
Germany Implements Sweeping Data Retention Policies

Posted by Zonk
from the bad-day-for-leaving-people-alone dept.
G'Quann writes "Starting next year, all communication providers in Germany will have to store all connection data for six months. This includes not only phone calls but also IP addresses and e-mail headers. There had been a lot of protest against the new law, but it was ignored by the government. Quoting: 'The content of the communications is not stored. The bill had been heavily criticized. Privacy [advocates] had organized demonstrations against the bill in all major German cities at the beginning of this week. In October there had already been a large demonstration with thousands of participants in Germany's capital Berlin. All opposition parties voted against the bill. Several members of the opposition and several hundred private protesters announced a constitutional complaint.'"

  • by KingSkippus (799657) * on Friday November 09, 2007 @06:34PM (#21301985) Homepage Journal

    Before we in the U.S. get to patting ourselves on the back for not being this bad, consider the story [slashdot.org] just two posts down that discusses how this is probably already being done here with no one's knowledge or consent. I say "probably" because no one really knows. No laws passed, no protests staged (hard to protest something you don't even know about), just government silently doing whatever it wants after slapping a "national security" label on it.

    It's not right in Germany, and it's not right here. The difference is that at least in Germany, this type of gross invasion of privacy happened on the public record and they can react and do something about it now.

    Of course, we in the U.S. can do something about it too, but most people won't get worked up over what government might be doing without it being proven true, and our government is mercilessly exploiting that fact right now by keeping everything secret and implying that anyone who thinks otherwise is some kind of kooky conspiracy theorist (while they spy on them to make sure they don't get too far out of line).

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      Hmm.
       
      The people who see this coming are a minority. I don't think Germany is special in this way. Governments all over the world are doing this quietly and slowly, so almost nobody will notice the difference or will do anything, because the difference is so small.
       
      Germany just introduced fingerprints in their id cards. Very few people think that this is a bad idea.
       
      20 (maybe less) years and we are in 1984.
    • by xENoLocO (773565)
      You'd probably get pretty pissed if you heard about the patriot act. ;)
    • Re: (Score:3, Insightful)

      by goldspider (445116)
      I say "probably" because no one really knows. No laws passed, no protests staged (hard to protest something you don't even know about), just government silently doing whatever it wants after slapping a "national security" label on it.

      In other words, "groundless speculation."

      The Bush administration doesn't have a really good record of keeping such programs under wrap. Why would this be any different?
      • by Lennie (16154)
        I'm sorry, but the Subject is in the headers and so is the thread-information (replying on other e-mail by so and so).

        I would call it content.
    • Before we in the U.S. get to patting ourselves on the back for not being this bad

      It was ruled long ago by the American courts, that the information on the envelope of a letter is not subject to privacy expectations and can be examined by the police without a warrant.

      Germany's surveillance of the e-mail headers and connection's IPs is no different — fair game, as long as the contents is not looked at.

      It's not right in Germany, and it's not right here.

      It's been "right" here and there for decades

      • logical fallacy (Score:2, Insightful)

        by erlehmann (1045500)

        It's been "right" here and there for decades -- possibly, centuries.
        same thing could be said about slavery some hundred years ago. only because something is law, it isn't automagically right.
      • by Anonymous Coward on Friday November 09, 2007 @10:00PM (#21303691)

        It was ruled long ago by the American courts, that the information on the envelope of a letter is not subject to privacy expectations and can be examined by the police without a warrant.
        Could there be a slight difference in proportionality between "being allowed to examine the information on the envelope of a letter without a warrant" and "requiring the information on the envelope of every single letter to be recorded and kept available for six months"?
      • Before we in the U.S. get to patting ourselves on the back for not being this bad

        It was ruled long ago by the American courts, that the information on the envelope of a letter is not subject to privacy expectations and can be examined by the police without a warrant.

        Germany's surveillance of the e-mail headers and connection's IPs is no different — fair game, as long as the contents is not looked at.

        It's not right in Germany, and it's not right here.

        It's been "right" here and there for decades — possibly, centuries. I can not even find any links quickly, which means, it is certainly a pre-Internet thing...

        Yes, but no.
        Envelope: Address, addressee, sender, return address, location where it was mailed from (Via Postmark)
        e-mail: Address, addressee, sender, return address, server that it was sent from, a list of every server it's touched since being sent, subject, unique identifier, what software was used, what's being responded to, what type of document is included in the message, possibly spam status flags (Anything Bold is not located on the outside of an envelope)

        There's a lot more information in e-mail headers
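
Added example, not part of the comment above or of any poster's text: a header-only view of one constructed message, split into fields a paper envelope also carries and fields it does not. The mapping of header names onto the "envelope" list, and every address, host and ID in the sample, are assumptions made for illustration.

```python
from email import message_from_string
from email.policy import default

# Constructed sample message; all hosts, addresses and IDs are placeholders.
RAW = """\
Return-Path: <alice@example.org>
Received: from relay.example.org (relay.example.org [192.0.2.10])
 by mx.example.net with ESMTP id B2; Fri, 09 Nov 2007 18:40:05 +0100
Received: from alice-laptop (dsl-pool.example.org [198.51.100.7])
 by relay.example.org with ESMTPSA id A1; Fri, 09 Nov 2007 18:40:02 +0100
From: alice@example.org
To: bob@example.net
Subject: Re: meeting on Saturday
Date: Fri, 09 Nov 2007 18:40:00 +0100
Message-ID: <reply-2@example.org>
In-Reply-To: <orig-1@example.net>
References: <orig-1@example.net>
User-Agent: ExampleMail/1.0
Content-Type: text/plain; charset=us-ascii
X-Spam-Status: No, score=-1.2

See you at the usual place.
"""

# Assumed mapping of the "envelope" list onto header names (Date ~ postmark date).
ENVELOPE_LIKE = {"from", "to", "return-path", "date"}


def split_headers(raw):
    """Return (envelope_like, beyond_envelope) dicts built from headers only."""
    msg = message_from_string(raw, policy=default)
    envelope, beyond = {}, {}
    for name, value in msg.items():
        if name.lower() == "received":
            continue  # handled below: the chain is ordered newest first
        bucket = envelope if name.lower() in ENVELOPE_LIKE else beyond
        bucket[name] = str(value)
    hops = [str(h) for h in msg.get_all("Received", [])]
    if hops:
        # The last Received line is the first hop, the closest thing to a postmark.
        envelope["Received (origin)"] = hops[-1]
        if hops[:-1]:
            beyond["Received (relay path)"] = hops[:-1]
    return envelope, beyond


def thread_links(raw):
    """Message IDs this mail answers: who replied to what, without any body."""
    msg = message_from_string(raw, policy=default)
    ids = f"{msg.get('In-Reply-To', '')} {msg.get('References', '')}".split()
    return sorted(set(ids))


def body_text(raw):
    """The part a header-only log does not keep."""
    return message_from_string(raw, policy=default).get_content()


if __name__ == "__main__":
    envelope, beyond = split_headers(RAW)
    print("Also on a paper envelope:")
    for key, val in envelope.items():
        print(f"  {key}: {val}")
    print("Header-only extras:")
    for key, val in beyond.items():
        print(f"  {key}: {val}")
    print("Replies to:", thread_links(RAW))
```
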

    • but most people won't get worked up over what government might be doing without it being proven true

      Most people won't get worked up over what government might be doing even with it being proven true. That's been shown many times already.

    • Re: (Score:2, Insightful)

      by cddp (1187057)
      Sadly, out of all the comments here, he's the only one who got it right. This is NOTHING like what we're seeing here in the US. There are quite a few important differences: - This is a public law that has been voted on by the legislature (UNLIKE anything we've seen here). - They are not saving the actual content, but just the connection data (eg. A talked with B). - The government is not the one who's saving this data. Individual providers are now required to keep the data for 6 months. That certainly lim
    • If it's any consolation for you, most people in Germany don't get worked up over it either.
      • by Lennie (16154)
        Because a lot of people don't know what it means to them.

        They don't understand the implications.
    • by Z00L00K (682162)
      And it's not even effective.

      The way this is intended to work is that the traffic captured goes unencrypted. As soon as SMTPS [whoopis.com], IMAPS and possibly POP3S is used all this effort is just a waste of resources because the mail headers will also be encrypted. Same goes for HTTPS.

      Of course it's possible to do a man in the middle attack from the government on this, but it will be a waste of effort and unless the traffic is restricted to always going through government approved servers and proxies it will be a wa

      • by Lennie (16154)
        In Germany all your protocol encryption is not going to help.

        It's the provider handling your e-mail that will save it, it's not 'read' in transit. The provider has access to the unencrypted data.

        As long as you don't encrypt the e-mail itself.
  • by GeneralEmergency (240687) on Friday November 09, 2007 @06:40PM (#21302059) Journal
    One Word:

    Crapflood.

  • Defeat it by.. (Score:2, Interesting)

    by ackthpt (218170) *

    Flood the internet with garbage

    Oh, wait, spammers, worms and bots are already doing this.

  • Spoofing? (Score:3, Insightful)

    by corsec67 (627446) on Friday November 09, 2007 @06:43PM (#21302089) Homepage Journal
    What if you use an exploit that takes only 1 packet, and spoof the IP addresses? If they try and trace the "hacking" back to one of these IPs, do they get into serious trouble since "of course it is you"?
    • why bother spoofing an IP from your own machine when there's a nice botnet called storm that could in principle, do the work for you?
  • by jhfry (829244) on Friday November 09, 2007 @06:44PM (#21302095)
    ... of countries to escape to when things continue to get worse here in the US!

    Maybe somewhere in the Swiss Alps?
    • Re: (Score:2, Insightful)

      by What the Frag (951841)
      > Maybe somewhere in the Swiss Alps?

      As being German: Definitely yes. Island may be another option to consider

      If the current politics remain, Germany is going to be a police and surveillance state in near future...
      • History (Score:3, Insightful)

        by iknownuttin (1099999)
        If the current politics remain, Germany is going to be a police and surveillance state in near future...

        You would think that the German people would look back on their own history and say "Never again!"

        • by muuh-gnu (894733)
          The majority of the Germans right now simply does not know what their government does. The percentage of privacy aware people is minuscule and mostly active on the net. Yes, there were demonstrations, and about 10000 people took part, but those 10000 were divided on whole 40 (!) cities, so there in average there were only 200-300 demonstrants per city. Not actually enough to make the public aware of the imminent loss of their privacy rights. TV channels were mostly not present at the demos because nobody fro
      • by Qbertino (265505) on Friday November 09, 2007 @08:51PM (#21303249)
        >> Maybe somewhere in the Swiss Alps?
        >As being German: Definitely yes. Island may be another option to consider
        >If the current politics remain, Germany is going to be a police and
        >surveillance state in near future...

        Living in Germany you should know better than that.

        Don't worry. In two months from now someone will the surveillance will cost money and jobs and eventually eliminate 15% of the positions for human investigators at the federal german BKA, thus costing more jobs. An uproar will shake the nation. Some guy at some obscure bureau of the Interior Ministry will also notice that this law makes their recent pet project, the German Federal Trojan (TM) officially 65% superfluous. Another big no-no. Some other intellectual will publicly notice that all info about all Germans is either available at StudiVZ (Germany's Facebook/MySpace), Amazon.de Marketplace or Ebay Germany anyway - which is already completely scanned and archived (backups included) by the German IRS - and we know everything worth knowing about everybody already. 10-15 different factions and public bodies of interest groups will have already filed 20 complaints to the Federal Constitutional Court and the country will be plagued by a lengthy debate that will have Secretary of the Interior Schäuble eventually drive his wheelchair off a cliff in frustration. Just before the current coalition of two big parties ends its legislature there will be a watered down full-compromise version of the law with 8500 exception rules and modifications delivered on 2000+ pages in three big-ass Leitz file-covers, German style. Two months after the federal vote and three months into the new law someone in the EU Government Headquarters will notice that this law breaks somewhere between 23 and 65 terms of union contracts, the British will whine that the Germans are now also attempting to take over the EU lead in surveillance, directly competing the UK's last big resort of excellence. Eventually the then new German government will be bitch-slapped into revising its 10kg online surveillance law into a new draft as not to be fined by Brussels for a kazillion Euros.

        Bottom line: No need to worry yet. Even by the most optimistic projections I wouldn't expect this law to gain any traction before 2015.
    • Re: (Score:3, Informative)

      by click2005 (921437)
      The worst thing is that Germany was the best country in Privacy International's recent report.
      http://www.privacyinternational.org/article.shtml?cmd%5B347%5D=x-347-545223/ [privacyinternational.org]
  • but it seemed marginally more appropriate here:

    In Germany, they came first for the Communists, And I didn't speak up because I wasn't a Communist;
    And then they came for the trade unionists, And I didn't speak up because I wasn't a trade unionist;
    And then they came for the Jews, And I didn't speak up because I wasn't a Jew;
    And then . . . they came for me . . . And by that time there was no one left to speak up."
            - Pastor Martin Niemöller (1892-1984)
    • by Tackhead (54550) on Friday November 09, 2007 @06:52PM (#21302213)
      On the Internet, they came first for Zimmerman and PGP, and I didn't speak up because nobody could figure out how to integrate it into an email client anyway;
      And then they came for the warez d00dz, and I didn't speak up because I wasn't a pirate;
      And then they came for Napster, and I didn't speak up because I had .torrents;
      And then they came for my traffic, and by that time Request timed out.
  • IP addresses? (Score:3, Insightful)

    by Kjella (173770) on Friday November 09, 2007 @06:47PM (#21302159) Homepage
    Yeah, sure. Whatever. If you're on a P2P network, or even just downloading a linux distro you're probably connected to hundreds of ips which have absolutely nothing with you to do. Good luck on mining that unmanageable mess.
    • If you read the article, it seems like they are required to save the IP you are assigned, and when. Not the IPs you connect to, but the one you got via DHCP.

      So, a few orders of magnitudes less data.
  • by Irvu (248207) on Friday November 09, 2007 @07:00PM (#21302305)
    In the early days (first 30 years) of the FBI J. Edgar Hoover made heavy use of his "special investigators" to gather dirt on members of congress, the President, and probably parts of the judiciary. This blackmail material was carefully saved for use to protect both himself and advance his power. He also used this against other such notable figures as Martin Luther King whom he blackmailed with secretly recorded audio of his marital infidelity. Ironically some people regard this as King's fault not Hoover's. It also set the precedent for branches of the government spying on one-another.

    The simple fact of the matter is that once you give someone the ability to spy on you they will use it, for themselves. This story and the one two posts down about the NSA make perfect sense. The best way to keep yourself and your party on top is to have all the information, all the secrets that you can about your opponents. That way anyone who might challenge your power could be cowed by threats to expose their, or their childrens' embarrassing secrets.

    Quite some time ago Gonzales announced that the Justice Department would begin extensive investigations into the world of Pornography, legal pornography. He candidly admitted that they were not breaking the law nor did he expect to find that Playboy was in violation of some statute. He only said that he wanted to keep track of 'them'.

    Forget finding criminals, the Mafia isn't real. It's all always about power. You think Bin Laden and Mullah Muhammed Omar are dumb enough to be googling "Bomb" no they're using trusted couriers and decentralized structures that don't rely on the use of easily traced e-mails. It's all of us and our elected representatives who are the target here.
    • by couchslug (175151)
      "Forget finding criminals, the Mafia isn't real."

      Convince Italy and I'll agree with that statement. :)
    • by iamacat (583406)
      He also used this against other such notable figures as Martin Luther King whom he blackmailed with secretly recorded audio of his marital infidelity. Ironically some people regard this as King's fault not Hoover's.

      Well, a point can be made that all leaders are responsible for living a moral life. At least moral by their own standards - they would not be ashamed to admit it - and possibly confirming to society in all the areas which are not related to their agenda. Otherwise their mission gets lost in the
      • by khallow (566160)
        What happens when only one side needs to lead a moral life? Especially if evidence can be fabricated?
    • You think Bin Laden and Mullah Muhammed Omar are dumb enough to be googling "Bomb" no they're using trusted couriers and decentralized structures that don't rely on the use of easily traced e-mails.

      No, but their couriers may be dumb enough to have done so in the past, or that kid googling today will grow up to be a courier. Analyzing networks of connections, many of them perfectly legal and harmless, has been an effective way to detect cutouts and others insulating high ranking criminals. It will work f
  • by Adeptus_Luminati (634274) on Friday November 09, 2007 @07:04PM (#21302341)
    2007...

    Step 1. Encrypt all outbound traffic (hushmail, https, sftp, ssh, etc).
    Step 2. Use TOR to anonymize all your source/destinations
    Step 3. Simultaneously run encrypted torrent traffic (say 25% of all your bandwidth) to increase volumes of crap they have to sort through, making their costs increase.
    Step 4. Where possible borrow your neighbours unencrypted WiFi/WiMax connections to do your real encrypted/anonymous surfing.

    2009... 100Gigabit Ethernet is standardized & sold to carrier backbones. 10G Ethernet becomes cheap & FTTH becomes more affordable. The crappiest computer you can buy now is a quad core with a combined core speed of 10Gigahertz speed.
    ------------
    2010... Their retort: Use Quantum computing to break your encryption. Buy kilometers of underground bases and install thousands of rows of racks filled with multi-terabyte hard drives to store it all.
    ------------
    2011... You upgrade your computer with a quantum chip and use unbreakable encryption.
    ----------
    2012... They are *$(*#ed and you WIN! All Internet is now encrypted and unbreakable and everyone has multi-terabyte hard drives and multi-hundred Megabit or gigabit speeds to home.
    • by TheMeuge (645043) on Friday November 09, 2007 @07:53PM (#21302789)
      You forgot the key date:

      2008/9 - When it becomes a felony to use any encryption that does not have a back door for the NSA (or RIAA... whichever comes first).
    • 2011... You upgrade your computer with a quantum chip and use unbreakable encryption. ---------- 2012... They are *$(*#ed and you WIN! All Internet is now encrypted and unbreakable and everyone has multi-terabyte hard drives and multi-hundred Megabit or gigabit speeds to home.

      Nothing is unbreakable. If a human created it, it has weakness. This may sound fatalistic, but it's the sad reality. It's an arms race for sure, and winning may involve keeping something secret for a determined finite amount of time, but in the end if there's a trace left, it can be solved.

    • Erh... no.

      2008: Everyone starts using encryption and TOR. Everyone? No, just those that care about the whole surveillance (about 0.01% of the online population).

      2009: A new law comes out that everyone in Germany who runs servers has to keep logs. This includes TOR operators, of course. Encryption for private use is outlawed, an exception is provided for online banking and corporation communication.

      I guess you see where we're going.
  • Same old shit (Score:4, Informative)

    by unity100 (970058) on Friday November 09, 2007 @07:09PM (#21302403) Homepage Journal
    You vote some party into power, and they ignore you for 4 years and do whatever they please.
  • Um. (Score:2, Insightful)

    by neimon (713907)
    So. Like. They have a law? That admits what they expect? And defines what they're allowed to do? And there's a limit to what they can do? And it can help identify evildoers? But after 6 months, the data goes away? And we're thinking that's scary? Sounds like goddamned paradise to me. Here, they just drag you off and you disappear and *no carrier*
  • They are required to save every location of every cell phone call made for six months.

    Investigator: "You can't deny it. I know exactly whom you met in the forest 3 months ago."

    That's scary.
  • by The Breeze (140484) on Friday November 09, 2007 @07:41PM (#21302705) Homepage
    They see the United States slowly turning to a Nazi-like state and they're determined to defend their intellectual property by returning to Nazism first.

    Why is it so hard for some otherwise reasonable people to understand that in a society where everything and everyone is traceable, sooner or later those in power can spank down a few annoying people and everyone will get the idea that if they speak out, they could be next?

  • by adnonsense (826530) on Friday November 09, 2007 @07:56PM (#21302809) Homepage Journal

    Just to be clear on one point: the IP address tracking mentioned in articles on this subject is the IP address allocated by your ISP, not the IP addresses you connect to. Which is bad enough, and on the basis of existing laws there was a ruling that ISPs aren't allowed to retain your IP connection history for privacy reasons.

    Personally I've always assumed IP addresses are inherently traceable, so in a practical sense this doesn't make any difference to me (except that no doubt I'll end up paying for the extra costs incurred by my ISP). It's the other stuff I find more worrying - and completely asinine at the same time, because anyone with anything to hide (including teh terrorists) will know how to work round them anyway.

    • by rekoil (168689)
      Good, I just posted in the related firehose story how logging every connection from each user would likely cause a huge data-storage issue - ISPs that do Netflow accounting (such as the one I work for) only keep the data long enough to do realtime traffic analysis and still have to store it on big disks if they want to hold onto it for a day, much less six months.
      • Re: (Score:2, Funny)

        by jo42 (227475)
        Time to invest in storage companies, nyet komrade?
      • Just want to point out that a logging like that just started in Denmark this September. Source and destination IP, port. each 500th packet. email sender and receiver etc. It is required for each service provider to log this for at least 6 months I believe. Of course there are a lot of loopholes where they don't need to look like small apartment nets etc.
  • by ScrewMaster (602015) on Friday November 09, 2007 @07:57PM (#21302829)
    Hey Germany! How does that gaping hole in your left podal extremity feel?
  • Or at least of making your ISP talk...
  • Now some enterprising German company is going to implement secure validated email and break away from SMTP/POP3 thus rendering the legislation useless.

    Email headers. How does one enshrine what a header is in law ([^: ]+): ?(.*)

    Go .de
  • If the penalty is not hundreds of millions of Euros, then it would be cheaper to ignore the law and just log everything to /dev/null.
    • I was pondering the same. Are they remotely aware what amount of data will be created that way? Even if they only want to log who talks with whom (that's the plan here at least), it means logging every single sync sent from you. Me. And everyone else using that ISP.

      The amount of data alone is stunning. The overhead to store this flood of information for 6 months costs millions.

      So, unless the penalty is equally large, as an ISP I'd simply go "here's a binary 4, read my fingers. Sue me, it's cheaper."
  • And we will expand our civil liberties! Ronpaul2008.com

  • EU law (Score:3, Interesting)

    by emilv (847905) on Friday November 09, 2007 @09:06PM (#21303353)
    This law is necessary for all countries which are members of the European Union to implement, because it is a EU directive.
    Germany are not the only country in EU that will pass this law. Every country in the union are obliged to have their telephone companies and ISPs keep the information for at least six years (I think Sweden are going to require the companies to keep the data for at least a year, but I have not followed the debate for the last months).

    It is important to point out, however, that it's only the metadata that will be saved. You can see that a person have contacted another person, and probably even where this was (if it's a mobile phone), but you can't see what they have been talking about.
    • Oh please, don't try to brush it off on the big, bad EU that interferes with your national legislation. It's not like the German representatives there voted against this bullcrap.

      Too often our politicians use the EU as a petty excuse to push unpopular laws. "We can't help it, the EU makes us" has far too often been the excuse. I don't buy it anymore. If they really don't want to implement it, they should vote against it in the EU Parliament or shut the f. up.
    • let me explain to you how it works:
      some german ministers want to introduce some new crap law to become a police state.
      then they see that this law could be rendered as unconstitutional (or they just try to implement it and fail).
      they go to eu and spin-doctor that crap there so it goes back to germany as an eu directive and the ministers can say they could do nothing about it.

  • Well of course it was. Its for your safety.
  • by Qubit (100461) on Friday November 09, 2007 @10:10PM (#21303753) Homepage Journal
    How long can you retain data if you send email with the content in the headers?

    At some point, even if you have Terabytes of disk space, you're going to run out of room. Then what?

    Here's a sure-fire way to mess things up:

    1. Implement IP over SMTP headers. (already done, I believe)
    2. Use it in Germany.
    3. Watch as your ISP hates you. A lot.

    But anyhow, it says that it's retaining headers, but not content. But sometimes there's content in the headers, right? Got a Catch-22 there, I think.
    • by gronofer (838299)
      All you need is a cooperating SMTP server (directing to /dev/null) and a generator of random giant crap headers, using two german ISPs. I suppose the ISPs would kick them off soon enough.
  • by Opportunist (166417) on Saturday November 10, 2007 @12:53AM (#21304453)
    One that just goes and creates random SYN packets, sending them to random IP addresses and ports and watching the logs go berserk in the process.

    With enough people participating, one could even create a network of some sort, where successful syncs are shared and repeated by others, so actual connections (and thus log entries) are created at an elevated rate.

    As my statistics prof always preached, the only thing that's worse than having too little data is to have poisoned data.
  • Yeah, there has been a lot of that going around lately
