave them few places to hide (cadastral maps). What to remember and what to forget is still a policy choice.
The US and continental Europe have different experiences of, and therefore perspectives on, WWII. For the US, WWII is a license to interfere militarily in perceived Nazi regimes abroad (as they did in WWII), while formerly occupied countries, and Germany itself, are busy simply not being a Nazi regime.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
But is a good comparison. The Internet is a PUBLIC place. Anyone who thinks otherwise is fooling themselves. Privacy only should apply where human eye or ears or their extensions would normally be, like in your house. Universal surveillance cuts down on random crimes of opportunity, but will never deter anyone determined to do wrong. Therefore, it is pretty useless to deter terrorists by universal monitoring of everybody. Terrorists are not
A question for network admins (Score:5, Interesting)
Re: (Score:2)
The MPAA/RIAA/IFPI/etc. all LOVE long data retention as well, especially when combined with Law Enforcement.
I'm pretty sure all manner of intelligence services also LOVE long data retention.
I have yet to see a case of a consumer/customer loving long data retention.
Re: (Score:2)
Re: (Score:2)
Traffic usage logs are interesting as well; one broadband ISP (1&1) in Germany regularily offers some of their customers $150 if they leave for another provider, since these customers actually used the bandwidth being advertized and generated generous amounts of traffic. You can't do that without retaining information on traffic usage.
Other ISPs mi
Re: (Score:2)
hrrm
Re:A question for network admins (Score:4, Informative)
reports are for events more than a week old (typically worm type reports
come fast, but spam reports are often delayed because the recipients
don't read their email every day).
We also use long-term data for trend analysis: which POP needs more or
less dialup lines, who dialed in to a POP (with how much they pay, does
the POP make financial sense), etc.
While trend analysis doesn't require IP addresses (for the most part),
the call database has a record per call that includes the IP (same
database as used for IP abuse lookups). To not retain IP addresses,
we'd have to set up a second database, second lookup interface, and some
transfer mechanism between the "with IP" and "without IP" databases.
That's a real PITA, so we don't do that.
Re: (Score:2)
Re: (Score:2)
On a practical note, how much storage are we talking about for a decent sized ISP? I'm assuming you'd want to store the customer's ID, the IP address visited by the customer, the website address (if there is one), a timestamp for that visit, and maybe the amount of transfer both upstream and downstream each time the computer sends or recieves. Even for small ISP's that sounds like a lot of info to keep, indefinately, for every single custo
Re: (Score:3, Insightful)
No logs of website accesses or acribic list of all packets sent and received are made.
A lot of data is accumulated, but really, what does a terabyte of online storage cost these days
Amazon stores your entire clickstream history, everything you ever did on their website, for an indefinite amount
Re: (Score:2)
The idea of immense data storage and its implication for all humans, especially evil doers, is nothing new. DNA can store a lot of information. If we humans can develop low cost data storage, is it so far fetched that the One who came up with the DNA data storage machinery can and will do exactly what he has promised to do in revealing ALL of man's thoughts and deeds? This was written centuries ago in
Re: (Score:2)
(the above was written by man, and genetic memory was not even a far-fetched thought back then. I love it when people try to cite that (admittedly in some stretches quite entertaining) book as a way to instill fear and prophecize whatever it is that is currently worth prophecizing to the citer
You Can Delete the Logs Present Now... (Score:3, Insightful)
Blurb text misleading (Score:5, Informative)
The linked webpage then recommends sueing T-Online in that case. If/Once you win that lawsuit, T-Online has no choice but to comply. This is a tad different from what the blurb here would have you believe.
(All this is based on rather strict privacy laws that require a provider not to collect any data not relevant to accounting; since IP addresses and data volume is not needed for accounting on plans with a flat fee per month, T-Online has no right to do so; they, however, save that data for 80 days.)
Data retention directive (Score:2)
Re: (Score:2)
After Deleting the Logs... (Score:2)
Re: (Score:2)
Dear requester: Per your request, we have deleted your IP logs. The deleted records are attached to this letter, for your reference. We will keep a copy of this letter on file, as proof that your request was carried out. Thank you for your patronage.
Google Language is a real boon :) (Score:2)
Othertimes though... [google.com]
Machine translation just isn't up to task.
Not quite as good as it looks (Score:5, Insightful)
The original article [spiegel.de] points out that keeping logs is incompatible with existing German law. But the law will soon be changed, because Germany will have to comply with an EU directive mandating that logs be kept for at least 6 months. Germany has already asked for an extension of the deadline to comply with this, but the strong likelihood is that the German privacy laws will be changed to comply with the EU-mandated snooping.
