[HN Gopher] Germany: Data retention to be abolished
___________________________________________________________________
Germany: Data retention to be abolished
Author : seesawtron
Score : 177 points
Date : 2021-12-30 17:02 UTC (5 hours ago)
(HTM) web link (tutanota.com)
(TXT) w3m dump (tutanota.com)
| lgrapenthin wrote:
| Since June, the German government allows even police to secretly
| spy on Germans "preventively", i. e. without suspicion or proof
| of crime or future crime and without decision by court of law, by
| installing trojans on their phones and PCs, i. e. through the app
| store. "Your right to privacy is being respected in Germany!" -
| This is not true.
| eastendguy wrote:
| NOT true. The regulations that you have in mind never made it
| into law.
|
| Source: https://www.spiegel.de/netzwelt/netzpolitik/bundesrat-
| stoppt...
| [deleted]
| 3np wrote:
| Not that I doubt you, but do you have a source?
| St_Alfonzo wrote:
| Maybe I mixed up something and this is the wrong law: The
| "Gesetz zur Modernisierung der Rechtsgrundlagen der
| Bundespolizei" was accepted by the Bundestag, but finally the
| Bundesrat did not agree.
| https://dip.bundestag.de/vorgang/gesetz-zur-
| modernisierung-d...
| ashtonkem wrote:
| The German government is pretty good at putting on a face of
| respectability and proper process, while also doing bad things.
| I'm reminded of the fact that the state began a criminal
| investigation of FT after they reported on Wirecard's fraud _on
| the insistence of Wirecard itself_.
| drited wrote:
| Yep all while people working for the financial regulator
| Bafin traded Wirecard stock in their personal accounts.
| y4mi wrote:
| Germany has a massive corruption problem on the higher
| levels.
|
| It's not as visible for outsiders, because nations with
| corruption issues usually also have police and office workers
| essentially doing shakedowns to do their jobs, and that's not
| really a thing in Germany.
|
| What is quiet widespread is politicians and office worker
| enriching themselves either directly from budgets theyre
| responsible for or by doing things for corporations which pay
| them handsomely.
| nivenkos wrote:
| The mask scandal brought it to light.
| [deleted]
| ben_w wrote:
| While I am very much opposed to being spied on without a
| warrant[0], the case where _only_ government bodies can do this
| is better than the case where _anyone_ can do it.
|
| Of course, the existence of a mechanism to enable this is
| itself a thing which can be exploited by the exact same
| criminals I'm most concerned about with data retained by
| private businesses, so it's not _much_ of an improvement even
| though the attack surface is probably smaller.
|
| [0] and indeed this is why I was already looking to leave the
| UK even before Brexit; the Investigatory Powers Act gives _the
| Welsh Ambulance Service_ access to anyone's "internet
| connection records" without a warrant.
| SllX wrote:
| I prefer the case where no one does it.
|
| Private corporations at least do it for money. Governments do
| it for power. I think it's a hard case to make that that's a
| better reason than to do it for money.
| ben_w wrote:
| Likewise I would prefer nobody does it, but that isn't
| feasible given how easy it is to do it.
|
| But... money is one kind of power, so I don't think it's
| "better".
|
| Given what happened in living memory to a previous
| government in (East) Germany that abused surveillance
| power, I both accept the concern, and yet also don't expect
| it to actually apply _here_ , at least not until about 2040
| when the last people who remember experiencing the
| receiving end of it retire.
| Jensson wrote:
| In smaller democracies the government tend to serve the
| people. In that case the purpose of the spying is to serve
| the people and not a government power grab, that is how
| democracies are intended to work.
|
| Also large enough corporations tend to do things for power
| reasons rather than money, as once you are a billionaire
| your money is mostly just a means to exert power so trading
| money for power is what you do. And at that size they start
| to intermingle with governments, making the acts of the
| company hard to separate from acts of the government.
| jdavis703 wrote:
| Maybe top-100 population US cities don't count as "small
| democracies" in your definition. But if they do, I'd
| argue that small democracies do plenty to protect owners
| of capital at the expense of people in the lower half of
| wealth owners.
|
| For example, take the surveillance and excess force
| against protestors during the summer of 2020 in the US
| (various judges and courts have agreed that some of the
| most high-profile police actions were illegal.)
