Data Retention Law in Germany
[UPDATE JAN 5, 2016] By publication in the Federal Law Gazette (Bundesgesetzblatt), the new German law on data retention has entered into force.
Germany is making strong strides towards reinstating a mandatory data retention law as a means of strengthening its national cyber security mandate: in October 2015 the Bundestag (the lower house of the German Parliament) voted in favor of data retention becoming law. The legislation requires all telecommunications and internet service providers to retain user metadata for up to 10 weeks.
What is Metadata and what is Data Retention Law?
Metadata is data about data. The metadata recorded when you use your mobile or landline phone, send or receive text messages, or connect to the internet (the IP address assigned to you and when) will be retained by German phone and internet providers for up to 10 weeks. E-mail traffic is excluded from retention.
Metadata does not include the content of web or phone conversations, but the digital footprint is significant enough to identify who you called, from where, and for how long. Text messages are the exception: for technical reasons their content is stored together with the signalling data, so SMS are retained in full. Retained data may be accessed by law enforcement only with a judicial order.
Timeline of Metadata Retention in Germany
In the not so distant past, in 2010, Germany’s Federal Constitutional Court (FCC) struck down the German Implementation Act that transposed the EU’s Data Retention Directive (DRD) of 2006 into national law, on the grounds that it violated fundamental rights. In 2014 the European Court of Justice followed by invalidating the Directive itself, ruling that the mass storage of internet users’ data “without any distinction, restriction or exception” was contrary to fundamental rights.
Fast forward to April 2015: Heiko Maas, the German Justice Minister, drafted a new data retention proposal as a compromise meant both to assist national security and to address the problems with the earlier Data Retention Policy. After all, the FCC never ruled data retention as such unconstitutional; it was the specific arrangement in the Data Retention Implementation Act that did not comply with the rights to secrecy of communications and informational self-determination.
The new arrangement shortens the storage period (down from 6 months to 10 weeks), excludes all e-mail traffic from retention, and makes retrieval of retained data always dependent on a judicial order. Call records, SMS (including their content) and the IP addresses assigned to internet connections, with their timestamps, would be stored for 10 weeks, while location data generated by mobile phone calls would be stored for only 4 weeks.
On June 22, 2015 the SPD (Social Democrats, junior partner in the governing coalition) approved the data retention legislation, moving it forward to parliament for discussion.
On October 16, 2015 the lower house (the Bundestag) passed the law by a wide margin, 404 votes to 148.
December 2015/January 2016: the upper house (the Bundesrat) is expected to let the law pass (considered a sure thing); then the Federal President decides whether to sign it into law or to withhold his signature on the grounds that it may not comply with Germany’s Basic Law.
Points of the legislation that are cause for concern:
Civil liberties groups have criticized similar laws, arguing that measures like data retention instill a dangerous false sense of security. Here is a closer look at the criticism, from privacy advocates and from supporters of data retention alike.
- The Criminal Police Union (BDK) believes the legislation does not go far enough. In its view 10 weeks is too short to gather information on cybercrimes, and the definition of the ‘severe crimes’ that warrant an in-depth investigation of a suspect is weak. Further, it is astounded that the catalogue of offences for which retained data may be retrieved does not include cybercrimes such as phishing, sextortion or the use of ransomware.
- The law could be challenged in court, as stated by Wolfgang Kubicki, deputy leader of the liberal Free Democratic Party (FDP), who told the press that he intends to bring it before the constitutional court judges. He argues that the law would not protect the privacy of people bound by professional secrecy (such as lawyers, doctors and journalists), which is guaranteed under EU law.
- European Single Market rules might be at odds with the law: by forcing companies to keep the data on servers in Germany for easier access, it could give German providers an unfair advantage over those in other countries.
- The previous data retention law was declared unconstitutional by the Federal Constitutional Court for violating fundamental rights, which raises the question of whether the amended legislation goes far enough to fix the problems found unconstitutional in the first place.
- It is unclear what would happen if your ‘digital footprint’ raised suspicion on examination. Would the retained data be grounds for issuing a digital surveillance or phone tap warrant?
- More countries are choosing tougher national security measures such as surveillance or data retention, e.g. Australia’s recent Data Retention Law [logging data for 2 years], Canada’s Bill C-51 [logging data for 6 months] or the US Stored Communications Act [requiring ISPs to preserve data for up to 90 days on government request]. It has yet to be shown that this is an effective strategy against either cybercrime or threats to national security.
- The sheer number of parties that will handle this sensitive information is a major issue in itself: the likelihood of the data being mishandled or breached is high.
Ways to avoid Metadata Retention:
Get a VPN
A VPN encrypts your traffic and sends it through a secure tunnel to the VPN server, which forwards it to the internet on your behalf. Your packets still travel over your ISP’s network, but all the ISP can see is an encrypted connection to the VPN server: the sites you visit, the protocols you use and the content are hidden inside the tunnel, and the sites you visit see the VPN server’s IP address instead of yours. Note what the ISP can still record under a retention law: your own IP address, the VPN server’s address and the connection times, which is exactly the kind of metadata the law covers. What it cannot record is where the traffic went after that. It is therefore important to use a VPN service with a strict no-logs policy, so that the provider itself holds no record of your IP address that could be handed over on request. NordVPN does not store logs of user IP addresses and so has no such data to forward.
Connect via Proxy
A proxy is a remote machine that relays packets between your device and the server you want to reach. The server sees the proxy’s IP address rather than yours, which hides your true IP address from it. However, a plain web proxy does not encrypt your traffic: the requests you send to the proxy, including the destination hostnames, remain visible to your ISP.
SOCKS5 Proxy for Torrenting and P2P
SOCKS5 is a protocol for routing connections between a client and a server through a proxy server: your client asks the proxy to open the connection on its behalf, so the destination sees the proxy’s IP address, not yours. SOCKS5 relays TCP connections and, via its UDP ASSOCIATE command, UDP traffic, but it adds no encryption of its own. It is a good option for torrenting or P2P, where the client software supports it directly; for web browsing a VPN or Tor is the better choice.
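The handshake described above, as an added example that is not part of the original article: a minimal SOCKS5 (RFC 1928) CONNECT exchange with both the client and a stub proxy in one process, connected over a socketpair so it runs offline. Besides showing that the proxy, not the client, is the one that would open the onward connection, it shows a metadata detail worth knowing: when the client sends the target as a DOMAINNAME (ATYP 0x03) the proxy resolves it, so no DNS lookup for that site crosses the ISP’s network; a client that resolves the name itself and sends an IPv4 address (ATYP 0x01) has already leaked the lookup. The hostnames and addresses (tracker.example.org, 198.51.100.20, 203.0.113.7) are constructed for the example, and the stub proxy records the request instead of connecting anywhere.

```python
"""Minimal SOCKS5 (RFC 1928) CONNECT exchange, client and proxy side, run
in-process over a socketpair.  The proxy is a stub that records what it was
asked to do instead of connecting onward; all addresses are constructed."""

import socket
import struct
import threading

SOCKS_VERSION = 0x05
NO_AUTH = 0x00
NO_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
REP_SUCCEEDED = 0x00
REP_ATYP_UNSUPPORTED = 0x08

# Constructed: the address the proxy binds for its outbound leg.  This, not
# the client's address, is what the destination server would see.
PROXY_BOUND_ADDR = ("203.0.113.7", 40000)


def _recv_exactly(sock, n):
    """SOCKS fields are fixed-size framed: read exactly n bytes or fail."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS handshake")
        buf += chunk
    return buf


def build_connect_request(host, port):
    """Encode a CONNECT request.  A dotted-quad literal goes out as ATYP 0x01,
    meaning the client resolved the name itself (that DNS query went to the
    ISP's resolver).  Anything else goes out as ATYP 0x03, a DOMAINNAME the
    proxy resolves, so no lookup leaves the client."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)  # no DNS for literals
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("SOCKS5 DOMAINNAME is limited to 255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return struct.pack("!BBB", SOCKS_VERSION, CMD_CONNECT, 0x00) + addr + struct.pack("!H", port)


def stub_proxy(conn, seen):
    """Proxy side: negotiate auth, parse the request, record it, reply."""
    try:
        ver, nmethods = struct.unpack("!BB", _recv_exactly(conn, 2))
        methods = _recv_exactly(conn, nmethods)
        if ver != SOCKS_VERSION or NO_AUTH not in methods:
            conn.sendall(struct.pack("!BB", SOCKS_VERSION, NO_ACCEPTABLE))
            return
        conn.sendall(struct.pack("!BB", SOCKS_VERSION, NO_AUTH))
        _ver, cmd, _rsv, atyp = struct.unpack("!BBBB", _recv_exactly(conn, 4))
        if atyp == ATYP_IPV4:
            host = socket.inet_ntoa(_recv_exactly(conn, 4))
        elif atyp == ATYP_DOMAIN:
            host = _recv_exactly(conn, _recv_exactly(conn, 1)[0]).decode("idna")
        else:  # IPv6 (ATYP 0x04) left out of this example
            conn.sendall(struct.pack("!BBBB", SOCKS_VERSION, REP_ATYP_UNSUPPORTED, 0, ATYP_IPV4) + bytes(6))
            return
        port = struct.unpack("!H", _recv_exactly(conn, 2))[0]
        seen.append({"cmd": cmd, "atyp": atyp, "host": host, "port": port,
                     "proxy_resolves_name": atyp == ATYP_DOMAIN})
        # A real proxy would now connect to host:port and relay bytes both ways.
        conn.sendall(struct.pack("!BBBB", SOCKS_VERSION, REP_SUCCEEDED, 0x00, ATYP_IPV4)
                     + socket.inet_aton(PROXY_BOUND_ADDR[0])
                     + struct.pack("!H", PROXY_BOUND_ADDR[1]))
    finally:
        conn.close()


def socks5_connect(host, port):
    """Client side of the handshake against the stub proxy.
    Returns (reply code, address the proxy bound, what the proxy saw)."""
    client, server = socket.socketpair()
    seen = []
    worker = threading.Thread(target=stub_proxy, args=(server, seen))
    worker.start()
    try:
        client.sendall(struct.pack("!BBB", SOCKS_VERSION, 1, NO_AUTH))  # greeting, one method
        _ver, method = struct.unpack("!BB", _recv_exactly(client, 2))
        if method != NO_AUTH:
            raise ConnectionError("proxy rejected our authentication methods")
        client.sendall(build_connect_request(host, port))
        _ver, rep, _rsv, atyp = struct.unpack("!BBBB", _recv_exactly(client, 4))
        if atyp != ATYP_IPV4:
            raise ConnectionError("unexpected BND.ADDR type %d" % atyp)
        bnd_addr = socket.inet_ntoa(_recv_exactly(client, 4))
        bnd_port = struct.unpack("!H", _recv_exactly(client, 2))[0]
    finally:
        client.close()
        worker.join()
    return rep, (bnd_addr, bnd_port), seen[0]


if __name__ == "__main__":
    for target in ("tracker.example.org", "198.51.100.20"):  # constructed targets
        rep, bound, seen = socks5_connect(target, 6881)
        print(target, "->", "ok" if rep == REP_SUCCEEDED else "failed",
              "| destination sees", bound, "| proxy resolves name:", seen["proxy_resolves_name"])
```

Torrent clients and browsers that offer a "proxy DNS" or "remote DNS" setting are choosing between the two request encodings shown here; without it the connection is proxied but the name lookup is not.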
Use Encrypted Communication Services
There are a number of phone and email services that offer additional security for day-to-day communication. When choosing one, make sure it is not based in Germany (and so not subject to the retention obligation) and does not keep logs. For additional security, use it in combination with a VPN or proxy service.
Tor Network
The Tor network is a privacy network designed to hide which computer actually requested the traffic. Traffic is routed through three volunteer-run relays and wrapped in one layer of encryption per relay: your ISP sees only an encrypted connection to the first (guard) relay, each relay learns only the relay before and after it, and the exit relay sees the destination but not your address. An observer at any point cannot tell whether a given relay originated the connection or is just forwarding encrypted traffic from another Tor node.
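To make the "each relay sees only its neighbours" property concrete, here is an added toy model of Tor’s layered encryption; it is not code from the original article or from the Tor project. The client holds a separate key for each of three relays (Tor negotiates these while building the circuit; here they are constructed constants), wraps the request in three layers, and each relay strips one layer and learns only the next hop plus an opaque remainder. The cipher is a SHA-256 counter-mode XOR toy standing in for the AES-CTR Tor actually uses, the relay names and keys are made up, and real Tor moves fixed-size cells rather than variable-length blobs; the layering is the point, not the cipher.

```python
"""Toy model of Tor's onion layering on a three-hop circuit.  The stream
cipher is a SHA-256 counter-mode XOR toy (NOT for real use) standing in for
Tor's AES-CTR; relay names and keys are constructed for the example."""

import hashlib

# Constructed circuit: relay name -> key it shares with the client.
CIRCUIT = ["guard", "middle", "exit"]
KEYS = {"guard": b"k-guard-0001", "middle": b"k-middle-0002", "exit": b"k-exit-0003"}


def toy_stream_xor(key, data):
    """XOR data with a keystream derived from key and a block counter."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(key, next_hop, inner):
    """One onion layer: [len(next_hop)][next_hop][inner], encrypted under key."""
    label = next_hop.encode()
    return toy_stream_xor(key, bytes([len(label)]) + label + inner)


def unwrap(key, blob):
    """Strip one layer; returns (next_hop, remaining still-encrypted blob)."""
    plain = toy_stream_xor(key, blob)
    n = plain[0]
    return plain[1:1 + n].decode(), plain[1 + n:]


def build_onion(destination, payload, path=CIRCUIT, keys=KEYS):
    """Client side: wrap for the exit first, then middle, then guard, so the
    guard's layer is the outermost one and comes off first."""
    blob = wrap(keys[path[-1]], destination, payload)
    for hop, next_hop in zip(reversed(path[:-1]), reversed(path[1:])):
        blob = wrap(keys[hop], next_hop, blob)
    return blob


def relay_views(destination, payload, client="client-ip", path=CIRCUIT, keys=KEYS):
    """Walk the circuit as each relay would and record what it learns: who
    handed it the cell, where it forwards, and the blob it forwards.  Only
    the exit is left holding the plaintext payload and destination."""
    blob = build_onion(destination, payload, path, keys)
    views, prev = {}, client
    for hop in path:
        next_hop, blob = unwrap(keys[hop], blob)
        views[hop] = {"from": prev, "to": next_hop, "forwarded": blob}
        prev = hop
    return views


if __name__ == "__main__":
    for relay, view in relay_views("example.org:443", b"GET / HTTP/1.1").items():
        print(relay, "sees", view["from"], "->", view["to"])
```

The guard’s view ("client-ip" to "middle") is all that an ISP retaining connection metadata could observe: that you talked to a Tor relay, not where the request went or what it said.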