EU pols and bureaucrats are as hostile to personal privacy as US pols and bureaucrats.
Re: (Score:3, Informative)
It wouldn't be the first time that the highest German court nullifies the implementation of a EU directive [bundesverf...gericht.de].
The interesting political spin... (Score:3, Insightful)
Now here's the interesting bit: The entity that owns most of Telekom's shares is - the Bundesrepublik Deutschland, the German gouvernment. The "Innenminister", the guy responsible for the justice system, police etc. was one of the kind of politicians who'd like to know everything about everyone for the sake of "security". (Who needs freedom if they are secure? Oh wait, that was prison.)
So, while by the law he could not force ISPs to retain that data, the biggest german ISP that just happened to be controlled by... him(!)... did so anyway, aiding law enforcement in trivial (and here: unfounded) cases with said data.
Unfortunately, even in germany, noone seems to bother about privacy anymore.
Re: (Score:2)
If by "most" you mean more than 50%, then you are wrong. The German state still owns about 30%, although only 15% directly, while the other 15% are parked at the "Kreditanstalt fuer Wiederaufbau". Most(!) (as in ~70%) of the shares are nowadays owned by private and institutional investors.
Possible in the UK? (Score:2)
obliged to delete all logs (Score:2)
Yes it does. Maybe not yet, but soon as German ISPs get these complaints by the hundreds daily the only way to handle the requests will be to just change their log retention policy and delete them all after n days.
Re: (Score:2)
So without logs... (Score:2)
Without logs, it seems it would be harder to track down network abuse (i.e. crackers). So you trade privacy for some protection from assholes. To me, that's a fair tradeoff, but what happens when the German courts demand that an ISP assist in some investigation and they can't because they've deleted certain logs (as the SAME courts told them they have to do)?
Seems like it puts the ISP between a very uncomfortable rock and a hard place.
Re: (Score:2)
Australia.. (Score:5, Interesting)
- If I ask a company operating in Australia what information they have about me, they are obliged to tell me
- If I ask where they got this information, again they must answer
- If I ask the same company to remove such records, AFAIK they must, though there are reasonable exceptions to this one. (e.g. if i've done business with them, they have to keep financial records. if it's my bank, they might have to cancel the mortgage to comply..)
- Companies operating here are not supposed to pass on private information without consent, which is why so many competitions and things have clauses in tiny writing to get your consent.
Re: (Score:2)
The Office of the Privacy Commissioner [privacy.gov.au] will only launch investigations against larger companies (IIRC they need to have an annual turnover >$500K) and they told me as much when I complained. So that leaves a fair bit of room for unscr
Re: (Score:2)
I was about to say the same thing about France, but will add this as a reply here. I worked in France for some time and remember the same rights being effective there, and having them printed on a lot of things you sign to when you hand someone information (when ordering something or whatever). I remember being impressed that the system seemed to work there and be respected, at least most of the time, though I'm sure there are exceptions.
It is interesting to note that while a lot of restrictions are in plac
Re:Australia.. (Score:4, Funny)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2, Funny)
Re:What type of logs? (Score:5, Informative)
Re: (Score:2)
Re: (Score:2)
Note that your connection can stay completely idle for those 24 hours, or pump a full 16mbit/s through it for 24 hours -- you can also reconnect immediately after the forced disconnect; it doesn't really do anything to prevent idle connections or "unecessary" (that term should be defined by the paying customer, not by the telco) traffic.
Re: (Score:2)
Re: (Score:2, Interesting)
Re: (Score:2)
Yet in almost no country does the post office keep track and logs of who mail who despite crimes both in the past and present probably occur thorugh mail. Further, many countries does not have any law requiring ISPs to keep logs, yet they do it anyway.
>b) there are good technical reasons, ie statistical data used for load-balancing purposes,
>network expansion, upgrade scheduling etc, for keeping logs (although obviou
Re: (Score:2)
"Because: (a) some people commit actual crimes (like, the kind with victims) on the internet, and the ISP's logs are equivalent to the film from the CCTV camera across the street from a robbed bank;"
The CCTV camera doesn't watch *every* person in the world, 24/7/365.
Let's take a look at another example: telephones. You wouldn't tap a guy's phone until he was suspected of a crime, so why would you "tap" a guy's internet connection when he hasn't done anything to warrant suspicion? I'm all in favour of la
formerly, it did (Score:3, Funny)
Re: (Score:2)
Re: (Score:2)
Some of it they must remove upon your request, but not all. There is a very serious legal problem in the UK between the conflicting requirements of the DPA, the Regulation of Investigatory Powers Act (RIP) and the Human Rights Act. I suspect that if you pay enough to your QC they will make sure that