| causality0 wrote:
| "The people" don't have any more right to my data than
| anyone else.
| yawaworht1978 wrote:
| Without warrant or accountability?
|
| How would they go on about infecting a PC?
|
| Crazy that the app stores play along.
| usrusr wrote:
| Do warrants really make that much of a difference? I don't
| really see anything that could be considered incentive or
| control for keeping that mechanism from slowly (or not slowly
| at all) degenerating into a rubberstamping process.
|
| I could easily imagine a system that leaves case by case
| decisions completely to law enforcement practitioners, but
| constrains them with paper trail requirements
| (accountability, I do agree with that part) and, most
| importantly but unfortunately kind of irreconcilable with the
| legal mindset, an artificial quota that forces them to
| actually think about the case. I believe that a system like
| that might in the end lead to less frivolous eavesdropping
| than one where everything is fair game as soon as they get
| someone authorized to sign off a form. "I got it signed off"
| goes a long way when it comes to questions of moral
| licencing: suddenly it becomes someone else's job to feel bad
| about it if maybe someone should.
| largbae wrote:
| Would the warrant describe what is being searched for and
| why? If so could that be used to challenge unrelated
| "evidence" to the approved purpose?
| usrusr wrote:
| As in motivated law enforcement would want to avoid a
| questionable warrant that could ruin all their other
| achievements related to the case? Certainly not in
| Germany, where the admissibility of evidence is not
| really a factor: if evidence is assumed to be true then
| it exists no matter the provenance, if you want to sue
| the obtaining party for the obtainment process that's a
| separate case.
|
| And what about situations where the surveillance doesn't
| even result in a trial? If a suspicion is made up to gain
| e.g. intelligence over some personal opponent (or
| personal opponent of someone the eavesdropper swaps
| favors with) evidence disadmittance couldn't even be an
| issue at all. But the party requesting the warrant would
| find it comparatively easy to appease their conscience
| with "nothing I wrote in the warrant request was a lie".
| I believe that most people doing bad things don't really
| like to acknowledge that to themselves, and that many who
| might actually talk themselves into requesting a
| questionable warrant would rather not risk running out of
| "wiretap wildcards" they might later need for doing their
| actual job. Of course a system trying to cause self-
| regulation with a quota could still be designed in
| dysfunctional ways (e.g. if there were "leftover
| wildcards" at the end of a quarter, those would be
| powerful fuel for abuse), but with a bit of care those
| pitfalls should be avoidable.
| usrbinbash wrote:
| And what can we learn from this story?
|
| Middle-Left coalitions are actually a pretty good idea.
| dsnr wrote:
| weinzierl wrote:
| _the current one is more right-center-left_
|
| You wouldn't label the Labour Party or the The Greens right
| wing? If "right" in your sentence refers to the Free
| Democratic Party (FDP) the abolishment of the data retention
| regulation would even be a "right wing initiative", which is
| kind of funny. Not sure if I agree, the only thing that's
| certain for the FDP nowadays is that they lack a clear
| profile.
| dsnr wrote:
| Krasnol wrote:
| Whatever you're using, it's not in German sense and since
| Germany is the topic here: the old coalition was more
| right than the current and the current is not
| "whatever"-right.
| okl wrote:
| > The previous ruling coalition was also center-left.
|
| That's not true. Maybe center-left compared to US politics.
| dsnr wrote:
| CDU is a center catch-all party, and SPD is a left party.
| Which part is not true? I wasn't referring to US politics,
| this is a thread about Germany.
| Aerroon wrote:
| Why does everything list CDU as a catch-all for centre-
| right then? It's even on the wiki.
| wwtrv wrote:
| Well historically Christian-Democrats (not only in
| Germany) tended to be centrist or even left leaning
| economically.
| [deleted]
| bbarnett wrote:
| [deleted]
| iqanq wrote:
| As if data retention was the only thing the government had to
| decide on...
| johnnycerberus wrote:
| To be fair, data retention is a hot topic right now in
| Europe, the pandemic and the increased screen time that
| resulted from it, the amount of accounts we had to create
| left and right require new regulations.
| iqanq wrote:
| I live in Europe and the only hot topic I can think of,
| apart from the virus, is energy prices. The same energy
| prices the center-left wants to increase via CO2 taxes.
