The whole case dates back to early 2008, when Patrick Beyer, a lawyer and member of the Pirate Party in the state of Schleswig-Holstein, sued the federal government. According to Beyer, the “massive storage” of Internet Protocol addresses is a violation of the data protection laws. On the other hand, the German federal government argued that storing such data was a legitimate action since it’s a technique helping law enforcement to identify potential hackers and cybercriminals.
The legal dispute was not ruled exclusively in Germany. The BGH presented the case to the European Court of Justice in Luxembourg (ECJ), which ruled on the dispute on October 19, 2016. According to the ECJ’s ruling, IP addresses are considered as personal data when the owner of a website has the “legal means” to access the data behind an IP address. This includes the name or the email address of the internet browser. The European Court of Justice also ruled that the federal government does have the right to ask Internet Service Providers (ISPs) to provide such information linked to the IP addresses. The ECJ added that processing personal data (the storing of an IP address and linking it to a real name and address) can be a legal action if the administrator of the website has a “legitimate interest” to do so. However, while doing this, law enforcement authorities should not infringe on the fundamental rights and freedoms of the person visiting the website.
After the ECJ’s ruling, the case was back at the BGH. The Federal Court of Justice ruled on May 16 that information regarding the IP address of an internet user may be acquired by law enforcement beyond the period the user visited a specific website if obtaining the IP data was necessary to defend and investigate cyber attacks. This action can be only performed legally if the investigated website is prone to cyber attacks. However, further clarification is needed in the case regarding which sites are to be considered as posing a high risk to hacker attacks.
“I am glad that the court is questioning the need for unfounded and across-the-board logging of our surfing behavior,” Beyer said in a statement after the verdict was announced. The Pirate Party politician was not concerned about the possible chance that authorities would use the stored data to spy on the citizens. According to Beyer, the main concern in the case was that the saved information could fall into the “wrong hands”. If that happened, the personal data of the citizens could be used for blackmailing people. According to the lawyer, the best protection would be to never store such data.
On the other hand, the state argues that during a hacker attack, the IP addresses may show clues where the attack was launched along with other useful information. According to criminalists, data collection protects the citizens of the country. They argue that, for example, there is a chance to identify criminals who are launching phishing attacks to steal financial information, including credit card and banking details.
However, Beyer rejects that argument. The Pirate Party politician says that “real criminals” use proxy and VPN services or the Tor network to mask their IP addresses and hide their identities from law enforcement authorities. That is a fact though that many cybercriminals use the dark web and the Tor browser to hide from authorities. Such services allow them to bounce their communications off so many virtual locations that it becomes really hard or almost impossible for investigators to trace them back.
The May 16 ruling is not the end the current case. The question of what constitutes a site at risk of a cyber attack was left open by the BGH. Beyer also questioned why the previous findings “were not adequate for a definitive ruling”. The Federal Court of Justice passed this decision to the district court of Berlin.