[UPDATE JAN 5, 2016] By publication in the Federal Law Gazette (Bundesgesetzblatt), the new German law on data retention has entered into force.
Germany is making strong strides towards reinstating a mandatory data retention law as a means of strengthening the national cyber security mandate, as the Bundestag (the lower house of the German Parliament) voted in favor of data retention becoming law in October of 2015. The legislation proposes a requirement for all telecommunications and internet service providers to retain user metadata for up to 10 weeks.
Metadata is data about data. All the metadata recorded when you use your mobile or landline phone, send or receive text messages, download or upload anything, send emails or browse the web will be retained by different German phone and internet providers for 10 weeks.
Metadata does not include the content of web or phone conversations; however, the digital footprint is significant enough to identify who you called, where from, for how long, etc. Also, due to a technicality, text messages would be retained in full. The data would be retained and could be accessed by appointed government officials with a warrant.
In the not-so-distant past of 2010, Germany’s Federal Constitutional Court (FCC) deemed the EU’s Data Retention Directive (DRD) of 2006 and Germany’s Implementation Act (which brought the Directive into national law) invalid on grounds of fundamental rights violations. This was followed up by a 2014 European Court of Justice ruling, which stated that mass storage of internet users’ data “without any distinction, restriction or exception” was contrary to fundamental human rights.
Fast forward to April 2015 – Heiko Maas, the German Justice Minister, drafts a new proposal for a data retention law as a compromise that would both assist national security and address the issues with the earlier data retention policy. After all, the FCC never ruled data retention in and of itself unconstitutional. Rather, it was its arrangement in the Data Retention Implementation Act that did not comply with the rights to secrecy of communications and informational self-determination.
The proposed amendments shorten the time-frame for which the data would be stored (down from 6 months to 10 weeks), exclude all e-mail traffic from retention, and make retrieval of retained data always dependent on a judicial order. SMS content would be stored for 10 weeks, IP addresses and time of web page access would be stored for 10 weeks, while phone call location times would only be stored for 4 weeks.
On June 22, 2015 the leading political party SPD (Social Democrats) approved data retention legislation, moving it forward to parliament for discussion.
On October 16th, 2015, the lower house (the Bundestag) votes to pass the law, with an overwhelming 404 to 148 vote in favor of the data retention legislation.
December 2015/ January 2016 – The upper house of Parliament (the Bundesrat) will pass this into law (considered to be a sure thing); then it is up to the President whether the law is signed, declined, or signed with a special request to Germany’s constitutional court to review and check compliance with Germany’s basic law.
Civil liberties groups have criticized similar laws, arguing that cybersecurity measures like data retention are to blame for dangerously instilling a false sense of security. Here’s a closer look at criticism of the legislation from privacy advocates and Data Retention Law supporters alike.
A VPN encrypts your data through a secure tunnel before it reaches the internet – this protects any sensitive information about your location by hiding your IP address. A Virtual Private Network connects you to the internet through the VPN server instead of directly through your ISP. The only information visible to your ISP is that you are connected to a VPN server and nothing more. All other information is encrypted by the VPN’s protocol. This is handy when you don’t want your real IP address traced back to you. It is very important to use a VPN service that has a strict no-log policy to ensure your data is not logged and forwarded to the ISP if requested. NordVPN does not store logs of user IP addresses and could not forward them to the ISPs, as it would not have such data.
With a web proxy, all packets exchanged between the internet and your device go through a remote machine used to connect to the host server. Your IP address appears to be that of the proxy server, a remote machine, which enables you to hide your true IP address. However, a web proxy does not encrypt your traffic.
SOCKS5 is an internet protocol which routes packets between a server and a client using a proxy server. To put it simply – your data is routed through a proxy server that generates an arbitrary IP address before you reach your destination. It is a good option for torrenting or P2P, but not web-browsing.
There are a number of phone and email services that offer additional security for your day-to-day communication. When choosing one, ensure it is not based in Germany and does not keep logs. For additional security, use it in combination with a VPN/proxy service.
The Tor network is a privacy network designed to hide which computer actually requested the traffic. By routing traffic through different nodes, it makes it difficult to say whether your computer initiated the connection or is just acting as a relay, passing that encrypted traffic on to another Tor node.