| ChuckNorris89 wrote:
| > _I live in Europe and the only hot topic I can think
| of, apart from the virus, is energy prices._
|
| And real estate prices. Don't forget the insane real
| estate market.
| iqanq wrote:
| Ah indeed. But that bubble has been in the making for 10+
| years. It's not a topic of conversation because we are
| all used to it.
| cblconfederate wrote:
| except for tax reasons. then you have to keep track of every
| penny for a thousand years.
| amelius wrote:
| Are Messenger/WhatsApp messages also telecommunications data?
| adolph wrote:
| It is unclear to me if this means that ISPs cannot retain data,
| or a revocation of the law requiring ISPs to retain data.
| pmontra wrote:
| From what I read it seems that they have to stop logging. They
| can start logging only after they got a request from whoever is
| allowed to issue such requests in Germany.
| realityking wrote:
| The latter. An ISP - within the guard rails set by GDPR and
| other privacy laws - can store customer data for their own
| purposes. But the government won't require them to do so.
| onli wrote:
| That should be pretty much the same thing. The moment the
| illegal data retention law gets disabled the ISPs have no right
| to collect and retain that data anymore.
| realityking wrote:
| That's not true. It's perfectly reasonable to keep some
| operational logs for debugging purposes for a few hours or
| even days.
| onli wrote:
| It's illegal to keep personal data of users without either
| legitimate interest or a direct agreement, that's
| completely clear under the DSGVO. If the operational logs
| are needed to fulfill the contract with the user then sure,
| the provider can keep them (for as short as possible),
| otherwise not. Days? I highly doubt it.
|
| The Vorratsdatenspeicherung counteracted that principle, if
| it falls away storing this data gets really complicated.
| Jensson wrote:
| Keeping server logs for a few days is considered
| necessary for running servers. Therefore you accessing a
| server means you implicitly give them the right to store
| your access request for a few days, because it is
| unreasonable to assume they would run a server without
| access logs.
|
| Edit: For example, you can't assume people will work on
| weekends. So if an issue occurs on a weekend and someone
| needs to look at it, then the log need to at least last
| throughout the weekend.
| pmontra wrote:
| I'm glad about this decision. Anyway removing all personal data
| from logging will be a huge project in large organizations. I'm
| thinking about IP addresses [1] which are often used to aggregate
| requests, debug, etc. Wireshark could become a hot tool to
| handle.
|
| I didn't spend much time to think about it so I might be totally
| wrong but anonymizing IP addresses is probably not easy unless we
| give up aggregation. I think that anything that uniquely maps IP
| addresses also becomes personal data, e.g. cookies.
|
| [1] https://www.whitecase.com/publications/alert/court-
| confirms-...
| notimetorelax wrote:
| Wireshark is very much a hot tool to handle already. To be in
| compliance with GDPR all the traces have to be dropped within
| the data removal grace period.
| mytailorisrich wrote:
| Key seems to be " _without any reason_ ".
|
| An example: here in the UK the limit on taking legal action on
| most civil issues is 6 years. This means it is perfectly
| reasonable to have a 6 year retention policy and indeed that's
| what most companies do.
| johnnycerberus wrote:
| I totally support this. It still amazes me that companies still
| do not delete/anonymize user accounts after periods of
| inactivity. Everything that is linked to your email address
| should be purged after 3-12 months of inactivity, including
| ecommerce like Amazon, game platforms like Steam, cloud storages
| like Dropbox, or even Hackernews. Good luck trying to find old
| accounts that you have used years ago, what if they were breached
| and now they are used by people with bad intentions. In my
| country (Romania), even barber shops that store user accounts for
| longer periods than necessary are fined the shit out of them for
| not closing accounts due to inactivity. Some years ago, I woke up
| with an inactive G2A account telling me that I have to pay a fee
| for inactivity. NO! I don't have to pay anything, purge it!
| akersten wrote:
| > Everything that is linked to your email address should be
| purged after 3-12 months of inactivity, including
|
| That is such a horrible idea, I go on vacations longer than
| that. My Dropbox should be deleted if I don't log in for 4
| months?
