[HN Gopher] Germany: Data retention to be abolished ___________________________________________________________________ Germany: Data retention to be abolished Author : seesawtron Score : 177 points Date : 2021-12-30 17:02 UTC (5 hours ago) (HTM) web link (tutanota.com) (TXT) w3m dump (tutanota.com) | lgrapenthin wrote: | Since June, the German government allows even police to secretly | spy on Germans "preventively", i. e. without suspicion or proof | of crime or future crime and without decision by court of law, by | installing trojans on their phones and PCs, i. e. through the app | store. "Your right to privacy is being respected in Germany!" - | This is not true. | eastendguy wrote: | NOT true. The regulations that you have in mind never made it | into law. | | Source: https://www.spiegel.de/netzwelt/netzpolitik/bundesrat- | stoppt... | [deleted] | 3np wrote: | Not that I doubt you, but do you have a source? | St_Alfonzo wrote: | Maybe I mixed up something and this is the wrong law: The | "Gesetz zur Modernisierung der Rechtsgrundlagen der | Bundespolizei" was accepted by the Bundestag, but finally the | Bundesrat did not agree. | https://dip.bundestag.de/vorgang/gesetz-zur- | modernisierung-d... | ashtonkem wrote: | The German government is pretty good at putting on a face of | respectability and proper process, while also doing bad things. | I'm reminded of the fact that the state began a criminal | investigation of FT after they reported on Wirecard's fraud _on | the insistence of Wirecard itself_. | drited wrote: | Yep all while people working for the financial regulator | Bafin traded Wirecard stock in their personal accounts. | y4mi wrote: | Germany has a massive corruption problem on the higher | levels. | | It's not as visible for outsiders, because nations with | corruption issues usually also have police and office workers | essentially doing shakedowns to do their jobs, and that's not | really a thing in Germany. | | What is quiet widespread is politicians and office worker | enriching themselves either directly from budgets theyre | responsible for or by doing things for corporations which pay | them handsomely. | nivenkos wrote: | The mask scandal brought it to light. | [deleted] | ben_w wrote: | While I am very much opposed to being spied on without a | warrant[0], the case where _only_ government bodies can do this | is better than the case where _anyone_ can do it. | | Of course, the existence of a mechanism to enable this is | itself a thing which can be exploited by the exact same | criminals I'm most concerned about with data retained by | private businesses, so it's not _much_ of an improvement even | though the attack surface is probably smaller. | | [0] and indeed this is why I was already looking to leave the | UK even before Brexit; the Investigatory Powers Act gives _the | Welsh Ambulance Service_ access to anyone's "internet | connection records" without a warrant. | SllX wrote: | I prefer the case where no one does it. | | Private corporations at least do it for money. Governments do | it for power. I think it's a hard case to make that that's a | better reason than to do it for money. | ben_w wrote: | Likewise I would prefer nobody does it, but that isn't | feasible given how easy it is to do it. | | But... money is one kind of power, so I don't think it's | "better". | | Given what happened in living memory to a previous | government in (East) Germany that abused surveillance | power, I both accept the concern, and yet also don't expect | it to actually apply _here_ , at least not until about 2040 | when the last people who remember experiencing the | receiving end of it retire. | Jensson wrote: | In smaller democracies the government tend to serve the | people. In that case the purpose of the spying is to serve | the people and not a government power grab, that is how | democracies are intended to work. | | Also large enough corporations tend to do things for power | reasons rather than money, as once you are a billionaire | your money is mostly just a means to exert power so trading | money for power is what you do. And at that size they start | to intermingle with governments, making the acts of the | company hard to separate from acts of the government. | jdavis703 wrote: | Maybe top-100 population US cities don't count as "small | democracies" in your definition. But if they do, I'd | argue that small democracies do plenty to protect owners | of capital at the expense of people in the lower half of | wealth owners. | | For example, take the surveillance and excess force | against protestors during the summer of 2020 in the US | (various judges and courts have agreed that some of the | most high-profile police actions were illegal.) | causality0 wrote: | "The people" don't have any more right to my data than | anyone