On Tuesday Germany's Federal Court decides whether it's legal for federal bodies to store the IP addresses of internet users who visit their websites. They say it's to protect us, but does it really?
An IP address is like a fingerprint. When you browse the internet or send emails, you leave your IP address like smudges on a glass door. The question is whether it's acceptable for Germany's federal authorities to register and store IP addresses belonging to all the people who visit their websites. The German Federal Court (BGH) will rule on that question on Tuesday (16.4.2017).
Patrick Beyer, a lawyer and member of the Pirate Party in the state of Schleswig-Holstein, sued the federal government in early 2008.
Beyer said he considered the massive storing of IP addresses by government bodies to be a violation of data protection laws. The federal government argued that the storing of the data was legitimate, saying it was a necessary technique to identify potential hackers. The BGH has been considering the case since February 14.
This legal dispute, however, has gone back and forth for longer than that. The BGH earlier presented the case to the European Court of Justice in Luxembourg (ECJ), which passed its ruling on October 19, 2016.
The ECJ ruled that IP addresses are to be considered personal data when the owner of a website has the legal means to access the data behind an IP address - such as the name or mailing address of the person browsing the website. And the federal government does have the right to ask internet service providers to hand over such personal data linked to IP addresses.
It added that processing personal data - that is the storing of an IP address and linking it to a real name and address - can be legal if the operator of the website has a "legitimate interest" to do so. But this should not infringe on the fundamental rights and freedoms of the person visiting the website. And with this, the ball was back in the BGH's court.
A short excursion into the basics of data protection
The principle of data protection is that the processing of personal data - any data that can be linked to a person - is illegal, unless it happens to be allowed.
"Processing" includes collecting, storing, passing on to others, copying, using and researching data.
This can only be allowed under certain conditions. For instance, it can be allowed when a person has given his or her explicit consent, when the data processing is a contractual issue, when there's a legal obligation to process the data, or when there are "legitimate interests."
There is also a principle of "data minimization." This means that only data that meets at least one of the conditions set out above may be processed. And the data may only be stored as long as those conditions exist.
Every person has the right to request information about the personal data a company or institution is processing or storing on them. And those internet users have a right to demand that the data be deleted if the processing is deemed unlawful.
Is identifying cyber criminals a "legitimate interest" and does it justify storing everybody's IP address?
On May 25, 2018, a new EU General Data Protection Regulation comes into force. From then on, anybody processing personal data will have to document how the processing is in line with the law.
It will also be illegal for companies or authorities to make a service dependent on the condition that the customer flatly accepts the processing of his or her data. The customer, user or website visitor will have to be presented with a real choice.
Protection from hacking versus protection of privacy
It's hard to navigate these basic principles - lawyers could fill entire libraries with literature on how to interpret them. But the key issue which the BGH will have to decide is what constitutes a "legitimate interest."
The browsing behavior of web users is a highly personal issue. Someone who visits the website of health authorities may give away something about an illness or a sexual preference. Visitors of other websites may unwittingly give authorities hints about their political or religious beliefs.
But the Pirates' Patrick Beyer says he is less concerned about the authorities spying on citizens. He is more concerned that the data could fall into the "wrong hands." If that happened, any personal data could be used to blackmail people. So Beyer says the best protection would be to avoid storing such data in the first place.
The state, on the other hand, sees a "legitimate interest" in using data to prosecute hackers. Hackers can cause economic and social damage with a distributed denial of service (DDoS) attack, or by releasing "ransomware" like the WannaCry attack.
An IP address, says the state, might hold clues as to where an attack was launched.
Criminalists also argue that data collection protects people. For example, it could be possible to identify criminals who are phishing for credit card data.
Beyer rejects that argument. Real criminals, he says, hide their identities with proxy servers or through so-called Tor networks. These allow a user to bounce their communications off so many virtual locations that it becomes almost impossible to trace them back.
Whatever the BGH decides, it's likely to affect not only the federal authorities. It will also affect private companies and website operators, who tend to store our personal data for even longer periods of time.