back to article German court set to rule on legality of IP address harvesting

Germany's federal court is set to hand down a ruling about the legality of storing IP addresses. It'll be the culmination of a long-running suit brought by Patrick Beyer, who wants to prevent German government Websites from storing his IP addresses. The government's argument is that storing visitors' IPs, along with a …

  1. Gene Cash Silver badge

    "It ruled (PDF) that IP addresses can be collected if they don't identify an individual"

    So this immediately punts all those "these IPs downloaded our stuffs" piracy fishing expeditions, at least in Germany?

  2. Adam 52 Silver badge

    I fear this may be badly argued and set a poor precedent. IP addresses often do identify an individual - as the Article 29 working group concluded - and their use in conjunction with other available datasets almost certainly will.

    But some wannabe hero on a piracy crusade going to mess it up. Better to get the precedent set on a case about the government tracking abused children or something not some nerds wanting to get away with copyright infringement.

    1. Roland6 Silver badge

      >IP addresses often do identify an individual

      But not to the same extent as a telephone number. So a question has to be to what extent can telephone numbers be harvested (in Germany). I'm immediately thinking about BT's scammer system that monitors call patterns to determine sources of scam phone calls, which obviously has to retain phone numbers and associated call data.

      1. Dazed and Confused

        >>IP addresses often do identify an individual

        >But not to the same extent as a telephone number.

        Well in my case a quick whois will give you my home address which wouldn't be so easy for a member of the public to do for my phone number. Not everyone's IP address is NAT'd to the N'th degree before it hits the net.

        1. Blane Bramble

          This hinges on what you mean by "identify an individual".

          Your netblock identifies who is responsible for the IP address.

          Not who was using it.

  3. Anonymous Coward
    Anonymous Coward

    Please don't

    IP addresses are one of the mechanisms by which we can identify where attacks come from so we can decide to block completely or just to filter. If privacy laws forbid us to retain visitor data, OK, fair enough, but please don't interfere with genuine protective measures and diagnostics - levae some room to retain those.

    It's hard enough keeping the f*ckers from breaking your website, let's be at least sensible in implementing such laws so we don't have to fight with one hand tied behind our backs.

    1. Anonymous Coward
      Anonymous Coward

      Re: Please don't

      Sticking and RFID inside everyone in Germany would offer more protection. For example, the Baader-Meinhof could never have operated if Law Enforcement always knew their movements.

    2. Adam 52 Silver badge

      Re: Please don't

      "which we can identify where attacks come​ from"

      You can do the same with a hash of the IP address and the network block, you don't need to store IP.

      It's called privacy by design, and is about to become a lot more important.

      1. LDS Silver badge

        "You can do the same with a hash of the IP address"

        A rainbow table of IPv4 addresses is quite simple to build... IPv6 may be another matter.

        But I start to be very worried about my car plate now... <G>

      2. Anonymous Coward
        Anonymous Coward

        Re: Please don't

        You can do the same with a hash of the IP address and the network block, you don't need to store IP.

        Sadly not, I wish. Don't forget that I have the pain of managing that retention in line with data protection, so it's not something I would inflict on myself if it wasn't for a very good reason. Tools such as dig, whois and traceroute don't work on hashes.

        I am perfectly OK with not associating IP numbers with logged in users, yes, that could be via hashing, but for security and protection I need the raw data - also because I may have to preserve them if we take matters further.

        That said, I need to start looking up the IP ranges or maybe the AS that OVH lives in, and grab the list of TOR nodes off Maxmind. I can block traffic from there with only positive impact on the sites.

        It's called privacy by design, and is about to become a lot more important.

        That is already a default in all our services (it's very easy to get support for that, just point out the liability issues that otherwise show up :) ), but as operators we have a duty to protect our users. We cannot do that when blindfolded, that will help the hackers more than us.

        I suspect it may involve a time range. Unless you're in the process of acting upon data in which case it gets a different legal status (as evidence), you may be required to hash IP numbers after x months. I'm OK with that, that follows roughly what we had already planned.

  4. LDS Silver badge

    The risk of that anarchic nerd

    They will make so stupid requests to download porn and music illegally, they will give governments a hand to move in the opposite direction and crushing real privacy rights.

    Do they understand that would make any diagnostic/security log "illegal"?

    I would suggest these "pirates" to remove directly their IPs from their source packets, if they don't want to be "tracked" <G> Or use Tor, if you're paranoid.

    Also, do they have issue with Google, Facebook and others to collect much more information, even about third parties not using their services, or that's fine because it's "free" stuff and help to find more "free" stuff for "personal use"?

  5. Pen-y-gors Silver badge

    Compromise is possible

    1) There are legitimate reasons to log IP addresses - blacklisting, hacking investigation etc.


    2) how long is that data needed - hours, days, a few weeks? In most cases no more than that as the problem to be investigated is likely to be known by then.


    3) You allow the data to be logged but it must be deleted or anonymised after, say, 28 days. With an exception that files can be kept longer if they are needed for an active investigation, and provided a senior officer or equivalent of the company sends a statement to that effect to the local Data Protection Czar. Add various penalties for abuse of the system, including direct action against the officer making the statement.

    1. Yet Another Anonymous coward Silver badge

      Re: Compromise is possible

      But what if the next government needs to check if you ever looked at a pro-immigration web site?

      28 days isn't long enough

    2. Anonymous Coward
      Anonymous Coward

      Re: Compromise is possible

      Plenty of hacks go unnoticed for a lot more than 28 days. The US Office of Personnel Management hackers were in the network for at least a year before anyone noticed.

  6. Kevin Johnston

    Identification through IP Address

    While the line about 'assigned by ISP' is partly true, if you have a static IP address that fig-leaf becomes a somewhat transparent.

    The question I would have is can the same treatment be applied to people using IPV6? (Cue the gags about do you mean both of them?)

    1. Dazed and Confused

      Re: Identification through IP Address

      > (Cue the gags about do you mean both of them?)

      You need two of them so they have someone to talk to.

  7. Hstubbe

    Wasting tax money, the pirate party has apparently become one more established political party.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019