else. | yawaworht1978 wrote: | Without warrant or accountability? | | How would they go on about infecting a PC? | | Crazy that the app stores play along. | usrusr wrote: | Do warrants really make that much of a difference? I don't | really see anything that could be considered incentive or | control for keeping that mechanism from slowly (or not slowly | at all) degenerating into a rubberstamping process. | | I could easily imagine a system that leaves case by case | decisions completely to law enforcement practitioners, but | constrains them with paper trail requirements | (accountability, I do agree with that part) and, most | importantly but unfortunately kind of irreconcilable with the | legal mindset, an artificial quota that forces them to | actually think about the case. I believe that a system like | that might in the end lead to less frivolous eavesdropping | than one where everything is fair game as soon as they get | someone authorized to sign off a form. "I got it signed off" | goes a long way when it comes to questions of moral | licencing: suddenly it becomes someone else's job to feel bad | about it if maybe someone should. | largbae wrote: | Would the warrant describe what is being searched for and | why? If so could that be used to challenge unrelated | "evidence" to the approved purpose? | usrusr wrote: | As in motivated law enforcement would want to avoid a | questionable warrant that could ruin all their other | achievements related to the case? Certainly not in | Germany, where the admissibility of evidence is not | really a factor: if evidence is assumed to be true then | it exists no matter the provenance, if you want to sue | the obtaining party for the obtainment process that's a | separate case. | | And what about situations where the surveillance doesn't | even result in a trial? If a suspicion is made up to gain | e.g. intelligence over some personal opponent (or | personal opponent of someone the eavesdropper swaps | favors with) evidence disadmittance couldn't even be an | issue at all. But the party requesting the warrant would | find it comparatively easy to appease their conscience | with "nothing I wrote in the warrant request was a lie". | I believe that most people doing bad things don't really | like to acknowledge that to themselves, and that many who | might actually talk themselves into requesting a | questionable warrant would rather not risk running out of | "wiretap wildcards" they might later need for doing their | actual job. Of course a system trying to cause self- | regulation with a quota could still be designed in | dysfunctional ways (e.g. if there were "leftover | wildcards" at the end of a quarter, those would be | powerful fuel for abuse), but with a bit of care those | pitfalls should be avoidable. | usrbinbash wrote: | And what can we learn from this story? | | Middle-Left coalitions are actually a pretty good idea. | dsnr wrote: | weinzierl wrote: | _the current one is more right-center-left_ | | You wouldn't label the Labour Party or the The Greens right | wing? If "right" in your sentence refers to the Free | Democratic Party (FDP) the abolishment of the data retention | regulation would even be a "right wing initiative", which is | kind of funny. Not sure if I agree, the only thing that's | certain for the FDP nowadays is that they lack a clear | profile. | dsnr wrote: | Krasnol wrote: | Whatever you're using, it's not in German sense and since | Germany is the topic here: the old coalition was more | right than the current and the current is not | "whatever"-right. | okl wrote: | > The previous ruling coalition was also center-left. | | That's not true. Maybe center-left compared to US politics. | dsnr wrote: | CDU is a center catch-all party, and SPD is a left party. | Which part is not true? I wasn't referring to US politics, | this is a thread about Germany. | Aerroon wrote: | Why does everything list CDU as a catch-all for centre- | right then? It's even on the wiki. | wwtrv wrote: | Well historically Christian-Democrats (not only in | Germany) tended to be centrist or even left leaning | economically. | [deleted] | bbarnett wrote: | [deleted] | iqanq wrote: | As if data retention was the only thing the government had to | decide on... | johnnycerberus wrote: | To be fair, data retention is a hot topic right now in | Europe, the pandemic and the increased screen time that | resulted from it, the amount of accounts we had to create | left and right require new regulations. | iqanq wrote: | I live in Europe and the only hot topic I can think of, | apart from the virus, is energy prices. The same energy | prices the center-left wants to increase via CO2 taxes. | ChuckNorris89 wrote: | > _I live in Europe and the only hot topic I can think | of, apart from the virus, is energy prices._ | | And