Logging of IP addresses banned in Germany

By EDRi · November 22, 2006

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

On 25 January 2006, the District Court of Darmstadt (Germany) ruled that the
German ISP T-Online was legally banned from logging the session IP addresses
it assigned to its customers. German law requires this data to be deleted
upon termination of the connection as it is not needed for billing purposes.
According to the judgement, security requirements do not justify the general
logging of all users’ IP addresses. The collection of such data is permitted
only in reaction to specific incidents (faults or unlawful use) on a case by
case basis.

On 28 October 2006 The German Federal Court of Justice (Bundesgerichtshof)
dismissed, on formal grounds, the appeal filed by T-Online. The District
Court’s ruling has thereby become legally binding between the parties of the
dispute. The legal reasoning of the court applies more generally to all
German ISPs and to all tariff models. A draft complaint for other Germans
willing to sue their ISP was published on the internet. The German Federal
Data Protection Commissioner Peter Schaar announced that he would take steps
to enforce the ruling in relation to all customers.

The plaintiff Holger Voss was prosecuted in 2003 for supposedly having
endorsed the 9/11 bomb attacks in an Internet forum. Only in court room was
it found that his remarks were clearly of a sarcastic nature. In
consequence, Voss was acquitted. In order to trace Voss’ forum post, the
prosecutors had asked the forum provider Heise to hand over the poster’s IP
address. Voss’ ISP T-Online then told the prosecutor whom the IP address had
been assigned to.

The T-Online case raised voices pointing out that German law also bans web
site providers such as Heise, Amazon and Ebay from logging the IP addresses
of their users. At present such logging is widespread, partly because US
designed software (including open source software) does not take data
protection requirements into account. Data protection expert Patrick Breyer
called for a law mandating commercial software for sale in Europe to be
provided with a standard configuration that conforms to European data
protection requirements.

Ruling of the District Court of Darmstadt on IP logging (in German only)

Model complaint against logs retention (in German only)

(Contribution by Patrick Breyer – Working Group on Data Retention – Germany)