14.10.2015

Draft Data Retention Law on Trial

Technical and Legal Barriers to Implementation

With the German Federal Government’s decision to reintroduce blanket data retention, questions have arisen about the constitutionality of the law and the practicability of implementing it. eco explored the issues in a recent “Politikbrief” newsletter. Here we look at a few of those questions and at the consequences of the law for ISPs in Germany.

Is the planned regulation constitutional?

The Federal Constitutional Court (BVerfG) ruled in March 2010 that the suspicionless collection of traffic data for access by law enforcement authorities (data retention) is not necessarily unconstitutional. However, given the seriousness of the infringement of fundamental rights, the ruling set clear and narrow boundaries for the legislator in designing such a regulation.

The draft law on data retention shows that the Federal Ministry of Justice and Consumer Protection (BMJV) is keeping within the margins set by the Federal Constitutional Court. The storage period and the scope of the retained data are considerably narrower than under the former § 113a of the German Telecommunications Act (TKG), which the Federal Constitutional Court struck down in 2010. However, the draft still provides for the retention of the data of all users of electronic communication without any grounds, i.e. without any suspicion of involvement in a criminal act.

This is problematic because it infringes the fundamental principle of the presumption of innocence and is a massive invasion of privacy.

What are the legal and technical challenges in the new regulation for the storage of IP addresses?

A unique identifier for every Internet connection no longer exists. Because IPv4 addresses are scarce, Internet Service Providers place a whole private address space behind each public IP address (carrier-grade NAT), so that one public IP address is shared by many subscribers at the same time. To identify a user unequivocally, a law enforcement agency therefore needs not only the IP address but also the port that was used and a very precise timestamp. This is considerably more work for the provider: such information is rarely saved today, as it is not needed for invoicing, and it makes matching a request to a user much harder. The provider would have to record which Internet connection used which port with which IP address (both the internal and the public one) and from when until when. That amounts to a data pool covering all communications connections, from which detailed user profiles could be built. This is not only unconstitutional, but could also attract unwanted attention, for example from foreign secret services and intelligence agencies.
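The following is an added illustration, not code from eco or from the article, of why a request for “who had this IP address?” cannot be answered behind carrier-grade NAT without the port and a precise time. It parses a constructed sample of NAT binding records (hypothetical field names sub/int/ext/port/start/end; the addresses and line identifiers are made up) and runs three queries: IP plus time only, IP plus port plus an exact time, and IP plus port with a timestamp only accurate to the second. Only the second query yields a single subscriber; the third is ambiguous because the NAT reused the port within that second.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample NAT log (not real provider data): one line per binding
# on a carrier-grade NAT, recording which subscriber line held which
# public IP:port for which interval. Field names are hypothetical.
SAMPLE_NAT_LOG = """
# sub=<subscriber line> int=<private IP> ext=<public IP> port=<public port> start=<ISO> end=<ISO>
sub=line-0001 int=100.64.1.10 ext=203.0.113.5 port=40001 start=2015-10-14T12:00:00.000000+00:00 end=2015-10-14T12:00:30.300000+00:00
sub=line-0002 int=100.64.1.11 ext=203.0.113.5 port=40002 start=2015-10-14T12:00:05.000000+00:00 end=2015-10-14T12:10:00.000000+00:00
sub=line-0003 int=100.64.1.12 ext=203.0.113.5 port=40001 start=2015-10-14T12:00:30.400000+00:00 end=2015-10-14T12:05:00.000000+00:00
sub=line-0004 int=100.64.2.20 ext=203.0.113.6 port=40001 start=2015-10-14T12:00:00.000000+00:00 end=2015-10-14T12:20:00.000000+00:00
"""


@dataclass(frozen=True)
class NatSession:
    subscriber: str
    internal_ip: str
    public_ip: str
    public_port: int
    start: datetime  # binding is active on the half-open interval [start, end)
    end: datetime


def parse_nat_log(text):
    """Parse key=value lines into NatSession records; blank and '#' lines are skipped."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = dict(kv.split("=", 1) for kv in line.split())
        sessions.append(NatSession(
            subscriber=f["sub"],
            internal_ip=f["int"],
            public_ip=f["ext"],
            public_port=int(f["port"]),
            start=datetime.fromisoformat(f["start"]),
            end=datetime.fromisoformat(f["end"]),
        ))
    return sessions


def _active(session, at, precision_s):
    """True if the binding overlaps the query window [at, at + precision_s].

    The window models the uncertainty of the requesting party's timestamp:
    a clock that only records whole seconds gives a one-second window.
    """
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    window_end = at + timedelta(seconds=precision_s)
    return session.start <= window_end and session.end > at


def candidates_by_ip(sessions, public_ip, at, precision_s=0.0):
    """What the provider can answer when a request carries only IP and time:
    every subscriber who shared that public address in the window."""
    return sorted({s.subscriber for s in sessions
                   if s.public_ip == public_ip and _active(s, at, precision_s)})


def attribute(sessions, public_ip, public_port, at, precision_s=0.0):
    """Resolve IP + port + time to subscriber line(s). The answer is unique
    only if the timestamp is finer than the port-reuse interval of the NAT."""
    return sorted({s.subscriber for s in sessions
                   if s.public_ip == public_ip and s.public_port == public_port
                   and _active(s, at, precision_s)})


if __name__ == "__main__":
    sessions = parse_nat_log(SAMPLE_NAT_LOG)
    t = "2015-10-14T12:00:30.200000+00:00"
    print("IP + time only:        ", candidates_by_ip(sessions, "203.0.113.5", t))
    print("IP + port, exact time: ", attribute(sessions, "203.0.113.5", 40001, t))
    print("IP + port, 1 s clock:  ", attribute(sessions, "203.0.113.5", 40001,
                                                 "2015-10-14T12:00:30+00:00", precision_s=1.0))
```

The same table that makes the third query answerable at all is, read column by column, a complete record of every subscriber's connections, which is the data pool the paragraph above warns about.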

How are persons subject to professional confidentiality protected?

Data from telephone counselling helplines are to be exempted from the storage requirement. Data relating to persons subject to professional confidentiality, such as doctors, lawyers, members of parliament and journalists, may be stored but not retrieved. It is unclear how this particular provision is to be implemented, since no registry of all such persons exists. That leaves two options: either the data of persons subject to professional confidentiality are retrieved along with everyone else’s (and perhaps sorted out afterwards by the law enforcement authority), or companies must build their own database of such professionals, a step that is politically undesirable.

Can companies implement the security requirements called for in the draft law?

The security requirements that the draft law imposes on companies are in part still quite vague, and there are a number of open technical questions as to how they can actually be implemented. The measures include:

  • The use of a particularly secure encryption procedure

It is not clear what the Federal Constitutional Court’s requirements would look like in practice. For example, is an index built over an encrypted file of metadata itself a collection of metadata, which must then be protected in the same way? It is also completely unclear how these requirements are to be met for bulk retrieval of data, for example from radio cells.

  • Storage with a high level of protection against unauthorized access, on computers which are not connected to the Internet

This requirement is not feasible, because all the systems involved are connected to the Internet. The data are collected on systems in the Internet, transmitted over an integrated network and then processed on systems that are also online. The VPN used by the end user is itself an Internet-based system and must be connected to the systems that provide the information.

  • The requirement that at least two people, each specifically authorised by their organisation, be involved in every access to the data

This requirement is not practicable for the majority of small providers, many of whom employ only a handful of people.