real estate prices. Don't forget the insane real | estate market. | iqanq wrote: | Ah indeed. But that bubble has been in the making for 10+ | years. It's not a topic of conversation because we are | all used to it. | cblconfederate wrote: | except for tax reasons. then you have to keep track of every | penny for a thousand years. | amelius wrote: | Are Messenger/WhatsApp messages also telecommunications data? | adolph wrote: | It is unclear to me if this means that ISPs cannot retain data, | or a revocation of the law requiring ISPs to retain data. | pmontra wrote: | From what I read it seems that they have to stop logging. They | can start logging only after they got a request from whoever is | allowed to issue such requests in Germany. | realityking wrote: | The latter. An ISP - within the guard rails set by GDPR and | other privacy laws - can store customer data for their own | purposes. But the government won't require them to do so. | onli wrote: | That should be pretty much the same thing. The moment the | illegal data retention law gets disabled the ISPs have no right | to collect and retain that data anymore. | realityking wrote: | That's not true. It's perfectly reasonable to keep some | operational logs for debugging purposes for a few hours or | even days. | onli wrote: | It's illegal to keep personal data of users without either | legitimate interest or a direct agreement, that's | completely clear under the DSGVO. If the operational logs | are needed to fulfill the contract with the user then sure, | the provider can keep them (for as short as possible), | otherwise not. Days? I highly doubt it. | | The Vorratsdatenspeicherung counteracted that principle, if | it falls away storing this data gets really complicated. | Jensson wrote: | Keeping server logs for a few days is considered | necessary for running servers. Therefore you accessing a | server means you implicitly give them the right to store | your access request for a few days, because it is | unreasonable to assume they would run a server without | access logs. | | Edit: For example, you can't assume people will work on | weekends. So if an issue occurs on a weekend and someone | needs to look at it, then the log need to at least last | throughout the weekend. | pmontra wrote: | I'm glad about this decision. Anyway removing all personal data | from logging will be a huge project in large organizations. I'm | thinking about IP addresses [1] which are often used to aggregate | requests, debug, etc. Wireshark could become a hot tool to | handle. | | I didn't spend much time to think about it so I might be totally | wrong but anonymizing IP addresses is probably not easy unless we | give up aggregation. I think that anything that uniquely maps IP | addresses also becomes personal data, e.g. cookies. | | [1] https://www.whitecase.com/publications/alert/court- | confirms-... | notimetorelax wrote: | Wireshark is very much a hot tool to handle already. To be in | compliance with GDPR all the traces have to be dropped within | the data removal grace period. | mytailorisrich wrote: | Key seems to be " _without any reason_ ". | | An example: here in the UK the limit on taking legal action on | most civil issues is 6 years. This means it is perfectly | reasonable to have a 6 year retention policy and indeed that's | what most companies do. | johnnycerberus wrote: | I totally support this. It still amazes me that companies still | do not delete/anonymize user accounts after periods of | inactivity. Everything that is linked to your email address | should be purged after 3-12 months of inactivity, including | ecommerce like Amazon, game platforms like Steam, cloud storages | like Dropbox, or even Hackernews. Good luck trying to find old | accounts that you have used years ago, what if they were breached | and now they are used by people with bad intentions. In my | country (Romania), even barber shops that store user accounts for | longer periods than necessary are fined the shit out of them for | not closing accounts due to inactivity. Some years ago, I woke up | with an inactive G2A account telling me that I have to pay a fee | for inactivity. NO! I don't have to pay anything, purge it! | akersten wrote: | > Everything that is linked to your email address should be | purged after 3-12 months of inactivity, including | | That is such a horrible idea, I go on vacations longer than | that. My Dropbox should be deleted if I don't log in for 4 | months? | johnnycerberus wrote: | Do you have a paid account or a free account? If I store my | documents on a free account for a one time send to the | university application and then I forget about it, then | Dropbox should purge it after a time to protect my data, as I | don't have any "contract" with them like a subscription or | something. The same