| johnnycerberus wrote:
| Do you have a paid account or a free account? If I store my
| documents on a free account for a one time send to the
| university application and then I forget about it, then
| Dropbox should purge it after a time to protect my data, as I
| don't have any "contract" with them like a subscription or
| something. The same for G2A, I have bought from them some
| game keys at a cheap price sometime ago and then I totally
| forgot that I have one, I couldn't even find the activation
| mail in my inbox, lol. One day in the summer I woke up with a
| mail that I have to pay an inactivity fee even if I'm just a
| row in their database and I have no contractual obligation
| with them.
| fiddlerwoaroof wrote:
| I had a family member go through a major life event that
| left his OneDrive account unused for about a year. When we
| needed to access tax documents on it, Microsoft had deleted
| it. I'm strongly against non-user initiated account
| deletion.
| ivan_gammel wrote:
| In fact you have the contract with the services where you
| sign up. Even if you did not read T&Cs, you have accepted
| them and only then your relationship with the service
| started _on their terms_. You are not just a row in the
| database, you are a customer getting service in _exchange
| for something_. You have at least opted in to their data
| retention policy, and you have to opt out explicitly. If
| services will be required to purge the customer data after
| period of inactivity by default, chances are high that free
| accounts will simply cease to exist. In any case, quite
| significant share of customers would prefer to opt out from
| purge and they will be important enough from commercial
| perspective to make this opt out default in T &Cs
| acceptance process.
| luckylion wrote:
| If so, please make it opt-in. Let users set the auto-delete
| date themselves, because I don't want to have to make sure that
| I log in every other week to keep my account alive.
| bbarnett wrote:
| This could work, along with a default setting, and if the
| config was easy to find.
|
| Or not purposefully obscured.
| peakaboo wrote:
| Why does it amaze you that companies want to keep user data
| when we know it's extreamly valuable?
| nine_k wrote:
| What is _extremely_ valuable about data on an account which
| is dormant for years?
| usrusr wrote:
| You can fake relevance if you want to sell the company
| without actually lying. Coincidentally there's a certain
| class of company that is in a permanent state of being sold
| and whose communication is under particular scrutiny wrt
| truthfulness. Seen from any other angle I fully agree,
| random user data value tends to be greatly overestimated.
| notimetorelax wrote:
| We'll this is not what the OP is proposing. Data removal
| after 3 months or a year seems too fast. I game on steam
| once every two years - do I have to buy all my games each
| time?
| pomian wrote:
| you are not alone ! (sometimes longer...)
| wowokay wrote:
| I don't want to lose all my steam games just because I am
| inactive for a time. That us a terrible idea, I purchased those
| digital goods, that's like saying crypto markets should dump
| data from time to time.
| Schroedingersat wrote:
| Then fight for digital purchases to be actual purchases, not
| renting until you lose that account.
| renewiltord wrote:
| What, why would I do that? I don't want to fight for
| something I already have. I'd rather fight against people
| who would take it from me.
| slickdork wrote:
| Mildly related: In America, e-mails stored on a server for over
| 180 days are considered 'abandoned' and can be viewed by law
| enforcement without warrants. [0]
|
| [0]
| https://en.wikipedia.org/wiki/Electronic_Communications_Priv...
| Matticus_Rex wrote:
| The bill to fix this relic of a time where people stored
| emails in noticeably-finite inboxes, the Email Privacy Act,
| passed the House this session but got knocked out of the bill
| in the Senate.
| https://en.wikipedia.org/wiki/Email_Privacy_Act
| goodpoint wrote:
| How comes there are no ongoing protests? This is appalling.
| largbae wrote:
| I wonder the same thing. Civil Asset Forfeiture is at least
| as awful and should offend everyone regardless of their
| stance on current political hot topics. Yet it appears to
| go on unaddressed.
| CodeMage wrote:
| People can't protest what they don't know about, and this
| kind of thing isn't talked about at all.
| pjc50 wrote:
| This would be a disaster for a lot of people.
| 323 wrote:
| > _In my country (Romania), even barber shops that store user
| accounts for longer periods than necessary are fined_
|
| Those most be some fancy barber shops that you need online
| accounts for.
| Tijdreiziger wrote:
| Not Romanian, but you usually need to make an appointment at
| a barber (especially now that they can't/don't want to have
| too many people in their shop at once, due to COVID
| regulations). If you make the appointment online, then you
| can usually create an account to view/rebook/cancel it later,
| if necessary.
___________________________________________________________________
(page generated 2021-12-30 23:00 UTC)