for G2A, I have bought from them some | game keys at a cheap price sometime ago and then I totally | forgot that I have one, I couldn't even find the activation | mail in my inbox, lol. One day in the summer I woke up with a | mail that I have to pay an inactivity fee even if I'm just a | row in their database and I have no contractual obligation | with them. | fiddlerwoaroof wrote: | I had a family member go through a major life event that | left his OneDrive account unused for about a year. When we | needed to access tax documents on it, Microsoft had deleted | it. I'm strongly against non-user initiated account | deletion. | ivan_gammel wrote: | In fact you have the contract with the services where you | sign up. Even if you did not read T&Cs, you have accepted | them and only then your relationship with the service | started _on their terms_. You are not just a row in the | database, you are a customer getting service in _exchange | for something_. You have at least opted in to their data | retention policy, and you have to opt out explicitly. If | services will be required to purge the customer data after | period of inactivity by default, chances are high that free | accounts will simply cease to exist. In any case, quite | significant share of customers would prefer to opt out from | purge and they will be important enough from commercial | perspective to make this opt out default in T &Cs | acceptance process. | luckylion wrote: | If so, please make it opt-in. Let users set the auto-delete | date themselves, because I don't want to have to make sure that | I log in every other week to keep my account alive. | bbarnett wrote: | This could work, along with a default setting, and if the | config was easy to find. | | Or not purposefully obscured. | peakaboo wrote: | Why does it amaze you that companies want to keep user data | when we know it's extreamly valuable? | nine_k wrote: | What is _extremely_ valuable about data on an account which | is dormant for years? | usrusr wrote: | You can fake relevance if you want to sell the company | without actually lying. Coincidentally there's a certain | class of company that is in a permanent state of being sold | and whose communication is under particular scrutiny wrt | truthfulness. Seen from any other angle I fully agree, | random user data value tends to be greatly overestimated. | notimetorelax wrote: | We'll this is not what the OP is proposing. Data removal | after 3 months or a year seems too fast. I game on steam | once every two years - do I have to buy all my games each | time? | pomian wrote: | you are not alone ! (sometimes longer...) | wowokay wrote: | I don't want to lose all my steam games just because I am | inactive for a time. That us a terrible idea, I purchased those | digital goods, that's like saying crypto markets should dump | data from time to time. | Schroedingersat wrote: | Then fight for digital purchases to be actual purchases, not | renting until you lose that account. | renewiltord wrote: | What, why would I do that? I don't want to fight for | something I already have. I'd rather fight against people | who would take it from me. | slickdork wrote: | Mildly related: In America, e-mails stored on a server for over | 180 days are considered 'abandoned' and can be viewed by law | enforcement without warrants. [0] | | [0] | https://en.wikipedia.org/wiki/Electronic_Communications_Priv... | Matticus_Rex wrote: | The bill to fix this relic of a time where people stored | emails in noticeably-finite inboxes, the Email Privacy Act, | passed the House this session but got knocked out of the bill | in the Senate. | https://en.wikipedia.org/wiki/Email_Privacy_Act | goodpoint wrote: | How comes there are no ongoing protests? This is appalling. | largbae wrote: | I wonder the same thing. Civil Asset Forfeiture is at least | as awful and should offend everyone regardless of their | stance on current political hot topics. Yet it appears to | go on unaddressed. | CodeMage wrote: | People can't protest what they don't know about, and this | kind of thing isn't talked about at all. | pjc50 wrote: | This would be a disaster for a lot of people. | 323 wrote: | > _In my country (Romania), even barber shops that store user | accounts for longer periods than necessary are fined_ | | Those most be some fancy barber shops that you need online | accounts for. | Tijdreiziger wrote: | Not Romanian, but you usually need to make an appointment at | a barber (especially now that they can't/don't want to have | too many people in their shop at once, due to COVID | regulations). If you make the appointment online, then you | can usually create an account to view/rebook/cancel it later, | if necessary. ___________________________________________________________________ (page generated 2021-12-30 23:00 UTC)